shadowbq-threatinator 0.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/CHANGELOG.md +66 -0
- data/CONTRIBUTING.md +119 -0
- data/Gemfile +38 -0
- data/LICENSE +165 -0
- data/README.md +101 -0
- data/Rakefile +47 -0
- data/VERSION +1 -0
- data/bin/threatinator +5 -0
- data/bin/threatinator_loader +21 -0
- data/feeds/ET_block-ip_reputation.feed +27 -0
- data/feeds/ET_compromised-ip_reputation.feed +20 -0
- data/feeds/ET_openbadlist-ip_reputation.feed +36 -0
- data/feeds/alienvault-ip_reputation.feed +39 -0
- data/feeds/arbor_fastflux-domain_reputation.feed +19 -0
- data/feeds/arbor_ssh-ip_reputation.feed +24 -0
- data/feeds/autoshun_shunlist.feed +17 -0
- data/feeds/bambenek_c2_masterlist-domain_reputation.feed +16 -0
- data/feeds/bambenek_c2_masterlist-ip_reputation.feed +16 -0
- data/feeds/bambenek_dga_feed-domain_reputation.feed +16 -0
- data/feeds/berkeley-ip_reputation.feed +25 -0
- data/feeds/bitcash_cz_blacklist.feed +22 -0
- data/feeds/blocklist_de_apache-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_bots-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_ftp-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_imap-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_pop3-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_proftpd-ip_reputation.feed +26 -0
- data/feeds/blocklist_de_sip-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_ssh-ip_reputation.feed +25 -0
- data/feeds/blocklist_de_strongips-ip_reputation.feed +25 -0
- data/feeds/botscout-ip_reputation.feed +25 -0
- data/feeds/cert_mxpoison-ip_reputation.feed +22 -0
- data/feeds/chaosreigns-ip_reputation.feed +37 -0
- data/feeds/ciarmy-ip_reputation.feed +20 -0
- data/feeds/cruzit-ip_reputation.feed +30 -0
- data/feeds/cydef_torexit-ip_reputation.feed +25 -0
- data/feeds/dan_me_uk_torlist-ip_reputation.feed +25 -0
- data/feeds/danger_bruteforce-ip_reputation.feed +24 -0
- data/feeds/dshield_attackers-top1000.feed +34 -0
- data/feeds/falconcrest-ip_reputation.feed +19 -0
- data/feeds/feodo-domain_reputation.feed +19 -0
- data/feeds/feodo-ip_reputation.feed +20 -0
- data/feeds/h3x_asprox.feed +18 -0
- data/feeds/hosts-file_hphostspartial-domain_reputation.feed +19 -0
- data/feeds/infiltrated-ip_reputation.feed +26 -0
- data/feeds/infiltrated_vabl-ip_reputation.feed +30 -0
- data/feeds/isc_suspicious_high-domain_reputation.feed +26 -0
- data/feeds/isc_suspicious_low-domain_reputation.feed +26 -0
- data/feeds/isc_suspicious_medium-domain_reputation.feed +26 -0
- data/feeds/malc0de-domain_reputation.feed +24 -0
- data/feeds/malc0de-ip_reputation.feed +26 -0
- data/feeds/malwaredomainlist-url_reputation.feed +18 -0
- data/feeds/malwaredomains-domain_reputation.feed +29 -0
- data/feeds/malwaredomains_dyndns-domain_reputation.feed +29 -0
- data/feeds/malwaredomains_justdomains-domain_reputation.feed +20 -0
- data/feeds/mirc-domain_reputation.feed +30 -0
- data/feeds/multiproxy-ip_reputation.feed +22 -0
- data/feeds/nothink_irc-ip_reputation.feed +23 -0
- data/feeds/nothink_ssh-ip_reputation.feed +21 -0
- data/feeds/openbl-ip_reputation.feed +21 -0
- data/feeds/openphish-url_reputation.feed +24 -0
- data/feeds/packetmail_perimeterbad-ip_reputation.feed +28 -0
- data/feeds/palevo-domain_reputation.feed +22 -0
- data/feeds/palevo-ip_reputation.feed +23 -0
- data/feeds/phishtank.feed +22 -0
- data/feeds/sigmaproject_atma.feed +27 -0
- data/feeds/sigmaproject_spyware.feed +28 -0
- data/feeds/sigmaproject_webexploit.feed +26 -0
- data/feeds/snort_bpf-ip_reputation.feed +19 -0
- data/feeds/spyeye-domain_reputation.feed +18 -0
- data/feeds/spyeye-ip_reputation.feed +19 -0
- data/feeds/steeman-ip_reputation.feed +20 -0
- data/feeds/t-arend-de_ssh-ip_reputation.feed +20 -0
- data/feeds/the_haleys_ssh-ip_reputation.feed +20 -0
- data/feeds/trustedsec-ip_reputation.feed +18 -0
- data/feeds/virbl-ip_reputation.feed +25 -0
- data/feeds/vxvault-url_reputation.feed +23 -0
- data/feeds/yourcmc_ssh-ip_reputation.feed +20 -0
- data/feeds/yoyo_adservers-domain_reputation.feed +17 -0
- data/feeds/zeus-domain_reputation.feed +19 -0
- data/feeds/zeus-ip_reputation.feed +21 -0
- data/lib/threatinator/action.rb +14 -0
- data/lib/threatinator/actions/list/action.rb +97 -0
- data/lib/threatinator/actions/list/config.rb +12 -0
- data/lib/threatinator/actions/list.rb +2 -0
- data/lib/threatinator/actions/run/action.rb +57 -0
- data/lib/threatinator/actions/run/config.rb +32 -0
- data/lib/threatinator/actions/run/coverage_observer.rb +59 -0
- data/lib/threatinator/actions/run/output_config.rb +59 -0
- data/lib/threatinator/actions/run/status_observer.rb +37 -0
- data/lib/threatinator/actions/run.rb +2 -0
- data/lib/threatinator/cli/action_builder.rb +33 -0
- data/lib/threatinator/cli/list_action_builder.rb +19 -0
- data/lib/threatinator/cli/parser.rb +123 -0
- data/lib/threatinator/cli/run_action_builder.rb +41 -0
- data/lib/threatinator/cli.rb +19 -0
- data/lib/threatinator/config/base.rb +35 -0
- data/lib/threatinator/config/feed_search.rb +25 -0
- data/lib/threatinator/config/logger.rb +14 -0
- data/lib/threatinator/config.rb +7 -0
- data/lib/threatinator/decoder.rb +24 -0
- data/lib/threatinator/decoders/gzip.rb +30 -0
- data/lib/threatinator/event.rb +63 -0
- data/lib/threatinator/event_builder.rb +70 -0
- data/lib/threatinator/exceptions.rb +58 -0
