C1fApp script for retrieving threat intelligence lists with API
This is a convenience script for retrieving C1fApp threat feed lists from the command line. You can call it from your own scripts or run it as a cron job:
$ git clone https://github.com/EvoxComputing/c1fget.git
$ cd c1fget/
$ chmod +x c1fget.sh
$ ./c1fget.sh -h
If you're using GitHub for Mac, simply sync your repository and you'll see the new branch.
C1fApp lists downloaded through the API interface are available in the following formats:
Currently only the (-b/-op and -bl) feeds are supported.
Bro IDS supports threat intelligence lists out of the box through its Intel framework. All you have to do is:
$ ./c1fget.sh -h
$ ./c1fget.sh -k API_KEY -b
$ cp c1fapp_Threat_Feed/c1fapp_malware /usr/local/bro/intel/c1fapp_malware.bro
# Add to your Bro site policy (e.g. local.bro): point the Intel framework at the downloaded list
const feed_directory = "/usr/local/bro/intel/";
@load frameworks/intel/seen
redef Intel::read_files += {
    # feed_directory already ends in "/", so no extra separator is needed
    feed_directory + "c1fapp_malware.bro"
};
We follow the same concept as the Collective Intelligence Framework. We provide 4 main "assessments":
Botnet: Typically a host used to control another host or malicious process. Matching traffic would usually indicate infection; typically used to identify compromised hosts.
Malware: Typically a host used to exploit and/or drop malware onto a host for the first time, but NOT a botnet controller (although they could overlap). Communications with these indicators may lead to a compromise and then to a possible botnet controller communication (if the infection was successful). Typically used in preemptive blocking; alerts may not indicate that the infection was successful.
Suspicious: Used as the "default" assessment, combined with the source "description" for a more accurate assessment. In Suspicious you will also find Tor exit nodes and anonymous proxy connections.
Whitelists: Denotes that a specific entity (usually an address) should be considered harmless in nature based on well-known 3rd party lists such as Alexa Ranking. It also denotes that blocking a whitelisted entity would result in mass collateral damage (e.g. Yahoo virtual hosted services). A confidence value is attached to each entry to help calculate the risk associated with a whitelist entry. Sometimes you will find that a well-known domain hosts malware; it will then appear with both tags, "Malware" and "Whitelist".
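The Bro configuration above only loads a file; the feed still has to be in the Intel framework's tab-separated input format, and the assessment overlap described above (an indicator carrying both "Malware" and "Whitelist") has to be handled before it is used for blocking. The following added example (not part of c1fget or C1fApp) shows one way to do that in Python. It assumes a simplified "indicator,assessment,confidence" CSV layout for the downloaded list (the actual C1fApp download format is not reproduced here; the sample feed is constructed), writes a file the Bro Intel framework can read, and keeps whitelisted entries at notice-only (`meta.do_notice=F`, which requires the `policy/frameworks/intel/do_notice` script to be loaded) instead of dropping them or letting them drive blocks.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample feed in an ASSUMED "indicator,assessment,confidence" layout.
# The real C1fApp download format is not shown on this page.
SAMPLE_FEED = """\
198.51.100.23,Botnet,85
bad-dropper.example,Malware,70
203.0.113.0/24,Suspicious,40
shared-host.example,Malware,60
shared-host.example,Whitelist,90
tor-exit.example,Suspicious,50
"""

# Conservative hostname check: dot-separated labels, no leading/trailing hyphens.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I
)


def classify(indicator):
    """Map a raw indicator to a Bro Intel::Type name, or None if it is malformed."""
    try:
        ipaddress.ip_address(indicator)
        return "Intel::ADDR"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(indicator, strict=False)
        return "Intel::SUBNET"
    except ValueError:
        pass
    if DOMAIN_RE.match(indicator):
        return "Intel::DOMAIN"
    return None


def parse_feed(text):
    """Group all assessments per indicator so overlapping tags become visible."""
    entries = defaultdict(dict)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        indicator, assessment, confidence = parts
        entries[indicator][assessment] = int(confidence)
    return entries


def to_bro_intel(entries, source="c1fapp"):
    """Render Bro Intel framework input: tab-separated rows under a '#fields' header.

    Whitelist-only entries are not indicators and are omitted. Entries that are both
    a threat and whitelisted are kept, but with do_notice=F so a match is logged
    (intel.log) without raising a notice that an automated block might act on.
    Returns (file_text, list_of_skipped_malformed_indicators).
    """
    rows = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice"]
    skipped = []
    for indicator, tags in sorted(entries.items()):
        itype = classify(indicator)
        if itype is None:
            skipped.append(indicator)
            continue
        threat_tags = {t: c for t, c in tags.items() if t != "Whitelist"}
        if not threat_tags:
            continue
        desc = ";".join(f"{t}:{c}" for t, c in sorted(threat_tags.items()))
        whitelisted = "Whitelist" in tags
        if whitelisted:
            desc += f";whitelist:{tags['Whitelist']}"
        do_notice = "F" if whitelisted else "T"
        rows.append("\t".join([indicator, itype, source, desc, do_notice]))
    return "\n".join(rows) + "\n", skipped


if __name__ == "__main__":
    text, skipped = to_bro_intel(parse_feed(SAMPLE_FEED))
    print(text, end="")
    if skipped:
        print("skipped malformed indicators:", ", ".join(skipped))
```

Run it and redirect the output to the path referenced in your Bro `Intel::read_files` entry; the `meta.desc` column carries each assessment with its confidence so an analyst reading `intel.log` can see why a hit fired and whether it overlapped a whitelist.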
Register for free at https://www.c1fapp.com ! Please use a valid email address to get your account approved faster. Business emails are approved in a very short time.
Script by @verestio
Contact info@evoxco.com