
Filter HostLookup

Hugo Soszynski edited this page Jul 21, 2020 · 12 revisions

Filter Name

Description

Detect if a received entry is in a malicious database.

Filter Code

0x66726570

Dependencies

No dependencies

Darwin configuration

Example of Darwin configuration for this filter:

{
    "hostlookup_1": {
        "exec_path": "/path/to/darwin/build/darwin_hostlookup",
        "config_file": "/path/to/fhostlookup.conf",
        "output": "LOG",
        "next_filter": "",
        "nb_thread": 1,
        "log_level": "DEBUG",
        "cache_size": 0
    }
}

Config file

  • database: path to the file describing the malicious entries
  • db_type (optional): the database type, either text, rsyslog or json. Default is text.
  • redis_socket_path (optional): path to the Unix socket of the Redis instance in which the filter will store its data
  • alert_redis_list_name (optional): the Redis key (a list) under which the filter will store the raised alerts
  • alert_redis_channel_name (optional): the Redis channel on which the raised alerts will be published
  • log_file_path (optional): path of the file to which the filter will write the raised alerts

Example:

{
    "database": "/path/to/database.txt",
    "redis_socket_path": "/var/sockets/redis/redis.sock",
    "alert_redis_list_name": "darwin_alerts",
    "alert_redis_channel_name": "darwin.alerts",
    "log_file_path": "/var/log/darwin/alerts.log"
}

Text database example:

bad_host_1
  bad_host_2

bad_host_3  

JSON database example:

{
    "feed_name": "suspicious_hosts",
    "data": [
        {"entry": "bad_host_1", "score": 42},
        {"entry": "bad_host_2", "score": 100},
        {"entry": "bad_host_3"}
    ]
}

Rsyslog Database example:

Please follow this documentation to learn more about this database format.

Note:

  • The default score is 100. If a score is not provided, or is not between 0 and 100, the default is used.
  • If no feed_name, no data, or no valid entry is provided, the filter will stop.
  • For text databases the feed name is the file name without its extension (kept for backward compatibility).

Body

[ 
   [<entry>], [..] 
]

Where <entry> is a string.

Example

Here is an example of a body:

[ 
   ["good_host_1"], ["bad_host_2"] 
]

Results

Sends back a certitude between 0 and 100 corresponding to the score associated with the entry. A score equal to 0 means the entry sent is not in the database. For example, with the JSON database above, the body given above yields [0, 100]: good_host_1 is not in the database and bad_host_2 is listed with score 100.

The raised alert will be in the following JSON format:

{
  "evt_id": "<uuid>",
  "time": "<ISO8601>",
  "filter": "hostlookup",
  "entry": "<entry>",
  "feed": "<feed_name>",
  "certitude": <certitude>
}
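To make the database rules and the lookup semantics above concrete, here is an added Python model of what the filter does with a database and a body. It is example code written for this page, not Darwin's own implementation: it loads a text or JSON database following the Note above (default score 100, out-of-range scores replaced by the default, missing feed_name/data or no valid entry is fatal, text feed name taken from the file name), returns one certitude per body element, and builds alerts in the JSON shape shown above. The rsyslog database type is not modelled because its format is documented elsewhere. Function names, the whitespace handling of text databases, and the choice to raise an alert only when the certitude is above 0 are this example's own assumptions; the sample databases and body are constructed here and mirror the page's examples.

```python
"""Added example (not Darwin's code): a Python model of the HostLookup
filter's database loading, lookup and alert construction, following the
rules documented on the wiki page. Names are this example's own."""
import json
import os
import uuid
from datetime import datetime, timezone

DEFAULT_SCORE = 100  # per the page: default certitude for a listed entry


def _normalize_score(raw):
    """Return the score if it is an integer in [0, 100]; otherwise the default."""
    if isinstance(raw, bool) or not isinstance(raw, int):
        return DEFAULT_SCORE
    return raw if 0 <= raw <= 100 else DEFAULT_SCORE


def load_text_database(text, filename):
    """Text database: one entry per line. Assumption: surrounding whitespace
    is stripped and empty lines are skipped (as the page's text example
    suggests). The feed name is the file name without its extension."""
    feed = os.path.splitext(os.path.basename(filename))[0]
    db = {}
    for line in text.splitlines():
        entry = line.strip()
        if entry:
            db[entry] = (feed, DEFAULT_SCORE)
    if not db:
        raise ValueError("no valid entry in text database: filter stops")
    return feed, db


def load_json_database(text):
    """JSON database: {"feed_name": ..., "data": [{"entry": ..., "score": ...}]}.
    Missing feed_name, missing data, or no valid entry is fatal (filter stops).
    Items without a string entry are skipped; bad scores fall back to 100."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("database must be a JSON object: filter stops")
    feed, data = doc.get("feed_name"), doc.get("data")
    if not isinstance(feed, str) or not feed or not isinstance(data, list):
        raise ValueError("database needs feed_name and a data list: filter stops")
    db = {}
    for item in data:
        entry = item.get("entry") if isinstance(item, dict) else None
        if not isinstance(entry, str) or not entry:
            continue  # not a valid entry
        db[entry] = (feed, _normalize_score(item.get("score")))
    if not db:
        raise ValueError("no valid entry in JSON database: filter stops")
    return feed, db


def lookup(db, body):
    """One certitude per body element ([[<entry>], ...]); 0 = not in the database."""
    return [db[element[0]][1] if element[0] in db else 0 for element in body]


def build_alerts(db, body):
    """Alerts in the page's documented format. Assumption: an alert is raised
    only for entries found in the database with a certitude above 0."""
    alerts = []
    for element in body:
        entry = element[0]
        if entry not in db or db[entry][1] == 0:
            continue
        feed, score = db[entry]
        alerts.append({
            "evt_id": str(uuid.uuid4()),
            "time": datetime.now(timezone.utc).isoformat(),
            "filter": "hostlookup",
            "entry": entry,
            "feed": feed,
            "certitude": score,
        })
    return alerts


# Constructed sample inputs (mirroring the page's examples, plus edge cases).
SAMPLE_JSON_DB = json.dumps({
    "feed_name": "suspicious_hosts",
    "data": [
        {"entry": "bad_host_1", "score": 42},
        {"entry": "bad_host_2", "score": 100},
        {"entry": "bad_host_3"},                 # no score -> default 100
        {"entry": "bad_host_4", "score": 250},   # out of range -> default 100
        {"score": 7},                            # no entry -> skipped
    ],
})
SAMPLE_TEXT_DB = "bad_host_1\n  bad_host_2\n\nbad_host_3  \n"
SAMPLE_BODY = json.loads('[ ["good_host_1"], ["bad_host_2"] ]')


def demo():
    """Run the page's example body against the JSON database."""
    _feed, db = load_json_database(SAMPLE_JSON_DB)
    return lookup(db, SAMPLE_BODY), build_alerts(db, SAMPLE_BODY)


if __name__ == "__main__":
    certitudes, alerts = demo()
    print(certitudes)  # [0, 100] for the page's example body
    for alert in alerts:
        print(json.dumps(alert))
```

The text-database loader is where the backward-compatibility rule bites: a file named /path/to/database.txt produces the feed name "database", so rename the file if the feed name should be meaningful in alerts.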

Alert Details

"details": {
    "feed": "<the_threat_intell_feed_name>",
    "description": "<threat_description>"
}