threatinator 0.1.1

data/spec/feeds/data/palevo_iplist.txt

@@ -0,0 +1,24 @@
+# Palevo C&C IP Blocklist by abuse.ch
+107.150.36.226
+109.123.109.132
+115.236.76.168
+144.76.143.4
+173.230.133.99
+176.31.117.59
+187.214.120.147
+189.135.116.163
+189.236.206.143
+193.23.48.228
+194.116.174.85
+208.185.82.133
+50.63.202.42
+67.198.207.34
+67.210.170.140
+67.210.170.141
+67.210.170.169
+69.43.161.141
+76.74.255.138
+80.83.124.187
+82.196.6.164
+91.208.194.18
+98.126.44.98

data/spec/feeds/data/spyeye_domainlist.txt

@@ -0,0 +1,16 @@
+################################################################################
+# abuse.ch SpyEye domain blocklist                                             #
+#                                                                              #
+# For questions please referer to https://spyeyetracker.abuse.ch/blocklist.php #
+################################################################################
+
+beromder56.com
+detadomain.su
+doemguing.net
+firexiasds.wha.la
+futuretelefonica.com
+gate.eyeonarte.it
+helen33nasanorth.com
+sebortemesd5.com
+stendtlong.net
+

data/spec/feeds/data/spyeye_iplist.txt

@@ -0,0 +1,19 @@
+################################################################################
+# abuse.ch SpyEye IP blocklist                                                 #
+#                                                                              #
+# For questions please referer to https://spyeyetracker.abuse.ch/blocklist.php #
+################################################################################
+
+188.190.126.173
+188.190.126.175
+188.190.126.176
+193.106.31.12
+193.107.17.62
+194.44.157.130
+46.166.143.56
+91.213.217.36
+91.220.62.112
+91.220.62.190
+93.171.202.70
+94.63.149.51
+

data/spec/feeds/data/t-arend-de_ssh_iplist.txt

@@ -0,0 +1,17 @@
+#Bad Guys List
+#From: thomas@t-arend.de
+#Date: So 6. Sep 13:03:16 CEST 2009
+sshd: 113.11.200.191
+sshd: 116.122.107.58
+sshd: 116.127.93.201
+sshd: 116.58.96.55
+sshd: 116.68.194.45
+sshd: 117.21.249.75
+sshd: 117.32.128.141
+sshd: 118.128.150.210
+sshd: 119.113.0.4
+sshd: 119.113.0.7
+sshd: 121.13.229.221
+sshd: 121.138.192.152
+sshd: 121.14.142.46
+sshd: 121.15.167.243

data/spec/feeds/data/the_haleys_ssh_iplist.txt

@@ -0,0 +1,12 @@
+# IP addresses launching SSH dictionary attacks. As of Fri, 11 Jul 2014 15:22:17 +0100
+ALL : 1.30.20.146 
+ALL : 1.82.184.23 
+ALL : 1.82.184.25 
+ALL : 1.85.2.246 
+ALL : 1.93.22.107 
+ALL : 1.93.24.62 
+ALL : 1.93.24.72 
+ALL : 1.93.25.63 
+ALL : 1.93.25.165 
+ALL : 1.93.25.234 
+ALL : 1.93.25.253 

data/spec/feeds/data/yourcmc_ssh-ip_reputation.txt

@@ -0,0 +1,27 @@
+#
+# EVIL SSH HOSTLIST
+#
+
+#
+# Hosts having these IPv4 addresses were caught bruteforcing ssh login attempts
+# Thanks to pam_abl module -- http://sourceforge.net/projects/pam-abl/
+# VitaliF, 2008-*
+# http://vmx.yourcmc.ru/BAD_HOSTS.IP4
+#
+
+101.109.85.141
+101.64.234.130
+101.78.134.166
+108.162.193.155
+108.162.193.55
+108.174.52.186
+109.120.157.63
+109.123.105.154
+109.123.105.217
+109.123.125.85
+109.123.91.52
+109.123.95.92
+109.165.10.125
+109.165.15.113
+109.165.35.137
+109.165.75.40