- data/lib/threatinator/feed.rb +88 -0
- data/lib/threatinator/feed_builder.rb +161 -0
- data/lib/threatinator/feed_registry.rb +47 -0
- data/lib/threatinator/feed_runner.rb +177 -0
- data/lib/threatinator/fetcher.rb +22 -0
- data/lib/threatinator/fetchers/http.rb +50 -0
- data/lib/threatinator/filter.rb +12 -0
- data/lib/threatinator/filters/block.rb +18 -0
- data/lib/threatinator/filters/comments.rb +16 -0
- data/lib/threatinator/filters/whitespace.rb +19 -0
- data/lib/threatinator/logger.rb +66 -0
- data/lib/threatinator/logging.rb +20 -0
- data/lib/threatinator/model/base.rb +23 -0
- data/lib/threatinator/model/collection.rb +89 -0
- data/lib/threatinator/model/observables/fqdn_collection.rb +15 -0
- data/lib/threatinator/model/observables/ipv4.rb +33 -0
- data/lib/threatinator/model/observables/ipv4_collection.rb +14 -0
- data/lib/threatinator/model/observables/url_collection.rb +16 -0
- data/lib/threatinator/model/validations/type.rb +21 -0
- data/lib/threatinator/model/validations.rb +1 -0
- data/lib/threatinator/output.rb +50 -0
- data/lib/threatinator/parser.rb +23 -0
- data/lib/threatinator/parsers/csv/parser.rb +77 -0
- data/lib/threatinator/parsers/csv.rb +7 -0
- data/lib/threatinator/parsers/getline/parser.rb +45 -0
- data/lib/threatinator/parsers/getline.rb +8 -0
- data/lib/threatinator/parsers/json/adapters/oj.rb +65 -0
- data/lib/threatinator/parsers/json/parser.rb +45 -0
- data/lib/threatinator/parsers/json/record.rb +20 -0
- data/lib/threatinator/parsers/json.rb +8 -0
- data/lib/threatinator/parsers/xml/node.rb +79 -0
- data/lib/threatinator/parsers/xml/node_builder.rb +39 -0
- data/lib/threatinator/parsers/xml/parser.rb +44 -0
- data/lib/threatinator/parsers/xml/path.rb +70 -0
- data/lib/threatinator/parsers/xml/pattern.rb +53 -0
- data/lib/threatinator/parsers/xml/record.rb +14 -0
- data/lib/threatinator/parsers/xml/sax_document.rb +64 -0
- data/lib/threatinator/parsers/xml.rb +8 -0
- data/lib/threatinator/plugin_loader.rb +115 -0
- data/lib/threatinator/plugins/output/amqp/config.rb +18 -0
- data/lib/threatinator/plugins/output/amqp.rb +41 -0
- data/lib/threatinator/plugins/output/csv.rb +58 -0
- data/lib/threatinator/plugins/output/json/config.rb +14 -0
- data/lib/threatinator/plugins/output/json.rb +53 -0
- data/lib/threatinator/plugins/output/null.rb +17 -0
- data/lib/threatinator/plugins/output/rubydebug.rb +16 -0
- data/lib/threatinator/record.rb +22 -0
- data/lib/threatinator/registry.rb +53 -0
- data/lib/threatinator/util.rb +15 -0
- data/lib/threatinator.rb +3 -0
- data/spec/feeds/ET_block-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ET_compromised-ip_reputation_spec.rb +47 -0
- data/spec/feeds/ET_openbadlist-ip_reputation_spec.rb +56 -0
- data/spec/feeds/alienvault-ip_reputation_spec.rb +46 -0
- data/spec/feeds/arbor_fastflux-domain_reputation_spec.rb +46 -0
- data/spec/feeds/arbor_ssh-ip_reputation_spec.rb +46 -0
- data/spec/feeds/autoshun_shunlist_spec.rb +38 -0
- data/spec/feeds/bambenek_c2_masterlist-domain_reputation_spec.rb +38 -0
- data/spec/feeds/bambenek_c2_masterlist-ip_reputation_spec.rb +39 -0
- data/spec/feeds/bambenek_dga_feed-domain_reputation_spec.rb +39 -0
- data/spec/feeds/berkeley-ip_reputation_spec.rb +47 -0
- data/spec/feeds/bitcash_cz_blacklist-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_apache-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_bots-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_ftp-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_imap-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_pop3-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_proftpd-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_sip-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/blocklist_de_strongips-ip_reputation_spec.rb +47 -0
- data/spec/feeds/botscout-ip_reputation_spec.rb +50 -0
- data/spec/feeds/cert_mxpoison-ip_reputation_spec.rb +47 -0
- data/spec/feeds/chaosreigns-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ciarmy-ip_reputation_spec.rb +47 -0
- data/spec/feeds/cruzit-ip_reputation_spec.rb +47 -0
- data/spec/feeds/cydef_torexit-ip_reputation_spec.rb +47 -0
- data/spec/feeds/dan_me_uk_torlist-ip_reputation_spec.rb +47 -0
- data/spec/feeds/danger_bruteforce-ip_reputation_spec.rb +47 -0
- data/spec/feeds/data/ET_block-ip_reputation.txt +80 -0
- data/spec/feeds/data/ET_compromised-ip_reputation.txt +11 -0
- data/spec/feeds/data/ET_openbadlist-ip_reputation.txt +62 -0
- data/spec/feeds/data/alienvault-ip_reputation.txt +18 -0
- data/spec/feeds/data/arbor_domainlist.txt +11 -0
- data/spec/feeds/data/arbor_ssh.txt +16 -0
- data/spec/feeds/data/autoshun_shunlist.csv +20 -0
- data/spec/feeds/data/bambenek_c2-dommasterlist.csv +30 -0
- data/spec/feeds/data/bambenek_c2-ipmasterlist.csv +27 -0
- data/spec/feeds/data/bambenek_dga_feed.csv +42 -0
- data/spec/feeds/data/berkeley.txt +29 -0
- data/spec/feeds/data/bitcash_cz_blacklist.txt +7 -0
- data/spec/feeds/data/blocklist_de_apache-ip-reputation.txt +17 -0
- data/spec/feeds/data/blocklist_de_bots-ip-reputation.txt +15 -0
- data/spec/feeds/data/blocklist_de_ftp-ip-reputation.txt +7 -0
- data/spec/feeds/data/blocklist_de_imap-ip-reputation.txt +8 -0
- data/spec/feeds/data/blocklist_de_pop3-ip-reputation.txt +11 -0
- data/spec/feeds/data/blocklist_de_proftpd-ip-reputation.txt +12 -0
