# Demo notes

```graphql
{
  Node(func: eq(nodeType, "matcher")) {
    id
    target
    nodeType
    full
    nodes {
      uid
      full
      meta {
        full_url
      }
    }
  }
}
```

```graphql
{
  Node(func: has(nodes)) {
    uid
    nodeType
    target
    timestamp
    nodes {
      uid
      type
      full
      hostnames
    }
  }
}
```

```graphql
{
  Node(func: eq(nodeType, "certstream")) {
    id
    nodeType
    certNode {
      cn
      sourceName
      fingerprint
      notBefore
      notAfter
    }
  }
}
```

## Notes

* There is TOO MUCH junk data
* Upsert is not optimal
* What do we do with the data so that analysts can actually work with it?
* Should we store matched data in an SQL-like DB?

## TDH

* patterns: TLS stream to an IP address rather than a domain name (so the HTTP hostname won't be interesting) => look into any canonical name resolving to NXDOMAIN (TLS connection made directly to an IP address, no DNS lookup) => the hostname is probably a DGA (there should be a way to identify this visually)
* any canonical name that is an IP address and not a domain name
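The TDH patterns above (TLS straight to an IP literal with no DNS lookup, a name that resolves to NXDOMAIN, and a hostname that looks machine-generated) can be turned into a small triage pass over connection records. The following is an added example, not code from these notes or the project they describe; the record layout (`hostname`, `dns`), the sample records and the entropy/consonant-run thresholds are all assumptions constructed for illustration, and the DGA check is a simple visual-style heuristic, not a trained classifier.

```python
import ipaddress
import math
import re
from collections import Counter

# Constructed sample records (not real traffic): the hostname seen in the TLS SNI /
# HTTP Host, and the DNS outcome observed for it ("NXDOMAIN", an address, or None
# when no lookup was seen at all).
SAMPLE_CONNECTIONS = [
    {"hostname": "www.example.com", "dns": "93.184.216.34"},
    {"hostname": "203.0.113.7", "dns": None},          # TLS directly to an IP literal
    {"hostname": "qxzkvjwpltrbgm.net", "dns": "NXDOMAIN"},
    {"hostname": "mail.example.org", "dns": "198.51.100.5"},
]


def is_ip_literal(name):
    """True when the 'hostname' is actually an IPv4/IPv6 address, i.e. no domain was used."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(label):
    """Length of the longest run of consonants (y and digits excluded); pronounceable words stay short."""
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", label.lower())
    return max((len(r) for r in runs), default=0)


def looks_like_dga(hostname, entropy_threshold=3.5, run_threshold=5):
    """Heuristic stand-in for 'identify visually': judge the longest DNS label of the name.
    Thresholds are assumed values chosen for this example."""
    label = max(hostname.split("."), key=len)
    return (shannon_entropy(label) >= entropy_threshold
            or longest_consonant_run(label) >= run_threshold)


def flag_suspicious(connections):
    """Return [(hostname, [reasons])] for records matching any of the TDH patterns."""
    flagged = []
    for conn in connections:
        host = conn["hostname"]
        reasons = []
        if is_ip_literal(host):
            reasons.append("tls_to_ip_literal")  # no domain name involved at all
        else:
            if conn.get("dns") == "NXDOMAIN":
                reasons.append("nxdomain")       # name never resolved, yet a connection exists
            if looks_like_dga(host):
                reasons.append("dga_like")
        if reasons:
            flagged.append((host, reasons))
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_suspicious(SAMPLE_CONNECTIONS):
        print(f"{host}: {', '.join(reasons)}")
```

The IP-literal test runs first because an address has no labels worth scoring for DGA-ness; the NXDOMAIN and DGA checks are independent so a record can carry both reasons, which is the combination the notes single out as most interesting.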