Tired of writing parsers?

SMRT is an independent tool that uses YAML to map your threat feeds to a very simple indicator format. Indicators can be printed to STDOUT, sent to a CIF, CSIRTG or just about any threat intelligence backend you want.

It's as simple as:

$ csirtg-smrt -r csirtg.yml -f port-scanners --client cif ...

It's the swiss-army knife of intel consumption.

Example CSIRTG Config

# cif-smrt configuration file to pull feeds from csirtg.io
# For more information see https://csirtg.io
#
# If no token is given, the feed by default is a "limited feed"
# provided by https://csirtg.io. The limits of the "limited feed"
# are:
#
# 1. Only results from the last hour are returned
# 2. A maximum of 25 results are returned per feed
#
# To remove the limits, sign up for an API key at https://csirtg.io

parser: csv
token: 'CSIRTG_TOKEN'  # ENV['CSIRTG_TOKEN'] <get one at https://csirtg.io >
limit: 250
defaults:
  provider: csirtg.io
  altid_tlp: white
  altid: https://csirtg.io/search?q={indicator}
  tlp: white
  confidence: 9
  values:
    - null
    - indicator
    - itype
    - portlist
    - null
    - null
    - protocol
    - application
    - null
    - null
    - lasttime
    - description
    - null

feeds:
  # A feed of IP addresses block by a firewall (e.g. port scanners)
  port-scanners:
    remote: https://csirtg.io/api/users/csirtgadgets/feeds/port-scanners.csv
    defaults:
      tags:
        - scanner

  # A feed of URLs seen in the message body of UCE email. Do not alert or block
  # on these urls without additional post-processing.
  uce-urls:
    remote: https://csirtg.io/api/users/csirtgadgets/feeds/uce-urls.csv
    defaults:
      tags:
        - uce
        - uce-url

  # A feed of email addresses seen in UCE email. Do not alert or block on these
  # email addresses without additional post-processing.
  uce-email-address:
    remote: https://csirtg.io/api/users/csirtgadgets/feeds/uce-email-addresses.csv
    defaults:
      tags:
        - uce
        - uce-email-address

  # A feed of IP addresses seen delivering UCE email. This could be a machine that
  # is compromised or a user account has been compromised and used to send UCE.
  uce-ip:
    remote: https://csirtg.io/api/users/csirtgadgets/feeds/uce-ip.csv
    defaults:
      tags:
        - uce
        - uce-ip