threatinator 0.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/CHANGELOG.md +23 -0
- data/CONTRIBUTING.md +119 -0
- data/Gemfile +28 -0
- data/LICENSE +165 -0
- data/README.md +45 -0
- data/Rakefile +45 -0
- data/VERSION +1 -0
- data/bin/threatinator +5 -0
- data/lib/threatinator.rb +3 -0
- data/lib/threatinator/action.rb +14 -0
- data/lib/threatinator/actions/list.rb +2 -0
- data/lib/threatinator/actions/list/action.rb +53 -0
- data/lib/threatinator/actions/list/config.rb +10 -0
- data/lib/threatinator/actions/run.rb +2 -0
- data/lib/threatinator/actions/run/action.rb +45 -0
- data/lib/threatinator/actions/run/config.rb +32 -0
- data/lib/threatinator/actions/run/coverage_observer.rb +54 -0
- data/lib/threatinator/actions/run/output_config.rb +59 -0
- data/lib/threatinator/cli.rb +13 -0
- data/lib/threatinator/cli/action_builder.rb +33 -0
- data/lib/threatinator/cli/list_action_builder.rb +19 -0
- data/lib/threatinator/cli/parser.rb +113 -0
- data/lib/threatinator/cli/run_action_builder.rb +41 -0
- data/lib/threatinator/config.rb +6 -0
- data/lib/threatinator/config/base.rb +35 -0
- data/lib/threatinator/config/feed_search.rb +25 -0
- data/lib/threatinator/decoder.rb +24 -0
- data/lib/threatinator/decoders/gzip.rb +30 -0
- data/lib/threatinator/event.rb +27 -0
- data/lib/threatinator/event_builder.rb +41 -0
- data/lib/threatinator/exceptions.rb +61 -0
- data/lib/threatinator/feed.rb +82 -0
- data/lib/threatinator/feed_builder.rb +156 -0
- data/lib/threatinator/feed_registry.rb +47 -0
- data/lib/threatinator/feed_runner.rb +118 -0
- data/lib/threatinator/fetcher.rb +22 -0
- data/lib/threatinator/fetchers/http.rb +46 -0
- data/lib/threatinator/filter.rb +12 -0
- data/lib/threatinator/filters/block.rb +18 -0
- data/lib/threatinator/filters/comments.rb +16 -0
- data/lib/threatinator/filters/whitespace.rb +19 -0
- data/lib/threatinator/output.rb +50 -0
- data/lib/threatinator/parser.rb +23 -0
- data/lib/threatinator/parsers/csv.rb +7 -0
- data/lib/threatinator/parsers/csv/parser.rb +77 -0
- data/lib/threatinator/parsers/getline.rb +8 -0
- data/lib/threatinator/parsers/getline/parser.rb +45 -0
- data/lib/threatinator/parsers/json.rb +8 -0
- data/lib/threatinator/parsers/json/adapters/oj.rb +65 -0
- data/lib/threatinator/parsers/json/parser.rb +45 -0
- data/lib/threatinator/parsers/json/record.rb +20 -0
- data/lib/threatinator/parsers/xml.rb +8 -0
- data/lib/threatinator/parsers/xml/node.rb +79 -0
- data/lib/threatinator/parsers/xml/node_builder.rb +39 -0
- data/lib/threatinator/parsers/xml/parser.rb +44 -0
- data/lib/threatinator/parsers/xml/path.rb +70 -0
- data/lib/threatinator/parsers/xml/pattern.rb +53 -0
- data/lib/threatinator/parsers/xml/record.rb +14 -0
- data/lib/threatinator/parsers/xml/sax_document.rb +64 -0
- data/lib/threatinator/plugin_loader.rb +115 -0
- data/lib/threatinator/plugins/output/csv.rb +47 -0
- data/lib/threatinator/plugins/output/null.rb +17 -0
- data/lib/threatinator/plugins/output/rubydebug.rb +16 -0
- data/lib/threatinator/property_definer.rb +101 -0
- data/lib/threatinator/record.rb +22 -0
- data/lib/threatinator/registry.rb +53 -0
- data/lib/threatinator/util.rb +15 -0
- data/spec/feeds/ET_compromised-ip_reputation_spec.rb +50 -0
- data/spec/feeds/alienvault-ip_reputation_spec.rb +50 -0
- data/spec/feeds/arbor_fastflux-domain_reputation_spec.rb +50 -0
