Comments (8)
pedramamini
commented on July 29, 2024
For DNS: https://majestic.com/reports/majestic-million
from threatkb.
pedramamini
commented on July 29, 2024
@dcuellar322 what will the API interaction look like for this when we're posting a new C2 IP or C2 DNS artifact and it matches something on the whitelist. Drop it silently? Return an error?
from threatkb.
pedramamini
commented on July 29, 2024
@dcuellar322 ideally if we post a list of artifacts, we'll get a response back for the ones that were rejected with some reason (duplicate, whitelisted, etc.)
from threatkb.
danny248
commented on July 29, 2024
If you're talking about mass import then it would be a function of the import api. The current output of the import api is below. we will just add a "whitelisted" key to the artifacts dictionary and pass back the information that way.
{
"artifacts": {
"duplicates": [
{
"type": "IP",
"artifact": "1.1.1.1"
}
],
"committed": [
{
"addedTags": [],
"tags": [],
"ip": "200.0.2.2",
"created_user": {
"active": true,
"admin": true,
"registered_on": "2017-08-23T00:27:31",
"email": "[email protected]",
"id": 3
},
"owner_user": null,
"reference_link": null,
"id": 49,
"asn": "CLARO S.A., BR",
"expiration_timestamp": null,
"city": null,
"date_modified": "2017-09-14T18:11:11",
"reference_text": null,
"modified_user": {
"active": true,
"admin": true,
"registered_on": "2017-08-23T00:27:31",
"email": "[email protected]",
"id": 3
},
"comments": [],
"st": null,
"state": "Imported",
"removedTags": [],
"country": null,
"date_created": "2017-09-14T18:11:11",
"expiration_type": null
}
]
}
}
from threatkb.
danny248
commented on July 29, 2024
@pedramamini how big is this list going to get? Trying to decide if we should store it in a flat file or the database.
from threatkb.
pedramamini
commented on July 29, 2024
Go with database. For the better.
…On Sun, Sep 17, 2017 at 10:24 AM danny248 ***@***.***> wrote:
@pedramamini <https://github.com/pedramamini> how big is this list going
to get? Trying to decide if we should store it in a flat file or the
database.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#43 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABMgxfn_kgtOKChPriSU1-qj_DbZ4yYAks5sjSuPgaJpZM4PG4KA>
.
from threatkb.
danny248
commented on July 29, 2024
We need a table to track whitelist items. It will need CRUD operations and fields:
created_time
modified_time
created_by_user
modified_by_user
whitelist_artifact
notes
Whitelist artifacts can be:
network CIDR (EX: 100.12.12.0/24)
a single IP
regex
Add a before-insert listener for c2dns and c2ip (See: app.models.yara_rules line 171 for example):
in the before-insert listener, iterate through the whitelist and do the following:
if the whitelist artifact is a network cidr, test to see whether the IP is in the CIDR
if the whitelist artifact is a single IP, test for an exact match
if the whitelist artifact is a regex, test it against the ip or dns entry
If there is a match, bail on the insert
from threatkb.
dcuellar322
commented on July 29, 2024
whitelist_artifact (2048)
notes (2048)
https://netaddr.readthedocs.io/en/latest/tutorial_01.html
try to instantiate IPAddress and IPNetwork
if they fail then it is a regex
from threatkb.
Related Issues (20)
- Mass import not committing YARA rules
- Add YARA signature generation capability
- SC_Email_Body_with_Known_Phishing_URL takes a long time to populate. HOT 4
- Add last updated date field HOT 2
- Make release data path configurable in settings
- Dashboard is not working
- Add option in mass import to mass retire IOCs HOT 1
- Escape on the new Signature creation modal exits without confirmation
- Copying a "Released" rule via "edit view" bounces the rule into "Vetting" status HOT 3
- Update DFI containers under ThreatKB
- Enable support for C2 DNS match type field in bulk import and batch edit HOT 2
- Entering and deleting an expiration date in batch edit view disables the save button in the same view.
- HA_MAGICSPELL_C2_Request_URI_Pattern fails validation on KB but is valid YARA.
- Ingested and imported rules without confidence and severity scores cannot be modified. HOT 1
- Tag rules on ingestion
- Dashboard does not load HOT 1
- Cannot save changes to signatures
- Cannot manually add new signatures
- Bulk import allows invalid IPs
- Server error in ThreatKB API from Recorded Future integration script HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from threatkb.