Intro to CIF
Transcript of Intro to CIF
Collective Information Framework (CIF)
Public spammer/malware/botnet data -->CIF --> Results!
CIF
What is CIF and Why Care
Developed by Wes Young at REN-ISAC. CIF is a feed indexer, feed generator, data parser and normalizer.
Built for response teams and forensic teams.
Allows you to query multiple feeds of data that are consumed easily and quickly. You can also add your own data set.
Have you seen this?
Or even this?
Guess they are all consuming some sort of feed.
They are intelligence services offered by security companies.
What Feeds? Where can I get that Data?
Any set of data that can be parsed using regex and has distinctive fields that would help you with your investigation.
Examples: AlienVault, Zeus Tracker, PhishTank
What Have I done? Public Service!
Request an API key from http://www.josehelps.com/p/feeds.html
Index Feeds:
● spamhaus.org
● zeustracker.abuse.ch
● alienvault.com
● malwaredomains.com
● dragonresearchgroup.org - cymru
● sshbl.org
● danger.rulez.sk
● malware.com.br
● malwareblacklist.com
● threatexpert.com
● malwaredomainlist.com
● malc0de.com
● paste bin rsa dump - http://pastebin.com/raw.php?i=yKSQd5Z5
● phishtank.com
● shadowserver.org
● spyeyetracker.abuse.ch
● infiltrated.net
Use Cases
REST API
https://feed.josehelps.com/api/188.127.229.182?apikey=e2d33811-d415-404a-9c4a-04ea04c2b11d
https://feed.josehelps.com/api/72.52.2.1?apikey=e2d33811-d415-404a-9c4a-04ea04c2b11d&fmt=json
Browser Plugin
addweb.ru, or 193.106.173.198, or 725c56b06b00b5a9f31e72e01f6ee164...
Perl Client
cif -q addweb.ru
cif -q 193.106.173.198
for i in `cat maliciousthings.txt`; do cif -r need-to-know -Sq $i >> results.txt; done
Automated Mitigation and Alerting
Perl client only:
cif -q infrastructure/network -s low -p snort
cif -q infrastructure/spam -s medium -c 95
cif -q domain/malware -p bindzone -c 30 -s low
cif -q infrastructure/botnet -s low -c 50 -p snort
cif -q infrastructure/botnet -c 50 -p iptables
Reference: http://code.google.com/p/collective-intelligence-framework/wiki/WebAPI
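The slides describe CIF as a pipeline: regex-parse a raw feed, normalize the hits into records, index them so a single observable can be looked up (the cif -q addweb.ru style query), and filter feed-wide by impact, confidence (-c) and severity (-s) to emit mitigation output for a plugin (-p snort, iptables, bindzone). The following is an added example written for this page, not CIF's own code, showing that whole flow in miniature. Everything in it is constructed: the two sample feeds (documentation-reserved addresses and example.net domains, with a fake MD5), the Record fields and impact names (infrastructure/spam, domain/malware, malware/md5), and the deliberately simplified iptables, snort and bindzone renderers, which approximate rather than reproduce CIF's plugin output.

```python
"""Toy feed indexer/normalizer in the spirit of CIF. Added example for this page;
not CIF's code. All feeds, field names, impact names and output formats below
are constructed assumptions."""
import csv
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed feed 1: one IP per line with '#' comments, like many public blocklists.
SPAM_FEED = """\
# constructed sample, not a real feed
192.0.2.10
192.0.2.11   # listed twice on purpose, see last line
198.51.100.7
192.0.2.11
"""

# Constructed feed 2: CSV of domain, md5, confidence (0-100), severity.
MALWARE_FEED = """\
# constructed sample, not a real feed
malware-a.example.net,0123456789abcdef0123456789abcdef,95,high
malware-b.example.net,fedcba9876543210fedcba9876543210,40,low
"""

IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)


@dataclass(frozen=True)  # frozen -> hashable, so duplicates collapse in a set
class Record:
    observable: str   # ip, domain or hash as seen in the feed
    kind: str         # "ip" | "domain" | "md5"
    impact: str       # constructed taxonomy, e.g. "infrastructure/spam"
    source: str       # which feed it came from
    confidence: int   # 0-100
    severity: str     # low | medium | high


def _data_lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_ip_feed(text, source, impact, confidence, severity):
    """One IP per line; anything that is not an IPv4 literal is skipped."""
    return [Record(l, "ip", impact, source, confidence, severity)
            for l in _data_lines(text) if IP_RE.match(l)]


def parse_csv_feed(text, source):
    """domain,md5,confidence,severity -> one domain record and one hash record per row."""
    out = []
    for row in csv.reader(_data_lines(text)):
        if len(row) != 4:
            continue
        domain, md5, conf, sev = (f.strip() for f in row)
        if not (DOMAIN_RE.match(domain) and MD5_RE.match(md5) and sev in SEVERITY_RANK):
            continue
        out.append(Record(domain.lower(), "domain", "domain/malware", source, int(conf), sev))
        out.append(Record(md5.lower(), "md5", "malware/md5", source, int(conf), sev))
    return out


class FeedIndex:
    """Normalized records keyed by observable; identical records are stored once."""
    def __init__(self):
        self._by_obs = {}

    def add(self, records):
        for r in records:
            self._by_obs.setdefault(r.observable, set()).add(r)

    def query(self, observable):
        """Like 'cif -q <thing>': everything known about one observable."""
        return sorted(self._by_obs.get(observable.lower(), ()), key=lambda r: r.source)

    def search(self, impact, min_confidence=0, min_severity="low"):
        """Like 'cif -q <impact> -c N -s <sev>': feed-wide filter."""
        floor = SEVERITY_RANK[min_severity]
        return sorted((r for recs in self._by_obs.values() for r in recs
                       if r.impact == impact and r.confidence >= min_confidence
                       and SEVERITY_RANK[r.severity] >= floor),
                      key=lambda r: r.observable)


def render(records, plugin):
    """Mitigation output per plugin; these formats are simplified assumptions."""
    lines = []
    for n, r in enumerate(records):
        if plugin == "iptables" and r.kind == "ip":
            lines.append(f"iptables -A INPUT -s {r.observable} -j DROP")
        elif plugin == "snort" and r.kind == "ip":
            lines.append(f'alert ip {r.observable} any -> $HOME_NET any '
                         f'(msg:"CIF {r.impact}"; sid:{1000000 + n}; rev:1;)')
        elif plugin == "bindzone" and r.kind == "domain":
            lines.append(f'zone "{r.observable}" {{ type master; file "blocked.zone"; }};')
    return lines


def build_index():
    idx = FeedIndex()
    idx.add(parse_ip_feed(SPAM_FEED, "spamlist", "infrastructure/spam", 85, "medium"))
    idx.add(parse_csv_feed(MALWARE_FEED, "malwarelist"))
    return idx


if __name__ == "__main__":
    idx = build_index()
    print(idx.query("192.0.2.11"))
    print("\n".join(render(idx.search("infrastructure/spam", 50, "low"), "iptables")))
```

Two points worth noticing when comparing this with the slide's commands: the confidence and severity thresholds are applied per record, so a feed-wide query such as infrastructure/spam with -c 95 returns nothing from a feed whose records were ingested at confidence 85, and the render step silently drops records whose kind the plugin cannot express (a domain never becomes an iptables rule), which is why a feed generator needs a normalized kind field rather than raw strings.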
What d
Ideas and Questions
● pastebin keyword parser that generates a feed
● php based or similar web UI for perl client
● vmware appliance
● Honeypot Integration
● Splunk App