On Tue, Aug 30, 2016 at 3:03 AM, Jochen Schalanda <joc...@graylog.com> wrote:
> there's currently no official integration of TAXII with Graylog. I guess > you would need to write a custom plugin for integrating TAXII or other IoC > feeds and check against them. > I've just been thinking about this myself. It should be handled in a similar way to the GeoIP processor IMHO. Let's call it the "Reputation" processor. it could load an external 'database' of 'name,field,value' and when the INPUT data stream contains 'field: value' then trigger a new 'reputation:name' record. eg TALOS, src_ip, 1.2.3.4 SPAMHAUS, email_ip, 3.2.1.2 Then your firewall logs involving src_ip == 1.2.3.4 would get a "reputation:TALO" record and your email logs (email_ip == 3.2.1.2) would get a "reputation:SPAMHAUS" record This would be a more generalised solution - could be abused in all sorts of ways :-) Hmm, I thought I added this to the Ideas site a few days ago - can't find it now? -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/CAFChrgK0n3A%2BWvFyvb1dCE60Eh0UyhVB-UNvHd9-Dnp-1mt8sQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
