
Gordon for fast cyber reputation checks

Published: 2021-01-19
Last Updated: 2021-01-19 03:15:48 UTC
by Russ McRee (Version: 1)
0 comment(s)

Gordon quickly provides threat & risk information about observables

Gordon is a great website for security analysis and threat intelligence practitioners courtesy of Marc-Henry Geay of France.
It’s a fine offering that quickly provides threat and risk information about observables such as IPv4 addresses, URLs, Domains/FQDNs, MD5, SHA-1, SHA-256 hashes, or email addresses.

All aspirations and architecture for Gordon are available in Marc-Henry’s Medium post, as well as his About content.
You really need only know the following in any detail:

  • Gordon submits your observables (IOCs) to multiple sources (30+ engines) to ensure good coverage.
  • Observables are only searched in open security databases’ existing records (passive).
  • Results can be viewed and shared for up to 3 days, after which they are deleted; Marc-Henry has EU privacy regulations to contend with.
  • Results are available as Summary Reports with risk-based coloration for some engines, and can be exported as PDF, CSV, and XLSX.

I gave Gordon a quick test using IPv4 IOCs from the Cisco Talos Threat Advisory: SolarWinds supply chain attack. Gordon limits you to 15 observables at most, and note that it favors non-Microsoft browsers, so I experimented via Firefox. Using ten IP IOCs, separated one per line, I received swift results as seen in Figure 1.
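Before pasting an IOC appendix into a service like this, it helps to pre-flight the list: advisories are often defanged (hxxp, [.]), mix the observable types Gordon accepts (IPv4, URL, domain, MD5/SHA-1/SHA-256, email) with ones it does not, contain duplicates, and exceed the 15-observable limit per query. The following Python is an added example, not Gordon's own code or anything from Marc-Henry's project; it classifies each line by type, refangs it, drops duplicates and unsupported entries, and chunks the rest into batches of at most 15. The sample list is constructed for the example (TEST-NET addresses, example.* names, hashes of the empty string), and the refang rules and the "unsupported" bucket for IPv6 are my assumptions about what is worth filtering, not documented Gordon behaviour.

```python
"""Pre-flight an IOC list for a 15-per-query observable lookup service (added example)."""
import ipaddress
import re

MAX_OBSERVABLES_PER_QUERY = 15  # per-query limit the diary notes for Gordon

# Hex digest lengths for the hash types the diary lists.
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)

# Common defanging conventions seen in advisories (assumed list, extend as needed).
REFANG_RULES = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[@]", "@"), ("[:]", ":")]


def refang(value: str) -> str:
    """Undo defanging so the observable is in the form a lookup engine expects."""
    out = value.strip()
    for fanged, real in REFANG_RULES:
        out = out.replace(fanged, real)
    return out


def classify(observable: str) -> str:
    """Return the observable type: ipv4, url, email, domain, md5, sha1, sha256 or unsupported."""
    o = observable.strip()
    if not o:
        return "unsupported"
    try:
        # IPv6 is not among the types the diary lists, so it is treated as unsupported.
        return "ipv4" if ipaddress.ip_address(o).version == 4 else "unsupported"
    except ValueError:
        pass
    if HEX_RE.match(o) and len(o) in HASH_KINDS:
        return HASH_KINDS[len(o)]
    if URL_RE.match(o):
        return "url"
    if EMAIL_RE.match(o):
        return "email"
    if FQDN_RE.match(o):
        return "domain"
    return "unsupported"


def normalize(value: str, kind: str) -> str:
    """Canonical form so that case-only variants are recognised as duplicates."""
    if kind in ("md5", "sha1", "sha256", "domain", "email"):
        return value.lower()
    return value  # IPv4 and URLs are kept verbatim


def prepare_batches(lines, batch_size: int = MAX_OBSERVABLES_PER_QUERY) -> dict:
    """Refang, classify, de-duplicate and chunk an IOC list into submittable batches."""
    seen = set()
    accepted, duplicates, unsupported = [], [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comment lines
            continue
        value = refang(line)
        kind = classify(value)
        if kind == "unsupported":
            unsupported.append((value, kind))
            continue
        value = normalize(value, kind)
        if value in seen:
            duplicates.append(value)
            continue
        seen.add(value)
        accepted.append((value, kind))
    batches = [
        [v for v, _ in accepted[i:i + batch_size]]
        for i in range(0, len(accepted), batch_size)
    ]
    return {"batches": batches, "duplicates": duplicates, "unsupported": unsupported,
            "kinds": dict(accepted)}


# Constructed sample input mimicking an advisory's IOC appendix (not real indicators).
SAMPLE_IOC_LIST = """\
# constructed sample: TEST-NET addresses, example names, empty-string hashes
192.0.2.10
192[.]0[.]2[.]11
hxxps://malware-dist[.]example/payload.bin
update.example.net
analyst@example.org
d41d8cd98f00b204e9800998ecf8427e
DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
192.0.2.10
2001:db8::1
not an indicator
"""

if __name__ == "__main__":
    result = prepare_batches(SAMPLE_IOC_LIST.splitlines())
    for n, batch in enumerate(result["batches"], 1):
        print(f"--- batch {n} ({len(batch)} observables, paste one per line) ---")
        print("\n".join(batch))
    print("duplicates dropped:", result["duplicates"])
    print("unsupported:", result["unsupported"])
```

Each printed batch is ready to paste as one query, one observable per line, and the "unsupported" list tells you what still needs a different tool (IPv6 in this example).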


Figure 1: Gordon IPv4 SUNBURST results

As noted, Figure 1 shows IPv4 SUNBURST IOC results that are precise and color coded by risk.
Using ten SHA-256 hashes from the Talos report for my next query I opted to export the results as an Excel document, then sorted by malicious results only.


Figure 2: Gordon SHA-256 query results

Again, the SUNBURST SHA-256 IOC results are robust and detailed. I’ve certainly added Gordon to my favorites list and suggest you consider doing the same.

Cheers…until next time.

Russ McRee | @holisticinfosec

