viper-framework / viper

Binary analysis and management framework

Add support for storing IOCs in relation to projects and samples #592

Open botherder opened 7 years ago

botherder commented 7 years ago

While notes can already be used for this purpose, I've been finding a lack of a way to track IOCs to be annoying. Having such support natively could also then facilitate the import and export of the same indicators from e.g. MISP, Yeti and such.

Thoughts?

Rafiot commented 7 years ago

What do you mean by tracking IOCs?

I'm planning to improve the support of tagging using PyTaxonomies and adding metadata using the misp-galaxies with PyMISPGalaxies. Both libs are standalone and come with the datasets bundled in, so no hard dependencies on MISP or remote services.

The next big upgrade we're currently working on in MISP is the objects: https://github.com/MISP/PyMISP/compare/master...MISP:objects which allow you to group indicators into... objects (such as PE indicators, or SSL certificates). All the object templates are also standalone but I don't have a standalone library yet.

Exporting a viper project into a (list of) MISP events (or in other formats, of course), that would be great. Having a full correlation engine in viper, I'm less sure, as it will add lots of complexity, and viper doesn't really support multi user, sharing... without massive changes so you may just want to rely on MISP (or other similar tools for that).

botherder commented 7 years ago

I don't think it needs anything complex, just a simple database table like the one for notes or tags, with a minimal search function.

While I think integration is important, I don't want Viper to become solely dependent on MISP (or any other tool for that matter), because folks might need some basic functionality like that while not being MISP users, and we don't really have a good way to, for example, tag C&Cs and other properties to samples and projects right now.
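As an added illustration of the "simple table plus minimal search" idea from the comment above (and of the export to MISP/Yeti mentioned in the opening post), here is a self-contained sketch using Python's built-in sqlite3. This is example code written for this thread, not Viper's own schema or API: the table and column names, the indicator type vocabulary (`domain`, `mutex`, ...), the `role` property and the export format are all assumptions, and the sample data is constructed.

```python
import sqlite3
from typing import Optional

# Added example (not Viper's own code): a minimal IOC table linked to samples and
# projects, in the spirit of the existing notes/tags tables. All names are assumed.
SCHEMA = """
CREATE TABLE IF NOT EXISTS project (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE IF NOT EXISTS sample (
    id INTEGER PRIMARY KEY, sha256 TEXT UNIQUE NOT NULL,
    project_id INTEGER NOT NULL REFERENCES project(id));
CREATE TABLE IF NOT EXISTS ioc (
    id INTEGER PRIMARY KEY,
    type TEXT NOT NULL,   -- e.g. 'domain', 'ip', 'mutex' (assumed vocabulary)
    value TEXT NOT NULL,
    role TEXT,            -- property such as 'c2' (assumed), so C&Cs can be tagged
    UNIQUE (type, value));
CREATE TABLE IF NOT EXISTS sample_ioc (
    sample_id INTEGER NOT NULL REFERENCES sample(id),
    ioc_id INTEGER NOT NULL REFERENCES ioc(id),
    PRIMARY KEY (sample_id, ioc_id));
"""


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the database and make sure the schema exists."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def add_sample(conn, sha256: str, project: str) -> int:
    """Register a sample under a project, creating the project if needed."""
    conn.execute("INSERT OR IGNORE INTO project(name) VALUES (?)", (project,))
    pid = conn.execute("SELECT id FROM project WHERE name = ?", (project,)).fetchone()["id"]
    conn.execute("INSERT OR IGNORE INTO sample(sha256, project_id) VALUES (?, ?)", (sha256, pid))
    return conn.execute("SELECT id FROM sample WHERE sha256 = ?", (sha256,)).fetchone()["id"]


def add_ioc(conn, sha256: str, ioc_type: str, value: str, role: Optional[str] = None) -> int:
    """Attach an indicator to a sample; one indicator may be shared by many samples."""
    sid = conn.execute("SELECT id FROM sample WHERE sha256 = ?", (sha256,)).fetchone()
    if sid is None:
        raise KeyError(f"unknown sample {sha256}")
    conn.execute("INSERT OR IGNORE INTO ioc(type, value, role) VALUES (?, ?, ?)",
                 (ioc_type, value, role))
    iid = conn.execute("SELECT id FROM ioc WHERE type = ? AND value = ?",
                       (ioc_type, value)).fetchone()["id"]
    conn.execute("INSERT OR IGNORE INTO sample_ioc(sample_id, ioc_id) VALUES (?, ?)",
                 (sid["id"], iid))
    conn.commit()
    return iid


def search(conn, needle: str, ioc_type: Optional[str] = None) -> list:
    """Minimal search: substring match on the value, optionally limited to one type.
    Returns (type, value, role, sha256, project) tuples, one per sample link."""
    sql = """SELECT i.type, i.value, i.role, s.sha256, p.name AS project
             FROM ioc i JOIN sample_ioc si ON si.ioc_id = i.id
                        JOIN sample s ON s.id = si.sample_id
                        JOIN project p ON p.id = s.project_id
             WHERE i.value LIKE ?"""
    params = [f"%{needle}%"]
    if ioc_type:
        sql += " AND i.type = ?"
        params.append(ioc_type)
    sql += " ORDER BY i.type, i.value, s.sha256"
    return [tuple(r) for r in conn.execute(sql, params)]


def export_project(conn, project: str) -> dict:
    """Flatten a project's indicators into a plain dict that an exporter for MISP,
    Yeti or similar could consume (this shape is assumed, not any tool's format)."""
    rows = conn.execute("""SELECT s.sha256, i.type, i.value, i.role
                           FROM sample s JOIN project p ON p.id = s.project_id
                           LEFT JOIN sample_ioc si ON si.sample_id = s.id
                           LEFT JOIN ioc i ON i.id = si.ioc_id
                           WHERE p.name = ? ORDER BY s.sha256, i.type, i.value""", (project,))
    out = {"project": project, "samples": {}}
    for r in rows:
        entry = out["samples"].setdefault(r["sha256"], [])
        if r["type"] is not None:  # samples with no IOCs still appear, with an empty list
            entry.append({"type": r["type"], "value": r["value"], "role": r["role"]})
    return out


def build_demo() -> sqlite3.Connection:
    """Constructed data: two samples in one project sharing a tagged C2 domain."""
    conn = open_db()
    add_sample(conn, "a" * 64, "campaign-x")
    add_sample(conn, "b" * 64, "campaign-x")
    add_ioc(conn, "a" * 64, "domain", "update.example.invalid", role="c2")
    add_ioc(conn, "b" * 64, "domain", "update.example.invalid", role="c2")
    add_ioc(conn, "b" * 64, "mutex", "Global\\demo-mutex-0001")
    return conn


if __name__ == "__main__":
    db = build_demo()
    for hit in search(db, "example"):
        print(hit)
    print(export_project(db, "campaign-x"))
```

The `UNIQUE (type, value)` constraint plus the link table is what makes the shared indicator show up under both samples in a single search, which is the cross-sample pivot the original request is after; anything beyond substring matching would be where a full-text index would come in.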

Rafiot commented 7 years ago

For the search function, I'd recommend whoosh: it does standalone full-text indexing, is portable and efficient, and will be a lot easier than using an actual database.

There is no reason to make viper dependent on MISP; the taxonomies and the galaxies are just knowledge databases that can be hooked to any project.