84e4937f85
This new work implements the server and the loader in two different binaries, allowing the code while updating the IOC list. It also updates the documentation to reflect the new changes.
48 lines · 824 B · Markdown
# Demo notes

```graphql
{
  Node(func: eq(type, "matcher")) {
    id
    target
    type
    full
    nodes {
      uid
      full
    }
  }
}
```

```graphql
{
  Node(func: has(nodes)) {
    uid
    type
    target
    timestamp
    nodes {
      uid
      type
      full
      hostnames
    }
  }
}
```

## Notes

* There is TOO MUCH junk data
* Upsert is not optimal
* What do we do with the data so it can be exploitable by analysts?
* Should we store matched data in an SQL-like db?

## TDH

* patterns: stream to an IP address and not a domain (so the HTTP hostname won't be interesting) => look into any canonical name resolving to NXDOMAIN (TLS connection directly to an IP address, NO DNS) => hostname is a DGA (there should be a way to identify this visually)
* any canonical name that is an IP address and not a domain name
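The two TDH patterns above, turned into a small triage pass over constructed observations. This is an added example, not part of the notes or the project's code; the `Observation` fields, the sample records and the tag names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed records standing in for the "nodes" the queries above return
# (hostname, canonical name, DNS outcome); not real data.
@dataclass(frozen=True)
class Observation:
    hostname: str    # name the client presented (TLS SNI / HTTP Host)
    cname: str       # canonical name seen for it ("" if none)
    dns_status: str  # "NOERROR" or "NXDOMAIN"

SAMPLE = [
    Observation("update.example-cdn.net", "edge.example-cdn.net", "NOERROR"),
    Observation("203.0.113.7", "", "NOERROR"),                 # TLS straight to an IP
    Observation("cdn.example.org", "198.51.100.9", "NOERROR"),  # canonical name is an IP literal
    Observation("xk3q9zv0plm.example", "", "NXDOMAIN"),        # never resolved: DGA candidate
]

def is_ip_literal(name: str) -> bool:
    """True when the name is an IPv4/IPv6 literal rather than a domain name."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False

def classify(obs: Observation) -> list[str]:
    """Apply the TDH patterns from the notes; an empty list means unremarkable."""
    tags = []
    if is_ip_literal(obs.hostname):
        # Stream went to an IP, so no DNS happened and the HTTP hostname carries nothing useful.
        tags.append("direct-ip")
    if obs.cname and is_ip_literal(obs.cname):
        tags.append("cname-is-ip")
    if obs.dns_status == "NXDOMAIN" and not is_ip_literal(obs.hostname):
        # A name that never resolved yet showed up in traffic: surface it for DGA review.
        tags.append("nxdomain-dga-candidate")
    return tags

def triage(observations=SAMPLE) -> dict[str, list[str]]:
    """Return only the hostnames that tripped a pattern, with their tags."""
    return {o.hostname: classify(o) for o in observations if classify(o)}

if __name__ == "__main__":
    for host, tags in triage().items():
        print(f"{host:28} {', '.join(tags)}")
```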