chn-intel-feeds

The chn-intel-feeds container will automatically download indicators from a specified Collective Intelligence Framework (CIF) instance. You can read more about CIF here.

The downloaded indicators will be formatted to a 'single indicator per line' format, and served up over HTTP on (default) port 9000. These feeds will be refreshed automatically, and are in a format easily consumed by protection devices such as Palo Alto EDL's or Cisco Firepower SI Lists.

Adding chn-intel-feeds to CHN-Server

The simplest way to integrate feeds is:

First, include this stanza in the docker-compose.yml file for CHN-server:

  chn-intel-feeds:
    image: stingar/chn-intel-feeds:1.9
    env_file:
      - chn-intel-feeds.env
    volumes:
      - ./safelists:/var/www/safelists
    ports:
      - 9000:9000

Next, add the following chn-intel-feeds.env configuration file:

# Turn on additional logging
DEBUG=false

# Number of minutes between each refresh of the feeds
SLEEP=5

# Number of hours between each refresh of the safelist
SAFELIST_SLEEP=24

# Change the port the web server listens on in the container
# You must also adjust the docker-compose ports stanza to match
PORT=9000

# Specify feeds by prefacing each variable with "CHNFEEDX" where "X" is the feed number
# A minimal configuration includes: FILENAME, REMOTE, TOKEN, ITYPE, TAGS, and DAYS or HOURS
# You are limited to 10 feed specifications; this limit can be changed in code
# Any of the VALID_FILTERS may be used as part of the specification
# VALID_FILTERS = ['indicator', 'itype', 'confidence', 'provider', 'limit', 'application', 'nolog', 'tags', 'days',
#                 'hours', 'groups', 'reporttime', 'cc', 'asn', 'asn_desc', 'rdata', 'firsttime', 'lasttime',
#                 'region', 'id']

CHNFEED1_FILENAME=stingar_ip.txt
CHNFEED1_REMOTE={cif_server_url}
CHNFEED1_TOKEN={cif_read_token}
CHNFEED1_TLS_VERIFY=True
CHNFEED1_ITYPE=ipv4
CHNFEED1_LIMIT=10
CHNFEED1_HOURS=24
CHNFEED1_CONFIDENCE=8
CHNFEED1_TAGS=honeypot

CHNFEED2_FILENAME=stingar_sha256.txt
CHNFEED2_REMOTE={cif_server_url}
CHNFEED2_TOKEN={cif_read_token}
CHNFEED2_TLS_VERIFY=True
CHNFEED2_ITYPE=sha256
CHNFEED2_LIMIT=10
CHNFEED2_DAYS=1
CHNFEED2_CONFIDENCE=8
CHNFEED2_TAGS=honeypot

CHNFEED3_FILENAME=stingar_url.txt
CHNFEED3_REMOTE={cif_server_url}
CHNFEED3_TOKEN={cif_read_token}
CHNFEED3_TLS_VERIFY=True
CHNFEED3_ITYPE=url
CHNFEED3_LIMIT=10
CHNFEED3_DAYS=1
CHNFEED3_CONFIDENCE=8
CHNFEED3_TAGS=honeypot

# Specify safelists by prefacing each variable with "CHNSAFELISTX" where "X" is the safelist number
# A minimal configuration includes: FILENAME, REMOTE, TOKEN, PROVIDER, and ITYPE
# You are limited to 5 feed specifications; this limit can be changed in code
# The FILENAME should be a file available in the container path /var/www/safelists
# A PROVIDER variable is required and corresponds to a CIF group to write the safelist to
# The ITYPE is used to validate entries found in the FILENAME. YMMV.

CHNSAFELIST1_FILENAME=ipv4_safelist.txt
CHNSAFELIST1_REMOTE={cif_server_url}
CHNSAFELIST1_TOKEN={cif_write_token}
CHNSAFELIST1_TLS_VERIFY=True
CHNSAFELIST1_ITYPE=ipv4
CHNSAFELIST1_PROVIDER={cif_org}

The .env file may contain up to 10 feed specifications. Please be sure to substitute the variables inside the braces {}!

The FILENAME, REMOTE, TOKEN, ITYPE, TAGS, and a time specification (such as DAYS or HOURS) are required for all feed specifications. Other items may be specified, and will otherwise default to the values as defined in the upstream CIF Python SDK.

It is worth noting that there is NO default safelisting for feeds performed by this container.

To add safelisting entries to your partner id, create a one-indicator-per-line file for each type of indicator you wish to safelist for. Place the file in the volume specified in your docker-compose.yml (in this case ./safelists ), and specify the filename, remote CIF server, provider id, and CIF token (with write permissions) in the CHNSAFELIST variables.

Upon startup these safelist files will be read by the container and uploaded to the specified CIF server with a tag of whitelist and a group permission of only your PROVIDER as specified.

If you do not wish to perform any safelisting, you may leave the safelisting section out of your env file.

Once the docker-compose.yml is updated and the chn-intel-feeds.env file is present, you can simply:

docker-compose down && docker-compose up -d

To examine logs of the chn-intel-feeds instance, run:

docker-compose logs chn-intel-feeds