Monty Security C2 Tracker

Verification status

Status              Date         Comment
Filigran Verified   17/03/2026

Introduction

The MontySecurity C2-Tracker connector imports a free, community-driven IOC feed into OpenCTI, creating Malware objects and their associated IP address observables. The feed relies on Shodan searches to identify active C2, botnet, and malware infrastructure across the internet.

Installation

Requirements

  • Python >= 3.11
  • OpenCTI Platform >= 6.8.13
  • pycti library matching your OpenCTI version
  • connectors-sdk library matching your OpenCTI version

Configuration variables

Find all the configuration variables available here: Connector Configurations

The opencti and connector options in the docker-compose.yml and config.yml are the same as for any other connector. For more information regarding these variables, please refer to OpenCTI's documentation on connectors.

Deployment

Docker Deployment

Before building the Docker container, you need to pin the version of pycti in requirements.txt to the version of OpenCTI you're running, for example pycti==5.12.20. If you don't, pip installs the latest version, and a version mismatch can cause the OpenCTI SDK to fail to initialize.

Build a Docker Image using the provided Dockerfile.

Example:

# Replace the IMAGE NAME with the appropriate value
docker build . -t [IMAGE NAME]:latest

Make sure to replace the environment variables in docker-compose.yml with the appropriate configurations for your environment. Then, start the Docker container with the provided docker-compose.yml:

docker compose up -d
# -d for detached

Manual Deployment

Create a file config.yml based on the provided config.yml.sample.

Replace the configuration variables (especially the "ChangeMe" variables) with the appropriate configurations for your environment.

Install the required python dependencies (preferably in a virtual environment):

pip3 install -r requirements.txt

Then, start the connector from the src directory:

python3 main.py

Usage

After installation, the connector should require minimal interaction to use, and should update automatically at the regular interval specified by duration_period in your docker-compose.yml or config.yml.

However, if you would like to force an immediate download of a new batch of entities, navigate to:

Data management -> Ingestion -> Connectors in the OpenCTI platform.

Find the connector, and click on the refresh button to reset the connector's state and force a new download of data by re-running the connector.

Behavior

At each run, the connector fetches the malware list from the Monty Security C2-Tracker dataset, then downloads the associated IP list for each malware family. It converts malware names and IP observables into STIX objects and creates an "indicates" relationship between each IP and its malware family.

The generated bundle is sent to OpenCTI as a scheduled external import. The connector also stores last_run in its state so operators can track previous executions in the logs.

Because the source is community OSINT, entities are marked with a configurable TLP level (default: clear) and attributed to the Monty Security author identity.
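The conversion described above, as an added example that is not the connector's own code: a small, dependency-free Python script that takes a C2-Tracker-style mapping of malware family to raw IP lines and builds a STIX 2.1 bundle of the shape the README describes (one Malware per family, one IPv4 observable and one Indicator per IP, an "indicates" relationship from each indicator to its malware, every object marked with a TLP level and attributed to the Monty Security identity). The feed data is constructed, the SDO ids are derived from a constructed namespace so the example is reproducible, and the marking-definition id is a placeholder rather than the platform's standard TLP id. Invalid and duplicate lines are dropped before conversion, which is the check a community feed needs.

```python
"""Added example (not the connector's code): feed lines -> STIX 2.1 bundle."""
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Constructed sample in the feed's shape: malware family -> raw IP lines
# (includes a junk line and a duplicate to exercise the cleaning step).
SAMPLE_FEED = {
    "Cobalt Strike": ["192.0.2.10", "192.0.2.11", "not-an-ip", "192.0.2.10"],
    "Sliver": ["198.51.100.7"],
}

# STIX 2.1 namespace used for deterministic SCO ids (defined by the spec).
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# Constructed namespace so the SDO ids in this example are reproducible.
EXAMPLE_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "example.invalid")


def sdo_id(stix_type, key):
    """Deterministic id for SDOs/SROs (example-only scheme, not OpenCTI's)."""
    return f"{stix_type}--{uuid.uuid5(EXAMPLE_NAMESPACE, f'{stix_type}:{key}')}"


def sco_id(stix_type, contributing):
    """Spec-style SCO id: uuid5 over the canonical JSON of id-contributing props."""
    canonical = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return f"{stix_type}--{uuid.uuid5(SCO_NAMESPACE, canonical)}"


def clean_ips(lines):
    """Keep only syntactically valid, unique IPv4 addresses; return (kept, dropped)."""
    kept, dropped = [], 0
    for line in lines:
        try:
            ip = str(ipaddress.IPv4Address(line.strip()))
        except ValueError:
            dropped += 1  # junk line in a community feed: skip, don't crash
            continue
        if ip not in kept:
            kept.append(ip)
    return kept, dropped


def build_bundle(feed, author_name="Monty Security", tlp="clear", now=None):
    """Return (bundle_dict, dropped_line_count) for a family -> IP-lines mapping."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    author_id = sdo_id("identity", author_name)
    marking_id = sdo_id("marking-definition", f"tlp:{tlp}")  # placeholder id
    objects = [
        {"type": "identity", "spec_version": "2.1", "id": author_id, "created": ts,
         "modified": ts, "name": author_name, "identity_class": "organization"},
        {"type": "marking-definition", "spec_version": "2.1", "id": marking_id,
         "created": ts, "definition_type": "tlp", "name": f"TLP:{tlp.upper()}",
         "definition": {"tlp": tlp}},
    ]
    common = {"created_by_ref": author_id, "object_marking_refs": [marking_id]}
    seen_observables, dropped_total = set(), 0
    for family, lines in feed.items():
        malware_id = sdo_id("malware", family)
        objects.append({"type": "malware", "spec_version": "2.1", "id": malware_id,
                        "created": ts, "modified": ts, "name": family,
                        "is_family": True, **common})
        ips, dropped = clean_ips(lines)
        dropped_total += dropped
        for ip in ips:
            obs_id = sco_id("ipv4-addr", {"value": ip})
            ind_id = sdo_id("indicator", f"{family}:{ip}")
            if obs_id not in seen_observables:  # same IP may serve two families
                seen_observables.add(obs_id)
                objects.append({"type": "ipv4-addr", "spec_version": "2.1", "id": obs_id,
                                "value": ip, "object_marking_refs": [marking_id]})
            objects.append({"type": "indicator", "spec_version": "2.1", "id": ind_id,
                            "created": ts, "modified": ts, "name": ip,
                            "pattern_type": "stix", "valid_from": ts,
                            "pattern": f"[ipv4-addr:value = '{ip}']", **common})
            # indicator -> malware ("indicates") and indicator -> observable ("based-on")
            for rel_type, target in (("indicates", malware_id), ("based-on", obs_id)):
                objects.append({"type": "relationship", "spec_version": "2.1",
                                "id": sdo_id("relationship", f"{rel_type}:{ind_id}:{target}"),
                                "created": ts, "modified": ts,
                                "relationship_type": rel_type,
                                "source_ref": ind_id, "target_ref": target, **common})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}, dropped_total


def summarize(bundle):
    """Count objects by type (relationships by relationship_type) for log output."""
    counts = {}
    for obj in bundle["objects"]:
        key = obj["relationship_type"] if obj["type"] == "relationship" else obj["type"]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    bundle, dropped = build_bundle(SAMPLE_FEED)
    print(json.dumps(summarize(bundle), indent=2), f"dropped lines: {dropped}")
```

The "based-on" relationship from the indicator to the observable is how OpenCTI links an indicator to the observable it was derived from; it is added here in addition to the "indicates" relationship the README names. With the constructed feed, the result is 2 malware, 3 observables, 3 indicators, 3 "indicates" and 3 "based-on" relationships, with one junk line dropped and the duplicate IP collapsed.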

Debugging

The connector can be debugged by setting the appropriate log level. Note that logging messages can be added using self.helper.connector_logger.{LOG_LEVEL}("Sample message"), e.g., self.helper.connector_logger.error("An error message").

Additional information