Bro+MISP = Dovehawk Bro Module

Bro is a open source intrusion detection and discovery system. It can detect and log unusual activity, DNS queries and connections which can then be used for threat hunting on your network.

MISP is an open source threat intelligence platform. It can store indicators, signatures, TTPs, analysis, attribution, and links to external reports on groups of information called Events.


Bro+MISP


Bro has some powerful APT hunting features built-in. The Intelligence Framework allows indicators to be tasked such as domains, IPs, file hashes (including SSL certificate hashes), and email addresses.

This is where Dovehawk is a powerful tool to link your MISP directly to Bro. We've seen other Bro tools download and import a static file of indicators, but Dovehawk is the first to directly connect to MISP and task indicators at a regular timed interval and expire older indicators as they are deleted from MISP.

Bro also has a signature framework for writing more advanced signatures which are imported at startup, this does introduce a requirement to restart Bro regularly if you plan to use Bro signatures. Broctl can be used to restart Bro and do regular maintenance like rotate logs.





Sightings


MISP can receive simple reports of indicators being "seen" - Dovehawk can report directly to MISP that an indicator was spotted.

Additional metadata for the hit can be sent to a slack channel or other remote web hook.





Pro Integration


For our use, we developed a RDS database model to track hits and view recent activity.


Download


https://github.com/tylabs/dovehawk


Comments