shadowbq-threatinator 0.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/CHANGELOG.md +66 -0
- data/CONTRIBUTING.md +119 -0
- data/Gemfile +38 -0
- data/LICENSE +165 -0
- data/README.md +101 -0
- data/Rakefile +47 -0
- data/VERSION +1 -0
- data/bin/threatinator +5 -0
- data/bin/threatinator_loader +21 -0
- data/feeds/ET_block-ip_reputation.feed +27 -0
- data/feeds/ET_compromised-ip_reputation.feed +20 -0
- data/feeds/ET_openbadlist-ip_reputation.feed +36 -0
- data/feeds/alienvault-ip_reputation.feed +39 -0
- data/feeds/arbor_fastflux-domain_reputation.feed +19 -0
- data/feeds/arbor_ssh-ip_reputation.feed +24 -0
- data/feeds/autoshun_shunlist.feed +17 -0
- data/feeds/bambenek_c2_masterlist-domain_reputation.feed +16 -0
- data/feeds/bambenek_c2_masterlist-ip_reputation.feed +16 -0
- data/feeds/bambenek_dga_feed-domain_reputation.feed +16 -0
- data/feeds/berkeley-ip_reputation.feed +25 -0
- data/feeds/bitcash_cz_blacklist.feed +22 -0
- data/feeds/blocklist_de_apache-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_bots-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_ftp-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_imap-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_pop3-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_proftpd-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_sip-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_ssh-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_strongips-ip_reputation.feed +25 -0
- data/feeds/botscout-ip_reputation.feed +25 -0
- data/feeds/cert_mxpoison-ip_reputation.feed +22 -0
- data/feeds/chaosreigns-ip_reputation.feed +37 -0
- data/feeds/ciarmy-ip_reputation.feed +20 -0
- data/feeds/cruzit-ip_reputation.feed +30 -0
- data/feeds/cydef_torexit-ip_reputation.feed +25 -0
- data/feeds/dan_me_uk_torlist-ip_reputation.feed +25 -0
- data/feeds/danger_bruteforce-ip_reputation.feed +24 -0
- data/feeds/dshield_attackers-top1000.feed +34 -0
- data/feeds/falconcrest-ip_reputation.feed +19 -0
- data/feeds/feodo-domain_reputation.feed +19 -0
- data/feeds/feodo-ip_reputation.feed +20 -0
- data/feeds/h3x_asprox.feed +18 -0
- data/feeds/hosts-file_hphostspartial-domain_reputation.feed +19 -0
- data/feeds/infiltrated-ip_reputation.feed +26 -0
- data/feeds/infiltrated_vabl-ip_reputation.feed +30 -0
- data/feeds/isc_suspicious_high-domain_reputation.feed +26 -0
- data/feeds/isc_suspicious_low-domain_reputation.feed +26 -0
- data/feeds/isc_suspicious_medium-domain_reputation.feed +26 -0
- data/feeds/malc0de-domain_reputation.feed +24 -0
- data/feeds/malc0de-ip_reputation.feed +26 -0
- data/feeds/malwaredomainlist-url_reputation.feed +18 -0
- data/feeds/malwaredomains-domain_reputation.feed +29 -0
- data/feeds/malwaredomains_dyndns-domain_reputation.feed +29 -0
- data/feeds/malwaredomains_justdomains-domain_reputation.feed +20 -0
- data/feeds/mirc-domain_reputation.feed +30 -0
- data/feeds/multiproxy-ip_reputation.feed +22 -0
- data/feeds/nothink_irc-ip_reputation.feed +23 -0
- data/feeds/nothink_ssh-ip_reputation.feed +21 -0
- data/feeds/openbl-ip_reputation.feed +21 -0
- data/feeds/openphish-url_reputation.feed +24 -0
- data/feeds/packetmail_perimeterbad-ip_reputation.feed +28 -0
- data/feeds/palevo-domain_reputation.feed +22 -0
- data/feeds/palevo-ip_reputation.feed +23 -0
- data/feeds/phishtank.feed +22 -0
- data/feeds/sigmaproject_atma.feed +27 -0
- data/feeds/sigmaproject_spyware.feed +28 -0
- data/feeds/sigmaproject_webexploit.feed +26 -0
- data/feeds/snort_bpf-ip_reputation.feed +19 -0
- data/feeds/spyeye-domain_reputation.feed +18 -0
- data/feeds/spyeye-ip_reputation.feed +19 -0
- data/feeds/steeman-ip_reputation.feed +20 -0
- data/feeds/t-arend-de_ssh-ip_reputation.feed +20 -0
- data/feeds/the_haleys_ssh-ip_reputation.feed +20 -0
- data/feeds/trustedsec-ip_reputation.feed +18 -0
- data/feeds/virbl-ip_reputation.feed +25 -0
- data/feeds/vxvault-url_reputation.feed +23 -0
- data/feeds/yourcmc_ssh-ip_reputation.feed +20 -0
- data/feeds/yoyo_adservers-domain_reputation.feed +17 -0
- data/feeds/zeus-domain_reputation.feed +19 -0
- data/feeds/zeus-ip_reputation.feed +21 -0
- data/lib/threatinator/action.rb +14 -0
- data/lib/threatinator/actions/list/action.rb +97 -0
- data/lib/threatinator/actions/list/config.rb +12 -0
- data/lib/threatinator/actions/list.rb +2 -0
- data/lib/threatinator/actions/run/action.rb +57 -0
- data/lib/threatinator/actions/run/config.rb +32 -0
- data/lib/threatinator/actions/run/coverage_observer.rb +59 -0
- data/lib/threatinator/actions/run/output_config.rb +59 -0
- data/lib/threatinator/actions/run/status_observer.rb +37 -0
- data/lib/threatinator/actions/run.rb +2 -0
- data/lib/threatinator/cli/action_builder.rb +33 -0
- data/lib/threatinator/cli/list_action_builder.rb +19 -0
- data/lib/threatinator/cli/parser.rb +123 -0
- data/lib/threatinator/cli/run_action_builder.rb +41 -0
- data/lib/threatinator/cli.rb +19 -0
- data/lib/threatinator/config/base.rb +35 -0
- data/lib/threatinator/config/feed_search.rb +25 -0
- data/lib/threatinator/config/logger.rb +14 -0
- data/lib/threatinator/config.rb +7 -0
- data/lib/threatinator/decoder.rb +24 -0
- data/lib/threatinator/decoders/gzip.rb +30 -0
- data/lib/threatinator/event.rb +63 -0
- data/lib/threatinator/event_builder.rb +70 -0
- data/lib/threatinator/exceptions.rb +58 -0
- data/lib/threatinator/feed.rb +88 -0
- data/lib/threatinator/feed_builder.rb +161 -0
- data/lib/threatinator/feed_registry.rb +47 -0
- data/lib/threatinator/feed_runner.rb +177 -0
- data/lib/threatinator/fetcher.rb +22 -0
- data/lib/threatinator/fetchers/http.rb +50 -0
