Project

General

Profile

Actions

Feature #14875

open

Snort + VirusTotal could analyse suspicious domains, IPs and URLs to detect malware and other breaches, automatically

Added by Jonathan Lee about 1 year ago. Updated about 1 year ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Snort
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

Hello fellow pfSense Redmine members,

I noticed in Snort we have a resolve IP address option however, time and time again I find myself constantly going to Virustotal's website to check on single IP addresses for invasive activity. Today I noticed that VirusTotal has an API key option. Leading to, is there anyway to add in an option for a IP address check with something like VirusTotal or another analysis site? I know we can dump the logs into Security Onion or Kibana. Again, it would be really nice if we could check a single IP address on the fly in Snort's GUI dashboard and get a quick check with a reply similar to VirusTotal's one time IP address check.

https://developers.virustotal.com/docs/api-overview


Files

Screenshot 2023-10-13 at 8.56.11 PM.png (721 KB) Screenshot 2023-10-13 at 8.56.11 PM.png What if we could have a quick check outside of just resolve Jonathan Lee, 10/14/2023 04:01 AM
Actions #1

Updated by Bill Meeks about 1 year ago

I see a potential issue here. Careful reading of the API overview at the link provided yields an important piece of information.

  1. The API must not be used in commercial products or services

pfSense Plus is likely considered a commercial product since it is licensed. Even though complimentary home licenses for Plus are available, I still believe the VirusTotal folks would consider it a commercial product. pfSense CE might could get by with being classified as non-commercial. But we don't want a split Snort package with different features for different pfSense branches (CE versus Plus).

Actions

Also available in: Atom PDF