ValidateObservable

The ValidateObservable analyzer is designed to validate multiple observable data types:

  • ip
  • domain
  • url
  • fqdn
  • mail
  • hash
  • filename
  • uri_path
  • user-agent

Supported Data Types / Features

  1. IP Addresses
     • Validates individual IPs and CIDR ranges.
     • Flags reserved, private, and loopback IPs with appropriate notes.
  2. Domains
     • Detects valid domain names.
     • Flags domains using Punycode (e.g., xn--) as suspicious.
     • Identifies unusual characters in domain names.
  3. URLs
     • Validates URLs with or without schemes.
     • Flags URLs containing Punycode domains or unusual characters as suspicious.
     • Detects malformed URLs.
  4. Fully Qualified Domain Names (FQDNs)
     • Validates FQDNs for proper structure and length.
     • Flags FQDNs using Punycode and unusual characters as suspicious.
  5. Emails
     • Checks email structure for validity.
     • Detects unusual characters in email addresses.
     • Validates against length constraints.
  6. File Hashes
     • Validates MD5, SHA1, SHA256, and SHA512 hash formats.
  7. Filenames
     • Flags invalid characters in filenames (<, >, :, |, etc.).
     • Detects multiple extensions (for example, .txt.exe) as suspicious.
     • Identifies Unicode bidirectional override characters (U+202E, etc.) to prevent obfuscated extensions.
  8. URI Paths
     • Ensures paths start with / and are well-formed.
  9. User Agents
     • Checks for excessive length and control characters.

Special Features

  • Unicode Detection:
    • Identifies Unicode bidirectional override characters (for example, U+202E) across domains, URLs, emails, filenames, and more.
    • Flags their usage as suspicious to prevent obfuscation attacks.
  • Punycode Detection:
    • Flags internationalized domain names (IDNs) using xn-- prefix or uncommon characters.
  • Structured Output:
    • Returns valid, invalid, or suspicious statuses with detailed reasons.
  • Short reports:
    • Generates short reports to indicate the validation status and risk level: info (blue) or invalid / suspicious (orange).
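As an added illustration of the checks listed above (not the analyzer's own code), the hypothetical `validate_observable` helper below applies the README's rules for the ip, domain, filename and hash types and returns a valid / invalid / suspicious verdict with reasons; the status strings, reason texts and helper name are assumptions.

```python
import ipaddress
import re

# Unicode bidirectional controls that can disguise a file extension, e.g.
# "report\u202Eexe.txt" renders right-to-left as "reporttxt.exe".
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
DOMAIN_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_observable(data_type: str, value: str) -> dict:
    """Hypothetical helper mirroring the README's check list; returns
    {"status": "valid" | "invalid" | "suspicious", "reasons": [...]}."""
    invalid, suspicious, notes = [], [], []
    if any(ch in BIDI_CONTROLS for ch in value):
        suspicious.append("bidi override character")
    if data_type == "ip":
        try:  # accepts single IPs and CIDR ranges alike
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            invalid.append("not an IP address or CIDR range")
        else:  # reserved/private/loopback stay valid but carry a note
            notes += [f"{kind} range" for kind in ("private", "loopback", "reserved")
                      if getattr(net, "is_" + kind)]
    elif data_type == "domain":
        labels = value.rstrip(".").lower().split(".")
        if not value.isascii():
            suspicious.append("non-ASCII characters in domain")
        elif any(label.startswith("xn--") for label in labels):
            suspicious.append("punycode (xn--) label")
        elif len(labels) < 2 or not all(DOMAIN_LABEL.match(l) for l in labels):
            invalid.append("malformed domain name")
    elif data_type == "filename":
        if re.search(r'[<>:"/\\|?*]', value):
            invalid.append("invalid filename character")
        if re.search(r"\.[a-z0-9]{1,5}\.[a-z0-9]{1,5}$", value, re.I):
            suspicious.append("multiple extensions")
    elif data_type == "hash":
        algo = HASH_LENGTHS.get(len(value))
        if algo and re.fullmatch(r"[0-9a-fA-F]+", value):
            notes.append(algo)
        else:
            invalid.append("not an MD5/SHA1/SHA256/SHA512 hex digest")
    else:
        invalid.append(f"unsupported data type {data_type!r}")
    status = "invalid" if invalid else "suspicious" if suspicious else "valid"
    return {"status": status, "reasons": invalid or suspicious or notes}
```

The sample inputs in the checks that follow are constructed; a private range or a recognised hash algorithm comes back as valid with an informational note, matching the blue/orange split of the short reports.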

ValidateObservable

Author: nusantara-self, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observable types:
- ip
- domain
- url
- fqdn
- mail
- hash
- filename
- uri_path
- user-agent
Registration required: False
Subscription required: False
Free subscription: False
Third party service: N/A

Description

Uses regexes and libraries to indicate whether an observable is valid.

Configuration

No specific configuration required.

Template samples for TheHive

No template samples to display.