certtools / intelmq

IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol.
https://docs.intelmq.org/latest/
GNU Affero General Public License v3.0

Question - #1715

Closed mfiedler144 closed 3 years ago

mfiedler144 commented 3 years ago

Hello everyone,

For my bachelor thesis I am analyzing IOC feeds, trying to rank feeds by correlating them with each other. I have already tried some tools, but none worked for me.

What the tool should be able to do: Feeds -> gather feeds and normalize them: OSINT or commercial doesn't matter, but I should be able to implement my own feeds. Look up whether a value (a single IOC) is already in the database and how often. Additionally, I should be able to add the source to every IOC, as well as a risk score.

What do you think: Is IntelMQ the right tool for the job?

Do you know any tools which would be good for the job?

Many thanks and best regards.

Maurice

ghost commented 3 years ago

For my bachelor thesis I am analyzing IOC feeds, trying to rank feeds by correlating them with each other. I have already tried some tools, but none worked for me.

That's indeed a very interesting topic and I am sure that a lot of teams would appreciate if you can share your work somehow.

Feeds -> gather feeds and normalize them: OSINT or commercial doesn't matter, but I should be able to implement my own feeds.

In the feeds documentation we list a lot of feeds and how they can be configured in IntelMQ. This includes fetching them and parsing. Parsing in IntelMQ also means normalizing the names, classification etc. Of course you can configure any feeds yourself. In the bots documentation you can find all the available parameters for the collectors and parsers - the feeds documentation is just a template which allows you to take some shortcuts. There are plenty more feeds out there; some interesting ones are listed in our feeds wishlist.

Look up if a value (single IOC) is already in the database and how often. Additionally I should be able to add the source to every IOC as well as a risk score.

That's not covered by IntelMQ tools, but you can do that with SQL and other tools. If you send all data in IntelMQ with the Postgres Output (see the bots' documentation linked above) to a PostgreSQL database, you can use just SQL. I have done some analysis like this some years ago, but just for a fixed set of feeds. You'd need to do a correlation matrix, which is a bit more work, but I am sure that you'll find some ideas or even complete SQL statements/software on the internet.

What do you think: Is IntelMQ the right tool for the job?

For the first problem yes. Not for the second.

Do you know any tools which would be good for the job?

Did I already mention that I like SQL? 8-)
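A worked illustration of the SQL-based approach suggested in the answer above, added here as an example (not code from the issue or from the IntelMQ project). It assumes an events table laid out like the one the Postgres output bot fills, with one column per harmonization field ("source.ip", "feed.name"), and uses an in-memory SQLite database with constructed rows in place of PostgreSQL; the queries themselves are portable SQL.

```python
import sqlite3

# Constructed sample rows shaped like IntelMQ's PostgreSQL output, where the
# "events" table has one column per harmonization field ("source.ip",
# "feed.name", ...). Assumption: that table layout; SQLite stands in for
# PostgreSQL so the example runs offline, the SQL itself is portable.
SAMPLE_EVENTS = [
    ("198.51.100.7", "Feed A"), ("198.51.100.7", "Feed B"), ("198.51.100.7", "Feed C"),
    ("203.0.113.9", "Feed A"), ("203.0.113.9", "Feed B"),
    ("192.0.2.42", "Feed C"), ("192.0.2.42", "Feed C"),  # same IOC, same feed, seen twice
]

def build_db():
    """In-memory stand-in for the events table the Postgres output bot fills."""
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE events ("source.ip" TEXT, "feed.name" TEXT)')
    con.executemany("INSERT INTO events VALUES (?, ?)", SAMPLE_EVENTS)
    return con

def lookup_ioc(con, ip):
    """How often one IOC was seen, per feed: the 'is it already there, and how often' question."""
    rows = con.execute(
        'SELECT "feed.name", COUNT(*) FROM events WHERE "source.ip" = ? '
        'GROUP BY "feed.name"', (ip,)).fetchall()
    return dict(rows)

def feed_overlap_matrix(con):
    """Distinct IOCs shared by each pair of feeds; the diagonal is each feed's size.
    Self-join on the IOC value, DISTINCT so repeated sightings count once."""
    rows = con.execute(
        'SELECT a."feed.name", b."feed.name", COUNT(DISTINCT a."source.ip") '
        'FROM events a JOIN events b ON a."source.ip" = b."source.ip" '
        'GROUP BY a."feed.name", b."feed.name"').fetchall()
    return {(fa, fb): n for fa, fb, n in rows}

def rank_feeds(con):
    """Rank feeds by the share of their IOCs that at least one other feed also
    reports (a corroboration score in [0, 1], derived from the overlap matrix)."""
    m = feed_overlap_matrix(con)
    feeds = sorted({fa for fa, _ in m})
    scores = {}
    for f in feeds:
        others = con.execute(
            'SELECT COUNT(DISTINCT a."source.ip") FROM events a JOIN events b '
            'ON a."source.ip" = b."source.ip" AND a."feed.name" <> b."feed.name" '
            'WHERE a."feed.name" = ?', (f,)).fetchone()[0]
        scores[f] = others / m[(f, f)]
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
```

With the sample rows, Feed C ranks last because one of its two IOCs is reported by no other feed.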

ghost commented 3 years ago

Closing because of inactivity. Please reopen if needed.