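# Shared building blocks for the IOC type definitions below.  Factoring them
# out keeps the three domain-shaped types and the two IPv4-shaped types from
# drifting apart when one of them is edited.

# One dotted-quad octet, 0-255, with NO leading zeros.  Forms such as
# "010.1.1.1" are deliberately rejected: inet_aton-style parsers read a
# leading-zero octet as octal (010 -> 8) while others read it as decimal, and
# Python's `ipaddress` module refuses such input outright, so an indicator
# accepted here but parsed differently downstream would silently match the
# wrong host (or crash the consumer).
_IPV4_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"

# Exactly four octets, anchored to the whole string.
_IPV4_RE = r"^(?:" + _IPV4_OCTET + r"\.){3}" + _IPV4_OCTET + r"$"

# IPv4 network in CIDR notation.  The "/prefix" part is optional, so this
# pattern also matches a bare address; `ip4addr` is listed before `cidr` in
# `iocs_types`, which presumably makes plain addresses classify as `ip4addr`
# if the consumer takes the first matching type -- confirm against the caller.
_CIDR_RE = (
    r"^(?:" + _IPV4_OCTET + r"\.){3}" + _IPV4_OCTET
    + r"(\/([0-9]|[1-2][0-9]|3[0-2]))?$"
)

# RFC 4291 textual forms: full, "::"-compressed, link-local with a "%zone"
# suffix, and IPv4-mapped/embedded tails.  Hex digits may be either case.
_IPV6_RE = r"^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$"

# Lower-case dotted hostname: each label 1-63 chars, optional "xn--" punycode
# prefix, no leading/trailing hyphen, alphabetic TLD of 2-63 chars.  Mixed or
# upper-case input does NOT match -- the consumer must lower-case indicators
# before matching unless it compiles with re.IGNORECASE (not visible here).
_DOMAIN_RE = r"^((?=[a-z0-9-]{1,63}\.)(xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,63}$"

# Catalogue of indicator-of-compromise (IOC) types, tags and whitelist types.
#
# Each entry in `iocs_types` / `whitelist_types` has:
#   type  - short identifier used to reference the type elsewhere
#   regex - anchored pattern a value of this type must fully match, or False
#           when the type has no machine-checkable syntax (free-form rules)
#   name  - human-readable label
#   auto  - boolean consumed outside this file; presumably whether the type
#           may be assigned automatically by regex match -- confirm with caller
#
# All patterns are anchored with ^...$ and take bounded input, so none is
# expected to backtrack badly; still, keep new patterns anchored and simple.
definitions = {
    "iocs_types": [
        {
            "type": "ip4addr",
            "regex": _IPV4_RE,
            "name": "IPv4 Address",
            "auto": True,
        },
        {
            "type": "ip6addr",
            "regex": _IPV6_RE,
            "name": "IPv6 Address",
            "auto": True,
        },
        {
            "type": "cidr",
            "regex": _CIDR_RE,
            "name": "Network range",
            "auto": True,
        },
        {
            "type": "domain",
            "regex": _DOMAIN_RE,
            "name": "Domain name",
            "auto": True,
        },
        {
            "type": "sha1cert",
            # 40 lower-case hex chars.  Tools such as OpenSSL print fingerprints
            # as upper-case colon-separated pairs; those must be lower-cased and
            # stripped of colons before matching (normalisation not visible here).
            "regex": r"^[0-9a-f]{40}$",
            "name": "Certificate SHA1",
            "auto": True,
        },
        {
            "type": "jarm",
            # JARM fingerprints are 62 lower-case hex chars.
            "regex": r"^[0-9a-f]{62}$",
            "name": "Jarm hash",
            "auto": True,
        },
        {
            "type": "snort",
            # Free-form rule text: no syntax check is performed here, so values
            # of this type are trusted as given and must never be auto-assigned.
            "regex": False,
            "name": "Snort rule",
            "auto": False,
        },
        {
            "type": "ns",
            # Same syntax as `domain`; the distinction is semantic (name server),
            # which is why it is not auto-assigned.
            "regex": _DOMAIN_RE,
            "name": "Name Server",
            "auto": False,
        },
        {
            "type": "freedns",
            # Same syntax as `domain`; semantic distinction only, never auto.
            "regex": _DOMAIN_RE,
            "name": "Free DNS",
            "auto": False,
        },
        {
            "type": "tld",
            # Leading dot plus 2-63 lower-case letters.  Punycode TLDs
            # ("xn--...") do not match this pattern.
            "regex": r"^\.[a-z]{2,63}$",
            "name": "Suspect TLD",
            "auto": False,
        },
    ],
    "iocs_tags": [
        {"tag": "apt", "name": "APT"},
        {"tag": "stalkerware", "name": "Stalkerware"},
        {"tag": "suspicious", "name": "Suspicious"},
        {"tag": "malicious", "name": "Malicious"},
        {"tag": "spyware", "name": "Spyware"},
        {"tag": "cybercrime", "name": "Cybercrime"},
        {"tag": "doh", "name": "DNS over HTTPs"},
        {"tag": "dual", "name": "Dual use"},
    ],
    # Whitelist entries reuse the same patterns as the corresponding IOC types
    # so that an address or domain cannot be accepted as an IOC but rejected
    # as a whitelist entry (or vice versa).
    "whitelist_types": [
        {
            "type": "ip4addr",
            "regex": _IPV4_RE,
            "name": "IPv4 Address",
            "auto": True,
        },
        {
            "type": "ip6addr",
            "regex": _IPV6_RE,
            "name": "IPv6 Address",
            "auto": True,
        },
        {
            "type": "cidr",
            "regex": _CIDR_RE,
            "name": "Network range",
            "auto": True,
        },
        {
            "type": "domain",
            "regex": _DOMAIN_RE,
            "name": "Domain name",
            "auto": True,
        },
    ],
}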