threatexpert 0.1.0

Sign up to get free protection for your applications and to get access to all the features.
data/.document ADDED
@@ -0,0 +1,5 @@
1
+ lib/**/*.rb
2
+ bin/*
3
+ -
4
+ features/**/*.feature
5
+ LICENSE.txt
data/Gemfile ADDED
@@ -0,0 +1,14 @@
1
+ source "http://rubygems.org"
2
+ # Add dependencies required to use your gem here.
3
+ # Example:
4
+ gem "nokogiri", ">= 1.4.4"
5
+ gem "multipart-post", ">= 1.1.0"
6
+
7
+ # Add dependencies to develop your gem here.
8
+ # Include everything needed to run rake, tests, features, etc.
9
+ group :development do
10
+ gem "shoulda", ">= 0"
11
+ gem "bundler", "~> 1.0.0"
12
+ gem "jeweler", "~> 1.5.2"
13
+ gem "rcov", ">= 0"
14
+ end
data/Gemfile.lock ADDED
@@ -0,0 +1,24 @@
1
+ GEM
2
+ remote: http://rubygems.org/
3
+ specs:
4
+ git (1.2.5)
5
+ jeweler (1.5.2)
6
+ bundler (~> 1.0.0)
7
+ git (>= 1.2.5)
8
+ rake
9
+ multipart-post (1.1.0)
10
+ nokogiri (1.4.4)
11
+ rake (0.8.7)
12
+ rcov (0.9.9)
13
+ shoulda (2.11.3)
14
+
15
+ PLATFORMS
16
+ ruby
17
+
18
+ DEPENDENCIES
19
+ bundler (~> 1.0.0)
20
+ jeweler (~> 1.5.2)
21
+ multipart-post (>= 1.1.0)
22
+ nokogiri (>= 1.4.4)
23
+ rcov
24
+ shoulda
data/LICENSE.txt ADDED
@@ -0,0 +1,20 @@
1
+ Copyright (c) 2011 Chris Lee
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining
4
+ a copy of this software and associated documentation files (the
5
+ "Software"), to deal in the Software without restriction, including
6
+ without limitation the rights to use, copy, modify, merge, publish,
7
+ distribute, sublicense, and/or sell copies of the Software, and to
8
+ permit persons to whom the Software is furnished to do so, subject to
9
+ the following conditions:
10
+
11
+ The above copyright notice and this permission notice shall be
12
+ included in all copies or substantial portions of the Software.
13
+
14
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
data/README.rdoc ADDED
@@ -0,0 +1,28 @@
1
+ = threatexpert
2
+
3
+ The threatexpert gem provides a simple API to query ThreatExpert by malware name (to receive a list of matching hashes) or hash (to receive a malware report). This also provides a simple upload feature.
4
+
5
+ require 'threatexpert'
6
+
7
+ t = ThreatExpert::Search.new
8
+ hashes = t.name("Worm.Hamweg.Gen")
9
+ html = t.md5(hashes[0])
10
+ sb = ThreatExpert::Submit.new
11
+ filename = "/malware_share/downadup/62c6c217e7980e53aa3b234e19a5a25e.dll"
12
+ sb.submit(filename, youremailhere)
13
+
14
+ == Contributing to threatexpert
15
+
16
+ * Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
17
+ * Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
18
+ * Fork the project
19
+ * Start a feature/bugfix branch
20
+ * Commit and push until you are happy with your contribution
21
+ * Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
22
+ * Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
23
+
24
+ == Copyright
25
+
26
+ Copyright (c) 2011 Chris Lee. See LICENSE.txt for
27
+ further details.
