Open blackfist opened 12 years ago
The current cifglue.cfg used by our CIF instance looks like the following:
detection = daily
source = 'RISK team'
severity = high
guid = everyone
restriction = public
period = daily
[cifglue_cases]
feed = 'http://localhost:3000/indicators.csv?q%5Btype_start%5D=Indicator'
confidence = 95
regex = '^,([^,]*),,([^,]*),([^,]*),([^,]*),([^,]*)'
regex_values = 'address,description,detecttime,alternativeid'
impact = 'botnet infrastructure'
alternativeid_restriction = private
[cifglue_malware]
feed = 'http://localhost:3000/indicators.csv?q%5Btype_start%5D=MalwareIndicator'
confidence = 85
regex = '^([^,]*),([^,]*),,([^,]*),([^,]*),([^,]*),([^,]*)'
regex_values = 'malware_md5,address,description,detecttime,alternativeid'
impact = 'botnet infrastructure'
alternativeid_restriction = private
It might be helpful to have the application generate a CIF configuration that a user can cut and paste into their CIF instance. That would make it easier to configure CIF to pull in the feeds.
I think the right way to do this would be to add a couple more variables to app/models/settings.rb. One variable is the IP address or hostname that CIF would use to contact the CIFGlue server, and the other variable is the port that CIFGlue is going to run on.
Then we could publish feeds like this: http://Settings::ServerHost:Settings::ServerPort/indicators/index.rss
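One way the proposed feature could look, as an added example rather than CIFGlue's own code: a renderer that takes the server host and port (the issue proposes adding these to app/models/settings.rb but does not name them, so the values below are hypothetical) and emits a cifglue.cfg with the same global keys and feed stanzas as the config posted above, building each feed URL with the q[type_start] parameter percent-encoded the way the posted config has it.

```ruby
require 'uri'

# Added example, not CIFGlue's own code: sketches the proposed feature of
# rendering a cifglue.cfg that a user can paste into their CIF instance.
# The host/port arguments stand in for the settings the issue proposes
# adding to app/models/settings.rb; their names are hypothetical.
module CifConfigRenderer
  # Global keys, copied from the config posted in the issue.
  DEFAULTS = {
    'detection'   => 'daily',
    'source'      => "'RISK team'",
    'severity'    => 'high',
    'guid'        => 'everyone',
    'restriction' => 'public',
    'period'      => 'daily',
  }.freeze

  # One stanza per feed; :type is the value CIFGlue's q[type_start] filter
  # receives, the rest is copied from the posted stanzas.
  FEEDS = [
    { section: 'cifglue_cases',   type: 'Indicator',        confidence: 95,
      regex: '^,([^,]*),,([^,]*),([^,]*),([^,]*),([^,]*)',
      regex_values: 'address,description,detecttime,alternativeid' },
    { section: 'cifglue_malware', type: 'MalwareIndicator', confidence: 85,
      regex: '^([^,]*),([^,]*),,([^,]*),([^,]*),([^,]*),([^,]*)',
      regex_values: 'malware_md5,address,description,detecttime,alternativeid' },
  ].freeze

  # Build the CSV feed URL. URI.encode_www_form percent-encodes the square
  # brackets, giving q%5Btype_start%5D=<type> exactly as in the posted config.
  def self.feed_url(host, port, type)
    URI::HTTP.build(host: host, port: port, path: '/indicators.csv',
                    query: URI.encode_www_form('q[type_start]' => type)).to_s
  end

  # Render the full config text: global keys first, then one [section] per feed.
  def self.render(host, port, feeds = FEEDS)
    lines = DEFAULTS.map { |key, value| "#{key} = #{value}" }
    feeds.each do |f|
      lines << "[#{f[:section]}]"
      lines << "feed = '#{feed_url(host, port, f[:type])}'"
      lines << "confidence = #{f[:confidence]}"
      lines << "regex = '#{f[:regex]}'"
      lines << "regex_values = '#{f[:regex_values]}'"
      lines << "impact = 'botnet infrastructure'"
      lines << 'alternativeid_restriction = private'
    end
    lines.join("\n") + "\n"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Hypothetical host/port values standing in for the proposed settings.
  puts CifConfigRenderer.render('cifglue.example.org', 3000)
end
```

Calling `render('localhost', 3000)` reproduces the two feed lines from the config posted above; a Rails controller could serve the same string as text/plain so the user can copy it straight into their CIF instance.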