Working towards: The command is done but I'm not ready to incorporate the new ScanCore into HRConvert2 yet. I'll get into specific ScanCore changes in a moment. I started by creating a repository for ScanCore Definitions at https://github.com/zelon88/ScanCore_Definitions and breaking our existing definitions into three separate categories. The current categories are:
These definitions are known as "Definition Subscriptions" and defined by...
Other than the filename preface and the file extension, subscriptions are arbitrary. For example, we could create a subscription for... To accommodate this functionality I recently bumped ScanCore to v1.1. This update (combined with v1.0) is a total refactor and adds the
These new arguments are functionally identical and will clone the Git repository defined in "ScanCore_Config.php" for definition updates. If the repository is reachable it will be cloned and any subscriptions will be gathered from it. The subscription data will then be written to a custom "Combined" definitions file that is specific to the agent performing the update. Because each agent can be configured to gather separate definition subscriptions, it's possible to have separate agents installed on one machine that only scan for specific types of infections. Maybe you want to schedule scans for malware twice as often as your scans for PUPs. Maybe it's the other way around. You can control your destiny.
In regards to: I'm interested in the ThreatFox database and its API because they offer bounties for quality sample submissions. I've scanned through IOCDB and AlienVault and I found many false positives, including very blatant ones. I feel like the bounty reward model that ThreatFox uses can be a key that we search off of in our automated search for IOCs. Evidence of a high bounty being paid for a malware sample would indicate that sample to be authentic. More attention needs to be paid to this to determine what already exists and what we can create for automating the collection of IOCs from ThreatFox, and other similar sources (but ThreatFox seems like a good place to start).
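The update flow described in the post above (clone the definitions repository, gather the agent's subscriptions, write an agent-specific "Combined" file), as an added illustration that is not ScanCore's own code. The file naming convention `ScanCore_Definitions_<Subscription>.txt`, the one-indicator-per-line format and the `$config` keys are assumptions made for this example.

```php
<?php
// Added illustration of the subscription-based definition update described
// above; not ScanCore's own code. The file naming convention
// ScanCore_Definitions_<Subscription>.txt (one indicator per line, '#' comments)
// and the $config keys are assumptions made for this example.

$config = [
    'DefinitionRepo' => 'https://github.com/zelon88/ScanCore_Definitions',
    'DefinitionDir'  => sys_get_temp_dir() . '/ScanCore_Definitions',
    'Subscriptions'  => ['Malware', 'PUP'],              // what this agent scans for
    'CombinedFile'   => sys_get_temp_dir() . '/ScanCore_Combined_agent1.txt',
];

// Clone the repository on first run, otherwise fast-forward it. Returns false
// when the repository is unreachable so the agent keeps its previous definitions.
function updateDefinitionRepo(array $cfg): bool {
    $dir = escapeshellarg($cfg['DefinitionDir']);
    $cmd = is_dir($cfg['DefinitionDir'] . '/.git')
        ? "git -C $dir pull --ff-only 2>&1"
        : 'git clone --depth 1 ' . escapeshellarg($cfg['DefinitionRepo']) . " $dir 2>&1";
    exec($cmd, $output, $status);
    return $status === 0;
}

// Read every subscribed definition file, deduplicating indicators across
// subscriptions. Subscription names are restricted to safe characters because
// they become part of a file path.
function gatherSubscriptions(string $dir, array $subs): array {
    $indicators = [];
    $missing = [];
    foreach ($subs as $sub) {
        $file = "$dir/ScanCore_Definitions_$sub.txt";
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $sub) || !is_file($file)) {
            $missing[] = $sub;
            continue;
        }
        foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
            $line = trim($line);
            if ($line !== '' && $line[0] !== '#') $indicators[$line] = true;
        }
    }
    return ['indicators' => array_keys($indicators), 'missing' => $missing];
}

if (!updateDefinitionRepo($config)) {
    fwrite(STDERR, "Definition repository unreachable; keeping existing definitions.\n");
}
$gathered = gatherSubscriptions($config['DefinitionDir'], $config['Subscriptions']);
foreach ($gathered['missing'] as $sub) fwrite(STDERR, "No definition file for subscription '$sub'\n");
file_put_contents($config['CombinedFile'], implode("\n", $gathered['indicators']) . "\n");
```

A second agent with a different `Subscriptions` list and `CombinedFile` path can run on the same machine and on its own schedule, which is the per-agent separation the post describes.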
I really want to find a way to update these definitions in a clean manner, and automate the collection of IOCs somehow.
I think that we need to: