RubyGems - shadowserver - Versions diffs - 0.0.0 - Mend

shadowserver 0.0.0

Files changed (18) hide show

data/.document +5 -0
data/Gemfile +12 -0
data/Gemfile.lock +22 -0
data/LICENSE.txt +20 -0
data/README.rdoc +47 -0
data/Rakefile +53 -0
data/VERSION +1 -0
data/bin/shadowserver_asn +63 -0
data/bin/shadowserver_malware +23 -0
data/bin/shadowserver_whitelist +21 -0
data/lib/shadowserver.rb +3 -0
data/lib/shadowserver/asn.rb +49 -0
data/lib/shadowserver/malware.rb +68 -0
data/lib/shadowserver/whitelist.rb +47 -0
data/test/helper.rb +18 -0
data/test/notepad.exe +0 -0
data/test/test_shadowserver.rb +54 -0
metadata +176 -0

data/.document ADDED Viewed

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+-
+features/**/*.feature
+LICENSE.txt

data/Gemfile ADDED Viewed

@@ -0,0 +1,12 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+gem "json", ">= 1.4.3"
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "shoulda", ">= 0"
+  gem "bundler", "~> 1.0.0"
+  gem "jeweler", "~> 1.5.2"
+  gem "rcov", ">= 0"
+end

data/Gemfile.lock ADDED Viewed

@@ -0,0 +1,22 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    git (1.2.5)
+    jeweler (1.5.2)
+      bundler (~> 1.0.0)
+      git (>= 1.2.5)
+      rake
+    json (1.5.1)
+    rake (0.8.7)
+    rcov (0.9.9)
+    shoulda (2.11.3)
+PLATFORMS
+  ruby
+DEPENDENCIES
+  bundler (~> 1.0.0)
+  jeweler (~> 1.5.2)
+  json (>= 1.4.3)
+  rcov
+  shoulda

data/LICENSE.txt ADDED Viewed

@@ -0,0 +1,20 @@
+Copyright (c) 2011 Chris Lee
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc ADDED Viewed

