
Missing some generate scripts

Open sustefil opened this issue 4 years ago • 4 comments

Hi guys,

I wondered whether it would be possible to provide some more generate scripts to the repo.

For example the google-gmail-sending-ips list has a "date" version, so I assume you already have the generate script.

Thanks in advance.

sustefil avatar Aug 17 '20 12:08 sustefil

Good question. I find that the way to get the records is to use the SPF records (which are a kind of recursive maze at Google).

adulau@dobbertin:~$ dig -t TXT _netblocks4.google.com +short
"v=spf1 ip4:74.114.24.0/21 ip4:136.112.0.0/12 ip4:172.217.224.0/19 ip4:208.81.188.0/22 ~all"
adulau@dobbertin:~$ dig -t TXT _netblocks.google.com +short
"v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
adulau@dobbertin:~$ dig -t TXT _netblocks2.google.com +short
"v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
adulau@dobbertin:~$ dig -t TXT _netblocks3.google.com +short
"v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"

It seems to match the current warning list.

adulau avatar Aug 17 '20 12:08 adulau
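The "recursive maze" above is the chain of SPF `include:` records that the generate script has to follow. The following is an added example, not code from the misp-warninglists repository or from either participant: it walks an SPF record recursively, collects the `ip4:`/`ip6:` networks, guards against include loops and the RFC 7208 lookup budget, and assembles a dict in the warninglist JSON layout. The TXT answers are a constructed offline table modelled on the `_netblocks*.google.com` records quoted in the thread (the `_spf.google.com` include chain is assumed), and the warninglist field names (`name`, `description`, `version`, `matching_attributes`, `type`, `list`) and the `matching_attributes` values are assumed from the repository's existing lists; a real script would replace `lookup_txt()` with a DNS query.

```python
import ipaddress
import json
import re

# Constructed, offline stand-in for DNS TXT answers (not live data). The include
# chain is an assumption modelled on the _netblocks*.google.com records quoted
# in the thread; a real generate script would swap lookup_txt() for a DNS query.
CONSTRUCTED_TXT = {
    "_spf.google.com": [
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com"
        " include:_netblocks3.google.com ~all"
    ],
    "_netblocks.google.com": [
        "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ~all"
    ],
    "_netblocks2.google.com": [
        "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ~all"
    ],
    "_netblocks3.google.com": [
        "v=spf1 ip4:172.217.0.0/19 ip4:172.253.56.0/21 ip4:35.191.0.0/16 ~all"
    ],
    # Self-referencing record, constructed to exercise the loop guard.
    "loop.example": ["v=spf1 include:loop.example ip4:192.0.2.0/24 -all"],
}


def lookup_txt(name):
    """Return the TXT strings for `name` from the constructed table."""
    return CONSTRUCTED_TXT.get(name, [])


# SPF terms that carry or point to address data; an optional qualifier may precede them.
SPF_TERM = re.compile(r"^[+\-~?]?(ip4|ip6|include|redirect)[:=](\S+)$")


def collect_spf_networks(domain, lookup=lookup_txt, max_lookups=10):
    """Walk `domain`'s SPF record recursively and return its ip4/ip6 networks.

    Follows include: and redirect= terms, stops at RFC 7208's 10-lookup budget,
    and skips names already visited so a self-include cannot recurse forever.
    """
    nets = set()
    seen = set()
    budget = [max_lookups]  # list so the nested walker can decrement it

    def walk(name):
        if name in seen or budget[0] <= 0:
            return
        seen.add(name)
        budget[0] -= 1
        for txt in lookup(name):
            if not txt.lower().startswith("v=spf1"):
                continue  # unrelated TXT record on the same name
            for term in txt.split()[1:]:
                m = SPF_TERM.match(term)
                if not m:
                    continue  # a, mx, ptr, exists, all, exp= carry no CIDR data
                kind, value = m.groups()
                if kind in ("ip4", "ip6"):
                    try:
                        # strict=False tolerates host bits set in the prefix
                        nets.add(ipaddress.ip_network(value, strict=False))
                    except ValueError:
                        pass  # malformed entry: skip rather than abort the run
                else:
                    walk(value)

    walk(domain)
    # IPv4 before IPv6, then numerically; mixed versions cannot be compared directly.
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in ordered]


def build_warninglist(name, description, domain, lookup=lookup_txt, version=20200817):
    """Assemble a dict in the warninglist JSON layout (field names assumed)."""
    return {
        "name": name,
        "description": description,
        "version": version,
        "matching_attributes": ["ip-src", "ip-dst", "domain|ip"],  # assumed values
        "type": "cidr",
        "list": collect_spf_networks(domain, lookup),
    }


if __name__ == "__main__":
    wl = build_warninglist(
        "List of known Gmail sending IP ranges",
        "Google SPF netblocks (source: _spf.google.com TXT records)",
        "_spf.google.com",
    )
    print(json.dumps(wl, indent=2))
```

Recording the source name (here `_spf.google.com`) in `description` is what makes the list reproducible later; the loop guard and lookup budget matter because a provider's include chain can change shape at any time and a generate script run from CI should fail closed rather than hang.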

Good :)

Other lists of this kind would be:

List of known OVH Cluster IP
List of known Office 365 Attack Simulator used for phishing awareness campaigns
List of known Akamai IP ranges
List of known Googlebot IP ranges

Thanks

sustefil avatar Aug 17 '20 12:08 sustefil

We might update the warning list format to add the source URL, as providers tend to change those very often...

adulau avatar Aug 17 '20 13:08 adulau

That would be nice, to provide the source for the warning lists (e.g. in the description). I could create some of the generate scripts and contribute them to the repo :)

Some of the WLs where the source (and the generate script) is missing:

List of known bank domains
List of known Google domains
List of known Office 365 Attack Simulator used for phishing awareness campaigns
List of known Office 365 URLs and IP address ranges
List of known Office 365 IP address ranges in China
List of known sinkholes
List of known Akamai IP ranges
List of known domains used by automated malware analysis services & security vendors
List of known Microsoft domains
List of known security providers/vendors blog domains
List of known URL shortener domains

sustefil avatar Aug 18 '20 09:08 sustefil