- data/spec/feeds/arbor_ssh-ip_reputation_spec.rb +50 -0
- data/spec/feeds/autoshun_shunlist_spec.rb +42 -0
- data/spec/feeds/blocklist_de_apache-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_bots-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_ftp-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_imap-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_pop3-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_proftpd-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_sip-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_ssh-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_strongips-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ciarmy-ip_reputation_spec.rb +50 -0
- data/spec/feeds/cruzit-ip_reputation_spec.rb +50 -0
- data/spec/feeds/dan_me_uk_torlist-ip_reputation_spec.rb +50 -0
- data/spec/feeds/data/ET_compromised-ip_reputation.txt +11 -0
- data/spec/feeds/data/alienvault-ip_reputation.txt +18 -0
- data/spec/feeds/data/arbor_domainlist.txt +11 -0
- data/spec/feeds/data/arbor_ssh.txt +16 -0
- data/spec/feeds/data/autoshun_shunlist.csv +20 -0
- data/spec/feeds/data/blocklist_de_apache-ip-reputation.txt +17 -0
- data/spec/feeds/data/blocklist_de_bots-ip-reputation.txt +15 -0
- data/spec/feeds/data/blocklist_de_ftp-ip-reputation.txt +7 -0
- data/spec/feeds/data/blocklist_de_imap-ip-reputation.txt +8 -0
- data/spec/feeds/data/blocklist_de_pop3-ip-reputation.txt +11 -0
- data/spec/feeds/data/blocklist_de_proftpd-ip-reputation.txt +12 -0
- data/spec/feeds/data/blocklist_de_sip-ip-reputation.txt +9 -0
- data/spec/feeds/data/blocklist_de_ssh-ip-reputation.txt +10 -0
- data/spec/feeds/data/blocklist_de_strongips-ip-reputation.txt +11 -0
- data/spec/feeds/data/ciarmy-ip-reputation.txt +11 -0
- data/spec/feeds/data/cruzit-ip-reputation.txt +14 -0
- data/spec/feeds/data/dan_me_uk_torlist-ip-reputation.txt +11 -0
- data/spec/feeds/data/dshield_topattackers.xml +4 -0
- data/spec/feeds/data/feodo_domainlist.txt +18 -0
- data/spec/feeds/data/feodo_iplist.txt +20 -0
- data/spec/feeds/data/infiltrated_iplist.txt +16 -0
- data/spec/feeds/data/malc0de_domainlist.txt +18 -0
- data/spec/feeds/data/malc0de_iplist.txt +14 -0
- data/spec/feeds/data/mirc_domainlist.txt +31 -0
- data/spec/feeds/data/nothink_irc_iplist.txt +14 -0
- data/spec/feeds/data/nothink_ssh_iplist.txt +10 -0
- data/spec/feeds/data/openbl_iplist.txt +12 -0
- data/spec/feeds/data/palevo_domainlist.txt +25 -0
- data/spec/feeds/data/palevo_iplist.txt +24 -0
- data/spec/feeds/data/phishtank-sample.json.gz +0 -0
- data/spec/feeds/data/spyeye_domainlist.txt +16 -0
- data/spec/feeds/data/spyeye_iplist.txt +19 -0
- data/spec/feeds/data/t-arend-de_ssh_iplist.txt +17 -0
- data/spec/feeds/data/the_haleys_ssh_iplist.txt +12 -0
- data/spec/feeds/data/yourcmc_ssh-ip_reputation.txt +27 -0
- data/spec/feeds/data/zeus-ip_reputation.txt +285 -0
- data/spec/feeds/data/zeus_domainlist.txt +27 -0
- data/spec/feeds/dshield_attackers-top1000_spec.rb +43 -0
- data/spec/feeds/feodo-domain_reputation_spec.rb +50 -0
- data/spec/feeds/feodo-ip_reputation_spec.rb +50 -0
- data/spec/feeds/infiltrated-ip_reputation_spec.rb +50 -0
- data/spec/feeds/malc0de-domain_reputation_spec.rb +50 -0
- data/spec/feeds/malc0de-ip_reputation_spec.rb +50 -0
- data/spec/feeds/mirc-domain_reputation_spec.rb +50 -0