@@ -0,0 +1,47 @@
+= shadowserver
+The Shadowserver Foundation is an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware.
+This rubygem aueries various Shadowserver services for ASN information, malware hash lookups, and whitelist hash lookups
+== Usage
+=== Whitelist
+	w = Shadowserver::Whitelist.by_hash("0E53C14A3E48D94FF596A2824307B492")
+	{"source_version"=>"$version", "language"=>"English", "os_name"=>"Windows NT", "mfg_name"=>"Corel Corporation", "filesize"=>"2226", "os_version"=>"Generic", "product_name"=>"Gallery", "filename"=>"00br2026.gif", "crc32"=>"AA6A7B16", "application_type"=>"Graphic/Drawing", "source"=>"NIST", "os_mfg"=>"Microsoft", "product_version"=>"750,000"}
+	w = Shadowserver::Whitelist.by_filename("test/notepad.exe")
+	{"source_version"=>"$version", "language"=>"English", "os_name"=>"Unknown", "mfg_name"=>"Sony", "filesize"=>"66048", "os_version"=>"Unknown", "product_name"=>"VAIO Computer Quick Start", "filename"=>"NOTEPAD.EXE", "crc32"=>"0BE7841C", "application_type"=>"System Software,System restoration", "source"=>"NIST", "os_mfg"=>"Unknown", "product_version"=>"Version G186.0"}
+	w = Shadowserver::Whitelist.by_string(File.new("test/notepad.exe").read)
+	{"source_version"=>"$version", "language"=>"English", "os_name"=>"Unknown", "mfg_name"=>"Sony", "filesize"=>"66048", "os_version"=>"Unknown", "product_name"=>"VAIO Computer Quick Start", "filename"=>"NOTEPAD.EXE", "crc32"=>"0BE7841C", "application_type"=>"System Software,System restoration", "source"=>"NIST", "os_mfg"=>"Unknown", "product_version"=>"Version G186.0"}
+=== Malware Query
+	mr = Shadowserver::Malware.query("aca4aad254280d25e74c82d440b76f79")
+	{"first_seen"=>"2010-06-15 03:09:41", "filetype"=>"exe", "avresults"=>{"TrendMicro"=>"TROJ_DLOADR.SMM", "AntiVir"=>"WORM/VB.NVA", "VirusBuster"=>"Worm.VB.FMYJ", "QuickHeal"=>"Worm.VB.at", "Clam"=>"Trojan.Downloader-50691", "VBA32"=>"Trojan.VBO.011858", "Sophos"=>"Troj/DwnLdr-HQY", "NOD32"=>"Win32/AutoRun.VB.JP", "Kaspersky"=>"Trojan.Win32.Cosmu.nyl", "Panda"=>"W32/OverDoom.A", "Vexira"=>"Trojan.DL.VB.EEDT", "G-Data"=>"Trojan.Generic.2609117", "Ikarus"=>"Trojan-Downloader.Win32.VB", "Norman"=>"Suspicious_Gen2.SKLJ", "McAfee"=>"Generic", "AVG7"=>"Downloader.Generic9.URM", "F-Secure"=>"Worm:W32/Revois.gen!A", "F-Prot6"=>"W32/Worm.BAOX", "DrWeb"=>"Win32.HLLW.Autoruner.6014", "Avast-Commercial"=>"Win32:Zbot-LRA"}, "ssdeep"=>"12288:gOqOB0v2eZJys73dOvXDpNjNe8NuMpX4aBaa48L/93zKnP6ppgg2HFZlxVPbZX:sOA2eZJ8NI8Nah8L/4PqmTVPlX", "sha1"=>"6fe80e56ad4de610304bab1675ce84d16ab6988e", "last_seen"=>"2010-06-15 03:09:41", "md5"=>"aca4aad254280d25e74c82d440b76f79"}
+=== ASN Query
+	a = Shadowserver::ASN.origin("4.2.2.5")
+	{"cc"=>"US", "domain"=>"LEVEL3.NET", "isp"=>"LEVEL 3 COMMUNICATIONS INC", "asn"=>3356, "asname"=>"LEVEL3", "cidr"=>"4.0.0.0/9"}
+	a = Shadowserver::ASN.peer("4.2.2.5")
+	{"cc"=>"US", "prefix"=>"4.0.0.0/9", "domain"=>"LEVEL3.NET", "isp"=>"LEVEL 3 COMMUNICATIONS INC", "asn"=>3356, "asname"=>"LEVEL3", "peers"=>[701, 1239]}
+	a = Shadowserver::ASN.prefix(2637)
+	["128.61.0.0/19", "128.61.32.0/19", "128.61.64.0/18", "128.61.128.0/17", "130.207.0.0/16", "143.215.0.0/16", "204.152.10.0/23"]
+== Contributing to shadowserver
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+== Copyright
+Copyright (c) 2011 Chris Lee. See LICENSE.txt for
+further details.

data/Rakefile ADDED Viewed

@@ -0,0 +1,53 @@
+require 'rubygems'
+require 'bundler'
+begin
+	Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+	$stderr.puts e.message
+	$stderr.puts "Run `bundle install` to install missing gems"
+	exit e.status_code
+end
+require 'rake'
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+	# gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+	gem.name = "shadowserver"
+	gem.homepage = "http://github.com/chrislee35/shadowserver"
+	gem.license = "MIT"
+	gem.summary = %Q{Queries various Shadowserver services for ASN information, malware hash lookups, and whitelist hash lookups}
+	gem.description = %Q{The Shadowserver Foundation is an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware.}
+	gem.email = "rubygems@chrislee.dhs.org"
+	gem.authors = ["Chris Lee"]
+	gem.executables = ["shadowserver_asn", "shadowserver_whitelist", "shadowserver_malware"]
+	# Include your dependencies below. Runtime dependencies are required when using your gem,
+	# and development dependencies are only needed for development (ie running rake tasks, tests, etc)
+	gem.add_runtime_dependency "json", ">= 1.4.3"
+end
+Jeweler::RubygemsDotOrgTasks.new
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+	test.libs << 'lib' << 'test'
+	test.pattern = 'test/**/test_*.rb'
+	test.verbose = true
+end
+require 'rcov/rcovtask'
+Rcov::RcovTask.new do |test|
+	test.libs << 'test'
+	test.pattern = 'test/**/test_*.rb'
+	test.verbose = true
+end
+task :default => :test
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+	version = File.exist?('VERSION') ? File.read('VERSION') : ""
+	rdoc.rdoc_dir = 'rdoc'
+	rdoc.title = "shadowserver #{version}"
+	rdoc.rdoc_files.include('README*')
+	rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION ADDED Viewed

