ninoseki / mihari

A query aggregator for OSINT based threat hunting
https://ninoseki.github.io/mihari/
MIT License
854 stars, 102 forks

[Feature Request] ThreatFox #381

Closed ssnkhan closed 2 years ago

ssnkhan commented 2 years ago
  1. Make sure your requested feature makes sense for Mihari.

  ThreatFox, provided by abuse.ch, is a free portal allowing access to various IOCs related to malware and malware infrastructure. All IOCs are validated, meaning they are high-fidelity. Access to the API is free, and detailed here.

  2. If you want to suggest a new integration of a service, please provide detailed information of it. (e.g. API docs)

  API Docs - https://threatfox.abuse.ch/api/
  FAQ - https://threatfox.abuse.ch/faq/

It probably makes sense to implement the analyzer to accept a single string to search against either the tag or the malware name, with a limit of 1,000. ThreatFox supports return types (ioc) including ip:port, url and hash. ip:port could be stripped to just the ip, consistent with the Mihari ip IOC data format.

Sample Usage

mihari analyze threatfox 'RedLineStealer' --title "RedLine Stealer" --description "Identifies RedLineStealer C2s." --tags "InfoStealer"

Thank you for your consideration, and wishing you the best for 2022!
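An added example, in Ruby since that is Mihari's language, of what the analyzer proposed above would have to do: build the tag or malware-name query with the limit capped at 1,000, then reduce the response to Mihari-style artifacts, stripping ip:port down to the bare ip. This is not Mihari's code and not code from the issue. The endpoint URL, the taginfo/malwareinfo query names and the ioc_type values are taken from the ThreatFox API docs linked in the request and should be treated as assumptions here; the response parsed at the bottom is constructed for the example, not real ThreatFox data. No API key is sent, matching the request's observation that reads are unauthenticated.

```ruby
require "json"
require "net/http"
require "uri"

# Endpoint and query names per the ThreatFox API docs linked in the issue
# (assumptions for this example, not Mihari code).
THREATFOX_API = URI("https://threatfox-api.abuse.ch/api/v1/")
THREATFOX_MAX_LIMIT = 1000

# Build the JSON body for a search by tag ("taginfo") or by malware name
# ("malwareinfo"). The limit is clamped to the 1,000 cap from the request.
def build_query(term, by: :tag, limit: THREATFOX_MAX_LIMIT)
  limit = limit.clamp(1, THREATFOX_MAX_LIMIT)
  case by
  when :tag     then { "query" => "taginfo",     "tag" => term,     "limit" => limit }
  when :malware then { "query" => "malwareinfo", "malware" => term, "limit" => limit }
  else raise ArgumentError, "by must be :tag or :malware"
  end
end

# Reduce "ip:port" to the address so it fits Mihari's ip artifact. rpartition
# keeps everything before the last ":" so a bracketed IPv6 literal survives.
def strip_port(ioc)
  host, sep, _port = ioc.rpartition(":")
  sep.empty? ? ioc : host.delete_prefix("[").delete_suffix("]")
end

# Group a ThreatFox response into artifact lists keyed by Mihari data type.
# Unknown ioc_type values are dropped rather than guessed at; duplicates
# (same ip seen on several ports) collapse to one artifact.
def normalize_iocs(response)
  return {} unless response["query_status"] == "ok"

  out = { ips: [], urls: [], domains: [], hashes: [] }
  Array(response["data"]).each do |row|
    case row["ioc_type"]
    when "ip:port" then out[:ips] << strip_port(row["ioc"])
    when "url"     then out[:urls] << row["ioc"]
    when "domain"  then out[:domains] << row["ioc"]
    when "md5_hash", "sha1_hash", "sha256_hash" then out[:hashes] << row["ioc"]
    end
  end
  out.transform_values(&:uniq)
end

# Live lookup: POST the query and normalize whatever comes back.
def fetch_iocs(term, by: :tag, limit: THREATFOX_MAX_LIMIT)
  req = Net::HTTP::Post.new(THREATFOX_API)
  req["Content-Type"] = "application/json"
  req.body = JSON.generate(build_query(term, by: by, limit: limit))
  res = Net::HTTP.start(THREATFOX_API.host, THREATFOX_API.port, use_ssl: true) do |http|
    http.request(req)
  end
  normalize_iocs(JSON.parse(res.body))
end

# Constructed sample response (RFC 5737 addresses and a reserved TLD), shaped
# like the API docs describe; it is not real ThreatFox data.
SAMPLE_RESPONSE = JSON.parse(<<~JSON)
  {
    "query_status": "ok",
    "data": [
      {"ioc": "203.0.113.10:443",  "ioc_type": "ip:port",     "malware": "win.redline_stealer", "confidence_level": 100},
      {"ioc": "203.0.113.10:8080", "ioc_type": "ip:port",     "malware": "win.redline_stealer", "confidence_level": 75},
      {"ioc": "198.51.100.7:1337", "ioc_type": "ip:port",     "malware": "win.redline_stealer", "confidence_level": 100},
      {"ioc": "http://example.invalid/panel/", "ioc_type": "url", "malware": "win.redline_stealer", "confidence_level": 50},
      {"ioc": "c2.example.invalid", "ioc_type": "domain",     "malware": "win.redline_stealer", "confidence_level": 50},
      {"ioc": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "ioc_type": "sha256_hash", "malware": "win.redline_stealer", "confidence_level": 100}
    ]
  }
JSON

if __FILE__ == $PROGRAM_NAME
  pp build_query("RedLineStealer", by: :malware)
  pp normalize_iocs(SAMPLE_RESPONSE)
end
```

Running the file offline prints the request body for the sample command in the request and the normalized artifacts from the constructed response; swap `normalize_iocs(SAMPLE_RESPONSE)` for `fetch_iocs("RedLineStealer", by: :malware)` to query the live API.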

ssnkhan commented 2 years ago

Just realised that an API key is only required to submit indicators; otherwise, no key is required :)

ninoseki commented 2 years ago

I intentionally did not develop an analyzer for a feed because Mihari is a search aggregator, not a feed aggregator. But your proposal is understandable. So I created a general feed ingestor which is shipped in v3.12.0. (#382) Here is the usage of the new feature. https://www.notion.so/Feed-b4bd11723e7043e5b2fdf78423479014

ssnkhan commented 2 years ago

Thank you, this works wonderfully!