Advanced information categories

Advanced information categories are those accessible only to Enterprise Plan users. These users also have access to the standard information categories.

The following categories are defined as advanced:

  • ctl
  • onionscan
  • sniffer

Note: having access to a category does not necessarily mean that you have access to every field (or filter) of an entry. There is also the concept of standard filters and advanced filters.

Advanced information categories description

Each collected record is enriched with a timestamp and, where applicable, geolocation information.

ctl category

We collect X.509 certificate information from Certificate Transparency Logs (CTLs). As with some other information categories, we perform DNS requests (IPv4 and IPv6) to enrich the collected data with DNS-related information, which also feeds our passive DNS (the resolver information category).

{
  "count": 1,
  "error": 0,
  "max_page": 1,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "ctl",
      "@timestamp": "2018-11-01T12:26:52.000Z",
      "@type": "doc",
      "basicconstraints": [
        "critical"
      ],
      "ca": "false",
      "domain": "okcpride.org",
      "extkeyusage": [
        "serverAuth",
        "clientAuth"
      ],
      "fingerprint": {
        "md5": "52f97eff2804873fb4fd5ae479697f17",
        "sha1": "78a27b289c7f5b03a4ab4627fe48cdc940d9658f",
        "sha256": "9a6881c653b2a23891cdb64e3b933a624a0d7637f9a4b3ac57064baf79ec7dae"
      },
      "host": "www",
      "hostname": [
        "www.okcpride.org"
      ],
      "ip": "184.168.131.241",
      "issuer": {
        "commonname": "Go Daddy Secure Certificate Authority - G2",
        "country": "US",
        "organization": "GoDaddy.com, Inc."
      },
      "keyusage": [
        "critical",
        "digitalSignature",
        "keyEncipherment"
      ],
      "publickey": {
        "algorithm": "rsaEncryption",
        "exponent": "65537",
        "length": "2048"
      },
      "seen_date": "2018-11-01",
      "serial": "c3:27:2f:1c:3f:ca:39:f5",
      "signature": {
        "algorithm": "sha256WithRSAEncryption"
      },
      "source": "Cloudflare Nimbus 2021",
      "subject": {
        "altname": [
          "www.okcpride.org",
          "okcpride.org"
        ],
        "commonname": "okcpride.org"
      },
      "tld": "org",
      "validity": {
        "notafter": "2021-01-08T20:53:00.000Z",
        "notbefore": "2018-01-08T20:53:00.000Z"
      },
      "version": "v3",
      "wildcard": "false"
    }
  ],
  "status": "ok",
  "took": "0.003",
  "total": 1
}
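As an added example, not code from the original page or from the provider, here is how a practitioner might audit a ctl record like the one above once it has been fetched: validity against a chosen date, certificate lifetime, key size, signature hash, and whether the resolved hostname and the subject CN are actually covered by the SAN list (with single-label wildcard matching). The record dictionary is constructed from the fields shown above; the finding names and the 398-day threshold are this example's own choices.

```python
from datetime import datetime, timezone

# Constructed from the ctl record shown above: only the fields the checks
# below read are reproduced, with the values the page prints.
CTL_RECORD = {
    "ca": "false",
    "hostname": ["www.okcpride.org"],
    "publickey": {"algorithm": "rsaEncryption", "exponent": "65537", "length": "2048"},
    "signature": {"algorithm": "sha256WithRSAEncryption"},
    "subject": {"altname": ["www.okcpride.org", "okcpride.org"], "commonname": "okcpride.org"},
    "validity": {"notafter": "2021-01-08T20:53:00.000Z", "notbefore": "2018-01-08T20:53:00.000Z"},
    "wildcard": "false",
}

# Current CA/Browser Forum cap on TLS certificate lifetime (certificates issued
# from 2020-09-01 on); older certificates, like the one above, may exceed it.
MAX_LIFETIME_DAYS = 398


def parse_ts(value):
    """Parse the API's timestamp format ('2021-01-08T20:53:00.000Z') as aware UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def cert_lifetime_days(record):
    v = record["validity"]
    return (parse_ts(v["notafter"]) - parse_ts(v["notbefore"])).days


def san_matches(hostname, altname):
    """Hostname-to-SAN comparison in the RFC 6125 style: exact match, or a
    wildcard that replaces exactly one (non-empty) leftmost label."""
    hostname = hostname.lower().rstrip(".")
    altname = altname.lower().rstrip(".")
    if altname.startswith("*."):
        suffix = altname[1:]                    # ".okcpride.org"
        if not hostname.endswith(suffix):
            return False
        prefix = hostname[: -len(suffix)]       # the label the '*' stands for
        return prefix != "" and "." not in prefix
    return hostname == altname


def audit_ctl_record(record, now):
    """Return findings for one ctl record evaluated at `now` (a timestamp in
    the API's own format). An empty list means nothing worth flagging."""
    findings = []
    now_ts = parse_ts(now)
    not_before = parse_ts(record["validity"]["notbefore"])
    not_after = parse_ts(record["validity"]["notafter"])
    if now_ts < not_before:
        findings.append("not-yet-valid")
    elif now_ts > not_after:
        findings.append("expired")
    if cert_lifetime_days(record) > MAX_LIFETIME_DAYS:
        findings.append("lifetime-over-398-days")
    pk = record["publickey"]
    if pk["algorithm"] == "rsaEncryption" and int(pk["length"]) < 2048:
        findings.append("weak-rsa-key")
    sig = record["signature"]["algorithm"].lower()
    if "sha1" in sig or "md5" in sig:
        findings.append("weak-signature-hash")
    subject = record["subject"]
    altnames = subject.get("altname", [])
    cn = subject.get("commonname")
    if cn and not any(san_matches(cn, a) for a in altnames):
        findings.append("cn-not-in-san")
    for host in record.get("hostname", []):
        if not any(san_matches(host, a) for a in altnames):
            findings.append("hostname-not-in-san:" + host)
    if record.get("ca") == "true":
        findings.append("ca-certificate")
    return findings


if __name__ == "__main__":
    print(audit_ctl_record(CTL_RECORD, "2019-06-01T00:00:00.000Z"))
    print(audit_ctl_record(CTL_RECORD, "2022-01-01T00:00:00.000Z"))
```

Evaluated at a date inside its validity window, the record above only trips the lifetime check (three years, 1096 days); evaluated after notafter it is also reported as expired. Note that `seen_date` tells you when the log entry was collected, not whether the certificate is still in use on the host, so pair these findings with a current datascan or synscan lookup before acting on them.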

onionscan category

As well as crawling the clear Net and the clear Web with the datascan information category, we also crawl the Dark Web (also known as onion land). As of today, we crawl only over the HTTP protocol.

{
  "count": 2,
  "error": 0,
  "max_page": 1,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "onionscan",
      "@timestamp": "2018-10-24T19:03:31.000Z",
      "@type": "doc",
      "app": {
        "extract": {
          "domain": [
            "wikipedia.org",
            "wikibooks.org",
            "haskell.org",
            "ats-lang.org"
          ],
          "file": [
            "grdt-popl03.pdf"
          ],
          "hostname": [
            "en.wikibooks.org",
            "en.wikipedia.org",
            "wiki.haskell.org",
            "www.ats-lang.org"
          ],
          "url": [
            "http://www.ats-lang.org/MYDATA/GRDT-popl03.pdf",
            "http://www.ats-lang.org/",
            "https://en.wikibooks.org/wiki/Haskell/GADT",
            "https://wiki.haskell.org/GADTs_for_dummies",
            "https://en.wikipedia.org/wiki/Generalized_algebraic_data_type"
          ]
        },
        "http": {
          "bodymd5": "d41d8cd98f00b204e9800998ecf8427e",
          "headermd5": "297ee2062d5eab6d7a30bd8656730536",
          "title": "Bluish Coder"
        },
        "length": "4096"
      },
      "cpe": [
        "cpe:/a:igor_sysoev:nginx:1.10.3"
      ],
      "data": "HTTP/1.1 200 OK\r\nContent-Length: 93915\r\nETag: \"5bc71236-16edb\"\r\nDate: Wed, 24 Oct 2018 19:03:31 GMT\r\nLast-Modified: Wed, 17 Oct 2018 10:43:02 GMT\r\nServer: nginx/1.10.3 (Ubuntu)\r\nContent-Type: text/html\r\nAccept-Ranges: bytes\r\nConnection: keep-alive\r\n\r\n\n<!DOCTYPE html>\n<html>\n<head>\n   <meta http-equiv=\"content-type\" content=\"text/html; cha
[..]
      "datamd5": "6f50408650910af16c5f8b229202264e",
      "device": {
        "class": "Web Server"
      },
      "domain": "mh7mkfvezts5j6yu.onion",
      "hostname": "mh7mkfvezts5j6yu.onion",
      "onion": "mh7mkfvezts5j6yu.onion",
      "os": "Linux",
      "osdistribution": "Ubuntu",
      "port": 80,
      "product": "Nginx",
      "productvendor": "Igor Sysoev",
      "productversion": "1.10.3",
      "protocol": "http",
      "protocolversion": "1.1",
      "reason": "OK",
      "seen_date": "2018-10-24",
      "source": "datascan",
      "status": "200",
      "tag": [
        "ok"
      ],
      "tls": "false",
      "url": "/"
    },
[..]
  ],
  "status": "ok",
  "took": "0.004",
  "total": 2
}
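As an added example (not the page's or the provider's code), the following shows where the derived fields of an onionscan record come from: the status, headers and body are split out of a raw response shaped like the data field, the Server header yields the product, version and OS hints, and the body is mined for URLs, hostnames, domains and file names in the shape of app.extract. The HTTP response is constructed (the real body is truncated above), and the last-two-labels domain derivation is a stated simplification.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample: a response in the shape of the record's "data" field,
# whose body links to the URLs listed under app.extract above (the real body
# is truncated on this page, so this one is made up).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.10.3 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "<!DOCTYPE html>\n<html><head><title>Bluish Coder</title></head><body>\n"
    '<a href="http://www.ats-lang.org/MYDATA/GRDT-popl03.pdf">paper</a>\n'
    '<a href="http://www.ats-lang.org/">ATS</a>\n'
    '<a href="https://en.wikibooks.org/wiki/Haskell/GADT">wikibook</a>\n'
    '<a href="https://wiki.haskell.org/GADTs_for_dummies">wiki</a>\n'
    '<a href="https://en.wikipedia.org/wiki/Generalized_algebraic_data_type">wp</a>\n'
    "</body></html>\n"
)

SERVER_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)/(?P<version>[\w.]+)(?:\s*\((?P<os>[^)]*)\))?")


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status code, headers, body).
    Header names are lowercased; duplicate headers keep the last value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _version, status, _reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


def parse_server_header(value):
    """'nginx/1.10.3 (Ubuntu)' -> product, version and the OS hint in parentheses,
    i.e. the raw material for the product/productversion/osdistribution fields."""
    m = SERVER_RE.match(value)
    if not m:
        return None
    return {"product": m["product"].lower(), "version": m["version"], "osdistribution": m["os"]}


def extract_title(body):
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else None


def extract_links(body):
    """Rebuild an app.extract-style view from absolute href= links in the body."""
    urls = re.findall(r'href="(https?://[^"]+)"', body)
    hostnames = sorted({urlsplit(u).hostname for u in urls})
    # Naive registrable-domain guess (last two labels). Use a public-suffix
    # list in real code, or 'example.co.uk' collapses to 'co.uk'.
    domains = sorted({".".join(h.split(".")[-2:]) for h in hostnames})
    basenames = [urlsplit(u).path.rsplit("/", 1)[-1] for u in urls]
    files = sorted({b.lower() for b in basenames if "." in b})
    return {"url": urls, "hostname": hostnames, "domain": domains, "file": files}


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    status, headers, body = parse_http_response(SAMPLE_RESPONSE)
    print(status, parse_server_header(headers["server"]), extract_title(body))
    print(extract_links(body))
    print(md5hex(""))  # the bodymd5 value printed in the record above
```

One caveat when pivoting on hashes: the bodymd5 printed in the record above, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of zero bytes (`md5hex("")` returns it), so for that entry it identifies no content and a search on it would match every entry whose body hashed to nothing; datamd5 and headermd5 are the more useful pivots there.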

sniffer category

We operate a number of distributed honeypots on the Internet. They listen to Internet background noise and perform passive operating system identification (using our own TCP/IP stack fingerprinting technique).

Furthermore, when a malicious pattern is found, we perform a synscan along with a datascan to collect more information about the source IP address. The synscan, datascan, resolver and threatlist information categories are enriched thanks to this information category.

{
  "count": 10,
  "error": 0,
  "max_page": 3,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "sniffer",
      "@timestamp": "2018-11-01T12:20:53.000Z",
      "@type": "doc",
      "asn": "AS20952",
      "city": "London",
      "country": "GB",
      "data": "\\x0e\\xc2\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\x00\\x00!\\x00\\x01",
      "datamd5": "a5cc89fe2f131f33759daf33d1906649",
      "destport": "137",
      "ip": "217.138.28.194",
      "ipv6": "false",
      "location": "51.5085,-0.1257",
      "organization": "Venus Business Communications Limited",
      "seen_date": "2018-11-01",
      "srcport": "137",
      "subnet": "217.138.0.0/16",
      "tag": [
        "netbiosns",
        "udpdata"
      ],
      "transport": "udp",
      "type": "udpdata"
    },
[..]
  ],
  "status": "ok",
  "took": "0.049",
  "total": 30
}
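The sniffer record above is tagged netbiosns. As an added example (not the page's or the provider's code), here is the decoding behind such a tag: the printable data field is turned back into bytes, the RFC 1002 NBNS header and question are parsed, and the first-level-encoded name is decoded, which reveals a node-status (NBSTAT) query for the wildcard name "*", the classic NetBIOS name-table enumeration probe. The record dictionary is constructed from the fields shown above; the tag names produced by classify_sniffer_record are this example's own, not the API's.

```python
import struct

# Constructed from the sniffer record shown above: the "data" field as the API
# prints it (backslash escapes are literal characters in the JSON string; the
# 30 'A's of the encoded name are spelled out in the record).
SNIFFER_RECORD = {
    "ip": "217.138.28.194",
    "transport": "udp",
    "srcport": "137",
    "destport": "137",
    "type": "udpdata",
    "data": "\\x0e\\xc2\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00 CK" + "A" * 30 + "\\x00\\x00!\\x00\\x01",
}

NBNS_QTYPES = {0x20: "NB", 0x21: "NBSTAT"}


def unescape_data(text):
    """Turn the API's printable form ('\\x0e\\xc2...') back into raw bytes."""
    return text.encode("latin-1").decode("unicode_escape").encode("latin-1")


def decode_nbns_name(encoded):
    """Undo RFC 1001 first-level encoding: every byte of the 16-byte NetBIOS
    name is sent as two nibbles, each added to 'A'. Returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 characters")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = hi - 0x41, lo - 0x41
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError("invalid first-level encoding")
        raw.append((h << 4) | l)
    name = bytes(raw[:15]).rstrip(b"\x00 ").decode("latin-1")
    return name, raw[15]           # 16th byte is the NetBIOS suffix (service type)


def parse_nbns(payload):
    """Parse one NetBIOS Name Service packet: RFC 1002 header plus first question."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("too short for an NBNS query")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if payload[12] != 32 or payload[45] != 0:
        raise ValueError("unexpected question name layout")
    name, suffix = decode_nbns_name(payload[13:45])
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {
        "transaction_id": txid,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "qdcount": qd,
        "name": name,
        "suffix": suffix,
        "qtype": qtype,
        "qtype_name": NBNS_QTYPES.get(qtype, "unknown"),
        "qclass": qclass,
    }


def classify_sniffer_record(record):
    """Tag a sniffer entry (our own tag names, not the API's 'tag' field)."""
    tags = [record["type"]]
    payload = unescape_data(record["data"])
    if record["transport"] == "udp" and record["destport"] == "137":
        try:
            q = parse_nbns(payload)
        except ValueError:
            return tags + ["netbios-port-no-parse"]
        tags.append("netbiosns")
        # A node-status request for '*' asks the target to dump its whole
        # NetBIOS name table: the usual enumeration probe.
        if not q["is_response"] and q["qtype"] == 0x21 and q["name"] == "*":
            tags.append("nbstat-wildcard-probe")
    return tags


if __name__ == "__main__":
    print(parse_nbns(unescape_data(SNIFFER_RECORD["data"])))
    print(classify_sniffer_record(SNIFFER_RECORD))
```

The same unescape-then-parse approach applies to the other `udpdata` payloads the sniffer category stores; only the per-protocol parser changes. Keep the parsers strict (length and layout checks that raise rather than guess), since background-noise payloads are attacker-controlled input.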
