Comments (8)
For DNS: https://majestic.com/reports/majestic-million
from threatkb.
@dcuellar322 what will the API interaction look like for this when we're posting a new C2 IP or C2 DNS artifact and it matches something on the whitelist. Drop it silently? Return an error?
from threatkb.
@dcuellar322 ideally if we post a list of artifacts, we'll get a response back for the ones that were rejected with some reason (duplicate, whitelisted, etc.)
from threatkb.
If you're talking about mass import then it would be a function of the import API. The current output of the import API is below. We will just add a "whitelisted" key to the artifacts dictionary and pass back the information that way.
{
  "artifacts": {
    "duplicates": [
      {
        "type": "IP",
        "artifact": "1.1.1.1"
      }
    ],
    "committed": [
      {
        "addedTags": [],
        "tags": [],
        "ip": "200.0.2.2",
        "created_user": {
          "active": true,
          "admin": true,
          "registered_on": "2017-08-23T00:27:31",
          "email": "[email protected]",
          "id": 3
        },
        "owner_user": null,
        "reference_link": null,
        "id": 49,
        "asn": "CLARO S.A., BR",
        "expiration_timestamp": null,
        "city": null,
        "date_modified": "2017-09-14T18:11:11",
        "reference_text": null,
        "modified_user": {
          "active": true,
          "admin": true,
          "registered_on": "2017-08-23T00:27:31",
          "email": "[email protected]",
          "id": 3
        },
        "comments": [],
        "st": null,
        "state": "Imported",
        "removedTags": [],
        "country": null,
        "date_created": "2017-09-14T18:11:11",
        "expiration_type": null
      }
    ]
  }
}
from threatkb.
@pedramamini how big is this list going to get? Trying to decide if we should store it in a flat file or the database.
from threatkb.
We need a table to track whitelist items. It will need CRUD operations and fields:
created_time
modified_time
created_by_user
modified_by_user
whitelist_artifact
notes
Whitelist artifacts can be:
network CIDR (EX: 100.12.12.0/24)
a single IP
regex
Add a before-insert listener for c2dns and c2ip (See: app.models.yara_rules line 171 for example):
in the before-insert listener, iterate through the whitelist and do the following:
if the whitelist artifact is a network cidr, test to see whether the IP is in the CIDR
if the whitelist artifact is a single IP, test for an exact match
if the whitelist artifact is a regex, test it against the ip or dns entry
If there is a match, bail on the insert
from threatkb.
whitelist_artifact (2048)
notes (2048)
https://netaddr.readthedocs.io/en/latest/tutorial_01.html
try to instantiate IPAddress and IPNetwork
if they fail then it is a regex
from threatkb.
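The matching logic sketched in the two comments above (classify each whitelist entry as CIDR, single IP, or regex; test every incoming C2 IP/DNS artifact against the list; report rejected artifacts under a "whitelisted" key in the import response), written out as an added example. This is not ThreatKB's own code: it uses the standard-library ipaddress module in place of netaddr's IPAddress/IPNetwork, and the function names (classify, find_match, triage_import) and the sample whitelist and artifact values are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WhitelistEntry:
    """One row of the whitelist table: the raw artifact plus its parsed form."""
    raw: str
    kind: str        # "ip", "cidr" or "regex"
    matcher: object  # ipaddress address/network object, or a compiled regex
    notes: str = ""


def classify(raw: str, notes: str = "") -> WhitelistEntry:
    """Mirror the netaddr idea: try a single address, then a network; anything
    else is treated as a regex. Raises re.error for an unparseable pattern."""
    try:
        return WhitelistEntry(raw, "ip", ipaddress.ip_address(raw), notes)
    except ValueError:
        pass
    try:
        # strict=False accepts host bits set, e.g. 100.12.12.5/24
        return WhitelistEntry(raw, "cidr", ipaddress.ip_network(raw, strict=False), notes)
    except ValueError:
        pass
    return WhitelistEntry(raw, "regex", re.compile(raw), notes)


def load_whitelist(rows: List[dict]) -> List[WhitelistEntry]:
    """Build the in-memory list; skip rows whose regex will not compile so one
    bad row cannot disable the whole before-insert check."""
    entries = []
    for row in rows:
        try:
            entries.append(classify(row["whitelist_artifact"], row.get("notes", "")))
        except re.error:
            continue  # a real deployment would log the rejected row here
    return entries


def matches(entry: WhitelistEntry, artifact: str) -> bool:
    """Apply one whitelist entry to one artifact (an IP string or a DNS name)."""
    if entry.kind == "regex":
        return entry.matcher.search(artifact) is not None
    try:
        addr = ipaddress.ip_address(artifact)
    except ValueError:
        return False  # DNS names can only be matched by regex entries
    if entry.kind == "ip":
        return addr == entry.matcher  # cross-version comparison is simply False
    return addr in entry.matcher      # CIDR membership; IPv6 in an IPv4 net is False


def find_match(whitelist: List[WhitelistEntry], artifact: str) -> Optional[WhitelistEntry]:
    """What a before-insert listener would call: first matching entry, or None."""
    for entry in whitelist:
        if matches(entry, artifact):
            return entry
    return None


def triage_import(whitelist: List[WhitelistEntry], artifacts: List[str],
                  existing: List[str]) -> dict:
    """Sort a mass-import batch into committed / duplicates / whitelisted, in the
    shape of the import API response with the proposed "whitelisted" key added."""
    result = {"committed": [], "duplicates": [], "whitelisted": []}
    seen = set(existing)
    for artifact in artifacts:
        try:
            ipaddress.ip_address(artifact)
            kind = "IP"
        except ValueError:
            kind = "DNS"
        hit = find_match(whitelist, artifact)
        if hit is not None:
            result["whitelisted"].append(
                {"type": kind, "artifact": artifact, "reason": f"whitelisted by {hit.raw}"})
        elif artifact in seen:
            result["duplicates"].append({"type": kind, "artifact": artifact})
        else:
            result["committed"].append({"type": kind, "artifact": artifact})
            seen.add(artifact)
    return {"artifacts": result}


# Constructed sample rows; the last one is deliberately an invalid regex.
WHITELIST_ROWS = [
    {"whitelist_artifact": "100.12.12.0/24", "notes": "corporate egress range"},
    {"whitelist_artifact": "1.1.1.1", "notes": "public resolver"},
    {"whitelist_artifact": r"\.google\.com$", "notes": "never a C2 domain"},
    {"whitelist_artifact": "[unbalanced", "notes": "broken row, should be skipped"},
]
WHITELIST = load_whitelist(WHITELIST_ROWS)

# Constructed import batch and the set of artifacts already in the database.
SAMPLE_BATCH = ["100.12.12.77", "1.1.1.1", "mail.google.com",
                "200.0.2.2", "evil.example", "203.0.113.9"]
ALREADY_STORED = ["200.0.2.2"]

if __name__ == "__main__":
    import json
    print(json.dumps(triage_import(WHITELIST, SAMPLE_BATCH, ALREADY_STORED), indent=2))
```

Because the whitelist is checked before the duplicate check, an artifact that is both already stored and whitelisted is reported as whitelisted; swap the two branches in triage_import if the import API should prefer the duplicate verdict.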