csirtgadgets / cif-v1
DEPRECATED USE v3!
Home Page: http://github.com/csirtgadgets/bearded-avenger-deploymentkit
License: GNU Lesser General Public License v3.0
08:33 < akreffett> I found something wonky with cif_crontool/cif_smrt: depending on where you put a -P on the command line post processors will either be enabled or not
08:34 < _wes_> :-/
08:34 < _wes_> RC3?
08:34 < akreffett> For instance this does not seem to enable post processors: /cif_smrt -C /opt/cif/cif.conf -r /opt/cif/etc/misc.cfg -f sshbl.org -d -T medium -A root -N 1 -P
08:35 < akreffett> While this does: /cif_smrt -P -C /opt/cif/cif.conf -r /opt/cif/etc/misc.cfg -f sshbl.org -d -T medium -A root -N 1
08:35 < _wes_> k
08:35 < _wes_> i've had issues with the underlying library in the past that does this
08:35 < akreffett> Let me check to see if I have all the relevant changesets in
08:35 < _wes_> i think i need to dig into their module.
Note: there's a potential error there if the size specified by the feed_limit matches the size of the input exactly, and the Csv/Delim didn't come from File.pm. Like if you want feed_limit = 1,10 to always remove the first line, and the data from an HTTP pull has exactly 10 lines already, the first line won’t be removed.
/opt/cif/bin/cif_smrt -C /home/cif/.cif -r /opt/cif/etc/mpatrol.cfg -f md5 -d -T medium -P at /opt/cif/bin/cif_crontool line 205.
[DEBUG][2013-04-24T21:03:15Z]: fail closed: 0
[DEBUG][2013-04-24T21:03:15Z]: postprocessing enabled…
[DEBUG][2013-04-24T21:03:15Z]: setting up zmq interfaces…
[DEBUG][2013-04-24T21:03:15Z]: sending ctrl warm-up msg…
[DEBUG][2013-04-24T21:03:15Z]: starting sender thread…
[DEBUG][2013-04-24T21:03:16Z]: creating 32 worker threads…
[DEBUG][2013-04-24T21:03:18Z]: done…
[DEBUG][2013-04-24T21:03:18Z]: running preprocessor routine…
[DEBUG][2013-04-24T21:03:18Z]: parsing…
[DEBUG][2013-04-24T21:03:18Z]: pulling feed: http://www.malware.com.br/cgi/submit?action=list_hashes
[cif-smrt] failure: malware.com.br
ERROR: failed to get feed: http://www.malware.com.br/cgi/submit?action=list_hashes
504 Gateway Time-out
check with the authors, see if they need help.
I saw this today while running cif_crontool -p daily -d -P
Not sure it's an issue, but putting it out there.
[DEBUG][2013-07-18T12:02:42Z]: starting with 548 recs...
***
*** WARNING!!! The program has attempted to call the method
*** "address" for the following RR object:
***
*** 0/24.204.21.72.origin.asn.cymru.com. 14399 IN TXT "16509 | 72.21.192.0/19 | US | arin | 2004-12-30"
***
*** This object does not have a method "address". THIS IS A BUG
*** IN THE CALLING SOFTWARE, which has incorrectly assumed that
*** the object would be of a particular type. The calling
*** software should check the type of each RR object before
*** calling any of its methods.
***
*** Net::DNS has returned undef to the caller.
***
collectiveintel/cif-smrt/pull/55
On a related note, I used the 1,9999 feed limit because CIF chokes on a header row when one of the columns should be a date:
Can't call method "epoch" on an undefined value at /opt/cif/bin/../lib/CIF/Smrt.pm line 411.
The first row of the Shadowserver CSV is a header:
"timestamp","ip","asn","geo","url","type" …
So it tried to normalize_timestamp() the string “timestamp” and then call epoch() on the result. Maybe it makes sense to have a header row parameter in the config file that makes CIF skip the first line?
The regex to match a CSV file doesn't match if the first column has whitespace in it. E.g.:
"2013-08-02 00:00:00","68.102.208.67",22773,"US"
... doesn't get matched by /^#?\s?"\S+","\S+"/
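The two CSV problems reported above (a header row that makes `normalize_timestamp()` return nothing and then crashes on `epoch()`, and a detection regex whose `\S+` cannot span the space inside a quoted `"YYYY-MM-DD HH:MM:SS"` column) are shown together in the following added example. It is Python written for this page, not code from cif_smrt or the CIF project: `FIXED_CSV_RE` is one possible replacement pattern rather than the project's fix, the header row follows the Shadowserver header quoted above, the first data row is the line from the report, and the second data row is constructed.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Pattern quoted in the report: \S+ cannot match a space, so a quoted
# "YYYY-MM-DD HH:MM:SS" first column is never recognised as CSV.
ORIGINAL_CSV_RE = re.compile(r'^#?\s?"\S+","\S+"')

# Replacement pattern (an assumption for this example, not the project's fix):
# a quoted field is anything up to the closing quote, spaces included.
FIXED_CSV_RE = re.compile(r'^#?\s?"[^"]+","[^"]+"')

# First data row is the line from the report; the header mirrors the quoted
# Shadowserver header and the second data row is constructed for this example.
SAMPLE_DATA_LINE = '"2013-08-02 00:00:00","68.102.208.67",22773,"US"'
SAMPLE_FEED = (
    '"timestamp","ip","asn","geo","url","type"\n'
    '"2013-08-02 00:00:00","68.102.208.67",22773,"US","http://example.invalid/a","botnet"\n'
    '"2013-08-02 00:05:00","203.0.113.9",64496,"XX","http://example.invalid/b","botnet"\n'
)


def looks_like_csv(line, pattern=FIXED_CSV_RE):
    """Format sniffing on the first line of a pulled feed."""
    return pattern.search(line) is not None


def normalize_timestamp(value):
    """Return an aware UTC datetime, or None when the field is not a date
    (the literal header word "timestamp" is the case that crashed cif_smrt)."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_feed(text, ts_column=0):
    """Parse CSV feed text into records carrying an integer epoch.

    The first non-empty row is treated as a header and skipped when its
    timestamp column does not parse; a non-date in any later row is a real
    data error and is raised instead of being passed on as an undefined epoch.
    Returns (records, header_skipped).
    """
    records = []
    header_skipped = False
    first_row = True
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts = normalize_timestamp(row[ts_column])
        if ts is None:
            if first_row:
                header_skipped = True
                first_row = False
                continue
            raise ValueError(f"unparseable timestamp {row[ts_column]!r} in row {row!r}")
        first_row = False
        records.append({"epoch": int(ts.timestamp()), "fields": row})
    return records, header_skipped


if __name__ == "__main__":
    print("original regex matches:", looks_like_csv(SAMPLE_DATA_LINE, ORIGINAL_CSV_RE))
    print("fixed regex matches:   ", looks_like_csv(SAMPLE_DATA_LINE))
    recs, skipped = parse_feed(SAMPLE_FEED)
    print(f"header skipped: {skipped}, records: {len(recs)}, first epoch: {recs[0]['epoch']}")
```

Deciding "header or not" by whether the timestamp column parses, rather than by a fixed `feed_limit` offset, also avoids the exact-size corner case mentioned earlier in this thread, and failing loudly on a later unparseable row keeps a bad feed line from becoming a record with no time.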
Are there any plans / thoughts about enabling cif to output ipsets instead of raw iptables rules? It seems like ipsets would work better since you can build up a set and then swap the new set with an existing set to update your rules without having to flush it. You could also use the same set for both output and input, referencing it in the appropriate iptables chains.
I receive the following error message when attempting to generate the initial apikey to be used by the client.
"Can't insert new CIF::APIKey: DBD::Pg::st execute failed: ERROR: relation "apikeys" does not exist"
I am attempting a new server install and cannot seem to get past this point.
Distro: Ubuntu 12.04
Thank you in advance,
should auto-clean up any spaces that show up in the query:
https://groups.google.com/forum/#!topic/ci-framework/nKiHiBrcJu4
cif_apikeys -k <key>
cif_apikeys --key <key>
CIF::APIKey can't SELECT uuid
FROM apikeys
WHERE uuid = ?
: DBD::Pg::st execute failed: ERROR: invalid input syntax for uuid: "ey" [for Statement "SELECT uuid
FROM apikeys
WHERE uuid = ?
" with ParamValues: 1='ey'] at /usr/share/perl5/DBIx/ContextualFetch.pm line 52.
at /usr/share/perl5/Class/DBI/Search/Basic.pm line 169
re: the comments section of the doc
https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_CentOS6_v1
Also, is it possible to more granularly control how that process works? For instance, if I only want one url feed list to be resolved, but not others, is there a cfg directive or something that I can use to do so?
ability to turn on / off postprocessors per feed in the config.
https://groups.google.com/d/msg/ci-framework/q-NYUO5A8p4/3yCwJij-rNoJ
A few different issues
cif_apikeys -a -u [email protected] -g group -G group -D group
cif_apikeys -a -u [email protected] -g group -G group --desc group
cif_apikeys -a -u [email protected] -D group -g group -G group
cif_apikeys -D group -a -u [email protected] -g group -G group
[/opt/cif/bin/cif]
If the -m flag had the ability to specify how many minutes/hours back in time you wanted to go, one could use that in combination with a cronjob to display the new data in x minutes.
For example
cif -q 192.168.1.0/24 -m -min 60
This would give you all the results for 192.168.1.0/24 in the previous 60 minutes. Combine this with an hourly cron and you get the ability to show everything new in the last 60 minutes.
dumbass.
yea, technically is possible (we have the same issue), i'm just working out code "to make it easier"..
something like:
$ cif_apikeys -u [email protected] -E 'domain/botnet,AS701,malware/md5,AS123'
https://groups.google.com/d/msg/ci-framework/LKZTkJ5qero/LXzt1WiIXm0J
Can't locate Iodef/Pb/Simple.pm in @inc (@inc contains: /opt/cif/bin/../../libcif/lib /opt/cif/bin/../local/lib /opt/cif/bin/../lib /etc/perl /usr/local/lib/perl/5.14.2 /usr/local/share/perl/5.14.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.14 /usr/share/perl/5.14 /usr/local/lib/site_perl .) at /opt/cif/bin/../lib/CIF/Client.pm line 13.
BEGIN failed--compilation aborted at /opt/cif/bin/../lib/CIF/Client.pm line 13.
Compilation failed in require at /opt/cif/bin/cif line 33.
BEGIN failed--compilation aborted at /opt/cif/bin/cif line 33.
cif-smrt, cif-feeds, etc
Also, the Snort plugin perl module throws an uninitialized value error on line 45 when running the whitelist query:
Use of uninitialized value in lc at /usr/local/share/perl/5.14.2/Iodef/Pb/Format/Snort.pm line 45.
Here's a diff of my fix:
$ diff /usr/local/share/perl/5.14.2/Iodef/Pb/Format/Snort.pm /usr/local/share/perl/5.14.2/Iodef/Pb/Format/Snort.pm.orig
45,46c45
< my $severity = ($_->{'severity'}) ? lc($_->{'severity'}) : 'none';
< for($severity){
---
> for(lc($_->{'severity'})){
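Review bot: the diff was taken with the patched file as the first argument (`diff Snort.pm Snort.pm.orig`), so in the `45,46c45` hunk the `<` lines are the fix and the `>` line is the original; say so in the issue, otherwise the hunk is easy to apply backwards. On the fix itself, `($_->{'severity'}) ? lc($_->{'severity'}) : 'none'` also turns a defined but empty severity into `'none'`, which only helps if the `for($severity)` dispatch that follows has a branch (or a default) for `'none'`; otherwise the uninitialized-value warning is traded for a value that silently matches nothing, so a comment naming the expected default would be worth adding.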
ref: https://groups.google.com/forum/#!topic/ci-framework/DxBisGjBLqw
Issue 1: If an IP address in a list contains a '0', the Iptables plugin omits that octet, resulting in a malformed IP address.
Fix to Iodef/Pb/Format/Iptables.pm:
45c45
< next unless(/^0{1,2}/);
---
> next unless(/^0{1,2}[1-9]{1,2}/);
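Review bot: the `45c45` change to `/^0{1,2}[1-9]{1,2}/` stops a bare `0` octet from being treated as a leading zero (the `222.36..48` case in the output diff below), but the guard still passes an all-zero octet such as `00` or `000` through untouched, and what then happens to it depends on the stripping line that is not in the hunk. If the intent is simply to drop leading zeros, a substitution such as `s/^0+(?=\d)//` on the octet handles `0`, `010` and `000` in one step and makes the `next unless` guard unnecessary. Also note that in this diff `<` is the original and `>` the fix, the reverse of the Snort diff above.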
Output diff between the original Iptables.pm and the fixed Iptables.pm:
< iptables -A CIF_IN -s 222.36..48 -j DROP
< iptables -A CIF_OUT -d 222.36..48 -j DROP
---
> iptables -A CIF_IN -s 222.36.0.48 -j DROP
> iptables -A CIF_OUT -d 222.36.0.48 -j DROP
< iptables -A CIF_IN -s 177..161.133 -j DROP
< iptables -A CIF_OUT -d 177..161.133 -j DROP
---
> iptables -A CIF_IN -s 177.0.161.133 -j DROP
> iptables -A CIF_OUT -d 177.0.161.133 -j DROP
< iptables -A CIF_IN -s 68.144..18 -j DROP
< iptables -A CIF_OUT -d 68.144..18 -j DROP
---
> iptables -A CIF_IN -s 68.144.0.18 -j DROP
> iptables -A CIF_OUT -d 68.144.0.18 -j DROP
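The octet defect above, and the check a plugin should run before a generated rule is ever handed to a firewall, as an added example in Python; this is not the Iptables.pm code or the project's fix. `strip_leading_zeros_buggy` is an assumed reconstruction of the reported behaviour (only the guard line of the plugin is visible above), the three sample addresses come from the output diff, and the two zero-padded addresses are constructed to exercise the leading-zero case.

```python
import ipaddress
import re

# Addresses from the output diff above, plus two constructed ones with
# zero-padded octets to show that leading zeros are still removed correctly.
SAMPLE_ADDRESSES = ["222.36.0.48", "177.0.161.133", "68.144.0.18"]
PADDED_ADDRESSES = ["177.000.161.133", "068.144.010.18"]


def strip_leading_zeros_buggy(octet):
    """Assumed reconstruction of the reported defect (not the plugin's code):
    zeros at the start of an octet are removed without checking that a digit
    remains, so the octet "0" collapses to "" and 222.36.0.48 becomes 222.36..48."""
    return re.sub(r"^0{1,2}", "", octet)


def strip_leading_zeros(octet):
    """Remove leading zeros only while another digit follows:
    "0" -> "0", "048" -> "48", "000" -> "0", "010" -> "10"."""
    return re.sub(r"^0+(?=\d)", "", octet)


def buggy_join(ip):
    """What the defective octet handling produces, with no validation."""
    return ".".join(strip_leading_zeros_buggy(o) for o in ip.split("."))


def is_valid_rule_target(addr):
    """True only for a well-formed dotted quad; rejects empty octets and values above 255."""
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ValueError:
        return False


def normalize_ip(ip, strip=strip_leading_zeros):
    """Canonicalise a dotted quad and validate it before it reaches a rule."""
    octets = ip.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a dotted quad: {ip!r}")
    candidate = ".".join(strip(o) for o in octets)
    # ipaddress raises on an empty octet ("222.36..48") or an octet > 255,
    # so a malformed address can never be emitted as a firewall rule.
    return str(ipaddress.IPv4Address(candidate))


def iptables_rules(addresses, chain_in="CIF_IN", chain_out="CIF_OUT"):
    """Emit the DROP rule pair per address in the shape shown in the report."""
    rules = []
    for ip in addresses:
        addr = normalize_ip(ip)
        rules.append(f"iptables -A {chain_in} -s {addr} -j DROP")
        rules.append(f"iptables -A {chain_out} -d {addr} -j DROP")
    return rules


if __name__ == "__main__":
    for ip in SAMPLE_ADDRESSES:
        bad = buggy_join(ip)
        print(f"{ip:>15}  buggy -> {bad:<15} valid={is_valid_rule_target(bad)}")
    for rule in iptables_rules(SAMPLE_ADDRESSES + PADDED_ADDRESSES):
        print(rule)
```

Validating the canonical address with `ipaddress` after normalisation is the important part: the original bug was only noticed in the emitted rules, whereas a validation step turns a malformed address into an exception in the plugin instead of a broken `iptables` command line.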
need a way to purge data-sets from the database based on description or assessment, etc...
limit_days (7)
feed_retention (7)
https://github.com/collectiveintel/libcif-dbi/blob/v1/lib/CIF/Feed.pm#L85
installer gets confused with certain updates...
Use case: I have a DNS resolver specifically for use by CIF and would like to point only CIF at this resolver without modifying the local system resolvers. Think HTTP proxy for DNS.
I will hack this in to the Fqdn.pm module locally but a general solution would be the best fix and probably of use to others as well.
https://groups.google.com/forum/?hl=en&fromgroups=#!topic/ci-framework/dvwGdgCfFT8
cif_apikeys -d -k <key>
cif_apikeys --delete -k <key>
Executable pull method. Execute a program and insert whatever it outputs. This is a possible alternative method for the Shadowserver bot feeds. It would also support anything that needs to be fetched via complex API calls rather than simple HTTP pulls. E.g. it could support data pulled from Arbor or Titan or Symantec’s reputation feeds.
Was the "fmt" option deprecated from v0 to v1? I'd like to get a table return instead of JSON as I am using the API to query from ESM.