Add ctibulter api key (#9)

* add support for CTIBUTLER API Key #8 * replace CTIBUTLER_HOST with CTIBUTLER_BASE_URL * adding more docs * updating docs --------- Co-authored-by: David G <[email protected]>
muchdogesec · Jan 8, 2025 · 84eff50 · 84eff50
1 parent 4242def
commit 84eff50
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 9 deletions.
diff --git a/.env.example b/.env.example
@@ -5,4 +5,5 @@ ANTHROPIC_API_KEY=
 GOOGLE_API_KEY=
 TEMPERATURE=
 ## CTIBUTLER
-CTIBUTLER_HOST=
+CTIBUTLER_BASE_URL=
+CTIBUTLER_API_KEY=
diff --git a/.env.markdown b/.env.markdown
@@ -19,7 +19,9 @@ However, if you just want to experiment, set the following values
 
 ## CTIBUTLER
 
-Requires [ctibutler](https://github.com/muchdogesec/ctibutler) to lookup ATT&CK Enterprise objects;
+txt2detection requires [ctibutler](https://github.com/muchdogesec/ctibutler) to lookup ATT&CK
 
-* `CTIBUTLER_HOST`: `'http://host.docker.internal:8006'`
-	* If you are running CTI Butler locally, be sure to set `'http://host.docker.internal:8006'` in the `.env` file otherwise you will run into networking errors.
+* `CTIBUTLER_BASE_URL`: `'http://api.ctibutler.com'` (recommended)
+	* If you are running CTI Butler locally, be sure to set `'http://host.docker.internal:8006/api/'` in the `.env` file otherwise you will run into networking errors.
+* `CTIBUTLER_BASE_URL`:
+	* If using `'http://api.ctibutler.com'`, [get your API key here](http://app.ctibutler.com). Can be left blank if running locally.
diff --git a/tests/files/CVE-2024-1212.txt b/tests/files/CVE-2024-1212.txt
@@ -1,3 +1,5 @@
 A detection rule for the potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.
 
-It needs to look for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
+It needs to look for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
+
+It uses MITRE ATT&CK techniques T1547 and T1190.
diff --git a/txt2detection.py b/txt2detection.py
@@ -13,7 +13,7 @@
 if __name__ == '__main__':
     load_dotenv(override=True)
     args = parse_args()
-    if not os.getenv('CTIBUTLER_HOST'):
-        logging.fatal("CTIBUTLER_HOST env not set, exiting...")
+    if not os.getenv('CTIBUTLER_BASE_URL'):
+        logging.fatal("CTIBUTLER_BASE_URL env not set, exiting...")
         sys.exit(11)
     main(args)
diff --git a/txt2detection/bundler.py b/txt2detection/bundler.py
@@ -265,11 +265,11 @@ def to_json(self):
 
     def get_attack_objects(self, attack_ids):
         logger.debug(f"retrieving attack objects: {attack_ids}")
-        endpoint = urljoin(os.environ['CTIBUTLER_HOST'], f"api/v1/attack-enterprise/objects/?attack_id="+','.join(attack_ids))
+        endpoint = urljoin(os.environ['CTIBUTLER_BASE_URL'] + '/', f"v1/attack-enterprise/objects/?attack_id="+','.join(attack_ids))
 
         s = requests.Session()
         if api_key := os.environ.get('CTIBUTLER_API_KEY'):
-            s.headers['Authorization'] = f"Bearer {api_key}"
+            s.headers['API-KEY'] = api_key
 
         data = []
         page = 1