- data/lib/threatinator/filter.rb +12 -0
- data/lib/threatinator/filters/block.rb +18 -0
- data/lib/threatinator/filters/comments.rb +16 -0
- data/lib/threatinator/filters/whitespace.rb +19 -0
- data/lib/threatinator/logger.rb +66 -0
- data/lib/threatinator/logging.rb +20 -0
- data/lib/threatinator/model/base.rb +23 -0
- data/lib/threatinator/model/collection.rb +89 -0
- data/lib/threatinator/model/observables/fqdn_collection.rb +15 -0
- data/lib/threatinator/model/observables/ipv4.rb +33 -0
- data/lib/threatinator/model/observables/ipv4_collection.rb +14 -0
- data/lib/threatinator/model/observables/url_collection.rb +16 -0
- data/lib/threatinator/model/validations/type.rb +21 -0
- data/lib/threatinator/model/validations.rb +1 -0
- data/lib/threatinator/output.rb +50 -0
- data/lib/threatinator/parser.rb +23 -0
- data/lib/threatinator/parsers/csv/parser.rb +77 -0
- data/lib/threatinator/parsers/csv.rb +7 -0
- data/lib/threatinator/parsers/getline/parser.rb +45 -0
- data/lib/threatinator/parsers/getline.rb +8 -0
- data/lib/threatinator/parsers/json/adapters/oj.rb +65 -0
- data/lib/threatinator/parsers/json/parser.rb +45 -0
- data/lib/threatinator/parsers/json/record.rb +20 -0
- data/lib/threatinator/parsers/json.rb +8 -0
- data/lib/threatinator/parsers/xml/node.rb +79 -0
- data/lib/threatinator/parsers/xml/node_builder.rb +39 -0
- data/lib/threatinator/parsers/xml/parser.rb +44 -0
- data/lib/threatinator/parsers/xml/path.rb +70 -0
- data/lib/threatinator/parsers/xml/pattern.rb +53 -0
- data/lib/threatinator/parsers/xml/record.rb +14 -0
- data/lib/threatinator/parsers/xml/sax_document.rb +64 -0
- data/lib/threatinator/parsers/xml.rb +8 -0
- data/lib/threatinator/plugin_loader.rb +115 -0
- data/lib/threatinator/plugins/output/amqp/config.rb +18 -0
- data/lib/threatinator/plugins/output/amqp.rb +41 -0
- data/lib/threatinator/plugins/output/csv.rb +58 -0
- data/lib/threatinator/plugins/output/json/config.rb +14 -0
- data/lib/threatinator/plugins/output/json.rb +53 -0
- data/lib/threatinator/plugins/output/null.rb +17 -0
- data/lib/threatinator/plugins/output/rubydebug.rb +16 -0
- data/lib/threatinator/record.rb +22 -0
- data/lib/threatinator/registry.rb +53 -0
- data/lib/threatinator/util.rb +15 -0
- data/lib/threatinator.rb +3 -0
- data/spec/feeds/ET_block-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ET_compromised-ip_reputation_spec.rb +47 -0
- data/spec/feeds/ET_openbadlist-ip_reputation_spec.rb +56 -0
- data/spec/feeds/alienvault-ip_reputation_spec.rb +46 -0
- data/spec/feeds/arbor_fastflux-domain_reputation_spec.rb +46 -0
- data/spec/feeds/arbor_ssh-ip_reputation_spec.rb +46 -0
- data/spec/feeds/autoshun_shunlist_spec.rb +38 -0
- data/spec/feeds/bambenek_c2_masterlist-domain_reputation_spec.rb +38 -0
- data/spec/feeds/bambenek_c2_masterlist-ip_reputation_spec.rb +39 -0
- data/spec/feeds/bambenek_dga_feed-domain_reputation_spec.rb +39 -0
- data/spec/feeds/berkeley-ip_reputation_spec.rb +47 -0
- data/spec/feeds/bitcash_cz_blacklist-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_apache-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_bots-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_ftp-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_imap-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_pop3-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_proftpd-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_sip-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_strongips-ip_reputation_spec.rb +47 -0
- data/spec/feeds/botscout-ip_reputation_spec.rb +50 -0
- data/spec/feeds/cert_mxpoison-ip_reputation_spec.rb +47 -0
- data/spec/feeds/chaosreigns-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ciarmy-ip_reputation_spec.rb +47 -0
- data/spec/feeds/cruzit-ip_reputation_spec.rb +47 -0
- data/spec/feeds/cydef_torexit-ip_reputation_spec.rb +47 -0
- data/spec/feeds/dan_me_uk_torlist-ip_reputation_spec.rb +47 -0
- data/spec/feeds/danger_bruteforce-ip_reputation_spec.rb +47 -0
- data/spec/feeds/data/ET_block-ip_reputation.txt +80 -0
- data/spec/feeds/data/ET_compromised-ip_reputation.txt +11 -0
- data/spec/feeds/data/ET_openbadlist-ip_reputation.txt +62 -0
- data/spec/feeds/data/alienvault-ip_reputation.txt +18 -0
- data/spec/feeds/data/arbor_domainlist.txt +11 -0
- data/spec/feeds/data/arbor_ssh.txt +16 -0
- data/spec/feeds/data/autoshun_shunlist.csv +20 -0
- data/spec/feeds/data/bambenek_c2-dommasterlist.csv +30 -0
- data/spec/feeds/data/bambenek_c2-ipmasterlist.csv +27 -0
- data/spec/feeds/data/bambenek_dga_feed.csv +42 -0
- data/spec/feeds/data/berkeley.txt +29 -0
- data/spec/feeds/data/bitcash_cz_blacklist.txt +7 -0
- data/spec/feeds/data/blocklist_de_apache-ip-reputation.txt +17 -0
- data/spec/feeds/data/blocklist_de_bots-ip-reputation.txt +15 -0
- data/spec/feeds/data/blocklist_de_ftp-ip-reputation.txt +7 -0
- data/spec/feeds/data/blocklist_de_imap-ip-reputation.txt +8 -0
- data/spec/feeds/data/blocklist_de_pop3-ip-reputation.txt +11 -0
- data/spec/feeds/data/blocklist_de_proftpd-ip-reputation.txt +12 -0
- data/spec/feeds/data/blocklist_de_sip-ip-reputation.txt +9 -0
- data/spec/feeds/data/blocklist_de_ssh-ip-reputation.txt +10 -0
- data/spec/feeds/data/blocklist_de_strongips-ip-reputation.txt +11 -0
- data/spec/feeds/data/botscout-ip-reputation.txt +713 -0
- data/spec/feeds/data/cert_mxpoison-ip_reputation.txt +17 -0
- data/spec/feeds/data/chaosreigns-ip-reputation.txt +26 -0
- data/spec/feeds/data/ciarmy-ip-reputation.txt +11 -0
- data/spec/feeds/data/cruzit-ip-reputation.txt +14 -0
- data/spec/feeds/data/cydef_torexit-ip_reputation.txt +27 -0
