styx/DEMO.md
Christopher Talib 84e4937f85 Major version update
This new work implements the server and the loader in two different
binaries allowing the code while updating the IOC list.

It also updates the documentation to reflect the new changes.
2020-08-24 17:20:07 +02:00


Demo notes

Query 1: every node of type `matcher`, with the nodes it links to.

```graphql
{
  Node(func: eq(type, "matcher")) {
    id
    target
    type
    full
    nodes {
      uid
      full
    }
  }
}
```

Query 2: every node that has outgoing `nodes` edges, with the targets of those edges.

```graphql
{
  Node(func: has(nodes)) {
    uid
    type
    target
    timestamp
    nodes {
      uid
      type
      full
      hostnames
    }
  }
}
```

Notes

  • There is TOO MUCH junk data
  • Upsert is not optimal
  • What do we do with the data so that analysts can actually work with it?
  • Should we store matched data in an SQL-like db?

TDH

  • patterns: a TLS stream going straight to an IP address rather than to a domain (so the HTTP hostname will not be informative) => look at any canonical name resolving to NXDOMAIN; a TLS connection directly to an IP address with NO preceding DNS => the hostname is likely a DGA (there should be a way to identify these visually)
  • any canonical name that is an IP address and not a domain name
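The two TDH bullets above, turned into a small rule set as an added example. This is not code from styx; it assumes a constructed `Observation` record that joins one TLS stream with the passive DNS seen for its SNI (the field names `DstIP`, `SNI`, `DNSSeen`, `CNAME`, `NXDomain` and the rule names are assumptions for the example). It flags streams to a bare IP with no preceding DNS, hostnames used without any DNS resolution as DGA candidates for visual review, canonical names that resolve to NXDOMAIN, and canonical names that are IP literals instead of domain names.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Observation is a constructed record of one TLS stream joined with whatever
// passive DNS the sensor saw for the name the client presented (SNI).
// Field names are assumptions for this example, not a styx data model.
type Observation struct {
	DstIP    string // destination of the TLS stream
	SNI      string // server name presented by the client; "" if none
	DNSSeen  bool   // a DNS query for SNI preceded the connection
	CNAME    string // canonical name returned for SNI, "" if none
	NXDomain bool   // the CNAME target resolved to NXDOMAIN
}

// Finding is one heuristic hit to hand to analysts.
type Finding struct {
	Rule   string
	Detail string
}

// isIPLiteral reports whether s is an IPv4/IPv6 address rather than a domain name.
func isIPLiteral(s string) bool {
	return net.ParseIP(strings.Trim(s, "[]")) != nil
}

// Evaluate applies the TDH heuristics from the notes to a single observation.
func Evaluate(o Observation) []Finding {
	var out []Finding

	// Stream to a bare IP (no SNI, or an IP-literal SNI) with no DNS before it:
	// the HTTP hostname carries no signal, so the destination IP is the indicator.
	if (o.SNI == "" || isIPLiteral(o.SNI)) && !o.DNSSeen {
		out = append(out, Finding{Rule: "direct-ip-no-dns",
			Detail: fmt.Sprintf("TLS stream to %s with no preceding DNS resolution", o.DstIP)})
	}

	// A real-looking hostname that was never resolved through DNS is a DGA
	// candidate; surface it so an analyst can review it visually.
	if o.SNI != "" && !isIPLiteral(o.SNI) && !o.DNSSeen {
		out = append(out, Finding{Rule: "dga-candidate",
			Detail: fmt.Sprintf("hostname %q used without DNS resolution", o.SNI)})
	}

	// A canonical name that resolves to NXDOMAIN.
	if o.CNAME != "" && o.NXDomain {
		out = append(out, Finding{Rule: "cname-nxdomain",
			Detail: fmt.Sprintf("canonical name %q for %q resolves to NXDOMAIN", o.CNAME, o.SNI)})
	}

	// A canonical name that is an IP address, not a domain name.
	if o.CNAME != "" && isIPLiteral(o.CNAME) {
		out = append(out, Finding{Rule: "cname-is-ip",
			Detail: fmt.Sprintf("canonical name for %q is the IP literal %q", o.SNI, o.CNAME)})
	}
	return out
}

// Rules returns only the names of the rules that fired, in order.
func Rules(o Observation) []string {
	var names []string
	for _, f := range Evaluate(o) {
		names = append(names, f.Rule)
	}
	return names
}

// SampleObservations are constructed records using documentation ranges, not real traffic.
var SampleObservations = []Observation{
	{DstIP: "203.0.113.10", SNI: "", DNSSeen: false},                                                 // bare IP, no DNS
	{DstIP: "203.0.113.11", SNI: "203.0.113.11", DNSSeen: false},                                     // IP-literal SNI
	{DstIP: "203.0.113.12", SNI: "xk7qz2pbd9w.example", DNSSeen: false},                              // never resolved
	{DstIP: "203.0.113.13", SNI: "cdn.example.net", DNSSeen: true, CNAME: "198.51.100.7"},            // CNAME is an IP
	{DstIP: "203.0.113.14", SNI: "www.example.org", DNSSeen: true, CNAME: "gone.example.org", NXDomain: true},
	{DstIP: "203.0.113.15", SNI: "www.example.com", DNSSeen: true, CNAME: "edge.example.com"},        // benign
}

func main() {
	for _, o := range SampleObservations {
		for _, f := range Evaluate(o) {
			fmt.Printf("%-18s %s\n", f.Rule, f.Detail)
		}
	}
}
```

Each rule is kept independent so a single stream can carry several findings, which is what an analyst wants when deciding whether the matched data is worth storing in a separate, queryable store as the notes above ask.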