	@@ -0,0 +1 @@
1	+ 0.0.0

data/bin/shadowserver_asn ADDED Viewed

@@ -0,0 +1,63 @@
+#!/usr/bin/env ruby
+require 'shadowserver'
+require 'pp'
+require 'getoptlong'
+def lookup(item)
+	if item =~ /^AS(\d+)$/i
+		Shadowserver::ASN.prefix($1.to_i)
+	elsif item =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/
+		case $mode
+		when 'origin'
+			Shadowserver::ASN.origin(item)
+		when 'peer'
+			Shadowserver::ASN.peer(item)
+		else
+			"Unknown argument type: #{item}"
+		end
+	end
+end
+def usage
+	puts "Usage: #{$0} [-h|-p|-o] [<ip or asn>] [<ip or asn> ...]"
+	puts "-h usage information"
+	puts "-p display peering information"
+	puts "-o display origin information"
+	puts
+	puts "If no arguments are provided, then the tool reads from standard input."
+	puts "If an ASN is provided, then the prefixes are listed"
+	puts "Examples"
+	puts "  #{$0} -p 4.2.2.5"
+	puts "  #{$0} -o 4.2.2.5"
+	puts "  #{$0} AS2637"
+	exit
+end
+$mode = 'origin'
+opts = GetoptLong.new(
+	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+	[ '--origin', '-o', GetoptLong::NO_ARGUMENT ],
+	[ '--peer', '-p', GetoptLong::NO_ARGUMENT ]
+)
+opts.each do |opt, arg|
+	case opt
+	when '--help'
+		usage
+	when '--origin'
+		$mode = 'origin'
+	when '--peer'
+		$mode = 'peer'
+	else
+		usage
+	end
+end
+if ARGV.length > 0
+	ARGV.each do |item|
+		pp lookup(item)
+	end
+else
+	$stdin.each_line do |item|
+		pp lookup(item.chomp)
+	end
+end

data/bin/shadowserver_malware ADDED Viewed

@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+require 'shadowserver'
+require 'digest/md5'
+require 'pp'
+def usage
+	puts "Usage: #{$0} (<hash>|<filename>) [<hash>|<filename> ...]"
+	puts "this tool will query the malware list for each hash or filename provided at the commandline"
+	exit
+end
+usage unless ARGV.length > 0
+ARGV.each do |item|
+	if item =~ /^[a-f0-9]{32}([a-f0-9]{8})?$/i
+		pp Shadowserver::Malware.query(item)
+	elsif File.exists?(item)
+		hash = Digest::MD5.hexdigest(File.open(item).read)
+		pp Shadowserver::Malware.query(hash)
+	else
+		puts "#{item} isn't a hash or a filename (that I can find)"
+	end
+end