- data/spec/feeds/data/dan_me_uk_torlist-ip-reputation.txt +11 -0
- data/spec/feeds/data/danger_bruteforce-ip_reputation.txt +12 -0
- data/spec/feeds/data/dshield_topattackers.xml +4 -0
- data/spec/feeds/data/falconcrest_iplist.txt +345 -0
- data/spec/feeds/data/feodo_domainlist.txt +18 -0
- data/spec/feeds/data/feodo_iplist.txt +20 -0
- data/spec/feeds/data/h3x_asprox.txt +20 -0
- data/spec/feeds/data/hosts-file_hphostspartial_domainlist.txt +24 -0
- data/spec/feeds/data/infiltrated_iplist.txt +16 -0
- data/spec/feeds/data/infiltrated_vabl_iplist.txt +33 -0
- data/spec/feeds/data/isc_suspicious_high_domainlist.txt +26 -0
- data/spec/feeds/data/isc_suspicious_low_domainlist.txt +34 -0
- data/spec/feeds/data/isc_suspicious_medium_domainlist.txt +32 -0
- data/spec/feeds/data/malc0de_domainlist.txt +18 -0
- data/spec/feeds/data/malc0de_iplist.txt +14 -0
- data/spec/feeds/data/malwaredomainlist-url-reputation.txt +8 -0
- data/spec/feeds/data/malwaredomains_domainlist.txt +24 -0
- data/spec/feeds/data/malwaredomains_dyndns_domainlist.txt +34 -0
- data/spec/feeds/data/malwaredomains_justdomains_domainlist.txt +18 -0
- data/spec/feeds/data/mirc_domainlist.txt +31 -0
- data/spec/feeds/data/multiproxy_iplist.txt +15 -0
- data/spec/feeds/data/nothink_irc_iplist.txt +14 -0
- data/spec/feeds/data/nothink_ssh_iplist.txt +10 -0
- data/spec/feeds/data/openbl_iplist.txt +12 -0
- data/spec/feeds/data/openphish-url-reputation.txt +16 -0
- data/spec/feeds/data/packetmail_perimeterbad-ip_reputation.txt +44 -0
- data/spec/feeds/data/palevo_domainlist.txt +25 -0
- data/spec/feeds/data/palevo_iplist.txt +24 -0
- data/spec/feeds/data/phishtank-sample.json.gz +0 -0
- data/spec/feeds/data/sigmaproject_atma.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_spyware.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_webexploit.return.gz +0 -0
- data/spec/feeds/data/snort_bpf-ip_reputation.txt +16 -0
- data/spec/feeds/data/spyeye_domainlist.txt +16 -0
- data/spec/feeds/data/spyeye_iplist.txt +19 -0
- data/spec/feeds/data/steeman-ip-reputation.txt +13 -0
- data/spec/feeds/data/t-arend-de_ssh_iplist.txt +17 -0
- data/spec/feeds/data/the_haleys_ssh_iplist.txt +12 -0
- data/spec/feeds/data/trustedsec-ip-reputation.txt +12 -0
- data/spec/feeds/data/valid.json +2908 -0
- data/spec/feeds/data/virbl-ip_reputation.txt +14 -0
- data/spec/feeds/data/vxvault-url-reputation.txt +15 -0
- data/spec/feeds/data/yourcmc_ssh-ip_reputation.txt +27 -0
- data/spec/feeds/data/yoyo_adservers.txt +25 -0
- data/spec/feeds/data/zeus-ip_reputation.txt +285 -0
- data/spec/feeds/data/zeus_domainlist.txt +27 -0
- data/spec/feeds/dshield_attackers-top1000_spec.rb +39 -0
- data/spec/feeds/falconcrest-ip_reputation_spec.rb +39 -0
- data/spec/feeds/feodo-domain_reputation_spec.rb +47 -0
- data/spec/feeds/feodo-ip_reputation_spec.rb +47 -0
- data/spec/feeds/h3x_asprox-ip_reputation_spec.rb +50 -0
- data/spec/feeds/hosts-file_hphostspartial-domain_reputation_spec.rb +47 -0
- data/spec/feeds/infiltrated-ip_reputation_spec.rb +47 -0
- data/spec/feeds/infiltrated_vabl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_high-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_low-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_medium-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malc0de-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malc0de-ip_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomainlist_url_reputation_spec.rb +50 -0
- data/spec/feeds/malwaredomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_dyndns-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_justdomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/mirc-domain_reputation_spec.rb +47 -0
- data/spec/feeds/multiproxy-ip_reputation_spec.rb +47 -0
- data/spec/feeds/nothink_irc-ip_reputation_spec.rb +47 -0
- data/spec/feeds/nothink_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/openbl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/openphish_url_reputation_spec.rb +50 -0
- data/spec/feeds/packetmail_perimeterbad-ip_reputation_spec.rb +47 -0
- data/spec/feeds/palevo-domain_reputation_spec.rb +47 -0
- data/spec/feeds/palevo-ip_reputation_spec.rb +47 -0
- data/spec/feeds/phishtank_spec.rb +41 -0
- data/spec/feeds/sigmaproject_atma_spec.rb +62 -0
- data/spec/feeds/sigmaproject_spyware_spec.rb +63 -0
- data/spec/feeds/sigmaproject_webexploit_spec.rb +62 -0
- data/spec/feeds/snort_bpf-ip_reputation_spec.rb +47 -0
- data/spec/feeds/spyeye-domain_reputation_spec.rb +47 -0
- data/spec/feeds/spyeye-ip_reputation_spec.rb +47 -0
- data/spec/feeds/steeman-ip_reputation_spec.rb +50 -0
- data/spec/feeds/t-arend-de_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/the_haleys_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/trustedsec-ip_reputation_spec.rb +47 -0
- data/spec/feeds/virbl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/vxvault_url_reputation_spec.rb +50 -0
- data/spec/feeds/yourcmc_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/yoyo_adservers_spec.rb +47 -0
- data/spec/feeds/zeus-domain_reputation_spec.rb +47 -0
- data/spec/feeds/zeus-ip_reputation_spec.rb +47 -0
- data/spec/fixtures/feed/provider1/feed1.feed +6 -0
- data/spec/fixtures/parsers/test.xml +13 -0
- data/spec/fixtures/parsers/test_self_closing.xml +20 -0
- data/spec/fixtures/plugins/bad/threatinator/plugins/test_error1/plugin.rb +1 -0
- data/spec/fixtures/plugins/bad/threatinator/plugins/test_missing1/plugin.rb +0 -0
- data/spec/fixtures/plugins/fake.rb +19 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type1/plugin_a.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type1/plugin_b.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type2/plugin_c.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type2/plugin_d.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type3/plugin_e.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type3/plugin_f.rb +8 -0
- data/spec/spec_helper.rb +54 -0
- data/spec/support/bad_feeds/missing_fetcher.feed +7 -0
- data/spec/support/bad_feeds/missing_name.feed +6 -0
- data/spec/support/bad_feeds/missing_parser.feed +3 -0
- data/spec/support/bad_feeds/missing_provider.feed +5 -0
- data/spec/support/factories/event.rb +31 -0
- data/spec/support/factories/feed.rb +59 -0
- data/spec/support/factories/feed_builder.rb +65 -0
- data/spec/support/factories/feed_registry.rb +8 -0
- data/spec/support/factories/ipv4.rb +36 -0
- data/spec/support/factories/output.rb +11 -0
- data/spec/support/factories/record.rb +17 -0
- data/spec/support/factories/url.rb +34 -0
- data/spec/support/factories/xml_node.rb +33 -0
- data/spec/support/helpers/io.rb +11 -0
- data/spec/support/helpers/models.rb +13 -0
- data/spec/support/shared/action_builder.rb +47 -0
- data/spec/support/shared/decoder.rb +70 -0
- data/spec/support/shared/feed_runner_observer.rb +136 -0
- data/spec/support/shared/feeds.rb +233 -0
- data/spec/support/shared/fetcher.rb +48 -0
- data/spec/support/shared/filter.rb +14 -0
- data/spec/support/shared/io-like.rb +7 -0
- data/spec/support/shared/model/collection.rb +164 -0
- data/spec/support/shared/output.rb +120 -0
- data/spec/support/shared/parsers.rb +51 -0
- data/spec/support/shared/record.rb +111 -0
- data/spec/threatinator/actions/list/action_spec.rb +148 -0
- data/spec/threatinator/actions/run/action_spec.rb +106 -0
- data/spec/threatinator/actions/run/config_spec.rb +39 -0
- data/spec/threatinator/actions/run/coverage_observer_spec.rb +151 -0
- data/spec/threatinator/actions/run/output_config_spec.rb +89 -0
- data/spec/threatinator/actions/run/status_observer_spec.rb +86 -0
- data/spec/threatinator/cli/list_action_builder_spec.rb +57 -0
- data/spec/threatinator/cli/run_action_builder_spec.rb +133 -0
- data/spec/threatinator/cli_spec.rb +175 -0
- data/spec/threatinator/config/base_spec.rb +39 -0
- data/spec/threatinator/config/feed_search_spec.rb +76 -0
- data/spec/threatinator/decoders/gzip_spec.rb +75 -0
- data/spec/threatinator/event_builder_spec.rb +123 -0
- data/spec/threatinator/event_spec.rb +254 -0
- data/spec/threatinator/event_spec.rb.new +319 -0
- data/spec/threatinator/feed_builder_spec.rb +633 -0
- data/spec/threatinator/feed_registry_spec.rb +198 -0
- data/spec/threatinator/feed_runner_spec.rb +372 -0
- data/spec/threatinator/feed_spec.rb +169 -0
- data/spec/threatinator/fetcher_spec.rb +12 -0
- data/spec/threatinator/fetchers/http_spec.rb +32 -0
- data/spec/threatinator/filter_spec.rb +13 -0
- data/spec/threatinator/filters/block_spec.rb +16 -0
- data/spec/threatinator/filters/comments_spec.rb +13 -0
- data/spec/threatinator/filters/whitespace_spec.rb +12 -0
- data/spec/threatinator/logger_spec.rb +29 -0
- data/spec/threatinator/model/observables/fqdn_collection_spec.rb +41 -0
- data/spec/threatinator/model/observables/ipv4_collection_spec.rb +36 -0
- data/spec/threatinator/model/observables/ipv4_spec.rb +75 -0
- data/spec/threatinator/model/observables/url_collection_spec.rb +45 -0
- data/spec/threatinator/model/validations/type_spec.rb +37 -0
- data/spec/threatinator/parser_spec.rb +13 -0
- data/spec/threatinator/parsers/csv/parser_spec.rb +202 -0
- data/spec/threatinator/parsers/getline/parser_spec.rb +83 -0
- data/spec/threatinator/parsers/json/parser_spec.rb +106 -0
- data/spec/threatinator/parsers/json/record_spec.rb +30 -0
- data/spec/threatinator/parsers/xml/node_spec.rb +335 -0
- data/spec/threatinator/parsers/xml/parser_spec.rb +263 -0
- data/spec/threatinator/parsers/xml/path_spec.rb +209 -0
- data/spec/threatinator/parsers/xml/pattern_spec.rb +72 -0
- data/spec/threatinator/parsers/xml/record_spec.rb +27 -0
- data/spec/threatinator/plugin_loader_spec.rb +238 -0
- data/spec/threatinator/plugins/output/csv_spec.rb +47 -0
- data/spec/threatinator/plugins/output/null_spec.rb +17 -0
- data/spec/threatinator/plugins/output/rubydebug_spec.rb +37 -0
- data/spec/threatinator/record_spec.rb +19 -0
- data/spec/threatinator/registry_spec.rb +97 -0
- data/spec/threatinator/runner_spec.rb +273 -0
- metadata +674 -0
@@ -0,0 +1,47 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/dan_me_uk_torlist-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'dan_me_uk' }
|
5
|
+
let(:name) { 'torlist_ip_reputation' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
|
9
|
+
it_fetches_url 'https://www.dan.me.uk/torlist/'
|
10
|
+
|
11
|
+
describe_parsing_the_file feed_data('dan_me_uk_torlist-ip-reputation.txt') do
|
12
|
+
it "should have parsed 11 records" do
|
13
|
+
expect(num_records_parsed).to eq(11)
|
14
|
+
end
|
15
|
+
it "should have filtered 0 records" do
|
16
|
+
expect(num_records_filtered).to eq(0)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
describe_parsing_a_record '100.34.32.230' do
|
21
|
+
it "should have parsed" do
|
22
|
+
expect(status).to eq(:parsed)
|
23
|
+
end
|
24
|
+
it "should have parsed 1 event" do
|
25
|
+
expect(events.count).to eq(1)
|
26
|
+
end
|
27
|
+
describe 'event 0' do
|
28
|
+
subject { events[0] }
|
29
|
+
its(:type) { is_expected.to be(:scanning) }
|
30
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['100.34.32.230'])) }
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
