shadowbq-threatinator 0.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/CHANGELOG.md +66 -0
- data/CONTRIBUTING.md +119 -0
- data/Gemfile +38 -0
- data/LICENSE +165 -0
- data/README.md +101 -0
- data/Rakefile +47 -0
- data/VERSION +1 -0
- data/bin/threatinator +5 -0
- data/bin/threatinator_loader +21 -0
- data/feeds/ET_block-ip_reputation.feed +27 -0
- data/feeds/ET_compromised-ip_reputation.feed +20 -0
- data/feeds/ET_openbadlist-ip_reputation.feed +36 -0
- data/feeds/alienvault-ip_reputation.feed +39 -0
- data/feeds/arbor_fastflux-domain_reputation.feed +19 -0
- data/feeds/arbor_ssh-ip_reputation.feed +24 -0
- data/feeds/autoshun_shunlist.feed +17 -0
- data/feeds/bambenek_c2_masterlist-domain_reputation.feed +16 -0
- data/feeds/bambenek_c2_masterlist-ip_reputation.feed +16 -0
- data/feeds/bambenek_dga_feed-domain_reputation.feed +16 -0
- data/feeds/berkeley-ip_reputation.feed +25 -0
- data/feeds/bitcash_cz_blacklist.feed +22 -0
- data/feeds/blocklist_de_apache-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_bots-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_ftp-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_imap-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_pop3-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_proftpd-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_sip-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_ssh-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_strongips-ip_reputation.feed +25 -0
- data/feeds/botscout-ip_reputation.feed +25 -0
- data/feeds/cert_mxpoison-ip_reputation.feed +22 -0
- data/feeds/chaosreigns-ip_reputation.feed +37 -0
- data/feeds/ciarmy-ip_reputation.feed +20 -0
- data/feeds/cruzit-ip_reputation.feed +30 -0
- data/feeds/cydef_torexit-ip_reputation.feed +25 -0
- data/feeds/dan_me_uk_torlist-ip_reputation.feed +25 -0
- data/feeds/danger_bruteforce-ip_reputation.feed +24 -0
- data/feeds/dshield_attackers-top1000.feed +34 -0
- data/feeds/falconcrest-ip_reputation.feed +19 -0
- data/feeds/feodo-domain_reputation.feed +19 -0
- data/feeds/feodo-ip_reputation.feed +20 -0
- data/feeds/h3x_asprox.feed +18 -0
- data/feeds/hosts-file_hphostspartial-domain_reputation.feed +19 -0
- data/feeds/infiltrated-ip_reputation.feed +26 -0
- data/feeds/infiltrated_vabl-ip_reputation.feed +30 -0
- data/feeds/isc_suspicious_high-domain_reputation.feed +26 -0
- data/feeds/isc_suspicious_low-domain_reputation.feed +26 -0
- data/feeds/isc_suspicious_medium-domain_reputation.feed +26 -0
- data/feeds/malc0de-domain_reputation.feed +24 -0
- data/feeds/malc0de-ip_reputation.feed +26 -0
- data/feeds/malwaredomainlist-url_reputation.feed +18 -0
- data/feeds/malwaredomains-domain_reputation.feed +29 -0
- data/feeds/malwaredomains_dyndns-domain_reputation.feed +29 -0
- data/feeds/malwaredomains_justdomains-domain_reputation.feed +20 -0
- data/feeds/mirc-domain_reputation.feed +30 -0
- data/feeds/multiproxy-ip_reputation.feed +22 -0
- data/feeds/nothink_irc-ip_reputation.feed +23 -0
- data/feeds/nothink_ssh-ip_reputation.feed +21 -0
- data/feeds/openbl-ip_reputation.feed +21 -0
- data/feeds/openphish-url_reputation.feed +24 -0
- data/feeds/packetmail_perimeterbad-ip_reputation.feed +28 -0
- data/feeds/palevo-domain_reputation.feed +22 -0
- data/feeds/palevo-ip_reputation.feed +23 -0
- data/feeds/phishtank.feed +22 -0
- data/feeds/sigmaproject_atma.feed +27 -0
- data/feeds/sigmaproject_spyware.feed +28 -0
- data/feeds/sigmaproject_webexploit.feed +26 -0
- data/feeds/snort_bpf-ip_reputation.feed +19 -0
- data/feeds/spyeye-domain_reputation.feed +18 -0
- data/feeds/spyeye-ip_reputation.feed +19 -0
- data/feeds/steeman-ip_reputation.feed +20 -0
- data/feeds/t-arend-de_ssh-ip_reputation.feed +20 -0
- data/feeds/the_haleys_ssh-ip_reputation.feed +20 -0
- data/feeds/trustedsec-ip_reputation.feed +18 -0
- data/feeds/virbl-ip_reputation.feed +25 -0
- data/feeds/vxvault-url_reputation.feed +23 -0
- data/feeds/yourcmc_ssh-ip_reputation.feed +20 -0
- data/feeds/yoyo_adservers-domain_reputation.feed +17 -0
- data/feeds/zeus-domain_reputation.feed +19 -0
- data/feeds/zeus-ip_reputation.feed +21 -0
- data/lib/threatinator/action.rb +14 -0
- data/lib/threatinator/actions/list/action.rb +97 -0
- data/lib/threatinator/actions/list/config.rb +12 -0
- data/lib/threatinator/actions/list.rb +2 -0
- data/lib/threatinator/actions/run/action.rb +57 -0
- data/lib/threatinator/actions/run/config.rb +32 -0
- data/lib/threatinator/actions/run/coverage_observer.rb +59 -0
- data/lib/threatinator/actions/run/output_config.rb +59 -0
- data/lib/threatinator/actions/run/status_observer.rb +37 -0
- data/lib/threatinator/actions/run.rb +2 -0
- data/lib/threatinator/cli/action_builder.rb +33 -0
- data/lib/threatinator/cli/list_action_builder.rb +19 -0
- data/lib/threatinator/cli/parser.rb +123 -0
- data/lib/threatinator/cli/run_action_builder.rb +41 -0
- data/lib/threatinator/cli.rb +19 -0
- data/lib/threatinator/config/base.rb +35 -0
