timesketch
IOCTypes - PR 2045
Hi @tomchop, can you add the possibility to configure, from a file such as /etc/timesketch/ioctype.yaml, the choice of IOC types that can be used in the intelligence interface? Because today these values are fixed: https://github.com/google/timesketch/blob/8f74f175a6ad1ce3d8903c895b9810ce5b6abe01/timesketch/frontend/src/components/Common/TsIOCMenu.vue#L67-L76
Example of an ioctype.yaml file (the user can add new IOC types like URL, email, ...):

```yaml
fs_path:
  regex: /^(\/[\S]+)+$/i
hostname:
  regex: /^([-\w]+\.)+[a-z]{2,}$/i
ipv4:
  regex: /^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/g
hash_sha256:
  regex: /^[0-9a-f]{64}$/i
hash_sha1:
  regex: /^[0-9a-f]{40}$/i
hash_md5:
  regex: /^[0-9a-f]{32}$/i
other:
  regex: /./g
```
Thanks for your help! Lionel
Since these are pure UI components, it's a little tricky to achieve without having to rebuild the UI (I think). But I'll keep it in mind!
The most straightforward way I can think of is to have the yaml file be loaded by the API backend, and have the frontend query that to obtain the data. Maybe there's a solution somewhere with webpack, but I don't know enough about it to be sure.
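Following the suggestion above that the API backend load the YAML and serve it to the frontend, here is an added example (not code from this thread or from Timesketch) of such a loader in Python: it converts the JavaScript-style /pattern/flags literals from the proposed ioctype.yaml into Python regexes and classifies an indicator by the first matching type in file order, so the catch-all `other` entry must stay last. The embedded YAML is a constructed copy of the example above, the file path is an assumption, and the minimal reader stands in for yaml.safe_load() so the snippet runs without PyYAML.

```python
import re

IOCTYPE_YAML = r"""
fs_path:
  regex: /^(\/[\S]+)+$/i
hostname:
  regex: /^([-\w]+\.)+[a-z]{2,}$/i
ipv4:
  regex: /^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/g
hash_sha256:
  regex: /^[0-9a-f]{64}$/i
hash_sha1:
  regex: /^[0-9a-f]{40}$/i
hash_md5:
  regex: /^[0-9a-f]{32}$/i
other:
  regex: /./g
"""  # constructed copy of the ioctype.yaml proposed in the issue (assumed path: /etc/timesketch/ioctype.yaml)

_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "g": 0}  # JS 'g' is a no-op for one match


def js_regex_to_python(literal: str) -> re.Pattern:
    """Turn a JavaScript /pattern/flags literal into a compiled Python regex."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", literal.strip(), re.DOTALL)
    if m is None:
        raise ValueError(f"not a /pattern/flags literal: {literal!r}")
    pattern, flags = m.groups()
    flag_bits = 0
    for f in flags:
        if f not in _FLAGS:  # reject flags (e.g. 'u', 'y') that have no Python equivalent here
            raise ValueError(f"unsupported regex flag {f!r} in {literal!r}")
        flag_bits |= _FLAGS[f]
    return re.compile(pattern, flag_bits)


def load_ioc_types(text: str) -> list[tuple[str, re.Pattern]]:
    """Minimal reader for the two-level 'name:' / '  regex:' layout; keeps file order (first match wins)."""
    types, current = [], None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):               # top-level key: the IOC type name
            current = line.rstrip().rstrip(":")
        elif line.strip().startswith("regex:"):    # its regex literal, everything after the first colon
            types.append((current, js_regex_to_python(line.split(":", 1)[1])))
    return types


def classify(value: str, ioc_types: list[tuple[str, re.Pattern]]) -> str:
    """Name of the first IOC type whose (self-anchored) regex matches the value, else 'unknown'."""
    for name, pattern in ioc_types:
        if pattern.search(value):
            return name
    return "unknown"
```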
I've separated the hardcoded IOCTypes into their own JavaScript file here: https://github.com/google/timesketch/pull/2123. Still, the UI will need to be rebuilt if these change.
@tomchop can we close this one?
@lprat These values are currently fixed, but we are working on another (larger) feature to include more settings in Timesketch - we'll be using that to store the regexes / IOC types. For now, the fixed values are the way to go.