data/bin/shadowserver_whitelist ADDED Viewed

@@ -0,0 +1,21 @@
+#!/usr/bin/env ruby
+require 'shadowserver'
+require 'pp'
+def usage
+	puts "Usage: #{$0} (<hash>|<filename>) [<hash>|<filename> ...]"
+	puts "this tool will query the whitelist for each hash or filename provided at the commandline"
+	exit
+end
+usage unless ARGV.length > 0
+ARGV.each do |item|
+	if item =~ /^[a-f0-9]{32}([a-f0-9]{8})?$/i
+		pp Shadowserver::Whitelist.by_hash(item)
+	elsif File.exists?(item)
+		pp Shadowserver::Whitelist.by_filename(item)
+	else
+		puts "#{item} isn't a hash or a filename (that I can find)"
+	end
+end

data/lib/shadowserver.rb ADDED Viewed

@@ -0,0 +1,3 @@
+require 'shadowserver/whitelist'
+require 'shadowserver/malware'
+require 'shadowserver/asn'

data/lib/shadowserver/asn.rb ADDED Viewed

@@ -0,0 +1,49 @@
+require 'socket'
+module Shadowserver
+	class ASN
+		@@server = 'asn.shadowserver.org'
+		@@port = 43
+		def ASN::origin(ip)
+			t = TCPSocket.new(@@server,@@port)
+			t.write("origin #{ip}\n")
+			asn, cidr, asname, cc, domain, isp = t.read.chomp.split(/\|/).map{|x| x.strip}
+			asn = asn.to_i
+			t.close
+			{
+				"asn" => asn,
+				"cidr" => cidr,
+				"asname" => asname,
+				"cc" => cc,
+				"domain" => domain,
+				"isp" => isp
+			}
+		end
+		def ASN::peer(ip)
+			t = TCPSocket.new(@@server,@@port)
+			t.write("peer #{ip}\n")
+			peers, asn, prefix, asname, cc, domain, isp = t.read.chomp.split(/\|/).map{|x| x.strip}
+			asn = asn.to_i
+			peers = peers.split(/ /).map{|x| x.to_i}
+			t.close
+			{
+				"peers" => peers,
+				"asn" => asn,
+				"prefix" => prefix,
+				"asname" => asname,
+				"cc" => cc,
+				"domain" => domain,
+				"isp" => isp
+			}
+		end
+		def ASN::prefix(asn)
+			t = TCPSocket.new(@@server,@@port)
+			t.write("prefix #{asn}\n")
+			prefixes = t.read.chomp.split(/\n/)
+			t.close
+			prefixes
+		end
+	end
+end

data/lib/shadowserver/malware.rb ADDED Viewed

@@ -0,0 +1,68 @@
+require 'net/http'
+require 'net/https'
+require 'json'
+require 'uri'
+module Shadowserver
+	class Malware
+		def Malware::query(hash)
+			doc = _get("http://innocuous.shadowserver.org/api/?query=#{hash}")
+			return nil if doc =~ /^\!/
+			lines = doc.split(/\n/)
+			md5, sha1, first_seen, last_seen, filetype, ssdeep = lines[0].gsub(/\"/,'').split(/,/)
+			avresults = JSON.parse(lines[1])
+			{
+				"md5" => md5,
+				"sha1" => sha1,
+				"first_seen" => first_seen,
+				"last_seen" => last_seen,
+				"filetype" => filetype,
+				"ssdeep" => ssdeep,
+				"avresults" => avresults
+			}
+		end
+		# untested
+		def Malware::download(hash,filename=nil)
+			doc = _get("https://innocuous.shadowserver.org/api/?download=#{hash}")
+			raise doc.chomp if doc =~ /\! The Shadowserver Foundation:  RESTRICTED ACCESS/
+			return nil if doc =~ /^\!/
+			if filename
+				File.open(filename,"w") do |f|
+					f.write(doc)
+				end
+			end
+			doc
+		end
+		# untested
+		def Malware::avresult(hash)
+			doc = _get("http://innocuous.shadowserver.org/api/?avresult=#{hash}")
+			raise doc.chomp if doc =~ /\! The Shadowserver Foundation:  RESTRICTED ACCESS/
+			return nil if doc =~ /^\!/
+			JSON.parse(doc)
+		end
+		# untested
+		def Malware::ssdeep(hash)
+			doc = _get("http://innocuous.shadowserver.org/api/?ssdeep=#{hash}")
+			raise doc.chomp if doc =~ /\! The Shadowserver Foundation:  RESTRICTED ACCESS/
+			return nil if doc =~ /^\!/
+			JSON.parse(doc)
+		end
+	end
+	def  Malware::_get(url)
+		url = URI.parse(url)
+		request = Net::HTTP::Get.new(url.path+"?"+url.query)
+		request.add_field("User-Agent", "Ruby/#{RUBY_VERSION} shadowserver rubygem (https://github.com/chrislee35/shadowserver)")
+		http = Net::HTTP.new(url.host, url.port)
+		if url.scheme == 'https'
+			http.use_ssl = true
+			http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+			http.verify_depth = 5
+		end
+		resp = http.request(request)
+		resp.body
+	end
+end