28
+
data/Rakefile ADDED
@@ -0,0 +1,51 @@
1
+ require 'rubygems'
2
+ require 'bundler'
3
+ begin
4
+ Bundler.setup(:default, :development)
5
+ rescue Bundler::BundlerError => e
6
+ $stderr.puts e.message
7
+ $stderr.puts "Run `bundle install` to install missing gems"
8
+ exit e.status_code
9
+ end
10
+ require 'rake'
11
+
12
+ require 'jeweler'
13
+ Jeweler::Tasks.new do |gem|
14
+ # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
15
+ gem.name = "threatexpert"
16
+ gem.homepage = "http://github.com/chrislee35/threatexpert"
17
+ gem.license = "MIT"
18
+ gem.summary = %Q{Allows for malware name and md5 hash searching of, and malware submission to ThreatExpert.com.}
19
+ gem.description = %Q{Provides a simple API to query ThreatExpert by malware name (to receive a list of matching hashes) or hash (to receive a malware report). This also provides a simple upload feature.}
20
+ gem.email = "rubygems@chrislee.dhs.org"
21
+ gem.authors = ["Chris Lee"]
22
+ gem.add_runtime_dependency "nokogiri", ">= 1.4.4"
23
+ gem.add_runtime_dependency "multipart-post", ">= 1.1.0"
24
+ end
25
+ Jeweler::RubygemsDotOrgTasks.new
26
+
27
+ require 'rake/testtask'
28
+ Rake::TestTask.new(:test) do |test|
29
+ test.libs << 'lib' << 'test'
30
+ test.pattern = 'test/**/test_*.rb'
31
+ test.verbose = true
32
+ end
33
+
34
+ require 'rcov/rcovtask'
35
+ Rcov::RcovTask.new do |test|
36
+ test.libs << 'test'
37
+ test.pattern = 'test/**/test_*.rb'
38
+ test.verbose = true
39
+ end
40
+
41
+ task :default => :test
42
+
43
+ require 'rake/rdoctask'
44
+ Rake::RDocTask.new do |rdoc|
45
+ version = File.exist?('VERSION') ? File.read('VERSION') : ""
46
+
47
+ rdoc.rdoc_dir = 'rdoc'
48
+ rdoc.title = "threatexpert #{version}"
49
+ rdoc.rdoc_files.include('README*')
50
+ rdoc.rdoc_files.include('lib/**/*.rb')
51
+ end
data/VERSION ADDED
@@ -0,0 +1 @@
1
+ 0.1.0
@@ -0,0 +1,2 @@
1
+ require 'threatexpert/search'
2
+ require 'threatexpert/submit'
@@ -0,0 +1,45 @@
1
+ require 'nokogiri'
2
+ require 'open-uri'
3
+
4
+ module ThreatExpert
5
+ class Search
6
+ @@baseurl = 'http://www.threatexpert.com'
7
+ def initialize
8
+ end
9
+
10
+ def md5(hash)
11
+ url = @@baseurl+"/report.aspx?md5=#{hash}"
12
+ _parse_report(url)
13
+ end
14
+
15
+ def name(mwname)
16
+ url = @@baseurl+"/reports.aspx?find=#{mwname}"
17
+ _parse_list(url)
18
+ end
19
+
20
+ def _parse_list(nextpage)
21
+ hashes = []
22
+ while nextpage
23
+ page = open(nextpage).read
24
+ nextpage = nil
25
+ n = Nokogiri::HTML.parse(page)
26
+ n.xpath('//a').each do |a|
27
+ if a['href'] =~ /report\.aspx\?md5=([0-9a-fA-F]{32,128})/
28
+ hashes << $1
29
+ elsif a.text == 'Next'
30
+ nextpage = "http://www.threatexpert.com/"+a['href']
31
+ end
32
+ end
33
+ end
34
+ hashes
35
+ end
36
+
37
+ def _parse_report(page)
38
+ page = open(page).read
39
+ return nil unless page =~ /Submission Summary:/
40
+ n = Nokogiri::HTML.parse(page)
41
+ ul = n.xpath('//ul')
42
+ t = ul.to_s.gsub(/<img.*?>/,'')
43
+ end
44
+ end
45
+ end
@@ -0,0 +1,54 @@
1
+ require 'net/http'
2
+ require 'net/http/post/multipart'
3
+ require 'uri'
4
+ require 'nokogiri'
5
+ require 'pp'
6
+
7
+ module ThreatExpert
8
+ class Submit
9
+ @@submiturl = "http://www.threatexpert.com/submit.aspx"
10
+
11
+ def submit(filename, email, headers={})
12
+ uri = URI.parse(@@submiturl)
13
+ http = Net::HTTP.new(uri.host, uri.port)
14
+ headers['User-Agent'] ||= "Ruby/#{RUBY_VERSION} threatexpert gem (https://github.com/chrislee35/threatexpert)"
15
+ headers['Referer'] ||= @@submiturl
16
+ resp, data = http.get(uri.path, headers)
17