describe_parsing_a_record '101.55.12.75' do
|
35
|
+
it "should have parsed" do
|
36
|
+
expect(status).to eq(:parsed)
|
37
|
+
end
|
38
|
+
it "should have parsed 1 event" do
|
39
|
+
expect(events.count).to eq(1)
|
40
|
+
end
|
41
|
+
describe 'event 0' do
|
42
|
+
subject { events[0] }
|
43
|
+
its(:type) { is_expected.to be(:scanning) }
|
44
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['101.55.12.75'])) }
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
@@ -0,0 +1,47 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/danger_bruteforce-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'danger' }
|
5
|
+
let(:name) { 'bruteforce_ip_reputation' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
|
9
|
+
it_fetches_url 'http://danger.rulez.sk/projects/bruteforceblocker/blist.php'
|
10
|
+
|
11
|
+
describe_parsing_the_file feed_data('danger_bruteforce-ip_reputation.txt') do
|
12
|
+
it "should have parsed 11 records" do
|
13
|
+
expect(num_records_parsed).to eq(11)
|
14
|
+
end
|
15
|
+
it "should have filtered 1 records" do
|
16
|
+
expect(num_records_filtered).to eq(1)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
describe_parsing_a_record '192.168.0.66 # 2014-07-02 16:01:22 148 532953' do
|
21
|
+
it "should have parsed" do
|
22
|
+
expect(status).to eq(:parsed)
|
23
|
+
end
|
24
|
+
it "should have parsed 1 event" do
|
25
|
+
expect(events.count).to eq(1)
|
26
|
+
end
|
27
|
+
describe 'event 0' do
|
28
|
+
subject { events[0] }
|
29
|
+
its(:type) { is_expected.to be(:scanning) }
|
30
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['192.168.0.66'])) }
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
describe_parsing_a_record '125.65.245.146 # 2014-07-06 16:04:46 64 359660' do
|
35
|
+
it "should have parsed" do
|
36
|
+
expect(status).to eq(:parsed)
|
37
|
+
end
|
38
|
+
it "should have parsed 1 event" do
|
39
|
+
expect(events.count).to eq(1)
|
40
|
+
end
|
41
|
+
describe 'event 0' do
|
42
|
+
subject { events[0] }
|
43
|
+
its(:type) { is_expected.to be(:scanning) }
|
44
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['125.65.245.146'])) }
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
@@ -0,0 +1,80 @@
|
|
1
|
+
#
|
2
|
+
# Emerging Threats fwip rules.
|
3
|
+
#
|
4
|
+
# Raw IPs for the firewall block lists. These come from:
|
5
|
+
#
|
6
|
+
# C&C servers identified by Shadowserver (www.shadowserver.org)
|
7
|
+
# Spam nets identified by Spamhaus (www.spamhaus.org)
|
8
|
+
# Top Attackers listed by DShield (www.dshield.org)
|
9
|
+
#
|
10
|
+
# More information available at www.emergingthreats.net
|
11
|
+
#
|
12
|
+
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
|
13
|
+
#
|
14
|
+
#*************************************************************
|
15
|
+
#
|
16
|
+
# Copyright (c) 2003-2014, Emerging Threats
|
17
|
+
# All rights reserved.
|
18
|
+
#
|
19
|
+
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
|
20
|
+
# following conditions are met:
|
21
|
+
#
|
22
|
+
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
|
23
|
+
# disclaimer.
|
24
|
+
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
|
25
|
+
# following disclaimer in the documentation and/or other materials provided with the distribution.
|
26
|
+
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
|
27
|
+
# from this software without specific prior written permission.
|
28
|
+
#
|
29
|
+
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
30
|
+
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
31
|
+
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
32
|
+
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
33
|
+
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
34
|
+
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
35
|
+
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
36
|
+
#
|
37
|
+
#
|
38
|
+
# Rev 3577
|
39
|
+
|
40
|
+
# Shadowserver C&C List
|
41
|
+
|
42
|
+
|
43
|
+
1.179.136.7
|
44
|
+
103.13.232.232
|
45
|
+
103.16.199.232
|
46
|
+
103.230.84.239
|
47
|
+
103.24.3.198
|
48
|
+
103.241.0.100
|
49
|
+
103.4.52.150
|
50
|
+
103.6.207.37
|
51
|
+
97.107.134.249
|
52
|
+
98.126.44.98
|
53
|
+
98.131.185.136
|
54
|
+
99.181.5.83
|
55
|
+
|
56
|
+
|
57
|
+
#Spamhaus DROP Nets
|
58
|
+
|
59
|
+
|
60
|
+
1.116.0.0/14
|
61
|
+
5.34.242.0/23
|
62
|
+
5.72.0.0/14
|
63
|
+
14.4.0.0/14
|
64
|
+
223.172.0.0/16
|
65
|
+
223.173.0.0/16
|
66
|
+
223.201.0.0/16
|
67
|
+
223.254.0.0/16
|
68
|
+
|
69
|
+
|
70
|
+
#Dshield Top Attackers
|
71
|
+
|
72
|
+
|
73
|
+
162.212.181.0/24
|
74
|
+
184.105.247.0/24
|
75
|
+
218.77.79.0/24
|
76
|
+
216.218.206.0/24
|
77
|
+
194.79.16.0/24
|
78
|
+
141.212.121.0/24
|
79
|
+
74.82.47.0/24
|
80
|
+
14.129.0.0/16
|
@@ -0,0 +1,62 @@
|
|
1
|
+
# Disclaimer - You may not use this list without acceptance of the below:
|
2
|
+
#
|
3
|
+
# No assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts inclusive
|
4
|
+
# of any descriptions in the context field. Use this list at your own risk. By using this list in any capacity or capability you release all claims of
|
5
|
+
# damages and shall not hold or perceive any liablity against the publisher for: damage, unexpected events or results, decision, or reputation damage,
|
6
|
+
# even those resulting from willful or intentional neglect.
|
7
|
+
#
|
8
|
+
# No claims made against this data shall be honored; no assertions have been made about the quality, accuracy, useability, actionability,
|
9
|
+
# reputation, merit, or hostility of the below findings, inclusive of context and nomenclature used to describe the findings.
