csirtgadgets / massive-octo-spice

DEPRECATED - USE v3 (bearded-avenger)
https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki
GNU Lesser General Public License v3.0

File location of blacklisted or malicious data in CIF server. #443

Closed diveshshah closed 8 years ago

diveshshah commented 8 years ago

Hi,

We want to send the updated data (malicious IPs, URLs, domain names etc.) provided by CIF to our ArcSight ESM. Could you please let us know the location of the file (combined one) or files (all 32 separate ones) where CIF is storing all the data (the feeds from all the sites).

Thanks and Regards, Divesh Shah

wesyoung commented 8 years ago

have you read / tested this out?

https://github.com/csirtgadgets/massive-octo-spice/wiki/where-do-i-start-feeds

diveshshah commented 8 years ago

Hi,

I went through that document and ran various commands like:

cif --feed --otype fqdn -c 95 --tags phishing --today -f csv
cif --feed --otype ipv4 -c 85 --last-day -f csv

It is giving output on the terminal.

But I want to know where CIF is showing this result from. In a database where all the values are stored? Or is it giving the output by checking online on the scripted websites?

Thanks & regards Divesh Shah

wesyoung commented 8 years ago

the data is stored in an embedded elasticsearch instance:

https://www.elastic.co/guide/en/elasticsearch/reference/1.4/getting-started.html
https://www.elastic.co/guide/en/elasticsearch/reference/1.4/setup-dir-layout.html

somewhere under /var/lib/elasticsearch you'll see all the lucene indices. cif-smrt fetches the data, sends it to cif-router, where cif-router stores it in elasticsearch using the elasticsearch REST API.

if you want to learn more about elasticsearch, i'd read through their docs and examples; it's not as simple as "can i read through all the files" given the way lucene indexes and stores the data to make searching the data faster.
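Since the indicators live in Elasticsearch rather than in readable files, the practical way to feed a SIEM is to query the same REST API that cif-router writes through. The script below is an added example, not code from the original issue or from the CIF project: it builds an Elasticsearch 1.x `filtered` query (the syntax of the 1.4 docs linked above; 2.x and later use `bool`/`filter`), flattens the hits into CSV rows, and can be pointed at a live node. The Elasticsearch URL (`http://localhost:9200`), the index pattern (`cif.observables-*`) and the document fields (`observable`, `otype`, `confidence`, `tags`, `lasttime`) are assumptions; check the real names on your server with `curl 'http://localhost:9200/_cat/indices?v'` and a sample document before relying on them. The embedded search response is constructed so the parsing path runs offline.

```python
"""Pull indicators from the embedded Elasticsearch behind cif-router and
flatten them to CSV for a SIEM such as ArcSight ESM.

Added example, not part of the original thread or of the CIF project.
Assumptions (not stated on the page): ES listens on localhost:9200, the
indicator documents sit in indices matching 'cif.observables-*', and each
document has the fields observable, otype, confidence, tags, lasttime.
"""
import csv
import io
import json
import urllib.request

ES_URL = "http://localhost:9200"      # assumption: default ES HTTP port
INDEX_PATTERN = "cif.observables-*"   # assumption: verify with _cat/indices
FIELDS = ["observable", "otype", "confidence", "tags", "lasttime"]


def build_search_body(otype, min_confidence, since, size=500):
    """ES 1.x 'filtered' query: one observable type, confidence >= min,
    last seen at or after 'since' (ISO-8601 string)."""
    return {
        "size": size,
        "query": {
            "filtered": {
                "query": {"match_all": {}},
                "filter": {
                    "bool": {
                        "must": [
                            {"term": {"otype": otype}},
                            {"range": {"confidence": {"gte": min_confidence}}},
                            {"range": {"lasttime": {"gte": since}}},
                        ]
                    }
                },
            }
        },
    }


def extract_indicators(es_response):
    """Flatten search hits into plain dicts.

    Documents without an 'observable' field are skipped rather than emitted
    as empty rows, and 'tags' is normalised to a comma-joined string whether
    the document stores it as a list or a single string."""
    rows = []
    for hit in es_response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        if "observable" not in src:
            continue
        tags = src.get("tags", [])
        if isinstance(tags, str):
            tags = [tags]
        rows.append({
            "observable": src["observable"],
            "otype": src.get("otype", ""),
            "confidence": float(src.get("confidence", 0)),
            "tags": ",".join(tags),
            "lasttime": src.get("lasttime", ""),
        })
    return rows


def to_csv(rows):
    """Render rows as CSV text with a header; fields containing commas
    (the tag list) are quoted by the csv module."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def search(body, es_url=ES_URL, index=INDEX_PATTERN):
    """POST the query to the ES _search endpoint (network; not used in tests)."""
    req = urllib.request.Request(
        f"{es_url}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample shaped like an ES 1.x search reply, so the parsing
# path can be exercised without a live CIF server. Addresses are RFC 5737.
SAMPLE_RESPONSE = {
    "took": 3, "timed_out": False,
    "hits": {"total": 3, "hits": [
        {"_index": "cif.observables-2016.08", "_id": "a1", "_source": {
            "observable": "192.0.2.10", "otype": "ipv4", "confidence": 95,
            "tags": ["scanner", "botnet"], "lasttime": "2016-08-19T10:00:00Z"}},
        {"_index": "cif.observables-2016.08", "_id": "a2", "_source": {
            "observable": "198.51.100.7", "otype": "ipv4", "confidence": 85,
            "tags": "phishing", "lasttime": "2016-08-19T11:30:00Z"}},
        {"_index": "cif.observables-2016.08", "_id": "a3", "_source": {
            "otype": "ipv4", "confidence": 90}},  # no observable: skipped
    ]},
}

if __name__ == "__main__":
    body = build_search_body("ipv4", 85, "2016-08-18T00:00:00Z")
    try:
        response = search(body)
    except Exception as exc:  # no live node reachable: fall back to sample
        print(f"# no Elasticsearch at {ES_URL} ({exc}); using constructed sample")
        response = SAMPLE_RESPONSE
    print(to_csv(extract_indicators(response)), end="")
```

For a full export rather than the first 500 hits, page through the results with the scroll API instead of raising `size`; and treat the node as sensitive, since Elasticsearch 1.x exposes this endpoint without authentication, so it should only be reachable from the CIF host or over an authenticated tunnel.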

diveshshah commented 8 years ago

Hi, thanks a lot. Your guidance and support are helping us.

Thanks Divesh Shah