styx/DEMO.md
2020-08-28 15:55:18 +02:00

Demo notes

{
  Node(func: eq(nodeType, "matcher")){
    id
    target
    nodeType
    full
    nodes {
      uid
      full
      meta {
        full_url
      }
    }
  }
}
{
  Node(func: has(nodes)  ) {
    uid
    nodeType
    target
    timestamp
    nodes {
      uid
      type
      full
      hostnames
    }
  }
}
{
  Node(func: eq(nodeType, "certstream")){
    id
    nodeType
    certNode {
      cn
      sourceName
      fingerprint
      notBefore
      notAfter
    }
  }
}

Notes

  • There is TOO MUCH junk data
  • Upsert is not optimal
  • What do we do with the data so that analysts can actually work with it?
  • Should we store matched data in an SQL-like DB?

TDH

  • patterns: the stream goes to an IP address and not to a domain (so the HTTP hostname won't be interesting) => look into any canonical name resolving to NXDOMAIN (TLS connection made directly to an IP address, no DNS at all) => the hostname is a DGA (there should be a way to identify it visually)
  • any canonical name that is an IP address and not a domain name
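
The two TDH heuristics above, written out as a small triage pass over certstream-style records: flag a certificate name that is a bare IP address, and flag a name that does not resolve and whose shape looks machine-generated. This is an added example and not styx code: the record shape, the sample certificates, the `fake_resolver` stand-in for DNS and the DGA thresholds are all constructed here; only the field names `cn` and `fingerprint` are taken from the certNode query above.

```python
import ipaddress
import math
import socket
from collections import Counter

# Constructed certstream-like records, not real data.  Field names follow the
# certNode fields used in the queries above (cn, fingerprint).
SAMPLE_CERTS = [
    {"cn": "www.example.com", "fingerprint": "AA:01"},
    {"cn": "203.0.113.7", "fingerprint": "AA:02"},           # bare IPv4 literal as CN
    {"cn": "2001:db8::1", "fingerprint": "AA:03"},           # bare IPv6 literal as CN
    {"cn": "xk3q9zt7bvw2pld.net", "fingerprint": "AA:04"},   # random-looking label
    {"cn": "mail.corp-example.org", "fingerprint": "AA:05"},
]

# Offline stand-in for DNS so the demo runs without network: names in this set
# "resolve", anything else is treated as NXDOMAIN.  Constructed for the example.
FAKE_ZONE = {"www.example.com", "mail.corp-example.org"}

def fake_resolver(name):
    return name.lower().rstrip(".") in FAKE_ZONE

def live_resolver(name):
    """Real lookup through the system resolver; False on any resolution failure."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def is_ip_literal(name):
    """The TDH rule 'name is an IP address and not a domain name'."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False

VOWELS = set("aeiou")

def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def longest_nonvowel_run(label):
    """Longest run of letters/digits with no vowel; hyphens break the run."""
    best = run = 0
    for ch in label:
        if ch.isalnum() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best

def looks_generated(name):
    """Heuristic 'this looks like DGA output' check on the label just below the
    TLD.  Thresholds are this example's own guesses; tune them on real traffic."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < 6:              # too short to judge by shape alone
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    few_vowels = bool(letters) and vowel_ratio < 0.2
    return (few_vowels
            or longest_nonvowel_run(label) >= 6
            or (digit_ratio >= 0.25 and shannon_entropy(label) > 3.0))

def classify(cert, resolver=None):
    """Return the TDH tags that apply to one certificate record."""
    cn = cert["cn"]
    tags = []
    if is_ip_literal(cn):
        tags.append("ip-literal")   # TLS straight to an address, DNS never involved
        return tags
    if looks_generated(cn):
        tags.append("dga-like")
    if resolver is not None and not resolver(cn):
        tags.append("nxdomain")     # the name in the cert does not resolve
    return tags

def triage(certs, resolver=None):
    """Keep only records that trip at least one rule, keyed by fingerprint."""
    out = {}
    for cert in certs:
        tags = classify(cert, resolver)
        if tags:
            out[cert["fingerprint"]] = tags
    return out

if __name__ == "__main__":
    for fp, tags in triage(SAMPLE_CERTS, fake_resolver).items():
        print(fp, tags)
```

Pass `live_resolver` instead of `fake_resolver` to run the NXDOMAIN check against real DNS. The label heuristic only looks at the label directly under the last one, so names under multi-label public suffixes (co.uk and the like) are judged on the wrong label; plug in a public-suffix list before trusting the "dga-like" tag on real data.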