+ cookie = resp.header["set-cookie"] if resp.header["set-cookie"]
18
+
19
+ doc = Nokogiri::HTML.parse(data)
20
+ forms = doc.xpath('//form')
21
+ inputs = forms[0].xpath('//input')
22
+ params = {}
23
+ inputs.each do |input|
24
+ name = input['name']
25
+ value = input['value']
26
+ if name =~ /Agree/
27
+ params[name] = 1
28
+ elsif name =~ /Upload/
29
+ file = File.open(filename)
30
+ params[name] = UploadIO.new(file, "application/octet-stream", File.basename(filename))
31
+ elsif name =~ /Email/
32
+ params[name] = email
33
+ elsif name =~ /btnSubmit/
34
+ params[name+".x"] = rand(100)
35
+ params[name+".y"] = rand(27)
36
+ else
37
+ params[name] = value
38
+ end
39
+ end
40
+
41
+ headers['Referer'] = @@submiturl
42
+ request = Net::HTTP::Post::Multipart.new(uri.path, params)
43
+ headers.each do |name,value|
44
+ request.add_field(name, value)
45
+ end
46
+ response = http.request(request)
47
+ if response.body =~ /The file has been accepted/
48
+ true
49
+ else
50
+ false
51
+ end
52
+ end
53
+ end
54
+ end
data/test/helper.rb ADDED
@@ -0,0 +1,18 @@
1
+ require 'rubygems'
2
+ require 'bundler'
3
+ begin
4
+ Bundler.setup(:default, :development)
5
+ rescue Bundler::BundlerError => e
6
+ $stderr.puts e.message
7
+ $stderr.puts "Run `bundle install` to install missing gems"
8
+ exit e.status_code
9
+ end
10
+ require 'test/unit'
11
+ require 'shoulda'
12
+
13
+ $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
14
+ $LOAD_PATH.unshift(File.dirname(__FILE__))
15
+ require 'threatexpert'
16
+
17
+ class Test::Unit::TestCase
18
+ end
@@ -0,0 +1,28 @@
1
+ require 'helper'
2
+ require 'pp'
3
+ class TestThreatexpert < Test::Unit::TestCase
4
+ should "parse the page for 70cf23409191820593022ca797fbcbd0" do
5
+ t = ThreatExpert::Search.new
6
+ html = t.md5("70cf23409191820593022ca797fbcbd0")
7
+ assert_not_nil(html)
8
+ puts html
9
+ end
10
+
11
+ should "return nil for 70cf23409191820593022ca797fbcbd1" do
12
+ t = ThreatExpert::Search.new
13
+ html = t.md5("70cf23409191820593022ca797fbcbd1")
14
+ assert_nil(html)
15
+ end
16
+
17
+ should "parse the list for Worm.Hamweg.Gen" do
18
+ t = ThreatExpert::Search.new
19
+ hashes = t.name("Worm.Hamweg.Gen")
20
+ assert_equal(159, hashes.length)
21
+ end
22
+
23
+ should "return no results for Worm.Hamwex.Gen" do
24
+ t = ThreatExpert::Search.new
25
+ hashes = t.name("Worm.Hamwex.Gen")
26
+ assert_equal(0, hashes.length)
27
+ end
28
+ end
metadata ADDED
@@ -0,0 +1,201 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: threatexpert
3
+ version: !ruby/object:Gem::Version
4
+ hash: 27
5
+ prerelease:
6
+ segments:
7
+ - 0
8
+ - 1
9
+ - 0
10
+ version: 0.1.0
11
+ platform: ruby
12
+ authors:
13
+ - Chris Lee
14
+ autorequire:
15
+ bindir: bin
16
+ cert_chain: []
17
+
18
+ date: 2011-04-27 00:00:00 Z
19
+ dependencies:
20
+ - !ruby/object:Gem::Dependency
21
+ version_requirements: &id001 !ruby/object:Gem::Requirement
22
+ none: false
23
+ requirements:
24
+ - - ">="
25
+ - !ruby/object:Gem::Version
26
+ hash: 15
27
+ segments:
28
+ - 1
29
+ - 4
30
+ - 4
31
+ version: 1.4.4
32
+ requirement: *id001
33
+ prerelease: false
34
+ name: nokogiri
35
+ type: :runtime
36
+ - !ruby/object:Gem::Dependency
37
+ version_requirements: &id002 !ruby/object:Gem::Requirement
38
+ none: false
39
+ requirements:
40
+ - - ">="
41
+ - !ruby/object:Gem::Version
42
+ hash: 19
43
+ segments:
44
+ - 1
45
+ - 1
46
+ - 0
47
+ version: 1.1.0
48
+ requirement: *id002
49
+ prerelease: false
50
+ name: multipart-post
51
+ type: :runtime
52
+ - !ruby/object:Gem::Dependency
53
+ version_requirements: &id003 !ruby/object:Gem::Requirement