- data/lib/threatinator/config/feed_search.rb +25 -0
- data/lib/threatinator/config/logger.rb +14 -0
- data/lib/threatinator/config.rb +7 -0
- data/lib/threatinator/decoder.rb +24 -0
- data/lib/threatinator/decoders/gzip.rb +30 -0
- data/lib/threatinator/event.rb +63 -0
- data/lib/threatinator/event_builder.rb +70 -0
- data/lib/threatinator/exceptions.rb +58 -0
- data/lib/threatinator/feed.rb +88 -0
- data/lib/threatinator/feed_builder.rb +161 -0
- data/lib/threatinator/feed_registry.rb +47 -0
- data/lib/threatinator/feed_runner.rb +177 -0
- data/lib/threatinator/fetcher.rb +22 -0
- data/lib/threatinator/fetchers/http.rb +50 -0
- data/lib/threatinator/filter.rb +12 -0
- data/lib/threatinator/filters/block.rb +18 -0
- data/lib/threatinator/filters/comments.rb +16 -0
- data/lib/threatinator/filters/whitespace.rb +19 -0
- data/lib/threatinator/logger.rb +66 -0
- data/lib/threatinator/logging.rb +20 -0
- data/lib/threatinator/model/base.rb +23 -0
- data/lib/threatinator/model/collection.rb +89 -0
- data/lib/threatinator/model/observables/fqdn_collection.rb +15 -0
- data/lib/threatinator/model/observables/ipv4.rb +33 -0
- data/lib/threatinator/model/observables/ipv4_collection.rb +14 -0
- data/lib/threatinator/model/observables/url_collection.rb +16 -0
- data/lib/threatinator/model/validations/type.rb +21 -0
- data/lib/threatinator/model/validations.rb +1 -0
- data/lib/threatinator/output.rb +50 -0
- data/lib/threatinator/parser.rb +23 -0
- data/lib/threatinator/parsers/csv/parser.rb +77 -0
- data/lib/threatinator/parsers/csv.rb +7 -0
- data/lib/threatinator/parsers/getline/parser.rb +45 -0
- data/lib/threatinator/parsers/getline.rb +8 -0
- data/lib/threatinator/parsers/json/adapters/oj.rb +65 -0
- data/lib/threatinator/parsers/json/parser.rb +45 -0
- data/lib/threatinator/parsers/json/record.rb +20 -0
- data/lib/threatinator/parsers/json.rb +8 -0
- data/lib/threatinator/parsers/xml/node.rb +79 -0
- data/lib/threatinator/parsers/xml/node_builder.rb +39 -0
- data/lib/threatinator/parsers/xml/parser.rb +44 -0
- data/lib/threatinator/parsers/xml/path.rb +70 -0
- data/lib/threatinator/parsers/xml/pattern.rb +53 -0
- data/lib/threatinator/parsers/xml/record.rb +14 -0
- data/lib/threatinator/parsers/xml/sax_document.rb +64 -0
- data/lib/threatinator/parsers/xml.rb +8 -0
- data/lib/threatinator/plugin_loader.rb +115 -0
- data/lib/threatinator/plugins/output/amqp/config.rb +18 -0
- data/lib/threatinator/plugins/output/amqp.rb +41 -0
- data/lib/threatinator/plugins/output/csv.rb +58 -0
- data/lib/threatinator/plugins/output/json/config.rb +14 -0
- data/lib/threatinator/plugins/output/json.rb +53 -0
- data/lib/threatinator/plugins/output/null.rb +17 -0
- data/lib/threatinator/plugins/output/rubydebug.rb +16 -0
- data/lib/threatinator/record.rb +22 -0
- data/lib/threatinator/registry.rb +53 -0
- data/lib/threatinator/util.rb +15 -0
- data/lib/threatinator.rb +3 -0
- data/spec/feeds/ET_block-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ET_compromised-ip_reputation_spec.rb +47 -0
- data/spec/feeds/ET_openbadlist-ip_reputation_spec.rb +56 -0
- data/spec/feeds/alienvault-ip_reputation_spec.rb +46 -0
- data/spec/feeds/arbor_fastflux-domain_reputation_spec.rb +46 -0
- data/spec/feeds/arbor_ssh-ip_reputation_spec.rb +46 -0
- data/spec/feeds/autoshun_shunlist_spec.rb +38 -0
- data/spec/feeds/bambenek_c2_masterlist-domain_reputation_spec.rb +38 -0
- data/spec/feeds/bambenek_c2_masterlist-ip_reputation_spec.rb +39 -0
- data/spec/feeds/bambenek_dga_feed-domain_reputation_spec.rb +39 -0
- data/spec/feeds/berkeley-ip_reputation_spec.rb +47 -0
- data/spec/feeds/bitcash_cz_blacklist-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_apache-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_bots-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_ftp-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_imap-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_pop3-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_proftpd-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_sip-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_strongips-ip_reputation_spec.rb +47 -0
- data/spec/feeds/botscout-ip_reputation_spec.rb +50 -0
- data/spec/feeds/cert_mxpoison-ip_reputation_spec.rb +47 -0
- data/spec/feeds/chaosreigns-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ciarmy-ip_reputation_spec.rb +47 -0
- data/spec/feeds/cruzit-ip_reputation_spec.rb +47 -0
- data/spec/feeds/cydef_torexit-ip_reputation_spec.rb +47 -0
- data/spec/feeds/dan_me_uk_torlist-ip_reputation_spec.rb +47 -0
- data/spec/feeds/danger_bruteforce-ip_reputation_spec.rb +47 -0
- data/spec/feeds/data/ET_block-ip_reputation.txt +80 -0
- data/spec/feeds/data/ET_compromised-ip_reputation.txt +11 -0
- data/spec/feeds/data/ET_openbadlist-ip_reputation.txt +62 -0
- data/spec/feeds/data/alienvault-ip_reputation.txt +18 -0
- data/spec/feeds/data/arbor_domainlist.txt +11 -0
- data/spec/feeds/data/arbor_ssh.txt +16 -0
- data/spec/feeds/data/autoshun_shunlist.csv +20 -0
