Sunday, September 4, 2016

Threat Intelligence Feeds Part II - Bro, SecurityOnion and CriticalStack

In my previous post, Threat Intelligence Feeds Part I - Using Security Onion and Snort, I described how to use OSINT IP indicators to detect malicious traffic as part of incident response, malware analysis, etc.

In this second post, I'll explain how to use OSINT domain and URL indicators for the same purpose.
As in the previous post, I'll show a real scenario where these intel feeds detect malicious activity.

Just as there are multiple sources of OSINT IP indicators, there are also multiple sources of OSINT URL and domain indicators, for example:

  • etc, etc, etc
However, this time, instead of manually gathering the intel feeds one by one, I'll use CriticalStack for this purpose. CriticalStack is basically a service that aggregates different OSINT feeds so they can be consumed directly from a central repository. You need to check the terms of use of the service and of each feed to see whether you can use them for commercial purposes or in your environment.

Besides CriticalStack, I'll use Bro (the Network Security Monitor) integrated in Security Onion (I assume Security Onion is already fully working).

Setting up the feeds in CriticalStack

First thing is to create an account in 
Once the account is set up, it is necessary to create a 'Collection'. This is basically the set of feeds we want to use.

After that, the feeds need to be added to the collection.

Lastly, a sensor is defined, which will consume the feeds. The collection needs to be assigned to the sensor.

When this is done, an API key will be assigned to the sensor. The sensor uses this key to access the CriticalStack API.

Installing CriticalStack Client in SecurityOnion

Now it is time to integrate CriticalStack in Security Onion. These are the commands to run (replace CRITICAL-STACK-KEY with the key assigned to your sensor):

curl | sudo bash
apt-get install critical-stack-intel
critical-stack-intel api CRITICAL-STACK-KEY
broctl check && broctl install && broctl restart

Finally, a summary of the installed feeds is shown with the command 'critical-stack-intel list'.

Performing analysis with Bro in ELSA

Now I can search in ELSA. For example, with the query "class=BRO_INTEL" I find all the matches against intel indicators, that is, every entry Bro's Intel framework wrote to intel.log. I can refine the search with additional terms.

In this case, I see there are 3 matches to a Zeus C&C domain (hxxp://

I can also search for any match to a URL indicator. For example, I see that a phishing website has been visited.


When dealing with URL indicators, the traffic that matched has been captured, so the 'pcap' can be extracted and analysed in 'capme', which is integrated in Security Onion.
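To make clear what a class=BRO_INTEL record in ELSA actually represents, here is an added example (not code from this post, Bro or CriticalStack) that models how Bro's Intel framework loads a feed in the tab-separated format critical-stack-intel writes out and matches the domains and URLs it sees against it. The feed entries, hosts and 'seen' events are constructed sample data; the indicator types and 'where' values follow Bro's own names.

```python
# Added example, not code from the original post, Bro or CriticalStack: a small
# model of how Bro's Intel framework turns a CriticalStack feed into the
# intel.log records ELSA shows as class=BRO_INTEL. Feed and events are constructed.

INTEL_FEED = (  # constructed feed, in the tab-separated format Bro loads
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "bad-c2.example\tIntel::DOMAIN\tconstructed-zeus-feed\tZeus C&C (sample)\n"
    "phish.example/login.php\tIntel::URL\tconstructed-phish-feed\tPhishing page (sample)\n"
)

def load_intel(text):
    """Parse an intel file into {(indicator, indicator_type): metadata row}."""
    lines = text.splitlines()
    fields = lines[0].split("\t")[1:]            # first token is '#fields'
    table = {}
    for line in lines[1:]:
        if line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            table[(row["indicator"], row["indicator_type"])] = row
    return table

def normalise(indicator, indicator_type):
    """URLs: drop the scheme (Intel::URL feed entries carry none); domains: exact, lowercase."""
    if indicator_type == "Intel::URL":
        for scheme in ("http://", "https://"):
            if indicator.lower().startswith(scheme):
                return indicator[len(scheme):]
        return indicator
    return indicator.lower().rstrip(".")         # DNS names may carry a trailing dot

def match_seen(table, seen_events):
    """Return intel.log-style hits for each seen event that matches a feed entry."""
    hits = []
    for ev in seen_events:
        ind = normalise(ev["indicator"], ev["indicator_type"])
        meta = table.get((ind, ev["indicator_type"]))
        if meta:                                 # not in any feed: no intel.log line
            hits.append({"ts": ev["ts"], "id.orig_h": ev["id.orig_h"],
                         "seen.indicator": ind, "seen.where": ev["where"],
                         "sources": meta["meta.source"], "desc": meta["meta.desc"]})
    return hits

SEEN = [  # constructed: what Bro's intel/seen scripts would report to the framework
    {"ts": 1.0, "id.orig_h": "10.0.0.5", "indicator": "bad-c2.example.",
     "indicator_type": "Intel::DOMAIN", "where": "DNS::IN_REQUEST"},
    {"ts": 2.0, "id.orig_h": "10.0.0.5", "indicator": "http://phish.example/login.php",
     "indicator_type": "Intel::URL", "where": "HTTP::IN_URL"},
    {"ts": 3.0, "id.orig_h": "10.0.0.7", "indicator": "www.example.org",
     "indicator_type": "Intel::DOMAIN", "where": "HTTP::IN_HOST_HEADER"},
]
```

Running match_seen(load_intel(INTEL_FEED), SEEN) yields two hits, one per feed entry, while the third event produces nothing because its domain is in no feed; the fields of each hit are the ones ELSA exposes for class=BRO_INTEL.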