AssoEchap / stalkerware-indicators

Indicators of stalkerware apps

Decide what we want to do with regard to websites vs. C2

jvoisin opened this issue · comments

Currently, we're tracking different things network-wise:

  • C2
  • Websites
  • C2 that are also Websites
  • IP Addresses, that are C2, websites, and sometimes both

Are we ok with this state of affairs? Either way, we should document what we're tracking network-wise, to avoid surprising netops/partners/users/…

Tasks:

  • Update the README to clarify what we consider stalkerware
  • Update the README to clarify what we include in network indicators and different files
  • Migrate network.csv to network.yml
  • Include information on C2/website in network.yml
  • Update generation scripts, include a network.csv file for readability

If we stick to the definition of stalkerware proposed by the Coalition Against Stalkerware, stalkerware is software offering a precise set of features.

Stalkerware refers to tools – software programs, apps and devices – that enable someone to secretly spy on another person’s private life via their mobile device. The abuser can remotely monitor the whole device including web searches, geolocation, text messages, photos, voice calls and much more.

So, for me, we should list all software fitting the definition above, without making any distinction between software meant to spy on a partner and software meant to spy on employees.

commented

I think it is a critical question if we want to have people blocking domains automatically.

On what to block at network level, I think it makes sense to block C2 domains/IPs but not really websites (and if it is both a C2 and a website, let's block it). I am not sure how to reflect that in the data we have right now, maybe add a column to the network CSV? Or even convert the CSV to a YAML file so that everything is in YAML? We could keep it empty for those we don't know. If we do that, then we could automatically generate the Quad9 file too, instead of me checking manually (which doesn't make much sense).

Then there is the other question about what is a "legitimate" spying tool and what is not. The CAS has this definition of being secret, which is a good one but not always easy to apply. Some apps, for instance, have multiple services and apps, some that can be hidden and some that cannot, all using the same code and infrastructure. Some apps cannot be hidden on the phone but can still be used for spying.
I think we should take a broad definition of stalkerware and include all these sketchy apps, as long as we are clear in the README.

I think that there is no universal answer to that question. We list indicators and people using those listings are free to choose what to block. In the CSV file, we can add another column explaining the purpose of each indicator, such as Website, Agent or C2. If a domain serves as both website and C2, we tag it as C2.

commented

Sounds good, so:

  • We take a broad definition of stalkerware
  • We need to clarify what is C2 and domain in network.csv (and make it a YAML file)

I have added a list of tasks to the ticket; I can work on it this weekend.

commented

One last question to solve is: which types of network indicator do we include in each IOC file? So far I have limited the Suricata and hosts files to C2 only.
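The generation step the thread keeps coming back to (a "type" column per indicator, C2 winning over Website when a domain is both, untyped rows kept but not blocked, and only C2 entries flowing into the hosts/Suricata/Quad9-style outputs) is small enough to show end to end. The script below is an added example written for this discussion; it is not the repository's own generator, and the column layout (`indicator,app,type`), the sample rows (hypothetical `.test` domains and a documentation IP) and the plain one-domain-per-line output format assumed for the Quad9 list are all assumptions made here. The Suricata rules use `dns.query` with `dotprefix` (Suricata 6+) so that a C2 domain and its subdomains match without also matching a longer unrelated name that merely ends with the same letters.

```python
"""Build per-file network blocklists from a typed indicator table.

Added example for the AssoEchap/stalkerware-indicators discussion, not the
project's own script. Assumed input: a CSV (or the equivalent rows once
network.csv becomes network.yml) with columns indicator,app,type, where type
is C2, Website, Agent, or empty when unknown.
"""
import csv
import io
import ipaddress

# Constructed sample rows. Hypothetical names and a documentation-range IP;
# none of these are real indicators from the repository.
SAMPLE_CSV = """indicator,app,type
c2.example-spy.test,SpyAppX,C2
www.example-spy.test,SpyAppX,Website
login.example-spy.test,SpyAppX,Website
login.example-spy.test,SpyAppX,C2
203.0.113.10,SpyAppX,C2
cdn.example-spy.test,SpyAppX,Agent
unknown.example-spy.test,OtherApp,
"""

KNOWN_TYPES = {"C2", "Website", "Agent"}


def load_indicators(text):
    """Parse rows and merge duplicates; returns indicator -> {"app", "types"}.

    An empty type column becomes the explicit marker "unknown" so it cannot
    be mistaken for a deliberate classification. Unexpected types are errors
    rather than silently ignored, so a typo cannot drop an entry from a list.
    """
    merged = {}
    for row in csv.DictReader(io.StringIO(text)):
        ind = row["indicator"].strip().lower()
        typ = (row.get("type") or "").strip() or "unknown"
        if typ != "unknown" and typ not in KNOWN_TYPES:
            raise ValueError(f"unknown indicator type {typ!r} for {ind}")
        entry = merged.setdefault(ind, {"app": row["app"].strip(), "types": set()})
        entry["types"].add(typ)
    return merged


def effective_type(types):
    """The thread's rule: a domain that is both website and C2 is tagged C2."""
    for candidate in ("C2", "Website", "Agent"):
        if candidate in types:
            return candidate
    return "unknown"


def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def c2_indicators(merged):
    """Sorted (indicator, app) pairs destined for the block-oriented files.

    Untyped rows are skipped rather than blocked: an unclassified entry may be
    a plain website, and blocking it would surprise netops/partners/users.
    """
    return sorted(
        (ind, e["app"]) for ind, e in merged.items()
        if effective_type(e["types"]) == "C2"
    )


def domain_list(merged):
    """Plain one-domain-per-line list (assumed feed format); C2 domains only."""
    return [ind for ind, _ in c2_indicators(merged) if not is_ip(ind)]


def hosts_file(merged):
    """hosts-file sinkhole entries; a hosts file cannot express IP indicators."""
    return "".join(f"0.0.0.0 {d}\n" for d in domain_list(merged))


def suricata_rules(merged, base_sid=1000000):
    """One Suricata rule per C2 indicator (local-use sid range 1000000+).

    Domains: dns.query + dotprefix (Suricata >= 6) so the exact name and its
    subdomains match but e.g. 'xc2.example-spy.test' does not.
    IPs: a plain ip rule on the destination address.
    """
    rules = []
    for i, (ind, app) in enumerate(c2_indicators(merged)):
        sid = base_sid + i
        if is_ip(ind):
            rules.append(f'alert ip any any -> {ind} any (msg:"Stalkerware C2 IP {app}"; '
                         f'sid:{sid}; rev:1;)')
        else:
            rules.append(f'alert dns any any -> any any (msg:"Stalkerware C2 domain {app}"; '
                         f'dns.query; dotprefix; content:".{ind}"; nocase; endswith; '
                         f'sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    data = load_indicators(SAMPLE_CSV)
    print(hosts_file(data))
    print("\n".join(suricata_rules(data)))
```

With the sample rows, `www.example-spy.test` (Website) and `cdn.example-spy.test` (Agent) stay in the merged table but never reach the hosts file or the rules, `login.example-spy.test` is blocked because one of its rows says C2, and the untyped `unknown.example-spy.test` is neither blocked nor lost, which is the "keep it empty for those we don't know" case from the thread.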