-
Notifications
You must be signed in to change notification settings - Fork 1
/
config.yml
75 lines (65 loc) · 2.57 KB
/
config.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
##############################
# Example configuration file #
##############################
# Global plugin configuration. Anything set here applies to all plugins.
global:
example: Example global configuration
# Example configuration that applies to all instances of a plugin.
# Configuration in the plugin list will override it.
filter-misp-warning:
revoke: true
# List of plugins to run, and the configuration for each plugin instance
plugins:
# Grab a block of text from stdin
- name: input-stdin
# Parse freeform text, extract indicators, and refang them
- name: filter-freeform
# Compare indicators to the MISP warning lists for hostnames
# See https://github.com/MISP/misp-warninglists
- name: filter-misp-warning
# Configuration for this instance of this plugin
# If revoke is set to true, the indicator will be removed. If set to
# false, a sighting will be added for it.
revoke: false
warning_list_dir: ./misp-warninglists
warning_lists: [
alexa, automated-malware-analysis, bank-website, cisco_top1000, google,
microsoft, microsoft-attack-simulator, microsoft-office365,
microsoft-win10-connection-endpoints, public-dns-hostname, rfc6761,
second-level-tlds, security-provider-blogpost, tlds, url-shortener,
whats-my-ip
]
# Extract IPs from hostnames using FarSight DNSDB
# - name: filter-pdns
# apikey: your_key_here
# # Optional max age for an rrset. Ignore any older records.
# max_age: 180
# Run indicators past the warning lists that relate to IPs or CIDRs
- name: filter-misp-warning
revoke: false
warning_list_dir: ./misp-warninglists
warning_lists: [
amazon-aws, ipv6-linklocal, microsoft-attack-simulator, microsoft-azure,
microsoft-office365, microsoft-office365-cn, multicast, ovh-cluster,
public-dns-v4, public-dns-v6, rfc1918, rfc3849, rfc5735, rfc6598,
sinkholes
]
# Check the OIL
# See https://github.com/MattCarothers/oil-netflow
# - name: filter-oil-redis
# server: 172.17.0.2
# namespace: oil
# Check Moloch using its API for any domain with an IP seen in OIL
# - name: filter-moloch
# url: https://moloch.yourcompany.com
# username: your_username
# password: your_password
# Optional: apply a base expression to every Moloch query.
# base_query: ip != 1.2.3.4
# Don't check Moloch for any IP sighted more than max_age days ago
# max_age: 30
# Verify the TLS certificate?
# Verify can be true, false, or a directory with your CA cert
# verify: /etc/ssl/certs
# Output a CSV file
- name: output-stdout-csv