|
10
|
+
#
|
11
|
+
Jan 03 2014; 64.202.116.125/32; Fiesta EK
|
12
|
+
Jan 03 2014; 67.159.16.250/32; Fiesta EK Gate
|
13
|
+
Jan 03 2014; 69.64.52.64/32; Fiesta EK
|
14
|
+
Jan 03 2014; 212.83.189.84/32; Neutrino EK
|
15
|
+
Jan 03 2014; 193.169.245.76/32; Magnitude EK
|
16
|
+
Jan 06 2014; 193.169.244.179/32; Magnitude EK
|
17
|
+
Jan 06 2014; 81.169.145.162/32; ASPROX/Kuluoz
|
18
|
+
Jan 06 2014; 212.83.191.176/32; Neutrino EK
|
19
|
+
Jan 06 2014; 188.116.34.246/32; Styx Exploit Kit
|
20
|
+
Jan 06 2014; 193.169.244.224/32; Magnitude EK
|
21
|
+
Jan 07 2014; 65.111.171.183/32; Styx/Magnitude EK
|
22
|
+
Jan 07 2014; 178.218.218.21/32; Asprox
|
23
|
+
Jan 07 2014; 194.28.172.163/32; Asprox
|
24
|
+
Jan 07 2014; 60.249.109.45/32; Asprox
|
25
|
+
Jan 08 2014; 212.83.188.39/32; Neutrino EK
|
26
|
+
Jan 09 2014; 193.169.244.228/32; Magnitude EK
|
27
|
+
Jan 09 2014; 46.20.227.195/32; FakeAV/SEO
|
28
|
+
Jan 13 2014; 212.83.186.134/32; Neutrino EK
|
29
|
+
Jan 13 2014; 103.31.186.40/32; Dotka Chef EK
|
30
|
+
Jan 14 2014; 212.83.137.192/32; Neutrino EK
|
31
|
+
Jan 16 2014; 192.95.10.211/32; Nuclear EK
|
32
|
+
Jan 16 2014; 192.95.10.212/32; Nuclear EK
|
33
|
+
Jan 16 2014; 192.95.10.209/32; Nuclear EK
|
34
|
+
Jan 17 2014; 212.83.142.197/32; Neutrino EK
|
35
|
+
Jan 22 2014; 148.251.21.48/32; Zusy C&C
|
36
|
+
Jan 24 2014; 212.83.160.187/32; Neutrino EK
|
37
|
+
Jan 24 2014; 192.95.6.121/32; Nuclear EK
|
38
|
+
Jan 27 2014; 71.18.27.55/32; Goon EK
|
39
|
+
Jan 27 2014; 176.31.24.102/32; Goon EK
|
40
|
+
Jan 27 2014; 46.4.149.201/32; Goon EK
|
41
|
+
Jan 27 2014; 95.211.169.162/32; TDLv4+ Alphaeffects.net see https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-September/020431.html
|
42
|
+
Jan 28 2014; 149.154.64.180/32; [a-z]{3,6}\.pp\.ua DGA cesspool
|
43
|
+
Jan 29 2014; 212.83.162.125/32; Neutrino EK
|
44
|
+
Jan 29 2014; 67.205.117.121/32; Darkleech -- it's back
|
45
|
+
Jan 31 2014; 50.7.248.170/32; Zusy C&C
|
46
|
+
Feb 18 2014; 67.228.43.248/32; Goon EK jhls.com.br
|
47
|
+
Feb 18 2014; 212.83.165.96/32; Neutrino EK
|
48
|
+
Feb 18 2014; 212.83.166.174/32; Neutrino EK
|
49
|
+
Feb 18 2014; 89.45.14.0/24; Infinity/Redkit2/Goon EK landing or EK gate.
|
50
|
+
Feb 20 2014; 209.239.113.39/32; Phoenix EK
|
51
|
+
Feb 20 2014; 31.41.221.130/32; Nuclear EK
|
52
|
+
Feb 25 2014; 64.120.137.0/27; TDS EK redirect /27 WHOIS allocated on Hostnoc
|
53
|
+
Feb 27 2014; 64.202.116.124/32; counter.php?id= gate
|
54
|
+
Feb 27 2014; 216.155.145.105/32; Phoenix EK
|
55
|
+
Feb 27 2014; 216.155.145.96/28; Magnitude EK
|
56
|
+
Mar 03 2014; 85.17.23.216/32; Fake Flash/8x8 byte gate possible Andromeda gang
|
57
|
+
Mar 05 2014; 190.123.47.198/32; Unknown 16-byte JavaScript EK initial landing
|
58
|
+
Mar 11 2014; 23.229.34.64/26; yellowtailmedia/rfpmedia TDLv4+ malvertising and payload
|
59
|
+
Jun 30 2014; 83.166.234.0/24; Hostile cesspool network with repeated hosting the WxH Sweet Orange redirector
|
60
|
+
Aug 06 2014; 70.186.131.0/24; Win32/BrowseFox.H C&Cs
|
61
|
+
|
62
|
+
|
@@ -0,0 +1,18 @@
|
|
1
|
+
|
2
|
+
###
|
3
|
+
# Alienvault IP Reputation Database
|
4
|
+
# https://reputation.alienvault.com/
|
5
|
+
###
|
6
|
+
|
7
|
+
# Generic format
|
8
|
+
|
9
|
+
37.205.198.162 # Scanning Host IT,,42.8333015442,12.8332996368
|
10
|
+
182.131.22.235 # Scanning Host CN,Chengdu,30.6667003632,104.066703796
|
11
|
+
58.250.71.43 # Scanning Host CN,Guangzhou,23.1166992188,113.25
|
12
|
+
211.160.19.250 # Scanning Host CN,Hang,30.2936000824,120.161399841
|
13
|
+
203.121.165.16 # C&C TH,,15.0,100.0
|
14
|
+
211.151.57.196 # Scanning Host CN,Beijing,39.9289016724,116.388298035
|
15
|
+
108.59.1.5 # Scanning Host A1,,0.0,0.0
|
16
|
+
108.59.5.139 # Scanning Host US,,39.6734008789,-75.7052001953
|
17
|
+
108.85.139.165 # Scanning Host US,Los Angeles,34.043800354,-118.251197815
|
18
|
+
109.169.60.121 # Scanning Host US,,38.0,-97.0
|
@@ -0,0 +1,16 @@
|
|
1
|
+
190.255.48.99 2257.0
|
2
|
+
91.217.82.135 1984.0
|
3
|
+
113.31.19.111 1832.0
|
4
|
+
125.65.112.133 1714.0
|
5
|
+
204.93.219.147 1408.0
|
6
|
+
46.20.10.101 1295.0
|
7
|
+
85.25.191.144 1198.0
|
8
|
+
199.119.227.17 1168.0
|
9
|
+
58.26.187.6 1135.0
|
10
|
+
221.2.227.118 1.0
|
11
|
+
186.18.67.167 1.0
|
12
|
+
190.248.54.165 1.0
|
13
|
+
186.169.181.150 1.0
|
14
|
+
186.22.21.101 1.0
|
15
|
+
186.113.86.157 1.0
|
16
|
+
other 0
|
@@ -0,0 +1,20 @@
|
|
1
|
+
Shunlist as of Mon, 21 Jul 2014 13:30:02 -0500
|
2
|
+
1.93.25.165,2014-07-11 09:58:15,SSH Brute Force
|
3
|
+
1.93.26.130,2014-07-14 09:55:26,SSH Brute Force
|
4
|
+
1.93.30.188,2014-07-09 08:36:42,SSH Brute Force
|
5
|
+
1.93.34.230,2014-07-16 08:01:23,SSH Brute Force
|
6
|
+
1.169.130.159,2014-07-07 23:10:08,Attempted MS SQL Server version enumeration
|
7
|
+
1.214.212.74,2014-07-09 03:35:12,SSH Brute Force
|
8
|
+
1.235.28.170,2014-07-16 03:13:39,SSH Brute Force
|
9
|
+
2.133.208.102,2014-07-16 23:48:25,Malware Distribution Site
|
10
|
+
2.184.57.192,2014-07-21 02:26:17,Teminal Server (RDP) brute force
|
11
|
+
4.31.171.50,2014-07-07 06:58:50,Sipvicious Scan
|
12
|
+
5.1.13.241,2014-07-16 23:48:23,Malware Distribution Site
|
13
|
+
5.104.226.12,2014-07-16 09:01:23,SSH Brute Force
|
14
|
+