data/lib/shadowserver/whitelist.rb ADDED Viewed

@@ -0,0 +1,47 @@
+require 'net/http'
+require 'digest/sha1'
+require 'uri'
+require 'json'
+module Shadowserver
+	class Whitelist
+		@@baseurl = "http://bin-test.shadowserver.org/api"
+		def Whitelist::by_hash(hash)
+			url = @@baseurl
+			if hash.length == 32
+				url += "?md5=#{hash.upcase}"
+			elsif hash.length == 40
+				url += "?sha1=#{hash.upcase}"
+			else
+				raise "The hash must be either 32 or 40 characters long"
+			end
+			url = URI.parse(url)
+			request = Net::HTTP::Get.new(url.path+"?"+url.query)
+			request.add_field("User-Agent", "Ruby/#{RUBY_VERSION} shadowserver rubygem (https://github.com/chrislee35/shadowserver)")
+			http = Net::HTTP.new(url.host, url.port)
+			if url.scheme == 'https'
+				http.use_ssl = true
+				http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+				http.verify_depth = 5
+			end
+			resp = http.request(request)
+			if resp.body =~ /^[0-9A-F]{32,40} (.+)/
+				JSON.parse($1)
+			else
+				nil
+			end
+		end
+		def Whitelist::by_filename(filename)
+			if File.exists?(filename)
+				hash = Digest::SHA1.hexdigest(File.open(filename).read)
+			else
+				raise "Whitelist::by_filename: Could not find file, #{filename}"
+			end
+			Whitelist::by_hash(hash)
+		end
+		def Whitelist::by_string(string)
+			hash = Digest::SHA1.hexdigest(string)
+			Whitelist::by_hash(hash)
+		end
+	end
+end

data/test/helper.rb ADDED Viewed

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+require 'shoulda'
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'shadowserver'
+class Test::Unit::TestCase
+end

