legal contact
 

Adding more sources

I've create a simple bash script to check a certain folder for new text files that hold IP's of known malicious hosts.

Every file is added to the CIF.

By using this simple script, I can add any new sourcefiles I find in the Internet to my CIF and use it as reputational reference.

Datei "createconf.sh"

Add the AS known to host Chinese Espionage department

Do a "crontab -e" as user cif:

The new file will be placed into the directory that will automatically be read as the one holding the new sources.

# add the AS4808 - Known to be the host of the Chinas espionage 
0 6 * * * /usr/bin/whois -h whois.radb.net -- '-i origin AS4808' | grep -Eo "([0-9.]+){4}/[0-9]+" > /opt/cif/pfiprep/pf/AS4808_CN_Unit61398.txt 2>&1 

The "pfiprep" project

Another cool source of threat data is the pfiprep project.

I'm using this as the main source of data to feed into my CIF after adjusting the destination directory for the downloads to the directory that is processed by the "createconf.sh" script.

userfolder=/opt/cif/pfiprep
pfdir=$userfolder/pf/

Cheap (private use only) professional sources of threat data

While looking around, I found https://www.iblocklist.com/ to sell a one year subscription for 10$.

The downside, they only provide the the IP's as a range. (x.x.x.x-x.x.x.y). In the first attempt I was playing around with converting the ranges to a host-list, but it turned out, while using the pfiprep scribt above, it does all for you. Just add the appropriate link from iBlock which already contains your credentials: