Proofpoint Emerging Threats Signatures CDF

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Proofpoint Emerging Threats Signatures CDF for ThreatQuotient enables a ThreatQ user to import Snort rules from Emerging Threats.

The integration provides the following feed:

  • Proofpoint Emerging Threats Signatures - ingests Snort Signatures and their related Adversary, Indicator, Malware and Attack Pattern objects.

The integration ingests the following system objects:

  • Signatures
  • Indicators
  • Malware
  • Attack Patterns
  • Adversaries

Prerequisites

  • If you are a Proofpoint Pro user, you will need your Oinkcode to access the Pro version.
  • MITRE ATT&CK attack patterns must have already been ingested by a previous run of the MITRE ATT&CK feeds in order for MITRE ATT&CK attack patterns extracted from detection event tags to be related to the event. MITRE ATT&CK attack patterns are ingested from the following feeds:
    • MITRE Enterprise ATT&CK
    • MITRE Mobile ATT&CK
    • MITRE ICS ATT&CK

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

  1. Log into https://marketplace.threatq.com/.
  2. Locate and download the integration file.
  3. Navigate to the integrations management page on your ThreatQ instance.
  4. Click on the Add New Integration button.
  5. Upload the integration file using one of the following methods:
    • Drag and drop the file into the dialog box
    • Select Click to Browse to locate the integration file on your local machine

    ThreatQ will inform you if the feed already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the feed contains changes to the user configuration. The new user configurations will overwrite the existing ones for the feed and will require user confirmation before proceeding.

You will still need to configure and then enable the feed.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Commercial option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    Parameter Description
    Version Select your version of Proofpoint.  Options include Open and Pro.
    ET Pro Oinkcode Enter your Oinkcode if you selected the Pro version above.
    Which Rules Do You Want to Import Select which rules to import. 

    Options include:

    • Snort 2.9.0
    • Snort Edge
    • Suricata 5.0
    • Suricata 7.0
    Block Rules Snort 2.9.0 If you selected to import Snort 2.9.0, select which Block Rules Snort 2.9.0 rules to import.

    Options include:

    • emerging-botcc.portgrouped.rules
    • emerging-botcc.rules
    • emerging-ciarmy.rules
    • emerging-compromised.rules
    • emerging-drop.rules
    • emerging-dshield.rules
    • emerging-tor.rules
    • threatview_CS_c2.rules 
    Block Rules Snort Edge If you selected to import Snort Edge, select which Block Rules Snort Edge rules to import.

    Options include:

    • emerging-botcc.portgrouped.rules
    • emerging-botcc.rules
    • emerging-ciarmy.rules
    • emerging-compromised.rules
    • emerging-drop.rules
    • emerging-dshield.rules
    • emerging-tor.rules
    • threatview_CS_c2.rules
    Block Rules Suricata 5.0 If you selected to import Suricata 5.0, select which Block Rules Suricata 5.0 rules to import.

    Options include:

    • emerging-botcc.portgrouped.suricata.rules
    • emerging-botcc.suricata.rules
    • emerging-ciarmy.suricata.rules
    • emerging-compromised.suricata.rules
    • emerging-drop.suricata.rules
    • emerging-dshield.suricata.rules
    • emerging-tor.suricata.rules
    • threatview_CS_c2.suricata.rules 
    Block Rules Suricata 7.0 If you selected to import Suricata 7.0, select which Block Rules Suricata 7.0 rules to import.

    Options include:

    • emerging-botcc.portgrouped.suricata.rules
    • emerging-botcc.suricata.rules
    • emerging-ciarmy.suricata.rules
    • emerging-compromised.suricata.rules
    • emerging-drop.suricata.rules
    • emerging-dshield.suricata.rules
    • emerging-tor.suricata.rules
    • threatview_CS_c2.suricata.rules 
    ET Snort 2.9.0 Rules If you selected to import Snort 2.9.0, select which Snort 2.9.0 rules to import.

    Options include:

    • emerging-activex.rules
    • emerging-attack_response.rules
    • emerging-botcc.portgrouped.rules
    • emerging-botcc.rules
    • emerging-chat.rules
    • emerging-ciarmy.rules
    • emerging-compromised.rules
    • emerging-current_events.rules
    • emerging-deleted.rules
    • emerging-dns.rules
    • emerging-dos.rules
    • emerging-exploit.rules
    • emerging-ftp.rules
    • emerging-games.rules
    • emerging-icmp.rules
    • emerging-icmp_info.rules
    • emerging-imap.rules
    • emerging-inappropriate.rules
    • emerging-info.rules
    • emerging-malware.rules
    • emerging-misc.rules
    • emerging-mobile_malware.rules
    • emerging-netbios.rules
    • emerging-p2p.rules
    • emerging-policy.rules
    • emerging-pop3.rules
    • emerging-retired.rules
    • emerging-rpc.rules
    • emerging-scada.rules
    • emerging-scada_special.rules (Pro Only)
    • emerging-scan.rules
    • emerging-shellcode.rules
    • emerging-smtp.rules
    • emerging-snmp.rules
    • emerging-sql.rules
    • emerging-telnet.rules
    • emerging-tftp.rules
    • emerging-tor.rules
    • emerging-trojan.rules
    • emerging-user_agents.rules
    • emerging-voip.rules
    • emerging-web_client.rules
    • emerging-web_server.rules
    • emerging-web_specific_apps.rules
    • emerging-worm.rules
    • threatview_CS_c2.rules
    ET Snort Edge Rules If you selected to import Snort Edge, select which Snort Edge rules to import.

    Options include:

    • emerging-activex.rules
    • emerging-attack_response.rules
    • emerging-botcc.portgrouped.rules
    • emerging-botcc.rules
    • emerging-chat.rules
    • emerging-ciarmy.rules
    • emerging-compromised.rules
    • emerging-current_events.rules
    • emerging-deleted.rules
    • emerging-dns.rules
    • emerging-dos.rules
    • emerging-exploit.rules
    • emerging-ftp.rules
    • emerging-games.rules
    • emerging-icmp.rules
    • emerging-icmp_info.rules
    • emerging-imap.rules
    • emerging-inappropriate.rules
    • emerging-info.rules
    • emerging-malware.rules
    • emerging-misc.rules
    • emerging-mobile_malware.rules
    • emerging-netbios.rules
    • emerging-p2p.rules
    • emerging-policy.rules
    • emerging-pop3.rules
    • emerging-retired.rules
    • emerging-rpc.rules
    • emerging-scada.rules
    • emerging-scada_special.rules (Pro Only)
    • emerging-scan.rules
    • emerging-shellcode.rules
    • emerging-smtp.rules
    • emerging-snmp.rules
    • emerging-sql.rules
    • emerging-telnet.rules
    • emerging-tftp.rules
    • emerging-tor.rules
    • emerging-trojan.rules
    • emerging-user_agents.rules
    • emerging-voip.rules
    • emerging-web_client.rules
    • emerging-web_server.rules
    • emerging-web_specific_apps.rules
    • emerging-worm.rules
    • threatview_CS_c2.rules
    ET Suricata 5.0 Rules If you selected to import Suricata 5.0, select which Suricata 5.0 rules to import.

    Options include:

    • botcc.portgrouped.rules
    • botcc.rules
    • ciarmy.rules
    • compromised.rules
    • drop.rules
    • dshield.rules
    • emerging-activex.rules
    • emerging-adware_pup.rules
    • emerging-attack_response.rules
    • emerging-chat.rules
    • emerging-coinminer.rules
    • emerging-current_events.rules
    • emerging-deleted.rules
    • emerging-dns.rules
    • emerging-dos.rules
    • emerging-exploit.rules
    • emerging-exploit_kit.rules
    • emerging-ftp.rules
    • emerging-games.rules
    • emerging-hunting.rules
    • emerging-icmp.rules
    • emerging-imap.rules
    • emerging-inappropriate.rules
    • emerging-info.rules
    • emerging-ja3.rules
    • emerging-malware.rules
    • emerging-misc.rules
    • emerging-mobile_malware.rules
    • emerging-netbios.rules
    • emerging-p2p.rules
    • emerging-phishing.rules
    • emerging-pop3.rules
    • emerging-retired.rules
    • emerging-rpc.rules
    • emerging-scada.rules
    • emerging-scada_special.rules (Pro Only)
    • emerging-scan.rules
    • emerging-shellcode.rules
    • emerging-smtp.rules
    • emerging-snmp.rules
    • emerging-sql.rules
    • emerging-telnet.rules
    • emerging-tftp.rules
    • emerging-user_agents.rules
    • emerging-voip.rules
    • emerging-web_client.rules
    • emerging-web_server.rules
    • emerging-web_specific_apps.rules
    • emerging-worm.rules
    • threatview_CS_c2.rules
    • tor.rules
    ET Suricata 7.0 Rules If you selected to import Suricata 7.0, select which Suricata 7.0 rules to import.

    Options include:

    • botcc.portgrouped.rules
    • botcc.rules
    • ciarmy.rules
    • compromised.rules
    • drop.rules
    • dshield.rules
    • emerging-activex.rules
    • emerging-adware_pup.rules
    • emerging-attack_response.rules
    • emerging-chat.rules
    • emerging-coinminer.rules
    • emerging-current_events.rules
    • emerging-deleted.rules
    • emerging-dns.rules
    • emerging-dos.rules
    • emerging-exploit.rules
    • emerging-exploit_kit.rules
    • emerging-ftp.rules
    • emerging-games.rules
    • emerging-hunting.rules
    • emerging-icmp.rules
    • emerging-imap.rules
    • emerging-inappropriate.rules
    • emerging-info.rules
    • emerging-ja3.rules
    • emerging-malware.rules
    • emerging-misc.rules
    • emerging-mobile_malware.rules
    • emerging-netbios.rules
    • emerging-p2p.rules
    • emerging-phishing.rules
    • emerging-pop3.rules
    • emerging-retired.rules
    • emerging-rpc.rules
    • emerging-scada.rules
    • emerging-scada_special.rules (Pro Only)
    • emerging-scan.rules
    • emerging-shellcode.rules
    • emerging-smtp.rules
    • emerging-snmp.rules
    • emerging-sql.rules
    • emerging-telnet.rules
    • emerging-tftp.rules
    • emerging-user_agents.rules
    • emerging-voip.rules
    • emerging-web_client.rules
    • emerging-web_server.rules
    • emerging-web_specific_apps.rules
    • emerging-worm.rules
    • threatview_CS_c2.rules
    • tor.rules
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

Proofpoint Emerging Threats Signatures

The Proofpoint Emerging Threats Signatures feed ingests Snort Signatures and their related Adversary, Indicator, Malware and Attack Pattern objects.

GET https://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-botcc.rules

Sample Response:


alert tcp $HOME_NET any -> [104.129.55.103] any (msg:"ET CNC Feodo Tracker Reported CnC Server TCP group 1"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404300; rev:7100; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2024_02_12;)
alert udp $HOME_NET any -> [104.129.55.103] any (msg:"ET CNC Feodo Tracker Reported CnC Server UDP group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404301; rev:7100; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2024_02_12;)
alert tcp $HOME_NET any -> [104.129.55.104] any (msg:"ET CNC Feodo Tracker Reported CnC Server TCP group 2"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404302; rev:7100; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2024_02_12;)
alert udp $HOME_NET any -> [104.129.55.104] any (msg:"ET CNC Feodo Tracker Reported CnC Server UDP group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404303; rev:7100; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2024_02_12;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.LoadMoney User Agent"; flow:established,to_server; content:"User-Agent|3a 20|Downloader "; http_header; fast_pattern:12,11; pcre:"/^User-Agent\x3a Downloader \d\.\d\r?$/Hm"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024260; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2017_04_27;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods"; flow:to_client,established; file_data; content:"5407153D-022F-4CD2-8BFF-465569BC5DB8"; distance:0; content:"Save"; distance:0; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; pcre:"/(Save|SaveLayoutChanges|SaveMenuUsageData)/i"; reference:bugtraq,24959; reference:cve,CVE-2007-3883; reference:url,www.exploit-db.com/exploits/5395/; reference:url,doc.emergingthreats.net/2008127; classtype:web-application-attack; sid:2008127; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2010_10_15;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/ip.php)"; flow:established,to_server; content:"av_base/ip.php"; nocase; http_uri; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010567; classtype:trojan-activity; sid:2010567; rev:4; metadata:created_at 2010_07_30, updated_at 2010_09_16;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET DELETED Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000307; classtype:trojan-activity; sid:2000307; rev:25; metadata:attack_target Client_Endpoint, created_at 2010_07_30, confidence Medium, deployment Perimeter, updated_at 2011_02_08, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"antivirus-update.top"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/; classtype:domain-c2; sid:2029326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_01_29;)

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes
.data.msg | Signature.Name | Signature | N/A | ET CNC Feodo Tracker Reported CnC Server TCP group 1 | N/A
.data | Signature.Value | Signature | N/A | alert tcp $HOME_NET any -> [104.129.55.103] any (msg: ... | N/A
.data.metadata.signature_severity | Signature/Related Indicator.Attribute | Severity | N/A | Major | Updatable. For indicator types FQDN, MD5, SHA-1, SHA-256, SHA-512.
.data.metadata.confidence | Signature/Related Indicator.Attribute | Confidence | N/A | Medium | Updatable. For indicator types FQDN, MD5, SHA-1, SHA-256, SHA-512.
.data.metadata.created_at | Signature.Attribute | Created At | N/A | 2014_11_04 | N/A
.data.metadata.tag | Signature.Attribute | Tag | N/A | Banking_Trojan | N/A
.data.metadata.deployment | Signature.Attribute | Deployment | N/A | Perimeter | N/A
.data.metadata.attack_target | Signature/Related Indicator.Attribute | Attack Target | N/A | Client_Endpoint | For indicator types FQDN, MD5, SHA-1, SHA-256, SHA-512.
.data.metadata.affected_product | Signature/Related Indicator.Attribute | Affected Product | N/A | Windows_XP_Vista_7_8_10_Server_32_64_Bit | For indicator type CVE.
.data.classtype | Signature/Related Indicator.Attribute | Classtype | N/A | trojan-activity | Updatable. For indicator types FQDN, MD5, SHA-1, SHA-256, SHA-512.
.data.threshold | Signature.Attribute | Threshold | N/A | type limit, track by_src, seconds 3600, count 1 | Updatable.
.data.sid | Signature.Attribute | SID | N/A | 2404300 | N/A
.data.rev | Signature.Attribute | Revision | N/A | 7100 | N/A
.data.metadata.malware_family | Related Malware.Value | Malware | N/A | Loadmoney | Malware families that do not start with apt, unc, ta.
.data | Related Indicator.Value | CVE | N/A | CVE-2007-3883 | All rule text is searched for CVEs.
.data.reference:md5 | Related Indicator.Value | MD5 | N/A | 06e69bfb6fffa17c4fc1e23af71b345c | N/A
.data.reference:sha1 | Related Indicator.Value | SHA-1 | N/A | N/A | N/A
.data.reference:sha256 | Related Indicator.Value | SHA-256 | N/A | N/A | N/A
.data.reference:sha512 | Related Indicator.Value | SHA-512 | N/A | N/A | N/A
.data.content | Related Indicator.Value | FQDN | N/A | antivirus-update.top | If dns.query in signature value.
.data.metadata.mitre_tactic_name | Signature/Related Indicator.Attribute | Tactic | N/A | Initial Access | If .mitre_tactic_name in table MITRE Tactics. For indicator types FQDN, MD5, SHA-1, SHA-256, SHA-512.
.data.metadata.mitre_tactic_id | Signature/Related Indicator.Attribute | Tactic | N/A | Initial Access | Mapped according to MITRE Tactics table. For indicator types FQDN, MD5, SHA-1, SHA-256, SHA-512.
.data.metadata.mitre_technique_id | Related Attack-Pattern.Value | Attack Pattern | N/A | T1701 - <technique name> | If technique already ingested using MITRE CDF.
.data.metadata.malware_family | Related Adversary.Name | Adversary | N/A | APT26 | Malware families that start with apt, unc, ta.
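The mapping table above, worked through in code: the following is an added Python example written for this guide, not the CDF's own code. It parses rule lines into the .data fields the table names and applies the default mapping to each one. It assumes that disabled ('#'-prefixed) rules are parsed like enabled ones (the table's MD5, CVE and Loadmoney examples come from such lines), stands in for the MITRE Tactics table and the list of already-ingested techniques with two small constructed dictionaries, and treats every content option that follows dns.query as a queried name; the three input rules are constructed from the sample response above and trimmed.

```python
import re

# Constructed sample input: three rule lines modelled on the guide's sample response, trimmed,
# with a metadata block added to the last one so that every mapping branch below is exercised.
# The '#'-prefixed line is a disabled rule; the guide's own examples (the MD5 reference,
# CVE-2007-3883, Loadmoney) come from such lines, so disabled rules are parsed too (assumption).
SAMPLE_RULES = r"""
alert tcp $HOME_NET any -> [104.129.55.103] any (msg:"ET CNC Feodo Tracker Reported CnC Server TCP group 1"; flags:S; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404300; rev:7100; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/ip.php)"; flow:established,to_server; content:"av_base/ip.php"; nocase; http_uri; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; reference:cve,CVE-2007-3883; classtype:trojan-activity; sid:2010567; rev:4; metadata:malware_family Loadmoney, affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"antivirus-update.top"; nocase; endswith; classtype:domain-c2; sid:2029326; rev:2; metadata:malware_family APT26, mitre_tactic_id TA0009, mitre_technique_id T1005, signature_severity Major, confidence High;)
"""

# Stand-ins (assumed) for two tables the guide refers to but does not print: a subset of the
# MITRE Tactics table and the techniques already ingested by the MITRE ATT&CK CDF.
MITRE_TACTICS = {"TA0001": "Initial Access", "TA0009": "Collection", "TA0011": "Command and Control"}
KNOWN_TECHNIQUES = {"T1005": "Data from Local System"}
HASH_TYPES = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256", "sha512": "SHA-512"}
INDICATOR_ATTR_TYPES = {"FQDN", "MD5", "SHA-1", "SHA-256", "SHA-512"}  # per the Notes column
ADVERSARY_PREFIXES = ("apt", "unc", "ta")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
META_ATTRS = (("signature_severity", "Severity"), ("confidence", "Confidence"), ("created_at", "Created At"),
              ("tag", "Tag"), ("deployment", "Deployment"), ("attack_target", "Attack Target"),
              ("affected_product", "Affected Product"))
OPTION_ATTRS = (("classtype", "Classtype"), ("threshold", "Threshold"), ("sid", "SID"), ("rev", "Revision"))

def split_options(body):
    """Split the rule's option block on ';' outside double quotes, keeping option order."""
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [o for o in opts + [cur.strip()] if o]

def parse_rule(line):
    """Parse one Snort/Suricata rule line into the guide's .data fields."""
    text = line.strip().lstrip("#").strip()
    start, end = text.index("("), text.rindex(")")  # option block = first '(' .. last ')'
    data = {"raw": text, "metadata": {}, "reference": {}, "fqdn": [], "modifiers": []}
    dns_query = False  # simplification: every content after dns.query is a queried name
    for opt in split_options(text[start + 1:end]):
        key, sep, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:  # bare keyword such as nocase, http_uri, dns.query
            data["modifiers"].append(key)
            dns_query = dns_query or key == "dns.query"
        elif key == "metadata":  # "k1 v1, k2 v2, ..."
            for item in value.split(","):
                mkey, _, mval = item.strip().partition(" ")
                data["metadata"][mkey] = mval.strip()
        elif key == "reference":  # "type,value"; several references per rule are common
            rtype, _, rval = value.partition(",")
            data["reference"].setdefault(rtype, []).append(rval)
        elif key == "content":
            if dns_query:
                data["fqdn"].append(value.strip('"'))
        else:
            data[key] = value.strip('"')
    return data

def map_to_threatq(data):
    """Apply the guide's default mapping table to one parsed rule."""
    meta, attrs = data["metadata"], {}
    attrs.update((akey, meta[mkey]) for mkey, akey in META_ATTRS if mkey in meta)
    attrs.update((akey, data[dkey]) for dkey, akey in OPTION_ATTRS if dkey in data)
    # Tactic: a tactic ID is mapped through the table; a tactic name is kept only if it is in it.
    tactic = MITRE_TACTICS.get(meta.get("mitre_tactic_id"), meta.get("mitre_tactic_name", "").replace("_", " "))
    if tactic in MITRE_TACTICS.values():
        attrs["Tactic"] = tactic
    indicators = [{"type": t, "value": v} for r, t in HASH_TYPES.items() for v in data["reference"].get(r, [])]
    indicators += [{"type": "FQDN", "value": f} for f in data["fqdn"]]
    indicators += [{"type": "CVE", "value": c} for c in sorted(set(CVE_RE.findall(data["raw"])))]
    for ind in indicators:  # Notes column: which signature attributes are copied to which indicator types
        keys = ("Severity", "Confidence", "Classtype", "Attack Target", "Tactic") \
            if ind["type"] in INDICATOR_ATTR_TYPES else ("Affected Product",)
        ind["attributes"] = {k: attrs[k] for k in keys if k in attrs}
    malware, adversaries = [], []
    family = meta.get("malware_family")
    if family:  # apt/unc/ta prefixes become Adversaries, everything else Malware
        (adversaries if family.lower().startswith(ADVERSARY_PREFIXES) else malware).append(family)
    tid = meta.get("mitre_technique_id")  # unknown techniques are skipped rather than emitted empty
    attack_patterns = [f"{tid} - {KNOWN_TECHNIQUES[tid]}"] if tid in KNOWN_TECHNIQUES else []
    return {"signature": {"name": data.get("msg"), "value": data["raw"], "attributes": attrs},
            "indicators": indicators, "malware": malware, "adversaries": adversaries,
            "attack_patterns": attack_patterns}

def ingest(rules_text):
    """Parse and map every non-empty line of a downloaded .rules file body."""
    return [map_to_threatq(parse_rule(l)) for l in rules_text.strip().splitlines() if l.strip()]

if __name__ == "__main__":
    for obj in ingest(SAMPLE_RULES):
        print(obj["signature"]["name"], obj["indicators"], obj["malware"], obj["adversaries"], obj["attack_patterns"])
```

Running the block prints one line per rule: the first yields only a Signature with its attributes, the second an MD5 and a CVE indicator carrying the attributes the Notes column assigns to each type, and the third an FQDN indicator, an APT26 Adversary and the T1005 Attack Pattern. A technique ID that is not in the already-ingested list produces no Attack Pattern at all, which is the behaviour the 1.1.0 change log describes for the empty [] value.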

Average Feed Run

Object counts and feed runtime are supplied as generalities only: objects returned by a provider can differ based on credential configuration, and feed runtime may vary based on system resources and load.

Metric | Result
Run Time | 3 minutes
Signature | 123
Signature Attributes | 1,230
Malware | 5
Indicators | 12
Indicator Attributes | 24
Attack Patterns | 2

Known Issues / Limitations

  • Several rule collections may contain a substantial number of signatures. Selecting multiple rule collections to run simultaneously can result in a timeout error.
  • The Version should be set to Pro for files marked as Pro Only.

Change Log

  • Version 1.1.0
    • Updates rule lists based on Proofpoint's latest offerings
    • Suricata 4.0 has been replaced with Suricata 7.0 (5.0 still available)
    • Fixes issue causing an Attack Pattern with the value of [] to be ingested and related to signatures
    • Adds support for parsing the Confidence metadata field
    • Adds support for mapping MITRE ATT&CK Technique IDs to the proper ThreatQ objects
    • Adds support for parsing CVEs, SHA-1, SHA-256, and SHA-512 metadata fields
    • Better MITRE Tactic parsing and mapping
  • Version 1.0.0
    • Initial release

PDF Guides

Document | ThreatQ Version
Proofpoint Emerging Threats Signatures CDF Guide v1.1.0 | 5.20.0 or Greater
Proofpoint Emerging Threats Signatures CDF Guide v1.0.0 | 5.20.0 or Greater