Friday, January 23, 2015

Try the Critical Stack Intel Client

You may have seen in my LinkedIn profile that I'm advising a security startup called Critical Stack. If you use Security Onion or run the Bro network security monitoring (NSM) platform, you're ready to try the Critical Stack Intel Client.

Bro is not strictly an intrusion detection system that generates alerts, as Snort is. Rather, Bro generates a range of NSM data, including session data, transaction data, extracted content data, statistical data, and even alerts, if you want them.

Bro includes an intelligence framework that loads indicators from various sources and matches them against the traffic Bro analyzes. These sources can include more than just IP addresses. This Bro blog post explains some of the options, which include:


The Critical Stack Intel Client makes it easy to subscribe to over 30 threat feeds and deliver them to the Bro intelligence framework. The screen capture below shows some of the feeds:

Visit the Critical Stack site and follow the wizard to get started. First you create a Collection, which is a container for the threat intelligence you want. Next you select the threat intelligence Feeds that populate the Collection. Finally you create a Sensor, which is the system where you will deploy the Collection. When you are done you have an API key that the client on that sensor uses to fetch the Collection from the service.

I wrote a document explaining how to move beyond the wizard and test the client on a sensor running Bro -- either Bro by itself, or as part of the Security Onion NSM distro.

Once Bro loads the feeds the client delivers, each match against an indicator appears as a new entry in intel.log, stored alongside the other Bro logs.
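To make the two halves of that pipeline concrete, here is an added example (my own illustration, not code from this post or from Critical Stack) that does what you would do once feeds are flowing: it checks a feed file in the tab-separated, "#fields"-headed layout Bro's intelligence framework reads, then parses intel.log entries and joins each hit back to the feed metadata that caused it. The feed names, URLs, addresses and connection UIDs are constructed samples; the intel.log columns follow the Bro 2.3 layout, but the parser takes column names from the "#fields" line, so it copes with later versions that add columns.

```python
"""Validate a Bro intel feed and triage intel.log hits against it.
Added example, not code from the original post or from Critical Stack; the feed names,
URLs, addresses and connection UIDs below are constructed samples."""
from collections import Counter

# Indicator types the Bro 2.x intelligence framework accepts.
INTEL_TYPES = {"Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL", "Intel::DOMAIN",
               "Intel::USER_NAME", "Intel::FILE_HASH", "Intel::FILE_NAME", "Intel::CERT_HASH"}


def _tsv(*rows):  # join field tuples into tab-separated lines (only builds the samples)
    return "\n".join("\t".join(r) for r in rows) + "\n"


# Constructed feed in the layout Bro's Intel::read_files loads: a "#fields" header, then
# one indicator per line.  The same indicator may be listed by several feeds.
SAMPLE_FEED = _tsv(
    ("#fields", "indicator", "indicator_type", "meta.source", "meta.desc", "meta.url"),
    ("198.51.100.23", "Intel::ADDR", "example-feed-a", "scanner", "https://feeds.example.invalid/a"),
    ("198.51.100.23", "Intel::ADDR", "example-feed-c", "brute forcer", "https://feeds.example.invalid/c"),
    ("bad.example.net", "Intel::DOMAIN", "example-feed-b", "malware c2", "https://feeds.example.invalid/b"),
    ("d41d8cd98f00b204e9800998ecf8427e", "Intel::FILE_HASH", "example-feed-b", "dropper md5",
     "https://feeds.example.invalid/b"),
    ("evil.example.org/login.php", "Intel::URL", "example-feed-c", "phishing", "https://feeds.example.invalid/c"),
)

# Constructed intel.log in Bro 2.3 layout: "#separator" gives the column separator as an escape,
# "#unset_field"/"#empty_field" mark missing values and "#types" says which columns are sets.
SAMPLE_INTEL_LOG = _tsv(
    ("#separator \\x09",),
    ("#set_separator", ","),
    ("#empty_field", "(empty)"),
    ("#unset_field", "-"),
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "fuid", "file_mime_type",
     "file_desc", "seen.indicator", "seen.indicator_type", "seen.where", "sources"),
    ("#types", "time", "string", "addr", "port", "addr", "port", "string", "string", "string", "string",
     "enum", "enum", "set[string]"),
    ("1422014400.123456", "CXWv6p3arKYeMETxOg", "10.0.0.5", "51234", "198.51.100.23", "80", "-", "-", "-",
     "198.51.100.23", "Intel::ADDR", "Conn::IN_RESP", "example-feed-a"),
    ("1422014401.234567", "CjhGID4nQcgTWjvg4c", "10.0.0.7", "49152", "192.0.2.10", "53", "-", "-", "-",
     "bad.example.net", "Intel::DOMAIN", "DNS::IN_REQUEST", "example-feed-b"),
    ("1422014402.345678", "CUM0KZ3MLUfNB0cl11", "10.0.0.9", "50000", "192.0.2.44", "80", "FmZ3R1Ay4pm5b5n91",
     "application/x-dosexec", "-", "d41d8cd98f00b204e9800998ecf8427e", "Intel::FILE_HASH", "Files::IN_HASH",
     "example-feed-b"),
    ("1422014403.456789", "CUM0KZ3MLUfNB0cl12", "10.0.0.5", "51300", "198.51.100.23", "443", "-", "-", "-",
     "198.51.100.23", "Intel::ADDR", "Conn::IN_RESP", "example-feed-a,example-feed-c"),
)


def parse_bro_tsv(text):
    """Parse Bro TSV (feed or log) into dicts keyed by the #fields header: unset values
    become None, empty values "" and set-valued columns sorted lists."""
    sep, fields, set_cols, rows = "\t", None, set(), []
    opts = {"set_separator": ",", "unset_field": "-", "empty_field": "(empty)"}
    for raw in text.splitlines():
        if raw.startswith("#separator "):
            sep = raw[len("#separator "):].encode().decode("unicode_escape")
        elif raw.startswith("#"):  # #path, #open and #close fall through here and are ignored
            key, _, value = raw[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types" and fields:
                set_cols = {f for f, t in zip(fields, value.split(sep)) if t.startswith("set[")}
            elif key in opts:
                opts[key] = value
        elif raw:
            if fields is None:
                raise ValueError("data line before #fields header")
            values = raw.split(sep)
            if len(values) != len(fields):
                raise ValueError("expected %d columns, got %d" % (len(fields), len(values)))
            row = {}
            for name, value in zip(fields, values):
                if value == opts["unset_field"]:
                    row[name] = None
                elif name in set_cols:
                    row[name] = [] if value == opts["empty_field"] else sorted(value.split(opts["set_separator"]))
                else:
                    row[name] = "" if value == opts["empty_field"] else value
            rows.append(row)
    return rows


def validate_feed(feed_text):
    """Return problems that would make Bro reject an indicator or never match it."""
    problems = []
    for n, row in enumerate(parse_bro_tsv(feed_text), 1):
        kind = row["indicator_type"]
        if kind not in INTEL_TYPES:
            problems.append("row %d: unknown indicator_type %r" % (n, kind))
        if kind == "Intel::URL" and "://" in row["indicator"]:  # Bro matches URLs without the scheme
            problems.append("row %d: Intel::URL must omit the scheme" % n)
    return problems


def triage(feed_text, log_text):
    """Join each intel.log hit to the feed descriptions of its indicator."""
    meta = {}
    for row in parse_bro_tsv(feed_text):
        meta.setdefault((row["indicator"], row["indicator_type"]), []).append(row["meta.desc"])
    hits = []
    for row in parse_bro_tsv(log_text):
        key = (row["seen.indicator"], row["seen.indicator_type"])
        hits.append({"indicator": key[0], "type": key[1], "where": row["seen.where"],
                     "orig": row["id.orig_h"], "fuid": row["fuid"], "sources": row["sources"],
                     "desc": meta.get(key, [])})
    return hits


def summarize(hits):
    """Hit counts per indicator type and per feed source (one hit can cite several sources)."""
    return {"by_type": Counter(h["type"] for h in hits),
            "by_source": Counter(s for h in hits for s in h["sources"])}
```

Run it and `validate_feed(SAMPLE_FEED)` is empty, `triage(...)` yields four hits (two on the same address from two feeds, one DNS request for a listed domain, one file hash seen in a download, with the unset `fuid` columns coming back as None), and `summarize(...)` gives the per-type and per-source counts you would use to decide which feeds are earning their keep. The same parser reads any Bro log, since the header directives are what drive it.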

If Bro is completely new to you, I discuss how to get started with it in my latest book The Practice of Network Security Monitoring.

Please take a look at this new free software and let me know what you think.


Anonymous said...

Set this up today on our current Security Onion sensors with no issues whatsoever. Looking forward to validating alerts from feed sources.

Anonymous said...

Just installed this. Started feeds from all 33 sources. Hashes all seem to be config.bin on VT. Domains are good.

Sarvagya said...

Thank you for this blog. I have played with Critical Stack a lot, but I have not found any way to remove an already added API key. For example, say I have added an API key using critical-stack-intel api Some_KEY and later would like to remove that key Some_KEY; how do I do this? Any help will be much appreciated. Thanks.

Richard Bejtlich said...

Please contact CS directly. I am no longer involved with this code.