KasperskyLab/TinyCheck

CERT-FR's IOC

18info opened this issue · 4 comments

Hi again!

I tried to add IOCs from cert-fr without success. I tried:

  • c/p raw json
  • import json file

In all cases, I get
✗ 303 IOCs not imported, see details below.
with
[…]
"galaxy":,                             | Wrong IOC format
"shadowattribute":,                    | Wrong IOC format
"tag":,                                | Wrong IOC format
"category":"network activity",         | Wrong IOC format
"comment":"adresses ip reli\u00e9es",  | Wrong IOC format
"deleted":false,                       | Wrong IOC format
"disable_correlation":false,           | Wrong IOC format
[…]

I suppose it's parsing related. Can I do something to get it to work?
(for example a script to preprocess the file before importing it in TC)

Which IOC format is used by TC?

'good'day!

Hello,

Sorry for the late reply, I haven't had internet for a few weeks. Yeah, it is possible that they are MISP-or-whatever formatted. You can try with jq to get the IOCs, here is a command line example:

curl -s https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-IOC-003-IOC.json 2>&1 | jq -r '.Event.Attribute[].value'

And then, copy paste the result in the backend.

Félix.

Hello,
No problem about the delay, thanks for the reply.
I ran a loop to download all of them (see AD) and cleaned it out since I found dates, e-mail addresses or URLs
cert-fr_iocs.txt
I tried it by copy/paste, TC seems to stop randomly before the end.
Is there a limit to import or something like this?

Thanks again,
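
A preprocessing step of the kind asked about in this thread, as an added example that is not code from the TinyCheck project or from either poster: it reads a MISP-style event export (the `.Event.Attribute[]` layout the jq command above relies on), keeps only IP and domain attributes, and drops dates, e-mail addresses and URLs by attribute type. The attribute `type` names and the nested `Object` list are assumptions based on the MISP export format, and the sample event is constructed.

```python
import ipaddress
import json
import re

# MISP attribute types kept as network indicators (assumption: adjust as needed).
NETWORK_TYPES = {"ip-src", "ip-dst", "domain", "hostname"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}$")

def iter_attributes(event):
    """Yield top-level attributes and those nested inside MISP objects."""
    yield from event.get("Attribute", [])
    for obj in event.get("Object", []):
        yield from obj.get("Attribute", [])

def normalise(value):
    """Return a cleaned IP or domain, or None if the value is neither."""
    value = value.strip().lower()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value if DOMAIN_RE.match(value) else None

def extract_network_iocs(misp_json):
    """Return de-duplicated IPs/domains from one event export, in file order."""
    event = json.loads(misp_json).get("Event", {})
    seen, out = set(), []
    for attr in iter_attributes(event):
        if attr.get("deleted") or attr.get("type") not in NETWORK_TYPES:
            continue  # skips url, email-src, datetime, comments, deleted rows
        ioc = normalise(str(attr.get("value", "")))
        if ioc and ioc not in seen:
            seen.add(ioc)
            out.append(ioc)
    return out

# Constructed sample event (documentation addresses), not CERT-FR data.
SAMPLE = json.dumps({"Event": {"Attribute": [
    {"type": "ip-dst", "value": "203.0.113.7", "deleted": False},
    {"type": "domain", "value": " Update.Example.NET", "deleted": False},
    {"type": "url", "value": "http://example.org/a", "deleted": False},
    {"type": "email-src", "value": "a@example.org", "deleted": False},
    {"type": "datetime", "value": "2021-07-19", "deleted": False},
    {"type": "ip-dst", "value": "203.0.113.7", "deleted": False},
    {"type": "ip-dst", "value": "2021-07-19", "deleted": False},
    {"type": "domain", "value": "old.example.com", "deleted": True},
], "Object": [{"Attribute": [{"type": "hostname", "value": "c2.example.org"}]}]}})

if __name__ == "__main__":
    print("\n".join(extract_network_iocs(SAMPLE)))  # one IOC per line
```
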

Yeah,

I've seen that the other day by adding the Pegasus-like domains.
I'll see how to work on that, maybe import them in bulk in the next update and not one by one...

Félix.

Many thanks, Félix! :)