data/spec/feeds/data/zeus-ip_reputation.txt

@@ -0,0 +1,285 @@
+##############################################################################
+# abuse.ch ZeuS IP blocklist                                                 #
+#                                                                            #
+# For questions please refer to https://zeustracker.abuse.ch/blocklist.php   #
+##############################################################################
+
+103.11.74.118
+103.23.201.219
+103.241.0.100
+103.4.52.150
+103.7.59.135
+107.161.123.138
+107.182.142.41
+107.182.163.196
+108.162.196.114
+108.162.199.22
+108.61.63.78
+109.120.150.19
+109.127.8.242
+109.169.92.40
+109.229.210.250
+109.229.36.65
+109.235.59.44
+109.237.108.92
+109.68.33.64
+113.108.204.30
+114.215.185.196
+116.0.23.234
+116.193.76.135
+119.81.52.54
+121.199.57.56
+122.155.3.150
+123.30.129.179
+124.150.141.42
+128.199.230.64
+128.210.157.251
+141.101.116.203
+141.105.67.94
+144.76.40.132
+146.185.174.81
+146.185.220.4
+148.251.7.40
+15.185.99.202
+151.248.125.64
+151.97.190.239
+159.253.147.248
+162.144.3.101
+162.211.84.6
+173.193.105.244
+173.230.253.193
+173.242.112.135
+173.243.112.192
+173.243.112.2
+173.243.112.20
+173.243.112.46
+173.245.71.100
+173.249.152.23
+176.119.2.90
+176.119.2.91
+177.140.22.150
+178.19.99.42
+178.217.187.129
+178.75.246.57
+180.151.58.244
+180.182.234.200
+184.169.145.165
+185.10.58.170
+185.10.58.171
+185.10.58.180
+185.10.58.181
+185.12.46.131
+185.16.212.70
+185.20.227.39
+185.24.233.35
+185.24.233.97
+185.25.117.49
+185.25.49.128
+185.25.49.227
+185.26.122.13
+185.28.21.32
+185.5.55.248
+186.64.120.104
+188.219.154.228
+188.247.135.53
+188.247.135.58
+188.247.135.74
+188.247.135.99
+190.128.29.1
+190.14.37.122
+190.14.37.138
+190.15.192.25
+192.225.175.71
+192.254.79.85
+192.64.11.244
+192.64.177.143
+192.64.9.116
+192.95.12.34
+193.106.177.243
+193.107.19.24
+193.120.55.242
+193.169.244.174
+195.12.39.33
+195.244.39.64
+195.3.146.47
+195.64.154.38
+198.1.77.78
+198.15.117.228
+198.15.127.170
+198.245.202.92
+198.50.198.162
+198.58.126.85
+198.58.93.4
+199.187.129.193
+199.188.100.169
+199.201.121.185
+199.204.248.106
+199.231.186.170
+199.7.234.100
+200.98.165.88
+202.142.215.16
+202.29.230.198
+203.170.193.23
+204.188.238.141
+204.197.248.143
+204.45.30.19
+204.93.211.115
+205.234.195.93
+207.244.75.136
+208.91.197.197
+208.91.197.207
+209.188.18.94
+209.54.49.111
+209.99.17.27
+210.211.108.215
+212.193.228.167
+212.225.213.253
+212.44.64.202
+213.147.67.20
+213.152.26.146
+216.176.100.240
+216.215.112.149
+216.240.159.134
+217.23.138.114
+222.29.197.232
+23.227.196.105
+23.227.196.17
+23.227.196.6
+23.227.196.7
+23.227.196.81
+23.227.196.95
+23.235.237.197
+23.238.230.237
+27.124.125.18
+31.148.219.85
+31.170.164.5
+31.220.1.175
+31.6.71.83
+31.7.63.146
+37.0.123.133
+37.0.123.149
+37.0.123.161
+37.0.123.204
+37.0.123.226
+37.0.123.84
+37.0.124.118
+37.0.124.145
+37.0.127.101
+37.0.127.107
+37.0.127.108
+37.0.127.110
+37.0.127.112
+37.0.127.115
+37.0.127.96
+37.143.11.189
+37.143.14.207
+37.187.131.39
+37.187.144.39
+37.187.146.148
+37.58.49.144
+37.58.51.133
+37.58.51.135
+37.58.51.137
+37.58.51.138
+37.58.51.144
+37.58.51.150
+37.58.51.163
+37.59.217.219
+41.186.24.58
+41.71.188.2
+46.102.246.202
+46.137.118.69
+46.166.131.154
+46.166.141.107
+46.166.145.113
+46.19.143.249
+46.21.157.219
+46.22.211.47
+46.30.40.95
+46.4.150.111
+49.50.8.213
+5.45.179.132
+5.45.68.91
+5.61.34.211
+5.63.158.126
+50.63.202.86
+50.63.202.95
+50.87.153.3
+54.208.246.4
+59.157.4.2
+60.13.186.5
+62.109.18.114
+62.173.151.82
+64.127.71.73
+64.32.12.51
+64.32.20.100
+64.32.7.118
+64.85.233.8
+65.200.132.20
+65.75.164.128
+66.225.192.214
+66.85.137.59
+66.96.160.153
+67.225.220.254
+68.89.11.90
+69.163.201.158
+76.73.57.130
+77.222.42.250
+77.40.30.111
+78.110.9.77
+78.129.158.15
+78.46.75.138
+79.143.178.105
+80.243.184.237
+80.81.193.66
+81.17.25.191
+81.17.25.235
+81.17.25.62
+81.177.141.32
+81.4.108.109
+81.88.48.95
+81.88.57.96
+82.131.180.72
+83.15.254.242
+83.222.112.221
+83.69.233.121
+84.201.32.125
+85.153.34.112
+85.25.4.28
+86.106.188.120
+87.236.211.148
+87.236.211.185
+87.246.143.242
+87.254.167.37
+89.248.160.159
+89.31.143.20
+89.32.150.234
+89.36.31.215
+89.46.251.146
+89.46.251.158
+89.46.251.169
+91.218.121.136
+91.221.36.162
+91.223.82.17
+91.226.212.11
+91.226.212.170
+91.227.18.17
+91.228.160.170
+91.228.160.201
+91.230.60.107
+91.231.86.213
+91.231.87.190
+91.239.15.219
+92.53.119.248
+92.53.124.62
+93.125.99.4
+93.125.99.8
+93.174.88.3
+93.186.120.112
+93.186.120.42
+93.188.160.4
+93.90.182.90
+94.103.36.55
+95.154.228.163
+95.181.178.177
+98.131.185.136

