File location of black listed or malacious data in CIF server.

Question

File location of black listed or malacious data in CIF server.

diveshshah opened this issue 8 years ago · comments

Hi,

We want to send updated Data ( Malicious IP, url, domian name etc), provided by CIF to our Arcsight ESM.
Could you please let us know the location of these file(combined one) or files( all septate 32) where CIF is storing all the data (feed from the all sites).

Thanks and Regards,
Divesh Shah

wes · Answer 1 · Sat Aug 20 2016 02:18:51 GMT+0800 (China Standard Time)

have you read / tested this out?

https://github.com/csirtgadgets/massive-octo-spice/wiki/where-do-i-start-feeds

diveshshah · Answer 2 · Mon Aug 22 2016 19:35:33 GMT+0800 (China Standard Time)

Hi,

I go throught that document and run various command like:-
cif --feed --otype fqdn -c 95 --tags phishing --today -f csv
cif --feed --otype ipv4 -c 85 --last-day -f csv

it is giving out-put on terminal .

but want to know from CIF where it is showing this result .in data base where all value is store?
or it is giving out by checking online on scripted websites??

Thanks & regards
Divesh Shah

From: "Wes" notifications@github.com
To: "csirtgadgets" massive-octo-spice@noreply.github.com
Cc: "diveshshah" divesh.shah@sequretek.com, "Author" author@noreply.github.com
Sent: Friday, August 19, 2016 11:48:54 PM
Subject: Re: [csirtgadgets/massive-octo-spice] File location of black listed or malacious data in CIF server. (#443)

have you read / tested this out?

https://github.com/csirtgadgets/massive-octo-spice/wiki/where-do-i-start-feeds

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub , or mute the thread .

wes · Answer 3 · Mon Aug 22 2016 21:58:46 GMT+0800 (China Standard Time)

the data is stored in an embedded elasticsearch instance:

https://www.elastic.co/guide/en/elasticsearch/reference/1.4/getting-started.html
https://www.elastic.co/guide/en/elasticsearch/reference/1.4/setup-dir-layout.html

somewhere under /var/lib/elasticsearch you'll see all the lucene indicies. cif-smrt fetches the data, sends it to cif-router where cif-router stores it in elasticsearch using the elasticsearch REST API.

if you want to learn more about elasticsearch, i'd read throw their doc and examples, it's not as simple as "can i read through all the files" given the way lucene indexes and stores the data to make searching the data faster..

diveshshah · Answer 4 · Thu Aug 25 2016 16:33:41 GMT+0800 (China Standard Time)

Hi,
Thanks a lot.
your guidance and support helping us.

Thanks
Divesh Shah