Ability to choose which IOCs to scan for.
greyl0cke opened this issue · 1 comment
💡 Summary
Add the ability to choose which IOCs to scan for.
Motivation and context
I started using this tool to look for IOCs related to the recent Exchange server vulnerabilities. The SolarWinds IOCs, albeit helpful to have, are of no use to me in those environments. It would be nice to select only the IOCs that pertain to the environment which you are scanning.
It would be helpful not only from a convenience factor, but also I would imagine it would speed up the scanning speed somewhat, depending on how many IOCs there are to look for obviously.
Implementation notes
I think this could be implemented via a command-line switch. For example, if you only wanted to look for SolarFire IOCs:
chirp.exe -i cisa_solarfire
Another option might be if you wanted to run all the cisa IOCs (cisa_raindrop, cisa_solarfire, cisa_sunshuttle, etc.):
chirp.exe -i cisa
Acceptance criteria
How do we know when this work is done?
- Specific IOCs can be scanned for by specifying the indicator filename or group by way of a command-line switch (-i for example)
- Changes follow cisagov coding conventions
- Tests have been written to ensure future compliance
I've been thinking about this recently too. Since we would like to release more IoCs in the future related to various threat activity, our best method may be to reorganize our indicators folder some to look like this:
indicators/
| -- AA21XXXX/
| -- -- indicator1.yaml
| -- -- indicator2.yaml
| -- AA21XXXX/
| ....
then invoking what activity you want to search for with a switch, like -a AA2177A.
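As an added example (not CHIRP's own code, and not from either participant in this thread), here is a small Python sketch of how the two proposals above could be wired together: the -i switch from the issue selects an indicator file by name or by group, and the -a switch from the reply selects an advisory directory. The file listing, the advisory IDs and the rule that a "group" is the text before the first underscore are constructed assumptions for illustration; the real indicators folder and its naming may differ.

```python
"""Select which indicator files to load before a scan (illustrative example).

Assumptions (not taken from the project):
  * indicator files are YAML and live under an indicators/ tree;
  * a file "stem" is its name without extension (cisa_solarfire);
  * a "group" is the stem's prefix before the first underscore (cisa);
  * an "activity" is an advisory-named sub-directory (AA21-0000A).
"""
import argparse
from pathlib import PurePosixPath

# Constructed sample listing; advisory IDs are placeholders, not real advisories.
SAMPLE_FILES = [
    "indicators/cisa_solarfire.yaml",
    "indicators/cisa_raindrop.yaml",
    "indicators/cisa_sunshuttle.yaml",
    "indicators/AA21-0000A/exchange_webshell_paths.yaml",
    "indicators/AA21-0000A/exchange_registry_keys.yaml",
    "indicators/AA21-0001A/teardrop_loader.yaml",
    "indicators/README.md",  # non-indicator file, must be ignored
]


def select_indicators(paths, indicator=None, activity=None):
    """Return the indicator files matching the requested filters.

    indicator: exact stem ("cisa_solarfire") or group prefix ("cisa").
    activity:  advisory directory name ("AA21-0000A").
    Both filters may be combined; with no filter every file is selected,
    which is the scan-everything behaviour the issue wants to narrow.
    The user's text is only ever compared against a fixed listing, never
    used to build a path, so a crafted selector cannot escape indicators/.
    """
    selected = []
    for raw in paths:
        path = PurePosixPath(raw)
        if path.suffix not in (".yaml", ".yml"):
            continue  # skip README, scripts and similar
        stem = path.stem
        group = stem.split("_", 1)[0]
        if indicator is not None and indicator not in (stem, group):
            continue
        if activity is not None and activity not in path.parent.parts:
            continue
        selected.append(raw)
    return selected


def build_parser():
    """Hypothetical CLI surface: -i for file/group, -a for advisory."""
    parser = argparse.ArgumentParser(prog="chirp")
    parser.add_argument("-i", "--indicator",
                        help="indicator file name or group, e.g. cisa_solarfire or cisa")
    parser.add_argument("-a", "--activity",
                        help="advisory directory to scan for, e.g. AA21-0000A")
    return parser


def main(argv=None):
    args = build_parser().parse_args(argv)
    chosen = select_indicators(SAMPLE_FILES, args.indicator, args.activity)
    if not chosen:
        # A mistyped selector must fail loudly rather than silently scan nothing.
        raise SystemExit(
            f"no indicator files match -i {args.indicator!r} -a {args.activity!r}")
    for name in chosen:
        print(name)
    return chosen


if __name__ == "__main__":
    main()
```

Run as `python select.py -i cisa` to get the three cisa_* files, `-a AA21-0000A` to get one advisory's files, or both switches together to intersect them. Failing with a non-zero exit when nothing matches matters for a scanner: a typo in the selector should not produce a clean-looking report that actually checked no indicators.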