Closed epazoglu closed 8 years ago
We generally consider those types of feeds "overloaded". What is the feed author trying to communicate? If I want to use the observables in network sensors, do I treat every observable with an equal weight? Typically that is not the case.
The easiest way to handle a feed like that is to have cif-smrt parse the feed multiple times, parsing out a different observable on each pass.
You can see an example of this in the zeus tracker feed:
https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/default/zeustracker.yml
On the feed hxxps://zeustracker.abuse.ch/monitor.php?urlfeed=binaries
...
This allows you to tag each observable type with completely different metadata (e.g. confidence) if you so choose.
Make sense?
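The multi-pass approach described above, as an added illustration that is not code from CIF or the massive-octo-spice project: each pass re-reads the same "overloaded" feed, extracts one column, validates it against the observable type that pass is looking for, and attaches that pass's own confidence and description. The feed lines, column layout, and confidence values are constructed for the example; the per-pass validation is what keeps a blank or mistyped column from producing a bogus observable.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of an "overloaded" feed: every line carries a URL,
# an IP, an FQDN and a hash. Values are invented (RFC 5737 / .test names).
SAMPLE_FEED = """\
# date,url,ip,fqdn,md5
2015-04-21T08:35:00Z,http://malware.example.test/payload.exe,192.0.2.10,malware.example.test,d41d8cd98f00b204e9800998ecf8427e
2015-04-21T09:00:00Z,http://198.51.100.7/drop.php,198.51.100.7,,44d88612fea8a8f36de82e1278abb02f
"""


def is_ipv4(value):
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:
        return False


# One validator per observable type a pass may extract.
VALIDATORS = {
    "url": re.compile(r"^https?://\S+$").match,
    "ipv4": is_ipv4,
    "fqdn": re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I).match,
    "hash": re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I).match,
}


@dataclass(frozen=True)
class Observable:
    observable: str
    otype: str
    confidence: int
    description: str


# One entry per pass: (otype, column index, confidence, description).
# Confidence differs per type on purpose: a hash of the binary is a much
# stronger indicator than the IP it was served from. Values are hypothetical.
PASSES = [
    ("url", 1, 85, "cryptowall binary url"),
    ("ipv4", 2, 65, "cryptowall hosting ip"),
    ("fqdn", 3, 75, "cryptowall hosting domain"),
    ("hash", 4, 95, "cryptowall binary hash"),
]


def parse_pass(feed_text, otype, column, confidence, description):
    """Single pass over the feed: pull one column, keep only values that
    really are the expected type, tag them with this pass's metadata."""
    valid = VALIDATORS[otype]
    found = []
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if column >= len(fields):
            continue
        value = fields[column].strip()
        if not value or not valid(value):
            continue  # blank column or wrong type for this pass
        found.append(Observable(value, otype, confidence, description))
    return found


def parse_feed(feed_text, passes=PASSES):
    """Run every configured pass over the same feed text."""
    results = []
    for otype, column, confidence, description in passes:
        results.extend(parse_pass(feed_text, otype, column, confidence, description))
    return results


def by_otype(observables, otype):
    """Equivalent of filtering the stored results on --otype."""
    return [o for o in observables if o.otype == otype]


if __name__ == "__main__":
    for o in parse_feed(SAMPLE_FEED):
        print(f"{o.otype:5} conf={o.confidence:3} {o.observable}")
```

The second sample line has an empty FQDN column, so the fqdn pass yields one observable while the other passes yield two each; that asymmetry is the point of validating per pass rather than trusting column position.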
Thanks Giovanni,
I did it as you said; the date is not parsed, so I removed the date for the test, and all observables parsed correctly.
Now I have 2 questions : )
1- Must the date format be YYYY-MM-DDTHH:MM:SSZ? I ask because this feed's date format is different and I transform it with sed and awk as
2015-4-21T8:35:00
and if the month, day or hour is not 2 digits (like 1-9) it doesn't add a "0" before the value. Must I add a "0" for these 1-digit values?
2- The hash observable is parsed and I can see it with the cif client when I run
cif --today --description cryptowall
and cif --today --description cryptowall --otype ipv4 and cif --today --description cryptowall --otype fqdn also work, but
cif --today --description cryptowall --otype hash
doesn't work.
How can I only pull hash observables?
Q1:
I do not know off the top of my head if that date format is supported or not. Testing is probably the easiest thing to do. CIF calls date-parse to try to automatically figure out formats it does not natively understand.
Q2:
I also could not get --otype hash
to work. I would have guessed it was supported, but we don't have any doc that says that it is. I've opened an issue to have it looked into.
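Whether or not the loosely formatted date is accepted, the safest pre-processing step is to emit the canonical YYYY-MM-DDTHH:MM:SSZ form yourself before the feed reaches cif-smrt. The normaliser below is an added example, not CIF's own code: it takes the unpadded form produced by the sed/awk transform above (2015-4-21T8:35:00), zero-pads month, day and hour, and appends the Z. It assumes the feed's timestamps are UTC, which the Z suffix in the canonical form implies but the feed itself does not state; the accepted input formats and the sample lines are constructed for the example.

```python
from datetime import datetime, timezone

# Input layouts the normaliser will accept, tried in order. The first is the
# canonical CIF form; the rest are loosely formatted variants (assumed here,
# not a list from the CIF documentation). strptime accepts unpadded
# %m, %d and %H, so "2015-4-21T8:35:00" matches the second entry.
INPUT_FORMATS = (
    "%Y-%m-%dT%H:%M:%SZ",
    "%Y-%m-%dT%H:%M:%S",
    "%Y-%m-%d %H:%M:%S",
    "%Y-%m-%d",
)
CANONICAL = "%Y-%m-%dT%H:%M:%SZ"


def normalize_timestamp(value):
    """Return the canonical zero-padded UTC timestamp, or raise ValueError."""
    value = value.strip()
    for fmt in INPUT_FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        # Feed times are treated as UTC (assumption), then re-rendered.
        return parsed.replace(tzinfo=timezone.utc).strftime(CANONICAL)
    raise ValueError(f"unrecognised timestamp: {value!r}")


def normalize_feed(feed_text, date_column=0, sep=","):
    """Rewrite the date column of every data line; comments pass through.
    A line with an unparseable date is dropped and reported rather than
    written out with a bad timestamp."""
    kept, rejected = [], []
    for line in feed_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            kept.append(line)
            continue
        fields = line.split(sep)
        try:
            fields[date_column] = normalize_timestamp(fields[date_column])
        except (ValueError, IndexError):
            rejected.append(line)
            continue
        kept.append(sep.join(fields))
    return "\n".join(kept), rejected


# Constructed sample: the unpadded output of the sed/awk step, one good line
# and one with a date layout the normaliser does not know.
SAMPLE_FEED = """\
# date,url,md5
2015-4-21T8:35:00,http://malware.example.test/payload.exe,d41d8cd98f00b204e9800998ecf8427e
21/04/2015 08:40,http://malware.example.test/other.exe,44d88612fea8a8f36de82e1278abb02f
"""

if __name__ == "__main__":
    text, bad = normalize_feed(SAMPLE_FEED)
    print(text)
    for line in bad:
        print("rejected:", line)
```

Rejecting lines with unknown date layouts, instead of guessing, is deliberate: a wrongly parsed timestamp silently changes what --today returns.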
@evrenbey
Querying for a list of hashes needs to be done like this:
I'm closing this issue, please let us know if you have further questions.
Hello, I have a file that includes multiple observables,
as seen below.
I wrote a parser file.
When I run the command /opt/cif/bin/cif-smrt --testmode -v -c -d -r /etc/cif/rules/default/Cyber_Threat_Alliance.yml
cif-smrt doesn't parse it.
Any idea?