- data/spec/feeds/data/blocklist_de_sip-ip-reputation.txt +9 -0
- data/spec/feeds/data/blocklist_de_ssh-ip-reputation.txt +10 -0
- data/spec/feeds/data/blocklist_de_strongips-ip-reputation.txt +11 -0
- data/spec/feeds/data/botscout-ip-reputation.txt +713 -0
- data/spec/feeds/data/cert_mxpoison-ip_reputation.txt +17 -0
- data/spec/feeds/data/chaosreigns-ip-reputation.txt +26 -0
- data/spec/feeds/data/ciarmy-ip-reputation.txt +11 -0
- data/spec/feeds/data/cruzit-ip-reputation.txt +14 -0
- data/spec/feeds/data/cydef_torexit-ip_reputation.txt +27 -0
- data/spec/feeds/data/dan_me_uk_torlist-ip-reputation.txt +11 -0
- data/spec/feeds/data/danger_bruteforce-ip_reputation.txt +12 -0
- data/spec/feeds/data/dshield_topattackers.xml +4 -0
- data/spec/feeds/data/falconcrest_iplist.txt +345 -0
- data/spec/feeds/data/feodo_domainlist.txt +18 -0
- data/spec/feeds/data/feodo_iplist.txt +20 -0
- data/spec/feeds/data/h3x_asprox.txt +20 -0
- data/spec/feeds/data/hosts-file_hphostspartial_domainlist.txt +24 -0
- data/spec/feeds/data/infiltrated_iplist.txt +16 -0
- data/spec/feeds/data/infiltrated_vabl_iplist.txt +33 -0
- data/spec/feeds/data/isc_suspicious_high_domainlist.txt +26 -0
- data/spec/feeds/data/isc_suspicious_low_domainlist.txt +34 -0
- data/spec/feeds/data/isc_suspicious_medium_domainlist.txt +32 -0
- data/spec/feeds/data/malc0de_domainlist.txt +18 -0
- data/spec/feeds/data/malc0de_iplist.txt +14 -0
- data/spec/feeds/data/malwaredomainlist-url-reputation.txt +8 -0
- data/spec/feeds/data/malwaredomains_domainlist.txt +24 -0
- data/spec/feeds/data/malwaredomains_dyndns_domainlist.txt +34 -0
- data/spec/feeds/data/malwaredomains_justdomains_domainlist.txt +18 -0
- data/spec/feeds/data/mirc_domainlist.txt +31 -0
- data/spec/feeds/data/multiproxy_iplist.txt +15 -0
- data/spec/feeds/data/nothink_irc_iplist.txt +14 -0
- data/spec/feeds/data/nothink_ssh_iplist.txt +10 -0
- data/spec/feeds/data/openbl_iplist.txt +12 -0
- data/spec/feeds/data/openphish-url-reputation.txt +16 -0
- data/spec/feeds/data/packetmail_perimeterbad-ip_reputation.txt +44 -0
- data/spec/feeds/data/palevo_domainlist.txt +25 -0
- data/spec/feeds/data/palevo_iplist.txt +24 -0
- data/spec/feeds/data/phishtank-sample.json.gz +0 -0
- data/spec/feeds/data/sigmaproject_atma.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_spyware.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_webexploit.return.gz +0 -0
- data/spec/feeds/data/snort_bpf-ip_reputation.txt +16 -0
- data/spec/feeds/data/spyeye_domainlist.txt +16 -0
- data/spec/feeds/data/spyeye_iplist.txt +19 -0
- data/spec/feeds/data/steeman-ip-reputation.txt +13 -0
- data/spec/feeds/data/t-arend-de_ssh_iplist.txt +17 -0
- data/spec/feeds/data/the_haleys_ssh_iplist.txt +12 -0
- data/spec/feeds/data/trustedsec-ip-reputation.txt +12 -0
- data/spec/feeds/data/valid.json +2908 -0
- data/spec/feeds/data/virbl-ip_reputation.txt +14 -0
- data/spec/feeds/data/vxvault-url-reputation.txt +15 -0
- data/spec/feeds/data/yourcmc_ssh-ip_reputation.txt +27 -0
- data/spec/feeds/data/yoyo_adservers.txt +25 -0
- data/spec/feeds/data/zeus-ip_reputation.txt +285 -0
- data/spec/feeds/data/zeus_domainlist.txt +27 -0
- data/spec/feeds/dshield_attackers-top1000_spec.rb +39 -0
- data/spec/feeds/falconcrest-ip_reputation_spec.rb +39 -0
- data/spec/feeds/feodo-domain_reputation_spec.rb +47 -0
- data/spec/feeds/feodo-ip_reputation_spec.rb +47 -0
- data/spec/feeds/h3x_asprox-ip_reputation_spec.rb +50 -0
- data/spec/feeds/hosts-file_hphostspartial-domain_reputation_spec.rb +47 -0
- data/spec/feeds/infiltrated-ip_reputation_spec.rb +47 -0
- data/spec/feeds/infiltrated_vabl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_high-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_low-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_medium-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malc0de-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malc0de-ip_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomainlist_url_reputation_spec.rb +50 -0
- data/spec/feeds/malwaredomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_dyndns-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_justdomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/mirc-domain_reputation_spec.rb +47 -0
- data/spec/feeds/multiproxy-ip_reputation_spec.rb +47 -0
- data/spec/feeds/nothink_irc-ip_reputation_spec.rb +47 -0
- data/spec/feeds/nothink_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/openbl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/openphish_url_reputation_spec.rb +50 -0
- data/spec/feeds/packetmail_perimeterbad-ip_reputation_spec.rb +47 -0
- data/spec/feeds/palevo-domain_reputation_spec.rb +47 -0
- data/spec/feeds/palevo-ip_reputation_spec.rb +47 -0
- data/spec/feeds/phishtank_spec.rb +41 -0
- data/spec/feeds/sigmaproject_atma_spec.rb +62 -0
- data/spec/feeds/sigmaproject_spyware_spec.rb +63 -0
- data/spec/feeds/sigmaproject_webexploit_spec.rb +62 -0
- data/spec/feeds/snort_bpf-ip_reputation_spec.rb +47 -0
- data/spec/feeds/spyeye-domain_reputation_spec.rb +47 -0
- data/spec/feeds/spyeye-ip_reputation_spec.rb +47 -0
- data/spec/feeds/steeman-ip_reputation_spec.rb +50 -0
- data/spec/feeds/t-arend-de_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/the_haleys_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/trustedsec-ip_reputation_spec.rb +47 -0
