This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Google Safebrowsing miner

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Google Safebrowsing miner

chirss
L3 Networker

‎10-03-2017 11:58 AM

Google has a threat list api, has anyone created a miner for it?

 

https://developers.google.com/safe-browsing/v4/lists

0 Likes Likes
5 REPLIES 5

xhoms
L5 Sessionator

‎10-05-2017 06:48 AM

@chirss Google Safe Browsing lists are not really "lists". It is an API that will give you information about a given URL. I mean: you have a URL and you're wondering what Google's Safe Browsing thinks about that URL. You can use the API for such a case.

 

I'm planning an "Enrichement Framework" for MineMeld that will be able to attach additional attributes to indicators. A Google Safe Browsing node for the Enrichement Framework would be awesome.

0 Likes Likes

chirss
L3 Networker
In response to xhoms

‎10-05-2017 08:31 AM

Ya that's what I want as well. If I can compare url information from a feed with what safebrowsing thinks of it and then come up with a ranking to be used by different outputs that would be ideal. Is this what you are thinking? I haven't played enough with miner creation to build anything like this out.

0 Likes Likes

chirss
L3 Networker
In response to xhoms

‎10-05-2017 08:32 AM

Also maybe a miner isn't the right thing so much as a processor. If an ioc hits the processor it then queries the api (within limits of the api). 

 

There are an awful lot of reputation type things which could possibly be used in a similar manner.

0 Likes Likes

xhoms
L5 Sessionator
In response to chirss

‎10-05-2017 08:44 AM

You're following my same path.

  • I started thinking on miners calling enrichement API's to attach additional attributes to the indicators.
  • Then I though it would be better implemented as an aggregator node (once for many nodes)
  • Then I realized a same indicator (i.e. a URL) could be enriched by many sources (i.e. Safe Browsing, PAN-DB, etc.) and that a cache should be put in place to avoid continous calls for the same indicatos.

This is why I reached to the point that a "Enrichement Framework" for MineMeld would be welcome by the community. So I have it in my current plan of intentions.

 

0 Likes Likes

chirss
L3 Networker
In response to xhoms

‎10-05-2017 09:50 AM

Ya exactly. 

 

The problem I'm finding is a lot of the miners likely have duplicate entries of some kind. So I'm sending them all to the same processor for similar types of feeds (phishing type miners to phishing processor for example). However I have to validate everything coming in before being able to trust it, i.e. verify before trusting.

 

The scenario you're talking about would be very beneficial in at least this scenario.

0 Likes Likes
  • 4782 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks