Skip to content
/ zabbix Public

Criminal IP is a comprehensive OSINT-based Cyber Threat Intelligence (CTI) search engine that can be used as an automated Attack Surface Management solution.

www.criminalip.io
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

criminalip/zabbix

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
externalscripts
externalscripts
 
 
template
template
 
 
zabbix_agentd.d
zabbix_agentd.d
 
 
README.md
README.md
 
 

Repository files navigation

Criminalip Zabbix Template

1. About (Criminal IP integrated with Zabbix)

Criminal IP is a comprehensive OSINT-based Cyber Threat Intelligence (CTI) search engine that can be used as an automated Attack Surface Management solution.

We have created a template that integrates Criminal IP with Zabbix's monitoring to detect all security threats related to your exposed IP and open ports. It will notify you once a day about the number of exposed CVEs, the number of Honeypot attacks, and more.

To retrieve data, you need a Criminal IP API key. You can register for a free account at https://www.criminalip.io/ and find your API key on the My Information page.

Please note that this template was created using malicious IP info from https://www.criminalip.io/en/developer/api/get-ip-malicious-info.

In addition to the alarm service, you can also check out more detailed insights through Criminal IP integrated with Zabbix. You can search for suitable APIs and use them easily.

For more information or customization, please refer to the Web Filter and API Development Guide below:

2. Zabbix Template Structure

1) Macros used

Name

Description

Default

Type

{$CRIMINALIP_TARGET_PUBLIC_IP}

-

Text macro

2) Template links

There are no template links in this template.

3) Discovery rules

Name

Type

Key

 Additional info 

LLD Current Opened Ports

Zabbix Agent
Zabbix Agent (Active)

lld.criminalip.ports

Update: 60s

You can check the open ports and vulnerability information of the target public IP.  

For more information, please refer to the Asset Search page at https://www.criminalip.io/en/asset

Item prototypes

 Zabbix Agent
Zabbix Agent (Active)

check.criminalip.port[{#SOCKEY_TYPE}, {#PORT}]

Update: 60s

 It creates the Socket type and Port of the current open port data and shows you the Vulnerability category.
Trigger prototypes
last(/Template Security Criminalip/check.criminalip.port[{#SOCKEY_TYPE}, {#PORT}])>0

The vulnerability is exposed to an open port of the target IP.

For more information, please refer to the Asset Search page at https://www.criminalip.io/en/asset

4) Items collected

Name

Description

Type

Key

 Additional info 

Criminalip: Get Criminalip API

-

 Zabbix Agent
Zabbix Agent(Active)

get.criminalip.api[{$CRIMINALIP_TARGET_PUBLIC_IP}]

Update: 1d

You can get the get-ip-malicious-info information from https://api.criminalip.io and save it to a local file. 

(Saved file: /tmp/criminalip_cache.txt)

You can check more details at https://www.criminalip.io/en/asset

Criminalip: Sender Criminalip Malicious

-

Zabbix Agent
Zabbix Agent(Active)

sender.criminalip.malicious.count

Update: 1h

 The saved local file, criminalip_cache.txt is read and sends you the number of vulnerabilities to the items of each Trigger type.  

Criminalip: Vulnerabilities CVE stats

-

Zabbix Triggers 

criminalip.vulnerability.cve.count

 It counts the number of times the server has been exposed to a CVE vulnerability.

Criminalip: Vulnerabilities Honypot stats

-

Zabbix Triggers 

criminalip.vulnerability.honeypot.count

It counts the number of Honeypot attacks. 

Criminalip: Vulnerabilities Snort stats

-

Zabbix Triggers 

criminalip.vulnerability.snort.count

It counts the number of registered Public IPs at https://www.snort.org/

Criminalip: Vulnerabilities Webcam stats

-

Zabbix Triggers 

criminalip.vulnerability.webcam.count

 It counts the number of webcam exposure. 

5) Triggers

Severit

Name

Expression

Additional info 
High Criminalip: Vulnerability exposed in {$CRIMINALIP_TARGET_PUBLIC_IP}

last(/Template Security Criminalip/criminalip.vulnerability.cve.count)>0

It triggers when the number of exposures to CVE vulnerability is greater than 0. 

You can check details at https://www.criminalip.io

Average Criminalip: {$CRIMINALIP_TARGET_PUBLIC_IP} has exposed the webcam externally. last(/Template Security Criminalip/criminalip.vulnerability.webcam.count)>0

It triggers when the webcam exposure is greater than 0. 

You can check details at https://www.criminalip.io

Warning Criminalip: {$CRIMINALIP_TARGET_PUBLIC_IP} is detected by Honeypot as a threat. last(/Template Security Criminalip/criminalip.vulnerability.honeypot.count)>0

It triggers when Honeypot detection is greater than 0. 

You can check details at https://www.criminalip.io

Warning Criminalip: {$CRIMINALIP_TARGET_PUBLIC_IP} is detected by Snort as a threat.

last(/Template Security Criminalip/criminalip.vulnerability.snort.count)>0

It triggers when IDS(snort) detection is greater than 0. 

You can check details at https://www.criminalip.io

6) Graph

 Graph name  Item Name 
Criminalip: malicious info


 Template Security Criminalip: Criminalip: Vulnerabilities Honeypot stats    all
Template Security Criminalip: Criminalip: Vulnerabilities Snort stats all
Template Security Criminalip: Criminalip: Vulnerabilities CVE stats all
Template Security Criminalip: Criminalip: Vulnerabilities Webcam stats all

4. Zabbix Server Settings

Edit ExternalScripts in the Zabbix server.

vi /etc/zabbix/zabbix_server.conf :

ExternalScripts=/usr/lib/zabbix/externalscripts

Restart the Zabbix server.