- data/spec/feeds/virbl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/vxvault_url_reputation_spec.rb +50 -0
- data/spec/feeds/yourcmc_ssh-ip_reputation_spec.rb +47 -0
- data/spec/feeds/yoyo_adservers_spec.rb +47 -0
- data/spec/feeds/zeus-domain_reputation_spec.rb +47 -0
- data/spec/feeds/zeus-ip_reputation_spec.rb +47 -0
- data/spec/fixtures/feed/provider1/feed1.feed +6 -0
- data/spec/fixtures/parsers/test.xml +13 -0
- data/spec/fixtures/parsers/test_self_closing.xml +20 -0
- data/spec/fixtures/plugins/bad/threatinator/plugins/test_error1/plugin.rb +1 -0
- data/spec/fixtures/plugins/bad/threatinator/plugins/test_missing1/plugin.rb +0 -0
- data/spec/fixtures/plugins/fake.rb +19 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type1/plugin_a.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type1/plugin_b.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type2/plugin_c.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type2/plugin_d.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type3/plugin_e.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type3/plugin_f.rb +8 -0
- data/spec/spec_helper.rb +54 -0
- data/spec/support/bad_feeds/missing_fetcher.feed +7 -0
- data/spec/support/bad_feeds/missing_name.feed +6 -0
- data/spec/support/bad_feeds/missing_parser.feed +3 -0
- data/spec/support/bad_feeds/missing_provider.feed +5 -0
- data/spec/support/factories/event.rb +31 -0
- data/spec/support/factories/feed.rb +59 -0
- data/spec/support/factories/feed_builder.rb +65 -0
- data/spec/support/factories/feed_registry.rb +8 -0
- data/spec/support/factories/ipv4.rb +36 -0
- data/spec/support/factories/output.rb +11 -0
- data/spec/support/factories/record.rb +17 -0
- data/spec/support/factories/url.rb +34 -0
- data/spec/support/factories/xml_node.rb +33 -0
- data/spec/support/helpers/io.rb +11 -0
- data/spec/support/helpers/models.rb +13 -0
- data/spec/support/shared/action_builder.rb +47 -0
- data/spec/support/shared/decoder.rb +70 -0
- data/spec/support/shared/feed_runner_observer.rb +136 -0
- data/spec/support/shared/feeds.rb +233 -0
- data/spec/support/shared/fetcher.rb +48 -0
- data/spec/support/shared/filter.rb +14 -0
- data/spec/support/shared/io-like.rb +7 -0
- data/spec/support/shared/model/collection.rb +164 -0
- data/spec/support/shared/output.rb +120 -0
- data/spec/support/shared/parsers.rb +51 -0
- data/spec/support/shared/record.rb +111 -0
- data/spec/threatinator/actions/list/action_spec.rb +148 -0
- data/spec/threatinator/actions/run/action_spec.rb +106 -0
- data/spec/threatinator/actions/run/config_spec.rb +39 -0
- data/spec/threatinator/actions/run/coverage_observer_spec.rb +151 -0
- data/spec/threatinator/actions/run/output_config_spec.rb +89 -0
- data/spec/threatinator/actions/run/status_observer_spec.rb +86 -0
- data/spec/threatinator/cli/list_action_builder_spec.rb +57 -0
- data/spec/threatinator/cli/run_action_builder_spec.rb +133 -0
- data/spec/threatinator/cli_spec.rb +175 -0
- data/spec/threatinator/config/base_spec.rb +39 -0
- data/spec/threatinator/config/feed_search_spec.rb +76 -0
- data/spec/threatinator/decoders/gzip_spec.rb +75 -0
- data/spec/threatinator/event_builder_spec.rb +123 -0
- data/spec/threatinator/event_spec.rb +254 -0
- data/spec/threatinator/event_spec.rb.new +319 -0
- data/spec/threatinator/feed_builder_spec.rb +633 -0
- data/spec/threatinator/feed_registry_spec.rb +198 -0
- data/spec/threatinator/feed_runner_spec.rb +372 -0
- data/spec/threatinator/feed_spec.rb +169 -0
- data/spec/threatinator/fetcher_spec.rb +12 -0
- data/spec/threatinator/fetchers/http_spec.rb +32 -0
- data/spec/threatinator/filter_spec.rb +13 -0
- data/spec/threatinator/filters/block_spec.rb +16 -0
- data/spec/threatinator/filters/comments_spec.rb +13 -0
- data/spec/threatinator/filters/whitespace_spec.rb +12 -0
- data/spec/threatinator/logger_spec.rb +29 -0
- data/spec/threatinator/model/observables/fqdn_collection_spec.rb +41 -0
- data/spec/threatinator/model/observables/ipv4_collection_spec.rb +36 -0
- data/spec/threatinator/model/observables/ipv4_spec.rb +75 -0
- data/spec/threatinator/model/observables/url_collection_spec.rb +45 -0
- data/spec/threatinator/model/validations/type_spec.rb +37 -0
- data/spec/threatinator/parser_spec.rb +13 -0
- data/spec/threatinator/parsers/csv/parser_spec.rb +202 -0
- data/spec/threatinator/parsers/getline/parser_spec.rb +83 -0
- data/spec/threatinator/parsers/json/parser_spec.rb +106 -0
- data/spec/threatinator/parsers/json/record_spec.rb +30 -0
- data/spec/threatinator/parsers/xml/node_spec.rb +335 -0
- data/spec/threatinator/parsers/xml/parser_spec.rb +263 -0
- data/spec/threatinator/parsers/xml/path_spec.rb +209 -0
- data/spec/threatinator/parsers/xml/pattern_spec.rb +72 -0
- data/spec/threatinator/parsers/xml/record_spec.rb +27 -0
- data/spec/threatinator/plugin_loader_spec.rb +238 -0
- data/spec/threatinator/plugins/output/csv_spec.rb +47 -0
- data/spec/threatinator/plugins/output/null_spec.rb +17 -0
- data/spec/threatinator/plugins/output/rubydebug_spec.rb +37 -0
- data/spec/threatinator/record_spec.rb +19 -0
- data/spec/threatinator/registry_spec.rb +97 -0
- data/spec/threatinator/runner_spec.rb +273 -0
- metadata +674 -0
@@ -0,0 +1,53 @@
|
|
1
|
+
require 'threatinator/exceptions'
