In this second post, I'll explain how to use OSINT domain and URL indicators for the same purpose.
Like in previous post, I'll show a real scenario where this intel feeds detect malicious activity.
The same way there are multiple sources of OSINT IP indicator, there are also multiple sources of OSINT for URL and Domain indicators, for example:
- etc, etc, etc
Besides Criticalstack, I'll use Bro (network Security Monitor) integrated in Security Onion ( I assume Security Onion is fully working)
Setting up the feeds in CriticalStack
First thing is to create an account in https://intel.criticalstack.com.
Once the account is setup, it is necessary to create a 'Collection'. This basically is a set of feeds we want to use.
Following to this, it is necessary to include the feeds in the collection
Lastly, a sensor is defind, which will consume the feeds. The collection needs to be assigned to the sensor.
When this is done, a KEY will be assigned to the sensor. This will be used by the sensor to access the API.
Installing CriticalStack Client in SecurityOnion
Now it is time to integrate CriticalStack in Security Onion. These are the set of commands to run
Finally, a summary of the installed feeds are showed with the command 'critical-stack-intel list'
Performing analysis with Bro in ELSA
Now, I can search in ELSA. For example, with the "class=BRO_INTEL" I find all the matches based on intel indicators. I can refine the search with additional information.
In this case, I see there 3 matches to a Zeus C&C Domain (hxxp://atmape.ru)
I can also search for any match to any URL indicator. For example, I see some Phising website has been visited
When dealing with URL indicators, the traffic is captured, hence the 'pcap' file can be extracted and analysed in 'capme', integrated in Security Onion.