On Tue, Aug 30, 2016 at 3:03 AM, Jochen Schalanda <[email protected]> wrote:
> there's currently no official integration of TAXII with Graylog. I guess
> you would need to write a custom plugin for integrating TAXII or other IoC
> feeds and check against them.

I've just been thinking about this myself. It should be handled in a similar way to the GeoIP processor IMHO. Let's call it the "Reputation" processor. It could load an external 'database' of 'name,field,value' and when the INPUT data stream contains 'field: value' then trigger a new 'reputation:name' record.

eg

TALOS, src_ip, 1.2.3.4
SPAMHAUS, email_ip, 3.2.1.2

Then your firewall logs involving src_ip == 1.2.3.4 would get a "reputation:TALOS" record and your email logs (email_ip == 3.2.1.2) would get a "reputation:SPAMHAUS" record.

This would be a more generalised solution - could be abused in all sorts of ways :-)

Hmm, I thought I added this to the Ideas site a few days ago - can't find it now?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
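A sketch of the 'name,field,value' lookup described in the post above, written as an added example in Python rather than as a Graylog plugin; it is not code from the thread or from Graylog. The feed rows, the function names and the choice to set each 'reputation:<name>' field to True are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample feed in the 'name,field,value' shape proposed in the post.
# A third row shows two feeds flagging the same (field, value) pair.
REPUTATION_CSV = """name,field,value
TALOS,src_ip,1.2.3.4
SPAMHAUS,email_ip,3.2.1.2
TALOS,email_ip,3.2.1.2
"""


def load_reputation_db(text):
    """Index the feed as (field, value) -> sorted list of feed names.

    Values are kept as stripped strings so that a message field holding
    an int or a str compares the same way at lookup time.
    """
    index = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["field"].strip(), row["value"].strip())
        index[key].add(row["name"].strip())
    return {key: sorted(names) for key, names in index.items()}


def matched_feeds(message, db):
    """Return the feed names whose (field, value) pair appears in the message.

    Only fields present in the message are looked up, so the cost per
    message is proportional to the message size, not the feed size.
    """
    hits = set()
    for field, value in message.items():
        hits.update(db.get((field, str(value)), ()))
    return sorted(hits)


def enrich(message, db):
    """Return a copy of the message with a 'reputation:<name>' field
    (set to True, an assumed representation) for every matching feed."""
    out = dict(message)
    for name in matched_feeds(message, db):
        out["reputation:" + name] = True
    return out
```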
