exclude private IP space Intel::ADDR items when populating Zeek intel #528

mmguero · 2024-07-30T14:25:19Z

Sometimes MISP or STIX/TAXII intel feeds end up with something silly in them like "0.0.0.0/0" or "10.0.0.0/8" as an indicator, which causes basically a whole bunch of false positives.

I can't think of a good reason to ever create a threat intel indicator of an IP address that's in private space, so we're going to exclude those.

see mmguero-dev/Malcolm@46f0fdb

The text was updated successfully, but these errors were encountered:

mmguero added bug Something isn't working zeek Relating to Malcolm's use of Zeek labels Jul 30, 2024

mmguero added this to the v24.07.0 milestone Jul 30, 2024

mmguero self-assigned this Jul 30, 2024

mmguero added this to Malcolm Jul 30, 2024

mmguero moved this to Done in Malcolm Jul 30, 2024

mmguero closed this as completed Jul 30, 2024

mmguero removed the bug Something isn't working label Jul 30, 2024

This was referenced Jul 30, 2024

Malcolm v24.07.0 #526

Merged

Malcolm v24.07.0 cisagov/Malcolm#323

Merged

mmguero moved this from Done to Released in Malcolm Jul 30, 2024

mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Dec 12, 2024

idaholab#528, add simple readiness indicator to upload page

c58ff2c

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

exclude private IP space Intel::ADDR items when populating Zeek intel #528

exclude private IP space Intel::ADDR items when populating Zeek intel #528

mmguero commented Jul 30, 2024

exclude private IP space Intel::ADDR items when populating Zeek intel #528

exclude private IP space Intel::ADDR items when populating Zeek intel #528

Comments

mmguero commented Jul 30, 2024