sroberts / cacador Goto Github PK

Could be useful, but would generate a lot of files. Am I the only one who thinks this could be useful?

Make the project pass golint and go vet

"http://www.w3.org/2001/XMLSchema-instance", "http://stix.mitre.org/stix-1", "http://stix.mitre.org/default_vocabularies-1", "http://data-marking.mitre.org/Marking-1", "http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1", "http://www.us-cert.gov/STIXMarkingStructure#AISConsentMarking-2", "http://stix.mitre.org/common-1", "http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1", "http://cybox.mitre.org/common-2", "http://stix.mitre.org/Indicator-2", "http://cybox.mitre.org/cybox-2", "http://cybox.mitre.org/objects#FileObject-2", "http://cybox.mitre.org/default_vocabularies-2", "http://cybox.mitre.org/objects#DomainNameObject-1", "http://cybox.mitre.org/objects#AddressObject-2", "http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd", "http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd", "http://stix.mitre.org/XMLSchema/data_marking/1.1.1/data_marking.xsd", "http://stix.mitre.org/XMLSchema/extensions/marking/tlp/1.1.1/tlp_marking.xsd", "http://www.us-cert.gov/sites/default/files/STIX_Namespace/AIS_Bundle_Marking_1.1.1_v1.0.xsd", "http://stix.mitre.org/XMLSchema/common/1.1.1/stix_common.xsd", "http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd", "http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xPIL.xsd", "http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd", "http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd", "http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd", "http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd", "http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd", "http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd", "http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd", "http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf", "https://www.us-cert.gov/tlp", "http://msdn.microsoft.com/en-us/library/ff648653.aspx", "https://www.us-cert.gov/ccubedvp", "https://www.cert.org/resilience/rmm.html", "https://www.nist.gov/cyberframework", "https://www.us-cert.gov/forms/feedback.INDICATOR_VALUE,TYPE,COMMENT,ROLE,ATTACK_PHASE,OBSERVED_DATE,HANDLING,DESCRIPTION"

There are plenty of values that it would be great to whitelist, especially for domains, emails, and IPv4s.

https://gobyexample.com/channels

It would be great if there was a way to pull automated information for all extracted indicators.

• VirusTotal
• PassiveTotal
• etc

https://github.com/urandom/text-summary

"utilities": {
    "md5s": []
},

Should be cves.

• RFC1918 IPv4Addresses
• Localhost URLs

YAML could be a much cleaner solution for both patterns and the white/black lists. Just have to sort out the how.

Organize the project so it is go get-able

It'd be nice to be able to grab Snort signatures from the text block.

Could help simplify workflow for improving.

https://goreleaser.com/

The illustrious @StabbyCutyou called out a cool idea that he implimented:

Having Cacador as a service could be really useful moving beyond a single system. I'd love to see this implemented as a "mode" that cacador can run in.

It'd be nice to be able to grab Yara signatures from the text block.

Turns out cacador opens the file handle way too early and actually doesn't write until much later. That seems pretty dumb, we can do better.

This isn't right. No tags should be realized as an empty list.

"www.us", "-cert.gov",

Not great.