URLhaus Malware URL Data Adapter
  • 09 Aug 2022


URLhaus is a project from abuse.ch that maintains a database of malicious URLs used for malware distribution. When you create the data adapter, it downloads the selected URLhaus data set and stores it in MongoDB; the Refresh Interval setting determines how often a fresh copy of the data set is fetched.

Note

This is a Graylog Operations Integrations feature and is only available since Graylog version 4.1. A valid Graylog Operations license is required.

Sample Lookup Data

A lookup for the URL http://192.168.100.100:35564/Mozi.m might produce the following output:

{
  "single_value": "malware_download",
  "multi_value": {
    "date_added": "2021-06-22T17:53:07.000+0000",
    "url_status": "online",
    "threat_type": "malware_download",
    "tags": "elf,Mozi",
    "url": "http://192.168.100.100:35564/Mozi.m",
    "urlhaus_link": "https://urlhaus.abuse.ch/url/1234567/"
  },
  "string_list_value": null,
  "has_error": false,
  "ttl": 9223372036854776000
}

Data Adapter Configuration

  • Title
    • A short title for the data adapter.
  • Description
    • A description of the data adapter.
  • Name
    • A unique name to refer to the data adapter.
  • Custom Error TTL
    • Optional custom TTL for caching erroneous results. If no value is specified, the default is 5 seconds.
  • URLhaus Feed Type
    • Determines which URLhaus feed the data adapter uses.
    • Online URLs is the smaller data set and includes only URLs that are currently detected as online.
    • Recently Added URLs is the larger data set and includes all online and offline URLs added in the last 30 days.
  • Refresh Interval
    • Determines how often new data is fetched. The minimum refresh interval is 300 seconds (5 minutes) because that is how often the source data can be updated.
  • Case Insensitive Lookups
    • Allows the data adapter to perform case-insensitive lookups.
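The following is an added example, not Graylog's or abuse.ch's code, that models what the adapter does with a feed: it parses a constructed sample of the feed, narrows it to online entries when the smaller feed type is chosen, builds an index with optional case-insensitive keys, enforces the 300-second refresh minimum, and returns a hit in the same shape as the Sample Lookup Data above. The column order (id, dateadded, url, url_status, last_online, threat, tags, urlhaus_link, reporter) is an assumption modelled on the URLhaus CSV feed header, the `http://example.invalid/...` entry and the id `1234568` are constructed placeholders, and the shape of a miss is assumed because the page only shows a hit.

```python
"""Toy model of the URLhaus data adapter's feed handling (added example)."""
import csv
from datetime import datetime

# Constructed sample feed. The first row reuses the URL from the page's sample
# lookup; the second row is a placeholder entry, not a real indicator.
# Column layout is an assumption modelled on the URLhaus CSV feed header.
SAMPLE_FEED = """\
# URLhaus feed (constructed sample)
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1234567","2021-06-22 17:53:07","http://192.168.100.100:35564/Mozi.m","online","2021-06-22 17:53:07","malware_download","elf,Mozi","https://urlhaus.abuse.ch/url/1234567/","reporter_a"
"1234568","2021-06-20 09:00:00","http://example.invalid/Payload.EXE","offline","2021-06-21 10:00:00","malware_download","exe","https://urlhaus.abuse.ch/url/1234568/","reporter_b"
"""

FEED_COLUMNS = ["id", "dateadded", "url", "url_status", "last_online",
                "threat", "tags", "urlhaus_link", "reporter"]

MIN_REFRESH_INTERVAL_SECONDS = 300  # minimum stated on the page


def validate_refresh_interval(seconds):
    """Reject a refresh interval below the 300 s minimum the adapter enforces."""
    if seconds < MIN_REFRESH_INTERVAL_SECONDS:
        raise ValueError(
            f"refresh interval must be at least {MIN_REFRESH_INTERVAL_SECONDS} seconds")
    return seconds


def parse_feed(text, online_only=False):
    """Parse feed text into a dict keyed by URL, skipping '#' comment lines.

    online_only mirrors the 'Online URLs' feed type: keep only entries whose
    url_status is 'online'. The default mirrors 'Recently Added URLs'.
    """
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    entries = {}
    for row in csv.DictReader(rows, fieldnames=FEED_COLUMNS):
        if online_only and row["url_status"] != "online":
            continue
        entries[row["url"]] = row
    return entries


class UrlhausLookup:
    """In-memory stand-in for the MongoDB-backed lookup the adapter performs."""

    def __init__(self, entries, case_insensitive=False):
        self.case_insensitive = case_insensitive
        self.index = {self._key(url): entry for url, entry in entries.items()}

    def _key(self, url):
        # Case Insensitive Lookups: normalise both stored and queried keys.
        return url.lower() if self.case_insensitive else url

    def lookup(self, url):
        entry = self.index.get(self._key(url))
        if entry is None:
            # Assumed shape of a miss; the page only shows a hit.
            return {"single_value": None, "multi_value": None,
                    "string_list_value": None, "has_error": False}
        # Feed timestamps are 'YYYY-MM-DD HH:MM:SS'; render them the way the
        # sample lookup output does (ISO 8601 with milliseconds and offset).
        added = datetime.strptime(entry["dateadded"], "%Y-%m-%d %H:%M:%S")
        return {
            "single_value": entry["threat"],
            "multi_value": {
                "date_added": added.strftime("%Y-%m-%dT%H:%M:%S.000+0000"),
                "url_status": entry["url_status"],
                "threat_type": entry["threat"],
                "tags": entry["tags"],
                "url": entry["url"],
                "urlhaus_link": entry["urlhaus_link"],
            },
            "string_list_value": None,
            "has_error": False,
        }


if __name__ == "__main__":
    table = UrlhausLookup(parse_feed(SAMPLE_FEED), case_insensitive=True)
    print(table.lookup("http://192.168.100.100:35564/mozi.m"))
```

With case-insensitive lookups enabled, a query for the lower-cased form of a stored URL still hits; with them disabled it misses, which is worth knowing when the field being looked up is normalised by an upstream extractor.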