- data/spec/feeds/data/bambenek_c2-dommasterlist.csv +30 -0
- data/spec/feeds/data/bambenek_c2-ipmasterlist.csv +27 -0
- data/spec/feeds/data/bambenek_dga_feed.csv +42 -0
- data/spec/feeds/data/berkeley.txt +29 -0
- data/spec/feeds/data/bitcash_cz_blacklist.txt +7 -0
- data/spec/feeds/data/blocklist_de_apache-ip-reputation.txt +17 -0
- data/spec/feeds/data/blocklist_de_bots-ip-reputation.txt +15 -0
- data/spec/feeds/data/blocklist_de_ftp-ip-reputation.txt +7 -0
- data/spec/feeds/data/blocklist_de_imap-ip-reputation.txt +8 -0
- data/spec/feeds/data/blocklist_de_pop3-ip-reputation.txt +11 -0
- data/spec/feeds/data/blocklist_de_proftpd-ip-reputation.txt +12 -0
- data/spec/feeds/data/blocklist_de_sip-ip-reputation.txt +9 -0
- data/spec/feeds/data/blocklist_de_ssh-ip-reputation.txt +10 -0
- data/spec/feeds/data/blocklist_de_strongips-ip-reputation.txt +11 -0
- data/spec/feeds/data/botscout-ip-reputation.txt +713 -0
- data/spec/feeds/data/cert_mxpoison-ip_reputation.txt +17 -0
- data/spec/feeds/data/chaosreigns-ip-reputation.txt +26 -0
- data/spec/feeds/data/ciarmy-ip-reputation.txt +11 -0
- data/spec/feeds/data/cruzit-ip-reputation.txt +14 -0
- data/spec/feeds/data/cydef_torexit-ip_reputation.txt +27 -0
- data/spec/feeds/data/dan_me_uk_torlist-ip-reputation.txt +11 -0
- data/spec/feeds/data/danger_bruteforce-ip_reputation.txt +12 -0
- data/spec/feeds/data/dshield_topattackers.xml +4 -0
- data/spec/feeds/data/falconcrest_iplist.txt +345 -0
- data/spec/feeds/data/feodo_domainlist.txt +18 -0
- data/spec/feeds/data/feodo_iplist.txt +20 -0
- data/spec/feeds/data/h3x_asprox.txt +20 -0
- data/spec/feeds/data/hosts-file_hphostspartial_domainlist.txt +24 -0
- data/spec/feeds/data/infiltrated_iplist.txt +16 -0
- data/spec/feeds/data/infiltrated_vabl_iplist.txt +33 -0
- data/spec/feeds/data/isc_suspicious_high_domainlist.txt +26 -0
- data/spec/feeds/data/isc_suspicious_low_domainlist.txt +34 -0
- data/spec/feeds/data/isc_suspicious_medium_domainlist.txt +32 -0
- data/spec/feeds/data/malc0de_domainlist.txt +18 -0
- data/spec/feeds/data/malc0de_iplist.txt +14 -0
- data/spec/feeds/data/malwaredomainlist-url-reputation.txt +8 -0
- data/spec/feeds/data/malwaredomains_domainlist.txt +24 -0
- data/spec/feeds/data/malwaredomains_dyndns_domainlist.txt +34 -0
- data/spec/feeds/data/malwaredomains_justdomains_domainlist.txt +18 -0
- data/spec/feeds/data/mirc_domainlist.txt +31 -0
- data/spec/feeds/data/multiproxy_iplist.txt +15 -0
- data/spec/feeds/data/nothink_irc_iplist.txt +14 -0
- data/spec/feeds/data/nothink_ssh_iplist.txt +10 -0
- data/spec/feeds/data/openbl_iplist.txt +12 -0
- data/spec/feeds/data/openphish-url-reputation.txt +16 -0
- data/spec/feeds/data/packetmail_perimeterbad-ip_reputation.txt +44 -0
- data/spec/feeds/data/palevo_domainlist.txt +25 -0
- data/spec/feeds/data/palevo_iplist.txt +24 -0
- data/spec/feeds/data/phishtank-sample.json.gz +0 -0
- data/spec/feeds/data/sigmaproject_atma.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_spyware.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_webexploit.return.gz +0 -0
- data/spec/feeds/data/snort_bpf-ip_reputation.txt +16 -0
- data/spec/feeds/data/spyeye_domainlist.txt +16 -0
- data/spec/feeds/data/spyeye_iplist.txt +19 -0
- data/spec/feeds/data/steeman-ip-reputation.txt +13 -0
- data/spec/feeds/data/t-arend-de_ssh_iplist.txt +17 -0
- data/spec/feeds/data/the_haleys_ssh_iplist.txt +12 -0
- data/spec/feeds/data/trustedsec-ip-reputation.txt +12 -0
- data/spec/feeds/data/valid.json +2908 -0
- data/spec/feeds/data/virbl-ip_reputation.txt +14 -0
- data/spec/feeds/data/vxvault-url-reputation.txt +15 -0
- data/spec/feeds/data/yourcmc_ssh-ip_reputation.txt +27 -0
- data/spec/feeds/data/yoyo_adservers.txt +25 -0
- data/spec/feeds/data/zeus-ip_reputation.txt +285 -0
- data/spec/feeds/data/zeus_domainlist.txt +27 -0
- data/spec/feeds/dshield_attackers-top1000_spec.rb +39 -0
- data/spec/feeds/falconcrest-ip_reputation_spec.rb +39 -0
- data/spec/feeds/feodo-domain_reputation_spec.rb +47 -0
- data/spec/feeds/feodo-ip_reputation_spec.rb +47 -0
- data/spec/feeds/h3x_asprox-ip_reputation_spec.rb +50 -0
- data/spec/feeds/hosts-file_hphostspartial-domain_reputation_spec.rb +47 -0
- data/spec/feeds/infiltrated-ip_reputation_spec.rb +47 -0
- data/spec/feeds/infiltrated_vabl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_high-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_low-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_medium-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malc0de-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malc0de-ip_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomainlist_url_reputation_spec.rb +50 -0
- data/spec/feeds/malwaredomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_dyndns-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_justdomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/mirc-domain_reputation_spec.rb +47 -0
- data/spec/feeds/multiproxy-ip_reputation_spec.rb +47 -0