- data/spec/feeds/nothink_irc-ip_reputation_spec.rb +50 -0
- data/spec/feeds/nothink_ssh-ip_reputation_spec.rb +50 -0
- data/spec/feeds/openbl-ip_reputation_spec.rb +50 -0
- data/spec/feeds/palevo-domain_reputation_spec.rb +50 -0
- data/spec/feeds/palevo-ip_reputation_spec.rb +50 -0
- data/spec/feeds/phishtank_spec.rb +45 -0
- data/spec/feeds/spyeye-domain_reputation_spec.rb +50 -0
- data/spec/feeds/spyeye-ip_reputation_spec.rb +50 -0
- data/spec/feeds/t-arend-de_ssh-ip_reputation_spec.rb +50 -0
- data/spec/feeds/the_haleys_ssh-ip_reputation_spec.rb +50 -0
- data/spec/feeds/yourcmc_ssh-ip_reputation_spec.rb +50 -0
- data/spec/feeds/zeus-domain_reputation_spec.rb +50 -0
- data/spec/feeds/zeus-ip_reputation_spec.rb +50 -0
- data/spec/fixtures/feed/provider1/feed1.feed +6 -0
- data/spec/fixtures/parsers/test.xml +13 -0
- data/spec/fixtures/parsers/test_self_closing.xml +20 -0
- data/spec/fixtures/plugins/bad/threatinator/plugins/test_error1/plugin.rb +1 -0
- data/spec/fixtures/plugins/bad/threatinator/plugins/test_missing1/plugin.rb +0 -0
- data/spec/fixtures/plugins/fake.rb +19 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type1/plugin_a.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type1/plugin_b.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type2/plugin_c.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type2/plugin_d.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type3/plugin_e.rb +8 -0
- data/spec/fixtures/plugins/good/threatinator/plugins/test_type3/plugin_f.rb +8 -0
- data/spec/spec_helper.rb +52 -0
- data/spec/support/bad_feeds/missing_fetcher.feed +7 -0
- data/spec/support/bad_feeds/missing_name.feed +6 -0
- data/spec/support/bad_feeds/missing_parser.feed +3 -0
- data/spec/support/bad_feeds/missing_provider.feed +5 -0
- data/spec/support/factories/event.rb +27 -0
- data/spec/support/factories/feed.rb +32 -0
- data/spec/support/factories/feed_builder.rb +65 -0
- data/spec/support/factories/feed_registry.rb +8 -0
- data/spec/support/factories/output.rb +11 -0
- data/spec/support/factories/record.rb +17 -0
- data/spec/support/factories/xml_node.rb +33 -0
- data/spec/support/helpers/io.rb +11 -0
- data/spec/support/helpers/models.rb +13 -0
- data/spec/support/shared/action_builder.rb +47 -0
- data/spec/support/shared/decoder.rb +70 -0
- data/spec/support/shared/feeds.rb +218 -0
- data/spec/support/shared/fetcher.rb +48 -0
- data/spec/support/shared/filter.rb +14 -0
- data/spec/support/shared/io-like.rb +7 -0
- data/spec/support/shared/output.rb +120 -0
- data/spec/support/shared/parsers.rb +51 -0
- data/spec/support/shared/record.rb +111 -0
- data/spec/threatinator/actions/list/action_spec.rb +93 -0
- data/spec/threatinator/actions/run/action_spec.rb +89 -0
- data/spec/threatinator/actions/run/config_spec.rb +39 -0
- data/spec/threatinator/actions/run/coverage_observer_spec.rb +116 -0
- data/spec/threatinator/actions/run/output_config_spec.rb +89 -0
- data/spec/threatinator/cli/list_action_builder_spec.rb +57 -0
- data/spec/threatinator/cli/run_action_builder_spec.rb +133 -0
- data/spec/threatinator/cli_spec.rb +175 -0
- data/spec/threatinator/config/base_spec.rb +39 -0
- data/spec/threatinator/config/feed_search_spec.rb +76 -0
- data/spec/threatinator/decoders/gzip_spec.rb +75 -0
- data/spec/threatinator/event_builder_spec.rb +33 -0
- data/spec/threatinator/event_spec.rb +30 -0
