
[Feature Request] non-domain indicators parser for /maltrail-malware-domains.txt #19161

Open
MikhailKasimov opened this issue Jun 9, 2023 · 7 comments

Comments

@MikhailKasimov
Collaborator

Inspired by: stamparm/aux#8

[i] Target: https://raw.githubusercontent.com/stamparm/aux/master/maltrail-malware-domains.txt
[✓] Status: Retrieval successful
[✓] Parsed 290973 exact domains and 0 ABP-style domains (ignored 13 non-domain entries)

To have a filter/parser for non-domain indicators when collecting domains from maltrail static trails to /maltrail-malware-domains.txt:

maltrail static trails --> [non-domain indicators] --> /maltrail-malware-domains.txt

In case of non-domain indicator != 0, to send emails to MS and MK (e.g. ...| mail -s "non-domain entries found" email@email.email).

This should speed up correction if junk/orphan records are going to get incorporated into /maltrail-malware-domains.txt.

@MikhailKasimov
Collaborator Author

Domain validator (preliminary): ^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,7}$

@MikhailKasimov
Collaborator Author

mail.tsinghua.institute <-- ^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,9}$

@MikhailKasimov
Collaborator Author

MikhailKasimov commented Aug 8, 2023

https://data.iana.org/TLD/tlds-alpha-by-domain.txt <-- ^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z-0-9]{2,24}(?<![0-9-])$

@MikhailKasimov
Collaborator Author

Related reports on invalid domains:

stamparm/aux#8
stamparm/aux#10

@MikhailKasimov
Collaborator Author

@stamparm Any implementations for /maltrail-malware-domains.txt ?

@dspruell

dspruell commented May 3, 2024

@MikhailKasimov @stamparm Hey. 👋 I noticed this issue may be applicable today when attempting to load data from maltrail-malware-domains.txt into a DNS server for content filtering. A number of invalid domains are in the data:

$ fgrep .. maltrail-malware-domains.txt
saldirmorukss222..net
saldirmoruksas282..net
saldirmorukss122..net
saldirmoruks6s22..net
saldirmoruk7ss22..net
nj1337..ddns.net
saldirmoruk4ss22..net
saldirmoruks8s22..net
saldirmorukss2322..net

The double dots would need to be cleaned out or collapsed to a single dot, but figured the validation/parser might be applicable. Let me know if you'd prefer this as a separate issue.
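As an added example (not code from this thread, from maltrail or from stamparm/aux), the final validator regex posted on Aug 8 applied to a constructed feed sample; it rejects the double-dot entries shown above as well as IP addresses and hyphen-edged labels, and the non-zero exit status stands in for the "non-domain entries found" alert proposed in the opening post. The 253-character length check is an extra assumption, not part of the posted regex.

```python
"""Added example: run the thread's final domain validator over feed lines."""
import re
import sys
from typing import Iterable

# Final pattern from the Aug 8 comment (TLD class loosened for IANA xn-- TLDs).
DOMAIN_RE = re.compile(
    r"^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z-0-9]{2,24}(?<![0-9-])$"
)


def is_valid_domain(entry: str) -> bool:
    """True when `entry` matches the validator regex; the 253-char total
    length limit is an added check, not part of the thread's regex."""
    return len(entry) <= 253 and DOMAIN_RE.match(entry) is not None


def split_entries(lines: Iterable[str]) -> tuple[list[str], list[str]]:
    """Split feed lines into (valid, invalid), skipping blanks and comments."""
    valid, invalid = [], []
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        (valid if is_valid_domain(entry) else invalid).append(entry)
    return valid, invalid


# Constructed sample, not the real maltrail-malware-domains.txt; the ".."
# lines mirror the entries reported in the fgrep output above.
SAMPLE_FEED = """\
# constructed sample feed
example-bad.net
mail.tsinghua.institute
nj1337..ddns.net
saldirmorukss222..net
192.0.2.10
-leading.example.com
trailing-.example.com
xn--p1ai.example.xn--p1ai
example.c0m
"""

if __name__ == "__main__":
    good, bad = split_entries(SAMPLE_FEED.splitlines())
    print(f"Parsed {len(good)} exact domains (ignored {len(bad)} non-domain entries)")
    for entry in bad:
        print(f"  non-domain entry: {entry}")
    # Non-zero exit lets a cron wrapper pipe the report to mail, as proposed.
    sys.exit(1 if bad else 0)
```

Note that `example.c0m` passes: the final regex deliberately admits digits inside a TLD (for punycode TLDs), so the IANA list check suggested in the thread is still needed to catch invented TLDs.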

@MikhailKasimov
Collaborator Author

> @MikhailKasimov @stamparm Hey. 👋 I noticed this issue may be applicable today when attempting to load data from maltrail-malware-domains.txt into a DNS server for content filtering. A number of invalid domains are in the data:
>
> $ fgrep .. maltrail-malware-domains.txt
> saldirmorukss222..net
> saldirmoruksas282..net
> saldirmorukss122..net
> saldirmoruks6s22..net
> saldirmoruk7ss22..net
> nj1337..ddns.net
> saldirmoruk4ss22..net
> saldirmoruks8s22..net
> saldirmorukss2322..net
>
> The double dots would need to be cleaned out or collapsed to a single dot, but figured the validation/parser might be applicable. Let me know if you'd prefer this as a separate issue.

Fixed:

feeb969
d48bf83

Many thanks for pointing this problem out!

> Let me know if you'd prefer this as a separate issue.

Let it be in the current one.
