Feature #14875

open

Snort + VirusTotal could analyse suspicious domains, IPs and URLs to detect malware and other breaches, automatically

Added by Jonathan Lee 7 months ago. Updated 7 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Snort
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

Hello fellow pfSense Redmine members,

I noticed that in Snort we have a "resolve IP address" option; however, time and time again I find myself going to VirusTotal's website to check single IP addresses for invasive activity. Today I noticed that VirusTotal has an API key option. This leads me to ask: is there any way to add an option for an IP address check with something like VirusTotal or another analysis site? I know we can dump the logs into Security Onion or Kibana. Again, it would be really nice if we could check a single IP address on the fly in Snort's GUI dashboard and get a quick check with a reply similar to VirusTotal's one-time IP address check.

https://developers.virustotal.com/docs/api-overview


Files

Screenshot 2023-10-13 at 8.56.11 PM.png (721 KB) - "What if we could have a quick check outside of just resolve" - Jonathan Lee, 10/14/2023 04:01 AM

#1

Updated by Bill Meeks 7 months ago

I see a potential issue here. Careful reading of the API overview at the link provided yields an important piece of information.

  1. The API must not be used in commercial products or services

pfSense Plus is likely considered a commercial product since it is licensed. Even though complimentary home licenses for Plus are available, I still believe the VirusTotal folks would consider it a commercial product. pfSense CE might be able to get by with being classified as non-commercial. But we don't want a split Snort package with different features for different pfSense branches (CE versus Plus).
