• clean up pyinstaller code, create binaries
• edit makefile to create debian packages based on binaries (somewhat done)
• create debian ppa
• create script to publish packages to ppa on release

https://packagecloud.io/

https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/example/alienvault.yml

in cifv2 we cache a feed appended with the feed name in the feed config. This causes us to download the same feed multiple times if we were to do something like this:

dga-feed-cryptolocker:
  remote: http://osint.bambenekconsulting.com/feeds/dga-feed.txt
  pattern: ^([^,]+)\,Domain used by (Cryptolocker[^,]+)\,([^,]+)\,([^\r\n]+)
dga-feed-p2p-gameover-zeus:
  remote: http://osint.bambenekconsulting.com/feeds/dga-feed.txt
  pattern: ^([^,]+)\,Domain used by (P2P Gameover Zeus[^,]+)\,([^,]+)\,([^\r\n]+)

This results in dga-feed.txt downloaded multiple times:

ls -lh /var/smrt/cache/osint.bambenekconsulting.com-dga*
-rw-rw-r-- 1 cif cif 83M Sep 20 20:15 /var/smrt/cache/osint.bambenekconsulting.com-dga-feed-cryptolocker
-rw-rw-r-- 1 cif cif 83M Sep 20 20:15 /var/smrt/cache/osint.bambenekconsulting.com-dga-feed-p2p-gameover-zeus

In v3 let's attempt to only download dga-feed.txt one time, cache it and then parsed the single cached feed.

1. Add the ability to limit the largest cidr found in a feed (e.g. /24, /16, /8)
2. Make this configurable so people can change the default

• bring over old wiki topics from https://github.com/csirtgadgets/massive-octo-spice/wiki/The-CIF-Book
• update with new information

How hard would it be to be able manipulate parsed feed data before mapping it to a cif parameter. Here's an example:

cybercrime rss feed:

<item>
<title>datatransfer.0xhost.net/25asejd14c2f5r7d4e5f63g2v5d41s/adsf544s2d5f778rg45j6hv32bn41h5j4f/solar/index.php?login</title>
<link>http://cybercrime-tracker.net/index.php</link>
<pubDate>22-07-2015</pubDate>
<description>Solar</description>
</item>

The date format is not one DateTime::Format::DateParse; likes.

It would be neat to be able to do something like this on parsed data:

pubDate:
  pattern: '(\S+)'
  subparse: (\d{1,2})-(\d{1,2})-(\d{4})
  new: $3-$2-$1
  values: lasttime

create advanced testing that spins up threads, etc

• can't do more than 1 thread at a time..
• mocker?
• test functions first...
• remove complex tests, push to complex folder?

https://github.com/zeromq/pyre/blob/master/tests/test_pyre.py
https://github.com/zeromq/pyre/blob/master/tests/test_zactor.py
https://github.com/zeromq/pyzmq/tree/master/zmq/tests

https://docs.python.org/2/library/csv.html#csv.Sniffer

see if this might reduce some of our code.

• Failure because pip not present
• Failure pip install -r requirements.txt not run with sudo, Python.h unavailable

Solution:
sudo apt-get install python-pip python-dev
sudo pip install -r requirements.txt

https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/example/bambenekconsulting_com.yml

add elasticsearch support to cif.store

https://build.opensuse.org/
http://openbuildservice.org/

• add deployment testing to circleci / travis

• httpd
• router
• storage

etc...

• ping
• ping?write=true
• default ping should check for /help ?

Look at using rrdtool + holt winters forecasting to monitor feed changes.

Create the ability for the cif client to pull a feed from one CIF server and push that data into another CIF server (localhost). Example command:

cif -C org_a_cif.yml --feed fqdn --tags botnet -f cif_api --recipient-config localhost_cif.yml

http://flask-limiter.readthedocs.io/en/stable/

• internal tables
• by provider
• by country / asn / etc
• provide msg type, interface, etc
• cif-store should provide this and keep track of.

• build aws deployment scripts
• create live api-testing scripts
  • populate database
  • test ping / query / submission

https://github.com/Mazon/Jorgmundr

https://nylas.com/blog/packaging-deploying-python

• create development role that takes in local code base
• create role that's publishable to ansible galaxy

https://github.com/csirtgadgets/bearded-avenger/wiki/Probability

https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/rules/example/garwarn.yml

• find and merge older data (configurable) using firsttime/lasttime/reporttime into weekly or monthly using count
• should run on router? (router should figure out if something's been merged or not if multiple routers are running and merging data)

create the ability to cif-smrt to easily interact with RESTful APIs (CIF API).

• passing parameters
• keeping state of last ingested data

pull from https://github.com/csirtgadgets/massive-octo-spice/wiki

feeds logic should go from code to the API so you can do things like:

/feeds?itype=ipv4&confidence=35

and it does the timestamp logic for you vs query. get this out of the client code make them easier to maintain.

deployment/centos

http://stackoverflow.com/questions/1057431/loading-all-modules-in-a-folder-in-python/1057534#1057534

make new types of routes a drop-in (storage?)

1. this is probably informational, it's usually adjacent to a primary indicator
   1. could be the MX or NS record of a FQDN name
8. i trust who observed this, it's probably an ip address or fqdn combined with a timestamp
9. i trust who saw this and what they think it was
   1. probably a url or binary hash
   2. could be an ip address when combined with a port, protocol and timestamp
10. i [as a human analyst, non-machine generated] saw this, i know what it is
    1. most likely a url, binary hash
    2. a search

Consider having two "limit" knob's in the SDK:

1. --query-limit - this adjusts the default database query limit specified by the client.
   • max-query-limit is set on the server (e.g. 225k)
   • default-sdk-query-limit is set within the SDK (e.g. 50K)
   • --query-limit allows 0 - 225k effectively
2. --output-limit - this adjusts the output limit specified in the SDN
   • default-output-limit is NULL
   • --output-limit allows 0 through MAX records

ability to do:

--tags botnet --not-tags dns,smtp,facilitator