- data/spec/feeds/nothink_irc-ip_reputation_spec.rb +47 -0
- data/spec/feeds/nothink_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/openbl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/openphish_url_reputation_spec.rb +50 -0
- data/spec/feeds/packetmail_perimeterbad-ip_reputation_spec.rb +47 -0
- data/spec/feeds/palevo-domain_reputation_spec.rb +47 -0
- data/spec/feeds/palevo-ip_reputation_spec.rb +47 -0
- data/spec/feeds/phishtank_spec.rb +41 -0
- data/spec/feeds/sigmaproject_atma_spec.rb +62 -0
- data/spec/feeds/sigmaproject_spyware_spec.rb +63 -0
- data/spec/feeds/sigmaproject_webexploit_spec.rb +62 -0
- data/spec/feeds/snort_bpf-ip_reputation_spec.rb +47 -0
- data/spec/feeds/spyeye-domain_reputation_spec.rb +47 -0
- data/spec/feeds/spyeye-ip_reputation_spec.rb +47 -0
- data/spec/feeds/steeman-ip_reputation_spec.rb +50 -0
- data/spec/feeds/t-arend-de_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/the_haleys_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/trustedsec-ip_reputation_spec.rb +47 -0
- data/spec/feeds/virbl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/vxvault_url_reputation_spec.rb +50 -0
- data/spec/feeds/yourcmc_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/yoyo_adservers_spec.rb +47 -0
- data/spec/feeds/zeus-domain_reputation_spec.rb +47 -0
- data/spec/feeds/zeus-ip_reputation_spec.rb +47 -0
- data/spec/fixtures/feed/provider1/feed1.feed +6 -0
- data/spec/fixtures/parsers/test.xml +13 -0
- data/spec/fixtures/parsers/test_self_closing.xml +20 -0
- data/spec/fixtures/plugins/bad/threatinator/plugins/test_error1/plugin.rb +1 -0
- data/spec/fixtures/plugins/bad/threatinator/plugins/test_missing1/plugin.rb +0 -0
- data/spec/fixtures/plugins/fake.rb +19 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type1/plugin_a.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type1/plugin_b.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type2/plugin_c.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type2/plugin_d.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type3/plugin_e.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type3/plugin_f.rb +8 -0
- data/spec/spec_helper.rb +54 -0
- data/spec/support/bad_feeds/missing_fetcher.feed +7 -0
- data/spec/support/bad_feeds/missing_name.feed +6 -0
- data/spec/support/bad_feeds/missing_parser.feed +3 -0
- data/spec/support/bad_feeds/missing_provider.feed +5 -0
- data/spec/support/factories/event.rb +31 -0
- data/spec/support/factories/feed.rb +59 -0
- data/spec/support/factories/feed_builder.rb +65 -0
- data/spec/support/factories/feed_registry.rb +8 -0
- data/spec/support/factories/ipv4.rb +36 -0
- data/spec/support/factories/output.rb +11 -0
- data/spec/support/factories/record.rb +17 -0
- data/spec/support/factories/url.rb +34 -0
- data/spec/support/factories/xml_node.rb +33 -0
- data/spec/support/helpers/io.rb +11 -0
- data/spec/support/helpers/models.rb +13 -0
- data/spec/support/shared/action_builder.rb +47 -0
- data/spec/support/shared/decoder.rb +70 -0
- data/spec/support/shared/feed_runner_observer.rb +136 -0
- data/spec/support/shared/feeds.rb +233 -0
- data/spec/support/shared/fetcher.rb +48 -0
- data/spec/support/shared/filter.rb +14 -0
- data/spec/support/shared/io-like.rb +7 -0
- data/spec/support/shared/model/collection.rb +164 -0
- data/spec/support/shared/output.rb +120 -0
- data/spec/support/shared/parsers.rb +51 -0
- data/spec/support/shared/record.rb +111 -0
- data/spec/threatinator/actions/list/action_spec.rb +148 -0
- data/spec/threatinator/actions/run/action_spec.rb +106 -0
- data/spec/threatinator/actions/run/config_spec.rb +39 -0
- data/spec/threatinator/actions/run/coverage_observer_spec.rb +151 -0
- data/spec/threatinator/actions/run/output_config_spec.rb +89 -0
- data/spec/threatinator/actions/run/status_observer_spec.rb +86 -0
- data/spec/threatinator/cli/list_action_builder_spec.rb +57 -0
- data/spec/threatinator/cli/run_action_builder_spec.rb +133 -0
- data/spec/threatinator/cli_spec.rb +175 -0
- data/spec/threatinator/config/base_spec.rb +39 -0
- data/spec/threatinator/config/feed_search_spec.rb +76 -0
- data/spec/threatinator/decoders/gzip_spec.rb +75 -0
- data/spec/threatinator/event_builder_spec.rb +123 -0
- data/spec/threatinator/event_spec.rb +254 -0
- data/spec/threatinator/event_spec.rb.new +319 -0
- data/spec/threatinator/feed_builder_spec.rb +633 -0
- data/spec/threatinator/feed_registry_spec.rb +198 -0
- data/spec/threatinator/feed_runner_spec.rb +372 -0
- data/spec/threatinator/feed_spec.rb +169 -0
- data/spec/threatinator/fetcher_spec.rb +12 -0
- data/spec/threatinator/fetchers/http_spec.rb +32 -0
- data/spec/threatinator/filter_spec.rb +13 -0
- data/spec/threatinator/filters/block_spec.rb +16 -0
- data/spec/threatinator/filters/comments_spec.rb +13 -0
- data/spec/threatinator/filters/whitespace_spec.rb +12 -0
- data/spec/threatinator/logger_spec.rb +29 -0
- data/spec/threatinator/model/observables/fqdn_collection_spec.rb +41 -0
