[Feature Request] Use ThreatFox as an emitter
r0ny123 opened this issue · comments
ThreatFox is crowdsourced. So, it makes sense to push the IOCs there in an automated way, so others could benefit from the service.
The API key for submitting indicators is free! According to their site:
In order to share indicators of compromise (IOCs) on ThreatFox, an API key is needed. You can obtain one by [logging](https://threatfox.abuse.ch/login/) in to ThreatFox with your Twitter account. Afterwards you can access your API key in your [Account settings](https://threatfox.abuse.ch/account/).
- API docs: https://threatfox.abuse.ch/api/#api-key
I think you should provide verified IoCs to ThreatFox to prevent false positives.
But, unfortunately, Mihari can have false positives because of its nature. (It depends on the quality of a query though)
So I don't think it is a good idea.
Your thought is right: one should provide verified IoCs to ThreatFox, but I have seen some folks pushing unverified ones too and personally reported them for removal. So, one should take some extra caution before ingesting ThreatFox IoCs either way. And exactly, it depends on the query. If one understands a C2 well, there's a very low chance that it will produce FPs. Even if it gets FPs, those can be removed easily. So, I request you to rethink this integration.
I don't have the willingness to create the ThreatFox emitter, but I created a general-purpose HTTP emitter.
You can use it for the ThreatFox integration.
https://github.com/ninoseki/mihari/releases/tag/v4.3.0
Thanks.
Just checked the documentation https://www.notion.so/HTTP-ec6a0e3dfc644b88a34263d22f026cd3, but where should the .erb files be placed, or from where will Mihari load them?