cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Google Safebrowsing miner

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
chirss
L3 Networker
‎10-03-2017 11:58 AM
‎10-03-2017 11:58 AM

Google Safebrowsing miner

Google has a threat list api, has anyone created a miner for it?

 

https://developers.google.com/safe-browsing/v4/lists

0 Likes
Reply
xhoms
L5 Sessionator
‎10-05-2017 06:48 AM
‎10-05-2017 06:48 AM

@chirss Google Safe Browsing lists are not really "lists". It is an API that will give you information about a given URL. I mean: you have a URL and you're wondering what Google's Safe Browsing thinks about that URL. You can use the API for such a case.

 

I'm planning an "Enrichement Framework" for MineMeld that will be able to attach additional attributes to indicators. A Google Safe Browsing node for the Enrichement Framework would be awesome.

0 Likes
Reply
chirss
L3 Networker
‎10-05-2017 08:31 AM
‎10-05-2017 08:31 AM

Ya that's what I want as well. If I can compare url information from a feed with what safebrowsing thinks of it and then come up with a ranking to be used by different outputs that would be ideal. Is this what you are thinking? I haven't played enough with miner creation to build anything like this out.

0 Likes
Reply
chirss
L3 Networker
‎10-05-2017 08:32 AM
‎10-05-2017 08:32 AM

Also maybe a miner isn't the right thing so much as a processor. If an ioc hits the processor it then queries the api (within limits of the api). 

 

There are an awful lot of reputation type things which could possibly be used in a similar manner.

0 Likes
Reply
xhoms
L5 Sessionator
‎10-05-2017 08:44 AM
‎10-05-2017 08:44 AM

You're following my same path.

  • I started thinking on miners calling enrichement API's to attach additional attributes to the indicators.
  • Then I though it would be better implemented as an aggregator node (once for many nodes)
  • Then I realized a same indicator (i.e. a URL) could be enriched by many sources (i.e. Safe Browsing, PAN-DB, etc.) and that a cache should be put in place to avoid continous calls for the same indicatos.

This is why I reached to the point that a "Enrichement Framework" for MineMeld would be welcome by the community. So I have it in my current plan of intentions.

 

0 Likes
Reply
chirss
L3 Networker
‎10-05-2017 09:50 AM
‎10-05-2017 09:50 AM

Ya exactly. 

 

The problem I'm finding is a lot of the miners likely have duplicate entries of some kind. So I'm sending them all to the same processor for similar types of feeds (phishing type miners to phishing processor for example). However I have to validate everything coming in before being able to trust it, i.e. verify before trusting.

 

The scenario you're talking about would be very beneficial in at least this scenario.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks