This blog post explains how to import external intelligence as a NetWitness recurring feed. As an example, the Locky Ransomware C2 domain blocklist from https://ransomwaretracker.abuse.ch is used.
We will use the SA Server Head Unit to perform all the operations described in this blog post.
First, the list offered by the external provider must be downloaded to the local environment:
curl https://ransomwaretracker.abuse.ch/downloads/LY_C2_DOMBL.txt > locky.txt
The file contains a comment block at the top followed by one domain per line:
##########################################################################
# Locky Ransomware C2 domain blocklist (LY_C2_DOMBL) #
# Generated on 2016-10-18 09:10:02 UTC #
# #
# For questions please refer to: #
# https://ransomwaretracker.abuse.ch/blocklist/ #
##########################################################################
wrubyjtvqhxaqkh.pw
jfmiondv.xyz
tswsgajtwhqkosd.su
xofguhypjgvxrm.pw
yofkhfskdyiqo.biz
[...]
To be able to schedule the feed import for the decoders, we create a path dedicated to feed deployment on the local webserver:
mkdir /var/netwitness/srv/www/rsa/feeds
Now we need to perform the following operations on the file:
The following command will do all those tasks at once. It may look very complicated at first, but all parts of the command will be explained below:
cat locky.txt | grep -v '#' | awk -F $'\n' '{print $1",Locky Ransomware,ransomwaretracker.abuse.ch,Ransomware"}' > /var/netwitness/srv/www/rsa/feeds/locky.csv
Explanation:
- cat locky.txt: Read the file locky.txt in the current folder
- grep -v '#': Remove all lines that include the hash symbol
- awk -F $'\n' '{print $1"[...]"}': for each line return the first column (which is the domain name) and add the static text within the double quotes (which are the meta values to be generated later).
- > /var/netwitness/srv/www/rsa/feeds/locky.csv: Save the result as locky.csv in the path created before
As these lists usually change quite often (some providers update their feeds every 30 minutes), a bash script can be created and scheduled to automate the process (some minimal error handling is added in case the file could not be downloaded):
vi /root/lockyC2.sh
#!/bin/bash
# Download the current blocklist; the file is written to the working directory
curl https://ransomwaretracker.abuse.ch/downloads/LY_C2_DOMBL.txt > locky.txt
# The provider's file starts with a comment block, so a leading '#' on the
# first line serves as a minimal check that the download succeeded
firstLine=$(head -n 1 locky.txt)
if [[ ${firstLine:0:1} == '#' ]]; then
    # Strip the comment lines and append the static meta values to each domain
    grep -v '#' locky.txt | awk -F $'\n' '{print $1",Locky Ransomware,ransomwaretracker.abuse.ch,Ransomware"}' > /var/netwitness/srv/www/rsa/feeds/locky.csv
else
    echo "File not downloaded successfully"
fi
crontab -e
# run the script every 30 minutes
*/30 * * * * /root/lockyC2.sh
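The procedure above trusts whatever the download returns once the first line starts with '#'. The script below is an added example, not code from the original post or from NetWitness, showing the same conversion with the checks a feed publisher usually wants: only comment lines are dropped (a '#' elsewhere in a line would otherwise discard that line), each remaining line must look like a hostname, duplicates are removed, an empty result is never published, and the CSV is written atomically so a decoder cannot fetch a half-written file. The meta values are the ones used above; the hostname regex, the function names and the sample input are assumptions made here.

```shell
#!/bin/bash
# Added example (not from the original post): hardened blocklist-to-CSV conversion.

# Meta values appended to every row (same layout as locky.csv above).
FEED_META="Locky Ransomware,ransomwaretracker.abuse.ch,Ransomware"

# blocklist_to_csv: read blocklist text on stdin, print feed CSV rows on stdout.
# Drops comment lines ('#' at start only), CR characters, blank lines and any
# line that is not a plain hostname; lower-cases and de-duplicates the rest.
blocklist_to_csv() {
  grep -v '^[[:space:]]*#' \
  | tr -d '\r' \
  | grep -E '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$' \
  | tr '[:upper:]' '[:lower:]' \
  | sort -u \
  | awk -v meta="$FEED_META" '{print $0 "," meta}'
}

# publish_feed URL DEST: download to a temp file; publish only if the file
# starts with the provider's comment header and yields at least one row.
# The CSV is moved into place in one step. Returns non-zero on any failure.
publish_feed() {
  url="$1"; dest="$2"
  tmp=$(mktemp) || return 1
  if ! curl -sSf "$url" -o "$tmp"; then rm -f "$tmp"; return 1; fi
  case "$(head -n 1 "$tmp")" in '#'*) ;; *) rm -f "$tmp"; return 1 ;; esac
  csv=$(blocklist_to_csv < "$tmp"); rm -f "$tmp"
  [ -n "$csv" ] || return 1
  printf '%s\n' "$csv" > "$dest.tmp" && mv "$dest.tmp" "$dest"
}

# Constructed sample input (not real data): header, duplicates with mixed
# case, a non-hostname line, a malformed name and a blank line.
SAMPLE_BLOCKLIST='# Locky Ransomware C2 domain blocklist (LY_C2_DOMBL) #
# Generated on 2016-10-18 09:10:02 UTC #
example-c2.test
EXAMPLE-C2.test
not a domain #
bad..domain

second.example.test'

# sample_rows: run the conversion over the constructed sample.
sample_rows() { printf '%s\n' "$SAMPLE_BLOCKLIST" | blocklist_to_csv; }

# From cron: /path/to/script --publish URL /var/netwitness/srv/www/rsa/feeds/locky.csv
if [ "${1-}" = "--publish" ]; then publish_feed "$2" "$3"; fi
```

Running sample_rows yields exactly two rows (the lower-cased duplicate, the non-hostname lines and the blank line are gone); publish_feed leaves the previous locky.csv untouched whenever the download or the conversion fails.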
After completing the steps mentioned above, a recurring custom feed can be created in Live > Feeds.