misp-warninglists

New Feat.: Warninglists can be a dict with value and comments + New list: List of IPs from the SANS ISC research feed

Open HiS3 opened this issue 4 months ago • 4 comments

Add a list of IPs from the SANS ISC research feed and the matching generator script generate-isc-sans-research.py. Simultaneous inclusion in generate_all.sh.

I would actually like to have the list in this form

    "102.165.30.98 # netsystems",
    "102.165.30.99 # netsystems",
    "103.187.190.0 # odin",

so that you then have a direct assignment of which researcher is behind the IP.

But in contrast to how it is with Add List via the Web GUI in MISP, I only get hits in search results if I enter the complete string, e.g. `102.165.30.99 # netsystems`, and not with `102.165.30.99`.

If @adulau or someone else has an idea what I need to change, I'll be happy to add it.

HiS3, Aug 29 '25 13:08

I have managed to ensure that the values can now also have comments, as mentioned above and already possible in the GUI. If the lists use the type string, the comments are also displayed directly in the MISP events, as here

[image]

For this to be possible, the warning list must become a dict. This is also permitted in the MISP code. However, it is not provided in generator.py. Likewise in make_liste_unique.py, which ensures that the tests also fail here. With the adjustments also made here, dicts are now also accepted and the tests run as usual.

Since some fundamental changes are now to be made here so that the new warning list also works in this way, I can also store these changes in a separate pull request. In general, however, I think that this would be a good extension of the lists, which more people will certainly want to use.

@adulau what do you think about this? (best regards from Bayern-CERT ;) )

HiS3, Sep 06 '25 06:09

I love the idea. I just need to dig a bit deeper to be sure it fits in the pipeline. The only issue I see is with existing lists and organisations using it as-is without MISP, if the format changes, it might break some people’s code.

adulau, Sep 06 '25 07:09

I'm glad to hear that you like the idea :) Therefore, I have adapted the changes to generator.py and make_liste_unique.py so that dicts and lists are both still allowed, so that existing variants do not throw errors or have to be changed.
But feel free to take a look at it at your leisure.

HiS3, Sep 06 '25 08:09
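
An added example, not code from this pull request or from the MISP project: one way a consumer of the list could accept both the legacy list form and a dict form, so that a lookup on the bare IP matches even when entries carry a `# comment`. The `{value: comment}` dict shape, the function names and the sample warninglists are assumptions made for illustration.

```python
SEPARATOR = " # "  # assumed: comment delimiter as written in the thread's sample entries


def split_entry(entry):
    """Split 'value # comment' into (value, comment); comment is '' when absent."""
    # Splitting on ' # ' (with spaces) avoids cutting values that contain a bare '#'.
    value, _, comment = str(entry).partition(SEPARATOR)
    return value.strip(), comment.strip()


def normalize(entries):
    """Accept a legacy list or a {value: comment} dict; return a sorted {value: comment}."""
    if isinstance(entries, dict):
        pairs = [(str(k).strip(), str(v or "").strip()) for k, v in entries.items()]
    elif isinstance(entries, list):
        pairs = [split_entry(e) for e in entries]
    else:
        raise TypeError("warninglist 'list' must be a list or a dict")
    merged = {}
    for value, comment in pairs:
        if not value:
            continue  # skip empty lines instead of listing an empty value
        if not merged.get(value):
            merged[value] = comment  # de-duplicate, keeping the first non-empty comment
    return dict(sorted(merged.items()))


def lookup(warninglist, value):
    """Return the comment for an exact value match ('' if none), or None if not listed."""
    return normalize(warninglist["list"]).get(value.strip())


# Constructed sample warninglists; the entries reuse the values quoted in the first post.
LEGACY = {"type": "string", "list": [
    "102.165.30.98 # netsystems",
    "102.165.30.99 # netsystems",
    "103.187.190.0 # odin",
    "102.165.30.99 # netsystems",  # duplicate on purpose
]}
AS_DICT = {"type": "string", "list": {
    "102.165.30.98": "netsystems",
    "102.165.30.99": "netsystems",
    "103.187.190.0": "odin",
}}
PLAIN = {"type": "string", "list": ["103.187.190.0", "102.165.30.98"]}

if __name__ == "__main__":
    for name, wl in (("legacy", LEGACY), ("dict", AS_DICT), ("plain", PLAIN)):
        print(name, repr(lookup(wl, "102.165.30.99")))
```

Consumers that read the JSON without MISP can call `normalize()` on the `list` field and keep working whether a given warninglist ships as a list or as a dict.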

@adulau As a little friendly reminder of this idea. 😊 Did you have time to check whether it might cause problems elsewhere?

HiS3, Dec 01 '25 22:12