TheHive-Project / Cortex-Analyzers

Cortex Analyzers Repository
https://TheHive-Project.github.io/Cortex-Analyzers/
GNU Affero General Public License v3.0

Analyzers: domain vs fqdn #350

Open garanews opened 5 years ago

garanews commented 5 years ago

Request Type

Question

Description

Analyzing attributes with datatype "hostname" and "domain" in MISP:

domain: Page 1 of 1615, showing 60 records out of 96849 total, starting on record 1, ending on 60 (screenshot)

hostname: Page 1 of 1393, showing 60 records out of 83522 total, starting on record 1, ending on 60 (screenshot)

When imported into TheHive they become the types "fqdn" and "domain". In this situation, the analyzers available for the two types are different:

(screenshot)

But all the FQDNs mentioned above can be analyzed with (almost?) all the analyzers used for the domain type.

Possible Solutions

In order to access the other analyzers (VT, etc.), the analyst is manually removing all imported fqdn observables and adding them again as domain... An option would be to configure the "domain" analyzers to also analyze the fqdn type.

What do you think?

phpsystems commented 5 years ago

There are also URLs to consider.

FYI, the Fortiguard plugin was fixed with #358

nadouani commented 5 years ago

Hello @garanews, I've just spotted this one. Can you list all the analyzers that need to be updated to include FQDN as a possible datatype? We can add them to this issue's description as a checklist and fix them.

garanews commented 5 years ago

Hello @nadouani, I think all analyzers that have "domain" but not fqdn:

Abuse_Finder
C1fApp
CIRCLPassiveDNS
Censys
Crtsh
DNSSinkhole
FireEyeiSight
Fortiguard
GoogleSafebrowsing
IBMXForce
Malwares
MnemonicPDNS
OTXQuery
Pulsedive
Shodan
Threatcrowd
URLhaus
VirusTotal

Here you can see the full matrix: (screenshot)

For anyone who wants to generate this table, here is the code (needs Python 3.5+, pandas, glob): https://gist.github.com/garanews/02e051a555bbf83cde527b9f086b1b26
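The check behind that matrix (which analyzer flavors declare "domain" but not "fqdn") can be reproduced without pandas. This is an added example, not the linked gist or the project's own code; it assumes the Cortex-Analyzers layout analyzers/<Name>/<Flavor>.json with a "name" and a "dataTypeList" field in each flavor definition, and the sample definitions embedded below are constructed for illustration.

```python
"""Flag Cortex analyzer flavors that accept "domain" but not "fqdn".

Assumes the repository layout analyzers/<Name>/<Flavor>.json and that each
flavor definition carries "name" and "dataTypeList" (an assumption about
the layout, not verified against every revision of the repo).
"""
import glob
import json
import os
from typing import Dict, Iterable, List, Set

# Constructed sample flavor definitions (only the fields the check needs);
# these are not real analyzer names from the repository.
SAMPLE_DEFINITIONS = [
    {"name": "Example_Domain_Only", "dataTypeList": ["domain", "url"]},
    {"name": "Example_Both", "dataTypeList": ["domain", "fqdn", "ip"]},
    {"name": "Example_Fqdn_Only", "dataTypeList": ["fqdn"]},
    {"name": "Example_Hash", "dataTypeList": ["hash"]},
]


def load_definitions(root: str) -> List[Dict]:
    """Parse every <root>/analyzers/*/*.json flavor definition on disk."""
    pattern = os.path.join(root, "analyzers", "*", "*.json")
    defs = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            defs.append(json.load(fh))
    return defs


def datatype_matrix(definitions: Iterable[Dict]) -> Dict[str, Set[str]]:
    """Map each flavor name to the set of datatypes it declares."""
    return {d["name"]: set(d.get("dataTypeList", [])) for d in definitions}


def missing_datatype(definitions: Iterable[Dict],
                     have: str = "domain", lack: str = "fqdn") -> List[str]:
    """Sorted names of flavors that declare `have` but not `lack`."""
    matrix = datatype_matrix(definitions)
    return sorted(name for name, types in matrix.items()
                  if have in types and lack not in types)


if __name__ == "__main__":
    # Run against a checkout with: missing_datatype(load_definitions("."))
    for name in missing_datatype(SAMPLE_DEFINITIONS):
        print(name)
```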