data/test/notepad.exe ADDED Viewed

Binary file

data/test/test_shadowserver.rb ADDED Viewed

@@ -0,0 +1,54 @@
+require 'helper'
+class TestShadowserver < Test::Unit::TestCase
+	should "return whitelist results for 0E53C14A3E48D94FF596A2824307B492" do
+		w = Shadowserver::Whitelist.by_hash("0E53C14A3E48D94FF596A2824307B492")
+		assert_not_nil(w)
+		assert_equal({"source_version"=>"$version", "language"=>"English", "os_name"=>"Windows NT", "mfg_name"=>"Corel Corporation", "filesize"=>"2226", "os_version"=>"Generic", "product_name"=>"Gallery", "filename"=>"00br2026.gif", "crc32"=>"AA6A7B16", "application_type"=>"Graphic/Drawing", "source"=>"NIST", "os_mfg"=>"Microsoft", "product_version"=>"750,000"}, w)
+	end
+	should "return nil for whitelist query for 0E53C14A3E48D94FF596A2824307B493" do
+		w = Shadowserver::Whitelist.by_hash("0E53C14A3E48D94FF596A2824307B493")
+		assert_nil(w)
+	end
+	should "return whitelist results for notepad.exe" do
+		w = Shadowserver::Whitelist.by_filename("test/notepad.exe")
+		assert_not_nil(w)
+		assert_equal({"source_version"=>"$version", "language"=>"English", "os_name"=>"Unknown", "mfg_name"=>"Sony", "filesize"=>"66048", "os_version"=>"Unknown", "product_name"=>"VAIO Computer Quick Start", "filename"=>"NOTEPAD.EXE", "crc32"=>"0BE7841C", "application_type"=>"System Software,System restoration", "source"=>"NIST", "os_mfg"=>"Unknown", "product_version"=>"Version G186.0"}, w)
+	end
+	should "return whitelist results for the string version of notepad.exe" do
+		w = Shadowserver::Whitelist.by_string(File.new("test/notepad.exe").read)
+		assert_not_nil(w)
+		assert_equal({"source_version"=>"$version", "language"=>"English", "os_name"=>"Unknown", "mfg_name"=>"Sony", "filesize"=>"66048", "os_version"=>"Unknown", "product_name"=>"VAIO Computer Quick Start", "filename"=>"NOTEPAD.EXE", "crc32"=>"0BE7841C", "application_type"=>"System Software,System restoration", "source"=>"NIST", "os_mfg"=>"Unknown", "product_version"=>"Version G186.0"}, w)
+	end
+	should "return malware results for aca4aad254280d25e74c82d440b76f79" do
+		mr = Shadowserver::Malware.query("aca4aad254280d25e74c82d440b76f79")
+		assert_equal({"first_seen"=>"2010-06-15 03:09:41", "filetype"=>"exe", "avresults"=>{"TrendMicro"=>"TROJ_DLOADR.SMM", "AntiVir"=>"WORM/VB.NVA", "VirusBuster"=>"Worm.VB.FMYJ", "QuickHeal"=>"Worm.VB.at", "Clam"=>"Trojan.Downloader-50691", "VBA32"=>"Trojan.VBO.011858", "Sophos"=>"Troj/DwnLdr-HQY", "NOD32"=>"Win32/AutoRun.VB.JP", "Kaspersky"=>"Trojan.Win32.Cosmu.nyl", "Panda"=>"W32/OverDoom.A", "Vexira"=>"Trojan.DL.VB.EEDT", "G-Data"=>"Trojan.Generic.2609117", "Ikarus"=>"Trojan-Downloader.Win32.VB", "Norman"=>"Suspicious_Gen2.SKLJ", "McAfee"=>"Generic", "AVG7"=>"Downloader.Generic9.URM", "F-Secure"=>"Worm:W32/Revois.gen!A", "F-Prot6"=>"W32/Worm.BAOX", "DrWeb"=>"Win32.HLLW.Autoruner.6014", "Avast-Commercial"=>"Win32:Zbot-LRA"}, "ssdeep"=>"12288:gOqOB0v2eZJys73dOvXDpNjNe8NuMpX4aBaa48L/93zKnP6ppgg2HFZlxVPbZX:sOA2eZJ8NI8Nah8L/4PqmTVPlX", "sha1"=>"6fe80e56ad4de610304bab1675ce84d16ab6988e", "last_seen"=>"2010-06-15 03:09:41", "md5"=>"aca4aad254280d25e74c82d440b76f79"}, mr)
+	end
+	should "return nil for malware query for 0E53C14A3E48D94FF596A2824307B492" do
+		mr = Shadowserver::Malware.query("0E53C14A3E48D94FF596A2824307B492")
+		assert_nil(mr)
+	end
+	should "return origin for 4.2.2.5" do
+		a = Shadowserver::ASN.origin("4.2.2.5")
+		assert_not_nil(a)
+		assert_equal({"cc"=>"US", "domain"=>"LEVEL3.NET", "isp"=>"LEVEL 3 COMMUNICATIONS INC", "asn"=>3356, "asname"=>"LEVEL3", "cidr"=>"4.0.0.0/9"}, a)
+	end
+	should "return peer for 4.2.2.5" do
+		a = Shadowserver::ASN.peer("4.2.2.5")
+		assert_not_nil(a)
+		assert_equal({"cc"=>"US", "prefix"=>"4.0.0.0/9", "domain"=>"LEVEL3.NET", "isp"=>"LEVEL 3 COMMUNICATIONS INC", "asn"=>3356, "asname"=>"LEVEL3", "peers"=>[701, 1239]}, a)
+	end
+	should "retun prefixes for AS2637" do
+		a = Shadowserver::ASN.prefix(2637)
+		assert_not_nil(a)
+		assert_equal(["128.61.0.0/19", "128.61.32.0/19", "128.61.64.0/18", "128.61.128.0/17", "130.207.0.0/16", "143.215.0.0/16", "204.152.10.0/23"], a)
+	end
+end

