Demo notes
# Matcher nodes: each matcher, its target, and the nodes it matched (with their source URL)
{
  Node(func: eq(nodeType, "matcher")) {
    id
    target
    nodeType
    full
    nodes {
      uid
      full
      meta {
        full_url
      }
    }
  }
}
# Any node with outgoing "nodes" edges, plus the linked nodes' type, raw value and hostnames
{
  Node(func: has(nodes)) {
    uid
    nodeType
    target
    timestamp
    nodes {
      uid
      type
      full
      hostnames
    }
  }
}
# Certstream nodes and the certificate each one carries (CN, source, fingerprint, validity window)
{
  Node(func: eq(nodeType, "certstream")) {
    id
    nodeType
    certNode {
      cn
      sourceName
      fingerprint
      notBefore
      notAfter
    }
  }
}
Notes
- There is TOO MUCH junk data
- Upsert is not optimal
- What do we do with the data so that analysts can actually work with it?
- Should we store matched data in an SQL-like DB?
TDH
- patterns: a stream going to an IP address and not to a domain (so the HTTP hostname won't be interesting) => look into any canonical name resolving to NXDOMAIN (TLS connection made directly to an IP address, no DNS at all) => the hostname is probably a DGA (there should be a way to identify that visually)
- any canonical name that is an IP address and not a domain name
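Worked example of the patterns above as detection logic, added here and not part of the original notes or the project's code: it tags TLS observations that went straight to an IP with no DNS, names that were used as an IP literal, names that resolved to NXDOMAIN, and NXDOMAIN names that look DGA-generated. The record layout (sni / dst / dns_answers), the sample records and the DGA thresholds are constructed assumptions for this example, not the real schema.

```python
"""Added example: classify TLS/DNS observations against the three patterns
in the notes. Record layout and sample data are assumptions."""
import ipaddress
import math
from collections import Counter

# Constructed sample observations, one TLS connection each (assumed layout):
#   sni          hostname the client presented, None when absent
#   dst          IP the client connected to
#   dns_answers  what the name resolved to beforehand; None = no DNS query
#                was seen at all, [] = the query came back NXDOMAIN
SAMPLE_RECORDS = [
    {"sni": "www.example.com",      "dst": "93.184.216.34", "dns_answers": ["93.184.216.34"]},
    {"sni": None,                   "dst": "198.51.100.7",  "dns_answers": None},  # TLS straight to IP, no DNS
    {"sni": "203.0.113.9",          "dst": "203.0.113.9",   "dns_answers": None},  # IP literal used as a name
    {"sni": "xk3qv9zt1pwm7bnd.net", "dst": "198.51.100.23", "dns_answers": []},    # NXDOMAIN, DGA-looking
    {"sni": "cdn.example.org",      "dst": "198.51.100.50", "dns_answers": []},    # NXDOMAIN, readable name
]


def is_ip_literal(name):
    """True when the 'canonical name' is really an IPv4/IPv6 address."""
    if not name:
        return False
    try:
        ipaddress.ip_address(name.strip("[]"))  # tolerate bracketed IPv6
        return True
    except ValueError:
        return False


def shannon_entropy(s):
    """Bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(name):
    """Crude DGA heuristic on the first label: long, high-entropy,
    vowel-poor and containing digits. Thresholds are assumptions picked
    for this example, not tuned values."""
    label = name.split(".")[0].lower()
    if len(label) < 10:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return (shannon_entropy(label) > 3.3
            and vowels / len(label) < 0.3
            and digits > 0)


def classify(rec):
    """Return the pattern tags that apply to one observation, in a fixed order."""
    tags = []
    sni = rec["sni"]
    if sni is None or is_ip_literal(sni):
        tags.append("tls_to_ip")          # no real hostname in play
        if rec["dns_answers"] is None:
            tags.append("no_dns")         # connection happened without any lookup
    else:
        if rec["dns_answers"] == []:
            tags.append("nxdomain")       # name never resolved, yet we saw traffic
        if looks_like_dga(sni):
            tags.append("dga_like")
    return tags


def triage(records):
    """Map record index -> tags, keeping only records that matched something."""
    return {i: classify(r) for i, r in enumerate(records) if classify(r)}


if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_RECORDS).items():
        print(idx, SAMPLE_RECORDS[idx]["sni"], SAMPLE_RECORDS[idx]["dst"], tags)
```

The "nxdomain" tag on its own (last sample record) is the case worth a second look before alerting: a readable name that failed to resolve is more often a stale CDN hostname than a DGA, so the DGA heuristic is applied on top rather than treating every NXDOMAIN as malicious.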