Closed eldraco closed 3 months ago
The domains in this issue are valid domains, so these warnings were FPs; we were using the validators library to validate these domains.
In the fix I used tldextract, here #890. Now we're no longer getting these FP warnings; however, we still have many warnings because some of our TI feeds do contain invalid domains, e.g.:
2024/08/06 19:12:16.777268 [Update Manager] The data amazing.lab is not valid. It was found in modules/threat_intelligence/remote_data_files/civilsphereindicators.csv.
2024/08/06 19:15:08.718958 [Update Manager] The data performer.api.naiadsystems.comm is not valid. It was found in modules/threat_intelligence/remote_data_files/adservers.txt.
2024/08/06 19:15:08.756786 [Update Manager] The data fhits.xy is not valid. It was found in modules/threat_intelligence/remote_data_files/adservers.txt.
2024/08/06 19:15:08.757079 [Update Manager] The data www.fhits.xy is not valid. It was found in modules/threat_intelligence/remote_data_files/adservers.txt.
2024/08/06 19:15:08.757363 [Update Manager] The data cdn1.fhits.xy is not valid. It was found in modules/threat_intelligence/remote_data_files/adservers.txt.
2024/08/06 19:15:18.740840 [Update Manager] The data www.xxx.xxx.bucket is not valid. It was found in modules/threat_intelligence/remote_data_files/mifitblocklist.txt.
2024/08/06 19:15:32.602095 [Update Manager] The data 7thebook.gogofinder.com.twvote is not valid. It was found in modules/threat_intelligence/remote_data_files/cps-collected-iocs.intel.
2024/08/06 19:15:32.849274 [Update Manager] The data aenigmatica.ita is not valid. It was found in modules/threat_intelligence/remote_data_files/cps-collected-iocs.intel.
2024/08/06 19:15:32.991267 [Update Manager] The data antikregiseg.hufelh is not valid. It was found in modules/threat_intelligence/remote_data_files/cps-collected-iocs.intel.
2024/08/06 19:15:33.150239 [Update Manager] The data autotouch.netuser is not valid. It was found in modules/threat_intelligence/remote_data_files/cps-collected-iocs.intel.
2024/08/06 19:15:33.165102 [Update Manager] The data awardsdaily.comwp is not valid. It was found in modules/threat_intelligence/remote_data_files/cps-collected-iocs.intel.
2024/08/06 19:15:33.272243 [Update Manager] The data berlin.demix is not valid. It was found in modules/threat_intelligence/remote_data_files/cps-collected-iocs.intel.
2024/08/06 19:15:33.413416 [Update Manager] The data botdevelopment.comcscart is not valid. It was found in modules/threat_intelligence/remote_data_files/cps-collected-iocs.intel.
2024/08/06 19:15:33.655319 [Update Manager] The data chesspro.ruchon is not valid. It was found in modules/threat_intelligence/remote_data_files/cps-collected-iocs.intel.
2024/08/06 19:15:33.956109 [Update Manager] The data desktop.ini is not valid. It was found in modules/threat_intelligence/remote_data_files/cps-collected-iocs.intel.
Now any domain with a suffix that doesn't exist in https://publicsuffix.org/list/public_suffix_list.dat is discarded by Slips.
These domains are really not valid, and we should ignore them.
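The suffix check described in the comment above, as an added example that is not Slips' own code and does not use tldextract: it matches names against a small constructed excerpt in `public_suffix_list.dat` format and discards any name with no listed suffix. The names `load_rules`, `public_suffix` and `split_feed` are hypothetical, and the feed mixes rejected names from the log above with constructed valid ones.

```python
import re

# Constructed excerpt in public_suffix_list.dat format; the real list has thousands of rules.
PSL_EXCERPT = """
// constructed sample, not the real file
com
net
co.uk
com.tw
*.ck
!www.ck
"""
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")  # one DNS label, no leading/trailing hyphen

def load_rules(text):
    """Split PSL text into exact, wildcard ('*.x') and exception ('!x') rule sets."""
    exact, wild, exc = set(), set(), set()
    for line in text.splitlines():
        rule = line.strip().lower()
        if not rule or rule.startswith("//"):
            continue
        if rule.startswith("!"):
            exc.add(rule[1:])
        elif rule.startswith("*."):
            wild.add(rule[2:])
        else:
            exact.add(rule)
    return exact, wild, exc

def public_suffix(domain, rules):
    """Longest listed suffix of domain, or '' when no rule matches.
    There is deliberately no implicit '*' rule, so an unknown TLD yields ''."""
    exact, wild, exc = rules
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):              # longest candidate first
        cand = ".".join(labels[i:])
        if cand in exc:                       # '!www.ck': suffix is one label shorter
            return ".".join(labels[i + 1:])
        if cand in exact or (i + 1 < len(labels) and ".".join(labels[i + 1:]) in wild):
            return cand
    return ""

def split_feed(domains, rules):
    """Return (kept, discarded): kept names have well-formed labels and a listed suffix."""
    kept, discarded = [], []
    for d in domains:
        labels = d.lower().rstrip(".").split(".")
        ok = all(LABEL.fullmatch(l) for l in labels) and public_suffix(d, rules)
        (kept if ok else discarded).append(d)
    return kept, discarded

RULES = load_rules(PSL_EXCERPT)
FEED = ["amazing.lab", "fhits.xy", "desktop.ini", "7thebook.gogofinder.com.twvote",
        "example.com", "shop.example.co.uk", "a.b.ck", "www.ck"]  # last four are constructed
if __name__ == "__main__":
    print(split_feed(FEED, RULES))
```

Entries such as `awardsdaily.comwp` or `7thebook.gogofinder.com.twvote` look like a valid name with part of a URL path fused on during feed collection, so a suffix check drops them instead of loading them as indicators.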
Describe the bug: Some threat intelligence files/rows give errors when processed
To Reproduce Steps to reproduce the behavior:
Expected behavior: No errors
Branch Main
Environment (please complete the following information):