91 lines
5.2 KiB
Markdown
Executable File
91 lines
5.2 KiB
Markdown
Executable File
# misp-warninglist
|
|
|
|
misp-warninglists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes.
|
|
|
|
[![Build Status](https://travis-ci.org/MISP/misp-warninglists.svg?branch=master)](https://travis-ci.org/MISP/misp-warninglists)
|
|
|
|
The warning lists are integrated in MISP to display an info/warning box at the event and attribute level if such indicators
|
|
are available in one of the list. The list can be globally enabled or disabled in MISP following the practices of the organization.
|
|
|
|
# lists
|
|
|
|
- [lists/akamai](lists/akamai) - Akamai networks
|
|
- [lists/alexa](lists/alexa) - Top 1000 websites from Alexa
|
|
- [lists/amazon-aws](lists/amazon-aws) - Known Amazon AWS IP address ranges
|
|
- [lists/automated-malware-analysis](lists/automated-malware-analysis) - known domains used by automated malware analysis services
|
|
- [lists/bank-website](lists/bank-website) - List of known banking website
|
|
- [lists/cisco_top1000](lists/cisco_top1000) - Cisco (Umbrella) top 1000 websites
|
|
- [lists/common-ioc-false-positive](lists/common-ioc-false-positive) - common false-positives in IOCs
|
|
- [lists/crl](lists/crl-ip-hostname) - Source IP addresses, hostname and url from CRL (certificate revocation list)
|
|
- [lists/eicar.com](lists/eicar.com) - hashes for EICAR test virus
|
|
- [lists/disposable-email](lists/disposable-email) - List of disposable email domains
|
|
- [lists/empty-hashes](lists/empty-hashes) - hash values of empty files
|
|
- [lists/google](lists/google) - known domains and hostnames from Google
|
|
- [lists/ipv6-linklocal](lists/ipv6-linklocal) - IPv6 link local prefix
|
|
- [lists/microsoft](lists/microsoft) - known Microsoft domains
|
|
- [lists/microsoft-azure](lists/microsoft-azure) - known Microsoft Azure Datacenter IP Ranges
|
|
- [lists/microsoft-office365](lists/microsoft-office365) - known Office 365 URLs
|
|
- [lists/microsoft-office365-ip](lists/microsoft-office365-ip) - known Office 365 IP address ranges
|
|
- [lists/microsoft-office365-cn](lists/microsoft-office365-cn) - known Office 365 IP address ranges in China
|
|
- [lists/microsoft-attack-simulator](lists/microsoft-attack-simulator/) - known Office 365 hostnames and IP address used for Microsoft "Attack Simulator"
|
|
- [lists/microsoft-win10-connection-endpoints](lists/microsoft-win10-connection-endpoints/) - known Windows 10 connection endpoints
|
|
- [lists/multicast](lists/multicast) - known IPv4 multicast CIDR blocks
|
|
- [lists/ovh-cluster](lists/ovh-cluster) - List of known OVH Cluster IP
|
|
- [lists/public-dns-v4](lists/public-dns-v4) - IPv4 addresses and reverse of public DNS resolver
|
|
- [lists/public-dns-v6](lists/public-dns-v6) - IPv6 addresses and reverse of public DNS resolver
|
|
- [lists/rfc1918](lists/rfc1918) - RFC 1918 network subnets
|
|
- [lists/rfc3849](lists/rfc3849) - RFC 3849 - Documentation prefix for ipv6
|
|
- [lists/rfc5735](lists/rfc5735) - RFC 5735 CIDR blocks - Special Use IPv4 Addresses
|
|
- [lists/rfc6598](lists/rfc6598) - RFC 6598 IANA-Reserved IPv4 Prefix for Shared Address Space (Carrier- Grade NAT (CGN) devices)
|
|
- [lists/rfc6761](lists/rfc6761) - RFC 6761 Special-Use Domain Names
|
|
- [lists/security-provider-blogpost](lists/security-provider-blogpost) - Security providers or vendors blog domains
|
|
- [lists/second-level-tlds](lists/second-level-tlds) - Mozilla list of second level top-level domains
|
|
- [lists/sinkholes](lists/sinkholes) - List of known sinkholes
|
|
- [lists/tlds](lists/tlds) - top-level domains
|
|
- [lists/url-shortener](lists/url-shortener) - URL shorteners services
|
|
- [lists/university_domains](lists/university_domains) - University domain names
|
|
- [lists/vpn-ipv4](lists/vpn-ipv4) - Specialized list of IPv4 addresses belonging to common VPN providers and datacenters
|
|
- [lists/vpn-ipv6](lists/vpn-ipv6) - Specialized list of IPv6 addresses belonging to common VPN providers and datacenters
|
|
- [lists/whats-my-ip](lists/whats-my-ip) - "What's my IP" service
|
|
|
|
# Format of a warning list
|
|
|
|
~~~~json
|
|
{
|
|
"name": "List of known public DNS resolvers",
|
|
"version": 1,
|
|
"description": "Event contains one or more public DNS resolvers as attribute with an IDS flag set",
|
|
"matching_attributes": [
|
|
"ip-src",
|
|
"ip-dst"
|
|
],
|
|
"list": [
|
|
"8.8.8.8",
|
|
"8.8.4.4",
|
|
"208.67.222.222",
|
|
"208.67.220.220",
|
|
"195.46.39.39",
|
|
"195.46.39.40"
|
|
]
|
|
}
|
|
~~~~
|
|
|
|
If matching_attributes are not set, the list is matched against any type of attributes.
|
|
|
|
## type of warning list
|
|
|
|
- ```string``` (default) - perfect match of a string in the warning list against matching attributes
|
|
- ```substring``` - substring matching of a string in the warning list against matching attributes
|
|
- ```hostname``` - hostname matching (e.g. domain matching from URL) of a string in the warning list against matching attributes
|
|
- ```cidr``` - IP or CDIR block matching in the warning list against matching attributes
|
|
- ```regex``` - regex matching of a string matching attributes
|
|
|
|
# Processing warning lists in python
|
|
|
|
See [PyMISPWarningLists](https://github.com/MISP/PyMISPWarningLists) for a
|
|
python interface to warning lists.
|
|
|
|
# License
|
|
|
|
MISP warning-lists are licensed under [CC0 1.0 Universal (CC0 1.0)](https://creativecommons.org/publicdomain/zero/1.0/) - Public Domain Dedication. If a specific author of a taxonomy wants to license it under a different license, a pull request can be requested.
|