About Client
CrowdSec is a hyper-growth cybersecurity company with 300k+ installations. According to G2, it is a market leader in 8+ categories.
Problem Statement
MISP is an open-source threat intelligence platform that lets users share and consume threat intelligence. Many CrowdSec users were rolling their own custom solutions to import CrowdSec data into MISP, which meant a lot of duplicated work; the resulting solutions were often buggy and missed features.
Solution
We brainstormed with the CrowdSec team and Circl.lu (the creators of MISP) and decided to build a MISP feed generator for CrowdSec. We chose Python because both MISP and CrowdSec already have Python SDKs, so we did not have to reinvent the wheel. The feed generator is packaged as a Docker image for easy deployment, the build process is automated with GitHub Actions, and the project is also published on PyPI for easy installation.
Implementation
The feed generator at its core does the following:
- Poll CrowdSec API for new data.
- Update an existing feed or create a new one depending on the received data. These feeds are exposed over HTTP(S) so MISP can consume them.
- Update manifests to reflect the changes in feeds.
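The three steps above, as an added example that is not the project's own code: it folds one poll of a CrowdSec-style decisions stream into a MISP feed directory and then rewrites the manifests. It assumes the input shape of the CrowdSec LAPI decisions stream (`{"new": [...], "deleted": [...]}`, each decision carrying `scenario`, `scope` and `value`) and the feed layout produced by PyMISP's feed-generator example (`manifest.json`, `hashes.csv` with `md5(value),event uuid` rows, and one `<event uuid>.json` per event); the sample decisions, the namespace UUID and the org UUID are constructed for the example.

```python
"""Minimal MISP feed generator driven by a CrowdSec-style decisions stream.

Added example, not the project's own code. Assumptions (not from the page):
- input shape of the CrowdSec LAPI decisions stream, {"new": [...], "deleted": [...]};
- MISP feed layout as written by PyMISP's feed-generator example: manifest.json,
  hashes.csv ("md5(attribute value),event uuid" rows) and one <event uuid>.json per event.
"""
import hashlib
import json
import os
import tempfile
import time
import uuid

# Constructed sample of one poll: two bans, nothing expired yet.
SAMPLE_STREAM = {
    "new": [
        {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip",
         "value": "203.0.113.10", "duration": "3h59m", "scenario": "crowdsecurity/ssh-bf"},
        {"id": 2, "origin": "crowdsec", "type": "ban", "scope": "Range",
         "value": "198.51.100.0/24", "duration": "3h59m", "scenario": "crowdsecurity/http-probing"},
    ],
    "deleted": [],
}

# Fixed namespace (value chosen for this example) so a scenario always maps to the
# same event UUID: a later poll updates the event instead of creating a duplicate.
EVENT_NS = uuid.UUID("7f9f2d1c-4c6b-4d1a-9b0e-2e1c5a9d3b11")
ORGC = {"name": "CrowdSec", "uuid": "c3a1f3e6-3f9f-4a4e-8e0c-9b1a0c1d2e3f"}  # example org


def event_uuid(scenario):
    return str(uuid.uuid5(EVENT_NS, scenario))


def attr_type(decision):
    # Ip and Range both become ip-dst (a Range value is a CIDR); other scopes are skipped.
    return "ip-dst" if decision["scope"] in ("Ip", "Range") else None


def load_event(feed_dir, euid, scenario, now):
    path = os.path.join(feed_dir, euid + ".json")
    if os.path.exists(path):
        with open(path) as f:
            return json.load(f)
    return {"Event": {
        "uuid": euid, "info": "CrowdSec decisions: " + scenario,
        "date": time.strftime("%Y-%m-%d", time.gmtime(now)), "timestamp": str(now),
        "analysis": "2", "threat_level_id": "3", "Orgc": ORGC, "Tag": [], "Attribute": []}}


def apply_stream(feed_dir, stream, now):
    """Fold one poll into the feed: add new indicators, drop expired ones, rewrite manifests."""
    os.makedirs(feed_dir, exist_ok=True)
    touched = {}
    for key in ("new", "deleted"):
        for d in stream.get(key) or []:  # treat a null list as empty
            t = attr_type(d)
            if t is None:
                continue
            euid = event_uuid(d["scenario"])
            if euid not in touched:
                touched[euid] = load_event(feed_dir, euid, d["scenario"], now)
            ev = touched[euid]["Event"]
            if key == "new":
                if not any(a["value"] == d["value"] for a in ev["Attribute"]):
                    ev["Attribute"].append({
                        "uuid": str(uuid.uuid4()), "type": t, "category": "Network activity",
                        "to_ids": True, "value": d["value"], "timestamp": str(now),
                        "comment": "scenario=%s duration=%s" % (d["scenario"], d.get("duration"))})
            else:
                ev["Attribute"] = [a for a in ev["Attribute"] if a["value"] != d["value"]]
            ev["timestamp"] = str(now)  # MISP compares this to decide whether to re-fetch
    for euid, event in touched.items():
        with open(os.path.join(feed_dir, euid + ".json"), "w") as f:
            json.dump(event, f, indent=2)
    return write_manifest(feed_dir)


def write_manifest(feed_dir):
    """Rebuild manifest.json and hashes.csv from the event files on disk."""
    manifest, hashes = {}, []
    for name in sorted(os.listdir(feed_dir)):
        if name == "manifest.json" or not name.endswith(".json"):
            continue
        with open(os.path.join(feed_dir, name)) as f:
            ev = json.load(f)["Event"]
        manifest[ev["uuid"]] = {k: ev[k] for k in
                                ("info", "date", "timestamp", "analysis", "threat_level_id", "Orgc", "Tag")}
        for a in ev["Attribute"]:
            hashes.append("%s,%s" % (hashlib.md5(a["value"].encode()).hexdigest(), ev["uuid"]))
    with open(os.path.join(feed_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    with open(os.path.join(feed_dir, "hashes.csv"), "w") as f:
        f.write("".join(h + "\n" for h in hashes))
    return manifest, hashes


def run_demo(feed_dir=None):
    """Three polls: initial, a repeat (must be idempotent), then an expiry."""
    feed_dir = feed_dir or tempfile.mkdtemp(prefix="crowdsec-misp-feed-")
    m1, h1 = apply_stream(feed_dir, SAMPLE_STREAM, 1700000000)
    m2, h2 = apply_stream(feed_dir, SAMPLE_STREAM, 1700000100)
    expiry = {"new": None, "deleted": [{"scope": "Ip", "value": "203.0.113.10",
                                        "scenario": "crowdsecurity/ssh-bf"}]}
    m3, h3 = apply_stream(feed_dir, expiry, 1700000200)
    return {"events": len(m1), "hashes_first": len(h1), "hashes_repeat": len(h2),
            "hashes_after_expiry": len(h3),
            "ssh_bf_timestamp": m3[event_uuid("crowdsecurity/ssh-bf")]["timestamp"],
            "feed_dir": feed_dir}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Serve the resulting directory over HTTP(S) and point MISP's feed configuration at it. Two details matter in practice: the event UUID is derived from the scenario so repeated polls update rather than duplicate events, and the event `timestamp` is bumped on every change so MISP notices the update; an expired decision must be removed from both the event file and `hashes.csv`, otherwise MISP keeps matching on a stale indicator.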
Challenges
The biggest challenge was making the feed generator as generic as possible; we achieved this by exposing many configuration options.
We also found that examples of MISP feed generators were very limited, so we had to go through the MISP documentation and source code to understand how to implement one.
Results
The project is open source and available on GitHub.
It is also available on PyPI.
Docker images are available on Docker Hub.