This repository has been archived by the owner on Jun 17, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 18
Whitelist
Wes edited this page Aug 18, 2017
·
1 revision
CIF has the capability to whitelist observations from entering a feed during the feed generation process.
Any observation (IP, domain, URL) with the following will be whitelisted during feed generation:
- tag == whitelist
- Confidence >= 2
By default CIF is configured with the following whitelists:
When these feeds are processed, the CIF API applies the following logic:
- resolve all domains to their ip's, slightly degrade the confidence value, whitelist the ip's
- resolve all ip's to their bgp prefix, slightly degrade the confidence value, whitelist the prefix (/16, /18, /22, /24, etc).
For example:
- google.com is given the assessment 'whitelist' with a confidence value of 9
- google.com resolves to: 173.194.46.64-78, which are whitelisted at ~ 6 confidence
- 173.194.46.64-78 resolves to 173.194.46.0/24 (bgp prefix lookup)
- 173.194.46.0/24 is whitelisted 4% confidence
When a feed is generated, a whitelist data-set is pre-populated with these values and the feed items are checked against them (sub-domains included).