[Intelmq-dev] Destination host in malware feeds

Sebastian Wagner wagner at cert.at
Wed Apr 12 12:54:14 CEST 2017


Hi,

we have this IP vs FQDN problem in some parsers, not only the
shadowserver. Stripping the port there can be simply achieved by using a
conversion function. But the main problem is IP/FQDN.

Instead of implementing the logic in many parsers we could add this
"intelligence" in the libs.
One possibility: If the parser tries to add an FQDN as IP, save the IP.
But I don't like this simple approach as this implicitness raises other
problems.
Other possibility: Use a new "logic" (actually non-existing) field, e.g.
`destination.host-info`, same applies to source. If some data is added
to this field, the data will be parsed and added to ip, fqdn, port
(,network?)

Example 1:
event['destination.host-info'] = 'example.com:8080'
results in:
{'destination.fqdn': 'example.com', 'destination.port': 8080}
Example2:
event['destination.host-info'] = '10.0.0.1'
results in:
{'source.ip': '10.0.0.1'}

Sebastian

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 50564167201 
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Commercial register number 172568b, LG Salzburg
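As an added illustration of the `host-info` idea proposed above (example code written here, not IntelMQ's code and not part of the post): a small parser that splits a `host[:port]` string into `<prefix>.ip` / `<prefix>.fqdn` / `<prefix>.port`, using the standard `ipaddress` module to decide IP vs FQDN. The function name `parse_host_info`, the `prefix` parameter and the handling of bracketed IPv6 literals are my assumptions.

```python
import ipaddress
from typing import Dict, Union


def parse_host_info(prefix: str, value: str) -> Dict[str, Union[str, int]]:
    """Parse 'host[:port]' into harmonized fields for 'source' or 'destination'.

    Hypothetical helper: returns the dict the event would be extended with,
    e.g. {'destination.fqdn': 'example.com', 'destination.port': 8080}.
    """
    value = value.strip()
    host, port = value, None

    if value.startswith('['):
        # Bracketed IPv6 literal, e.g. [2001:db8::1]:443
        end = value.find(']')
        if end == -1:
            raise ValueError('unterminated IPv6 bracket: %r' % value)
        host, rest = value[1:end], value[end + 1:]
        if rest:
            if not rest.startswith(':'):
                raise ValueError('garbage after IPv6 literal: %r' % value)
            port = rest[1:]
    elif value.count(':') == 1:
        # Exactly one colon: IPv4 or FQDN followed by a port
        host, port = value.split(':')
    # Otherwise: bare host, or an unbracketed IPv6 address (no port possible)

    if not host:
        raise ValueError('empty host in %r' % value)

    result: Dict[str, Union[str, int]] = {}
    try:
        # Valid IPv4/IPv6 -> ip (normalized form, e.g. compressed IPv6)
        result['%s.ip' % prefix] = str(ipaddress.ip_address(host))
    except ValueError:
        # Anything that is not an IP literal is treated as an FQDN
        result['%s.fqdn' % prefix] = host

    if port is not None:
        port_number = int(port)  # raises ValueError on non-numeric ports
        if not 0 < port_number <= 65535:
            raise ValueError('port out of range: %r' % port)
        result['%s.port' % prefix] = port_number

    return result
```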



