Closed
Labels: bug (Something isn't working), intel (Related to integration with threat intel feeds)
Description
This Reddit thread (cross-posted by me in the discussion forums) brought to my attention that some MISP feeds from this list were suspiciously returning zero indicators.
After debugging down into the ProcessMISP function I determined that some of these MISP feeds store their attributes (which are the individual entities that basically translate into an "indicator" that gets written out to the Zeek intel file) in a different way than other ones.
So I've adjusted the iterator that loops over those attributes to account for all of the ways the attributes can show up:
- a single attribute outside of an event
- the attributes list in the event object
- the attributes list in each sub-object of the event object (this is the new one)
After doing that, here's the new output compared to what I shared in this comment:
| Source | 1w | 2w | 3w | 4w | 5w | 6w | 7w | 8w | 13w | 26w | 52w |
|---|---|---|---|---|---|---|---|---|---|---|---|
| bazaar.abuse.ch | 12,305 | 27,365 | 41,025 | 53,145 | 63,765 | 79,917 | 94,857 | 107,745 | 174,174 | 355,718 | 635,009 |
| raw.githubusercontent.com | 0 | 0 | 2,098 | 2,098 | 2,098 | 2,098 | 2,098 | 2,098 | 104,120 | 105,125 | 105,464 |
| threatfox.abuse.ch | 1,975 | 3,441 | 4,442 | 5,311 | 6,123 | 7,087 | 7,767 | 9,501 | 18,444 | 101,548 | 159,344 |
| urlhaus.abuse.ch | 7,745 | 15,839 | 24,647 | 33,877 | 42,015 | 52,611 | 63,126 | 71,292 | 106,862 | 314,331 | 849,855 |
| www.botvrij.eu | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 134 | 134 | 169 | 960 |
| www.circl.lu | 0 | 0 | 40 | 1,440 | 1,458 | 1,458 | 1,458 | 3,674 | 4,374 | 7,456 | 10,713 |
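The three attribute layouts described above, as an added example that is not Malcolm's own ProcessMISP code: a generator that walks a MISP JSON document and yields every attribute wherever the feed nests it, plus an `include_objects=False` switch that reproduces the pre-fix behaviour so the zero-indicator symptom can be seen on a constructed feed. Field names follow the MISP JSON format; the sample documents and their values are constructed placeholders.

```python
"""Added example (not Malcolm's own ProcessMISP code): walk a MISP JSON
document and yield every attribute, whichever of the three layouts named in
the issue the feed uses. Sample documents below are constructed."""
from typing import Any, Dict, Iterator, List


def iter_misp_attributes(doc: Dict[str, Any], include_objects: bool = True) -> Iterator[Dict[str, Any]]:
    """Yield attribute dicts from one feed document.

    include_objects=False reproduces the pre-fix behaviour, which never
    looked inside Event.Object[] and so saw zero indicators for feeds that
    store their attributes only there.
    """
    # Layout 1: a single attribute outside of an event ({"Attribute": {...}})
    if isinstance(doc.get("Attribute"), dict):
        yield doc["Attribute"]
        return
    # Feeds wrap events as {"Event": {...}}; tolerate an unwrapped event too
    event = doc.get("Event", doc)
    if not isinstance(event, dict):
        return
    # Layout 2: the attribute list in the event object itself
    for attr in event.get("Attribute") or []:
        if isinstance(attr, dict):
            yield attr
    # Layout 3: the attribute list in each sub-object of the event
    if include_objects:
        for obj in event.get("Object") or []:
            if isinstance(obj, dict):
                for attr in obj.get("Attribute") or []:
                    if isinstance(attr, dict):
                        yield attr


def count_attributes(docs: List[Dict[str, Any]], include_objects: bool = True) -> int:
    """Number of indicators a feed would yield under either behaviour."""
    return sum(1 for doc in docs for _ in iter_misp_attributes(doc, include_objects))


# Constructed sample feed, one document per layout (values are placeholders)
SAMPLE_FEED: List[Dict[str, Any]] = [
    {"Attribute": {"type": "ip-dst", "value": "198.51.100.7"}},
    {"Event": {"info": "constructed event A", "Attribute": [
        {"type": "domain", "value": "example.invalid"}, {"type": "url", "value": "http://example.invalid/x"}]}},
    {"Event": {"info": "constructed event B, attributes only inside Objects", "Object": [
        {"name": "file", "Attribute": [{"type": "sha256", "value": "<placeholder-hash>"}]},
        {"name": "ip-port", "Attribute": [{"type": "ip-dst", "value": "203.0.113.9"},
                                          {"type": "port", "value": "8443"}]}]}},
]
```

Running `count_attributes(SAMPLE_FEED, include_objects=False)` gives 3 and `count_attributes(SAMPLE_FEED)` gives 6; event B alone drops to 0 without the sub-object walk.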
Status: Released