ARTIF: An Advanced Real-time Threat Intelligence Identification Framework

About ARTIF

ARTIF is an advanced real-time threat intelligence framework built on top of MISP. It adds an abstraction layer that identifies malicious web traffic by IP address and historical data, and it automates analysis and threat scoring by collecting, processing and correlating observations from several factors.

Features

Scoring system: Enrich IP address information with threat metadata, including threat scores, which can be used as thresholds for security teams to take action.

Containerization: The tool is deployed as containers, which keeps deployment simple.

Modular architecture: The project is plug-in based. It can be extended by changing the threat sources in MISP, and plug-ins can be updated at runtime without stopping the running service.

Alerts: Integrates with Slack for proactive alerting.

Better attack analysis and visualization.

Use cases

Threat detection

Logging and Monitoring

User profiling

Alert Automation

Tool requirements

First, install MISP, either from source or from a pre-built AWS image.

After MISP is installed, a MaxMind GeoIP subscription is needed to populate the IP metadata. Edit docker-compose.yaml and add a maxmind service with your account ID and license key:

maxmind:
  image: maxmindinc/geoipupdate
  environment:
    GEOIPUPDATE_ACCOUNT_ID: xxxxx
    GEOIPUPDATE_LICENSE_KEY: xxxxxxxxxxxxxxx

Tool installation

First, clone the project source code locally:

git clone https://github.com/CRED-CLUB/ARTIF/

Then switch to the ARTIF root directory, build the Docker images and start the containers:

sudo docker-compose build
sudo docker-compose up

To connect ARTIF to MISP, open the MISP dashboard and get your MISP key. Then edit config.yaml and set MISP_KEY and MISP_URL: MISP_KEY is your MISP API key and MISP_URL is the URL where MISP is hosted.

The following is a sample config.yaml; replace the values with your own:

credentials:
  MISP_URL: "https://127.0.0.1"
  MISP_KEY: "qwertyuiopasdfghjk"

Now run update_check.py using its full absolute path, with the "-s" parameter:

python3 /home/user/ARTIF/ip_rep/feed_ingestor/update_check.py -s

Run it again, this time without the "-s" parameter:

python3 /home/user/ARTIF/ip_rep/feed_ingestor/update_check.py

Next, register the cron job using Django's crontab support:

python3 manage.py crontab add

Start the Django server from the ip_rep directory:

python3 manage.py runserver

This listens on port 8000 and serves the endpoint that returns metadata for an IP address (quote the URL so the shell does not interpret the "?"):

curl "127.0.0.1:8000/ip/?ip=xxxx"

The output is similar to the following:

{
  "is_IoC": false,
  "is_Active": false,
  "metadata": {"asn": "AS165**", "country": "XXX", "org": "XXX"},
  "score": 80.14671726301682,
  "description": "XXX",
  "blacklists": "",
  "type": "",
  "historical": false,
  "verdict": "No action needed"
}
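As an added example (not part of ARTIF's own code), the following script queries the /ip/ endpoint above and turns the response fields into a block/review/allow decision that can feed a Slack alert. It runs offline against a constructed copy of the sample response; the ARTIF_URL value, the score thresholds and the reading of the is_Active and historical flags are assumptions.

```python
import json
import urllib.parse
import urllib.request

# Constructed copy of the sample response shown above (not live data).
SAMPLE_RESPONSE = json.dumps({
    "is_IoC": False, "is_Active": False,
    "metadata": {"asn": "AS165**", "country": "XXX", "org": "XXX"},
    "score": 80.14671726301682, "description": "XXX", "blacklists": "",
    "type": "", "historical": False, "verdict": "No action needed",
})

ARTIF_URL = "http://127.0.0.1:8000"  # assumed: the runserver address from the steps above


def fetch_reputation(ip, base_url=ARTIF_URL, timeout=5):
    """Query ARTIF's /ip/ endpoint for one address and return the parsed JSON."""
    url = f"{base_url}/ip/?{urllib.parse.urlencode({'ip': ip})}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def classify(rep, block_threshold=90.0, review_threshold=70.0):
    """Map a reputation record to an action.

    A confirmed indicator (is_IoC) is blocked regardless of score. Otherwise the
    score is compared against two assumed thresholds; is_Active and historical are
    read as "seen recently / seen before" and only raise the record to review.
    """
    score = float(rep.get("score", 0.0))
    if rep.get("is_IoC") or score >= block_threshold:
        return "block"
    if score >= review_threshold or rep.get("is_Active") or rep.get("historical"):
        return "review"
    return "allow"


def decide(ip, rep):
    """Return a compact alert record (the fields a Slack message would carry)."""
    meta = rep.get("metadata", {})
    return {
        "ip": ip,
        "action": classify(rep),
        "score": round(float(rep.get("score", 0.0)), 2),
        "asn": meta.get("asn", ""),
        "country": meta.get("country", ""),
        "artif_verdict": rep.get("verdict", ""),
    }


if __name__ == "__main__":
    # Offline run on the constructed sample; use fetch_reputation(ip) against a live server.
    print(decide("203.0.113.10", json.loads(SAMPLE_RESPONSE)))
```

Note that ARTIF's own "verdict" string is kept alongside the local decision so the two policies can be compared when tuning thresholds.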

Tool demo

Set up and start a Docker container:

Turn on ARTIF:

Example of tool use

We call ARTIF through update_check.py:

ubuntu@localhost:~/ARTIF/ip_rep/feed_ingestor$ python3 /home/user/ARTIF/ip_rep/feed_ingestor/update_check.py -h
usage: update_check.py [-h] [-s [S]] -k [KEY] -m MISP

IP reputation program

optional arguments:
  -h, --help  show this help message and exit
  -s [S]      Required only for the first run

We can also list the cron jobs with the following command:

python3 manage.py crontab show

By default, the tool checks MISP every 24 hours and fetches the latest feed.

Finally

Here is a quick way to learn network security, "maybe" the most complete learning path:
1. Theoretical knowledge of network security (2 days)
①Understand the industry-related background, prospects, and determine the development direction.
②Learn laws and regulations related to network security.
③The concept of network security operation.
④Introduction to MLPS (Multi-Level Protection Scheme) compliance: its regulations, procedures and standards. (Very important)

2. Penetration testing basics (one week)
①Penetration testing process, classification, standards
②Information collection technology: active/passive information collection, Nmap tools, Google Hacking
③Vulnerability scanning and exploitation: principles, exploitation methods, tools (MSF), evading IDS and anti-virus
④Host attack and defense exercises: MS17-010, MS08-067, MS10-046, MS12-20, etc.

3. Operating system basics (one week)
①Common functions and commands of Windows system
②Common functions and commands of Kali Linux system
③Operating system security (system intrusion investigation / system hardening basics)

4. Computer network foundation (one week)
①Computer network foundation, protocol and architecture
②Network communication principle, OSI model, data forwarding process
③Common protocol analysis (HTTP, TCP/IP, ARP, etc.)
④Network attack technology and network security defense technology
⑤Web vulnerability principles and defense: active/passive attacks, DDoS attacks, CVE vulnerability reproduction

5. Basic database operations (2 days)
①Database basics
②SQL language basics
③Database security hardening

6. Web penetration (1 week)
①Introduction to HTML, CSS and JavaScript
②OWASP Top10
③Web vulnerability scanning tools
④Web penetration tools: Nmap, BurpSuite, SQLMap, others (Chopper, vulnerability scanners, etc.)


Congratulations: once you have learned this, you can basically work in a network security role such as penetration testing, web penetration, security services or security analysis; if you also master the security module, you can work as a security engineer. The salary range is 6k-15k.

So far, about a month in, you have become a "script kiddie". Do you still want to explore further?




Origin: blog.csdn.net/weixin_53312997/article/details/131968535