Merge pull request #250 from davidonzo/main

Added DigitalSide.IT warninglist (false positive detection)
Alexandre Dulaunoy 2023-06-22 18:38:07 +02:00 committed by GitHub
commit a345cc1f7d
4 changed files with 75 additions and 1 deletions


@ -89,7 +89,7 @@ are reused in many other open source projects.
- [vpn-ipv6/list.json](./lists/vpn-ipv6/list.json) - **Specialized list of IPv6 addresses belonging to common VPN providers and datacenters** - _Specialized list of IPv6 addresses belonging to common VPN providers and datacenters_ - [vpn-ipv6/list.json](./lists/vpn-ipv6/list.json) - **Specialized list of IPv6 addresses belonging to common VPN providers and datacenters** - _Specialized list of IPv6 addresses belonging to common VPN providers and datacenters_
- [whats-my-ip/list.json](./lists/whats-my-ip/list.json) - **List of known domains to know external IP** - _Event contains one or more entries of known 'what's my ip' domains_ - [whats-my-ip/list.json](./lists/whats-my-ip/list.json) - **List of known domains to know external IP** - _Event contains one or more entries of known 'what's my ip' domains_
- [wikimedia/list.json](./lists/wikimedia/list.json) - **List of known Wikimedia address ranges** - _Wikimedia address ranges (http://noc.wikimedia.org/conf/reverse-proxy.php.txt)_ - [wikimedia/list.json](./lists/wikimedia/list.json) - **List of known Wikimedia address ranges** - _Wikimedia address ranges (http://noc.wikimedia.org/conf/reverse-proxy.php.txt)_
- [digitalside/list.json](./lists/digitalside/list.json) - **List of known domains to be marked as false positive** - _Malicious urls are spread using legitimate domains. File sharing services, CDN hosts and social netowrks are common examples._
# Format of a warning list # Format of a warning list
~~~~json ~~~~json
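Review bot: the added README entry for `digitalside/list.json` has a typo, "netowrks" should read "networks", and it is appended after `wikimedia` although the surrounding entries (vpn-ipv6, whats-my-ip, wikimedia) are kept in alphabetical order; move it up to its alphabetical position. The short description should also match the `description` field of the JSON list so the README and the list do not drift apart.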


@ -35,6 +35,7 @@ python3 generate-smtp.py
python3 generate-tenable.py python3 generate-tenable.py
python3 generate-microsoft-azure-appid.py python3 generate-microsoft-azure-appid.py
python3 generate-chrome-crux-1m.py python3 generate-chrome-crux-1m.py
python3 generate-digitalside.py
popd popd
./jq_all_the_things.sh ./jq_all_the_things.sh


@ -0,0 +1,47 @@
{
"description": "\"OSINT DigitalSide Threat-Intel Repository - MISP Warninglist - List of domains should be marked as false positive in the related MISP event with IDS attribute not flagged",
"list": [
"amazonaws.com",
"backblaze.com",
"backblazeb2.com",
"bitbucket.org",
"box.com",
"cdn.discordapp.com",
"codeberg.org",
"codeload.github.com",
"deac-ams.dl.sourceforge.net",
"dl.dropboxusercontent.com",
"drive.google.com",
"dropbox.com",
"dropboxusercontent.com",
"files.catbox.moe",
"files.slack.com",
"github.com",
"gitlab.com",
"google.com",
"i.imgur.com",
"icloud.com",
"link.storjshare.io",
"media.discordapp.net",
"pastebin.com",
"raw.githubusercontent.com",
"s3.amazonaws.com",
"s3.eu-central-2.wasabisys.com",
"sptrack.trello.com",
"static.wixstatic.com",
"storage.googleapis.com",
"transfer.sh",
"trello.com",
"vk.com",
"www.dl.dropboxusercontent.com",
"www.zipshare.com",
"zipshare.com"
],
"matching_attributes": [
"hostname",
"domain"
],
"name": "OSINT.DigitalSide.IT Warning List",
"type": "hostname",
"version": 20230622
}
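Review bot: the `"description"` value opens with a stray escaped quote (`"\"OSINT DigitalSide Threat-Intel Repository ...`) that is never closed, so the rendered description starts with a literal `"`; drop the `\"`. The entries also overlap with one another: `"zipshare.com"` sits next to `"www.zipshare.com"`, `"dropboxusercontent.com"` next to `"dl.dropboxusercontent.com"` and `"www.dl.dropboxusercontent.com"`, and `"amazonaws.com"` next to `"s3.amazonaws.com"`. If hostname matching includes parent domains the subdomain entries are redundant; if it is exact, the bare `"google.com"`, `"github.com"` and `"amazonaws.com"` entries will not cover the file-hosting subdomains the description is about, so decide which behaviour is intended and keep one consistent set of entries.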


@ -0,0 +1,26 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from generator import download, get_version, write_to_file
def process(url, dst):
DSList = download(url).text.strip().split("\n")
warninglist = {
'name': 'OSINT.DigitalSide.IT Warning List',
'version': get_version(),
'description': '"OSINT DigitalSide Threat-Intel Repository - MISP Warninglist - List of domains should be marked as false positive in the related MISP event with IDS attribute not flagged',
'type': 'hostname',
'list': DSList,
'matching_attributes': ["hostname", "domain"]
}
write_to_file(warninglist, dst)
if __name__ == '__main__':
digitalside_url = 'https://raw.githubusercontent.com/davidonzo/Threat-Intel-Domain-WL/main/OSINT.DigitalSide-Threat-Intel-Domain-WL.txt'
digitalside_dst = 'digitalside'
process(digitalside_url, digitalside_dst)
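Review bot: the `'description'` string in `process` carries the same stray leading `"` as the JSON (`'description': '"OSINT DigitalSide ...`), and since this generator rewrites the list file on every run, the fix has to be made here or it will be reintroduced. `download(url).text.strip().split("\n")` also leaves a trailing `\r` on every entry if the upstream text file uses CRLF line endings and turns interior blank lines into empty entries; `splitlines()` with empty and whitespace-only lines filtered out, followed by deduplication and sorting, would give a stable, diff-friendly list.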