data/spec/feeds/data/zeus_domainlist.txt

@@ -0,0 +1,27 @@
+##############################################################################
+# abuse.ch ZeuS domain blocklist                                             #
+#                                                                            #
+# For questions please refer to https://zeustracker.abuse.ch/blocklist.php   #
+##############################################################################
+
+039b1ee.netsolhost.com
+1day.su
+1shot2shot3shot.ru
+2719719.com
+3apa3a.tomsk.tw
+4btc.cc
+4sen.pl
+abans.ru
+acgplug.org
+achionline.com
+aconfideeeeeracia200.com
+acorp.su
+adcarapicuiba.org.br
+advanc1.co.vu
+advanc118.co.vu
+advanc3.co.vu
+advanc320.co.vu
+advanc420.co.vu
+advanc520.co.vu
+advwinntdigiplus.net
+ajahdelta.eu

data/spec/feeds/dshield_attackers-top1000_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe 'feeds/dshield_attackers-top1000.feed', :feed do
+  let(:provider) { 'dshield' }
+  let(:name) { 'attackers-top1000' }
+
+  it_fetches_url 'https://isc.sans.edu/api/sources/attacks/1000/'
+
+  describe_parsing_the_file feed_data('dshield_topattackers.xml') do
+    it "should have parsed 10 records" do
+      expect(num_records_parsed).to eq(10)
+    end
+    it "should have filtered 0 records" do
+      expect(num_records_filtered).to eq(0)
+    end
+    it "should have missed 0 records" do
+      expect(num_records_missed).to eq(0)
+    end
+
+    describe "the records" do
+      it "should total 10" do
+        expect(num_records).to eq(10)
+      end
+
+      it "each record should have generated exactly one event" do
+        counts = events.map { |event_array| event_array.count }
+        expect(counts).to eq([1,1,1,1,1,1,1,1,1,1])
+      end
+
+      describe "the event for record 0" do
+        let(:record) { records[0] }
+        let(:event) { events[0].first }
+        subject { event } 
+
+        its(:type) { is_expected.to be(:attacker) }
+        its(:ipv4s) { is_expected.to match_array(['150.164.82.10']) }
+      end
+    end
+  end
+end
+
+
+