This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Script - Sinkhole communication feed

EricPartington
Employee
Employee
‎2017-04-17 05:51 PM

This script grabs the sinkhole_*.txt files from the Maltrail GitHub page and creates a single csv used to import into RSA NetWitness as a recurring feed.  This will allow you to detect ip communication to known sinkholes in the ioc metakey.

 

https://github.com/stamparm/maltrail/tree/master/trails/static/malware

 

From there you can choose to alert on that metakey if required.

 

script is designed to run from SA server, you can crontab it to grab the latest information on a schedule (then create the recurring schedule to load new versions into RSA NW)

 

Included a report pack as well as the new 10.6.3 cleartext output for the report engine.

script-rsa-wellknown-sinkhole.zip
Threats-Sinkhole-cleartext.zip
Threats-Sinkhole.zip
Labels:
script-rsa-wellknown-sinkhole.zip
Threats-Sinkhole-cleartext.zip
Threats-Sinkhole.zip
1 Comment
© 2022 RSA Security LLC or its affiliates. All rights reserved.