|
2
|
+
|
3
|
+
module Threatinator
|
4
|
+
# Just a simple class that holds stuff. Yup, a glorified hash.
|
5
|
+
class Registry
|
6
|
+
include Threatinator::Exceptions
|
7
|
+
|
8
|
+
def initialize()
|
9
|
+
@data= Hash.new
|
10
|
+
end
|
11
|
+
|
12
|
+
# @param [Object] key The object to use as the key for storing the object
|
13
|
+
# @param [Object] object The object to be stored
|
14
|
+
# @raise [Threatinator::Exceptions::dAlreadyRegisteredError] if an object
|
15
|
+
# with the same key is already registered.
|
16
|
+
def register(key, object)
|
17
|
+
if @data.has_key?(key)
|
18
|
+
raise AlreadyRegisteredError.new(key)
|
19
|
+
end
|
20
|
+
@data[key] = object
|
21
|
+
end
|
22
|
+
|
23
|
+
# @param [Object] key
|
24
|
+
# @return [Object]
|
25
|
+
def get(key)
|
26
|
+
@data[key]
|
27
|
+
end
|
28
|
+
|
29
|
+
# @return [Array<Object>] an array of keys
|
30
|
+
def keys
|
31
|
+
@data.keys
|
32
|
+
end
|
33
|
+
|
34
|
+
# @return [Integer] the number of objects in the registry
|
35
|
+
def count
|
36
|
+
@data.count
|
37
|
+
end
|
38
|
+
|
39
|
+
# Enumerates through each object in our registry
|
40
|
+
# @yield [object]
|
41
|
+
# @yieldparam [Object] object An object within the registry
|
42
|
+
def each(&block)
|
43
|
+
return enum_for(:each) unless block_given?
|
44
|
+
@data.each_pair(&block)
|
45
|
+
end
|
46
|
+
|
47
|
+
# Removes all objects from the registry
|
48
|
+
def clear
|
49
|
+
@data.clear
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
53
|
+
|
@@ -0,0 +1,15 @@
|
|
1
|
+
|
2
|
+
module Threatinator
|
3
|
+
module Util
|
4
|
+
def underscore2cc(str)
|
5
|
+
str.to_s.split('_').map {|e| e.capitalize }.join
|
6
|
+
end
|
7
|
+
module_function :underscore2cc
|
8
|
+
|
9
|
+
def cc2underscore(str)
|
10
|
+
str.to_s.split('_').map {|e| e.capitalize }.join
|
11
|
+
end
|
12
|
+
module_function :underscore2cc
|
13
|
+
end
|
14
|
+
end
|
15
|
+
|
data/lib/threatinator.rb
ADDED
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/ET_block-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'emergingthreats' }
|
5
|
+
let(:name) { 'block_ip_reputation' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
|
9
|
+
it_fetches_url 'http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt'
|
10
|
+
|
11
|
+
describe_parsing_the_file feed_data('ET_block-ip_reputation.txt') do
|
12
|
+
it "should have parsed 12 records" do
|
13
|
+
expect(num_records_parsed).to eq(12)
|
14
|
+
end
|
15
|
+
it "should have filtered 68 records" do
|
16
|
+
expect(num_records_filtered).to eq(68)
|
17
|
+
end
|
18
|
+
it "should have missed 0 records" do
|
19
|
+
expect(num_records_missed).to eq(0)
|
20
|
+
end
|
21
|
+
end
|
22
|
+
|
23
|
+
describe_parsing_a_record '103.230.84.239' do
|
24
|
+
it "should have parsed" do
|
25
|
+
expect(status).to eq(:parsed)
|
26
|
+
end
|
27
|
+
it "should have parsed 1 event" do
|
28
|
+
expect(events.count).to eq(1)
|
29
|
+
end
|
30
|
+
describe 'event 0' do
|
31
|
+
subject { events[0] }
|
32
|
+
its(:type) { is_expected.to be(:c2) }
|
33
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['103.230.84.239'])) }
|
34
|
+
end
|
35
|
+
end
|
36
|
+
|
37
|
+
describe_parsing_a_record '97.107.134.249' do
|
38
|
+
it "should have parsed" do
|
39
|
+
expect(status).to eq(:parsed)
|
40
|
+
end
|
41
|
+
it "should have parsed 1 event" do
|
42
|
+
expect(events.count).to eq(1)
|
43
|
+
end
|
44
|
+
describe 'event 0' do
|
45
|
+
subject { events[0] }
|
46
|
+
its(:type) { is_expected.to be(:c2) }
|
47
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['97.107.134.249'])) }
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
@@ -0,0 +1,47 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/ET_compromised-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'emergingthreats' }
|
5
|
+
let(:name) { 'compromised_ip_reputation' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
|
9
|
+
it_fetches_url 'http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt'
|
10
|
+
|
11
|
+
describe_parsing_the_file feed_data('ET_compromised-ip_reputation.txt') do
|
12
|
+
it "should have parsed 11 records" do
|
13
|
+
expect(num_records_parsed).to eq(11)
|
14
|
+
end
|
15
|
+
it "should have filtered 0 records" do
|
16
|
+
expect(num_records_filtered).to eq(0)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
describe_parsing_a_record '1.93.24.90' do
|
21
|
+
it "should have parsed" do
|
22
|
+
expect(status).to eq(:parsed)
|
23
|
+
end
|
24
|
+
it "should have parsed 1 event" do
|
25
|
+
expect(events.count).to eq(1)
|
26
|
+
end
|
27
|
+
describe 'event 0' do
|
28
|
+
subject { events[0] }
|
29
|
+
its(:type) { is_expected.to be(:scanning) }
|
30
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['1.93.24.90'])) }
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
describe_parsing_a_record '1.93.26.32' do
|
35
|
+
it "should have parsed" do
|
36
|
+
expect(status).to eq(:parsed)
|
37
|
+
end
|
38
|
+
it "should have parsed 1 event" do
|
39
|
+
expect(events.count).to eq(1)
|
40
|
+
end
|
41
|
+
describe 'event 0' do
|
42
|
+
subject { events[0] }
|
43
|
+
its(:type) { is_expected.to be(:scanning) }
|
44
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['1.93.26.32'])) }
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
@@ -0,0 +1,56 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/ET_openbadlist-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'emergingthreats' }
|
5
|
+
let(:name) { 'openbadlist_ip_reputation' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
|
9
|
+
it_fetches_url 'https://raw.githubusercontent.com/EmergingThreats/et-open-bad-ip-list/master/IPs.txt'
|
10
|
+
|
11
|
+
describe_parsing_the_file feed_data('ET_openbadlist-ip_reputation.txt') do
|
12
|
+
