use more of the feed #84
Yes, I agree with that 100%, and that would be one of the objectives of the plugin model in #23: to have precise parsing from each feed and normalizing the different types of information we get from different ones. There are some pre-requisites to get there, but if you want to help us categorize the different kinds of metadata the feeds have we would greatly appreciate it. |
On my way there. First, I'm working on shoving the results into CRITs (https://github.com/crits/crits) |
Nice! 👍 Let me know how that goes :) |
Hey, @mgoffin, can you give us some pointers on the best way to integrate with CRITS? |
Sure! The best thing for now would probably be to write a script using the CRITs API to consume the feed and ingest it into CRITs. Ultimately what would be more beneficial is to create a service which has the ability to pull down the feed, parse it, display results to a user, and let them "approve" which items to accept into the system. That will probably become the standard model for any service(s) that deal with feed ingestion. |
Cool! I saw the services API on the Wiki, I guess that is what you mean, right? Do you have a reference implementation I could look at maybe? It sounds like a good idea to build this integration as more and more people use CRITs |
You'll want to check out the Authenticated API on the wiki. It gives some examples and such. It's not 100% but you can read and write all of the different TLOs. Just can't do updates or removal. |
👍 |
@alexcpsec @mgoffin working on uploading the IOCs via the web API - it's a bit too slow (a few hours for the 300K+ IPs), so I'll try multithreading and if that works better, I'll submit the code for review. |
I'll note that we haven't tried hammering the API like that before, so we don't have any useful benchmarks for what speeds we should be getting :) |
As for the original topic and more context, before Combine I wrote something to do this and I implemented it by trying to get STIX-like fields from the sources.

```json
{
  "impact": "high",
  "source": "malwareDomainList",
  "campaign": "testCampaign",
  "confidence": "medium",
  "format": "^\\\".*\\\"\\,\\\"(.*?)\\\"\\,\\\"(\\d+\\.\\d+\\.\\d+\\.\\d+|-)\\\"\\,\\\"(.*?)\\\"\\,\\\".*?\\\"\\,\\\".*?\\\"\\,\\\"(\\d+|-)\\\"",
  "reference": "http://www.malwaredomainlist.com/updatescsv.php",
  "fields": ["URI - URL", "Address - ipv4-addr", "URI - Domain Name", "Address - asn"]
}
```

My intention was to design a relationship engine for all the IOCs from here and upload them related into CRITs, but I never got to it |
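To show how a feed definition like the one above is actually applied, here is an added example (not code from Combine or from the commenter) that loads a config of that shape, runs the regex over constructed sample rows in the malwaredomainlist CSV layout, maps each capture group to the indicator type at the same position in "fields", and records which values came from the same row so they can later be uploaded as related. The sample rows and the "related" key are this example's own construction.

```python
import json
import re

# Constructed feed definition, copied in shape from the config shown above:
# one regex ("format") per feed and a "fields" list that names the CRITs/STIX
# indicator type of each capture group, in order. The remaining keys are
# metadata attached to every indicator the feed yields.
FEED_CONFIG = json.loads(r'''{
  "impact": "high",
  "source": "malwareDomainList",
  "campaign": "testCampaign",
  "confidence": "medium",
  "format": "^\\\".*\\\"\\,\\\"(.*?)\\\"\\,\\\"(\\d+\\.\\d+\\.\\d+\\.\\d+|-)\\\"\\,\\\"(.*?)\\\"\\,\\\".*?\\\"\\,\\\".*?\\\"\\,\\\"(\\d+|-)\\\"",
  "reference": "http://www.malwaredomainlist.com/updatescsv.php",
  "fields": ["URI - URL", "Address - ipv4-addr", "URI - Domain Name", "Address - asn"]
}''')

# Constructed sample rows in the CSV layout the regex expects
# (date, URL, IP, domain, registrant, description, ASN); "-" marks an unknown value.
SAMPLE_FEED = (
    '"2014/10/21_14:00","badsite.example/dl/payload.exe","198.51.100.7",'
    '"badsite.example","registrant@example.invalid","Trojan downloader","64496"\n'
    '"2014/10/21_13:10","other.example/x.php","-","other.example","-","Phishing kit","-"\n'
    'this line does not match the feed format\n'
)


def parse_feed(config, text):
    """Apply the feed's regex line by line and map each capture group to the
    indicator type declared at the same position in "fields".

    Returns (indicators, unmatched). Each indicator carries the feed metadata
    and a "related" list of the other values found on the same row, which is
    the raw material for uploading them as related objects later.
    """
    pattern = re.compile(config["format"])
    fields = config["fields"]
    # A config whose regex and field list disagree would silently mislabel values.
    if pattern.groups != len(fields):
        raise ValueError(f"format has {pattern.groups} groups but fields lists {len(fields)}")
    meta = {k: config[k] for k in ("source", "campaign", "impact", "confidence", "reference")}
    indicators, unmatched = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = pattern.match(line)
        if m is None:
            unmatched.append((lineno, line))  # keep for review instead of dropping silently
            continue
        # Skip the feed's "-" placeholder so no indicator is created for an unknown value.
        row = [(itype, value) for itype, value in zip(fields, m.groups())
               if value not in ("", "-")]
        for itype, value in row:
            indicators.append({
                "type": itype,
                "value": value,
                "related": [v for _, v in row if v != value],
                **meta,
            })
    return indicators, unmatched


def summarize(indicators):
    """Count indicators per type, a cheap sanity check before ingestion."""
    counts = {}
    for ind in indicators:
        counts[ind["type"]] = counts.get(ind["type"], 0) + 1
    return counts


if __name__ == "__main__":
    inds, unmatched = parse_feed(FEED_CONFIG, SAMPLE_FEED)
    print(json.dumps(inds, indent=2))
    print(summarize(inds))
    print("unmatched:", unmatched)
```

Two rows that match yield six indicators (the second row's "-" IP and ASN are dropped), and the line that does not match is returned separately rather than discarded, so a feed format change shows up as a growing unmatched list instead of an empty ingest.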
@alexcpsec and @mgoffin , here's my single threaded code: https://github.com/paulpc/combine. I'll wait until I can get better performance before I submit an official pull request |
@paulpc Got the gist of it by looking at your code, nice work. To speed things up by making the requests parallel, I would suggest you have a look at the |
@alexcpsec , I'll give it a look. I did it manually using multithread and was able to do it 25% faster for 5380 IPs/Domains - not sure it's worth the code complications yet.
|
So maybe 5-ish mins for 5500 indicators? That is not too bad. As to Mike's point, who knows how much CRITs can handle. :) LMK if you want to merge back when you think you are ready. We might tinker with it in the near future or so to try to add |
Will do - I'm testing with a few more indicators (a couple more blocklist.de
Paul Poputa-Clean
|
Turns out, the more indicators, the more speed gains:
I'll get everything ready for it and submit it for a pull request |
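The multithreaded submission discussed in this thread, as an added example rather than the commenter's code: a bounded thread pool pushes indicators to an injected `submit` callable, one failing indicator is recorded instead of aborting the batch, and duplicates are removed first so a 300K-row feed does not turn into 300K API calls. `crits_submit` targets a placeholder CRITs host; its path and `username`/`api_key` query parameters follow the CRITs Authenticated API as I recall it and should be treated as an assumption to check against your CRITs version. `make_fake_submit` is a constructed stand-in so the pattern runs offline.

```python
import json
import threading
import time
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor, as_completed

# Placeholders, not real values: point these at your own CRITs instance.
CRITS_URL = "https://crits.example.invalid"
CRITS_USER = "combine"
CRITS_API_KEY = "REPLACE_WITH_API_KEY"


def crits_submit(indicator, timeout=30):
    """POST one indicator to the CRITs Authenticated API.

    Assumption: /api/v1/indicators/ with username and api_key as query
    parameters, JSON body. Verify against your CRITs wiki before use.
    """
    query = urllib.parse.urlencode({"username": CRITS_USER, "api_key": CRITS_API_KEY})
    req = urllib.request.Request(
        f"{CRITS_URL}/api/v1/indicators/?{query}",
        data=json.dumps(indicator).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def dedupe(indicators):
    """Drop repeats of the same (type, value); feeds overlap heavily."""
    seen, unique = set(), []
    for ind in indicators:
        key = (ind["type"], ind["value"])
        if key not in seen:
            seen.add(key)
            unique.append(ind)
    return unique


def submit_all(indicators, submit=crits_submit, workers=8):
    """Submit indicators concurrently with at most `workers` in flight.

    Returns (ok_count, failures) where failures is a list of (value, error).
    """
    ok, failures = 0, []
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(submit, ind): ind for ind in indicators}
        for fut in as_completed(futures):
            ind = futures[fut]
            try:
                fut.result()
                ok += 1
            except Exception as exc:  # one bad indicator must not sink the batch
                failures.append((ind["value"], repr(exc)))
    return ok, failures


def make_fake_submit(latency=0.005, reject_value=None):
    """Constructed stand-in for the API: sleeps to mimic a round trip and
    rejects one chosen value so the error path is exercised."""
    calls, lock = [], threading.Lock()

    def fake(ind):
        time.sleep(latency)
        with lock:
            calls.append(ind["value"])
        if ind["value"] == reject_value:
            raise RuntimeError("400 Bad Request")
        return {"return_code": 0}

    fake.calls = calls
    return fake


def benchmark(indicators, submit, workers):
    """Run submit_all and return ((ok, failures), elapsed_seconds)."""
    start = time.perf_counter()
    result = submit_all(indicators, submit, workers)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample: 200 addresses from the TEST-NET-3 documentation range.
    sample = [{"type": "Address - ipv4-addr", "value": f"203.0.113.{i % 256}"} for i in range(200)]
    sample = dedupe(sample)
    for n in (1, 8):
        (ok, failures), elapsed = benchmark(sample, make_fake_submit(latency=0.01), workers=n)
        print(f"workers={n}: ok={ok} failed={len(failures)} in {elapsed:.2f}s")
```

The speed-up comes from overlapping network latency, not from CPU, so the right `workers` value is whatever the CRITs server tolerates; the failures list is what you inspect afterwards rather than relying on the run not crashing.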
Looks good. Thanks! |
So TL;DR: this is multithreading the submission to CRITs and possibly grabbing some additional data from the feeds? |
No extra info from feeds in this submission, just CRITs. But the original discussion was about the extra info. :) |
Sorry, @technoskald! Discussion got derailed with CRITs. We can get back to the metadata when I have time to code some more. I might wait and see what comes out of the labeled-feeds-branch. Do you know if the conf reader library will read regex out of a conf file or try to interpret / clobber them? |
OK, so this is just about CRITs? Cool then. 👍 |
Why not keep some of the metadata from the feeds and use it for enrichment? For example, the AlienVault feed has some interesting information as to why that IP is there and would make for better context.