Closed mathurin68 closed 1 year ago
Hey, @mathurin68!
We currently have a hardcoded integer set for the number of days that GitHub queries, which is based on the creation date. This will soon be customizable in the config.yml file (this will be optional, defaults to ~10 days). The PR for this fix is merged into develop, but not available yet within the package. I will close this issue and send another comment once a new package is available.
Here's my config.yml file for reference once the new package is available:

sources:
  - name: github-qakbot-repos
    credentials: github-auth
    module: github
    search: qakbot
    num_of_days: 90

As for the MISP question: we should be able to strip out the port from incoming IP addresses during artifact generation and use both data points separately fairly easily. I'll have to do more testing on this front, but I will include it in the task list.
Awesome....thank you!
@mathurin68,
New version of ThreatIngestor is now available!
Release: https://github.com/InQuest/ThreatIngestor/releases/tag/v1.0.0b9
There's a couple of GitHubs I'd like to get into MISP, like this one... https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama220_02.11.2022.txt
I have my GitHub and MISP authorization...
but this search seems to come back with nothing!
If I search 'qakbot' here, https://github.com/search, it comes back with everything.
Also, MISP seems to take these as URLs; what's the best way to get the IP addresses into MISP? Should I just wait till after they've gone into MISP and then pull them out, modify with Python, strip the port, and add them back as IP addresses?
Thanks!!!
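
The port-stripping step discussed in this thread, as an added example that is not part of the original posts and is not ThreatIngestor's own code: it splits `IP:port` entries into a plain IP and an IP/port pair so both can be stored separately. The function names, the constructed sample lines, and the choice of the MISP attribute types `ip-dst` and `ip-dst|port` are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample input (documentation address ranges), not real indicators.
SAMPLE = [
    "192.0.2.10:443", "198.51.100.7:2222", "192.0.2.10:995",
    "[2001:db8::1]:443", "http://198.51.100.7:2222/", "not-an-ip.example:80", "",
]

def split_ip_port(raw):
    """Return (ip, port) for 'IP:port', '[IPv6]:port', a bare IP, or a URL whose
    host is an IP literal. port is None when absent; non-IP hosts give None."""
    text = raw.strip()
    try:
        return str(ipaddress.ip_address(text)), None   # bare IPv4/IPv6, no port
    except ValueError:
        pass
    if "://" not in text:
        text = "//" + text                             # make urlsplit see host:port
    try:
        parts = urlsplit(text)
        port = parts.port                              # ValueError if not 0-65535
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return None
    return str(ip), port

def misp_attributes(lines):
    """One attribute per unique IP and one per unique IP/port pair, so both
    data points survive. Assumption: C2 addresses are modelled as ip-dst."""
    seen, attrs = set(), []
    for line in lines:
        parsed = split_ip_port(line)
        if parsed is None:
            continue                                   # hostname or junk: skip
        ip, port = parsed
        candidates = [("ip-dst", ip)]
        if port is not None:
            candidates.append(("ip-dst|port", f"{ip}|{port}"))
        for attr_type, value in candidates:
            if (attr_type, value) not in seen:
                seen.add((attr_type, value))
                attrs.append({"type": attr_type, "value": value})
    return attrs

if __name__ == "__main__":
    for attr in misp_attributes(SAMPLE):
        print(attr["type"], attr["value"])
```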