- data/spec/threatinator/model/observables/ipv4_collection_spec.rb +36 -0
- data/spec/threatinator/model/observables/ipv4_spec.rb +75 -0
- data/spec/threatinator/model/observables/url_collection_spec.rb +45 -0
- data/spec/threatinator/model/validations/type_spec.rb +37 -0
- data/spec/threatinator/parser_spec.rb +13 -0
- data/spec/threatinator/parsers/csv/parser_spec.rb +202 -0
- data/spec/threatinator/parsers/getline/parser_spec.rb +83 -0
- data/spec/threatinator/parsers/json/parser_spec.rb +106 -0
- data/spec/threatinator/parsers/json/record_spec.rb +30 -0
- data/spec/threatinator/parsers/xml/node_spec.rb +335 -0
- data/spec/threatinator/parsers/xml/parser_spec.rb +263 -0
- data/spec/threatinator/parsers/xml/path_spec.rb +209 -0
- data/spec/threatinator/parsers/xml/pattern_spec.rb +72 -0
- data/spec/threatinator/parsers/xml/record_spec.rb +27 -0
- data/spec/threatinator/plugin_loader_spec.rb +238 -0
- data/spec/threatinator/plugins/output/csv_spec.rb +47 -0
- data/spec/threatinator/plugins/output/null_spec.rb +17 -0
- data/spec/threatinator/plugins/output/rubydebug_spec.rb +37 -0
- data/spec/threatinator/record_spec.rb +19 -0
- data/spec/threatinator/registry_spec.rb +97 -0
- data/spec/threatinator/runner_spec.rb +273 -0
- metadata +674 -0
@@ -0,0 +1,27 @@
|
|
1
|
+
provider "sigmaproject"
|
2
|
+
name "atma_ip_reputation"
|
3
|
+
event_types [:scanning]
|
4
|
+
|
5
|
+
|
6
|
+
fetch_http('https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=atma')
|
7
|
+
|
8
|
+
# Filter out ip's
|
9
|
+
filter do |record|
|
10
|
+
!(record.data =~ /\/32/)
|
11
|
+
end
|
12
|
+
|
13
|
+
extract_gzip
|
14
|
+
parse_eachline() do |event_generator, record|
|
15
|
+
|
16
|
+
# We're tossing anything that's not a /32
|
17
|
+
|
18
|
+
ip = record.data
|
19
|
+
ip.gsub!(/\/32/, '')
|
20
|
+
ip.strip!
|
21
|
+
|
22
|
+
event_generator.call() do |event|
|
23
|
+
event.type = :scanning
|
24
|
+
event.add_ipv4(ip) do |ipv4_event|
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
@@ -0,0 +1,28 @@
|
|
1
|
+
provider "sigmaproject"
|
2
|
+
name "spyware_ip_reputation"
|
3
|
+
|
4
|
+
event_types [:c2]
|
5
|
+
|
6
|
+
|
7
|
+
|
8
|
+
fetch_http('https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=spyware')
|
9
|
+
extract_gzip
|
10
|
+
|
11
|
+
# Filter out ip's
|
12
|
+
filter do |record|
|
13
|
+
# TODO handle subnets
|
14
|
+
!(record.data =~ /\/32/)
|
15
|
+
end
|
16
|
+
|
17
|
+
parse_eachline() do |event_generator, record|
|
18
|
+
|
19
|
+
ip = record.data
|
20
|
+
ip.gsub!(/\/32/, '')
|
21
|
+
ip.strip!
|
22
|
+
|
23
|
+
event_generator.call() do |event|
|
24
|
+
event.type = :c2
|
25
|
+
event.add_ipv4(ip) do |ipv4_event|
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
provider "sigmaproject"
|
2
|
+
name "webexploit_ip_reputation"
|
3
|
+
event_types [:attacker]
|
4
|
+
fetch_http('https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=webexploit')
|
5
|
+
extract_gzip
|
6
|
+
|
7
|
+
# Filter out ip's
|
8
|
+
filter do |record|
|
9
|
+
# TODO handle subnets
|
10
|
+
!(record.data =~ /\/32/)
|
11
|
+
end
|
12
|
+
|
13
|
+
parse_eachline() do |event_generator, record|
|
14
|
+
|
15
|
+
# We're tossing anything that's not a /32
|
16
|
+
|
17
|
+
ip = record.data
|
18
|
+
ip.gsub!(/\/32/, '')
|
19
|
+
ip.strip!
|
20
|
+
|
21
|
+
event_generator.call() do |event|
|
22
|
+
event.type = :attacker
|
23
|
+
event.add_ipv4(ip) do |ipv4_event|
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
@@ -0,0 +1,19 @@
|
|
1
|
+
provider "snort"
|
2
|
+
name "bpf_ip_reputation"
|
3
|
+
fetch_http('http://labs.snort.org/feeds/ip-filter.blf')
|
4
|
+
event_types [:scannning]
|
5
|
+
feed_re = /(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
+
|
7
|
+
filter_whitespace
|
8
|
+
filter_comments
|
9
|
+
|
10
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
+
m = feed_re.match(record.data)
|
12
|
+
next if m.nil?
|
13
|
+
|
14
|
+
event_generator.call() do |event|
|
15
|
+
event.type = :scanning
|
16
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
provider "abuse_ch"
|
2
|
+
name "spyeye_domain_reputation"
|
3
|
+
fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist')
|
4
|
+
event_types [:c2]
|
5
|
+
feed_re = /^(?<domain>.*)/
|
6
|
+
|
7
|
+
filter_whitespace
|
8
|
+
filter_comments
|
9
|
+
|
10
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
+
m = feed_re.match(record.data)
|
12
|
+
next if m.nil?
|
13
|
+
|
14
|
+
event_generator.call() do |event|
|
15
|
+
event.type = :c2
|
16
|
+
event.add_fqdn(m[:domain])
|
17
|
+
end
|
18
|
+
end
|
@@ -0,0 +1,19 @@
|
|
1
|
+
provider "abuse_ch"
|
2
|
+
name "spyeye_ip_reputation"
|
3
|
+
fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist')
|
4
|
+
event_types [:c2]
|
5
|
+
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
+
|
7
|
+
filter_whitespace
|
8
|
+
filter_comments
|
9
|
+
|
10
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
+
m = feed_re.match(record.data)
|
12
|
+
next if m.nil?
