Closed: rkmbaxed closed this issue 3 years ago
+1 Please!
Does this mean that the Abuse.ch Ransomware tracker lookups in Graylog are no longer useful?
If they did not change anything in the meantime, then it has not been useful since Dec 8th, 2019.
Had a look at the API for urlhaus.abuse.ch and it seems like it might support something roughly like the ransomware URL data adapter, but I'm not sure there's a solution for the Domain and IP ransomware adapters. Discussing with the team about the best path forward for this issue.
I have removed the abuse.ch plugin, rules, pipeline, and events/alerts from my setup, to save the wasted processing power and storage space.
The rest of the GL userbase should probably be prompted to do so (be it via the notification system or in a future update).
Also the blog entry on the GL website on the abuse.ch setup should probably get updated.
Finally I think it would be better to treat the URLhaus integration separately as it has a different use case.
Expected Behavior
Use of URLhaus instead (https://urlhaus.abuse.ch/api/)
Current Behavior
ransomwaretracker.abuse.ch stops its service.
Possible Solution
Use of URLhaus instead (https://urlhaus.abuse.ch/api/)