it "should have parsed 44 records" do
|
13
|
+
expect(num_records_parsed).to eq(44)
|
14
|
+
end
|
15
|
+
it "should have filtered 18 records" do
|
16
|
+
expect(num_records_filtered).to eq(18)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
|
21
|
+
describe_parsing_a_record 'Feb 18 2014; 89.45.14.0/24; Infinity/Redkit2/Goon EK landing or EK gate.' do
|
22
|
+
it "should have been filtered" do
|
23
|
+
expect(status).to eq(:filtered)
|
24
|
+
end
|
25
|
+
it "should have parsed 0 events" do
|
26
|
+
expect(events.count).to eq(0)
|
27
|
+
end
|
28
|
+
end
|
29
|
+
describe_parsing_a_record 'Jan 24 2014; 212.83.160.187/32; Neutrino EK' do
|
30
|
+
it "should have parsed" do
|
31
|
+
expect(status).to eq(:parsed)
|
32
|
+
end
|
33
|
+
it "should have parsed 1 event" do
|
34
|
+
expect(events.count).to eq(1)
|
35
|
+
end
|
36
|
+
describe 'event 0' do
|
37
|
+
subject { events[0] }
|
38
|
+
its(:type) { is_expected.to be(:c2) }
|
39
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['212.83.160.187'])) }
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
describe_parsing_a_record 'Jan 28 2014; 149.154.64.180/32; [a-z]{3,6}\.pp\.ua DGA cesspool' do
|
44
|
+
it "should have parsed" do
|
45
|
+
expect(status).to eq(:parsed)
|
46
|
+
end
|
47
|
+
it "should have parsed 1 event" do
|
48
|
+
expect(events.count).to eq(1)
|
49
|
+
end
|
50
|
+
describe 'event 0' do
|
51
|
+
subject { events[0] }
|
52
|
+
its(:type) { is_expected.to be(:c2) }
|
53
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['149.154.64.180'])) }
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
@@ -0,0 +1,46 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/alienvault-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'alienvault' }
|
5
|
+
let(:name) { 'ip_reputation' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
it_fetches_url 'https://reputation.alienvault.com/reputation.generic'
|
9
|
+
|
10
|
+
describe_parsing_the_file feed_data('alienvault-ip_reputation.txt') do
|
11
|
+
it "should have parsed 10 records" do
|
12
|
+
expect(num_records_parsed).to eq(10)
|
13
|
+
end
|
14
|
+
it "should have filtered 8 records" do
|
15
|
+
expect(num_records_filtered).to eq(8)
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
describe_parsing_a_record '37.205.198.162 # Scanning Host IT,,42.8333015442,12.8332996368' do
|
20
|
+
it "should have parsed" do
|
21
|
+
expect(status).to eq(:parsed)
|
22
|
+
end
|
23
|
+
it "should have parsed 1 event" do
|
24
|
+
expect(events.count).to eq(1)
|
25
|
+
end
|
26
|
+
describe 'event 0' do
|
27
|
+
subject { events[0] }
|
28
|
+
its(:type) { is_expected.to be(:scanning) }
|
29
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['37.205.198.162'])) }
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
describe_parsing_a_record '108.59.1.5 # Scanning Host A1,,0.0,0.0' do
|
34
|
+
it "should have parsed" do
|
35
|
+
expect(status).to eq(:parsed)
|
36
|
+
end
|
37
|
+
it "should have parsed 1 event" do
|
38
|
+
expect(events.count).to eq(1)
|
39
|
+
end
|
40
|
+
describe 'event 0' do
|
41
|
+
subject { events[0] }
|
42
|
+
its(:type) { is_expected.to be(:scanning) }
|
43
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['108.59.1.5'])) }
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
@@ -0,0 +1,46 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/arbor_fastflux-domain_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'arbor' }
|
5
|
+
let(:name) { 'fastflux_domain_reputation' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
it_fetches_url 'http://atlas.arbor.net/summary/domainlist'
|
9
|
+
|
10
|
+
describe_parsing_the_file feed_data('arbor_domainlist.txt') do
|
11
|
+
it "should have parsed 2 records" do
|
12
|
+
expect(num_records_parsed).to eq(2)
|
13
|
+
end
|
14
|
+
it "should have filtered 9 records" do
|
15
|
+
expect(num_records_filtered).to eq(9)
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
describe_parsing_a_record 'brylanehome.com' do
|
20
|
+
it "should have parsed" do
|
21
|
+
expect(status).to eq(:parsed)
|
22
|
+
end
|
23
|
+
it "should have parsed 1 event" do
|
24
|
+
expect(events.count).to eq(1)
|
25
|
+
end
|
26
|
+
describe 'event 0' do
|
27
|
+
subject { events[0] }
|
28
|
+
its(:type) { is_expected.to be(:c2) }
|
29
|
+
its(:fqdns) { is_expected.to match_array(['brylanehome.com']) }
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
describe_parsing_a_record 'emltrk.com' do
|
34
|
+
it "should have parsed" do
|
35
|
+
expect(status).to eq(:parsed)
|
36
|
+
end
|
37
|
+
it "should have parsed 1 event" do
|
38
|
+
expect(events.count).to eq(1)
|
39
|
+
end
|
40
|
+
describe 'event 0' do
|
41
|
+
subject { events[0] }
|
42
|
+
its(:type) { is_expected.to be(:c2) }
|
43
|
+
its(:fqdns) { is_expected.to match_array(['emltrk.com']) }
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
@@ -0,0 +1,46 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/arbor_ssh-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'arbor' }
|
5
|
+
let(:name) { 'ssh_ip_reputation' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
it_fetches_url 'http://atlas-public.ec2.arbor.net/public/ssh_attackers'
|
9
|
+
|
10
|
+
describe_parsing_the_file feed_data('arbor_ssh.txt') do
|
11
|
+
it "should have parsed 15 records" do
|
12
|
+
expect(num_records_parsed).to eq(15)
|
13
|
+
end
|
14
|
+
it "should have filtered 1 records" do
|
15
|
+
expect(num_records_filtered).to eq(1)
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
describe_parsing_a_record '190.255.48.99' do
|
20
|
+
it "should have parsed" do
|
21
|
+
expect(status).to eq(:parsed)
|
22
|
+
end
|
23
|
+
it "should have parsed 1 event" do
|
24
|
+
expect(events.count).to eq(1)
|
25
|
+
end
|
26
|
+
describe 'event 0' do
|
27
