urlquery.net

SysAdMini:
Feature requests:

- referer url as an input parameter
- RSS feed of analyzed urls

Amishrabbit:
Very interesting project. Thanks for bringing it here.

In the report.php page, under the HTTP Transactions header:

- "Requests" column is too narrow and the text doesn't wrap.
- "Respons" column is probably too wide (and you're missing an "E" from "Response")
- Are you saving off a .pcap of the conversation?
- I find the HTTP conversation stuff more useful than the DIG and WHOIS stuff. My personal preference would be to have that appear lower in the page. Others may differ.
- How about querying the reputation scores for domains you run queries against, using tools such as the ones listed here:

http://zeltser.com/combating-malicious-software/lookup-malicious-websites.html

Looks like there's a bit of work to do with busted secure connection attempts, eg. http://urlquery.net/screenshot.php?id=271

I look forward to seeing this progress.

tyriel:

--- Quote from: raphael ---I just need an URL like http://urlquery.net/ip.txt and ip.txt with one IP per line. And the list should be updated regularly (once a day is enough).

--- End quote ---
A list of IPs should now be available from http://urlquery.net/ip.txt; this is updated once a day (24:00 CET).
Do note that several of the IPs listed in the db are not malicious, as good sites have been used for testing.


--- Quote from: Amishrabbit ---
- "Requests" column is too narrow and the text doesn't wrap.
- "Respons" column is probably too wide (and you're missing an "E" from "Response")
- Are you saving off a .pcap of the conversation?
- I find the HTTP conversation stuff more useful than the DIG and WHOIS stuff. My personal preference would be to have that appear lower in the page. Others may differ.

--- End quote ---
I'm not saving any .pcap file from the network traffic. I hook into the requests and responses to the browser and save those. You'll lose the data from the lower levels in the OSI model, but you get what the browser actually receives/handles. Atm I find this sufficient; having this and pcap would be a lot of duplicate data. It might come in the future, but I'm not sure. When downloading the data from HTTP conversations I recommend displaying it in a hex editor like the one from McAfee, FileInsight. (It's free :))

I haven't done much work on the report page yet, so it will change a lot in the future. Atm most of the work has gone into the backend of the system, but I'll take your views into consideration.


--- Quote from: Amishrabbit ---
- How about querying the reputation scores for domains you run queries against, using tools such as the ones listed here:
http://zeltser.com/combating-malicious-software/lookup-malicious-websites.html

--- End quote ---
Good idea, I'll have to look into how to accomplish this.



--- Quote from: Amishrabbit ---Looks like there's a bit of work to do with busted secure connection attempts, eg. http://urlquery.net/screenshot.php?id=271

--- End quote ---
Couldn't find any easy fix for this so I'll put it on my todo list.



--- Quote from: SysAdMini ---
- referer url as an input parameter
- RSS feed of analyzed urls

--- End quote ---

RSS feeds of the latest submitted URLs are now available (and Twitter) :)
I'm currently working on getting advanced settings and referer to work.


Thanks for the input! :)

raphael:

--- Quote from: tyriel on March 19, 2011, 04:04:47 pm ---
--- Quote from: raphael ---I just need an URL like http://urlquery.net/ip.txt and ip.txt with one IP per line. And the list should be updated regularly (once a day is enough).

--- End quote ---
A list of IPs should now be available from http://urlquery.net/ip.txt; this is updated once a day (24:00 CET).
Do note that several of the IPs listed in the db are not malicious, as good sites have been used for testing.

--- End quote ---

Nice, thanks!

The results of the last list in BGP Ranking: http://bgpranking.circl.lu/asns?asn=&source=URLQuery


EDIT: are you sure the list is updated once a day? I had no changes since the 22.03.

tyriel:

--- Quote from: raphael ---EDIT: are you sure the list is updated once a day? I had no changes since the 22.03.

--- End quote ---

yes, just checked it
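As an added example that is not part of the thread or of urlquery.net's own code: tyriel describes ip.txt as one IP per line, refreshed daily, and warns that it contains non-malicious test sites; raphael later asks whether the list actually changes. The script below consumes that format defensively (dropping blanks, comments, junk and duplicates), matches it against proxy log lines so hits can be reviewed rather than auto-blocked, and fingerprints the list so a consumer can tell whether a fresh download differs from the previous one. The blocklist and log contents are constructed inline from RFC 5737 documentation ranges; the `dst=` log field layout is an assumption, not a format the page specifies.

```python
"""Consume a one-IP-per-line blocklist and match it against web proxy logs."""
import hashlib
import ipaddress

# Constructed sample in the ip.txt format described in the thread (one IP per line).
# These are RFC 5737 documentation addresses, not data from urlquery.net.
SAMPLE_BLOCKLIST = """\
# comments and blank lines are tolerated rather than assumed absent
198.51.100.23
203.0.113.7
203.0.113.7
not-an-ip
192.0.2.200
"""

# Constructed proxy log lines; the "dst=<ip>" field layout is an assumption.
SAMPLE_LOG = """\
2011-03-23T10:01:12Z 10.0.0.5 GET http://example.invalid/ 200 dst=198.51.100.23
2011-03-23T10:02:40Z 10.0.0.9 GET http://example.invalid/x 200 dst=192.0.2.50
2011-03-23T10:03:01Z 10.0.0.5 GET http://example.invalid/y 404 dst=203.0.113.7
"""


def parse_blocklist(text):
    """Return a set of validated IP addresses, skipping comments, junk and duplicates."""
    ips = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            # A malformed entry should not abort loading the whole feed.
            continue
    return ips


def find_hits(log_text, blocklist):
    """Return (line_number, ip) for log lines whose dst= address is on the list.

    Hits are leads for review: the thread notes the list also contains benign
    sites used for testing, so a match alone does not justify blocking.
    """
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        for token in line.split():
            if not token.startswith("dst="):
                continue
            try:
                ip = ipaddress.ip_address(token[len("dst="):])
            except ValueError:
                continue
            if ip in blocklist:
                hits.append((number, str(ip)))
    return hits


def list_fingerprint(text):
    """SHA-256 of the normalised list, for detecting whether a daily fetch changed."""
    normalised = "\n".join(sorted(str(ip) for ip in parse_blocklist(text)))
    return hashlib.sha256(normalised.encode()).hexdigest()


if __name__ == "__main__":
    blocklist = parse_blocklist(SAMPLE_BLOCKLIST)
    print(f"{len(blocklist)} valid entries, fingerprint {list_fingerprint(SAMPLE_BLOCKLIST)}")
    for number, ip in find_hits(SAMPLE_LOG, blocklist):
        print(f"review: log line {number} contacted listed address {ip}")
```

Comparing `list_fingerprint` across two days' downloads answers raphael's question mechanically: an unchanged digest means the feed did not change, regardless of what the server's timestamps claim.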
