Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Analyzers: domain vs fqdn #350

Open
garanews opened this issue Oct 3, 2018 · 3 comments
Open

Analyzers: domain vs fqdn #350

garanews opened this issue Oct 3, 2018 · 3 comments
Assignees
@garanews
Labels
scope:analyzer Issue is analyzer related status:needs-review

Comments

@garanews
Copy link
Contributor

garanews commented Oct 3, 2018

Request Type

Question

Description

Analyzing attributes with datatype "hostname" and "domain" in MISP:

domain
Page 1 of 1615, showing 60 records out of 96849 total, starting on record 1, ending on 60
image

hostname
Page 1 of 1393, showing 60 records out of 83522 total, starting on record 1, ending on 60
image

when imported in The Hive they become type "fqdn" and "domain".
In this situation the analyzers available for the 2 types are different:

image

But all the fqdn above mentioned can be analyzed with (almost?) all analyzers used for domain type.

Possible Solutions

In order to access to other analyzers (VT,etc), analyst is removing manually all fqdn imported and adds again as domain...
An option would be configure the "domain" analyzers to analyze also fqdn type.

What do you think?
@phpsystems
Copy link
Contributor

There is also URLs to consider too.

FYI, the Fortiguard plugin was fixed with #358

@3c7 3c7 added scope:analyzer Issue is analyzer related status:needs-review labels Nov 19, 2018
@nadouani
Copy link
Contributor

Hello @garanews I've just spotted this one. Can you list all the analyzers that need to be updated to include FQDN as possible datatype? We can add them to this issue's description as checklist and fix them.

@garanews
Copy link
Contributor Author

garanews commented Mar 1, 2019

Hello @nadouani , I think all analyzers that have "domain" but not fqdn:

Abuse_Finder
C1fApp
CIRCLPassiveDNS
Censys
Crtsh
DNSSinkhole
FireEyeiSight
Fortiguard
GoogleSafebrowsing
IBMXForce
Malwares
MnemonicPDNS
OTXQuery
Pulsedive
Shodan
Threatcrowd
URLhaus
VirusTotal

Here you can see the full matrix:
image

For everyone would generate this table, here there is the code (need python 3.5+, pandas, glob):
https://gist.github.com/garanews/02e051a555bbf83cde527b9f086b1b26

phpsystems added a commit to phpsystems/Cortex-Analyzers that referenced this issue Oct 9, 2019
@phpsystems
Adding FQDN support to Abuse Finder TheHive-Project#350
6440529
@phpsystems phpsystems mentioned this issue Oct 9, 2019
Merged
This was referenced Oct 27, 2019
Merged
Closed
Merged
Merged
nadouani pushed a commit that referenced this issue Dec 25, 2019
@phpsystems @nadouani
Fix for the Abuse_Finder and Fortiguard (#541)
9b35265 
* Fix for issue #493

* Adding FQDN support to Abuse Finder #350

* Addition of FQDN to C1fApp
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@garanews garanews

Labels
scope:analyzer Issue is analyzer related status:needs-review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@nadouani @3c7 @phpsystems @garanews