54
+ none: false
55
+ requirements:
56
+ - - ">="
57
+ - !ruby/object:Gem::Version
58
+ hash: 3
59
+ segments:
60
+ - 0
61
+ version: "0"
62
+ requirement: *id003
63
+ prerelease: false
64
+ name: shoulda
65
+ type: :development
66
+ - !ruby/object:Gem::Dependency
67
+ version_requirements: &id004 !ruby/object:Gem::Requirement
68
+ none: false
69
+ requirements:
70
+ - - ~>
71
+ - !ruby/object:Gem::Version
72
+ hash: 23
73
+ segments:
74
+ - 1
75
+ - 0
76
+ - 0
77
+ version: 1.0.0
78
+ requirement: *id004
79
+ prerelease: false
80
+ name: bundler
81
+ type: :development
82
+ - !ruby/object:Gem::Dependency
83
+ version_requirements: &id005 !ruby/object:Gem::Requirement
84
+ none: false
85
+ requirements:
86
+ - - ~>
87
+ - !ruby/object:Gem::Version
88
+ hash: 7
89
+ segments:
90
+ - 1
91
+ - 5
92
+ - 2
93
+ version: 1.5.2
94
+ requirement: *id005
95
+ prerelease: false
96
+ name: jeweler
97
+ type: :development
98
+ - !ruby/object:Gem::Dependency
99
+ version_requirements: &id006 !ruby/object:Gem::Requirement
100
+ none: false
101
+ requirements:
102
+ - - ">="
103
+ - !ruby/object:Gem::Version
104
+ hash: 3
105
+ segments:
106
+ - 0
107
+ version: "0"
108
+ requirement: *id006
109
+ prerelease: false
110
+ name: rcov
111
+ type: :development
112
+ - !ruby/object:Gem::Dependency
113
+ version_requirements: &id007 !ruby/object:Gem::Requirement
114
+ none: false
115
+ requirements:
116
+ - - ">="
117
+ - !ruby/object:Gem::Version
118
+ hash: 15
119
+ segments:
120
+ - 1
121
+ - 4
122
+ - 4
123
+ version: 1.4.4
124
+ requirement: *id007
125
+ prerelease: false
126
+ name: nokogiri
127
+ type: :runtime
128
+ - !ruby/object:Gem::Dependency
129
+ version_requirements: &id008 !ruby/object:Gem::Requirement
130
+ none: false
131
+ requirements:
132
+ - - ">="
133
+ - !ruby/object:Gem::Version
134
+ hash: 19
135
+ segments:
136
+ - 1
137
+ - 1
138
+ - 0
139
+ version: 1.1.0
140
+ requirement: *id008
141
+ prerelease: false
142
+ name: multipart-post
143
+ type: :runtime
144
+ description: Provides a simple API to query ThreatExpert by malware name (to receive a list of matching hashes) or hash (to receive a malware report). This also provides a simple upload feature.
145
+ email: rubygems@chrislee.dhs.org
146
+ executables: []
147
+
148
+ extensions: []
149
+
150
+ extra_rdoc_files:
151
+ - LICENSE.txt
152
+ - README.rdoc
153
+ files:
154
+ - .document
155
+ - Gemfile
156
+ - Gemfile.lock
157
+ - LICENSE.txt
158
+ - README.rdoc
159
+ - Rakefile
160
+ - VERSION
161
+ - lib/threatexpert.rb
162
+ - lib/threatexpert/search.rb
163
+ - lib/threatexpert/submit.rb
164
+ - test/helper.rb
165
+ - test/test_threatexpert.rb
166
+ homepage: http://github.com/chrislee35/threatexpert
167
+ licenses:
168
+ - MIT
169
+ post_install_message:
170
+ rdoc_options: []
171
+
172
+ require_paths:
173
+ - lib
174
+ required_ruby_version: !ruby/object:Gem::Requirement
175
+ none: false
176
+ requirements:
177
+ - - ">="
178
+ - !ruby/object:Gem::Version
179
+ hash: 3
180
+ segments:
181
+ - 0
182
+ version: "0"
183
+ required_rubygems_version: !ruby/object:Gem::Requirement
184
+ none: false
185
+ requirements:
186
+ - - ">="
187
+ - !ruby/object:Gem::Version
188
+ hash: 3
189
+ segments:
190
+ - 0
191
+ version: "0"
192
+ requirements: []
193
+
194
+ rubyforge_project:
195
+ rubygems_version: 1.7.2
196
+ signing_key:
197
+ specification_version: 3
198
+ summary: Allows for malware name and md5 hash searching of, and malware submission to ThreatExpert.com.
199
+ test_files:
200
+ - test/helper.rb
201
+ - test/test_threatexpert.rb