This repository has been archived by the owner on Apr 30, 2022. It is now read-only.
Whitelist
wes edited this page May 21, 2019
CIF can whitelist indicators so that they are excluded from a feed during the feed generation process.
Any indicator (IP, domain, URL) that meets both of the following conditions is treated as a whitelist entry during feed generation:
- tag == whitelist
- confidence >= 2
By default CIF is configured with the following whitelists:
When these feeds are processed, the CIF API applies the following logic:
- resolve all domains to their IPs, slightly degrade the confidence value, and whitelist the IPs
- resolve all IPs to their BGP prefix, slightly degrade the confidence value again, and whitelist the prefix (/16, /18, /22, /24, etc.)
For example:
- google.com is given the assessment (tag) 'whitelist' with a confidence value of 4
- google.com resolves to 173.194.46.64-78, which are whitelisted at confidence 2
- 173.194.46.64-78 resolve to 173.194.46.0/24 (BGP prefix lookup)
- 173.194.46.0/24 is whitelisted
When a feed is generated, a whitelist data-set is pre-populated with these values and each feed item is checked against it. A feed item is dropped if it equals a whitelisted domain or is a sub-domain of one, equals a whitelisted IP, or falls inside a whitelisted prefix.
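The expansion and matching steps above, modelled as an added example (this is not CIF's own code, and the names `build_whitelist`, `is_whitelisted` and `filter_feed` are invented here). DNS resolution and BGP prefix lookup are replaced by constructed tables so the script runs offline; the degrade amounts are assumptions, chosen so the google.com walk-through gives the same confidences as the page, and URL entries are reduced to their host:

```python
"""Added example: a model of CIF's whitelist expansion and feed filtering.
Not CIF's own code. Lookups are constructed tables, not live DNS/BGP."""
import ipaddress
from urllib.parse import urlparse

WHITELIST_TAG = "whitelist"
MIN_CONFIDENCE = 2          # from the page: confidence >= 2 to qualify
DOMAIN_TO_IP_DEGRADE = 2    # page example: google.com at 4 -> its IPs at 2
IP_TO_PREFIX_DEGRADE = 1    # assumption: the page only says "slightly degrade"

# Constructed stand-ins for DNS and BGP lookups (not real resolution data).
FAKE_DNS = {
    "google.com": ["173.194.46.64", "173.194.46.78"],
    "example.org": ["203.0.113.10"],
}
FAKE_BGP = {
    "173.194.46.64": "173.194.46.0/24",
    "173.194.46.78": "173.194.46.0/24",
    "203.0.113.10": "203.0.113.0/24",
}


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _host_of(indicator):
    """Host part of a URL; IPs and domains are returned unchanged (assumed handling)."""
    host = urlparse(indicator).hostname if "://" in indicator else indicator
    return (host or "").lower().rstrip(".")


def build_whitelist(indicators, dns=FAKE_DNS, bgp=FAKE_BGP):
    """Expand qualifying indicators into the data-set a feed is checked against.

    Returns {"domains": {...}, "ips": {...}, "prefixes": {...}}, each mapping an
    entry to the confidence it was whitelisted at."""
    wl = {"domains": {}, "ips": {}, "prefixes": {}}
    for ind in indicators:
        if WHITELIST_TAG not in ind["tags"] or ind["confidence"] < MIN_CONFIDENCE:
            continue  # only tag == whitelist AND confidence >= 2 qualify
        host, conf = _host_of(ind["indicator"]), ind["confidence"]
        if _is_ip(host):
            ips = {host: conf}
        else:
            wl["domains"][host] = conf
            # domain -> IPs, confidence slightly degraded
            ips = {ip: conf - DOMAIN_TO_IP_DEGRADE for ip in dns.get(host, [])}
        for ip, ip_conf in ips.items():
            wl["ips"][ip] = ip_conf
            prefix = bgp.get(ip)  # IP -> BGP prefix, degraded again
            if prefix:
                wl["prefixes"][prefix] = ip_conf - IP_TO_PREFIX_DEGRADE
    return wl


def is_whitelisted(feed_indicator, wl):
    """True if a feed item hits the whitelist (sub-domains and prefixes included)."""
    host = _host_of(feed_indicator)
    if _is_ip(host):
        if host in wl["ips"]:
            return True
        addr = ipaddress.ip_address(host)
        return any(addr in ipaddress.ip_network(p) for p in wl["prefixes"])
    # domain: match the name itself or any parent (mail.google.com -> google.com),
    # never the bare TLD
    labels = host.split(".")
    return any(".".join(labels[i:]) in wl["domains"] for i in range(len(labels) - 1))


def filter_feed(feed, wl):
    """Return the feed items that survive the whitelist check."""
    return [item for item in feed if not is_whitelisted(item["indicator"], wl)]


# Constructed sample data.
WHITELIST_INDICATORS = [
    {"indicator": "google.com", "tags": ["whitelist"], "confidence": 4},
    {"indicator": "example.org", "tags": ["whitelist"], "confidence": 1},  # too low
    {"indicator": "198.51.100.5", "tags": ["scanner"], "confidence": 8},   # wrong tag
]
FEED = [
    {"indicator": "mail.google.com"},        # sub-domain match
    {"indicator": "173.194.46.70"},          # not a resolved IP, but inside the /24
    {"indicator": "http://google.com/path"}, # URL whose host is whitelisted
    {"indicator": "198.51.100.5"},           # kept: never whitelisted
    {"indicator": "evil.example.net"},       # kept
]

if __name__ == "__main__":
    for item in filter_feed(FEED, build_whitelist(WHITELIST_INDICATORS)):
        print(item["indicator"])
```

Note that example.org never reaches the data-set because its confidence is below 2, and 198.51.100.5 is kept because its tag is not `whitelist` even though its confidence is high; a real deployment would swap the two constructed tables for the resolver and BGP lookup CIF uses.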