spyre-project / spyre

simple YARA-based IOC scanner
GNU Lesser General Public License v3.0

netstat ioc check #58

Closed lprat closed 2 years ago

lprat commented 3 years ago

netstat ioc.json check

"netstat": [
  {
    "dip": [],
    "sip": [],
    "sport": [],
    "dport": [14444, 49636],
    "pname": [],
    "notpname": [],
    "state": [],
    "proto": "*",
    "description": "Potential wannamine"
  },
  {
    "dip": [],
    "sip": [],
    "sport": [49636],
    "dport": [],
    "pname": [],
    "notpname": [],
    "state": [],
    "proto": "*",
    "description": "Potential wannamine"
  }
]
hillu commented 3 years ago

Oh, sorry. For some reason, GitHub did not show me your PRs and now I have made conflicting changes. :-(

I'm going to have a look anyway and see if I can fix them.

hillu commented 3 years ago

@lprat Please have a look at #66. I have adapted your netscan module (should we call it "netstat" instead?) to use the new YAML-based configuration scheme. Your example might look like this:

system:
  netstat:
    config:
      iocs:
        "potential wannamine 1":
          dport: [14444, 49636]
        "potential wannamine 2":
          sport: [49636]

What do you think?
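As an added illustration (not spyre's own code), here is a small Go matcher showing how the netstat IOC fields from this thread could be evaluated against a connection table, with the two wannamine entries above transcribed as the config. The field semantics (an empty list imposes no constraint, proto "*" matches any protocol, notpname is an exclusion list) and the sample connections are assumptions for the example, not taken from the module.

```go
package main

import "slices"

// Conn is one observed connection (sample values used with it are constructed).
type Conn struct {
	SrcIP, DstIP        string
	SrcPort, DstPort    int
	Proto, State, PName string
}

// IOC mirrors a netstat IOC entry. Assumed semantics: an empty list imposes
// no constraint, proto "*" matches any protocol, notpname is an exclusion.
type IOC struct {
	Description            string
	DIP, SIP               []string
	SPort, DPort           []int
	PName, NotPName, State []string
	Proto                  string
}

// Match reports whether c satisfies every non-empty constraint of the IOC.
func (ioc IOC) Match(c Conn) bool {
	return (ioc.Proto == "" || ioc.Proto == "*" || ioc.Proto == c.Proto) &&
		(len(ioc.DIP) == 0 || slices.Contains(ioc.DIP, c.DstIP)) &&
		(len(ioc.SIP) == 0 || slices.Contains(ioc.SIP, c.SrcIP)) &&
		(len(ioc.DPort) == 0 || slices.Contains(ioc.DPort, c.DstPort)) &&
		(len(ioc.SPort) == 0 || slices.Contains(ioc.SPort, c.SrcPort)) &&
		(len(ioc.PName) == 0 || slices.Contains(ioc.PName, c.PName)) &&
		(len(ioc.State) == 0 || slices.Contains(ioc.State, c.State)) &&
		!slices.Contains(ioc.NotPName, c.PName)
}

// Scan returns the description of every IOC hit, in connection order.
func Scan(conns []Conn, iocs []IOC) []string {
	var hits []string
	for _, c := range conns {
		for _, ioc := range iocs {
			if ioc.Match(c) {
				hits = append(hits, ioc.Description)
			}
		}
	}
	return hits
}

// WannamineIOCs is the PR's example configuration transcribed to Go values.
var WannamineIOCs = []IOC{
	{Description: "potential wannamine 1", DPort: []int{14444, 49636}, Proto: "*"},
	{Description: "potential wannamine 2", SPort: []int{49636}, Proto: "*"},
}
```

Feeding Scan a connection with destination port 14444 and another with source port 49636 yields one hit per entry; a third connection on 443 produces none.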