5.135.112.45,2014-07-21 08:01:22,Sipvicious Scan
|
15
|
+
5.135.176.35,2014-07-12 16:18:47,SSH Brute Force
|
16
|
+
5.148.172.116,2014-07-07 06:58:09,SSH Brute Force
|
17
|
+
5.159.232.139,2014-07-07 06:58:09,SSH Brute Force
|
18
|
+
5.178.71.246,2014-07-20 21:16:07,SSH Brute Force
|
19
|
+
5.199.165.189,2014-07-19 05:48:09,Sipvicious Scan
|
20
|
+
5.199.166.61,2014-07-20 08:06:28,Sipvicious Scan
|
@@ -0,0 +1,30 @@
|
|
1
|
+
#############################################################
|
2
|
+
## Master Feed of known, active and non-sinkholed C&Cs domain
|
3
|
+
## names
|
4
|
+
##
|
5
|
+
## Feed generated at: 2014-11-03 16:36
|
6
|
+
##
|
7
|
+
## Feed Provided By: John Bambenek of Bambenek Consulting
|
8
|
+
## jcb@bambenekconsulting.com // http://bambenekconsulting.com
|
9
|
+
## Use of this feed is governed by the license here:
|
10
|
+
## http://osint.bambenekconsulting.com/license.txt
|
11
|
+
##
|
12
|
+
## For more information on this feed go to:
|
13
|
+
## http://osint.bambenekconsulting.com/manual/c2-dommasterlist.txt
|
14
|
+
##
|
15
|
+
## All times are in UTC
|
16
|
+
#############################################################
|
17
|
+
o5bt6e1jnpq906zrnmj8wqzrq.net,Domain used by GOZ,2014-11-03 16:33,http://osint.bambenekconsulting.com/manual/goz-iplist.txt
|
18
|
+
1bzy3oc1hd8aofsudjpuzge4qq.net,Domain used by GOZ,2014-11-03 16:33,http://osint.bambenekconsulting.com/manual/goz-iplist.txt
|
19
|
+
15g39fiel3aemyw14eo1i412vo.com,Domain used by GOZ,2014-11-03 16:33,http://osint.bambenekconsulting.com/manual/goz-iplist.txt
|
20
|
+
chairexamineeye.com,Domain used by matsnu,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt
|
21
|
+
distancejoborder.com,Domain used by matsnu,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt
|
22
|
+
objectsecuredoor.com,Domain used by matsnu,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt
|
23
|
+
researchbuilding.com,Domain used by matsnu,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt
|
24
|
+
softwareperfect.com,Domain used by matsnu,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt
|
25
|
+
varietyspeakwall.com,Domain used by matsnu,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt
|
26
|
+
measeodirc.com,Domain used by pushdo,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/pushdo-iplist.txt
|
27
|
+
ebfchfbqetts.com,Domain used by tinba,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/tinba-iplist.txt
|
28
|
+
edckdgwgtytw.com,Domain used by tinba,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/tinba-iplist.txt
|
29
|
+
eidchpddeqmt.com,Domain used by tinba,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/tinba-iplist.txt
|
30
|
+
hhvohslwvpww.ru,Domain used by tinba,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/tinba-iplist.txt
|
@@ -0,0 +1,27 @@
|
|
1
|
+
#############################################################
|
2
|
+
## Master Feed of known, active and non-sinkholed C&Cs IP
|
3
|
+
## addresses
|
4
|
+
##
|
5
|
+
## Feed generated at: 2014-11-03 16:46
|
6
|
+
##
|
7
|
+
## Feed Provided By: John Bambenek of Bambenek Consulting
|
8
|
+
## jcb@bambenekconsulting.com // http://bambenekconsulting.com
|
9
|
+
## Use of this feed is governed by the license here:
|
10
|
+
## http://osint.bambenekconsulting.com/license.txt
|
11
|
+
##
|
12
|
+
## For more information on this feed go to:
|
13
|
+
## http://osint.bambenekconsulting.com/manual/c2-ipmasterlist.txt
|
14
|
+
##
|
15
|
+
## All times are in UTC
|
16
|
+
#############################################################
|
17
|
+
103.241.144.184,IP used by GOZ C&C,2014-11-03 16:43,http://osint.bambenekconsulting.com/manual/goz-iplist.txt
|
18
|
+
122.166.11.34,IP used by GOZ C&C,2014-11-03 16:43,http://osint.bambenekconsulting.com/manual/goz-iplist.txt
|
19
|
+
156.56.179.160,IP used by GOZ C&C,2014-11-03 16:43,http://osint.bambenekconsulting.com/manual/goz-iplist.txt
|
20
|
+
70.32.74.243,IP used by matsnu C&C,2014-11-03 16:40,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt
|
21
|
+
186.194.174.101,IP used by matsnu C&C,2014-11-03 16:40,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt
|
22
|
+
192.64.147.150,IP used by matsnu C&C,2014-11-03 16:40,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt
|
23
|
+
200.41.119.92,IP used by matsnu C&C,2014-11-03 16:40,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt
|
24
|
+
212.175.66.70,IP used by matsnu C&C,2014-11-03 16:40,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt
|
25
|
+
141.8.224.169,IP used by pushdo C&C,2014-11-03 16:40,http://osint.bambenekconsulting.com/manual/pushdo-iplist.txt
|
26
|
+
46.254.17.36,IP used by tinba C&C,2014-11-03 16:40,http://osint.bambenekconsulting.com/manual/tinba-iplist.txt
|
27
|
+
82.165.37.127,IP used by tinba C&C,2014-11-03 16:40,http://osint.bambenekconsulting.com/manual/tinba-iplist.txt
|
@@ -0,0 +1,42 @@
|
|
1
|
+
#############################################################
|
2
|
+
## Domain feed of known DGA domains from -2 to +3 days
|
3
|
+
##
|
4
|
+
## Feed generated at: Mon Nov 3 00:15:01 UTC 2014
|
5
|
+
##
|
6
|
+
## Feed Provided By: John Bambenek of Bambenek Consulting
|
7
|
+
## jcb@bambenekconsulting.com // http://bambenekconsulting.com
|
8