|
13
|
+
|
14
|
+
event_generator.call() do |event|
|
15
|
+
event.type = :c2
|
16
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
@@ -0,0 +1,20 @@
|
|
1
|
+
provider "steeman"
|
2
|
+
name "ip_reputation"
|
3
|
+
fetch_http('http://jeroen.steeman.org/FS-PlainText')
|
4
|
+
event_types [:scanning]
|
5
|
+
|
6
|
+
feed_re = /(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
7
|
+
|
8
|
+
filter_whitespace
|
9
|
+
filter_comments
|
10
|
+
|
11
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
12
|
+
m = feed_re.match(record.data)
|
13
|
+
next if m.nil?
|
14
|
+
|
15
|
+
event_generator.call() do |event|
|
16
|
+
event.type = :scanning
|
17
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
18
|
+
end
|
19
|
+
end
|
20
|
+
end
|
@@ -0,0 +1,20 @@
|
|
1
|
+
provider "t-arend-de"
|
2
|
+
name "ssh_ip_reputation"
|
3
|
+
fetch_http('http://www.t-arend.de/linux/badguys.txt')
|
4
|
+
event_types [:c2]
|
5
|
+
|
6
|
+
feed_re = /^sshd\: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
7
|
+
|
8
|
+
filter_whitespace
|
9
|
+
filter_comments
|
10
|
+
|
11
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
12
|
+
m = feed_re.match(record.data)
|
13
|
+
next if m.nil?
|
14
|
+
|
15
|
+
event_generator.call() do |event|
|
16
|
+
event.type = :c2
|
17
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
18
|
+
end
|
19
|
+
end
|
20
|
+
end
|
@@ -0,0 +1,20 @@
|
|
1
|
+
provider "the_haleys"
|
2
|
+
name "ssh_ip_reputation"
|
3
|
+
fetch_http('http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt')
|
4
|
+
event_types [:scanning]
|
5
|
+
|
6
|
+
feed_re = /^ALL \: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
7
|
+
|
8
|
+
filter_whitespace
|
9
|
+
filter_comments
|
10
|
+
|
11
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
12
|
+
m = feed_re.match(record.data)
|
13
|
+
next if m.nil?
|
14
|
+
|
15
|
+
event_generator.call() do |event|
|
16
|
+
event.type = :scanning
|
17
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
18
|
+
end
|
19
|
+
end
|
20
|
+
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
provider "trustedsec"
|
2
|
+
name "ip_reputation"
|
3
|
+
fetch_http('https://www.trustedsec.com/banlist.txt')
|
4
|
+
event_types [:scanning]
|
5
|
+
|
6
|
+
filter_whitespace
|
7
|
+
filter_comments
|
8
|
+
|
9
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
10
|
+
next if record.nil?
|
11
|
+
ip = record.data.strip
|
12
|
+
|
13
|
+
event_generator.call() do |event|
|
14
|
+
event.type = :scanning
|
15
|
+
event.add_ipv4(ip) do |ipv4_event|
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
@@ -0,0 +1,25 @@
|
|
1
|
+
provider "virbl"
|
2
|
+
name "ip_reputation"
|
3
|
+
fetch_http('http://virbl.org/download/virbl.dnsbl.bit.nl.txt')
|
4
|
+
event_types [:malware_host]
|
5
|
+
|
6
|
+
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
7
|
+
|
8
|
+
filter_whitespace
|
9
|
+
filter_comments
|
10
|
+
|
11
|
+
# Filter out ip's
|
12
|
+
filter do |record|
|
13
|
+
!(record.data =~ /^\d/)
|
14
|
+
end
|
15
|
+
|
16
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
17
|
+
m = feed_re.match(record.data)
|
18
|
+
next if m.nil?
|
19
|
+
|
20
|
+
event_generator.call() do |event|
|
21
|
+
event.type = :malware_host
|
22
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
@@ -0,0 +1,23 @@
|
|
1
|
+
provider "vxvault"
|
2
|
+
name "url_reputation"
|
3
|
+
fetch_http('http://vxvault.siri-urz.net/URL_List.php')
|
4
|
+
event_types [:malware_host]
|
5
|
+
|
6
|
+
filter_whitespace
|
7
|
+
filter_comments
|
8
|
+
|
9
|
+
# Filter out any lines that don't start with a URL
|
10
|
+
filter do |record|
|
11
|
+
!(record.data =~ /^http/)
|
12
|
+
end
|
13
|
+
|
14
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
15
|
+
url = record.data.strip
|
16
|
+
next if url.nil?
|
17
|
+
|
18
|
+
event_generator.call() do |event|
|
19
|
+
event.type = :malware_host
|
20
|
+
event.add_url(url) do |url_event|
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
@@ -0,0 +1,20 @@
|
|
1
|
+
provider "yourcmc"
|
2
|
+
name "ssh-ip_reputation"
|
3
|
+
fetch_http('http://vmx.yourcmc.ru/BAD_HOSTS.IP4')
|
4
|
+
event_types [:scanning]
|
5
|
+
|
6
|
+
feed_re = /^(?<ip>.*)/
|
7
|
+
|
8
|
+
filter_whitespace
|
9
|
+
filter_comments
|
10
|
+
|
11
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
12
|
+
m = feed_re.match(record.data)
|
13
|
+
next if m.nil?
|
14
|
+
|
15
|
+
event_generator.call() do |event|
|
16
|
+
event.type = :scanning
|
17
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
18
|
+
end
|
19
|
+
end
|
20
|
+
end
|
@@ -0,0 +1,17 @@
|
|
1
|
+
provider "yoyo"
|
2
|
+
name "adservers"
|
3
|
+
fetch_http('http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml')
|
4
|
+
event_types [:scanning]
|
5
|
+
|
6
|
+
filter_whitespace
|
7
|
+
filter_comments
|
8
|
+
|
9
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
10
|
+
domain = record.data.strip()
|
11
|
+
next if domain.nil?
|
12
|
+
|
13
|
+
event_generator.call() do |event|
|
14
|
+
event.type = :scanning
|
15
|
+
event.add_fqdn(domain)
|
16
|
+
end
|
17
|
+
end
|
@@ -0,0 +1,19 @@
|
|
1
|
+
provider "abuse_ch"
|
2
|
+
name "zeus_domain_reputation"
|
3
|
+
fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist')
|
4
|
+
event_types [:c2]
|
5
|
+
|
6
|
+
feed_re = /^(?<domain>.*)/
|
7
|
+
|
8
|
+
filter_whitespace
|
9
|
+
filter_comments
|
10
|
+
|
11
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
12
|
+
m = feed_re.match(record.data)
|
13
|
+
next if m.nil?
