Yelp/osxcollector

Ignore adblock_custom field value when discovering domains in find_domains filter

ivanlei opened this issue · 1 comment

Currently find_domains filter tries to extract domain names from any value.

adblock_custom contains a lot of domains (not to mention that they are stored in just one big string) that are on AdBlock's blacklist. It does not make sense to extract any domain names from this field, as it could contain a lot of malware websites that the user actually did not visit.

This field is in osxcollector_section chrome and osxcollector_subsection local_storage; its osxcollector_table_name is ItemTable.

I have tried to analyze specificMalware and grepped for {{installmac}}.
It was found in that item, and when I looked at how many domains were extracted from this single value (which apparently is the whole local storage of the Chrome web browser), the number was big:

$ cat foo.json | grep installmac | jq '.osxcollector_domains' | wc -l
     990
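As an added example (not osxcollector's own code), a simplified find_domains-style pass over constructed osxcollector JSON records that skips the adblock_custom value while still picking up domains from other fields. The domain regex and the IGNORED_KEYS set are assumptions made for this example, and the two records are constructed, not real collector output.

```python
import json
import re

# Hypothetical, simplified stand-in for the filter's domain matching; the real
# find_domains filter's matching logic is not reproduced here.
DOMAIN_RE = re.compile(r'(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b')

# Keys whose values are blocklists rather than evidence of visits (assumed set,
# built from the field named in the issue).
IGNORED_KEYS = {'adblock_custom'}

def extract_domains(value):
    """Return the set of domain-like tokens found in a string value."""
    if not isinstance(value, str):
        return set()
    return {m.lower() for m in DOMAIN_RE.findall(value)}

def find_domains(record):
    """Attach osxcollector_domains to one record, skipping osxcollector_*
    metadata keys and values stored under ignored keys such as adblock_custom."""
    domains = set()
    for key, value in record.items():
        if key.startswith('osxcollector_') or key in IGNORED_KEYS:
            continue
        domains |= extract_domains(value)
    record['osxcollector_domains'] = sorted(domains)
    return record

# Constructed sample records in the shape the issue describes (not real data).
SAMPLE_LINES = [
    json.dumps({
        'osxcollector_section': 'chrome',
        'osxcollector_subsection': 'local_storage',
        'osxcollector_table_name': 'ItemTable',
        'adblock_custom': '||ads.example.net^ ||tracker.example.org^ ||evil.example.com^',
    }),
    json.dumps({
        'osxcollector_section': 'chrome',
        'osxcollector_subsection': 'history',
        'url': 'https://www.example.com/login',
    }),
]

def run(lines):
    """Apply the filter to each JSON line and return the enriched records."""
    return [find_domains(json.loads(line)) for line in lines]

if __name__ == '__main__':
    for rec in run(SAMPLE_LINES):
        print(rec['osxcollector_subsection'], rec['osxcollector_domains'])
```

The blocklist record yields no osxcollector_domains, while the history record still yields the visited host.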