|
+
subject { events[0] }
|
28
|
+
its(:type) { is_expected.to be(:scanning) }
|
29
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['190.255.48.99'])) }
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
describe_parsing_a_record '184.172.196.132' do
|
34
|
+
it "should have parsed" do
|
35
|
+
expect(status).to eq(:parsed)
|
36
|
+
end
|
37
|
+
it "should have parsed 1 event" do
|
38
|
+
expect(events.count).to eq(1)
|
39
|
+
end
|
40
|
+
describe 'event 0' do
|
41
|
+
subject { events[0] }
|
42
|
+
its(:type) { is_expected.to be(:scanning) }
|
43
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['184.172.196.132'])) }
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
@@ -0,0 +1,38 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/autoshun_shunlist.feed', :feed do
|
4
|
+
let(:provider) { 'autoshun' }
|
5
|
+
let(:name) { 'shunlist' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
it_fetches_url 'http://www.autoshun.org/files/shunlist.csv'
|
9
|
+
|
10
|
+
describe_parsing_the_file feed_data('autoshun_shunlist.csv') do
|
11
|
+
it "should have parsed 19 records" do
|
12
|
+
expect(num_records_parsed).to eq(19)
|
13
|
+
end
|
14
|
+
it "should have filtered 1 records" do
|
15
|
+
expect(num_records_filtered).to eq(1)
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
describe_parsing_a_record '1.93.34.230,2014-07-16 08:01:23,SSH Brute Force' do
|
20
|
+
it "should have parsed" do
|
21
|
+
expect(status).to eq(:parsed)
|
22
|
+
end
|
23
|
+
it "should have parsed 1 event" do
|
24
|
+
expect(events.count).to eq(1)
|
25
|
+
end
|
26
|
+
describe 'event 0' do
|
27
|
+
subject { events[0] }
|
28
|
+
its(:type) { is_expected.to be(:scanning) }
|
29
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['1.93.34.230'])) }
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
describe_parsing_a_record 'Shunlist as of Mon, 21 Jul 2014 13:30:02 -0500' do
|
34
|
+
it "should have been filtered" do
|
35
|
+
expect(status).to eq(:filtered)
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
@@ -0,0 +1,38 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/bambenek_c2_masterlist-domain_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'bambenek' }
|
5
|
+
let(:name) { 'c2_masterlist' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
it_fetches_url 'http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt'
|
9
|
+
|
10
|
+
describe_parsing_the_file feed_data('bambenek_c2-dommasterlist.csv') do
|
11
|
+
it "should have parsed 14 records" do
|
12
|
+
expect(num_records_parsed).to eq(14)
|
13
|
+
end
|
14
|
+
it "should have filtered 16 records" do
|
15
|
+
expect(num_records_filtered).to eq(16)
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
describe_parsing_a_record 'hhvohslwvpww.ru,Domain used by tinba,2014-11-03 16:30,http://osint.bambenekconsulting.com/manual/tinba-iplist.txt' do
|
20
|
+
it "should have parsed" do
|
21
|
+
expect(status).to eq(:parsed)
|
22
|
+
end
|
23
|
+
it "should have parsed 1 event" do
|
24
|
+
expect(events.count).to eq(1)
|
25
|
+
end
|
26
|
+
describe 'event 0' do
|
27
|
+
subject { events[0] }
|
28
|
+
its(:type) { is_expected.to be(:c2) }
|
29
|
+
its(:fqdns) { is_expected.to match_array(['hhvohslwvpww.ru']) }
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
describe_parsing_a_record '## jcb@bambenekconsulting.com // http://bambenekconsulting.com' do
|
34
|
+
it "should have been filtered" do
|
35
|
+
expect(status).to eq(:filtered)
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
@@ -0,0 +1,39 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/bambenek_c2_masterlist-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'bambenek' }
|
5
|
+
let(:name) { 'c2_masterlist_ip' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
|
9
|
+
it_fetches_url 'http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt'
|
10
|
+
|
11
|
+
describe_parsing_the_file feed_data('bambenek_c2-ipmasterlist.csv') do
|
12
|
+
it "should have parsed 11 records" do
|
13
|
+
expect(num_records_parsed).to eq(11)
|
14
|
+
end
|
15
|
+
it "should have filtered 16 records" do
|
16
|
+
expect(num_records_filtered).to eq(16)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
describe_parsing_a_record '212.175.66.70,IP used by matsnu C&C,2014-11-03 16:40,http://osint.bambenekconsulting.com/manual/matsnu-iplist.txt' do
|
21
|
+
it "should have parsed" do
|
22
|
+
expect(status).to eq(:parsed)
|
23
|
+
end
|
24
|
+
it "should have parsed 1 event" do
|
25
|
+
expect(events.count).to eq(1)
|
26
|
+
end
|
27
|
+
describe 'event 0' do
|
28
|
+
subject { events[0] }
|
29
|
+
its(:type) { is_expected.to be(:c2) }
|
30
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['212.175.66.70'])) }
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
describe_parsing_a_record '## jcb@bambenekconsulting.com // http://bambenekconsulting.com' do
|
35
|
+
it "should have been filtered" do
|
36
|
+
expect(status).to eq(:filtered)
|
37
|
+
end
|
38
|
+
end
|
39
|
+
end
|
@@ -0,0 +1,39 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/bambenek_dga_feed-domain_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'bambenek' }
|
5
|
+
let(:name) { 'dga_feed' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
|
9
|
+
it_fetches_url 'http://osint.bambenekconsulting.com/feeds/dga-feed.txt'
|
10
|
+
|
11
|
+
describe_parsing_the_file feed_data('bambenek_dga_feed.csv') do
|
12
|
+
it "should have parsed 28 records" do
|
13
|
+
expect(num_records_parsed).to eq(28)
|
14
|
+
end
|
15
|
+
it "should have filtered 14 records" do
|
16
|
+
expect(num_records_filtered).to eq(14)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
describe_parsing_a_record 'rjfifeogqukyjdw.ru,Domain used by Wikipedia 25 DGA for 01 Nov 2014,20141101,http://osint.bambenekconsulting.com/manual/wiki25.txt' do
