Update pdnssoccli.yml

CERN-CERT · Sep 3, 2024 · 0d83ee1 · 0d83ee1
1 parent e105485
commit 0d83ee1
Showing 1 changed file with 27 additions and 30 deletions.
diff --git a/files/configuration/pdnssoccli/pdnssoccli.yml b/files/configuration/pdnssoccli/pdnssoccli.yml
@@ -1,47 +1,44 @@
----
 logging_level: "INFO"
+#logging_level: "DEBUG"
 misp_servers:
-  - domain: "https://example-misp-instance.com"
-    api_key: "API_KEY"
-    verify_ssl: True
-    debug: False
+  - domain: "https://your.misp.server/"
+    api_key: "<API_key>j"
+    verify_ssl: true
+    debug: false 
     # misp.search() arguments
     args:
       enforce_warninglist: True
     periods:
       generic:
         delta:
-          days: 30
+          days: 7
       tags:
       - names:
-          - "tag_name"
-        delta: False 
+          - "apt"
+          - "tlp:amber"
+        delta: 
+          days: 150 
+
 correlation:
-  input_dir: /var/dnscollector/matches 
+  input_dir: /var/dnscollector/queries # use this if no files are defined from commmand line
   output_dir: /var/dnscollector/alerts
   archive_dir: /var/dnscollector/archive # use this as input for looking back
+  alerts_database: /var/dnscollector/alerts_db.txt
+  alerts_database_max_size: 300 #This is how many alerts we keep in the buffer before re-notifying  
   malicious_domains_file: /var/dnscollector/misp_domains.txt
   malicious_ips_file: /var/dnscollector/misp_ips.txt
-  last_correlation_pointer_file: /var/dnscollector/correlation.last
-  last_retro_pointer_file: /var/dnscollector/retro.last
-schedules:
-  fetch_iocs:
-    interval: 10 # minutes
-  correlation:
-    interval: 1 # minutes
-  retro:
-    interval: 1440 # minutes
-  alerting:
-    interval: 60 # minutes
+
 alerting:
-  last_alerting_pointer_file: /var/dnscollector/alert.last
-# email:
-#   from: "[email protected]"
-#   subject: "[pDNSSOC] Community XYZ alert"
-#   summary_to: "[email protected]"
-#   server: "localhost"
+  # method: slack or email
+  slack: 
+    slack_hook: "https://hooks.slack.com/services/your_hook"
+#  email:
+#    from: "security@your_org.net"
+#    subject: "[pDNSSOC] your_org DNS alert"
+#    summary_to: "me@your_org.net"
+#    server: "localhost"
 #   port: 25
-#   template: /etc/pdnssoccli/alert_email.html
-#   mappings:
-#     - client_id: client_1
-#       contact: [email protected]
+#    template: /etc/pdnssoccli/alert_email.html
+#    mappings:
+#      - client_id: client_1
+#        contact: [email protected]