metadata ADDED Viewed

@@ -0,0 +1,176 @@
+--- !ruby/object:Gem::Specification
+name: shadowserver
+version: !ruby/object:Gem::Version
+  hash: 31
+  prerelease:
+  segments:
+  - 0
+  - 0
+  - 0
+  version: 0.0.0
+platform: ruby
+authors:
+- Chris Lee
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2011-05-29 00:00:00 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  version_requirements: &id001 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        hash: 1
+        segments:
+        - 1
+        - 4
+        - 3
+        version: 1.4.3
+  requirement: *id001
+  prerelease: false
+  name: json
+  type: :runtime
+- !ruby/object:Gem::Dependency
+  version_requirements: &id002 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        hash: 3
+        segments:
+        - 0
+        version: "0"
+  requirement: *id002
+  prerelease: false
+  name: shoulda
+  type: :development
+- !ruby/object:Gem::Dependency
+  version_requirements: &id003 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 23
+        segments:
+        - 1
+        - 0
+        - 0
+        version: 1.0.0
+  requirement: *id003
+  prerelease: false
+  name: bundler
+  type: :development
+- !ruby/object:Gem::Dependency
+  version_requirements: &id004 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 7
+        segments:
+        - 1
+        - 5
+        - 2
+        version: 1.5.2
+  requirement: *id004
+  prerelease: false
+  name: jeweler
+  type: :development
+- !ruby/object:Gem::Dependency
+  version_requirements: &id005 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        hash: 3
+        segments:
+        - 0
+        version: "0"
+  requirement: *id005
+  prerelease: false
+  name: rcov
+  type: :development
+- !ruby/object:Gem::Dependency
+  version_requirements: &id006 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        hash: 1
+        segments:
+        - 1
+        - 4
+        - 3
+        version: 1.4.3
+  requirement: *id006
+  prerelease: false
+  name: json
+  type: :runtime
+description: The Shadowserver Foundation is an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware.
+email: rubygems@chrislee.dhs.org
+executables:
+- shadowserver_asn
+- shadowserver_whitelist
+- shadowserver_malware
+extensions: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.rdoc
+files:
+- .document
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.rdoc
+- Rakefile
+- VERSION
+- bin/shadowserver_asn
+- bin/shadowserver_malware
+- bin/shadowserver_whitelist
+- lib/shadowserver.rb
+- lib/shadowserver/asn.rb
+- lib/shadowserver/malware.rb
+- lib/shadowserver/whitelist.rb
+- test/helper.rb
+- test/notepad.exe
+- test/test_shadowserver.rb
+homepage: http://github.com/chrislee35/shadowserver
+licenses:
+- MIT
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      hash: 3
+      segments:
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      hash: 3
+      segments:
+      - 0
+      version: "0"
+requirements: []
+rubyforge_project:
+rubygems_version: 1.7.2
+signing_key:
+specification_version: 3
+summary: Queries various Shadowserver services for ASN information, malware hash lookups, and whitelist hash lookups
+test_files:
+- test/helper.rb
+- test/test_shadowserver.rb