|
21
|
+
it "should have parsed" do
|
22
|
+
expect(status).to eq(:parsed)
|
23
|
+
end
|
24
|
+
it "should have parsed 1 event" do
|
25
|
+
expect(events.count).to eq(1)
|
26
|
+
end
|
27
|
+
describe 'event 0' do
|
28
|
+
subject { events[0] }
|
29
|
+
its(:type) { is_expected.to be(:c2) }
|
30
|
+
its(:fqdns) { is_expected.to match_array(['rjfifeogqukyjdw.ru']) }
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
describe_parsing_a_record '## http://osint.bambenekconsulting.com/manual/dga-feed.txt' do
|
35
|
+
it "should have been filtered" do
|
36
|
+
expect(status).to eq(:filtered)
|
37
|
+
end
|
38
|
+
end
|
39
|
+
end
|
@@ -0,0 +1,47 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/berkeley-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'berkeley' }
|
5
|
+
let(:name) { 'ip_reputation' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
|
9
|
+
it_fetches_url 'https://security.berkeley.edu/aggressive_ips/ips'
|
10
|
+
|
11
|
+
describe_parsing_the_file feed_data('berkeley.txt') do
|
12
|
+
it "should have parsed 16 records" do
|
13
|
+
expect(num_records_parsed).to eq(16)
|
14
|
+
end
|
15
|
+
it "should have filtered 13 records" do
|
16
|
+
expect(num_records_filtered).to eq(13)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
describe_parsing_a_record 'HOSTILE_IP: 116.10.191.182 LAST_SEEN: 1403615662' do
|
21
|
+
it "should have parsed" do
|
22
|
+
expect(status).to eq(:parsed)
|
23
|
+
end
|
24
|
+
it "should have parsed 1 event" do
|
25
|
+
expect(events.count).to eq(1)
|
26
|
+
end
|
27
|
+
describe 'event 0' do
|
28
|
+
subject { events[0] }
|
29
|
+
its(:type) { is_expected.to be(:scanning) }
|
30
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['116.10.191.182'])) }
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
describe_parsing_a_record 'HOSTILE_IP: 144.0.0.22 LAST_SEEN: 1404389169' do
|
35
|
+
it "should have parsed" do
|
36
|
+
expect(status).to eq(:parsed)
|
37
|
+
end
|
38
|
+
it "should have parsed 1 event" do
|
39
|
+
expect(events.count).to eq(1)
|
40
|
+
end
|
41
|
+
describe 'event 0' do
|
42
|
+
subject { events[0] }
|
43
|
+
its(:type) { is_expected.to be(:scanning) }
|
44
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['144.0.0.22'])) }
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/bitcash_cz_blacklist.feed', :feed do
|
4
|
+
let(:provider) { 'bitcash_cz' }
|
5
|
+
let(:name) { 'blacklist' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
|
9
|
+
it_fetches_url 'http://bitcash.cz/misc/log/blacklist'
|
10
|
+
|
11
|
+
describe_parsing_the_file feed_data('bitcash_cz_blacklist.txt') do
|
12
|
+
it "should have parsed 3 records" do
|
13
|
+
expect(num_records_parsed).to eq(3)
|
14
|
+
end
|
15
|
+
it "should have filtered 4 records" do
|
16
|
+
expect(num_records_filtered).to eq(4)
|
17
|
+
end
|
18
|
+
it "should have missed 0 records" do
|
19
|
+
expect(num_records_missed).to eq(0)
|
20
|
+
end
|
21
|
+
end
|
22
|
+
|
23
|
+
describe_parsing_a_record '107.22.93.75 # ec2-107-22-93-75.compute-1.amazonaws.com last access 2014-07-30 01:45:02' do
|
24
|
+
it "should have parsed" do
|
25
|
+
expect(status).to eq(:parsed)
|
26
|
+
end
|
27
|
+
it "should have parsed 1 event" do
|
28
|
+
expect(events.count).to eq(1)
|
29
|
+
end
|
30
|
+
describe 'event 0' do
|
31
|
+
subject { events[0] }
|
32
|
+
its(:type) { is_expected.to be(:scanning) }
|
33
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['107.22.93.75'])) }
|
34
|
+
end
|
35
|
+
end
|
36
|
+
|
37
|
+
describe_parsing_a_record '195.98.179.106 # broadband-195-98-179-106.2com.net last access 2014-09-02 17:01:01' do
|
38
|
+
it "should have parsed" do
|
39
|
+
expect(status).to eq(:parsed)
|
40
|
+
end
|
41
|
+
it "should have parsed 1 event" do
|
42
|
+
expect(events.count).to eq(1)
|
43
|
+
end
|
44
|
+
describe 'event 0' do
|
45
|
+
subject { events[0] }
|
46
|
+
its(:type) { is_expected.to be(:scanning) }
|
47
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['195.98.179.106'])) }
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
@@ -0,0 +1,47 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/blocklist_de_apache-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'blocklist_de' }
|
5
|
+
let(:name) { 'apache_ip_reputation' }
|
6
|
+
let(:event_types) { [:scanning]}
|
7
|
+
|
8
|
+
|
9
|
+
it_fetches_url 'http://www.blocklist.de/lists/apache.txt'
|
10
|
+
|
11
|
+
describe_parsing_the_file feed_data('blocklist_de_apache-ip-reputation.txt') do
|
12
|
+
it "should have parsed 15 records" do
|
13
|
+
expect(num_records_parsed).to eq(15)
|
14
|
+
end
|
15
|
+
it "should have filtered 2 records" do
|
16
|
+
expect(num_records_filtered).to eq(2)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
describe_parsing_a_record '109.228.235.167' do
|
21
|
+
it "should have parsed" do
|
22
|
+
expect(status).to eq(:parsed)
|
23
|
+
end
|
24
|
+
it "should have parsed 1 event" do
|
25
|
+
expect(events.count).to eq(1)
|
26
|
+
end
|
27
|
+
describe 'event 0' do
|
28
|
+
subject { events[0] }
|
29
|
+
its(:type) { is_expected.to be(:scanning) }
|
30
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['109.228.235.167'])) }
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
describe_parsing_a_record '109.70.54.11' do
|
35
|
+
it "should have parsed" do
|
36
|
+
expect(status).to eq(:parsed)
|
37
|
+
end
|
38
|
+
it "should have parsed 1 event" do
|
39
|
+
expect(events.count).to eq(1)
|
40
|
+
end
|
41
|
+
describe 'event 0' do
|
42
|
+
subject { events[0] }
|
43
|
+
its(:type) { is_expected.to be(:scanning) }
|
44
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['109.70.54.11'])) }
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|