|
14
|
+
|
15
|
+
event_generator.call() do |event|
|
16
|
+
event.type = :c2
|
17
|
+
event.add_fqdn(m[:domain])
|
18
|
+
end
|
19
|
+
end
|
@@ -0,0 +1,21 @@
|
|
1
|
+
# threatinator_dsl "2.0"
|
2
|
+
provider "abuse_ch"
|
3
|
+
name "zeus_ip_reputation"
|
4
|
+
fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist')
|
5
|
+
event_types [:c2]
|
6
|
+
|
7
|
+
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
8
|
+
|
9
|
+
filter_whitespace
|
10
|
+
filter_comments
|
11
|
+
|
12
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
13
|
+
m = feed_re.match(record.data)
|
14
|
+
next if m.nil?
|
15
|
+
|
16
|
+
event_generator.call() do |event|
|
17
|
+
event.type = :c2
|
18
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
19
|
+
end
|
20
|
+
end
|
21
|
+
end
|
@@ -0,0 +1,97 @@
|
|
1
|
+
require 'threatinator/action'
|
2
|
+
require 'threatinator/exceptions'
|
3
|
+
require 'csv'
|
4
|
+
require 'multi_json'
|
5
|
+
|
6
|
+
module Threatinator
|
7
|
+
module Actions
|
8
|
+
module List
|
9
|
+
class Action < Threatinator::Action
|
10
|
+
def initialize(registry, config)
|
11
|
+
super(registry)
|
12
|
+
@config = config
|
13
|
+
end
|
14
|
+
|
15
|
+
def output_table(io_out)
|
16
|
+
|
17
|
+
feed_info = [['provider', 'name', 'type', 'link/path', 'event_types']]
|
18
|
+
|
19
|
+
registry.each do |feed|
|
20
|
+
#binding.pry
|
21
|
+
info = [ feed.provider, feed.name ]
|
22
|
+
fetcher = feed.fetcher_builder.call()
|
23
|
+
type = "unknown"
|
24
|
+
link = "unknown"
|
25
|
+
case fetcher
|
26
|
+
when Threatinator::Fetchers::Http
|
27
|
+
type = "http"
|
28
|
+
link = fetcher.url
|
29
|
+
end
|
30
|
+
info << type
|
31
|
+
info << link
|
32
|
+
info << feed.event_types
|
33
|
+
feed_info << info
|
34
|
+
end
|
35
|
+
|
36
|
+
# This will never happen
|
37
|
+
return if feed_info.count == 0
|
38
|
+
|
39
|
+
fmts = []
|
40
|
+
widths = []
|
41
|
+
0.upto(4) do |i|
|
42
|
+
max = feed_info.max { |a,b| a[i].to_s.length <=> b[i].to_s.length }[i].to_s.length
|
43
|
+
widths << max
|
44
|
+
fmts << "%#{max}s"
|
45
|
+
end
|
46
|
+
fmt = "%-#{widths[0]}s %-#{widths[1]}s %-#{widths[2]}s %-#{widths[3]}s %-#{widths[4]}s\n"
|
47
|
+
io_out.printf(fmt, *(feed_info.shift)) # Pop the Header from the feed_info
|
48
|
+
|
49
|
+
sep = widths.map {|x| '-' * x }
|
50
|
+
io_out.printf(fmt, *sep)
|
51
|
+
|
52
|
+
feed_info.sort! { |a,b| [a[0], a[1]] <=> [b[0], b[1]] }
|
53
|
+
feed_info.each do |info|
|
54
|
+
io_out.printf(fmt, *info)
|
55
|
+
end
|
56
|
+
|
57
|
+
io_out.printf(fmt, *sep)
|
58
|
+
io_out.puts("Total: #{feed_info.count}")
|
59
|
+
end
|
60
|
+
|
61
|
+
def output_json(io_out)
|
62
|
+
feeds = []
|
63
|
+
registry.each do |feed|
|
64
|
+
info = {
|
65
|
+
provider: feed.provider,
|
66
|
+
name: feed.name,
|
67
|
+
type: 'unknown',
|
68
|
+
link: 'unknown'
|
69
|
+
}
|
70
|
+
fetcher = feed.fetcher_builder.call()
|
71
|
+
case fetcher
|
72
|
+
when Threatinator::Fetchers::Http
|
73
|
+
info[:type] = "http"
|
74
|
+
info[:link] = fetcher.url
|
75
|
+
end
|
76
|
+
|
77
|
+
feeds << info
|
78
|
+
end
|
79
|
+
feeds.sort! { |a,b| [a[:provider], a[:name]] <=> [b[:provider], b[:name]] }
|
80
|
+
|
81
|
+
io_out.write(MultiJson.dump(feeds))
|
82
|
+
end
|
83
|
+
|
84
|
+
def exec
|
85
|
+
case @config.format
|
86
|
+
when 'table'
|
87
|
+
output_table($stdout)
|
88
|
+
when 'json'
|
89
|
+
output_json($stdout)
|
90
|
+
else
|
91
|
+
raise ArgumentError, "Invalid argument for 'format' = '#{@config.format}'"
|
92
|
+
end
|
93
|
+
end
|
94
|
+
end
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end
|
@@ -0,0 +1,12 @@
|
|
1
|
+
require 'threatinator/config/base'
|
2
|
+
|
3
|
+
module Threatinator
|
4
|
+
module Actions
|
5
|
+
module List
|
6
|
+
class Config < Threatinator::Config::Base
|
7
|
+
attribute :format, String, default: lambda { |c,a| 'table' },
|
8
|
+
description: "The format in which to generate output: 'table' (default), 'json'"
|
9
|
+
end
|
10
|
+
end
|
11
|
+
end
|
12
|
+
end
|
@@ -0,0 +1,57 @@
|
|
1
|
+
require 'threatinator/action'
|
2
|
+
require 'threatinator/exceptions'
|
3
|
+
require 'threatinator/feed_runner'
|
4
|
+
require 'threatinator/logging'
|
5
|
+
require 'threatinator/actions/run/status_observer'
|
6
|
+
require 'csv'
|
7
|
+
|
8
|
+
module Threatinator
|
9
|
+
module Actions
|
10
|
+
module Run
|
11
|
+
class Action < Threatinator::Action
|
12
|
+
include Logging
|
13
|
+
|
14
|
+
def initialize(registry, config)
|
15
|
+
super(registry)
|
16
|
+
@config = config
|
17
|
+
end
|
18
|
+
|
19
|
+
def build_output
|
20
|
+
@config.output.build_output
|
21
|
+
end
|
22
|
+
|
23
|
+
def exec
|
24
|
+
opts = {}
|
25
|
+
|
26
|
+
feed = registry.get(@config.feed_provider, @config.feed_name)
|
27
|
+
if feed.nil?
