From fdbfb29ebac68306f4da7d1580886ab42919b512 Mon Sep 17 00:00:00 2001 From: Davide Date: Thu, 22 Jun 2023 15:34:20 +0200 Subject: [PATCH] Added DigitalSide.IT warninglist (false positive detection) --- README.md | 2 +- generate_all.sh | 1 + lists/digitalside/list.json | 47 +++++++++++++++++++++++++++++++++++ tools/generate-digitalside.py | 26 +++++++++++++++++++ 4 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 lists/digitalside/list.json create mode 100644 tools/generate-digitalside.py diff --git a/README.md b/README.md index 5698f1b..cb18821 100755 --- a/README.md +++ b/README.md @@ -89,7 +89,7 @@ are reused in many other open source projects. - [vpn-ipv6/list.json](./lists/vpn-ipv6/list.json) - **Specialized list of IPv6 addresses belonging to common VPN providers and datacenters** - _Specialized list of IPv6 addresses belonging to common VPN providers and datacenters_ - [whats-my-ip/list.json](./lists/whats-my-ip/list.json) - **List of known domains to know external IP** - _Event contains one or more entries of known 'what's my ip' domains_ - [wikimedia/list.json](./lists/wikimedia/list.json) - **List of known Wikimedia address ranges** - _Wikimedia address ranges (http://noc.wikimedia.org/conf/reverse-proxy.php.txt)_ - +- [digitalside/list.json](./lists/digitalside/list.json) - **List of known domains to be marked as false positive** - _Malicious urls are spread using legitimate domains. File sharing services, CDN hosts and social netowrks are common examples._ # Format of a warning list ~~~~json diff --git a/generate_all.sh b/generate_all.sh index aa1535c..cb33900 100755 --- a/generate_all.sh +++ b/generate_all.sh @@ -35,6 +35,7 @@ python3 generate-smtp.py python3 generate-tenable.py python3 generate-microsoft-azure-appid.py python3 generate-chrome-crux-1m.py +python3 generate-digitalside.py popd ./jq_all_the_things.sh diff --git a/lists/digitalside/list.json b/lists/digitalside/list.json new file mode 100644 index 0000000..268b15c 
--- /dev/null
+++ b/lists/digitalside/list.json
@@ -0,0 +1,47 @@
+{
+ "description": "\"OSINT DigitalSide Threat-Intel Repository - MISP Warninglist - List of domains should be marked as false positive in the related MISP event with IDS attribute not flagged",
+ "list": [
+ "amazonaws.com",
+ "backblaze.com",
+ "backblazeb2.com",
+ "bitbucket.org",
+ "box.com",
+ "cdn.discordapp.com",
+ "codeberg.org",
+ "codeload.github.com",
+ "deac-ams.dl.sourceforge.net",
+ "dl.dropboxusercontent.com",
+ "drive.google.com",
+ "dropbox.com",
+ "dropboxusercontent.com",
+ "files.catbox.moe",
+ "files.slack.com",
+ "github.com",
+ "gitlab.com",
+ "google.com",
+ "i.imgur.com",
+ "icloud.com",
+ "link.storjshare.io",
+ "media.discordapp.net",
+ "pastebin.com",
+ "raw.githubusercontent.com",
+ "s3.amazonaws.com",
+ "s3.eu-central-2.wasabisys.com",
+ "sptrack.trello.com",
+ "static.wixstatic.com",
+ "storage.googleapis.com",
+ "transfer.sh",
+ "trello.com",
+ "vk.com",
+ "www.dl.dropboxusercontent.com",
+ "www.zipshare.com",
+ "zipshare.com"
+ ],
+ "matching_attributes": [
+ "hostname",
+ "domain"
+ ],
+ "name": "OSINT.DigitalSide.IT Warning List",
+ "type": "hostname",
+ "version": 20230622
+}
diff --git a/tools/generate-digitalside.py b/tools/generate-digitalside.py
new file mode 100644
index 0000000..2febde9
--- /dev/null
+++ b/tools/generate-digitalside.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from generator import download, get_version, write_to_file
+
+
+def process(url, dst):
+ DSList = download(url).text.strip().split("\n")
+
+ warninglist = {
+ 'name': 'OSINT.DigitalSide.IT Warning List',
+ 'version': get_version(),
+ 'description': '"OSINT DigitalSide Threat-Intel Repository - MISP Warninglist - List of domains should be marked as false positive in the related MISP event with IDS attribute not flagged',
+ 'type': 'hostname',
+ 'list': DSList,
+ 'matching_attributes': ["hostname", "domain"]
+ }
+
+ write_to_file(warninglist, dst)
+
+
+if __name__ == '__main__':
+ digitalside_url = 'https://raw.githubusercontent.com/davidonzo/Threat-Intel-Domain-WL/main/OSINT.DigitalSide-Threat-Intel-Domain-WL.txt'
+ digitalside_dst = 'digitalside'
+
+ process(digitalside_url, digitalside_dst)
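Review bot: In `process`, whatever the `main` branch of a third-party repository serves is written into the warninglist exactly as `download(url).text.strip().split("\n")` returns it, so a `\r` from CRLF endings, a blank or `#` comment line, mixed case, or any non-hostname text pushed upstream would become a false-positive suppression entry on any MISP instance that consumes this list. I would strip and lower-case each line, skip empties and comments, reject anything that is not a plausible hostname so a bad upstream change fails the build instead of silently widening the list, and consider pinning the URL to a commit SHA rather than `main`; if the repository's other generators preserve upstream order, use `list(dict.fromkeys(...))` instead of the `sorted(set)` below. The `description` string also starts with a stray `"` that is copied verbatim into list.json, so `'description': 'OSINT DigitalSide Threat-Intel Repository - MISP Warninglist - List of domains that should be marked as false positive in the related MISP event with IDS attribute not flagged',`. `DSList` should be `ds_list` per PEP 8, and the added `re.fullmatch` needs `import re` at the top of the file.

```python
def process(url, dst):
    """Fetch the upstream domain list and write it out as a MISP warninglist."""
    entries = set()
    for raw in download(url).text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith('#'):
            continue
        # Reject anything that is not a plain hostname so a malformed or
        # malicious upstream change fails here instead of silently becoming
        # a false-positive suppression entry.
        if not re.fullmatch(r'[a-z0-9-]+(?:\.[a-z0-9-]+)+', line):
            raise ValueError(f'unexpected entry in {url}: {line!r}')
        entries.add(line)
    ds_list = sorted(entries)
    # … unchanged: warninglist dict (with 'list': ds_list) and write_to_file(warninglist, dst) …
```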