Warning lists to inform users of MISP about potential false-positives or other information in indicators
Go to file
Alexandre Dulaunoy 1ad7a75480
chg: [warning-lists] updated
2023-02-05 12:50:15 +01:00
.github/workflows fix: [github workflow] fix Python version 2022-12-15 14:50:41 +01:00
doc/manual_generated chg: [park_domain] new info source 2022-11-04 17:02:23 +01:00
lists chg: [warning-lists] updated 2023-02-05 12:50:15 +01:00
tools generator-vpn.py did not saved the generated list because of incorrect destination folder name 2023-01-10 19:41:59 +01:00
.gitchangelog.rc chg: [config] gitchangelog configuration added 2021-04-26 11:15:36 +02:00
.gitignore Refactor last scripts, logging, central directory for downloads 2020-07-27 10:44:30 +02:00
.travis.yml Update travis 2017-02-13 11:25:39 +01:00
README.md Update README.md 2023-01-30 21:34:49 +01:00
_config.yml Set theme jekyll-theme-minimal 2021-05-01 11:00:30 +02:00
generate_all.sh chg: [generate_all] add generate-chrome-crux-1m.py 2023-01-02 11:25:37 +01:00
jq_all_the_things.sh chg: Add script to make lists unique, and sort the keys. 2020-04-03 13:37:17 +02:00
requirements.txt chg: [generator] logging updated 2022-02-01 16:52:09 +01:00
schema.json fix: [microsoft-azure-appid] Remove azure-application-id from schema 2022-12-01 13:42:01 +00:00
validate_all.sh Validate values in CI 2020-05-22 19:28:04 +02:00

README.md

misp-warninglist

misp-warninglists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes.

Python application

The warning lists are integrated in MISP to display an info/warning box at the event and attribute level if such indicators are available in one of the list. The lists are also used to filter potential false-positive at API level. The list can be globally enabled or disabled in MISP following the practices of the organization. The warning lists are reused in many other open source projects.

lists

Format of a warning list

{
  "name": "List of known public DNS resolvers",
  "version": 1,
  "description": "Event contains one or more public DNS resolvers as attribute with an IDS flag set",
  "matching_attributes": [
    "ip-src",
    "ip-dst"
  ],
  "list": [
    "8.8.8.8",
    "8.8.4.4",
    "208.67.222.222",
    "208.67.220.220",
    "195.46.39.39",
    "195.46.39.40"
  ]
}

If matching_attributes are not set, the list is matched against any type of attributes.

type of warning list

  • string (default) - perfect match of a string in the warning list against matching attributes
  • substring - substring matching of a string in the warning list against matching attributes
  • hostname - hostname matching (e.g. domain matching from URL) of a string in the warning list against matching attributes
  • cidr - IP or CDIR block matching in the warning list against matching attributes
  • regex - regex matching of a string matching attributes

Processing warning lists in python

See PyMISPWarningLists for a python interface to warning lists.

License

MISP warning-lists are licensed under CC0 1.0 Universal (CC0 1.0) - Public Domain Dedication. If a specific author of a warning-list (or associated source) wants to license it under a different license, a pull request can be requested.