$ systemctl restart zabbix-server

5. Zabbix Agent Settings

Mandatory installation

  • The Zabbix-sender must be installed.

Register UserParameter Create and save the /etc/zabbix/zabbix_agentd.d/criminalip.conf file

vi /etc/zabbix/zabbix_agentd.d/criminalip.conf :

UserParameter=get.criminalip.api[*],/usr/lib/zabbix/externalscripts/Get_criminalip_data.py $1
UserParameter=sender.criminalip.malicious.count,/usr/lib/zabbix/externalscripts/FileRead_count_criminalip.py
UserParameter=lld.criminalip.ports,/usr/lib/zabbix/externalscripts/FileRead_lld_criminalip.py
UserParameter=check.criminalip.port[*],/usr/lib/zabbix/externalscripts/Check_has_vulnerability.py $1 $2

Save the following Python script (UserParameter), which is stored in GIT, to the /usr/lib/zabbix/externalscripts/ directory

ls /usr/lib/zabbix/externalscripts/ :

Get_criminalip_data.py
FileRead_count_criminalip.py
Check_has_vulnerability.py
FileRead_lld_criminalip.py

Changing permissions with Zabbix ``` $ chown -Rf zabbix:zabbix /usr/lib/zabbix/externalscripts/ ```

Edit the file /usr/lib/zabbix/externalscripts/Get_criminalip_data.py

  • ${CRIMINALIP_API_KEY}: Register API_KEY issued from https://www.criminalip.io/

    vi /usr/lib/zabbix/externalscripts/Get_criminalip_data.py :
API_KEY = '${CRIMINALIP_API_KEY}'

Edit the file /usr/lib/zabbix/externalscripts/FileRead_count_criminalip.py

  • ${ZABBIX_SERVER_IP}: Enter the Zabbix server or Proxy IP
  • ${ZABBIX_SERVER_PORT}: Enter the Zabbix server or Proxy IP

    vi /usr/lib/zabbix/externalscripts/FileRead_count_criminalip.py :
ZABBIX_SERVER = '${ZABBIX_SERVER_IP}'
ZABBIX_PORT = '${ZABBIX_SERVER_PORT}'

Install the Python library to use the UserParameter script ``` $ pip install requests $ pip install py-zabbix ```

Restart Zabbix agent

$ systemctl restart zabbix-agent

## 6. Test Process __Run on a Zabbix server__

Check the Criminal IP API to verify if the searched information is stored properly to /tmp/criminalip_cache.txt

  • ${ZABBIX_AGENT_IPADDRESS}: Enter the Access IP where the Zabbix agent is installed, accessed by the Zabbix server (or proxy)
  • ${CRIMINALIP_TARGET_PUBLIC_IP}: Enter the Public IP target (macro registration) to detect threats
$ zabbix_get -s ${ZABBIX_AGENT_IPADDRESS} -k get.criminalip.api[${CRIMINALIP_TARGET_PUBLIC_IP}]

Data saved to file: /tmp/criminalip_cachefile.txt

cat /tmp/criminalip_cachefile.txt :

{
    "datetime": "2023-03-28T12:34:06.038880",
    "ip": "${CRIMINALIP_TARGET_PUBLIC_IP}",
    "ids_count": 0,
    "vulnerability_count": 39,
    "webcam_count": 0,
    "scanning_record_count": 0,
    "current_opened_port_value":
    [
        {"socket_type": "tcp", "port": 22, "protocol": "ssh", "product_name": "openssh", "product_version": "7.4", "has_vulnerability": true, "confirmed_time": "2023-02-21 16:58:52"},
        {"socket_type": "tcp", "port": 80, "protocol": "http", "product_name": "openssl", "product_version": "1.0.2k", "has_vulnerability": true, "confirmed_time": "2023-02-22 03:24:31"},
        {"socket_type": "tcp", "port": 443, "protocol": "https", "product_name": "openssl", "product_version": "1.0.2k", "has_vulnerability": true, "confirmed_time": "2023-02-05 03:01:50"}
    ]
}

Check whether the discovery function of the saved local file works correctly

  • ${ZABBIX_AGENT_IPADDRESS}: Enter the Access IP where the Zabbix agent is installed, accessed by the zabbix_server (or proxy)
{
    "data":
    [
        {"{#SOCKEY_TYPE}": "tcp", "{#PROTOCOL}": "ssh", "{#PORT}": 22, "{#PRODUCT_NAME}": "openssh", "{#PRODUCT_VERSION}": "7.4", "{#HAS_VULNERABILITY}": true, "{#CONFIRMED_TIME}": "2023-02-21 16:58:52"},
        {"{#SOCKEY_TYPE}": "tcp", "{#PROTOCOL}": "http", "{#PORT}": 80, "{#PRODUCT_NAME}": "openssl", "{#PRODUCT_VERSION}": "1.0.2k", "{#HAS_VULNERABILITY}": true, "{#CONFIRMED_TIME}": "2023-02-22 03:24:31"},
        {"{#SOCKEY_TYPE}": "tcp", "{#PROTOCOL}": "https", "{#PORT}": 443, "{#PRODUCT_NAME}": "openssl", "{#PRODUCT_VERSION}": "1.0.2k", "{#HAS_VULNERABILITY}": true, "{#CONFIRMED_TIME}": "2023-02-05 03:01:50"}
    ]
}

About

Criminal IP is a comprehensive OSINT-based Cyber Threat Intelligence (CTI) search engine that can be used as an automated Attack Surface Management solution.

www.criminalip.io

Topics

search-engine zabbix cyberthreatintelligence malicious-ips criminalip

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages