https://d427a9a8.blog-zbi.pages.dev/tags/blacklist/Recent content in Blacklist on Michael EdieHugoen-usThu, 30 Apr 2020 21:46:05 +0000https://d427a9a8.blog-zbi.pages.dev/2020/04/30/diy-ip-threat-feed/Thu, 30 Apr 2020 21:46:05 +0000https://d427a9a8.blog-zbi.pages.dev/2020/04/30/diy-ip-threat-feed/<p>A threat feed is a collection of actionable information about threats that allows for mitigating harmful events. This blog post is concerned with developing an IP based threat feed or blacklist. We will look at how to gather, aggregate, enrich, and extract threat data for consumption.</p> <nav class="toc-a" aria-label="Table of Contents"> <div class="toc-a-head"> <span class="toc-a-chevron">&gt;</span> <span class="toc-a-label">Table of Contents</span> </div> <ul class="toc-a-list"> <li class="h2"> <a href="#gathering-the-threat-data" data-id="gathering-the-threat-data">01&nbsp;&nbsp;Gathering the threat data</a> </li> <li class="h2"> <a href="#aggregation-of-the-threat-data" data-id="aggregation-of-the-threat-data">02&nbsp;&nbsp;Aggregation of the threat data</a> </li> <li class="h2"> <a href="#data-enrichment" data-id="data-enrichment">03&nbsp;&nbsp;Data Enrichment</a> </li> <li class="h2"> <a href="#extraction" data-id="extraction">04&nbsp;&nbsp;Extraction</a> </li> </ul> <div class="toc-a-progress"> <div class="toc-a-progress-fill"></div> </div> </nav> <h2 id="gathering-the-threat-data">Gathering the threat data</h2> <p>I have several servers in the US, Europe, and Asia running modified versions of <a href="https://github.com/cowrie/cowrie">cowrie</a>, a medium interaction honey pot. These honey pots allow ssh access by accepting logins based on a random number of guesses for each attacker. The configuration setting is below:</p>