Analysis Information Leak framework

14 KiB

Raw 고유링크 Blame 히스토리

Overview

Redis and ARDB overview

Redis on TCP port 6379
- DB 0 - Cache hostname/dns
- DB 1 - Paste meta-data
Redis on TCP port 6380 - Redis Log only
Redis on TCP port 6381
- DB 0 - PubSub + Queue and Paste content LRU cache
- DB 1 - Mixer Cache
ARDB on TCP port 6382

DB 1 - Curve DB 2 - TermFreq DB 3 - Trending/Trackers DB 4 - Sentiments DB 5 - TermCred DB 6 - Tags DB 7 - Metadata DB 8 - Statistics DB 9 - Crawler DB 10 - Objects
ARDB on TCP port
- DB 0 - Lines duplicate
- DB 1 - Hashes

Database Map:

Redis cache

Brute force protection:

Set Key	Value
failed_login_ip:ip	nb login failed
failed_login_user_id:user_id	nb login failed

Item Import:

Key	Value
uuid:nb_total	nb total
uuid:nb_end	nb
uuid:nb_sucess	nb success
uuid:end	0 (in progress) or (item imported)
uuid:processing	process status: 0 or 1
uuid:error	error message

Set Key	Value
uuid:paste_submit_link	item_path

DB0 - Core:

Update keys:

Key	Value

ail:version	current version

ail:update_update_version	background update name
	background update name
	...

ail:update_error	update message error

ail:update_in_progress	update version in progress
ail:current_background_update	current update version

ail:current_background_script	name of the background script currently executed
ail:current_background_script_stat	progress in % of the background script

Hset Key	Field	Value
ail:update_date	update tag	update date

User Management:

Hset Key	Field	Value
user:all	user id	password hash

user:tokens	token	user id

user_metadata:user id	token	token
	change_passwd	boolean
	role	role

Set Key	Value
user_role:role	user id

Zrank Key	Field	Value
ail:all_role	role	int, role priority (1=admin)

MISP Modules:

Set Key	Value
enabled_misp_modules	module name

Key	Value
misp_module:module name	module dict

Item Import:

Key	Value
uuid:isfile	boolean
uuid:paste_content	item_content

DB2 - TermFreq:

Set Key	Value
submitted:uuid	uuid
uuid:ltags	tag
uuid:ltagsgalaxies	tag

DB3 - Leak Hunter:

Tracker metadata:

Hset - Key	Field	Value
tracker:uuid	tracker	tacked word/set/regex
	type	word/set/regex
	date	date added
	user_id	created by user_id
	dashboard	0/1 Display alert on dashboard
	description	Tracker description
	level	0/1 Tracker visibility

Tracker by user_id (visibility level: user only):

Set - Key	Value
user:tracker:user_id	uuid - tracker uuid
user:tracker:user_id:word/set/regex - tracker type	uuid - tracker uuid

Global Tracker (visibility level: all users):

Set - Key	Value
gobal:tracker	uuid - tracker uuid
gobal:tracker:word/set/regex - tracker type	uuid - tracker uuid

All Tracker by type:

Set - Key	Value
all:tracker:word/set/regex - tracker type	tracked item

Set - Key	Value
all:tracker_uuid:tracker type:tracked item	uuid - tracker uuid

All Tracked items:

Set - Key	Value
tracker:item:uuid:date	item_id

All Tracked tags:

Set - Key	Value
tracker:tags:uuid	tag

All Tracked mail:

Set - Key	Value
tracker:mail:uuid	mail

Refresh Tracker:

Key	Value
tracker:refresh:word	last refreshed epoch
tracker:refresh:set	-
tracker:refresh:regex	-

Zset Stat Tracker:

Key	Field	Value
tracker:stat:uuid	date	nb_seen

Stat token:

Key	Field	Value
stat_token_total_by_day:date	word	nb_seen

stat_token_per_item_by_day:date	word	nb_seen

Set - Key	Value
stat_token_history	date

DB6 - Tags:

Hset:

Key	Field	Value
tag_metadata:tag	first_seen	date
tag_metadata:tag	last_seen	date

Set:

Key	Value
list_tags	tag
list_tags:object_type	tag
list_tags:domain	tag

active_taxonomies	taxonomie
active_galaxies	galaxie
active_tag_taxonomie or galaxy	tag
synonym_tag_misp-galaxy:galaxy	tag synonym
list_export_tags	user_tag

tag:date	paste
object_type:tag	object_id

DB7
tag:object_id	tag

old:

Key	Value
tag	paste

DB7 - Metadata:

Crawled Items:

Hset:

Key	Field	Value
paste_metadata:item path	super_father	first url crawled
	father	item father
	domain	crawled domain:domain port
	screenshot	screenshot hash

Set:

Key	Field
tag:item path	tag

paste_children:item path	item path

hash_paste:item path	hash
base64_paste:item path	hash
hexadecimal_paste:item path	hash
binary_paste:item path	hash

Zset:

Key	Field	Value
nb_seen_hash:hash	item	nb_seen
base64_hash:hash	item	nb_seen
binary_hash:hash	item	nb_seen
hexadecimal_hash:hash	item	nb_seen

PgpDump

Hset:

Key	Field	Value
pgpdump_metadata_key:key id	first_seen	date
	last_seen	date

pgpdump_metadata_name:name	first_seen	date
	last_seen	date

pgpdump_metadata_mail:mail	first_seen	date
	last_seen	date

set:

Key	Value
set_pgpdump_key:key id	item_path

set_pgpdump_name:name	item_path

set_pgpdump_mail:mail	item_path


set_domain_pgpdump_pgp_type:key	domain

Hset date:

| Key | Field | Value | | ------ | ------ | | pgpdump🔑date | key | nb seen | | | | | pgpdump:name:date | name | nb seen | | | | | pgpdump:mail:date | mail | nb seen |

zset:

Key	Field	Value
pgpdump_all:key	key	nb seen

pgpdump_all:name	name	nb seen

pgpdump_all:mail	mail	nb seen

set:

Key	Value
item_pgpdump_key:item_path	key

item_pgpdump_name:item_path	name

item_pgpdump_mail:item_path	mail


domain_pgpdump_pgp_type:domain	key

SimpleCorrelation:

zset:

Key	Field	Value
s_correl:correlation name:all	object_id	nb_seen
s_correl📅correlation name:date_day	object_id	*nb_seen

set:

Key	Value
s_correl:set_object type_correlation name:object_id	item_id
object type:s_correl:correlation name:object_id	correlation_id

object type: item + domain

hset:

Key	Field	Value
's_correl:correlation name:metadata:obj_id	first_seen	first_seen
's_correl:correlation name:metadata:obj_id	last_seen	last_seen

Cryptocurrency

Supported cryptocurrency:

bitcoin
bitcoin-cash
dash
etherum
litecoin
monero
zcash

Hset:

Key	Field	Value
cryptocurrency_metadata_cryptocurrency name:cryptocurrency address	first_seen	date
	last_seen	date

set:

Key	Value
set_cryptocurrency_cryptocurrency name:cryptocurrency address	item_path
domain_cryptocurrency_cryptocurrency name:cryptocurrency address	domain

Hset date:

| Key | Field | Value | | ------ | ------ | | cryptocurrency:cryptocurrency name:date | cryptocurrency address | nb seen |

zset:

Key	Field	Value
cryptocurrency_all:cryptocurrency name	cryptocurrency address	nb seen

set:

Key	Value
item_cryptocurrency_cryptocurrency name:item_path	cryptocurrency address
domain_cryptocurrency_cryptocurrency name:item_path	cryptocurrency address

HASH

Key	Value
hash_domain:domain	hash
domain_hash:hash	domain

DB9 - Crawler:

Hset:

Key	Field	Value
service type_metadata:domain	first_seen	date
	last_check	date
	ports	port;port;port ...
	paste_parent	parent last crawling (can be auto or manual)

Zset:

Key	Field	Value
crawler_history_service type:domain:port	item root (first crawled item)	epoch (seconds)

Set:

Key	Value
screenshot:sha256	item path

crawler config:

Key	Value
crawler_config:crawler mode:service type:domain	json config

automatic crawler config:

Key	Value
crawler_config:crawler mode:service type:domain:url	json config

exemple json config:

{
  "closespider_pagecount": 1,
  "time": 3600,
  "depth_limit": 0,
  "har": 0,
  "png": 0
}

Splash containers and proxies:

SET - Key	Value
all_proxy	proxy name
all_splash	splash name

HSET - Key	Field	Value
proxy:metadata:proxy name	host	host
proxy:metadata:proxy name	port	port
proxy:metadata:proxy name	type	type
proxy:metadata:proxy name	crawler_type	crawler_type
proxy:metadata:proxy name	description	proxy description

splash:metadata:splash name	description	splash description
splash:metadata:splash name	crawler_type	crawler_type
splash:metadata:splash name	proxy	splash proxy (None if null)

SET - Key	Value
splash:url:container name	splash url
proxy:splash:proxy name	container name

Key	Value
splash:map:url:name:splash url	container name

CRAWLER QUEUES:

SET - Key	Value
onion_crawler_queue	url;item_id
regular_crawler_queue	-

onion_crawler_priority_queue	url;item_id
regular_crawler_priority_queue	-

onion_crawler_discovery_queue	url;item_id
regular_crawler_discovery_queue	-

TO CHANGE:

ARDB overview

----------------------------------------- SENTIMENT ------------------------------------

SET - 'Provider_set'				Provider

KEY - 'UniqID' 					INT

SET - provider_timestamp			UniqID

SET - UniqID					avg_score

DB 7 - Metadata:

----------------------------------------- BASE64 ----------------------------------------

HSET - 'metadata_hash:'+hash 'saved_path' saved_path 'size' size 'first_seen' first_seen 'last_seen' last_seen 'estimated_type' estimated_type 'vt_link' vt_link 'vt_report' vt_report 'nb_seen_in_all_pastes' nb_seen_in_all_pastes 'base64_decoder' nb_encoded 'binary_decoder' nb_encoded

SET - 'all_decoder' decoder*

SET - 'hash_all_type' hash_type * SET - 'hash_base64_all_type' hash_type * SET - 'hash_binary_all_type' hash_type *

ZADD - 'hash_date:'+20180622 hash * nb_seen_this_day ZADD - 'base64_date:'+20180622 hash * nb_seen_this_day ZADD - 'binary_date:'+20180622 hash * nb_seen_this_day

ZADD - 'base64_type:'+type date nb_seen ZADD - 'binary_type:'+type date nb_seen

GET - 'base64_decoded:'+date nd_decoded GET - 'binary_decoded:'+date nd_decoded

14 KiB Raw 고유링크 Blame 히스토리

Overview

Redis and ARDB overview

Database Map:

Redis cache

Brute force protection:

Item Import:

DB0 - Core:

Update keys:

User Management:

MISP Modules:

Item Import:

DB2 - TermFreq:

DB3 - Leak Hunter:

Tracker metadata:

Tracker by user_id (visibility level: user only):

Global Tracker (visibility level: all users):

All Tracker by type:

All Tracked items:

All Tracked tags:

All Tracked mail:

Refresh Tracker:

Zset Stat Tracker:

Stat token:

DB6 - Tags:

Hset:

Set:

old:

DB7 - Metadata:

Crawled Items:

Hset:

Set:

Zset:

PgpDump

Hset:

set:

Hset date:

zset:

set:

SimpleCorrelation:

zset:

set:

hset:

Cryptocurrency

Hset:

set:

Hset date:

zset:

set:

HASH

DB9 - Crawler:

Hset:

Zset:

Set:

crawler config:

automatic crawler config:

exemple json config:

Splash containers and proxies:

CRAWLER QUEUES:

TO CHANGE:

14 KiB

Raw 고유링크 Blame 히스토리