|
+
##
|
9
|
+
## Use of this feed is governed by the license here:
|
10
|
+
## http://osint.bambenekconsulting.com/license.txt
|
11
|
+
## For more information on this feed go to:
|
12
|
+
## http://osint.bambenekconsulting.com/manual/dga-feed.txt
|
13
|
+
##
|
14
|
+
#############################################################
|
15
|
+
shlseqvjbqhmxtw.com,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
16
|
+
tlqthvpenlvsoij.net,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
17
|
+
jfwinsmxrfpuxbq.biz,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
18
|
+
wucvibyhpimbwgx.ru,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
19
|
+
kayamdnyujjhoun.org,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
20
|
+
xpenhlaismgnwjm.co.uk,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
21
|
+
fnbkaamjtgdrcsk.info,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
22
|
+
sdgxuiysrjaxbqv.com,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
23
|
+
gidcyknkwkweafq.net,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
24
|
+
txiptsatuntkimt.biz,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
25
|
+
rjfifeogqukyjdw.ru,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
26
|
+
snkjimyuojqnasv.org,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
27
|
+
sehaeophtyelail.co.uk,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
28
|
+
timbhwavrnkaaks.info,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
29
|
+
nrjkrlorsvxvcoj.com,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
30
|
+
ovolutygqkekswm.net,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
31
|
+
omlcqvpsvariamh.biz,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
32
|
+
pqqdteahtoxwahs.ru,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
33
|
+
xhwonhwdkiaujib.org,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
34
|
+
lwccimspwrojrdj.co.uk,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
35
|
+
ayyrjrxqlsltjwh.info,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
36
|
+
noefewtdxcaiifh.com,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
37
|
+
tpbqaowomjnrnwe.net,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
38
|
+
hfgeutsbyscgvkq.biz,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
39
|
+
vhdtvyxcntyqukb.ru,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
40
|
+
jwihqetoadnftlf.org,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
41
|
+
glfofsywjxmhrxx.co.uk,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
42
|
+
hpkpixsrvsbnrdx.info,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt
|
@@ -0,0 +1,29 @@
|
|
1
|
+
-----BEGIN PGP SIGNED MESSAGE-----
|
2
|
+
Hash: SHA1
|
3
|
+
|
4
|
+
LIST_GENERATION_TIME: 1404398100
|
5
|
+
|
6
|
+
HOSTILE_IP: 116.10.191.182 LAST_SEEN: 1403615662
|
7
|
+
HOSTILE_IP: 61.174.51.196 LAST_SEEN: 1404375289
|
8
|
+
HOSTILE_IP: 61.174.51.222 LAST_SEEN: 1404148214
|
9
|
+
HOSTILE_IP: 222.186.56.106 LAST_SEEN: 1403213378
|
10
|
+
HOSTILE_IP: 116.10.191.195 LAST_SEEN: 1404312629
|
11
|
+
HOSTILE_IP: 116.10.191.187 LAST_SEEN: 1403615573
|
12
|
+
HOSTILE_IP: 128.199.221.93 LAST_SEEN: 1403190519
|
13
|
+
HOSTILE_IP: 116.10.191.215 LAST_SEEN: 1404397785
|
14
|
+
HOSTILE_IP: 150.140.141.107 LAST_SEEN: 1403394797
|
15
|
+
HOSTILE_IP: 116.10.191.201 LAST_SEEN: 1403601842
|
16
|
+
HOSTILE_IP: 110.45.244.147 LAST_SEEN: 1404236724
|
17
|
+
HOSTILE_IP: 212.90.33.127 LAST_SEEN: 1404377393
|
18
|
+
HOSTILE_IP: 122.224.9.32 LAST_SEEN: 1404386486
|
19
|
+
HOSTILE_IP: 144.0.0.22 LAST_SEEN: 1404389169
|
20
|
+
HOSTILE_IP: 113.171.10.12 LAST_SEEN: 1404391045
|
21
|
+
HOSTILE_IP: 222.186.15.86 LAST_SEEN: 1404391047
|
22
|
+
|
23
|
+
-----BEGIN PGP SIGNATURE-----
|
24
|
+
Version: GnuPG v2.0.22 (FreeBSD)
|
25
|
+
|
26
|
+
iEYEARECAAYFAlO1ahUACgkQUqmAXhGE1wQBtgCg1XspfLGXU9TAL+rJCVALNhVL
|
27
|
+
WC8An3f2I2RWeu1sa8QaUEvUiiUOprt4
|
28
|
+
=244H
|
29
|
+
-----END PGP SIGNATURE-----
|
@@ -0,0 +1,7 @@
|
|
1
|
+
# Bitcash auto-blacklisting by carlos@bitcash.cz
|
2
|
+
# IPs banned for serious abusing of our services (scanning, sniffing, harvesting, dos attacks)
|
3
|
+
107.22.93.75 # ec2-107-22-93-75.compute-1.amazonaws.com last access 2014-07-30 01:45:02
|
4
|
+
195.98.179.106 # broadband-195-98-179-106.2com.net last access 2014-09-02 17:01:01
|
5
|
+
89.223.47.197 # 89.223.47.197 last access 2014-09-21 13:47:02
|
6
|
+
|
7
|
+
|
@@ -0,0 +1,17 @@
|
|
1
|
+
106.187.47.170
|
2
|
+
107.150.59.170
|
3
|
+
107.23.78.119
|
4
|
+
108.59.252.133
|
5
|
+
109.197.193.202
|
6
|
+
109.200.1.211
|
7
|
+
109.228.235.167
|
8
|
+
109.70.54.11
|
9
|
+
110.168.195.5
|
10
|
+
110.44.123.159
|
11
|
+
110.77.136.102
|
12
|
+
23.91.115.60
|
13
|
+
24.114.29.162
|
14
|
+
2a00:1210:fffe:72::1
|
15
|
+
2a01:238:20a:202:1000::25
|
16
|
+
31.23.230.60
|
17
|
+
31.28.99.108
|
@@ -0,0 +1,15 @@
|
|
1
|
+
1.23.110.131
|
2
|
+
101.255.170.18
|
3
|
+
101.66.202.183
|
4
|
+
101.66.204.111
|
5
|
+
101.66.251.72
|
6
|
+
101.71.196.164
|
7
|
+
101.78.144.2
|
8
|
+
103.18.80.99
|
9
|
+
103.20.220.205
|
10
|
+
200.93.43.157
|
11
|
+
200.93.92.234
|
12
|
+
2001:250:4001:4001:e23f:49ff:fe44:595c
|
13
|
+
2002:5bbc:75c1::5bbc:75c1
|
14
|
+
201.144.141.194
|
15
|
+
201.18.145.149
|