|
28
|
+
logger.error("Unknown feed: provider = #{@config.feed_provider}, name = #{@config.feed_name}")
|
29
|
+
raise Threatinator::Exceptions::UnknownFeed.new(@config.feed_provider, @config.feed_name)
|
30
|
+
end
|
31
|
+
|
32
|
+
output = build_output
|
33
|
+
|
34
|
+
feed_runner = Threatinator::FeedRunner.new(feed, output)
|
35
|
+
status = StatusObserver.new
|
36
|
+
feed_runner.add_observer(status)
|
37
|
+
|
38
|
+
@config.observers.each do |observer|
|
39
|
+
feed_runner.add_observer(observer)
|
40
|
+
end
|
41
|
+
|
42
|
+
feed_runner.run
|
43
|
+
|
44
|
+
if status.missed?
|
45
|
+
logger.error "#{status.missed} records were MISSED (neither parsed nor filtered). You may need to update your feed specification! Try increasing the logging level to DEBUG, or re-run with run.coverage_output='output.csv' to see which records were parsed/filtered/missed."
|
46
|
+
end
|
47
|
+
|
48
|
+
if status.errors?
|
49
|
+
logger.error "#{status.errors} records had errors! You may have a bug in your feed specification! Try increasing the logging level to DEBUG, or re-run with run.coverage_output='output.csv' to see which records had errors."
|
50
|
+
end
|
51
|
+
|
52
|
+
logger.info "#{status.total} records processed. #{status.parsed} parsed, #{status.filtered} filtered, #{status.missed} missed, #{status.errors} errors"
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
@@ -0,0 +1,32 @@
|
|
1
|
+
require 'threatinator/config/base'
|
2
|
+
require 'threatinator/actions/run/output_config'
|
3
|
+
|
4
|
+
module Threatinator
|
5
|
+
module Actions
|
6
|
+
module Run
|
7
|
+
module Config
|
8
|
+
# @param [Threatinator::PluginLoader] plugin_loader
|
9
|
+
# @return [Class] a class that represents the config for Action::Run
|
10
|
+
def self.generate(plugin_loader)
|
11
|
+
output_config_class = Threatinator::Actions::Run::OutputConfig.generate(plugin_loader)
|
12
|
+
config_class = Class.new(Threatinator::Config::Base) do
|
13
|
+
attribute :output, output_config_class,
|
14
|
+
default: lambda { |c,a| output_config_class.new }
|
15
|
+
|
16
|
+
attribute :feed_provider, String,
|
17
|
+
description: "The feed provider"
|
18
|
+
|
19
|
+
attribute :feed_name, String,
|
20
|
+
description: "The feed name"
|
21
|
+
|
22
|
+
attribute :fetch_from_file, String,
|
23
|
+
description: "Read data from the specified file rather than fetching"
|
24
|
+
|
25
|
+
attribute :observers, Array, default: lambda {|c,a| Array.new }
|
26
|
+
end
|
27
|
+
config_class
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
@@ -0,0 +1,59 @@
|
|
1
|
+
require 'csv'
|
2
|
+
|
3
|
+
module Threatinator
|
4
|
+
module Actions
|
5
|
+
module Run
|
6
|
+
class CoverageObserver
|
7
|
+
attr_reader :filename
|
8
|
+
def initialize(filename)
|
9
|
+
@filename = filename
|
10
|
+
@csv = nil
|
11
|
+
end
|
12
|
+
|
13
|
+
def closed?
|
14
|
+
return false if @csv.nil?
|
15
|
+
@csv.closed?
|
16
|
+
end
|
17
|
+
|
18
|
+
def open
|
19
|
+
@csv = ::CSV.open(@filename, "wb", :headers => [:status, :event_count, :line_number, :pos_start, :pos_end, :data, :message], :write_headers => true)
|
20
|
+
end
|
21
|
+
|
22
|
+
# Handles FeedRunner observations
|
23
|
+
def update(message, *args)
|
24
|
+
case message
|
25
|
+
when :record_missed
|
26
|
+
log_record(:missed, args.shift, 0)
|
27
|
+
when :record_filtered
|
28
|
+
log_record(:filtered, args.shift, 0)
|
29
|
+
when :record_parsed
|
30
|
+
log_record(:parsed, args.shift, args.shift.count)
|
31
|
+
when :record_error
|
32
|
+
record = args.shift
|
33
|
+
errors = args.shift
|
34
|
+
message = errors.map { |e| e.message }.join(', ')
|
35
|
+
log_record(:error, record, 0, message)
|
36
|
+
when :end
|
37
|
+
close
|
38
|
+
when :start
|
39
|
+
open
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
# @param [Symbol] status :parsed, :missed, :filtered
|
44
|
+
# @param [Threatinator::Record] record
|
45
|
+
# @param [Array<Threatinator::Event>] events
|
46
|
+
def log_record(status, record, event_count, message = '')
|
47
|
+
return if closed?
|
48
|
+
@csv.add_row( [
|
49
|
+
status, event_count, record.line_number,
|
50
|
+
record.pos_start, record.pos_end, record.data.inspect, message])
|
51
|
+
end
|
52
|
+
|
53
|
+
def close
|
54
|
+
@csv.close unless closed?
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|