Added DigitalSide.IT warninglist (false positive detection)

2023-06-22 15:34:20 +02:00 · 2023-06-22 15:34:20 +02:00 · fdbfb29eba
parent 9f55a9b6fd
commit fdbfb29eba
4 changed files with 75 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -89,7 +89,7 @@ are reused in many other open source projects.
 - [vpn-ipv6/list.json](./lists/vpn-ipv6/list.json) - **Specialized list of IPv6 addresses belonging to common VPN providers and datacenters** - _Specialized list of IPv6 addresses belonging to common VPN providers and datacenters_
 - [whats-my-ip/list.json](./lists/whats-my-ip/list.json) - **List of known domains to know external IP** - _Event contains one or more entries of known 'what's my ip' domains_
 - [wikimedia/list.json](./lists/wikimedia/list.json) - **List of known Wikimedia address ranges** - _Wikimedia address ranges (http://noc.wikimedia.org/conf/reverse-proxy.php.txt)_
-
+- [digitalside/list.json](./lists/digitalside/list.json) - **List of known domains to be marked as false positive** - _Malicious urls are spread using legitimate domains. File sharing services, CDN hosts and social netowrks are common examples._
 # Format of a warning list

 ~~~~json
--- a/generate_all.sh
+++ b/generate_all.sh
@ -35,6 +35,7 @@ python3 generate-smtp.py
 python3 generate-tenable.py
 python3 generate-microsoft-azure-appid.py
 python3 generate-chrome-crux-1m.py
+python3 generate-digitalside.py
 popd

 ./jq_all_the_things.sh
--- a/lists/digitalside/list.json
+++ b/lists/digitalside/list.json
@ -0,0 +1,47 @@
+{
+  "description": "\"OSINT DigitalSide Threat-Intel Repository - MISP Warninglist - List of domains should be marked as false positive in the related MISP event with IDS attribute not flagged",
+  "list": [
+    "amazonaws.com",
+    "backblaze.com",
+    "backblazeb2.com",
+    "bitbucket.org",
+    "box.com",
+    "cdn.discordapp.com",
+    "codeberg.org",
+    "codeload.github.com",
+    "deac-ams.dl.sourceforge.net",
+    "dl.dropboxusercontent.com",
+    "drive.google.com",
+    "dropbox.com",
+    "dropboxusercontent.com",
+    "files.catbox.moe",
+    "files.slack.com",
+    "github.com",
+    "gitlab.com",
+    "google.com",
+    "i.imgur.com",
+    "icloud.com",
+    "link.storjshare.io",
+    "media.discordapp.net",
+    "pastebin.com",
+    "raw.githubusercontent.com",
+    "s3.amazonaws.com",
+    "s3.eu-central-2.wasabisys.com",
+    "sptrack.trello.com",
+    "static.wixstatic.com",
+    "storage.googleapis.com",
+    "transfer.sh",
+    "trello.com",
+    "vk.com",
+    "www.dl.dropboxusercontent.com",
+    "www.zipshare.com",
+    "zipshare.com"
+  ],
+  "matching_attributes": [
+    "hostname",
+    "domain"
+  ],
+  "name": "OSINT.DigitalSide.IT Warning List",
+  "type": "hostname",
+  "version": 20230622
+}
--- a/tools/generate-digitalside.py
+++ b/tools/generate-digitalside.py
@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from generator import download, get_version, write_to_file
+
+
+def process(url, dst):
+    DSList = download(url).text.strip().split("\n")
+    
+    warninglist = {
+        'name': 'OSINT.DigitalSide.IT Warning List',
+        'version': get_version(),
+        'description': '"OSINT DigitalSide Threat-Intel Repository - MISP Warninglist - List of domains should be marked as false positive in the related MISP event with IDS attribute not flagged',
+        'type': 'hostname',
+        'list': DSList,
+        'matching_attributes': ["hostname", "domain"]
+    }
+    
+    write_to_file(warninglist, dst)
+
+
+if __name__ == '__main__':
+    digitalside_url = 'https://raw.githubusercontent.com/davidonzo/Threat-Intel-Domain-WL/main/OSINT.DigitalSide-Threat-Intel-Domain-WL.txt'
+    digitalside_dst = 'digitalside'
+
+    process(digitalside_url, digitalside_dst)