Eric Partington

Script - Sinkhole communication feed

Blog Post created by Eric Partington Employee on Apr 17, 2017

This script grabs the sinkhole_*.txt files from the Maltrail GitHub repository and creates a single CSV that can be imported into RSA NetWitness as a recurring feed. This lets you detect IP communication with known sinkholes, tagged in the ioc meta key.

https://github.com/stamparm/maltrail/tree/master/trails/static/malware

From there you can alert on that meta key if required.

The script is designed to run from the SA server; you can crontab it to grab the latest information on a schedule (then create the recurring feed schedule in RSA NetWitness to load each new version).

Also included are a report pack and the new 10.6.3 cleartext output for the Report Engine.
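The post does not show the script itself, so here is an added example of the same workflow (download the sinkhole_*.txt trail files, merge them into one CSV for a NetWitness feed). This is illustration code, not Eric's script. It assumes the Maltrail static trail format is one indicator per line with `#` starting a comment (this matches the files in the linked directory), that the raw files are fetched from raw.githubusercontent.com under the same path, and that a three-column layout (indicator, type, source) is acceptable; adjust the column order to whatever your feed definition in NetWitness expects. The sample input embedded below is constructed for the example, not real Maltrail data.

```python
"""Merge Maltrail sinkhole_*.txt trail files into one CSV for a NetWitness recurring feed.

Added example, not the script from the blog post. Assumptions:
  * Trail files are plain text, one indicator per line, '#' starts a comment.
  * CSV layout (indicator,type,source) is illustrative; match it to your feed definition.
  * RAW_BASE is the raw.githubusercontent.com mirror of the linked GitHub directory.
"""
import csv
import io
import ipaddress
import re
import urllib.request

RAW_BASE = "https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/malware/"

# Hostname: dot-separated labels of letters/digits/hyphens, no leading/trailing hyphen
_HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def classify(token):
    """Return 'ip', 'cidr' or 'domain' for a trail entry, or None if it is none of these."""
    try:
        ipaddress.ip_address(token)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(token, strict=False)
        return "cidr"
    except ValueError:
        pass
    # Reject things like "1.2.3" (malformed IP) that would otherwise look like a hostname
    if _HOST_RE.match(token) and not token.rsplit(".", 1)[-1].isdigit():
        return "domain"
    return None


def parse_trail(text, source):
    """Yield (indicator, type, source) for every usable line of one trail file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop comments, normalise case
        if not line:
            continue
        kind = classify(line)
        if kind is None:
            continue  # unrecognised token: skip it rather than poison the feed
        yield line, kind, source


def source_from_filename(name):
    """'sinkhole_abuse_ch.txt' -> 'abuse_ch' (used as the feed's source column)."""
    base = name.rsplit("/", 1)[-1]
    if base.endswith(".txt"):
        base = base[:-4]
    return base[len("sinkhole_"):] if base.startswith("sinkhole_") else base


def build_csv(files):
    """files: {filename: file text}. Returns CSV text with one row per unique indicator.

    The first file (in sorted filename order) that lists an indicator wins, so the
    indicator column stays unique and can be used as the feed's index key.
    """
    seen = set()
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["indicator", "type", "source"])
    for name in sorted(files):
        for indicator, kind, src in parse_trail(files[name], source_from_filename(name)):
            if indicator in seen:
                continue
            seen.add(indicator)
            writer.writerow([indicator, kind, src])
    return out.getvalue()


def fetch_trails(names):
    """Download the named trail files (network access; not exercised by the offline sample)."""
    result = {}
    for n in names:
        with urllib.request.urlopen(RAW_BASE + n, timeout=30) as resp:
            result[n] = resp.read().decode("utf-8", "replace")
    return result


# Constructed sample input that mimics the trail file layout (not real Maltrail data)
SAMPLE_FILES = {
    "sinkhole_example_a.txt": (
        "# Copyright (c) Maltrail developers\n"
        "# Reference: https://example.test/report\n"
        "\n"
        "192.0.2.10\n"
        "192.0.2.10   # duplicate of the line above\n"
        "198.51.100.0/24\n"
        "sink.example.net\n"
        "not a valid indicator\n"
    ),
    "sinkhole_example_b.txt": "192.0.2.10\n203.0.113.7\n",
}

if __name__ == "__main__":
    # Offline demo; swap SAMPLE_FILES for fetch_trails([...]) and write the result to the
    # path your NetWitness recurring feed is configured to pull from.
    print(build_csv(SAMPLE_FILES), end="")
```

Run it from cron on the SA server, write the output where the recurring feed can fetch it, and the feed picks up each new version on its own schedule. Unrecognised lines are dropped on purpose: a malformed entry in an automated feed is better skipped than imported as a bogus IOC.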
