intelowlproject / IntelOwl

IntelOwl: manage your Threat Intelligence at scale
https://intelowlproject.github.io
GNU Affero General Public License v3.0

[Analyzer] Tor_Nodes_DanMeUk #1886

Closed mlodic closed 5 months ago

mlodic commented 1 year ago

Name

Tor_Nodes_DanMeUk

Link

Extract lists of all Tor nodes from this site periodically: https://www.dan.me.uk/tornodes

Type of analyzer

observable for IP addresses only

Why should we use it

A user requested this:

the Torproject Analyzer uses the Tor exit nodes list, whereas the dan.me.uk list includes all nodes (also entry and intermediary relays). It may be debatable if only the exit nodes are of interest - surely if you are looking at their roles as senders. However, if you look at outgoing traffic (possible C2) you also want to match against the bridges and entry relay nodes, as this could identify malware. I would advocate to actually use the full list of tor nodes found at dan.me.uk, or provide another Analyzer that uses this list

Possible implementation

just basically copy/paste TorProject one and change the results based on the type of the node
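
Added example (not IntelOwl's own analyzer code) of the lookup such an observable analyzer performs: parse a full node list, index it by IP, and report the node's role so an observable can be matched against exit, guard and middle relays rather than exits only. The "ip|name|or_port|dir_port|flags|..." row layout, the list markers and the single-letter flag meanings are assumptions about the dan.me.uk format, and the node rows are constructed sample data.

```python
import re
from typing import Dict, Set

# Constructed sample in the layout assumed for the dan.me.uk node list:
# one node per line, "|"-separated: ip|name|or_port|dir_port|flags|uptime|version|contact
SAMPLE_LIST = """\
<!-- __BEGIN_TOR_NODE_LIST__ //-->
198.51.100.10|exitRelayA|9001|9030|EFGRSDV|12345|Tor 0.4.8.10|none
198.51.100.20|guardRelayB|443|80|FGRSDV|54321|Tor 0.4.8.10|none
203.0.113.5|middleRelayC|9001|0|FRSV|999|Tor 0.4.8.9|none
<!-- __END_TOR_NODE_LIST__ //-->
"""

# Assumed meaning of the single-letter flag codes (not verified against the site).
FLAG_NAMES = {"E": "Exit", "G": "Guard", "B": "BadExit", "A": "Authority",
              "D": "V2Dir", "F": "Fast", "H": "HSDir", "R": "Running",
              "S": "Stable", "V": "Valid", "N": "Named", "U": "Unnamed"}


def parse_tor_nodes(text: str) -> Dict[str, dict]:
    """Return {ip: {"name": ..., "flags": set(...)}} for every node row in the list."""
    m = re.search(r"__BEGIN_TOR_NODE_LIST__.*?-->(.*?)<!--\s*__END_TOR_NODE_LIST__", text, re.S)
    body = m.group(1) if m else text  # fall back to the whole text if markers are absent
    nodes: Dict[str, dict] = {}
    for line in body.splitlines():
        parts = line.strip().split("|")
        if len(parts) < 5:
            continue  # blank or malformed row
        ip, name, _or_port, _dir_port, flags = parts[:5]
        nodes[ip] = {"name": name, "flags": set(flags)}
    return nodes


def classify(ip: str, nodes: Dict[str, dict]) -> dict:
    """Role of an observable IP: exit, guard (entry), relay (middle) or not a Tor node."""
    node = nodes.get(ip)
    if node is None:
        return {"found": False}
    flags: Set[str] = node["flags"]
    role = "exit" if "E" in flags else "guard" if "G" in flags else "relay"
    return {"found": True, "role": role, "name": node["name"],
            "flags": sorted(FLAG_NAMES.get(f, f) for f in flags)}


if __name__ == "__main__":
    index = parse_tor_nodes(SAMPLE_LIST)
    for observable in ("198.51.100.20", "192.0.2.1"):
        print(observable, classify(observable, index))
```

Bridges are not published in the relay consensus, so a list like this cannot cover them; only exit, guard and middle relays are matchable.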

moonpatel commented 6 months ago

Hey @mlodic, I would like to work on this issue.

moonpatel commented 6 months ago

Hey @mlodic what should be the name of this analyzer?

mlodic commented 5 months ago

Tor_Nodes_DanMeUk

we need to complete the other issue before starting a new one

mlodic commented 5 months ago

solved with v6.0.0