- data/spec/threatinator/feed_builder_spec.rb +636 -0
- data/spec/threatinator/feed_registry_spec.rb +198 -0
- data/spec/threatinator/feed_runner_spec.rb +155 -0
- data/spec/threatinator/feed_spec.rb +169 -0
- data/spec/threatinator/fetcher_spec.rb +12 -0
- data/spec/threatinator/fetchers/http_spec.rb +32 -0
- data/spec/threatinator/filter_spec.rb +13 -0
- data/spec/threatinator/filters/block_spec.rb +16 -0
- data/spec/threatinator/filters/comments_spec.rb +13 -0
- data/spec/threatinator/filters/whitespace_spec.rb +12 -0
- data/spec/threatinator/parser_spec.rb +13 -0
- data/spec/threatinator/parsers/csv/parser_spec.rb +202 -0
- data/spec/threatinator/parsers/getline/parser_spec.rb +83 -0
- data/spec/threatinator/parsers/json/parser_spec.rb +106 -0
- data/spec/threatinator/parsers/json/record_spec.rb +30 -0
- data/spec/threatinator/parsers/xml/node_spec.rb +335 -0
- data/spec/threatinator/parsers/xml/parser_spec.rb +263 -0
- data/spec/threatinator/parsers/xml/path_spec.rb +209 -0
- data/spec/threatinator/parsers/xml/pattern_spec.rb +72 -0
- data/spec/threatinator/parsers/xml/record_spec.rb +27 -0
- data/spec/threatinator/plugin_loader_spec.rb +238 -0
- data/spec/threatinator/plugins/output/csv_spec.rb +46 -0
- data/spec/threatinator/plugins/output/null_spec.rb +17 -0
- data/spec/threatinator/plugins/output/rubydebug_spec.rb +37 -0
- data/spec/threatinator/property_definer_spec.rb +155 -0
- data/spec/threatinator/record_spec.rb +19 -0
- data/spec/threatinator/registry_spec.rb +97 -0
- data/spec/threatinator/runner_spec.rb +273 -0
- metadata +376 -0
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/feodo-domain_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'abuse_ch' }
|
5
|
+
let(:name) { 'feodo_domain_reputation' }
|
6
|
+
|
7
|
+
it_fetches_url 'https://feodotracker.abuse.ch/blocklist.php?download=domainblocklist'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('feodo_domainlist.txt') do
|
10
|
+
it "should have parsed 12 records" do
|
11
|
+
expect(num_records_parsed).to eq(12)
|
12
|
+
end
|
13
|
+
it "should have filtered 6 records" do
|
14
|
+
expect(num_records_filtered).to eq(6)
|
15
|
+
end
|
16
|
+
it "should have missed 0 records" do
|
17
|
+
expect(num_records_missed).to eq(0)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe_parsing_a_record 'buriymishka.ru' do
|
22
|
+
it "should have parsed" do
|
23
|
+
expect(status).to eq(:parsed)
|
24
|
+
end
|
25
|
+
it "should have parsed 1 event" do
|
26
|
+
expect(events.count).to eq(1)
|
27
|
+
end
|
28
|
+
describe 'event 0' do
|
29
|
+
subject { events[0] }
|
30
|
+
its(:type) { is_expected.to be(:c2) }
|
31
|
+
its(:fqdns) { is_expected.to match_array(['buriymishka.ru']) }
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
describe_parsing_a_record 'hawozkino.com' do
|
36
|
+
it "should have parsed" do
|
37
|
+
expect(status).to eq(:parsed)
|
38
|
+
end
|
39
|
+
it "should have parsed 1 event" do
|
40
|
+
expect(events.count).to eq(1)
|
41
|
+
end
|
42
|
+
describe 'event 0' do
|
43
|
+
subject { events[0] }
|
44
|
+
its(:type) { is_expected.to be(:c2) }
|
45
|
+
its(:fqdns) { is_expected.to match_array(['hawozkino.com']) }
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
|
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/feodo-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'abuse_ch' }
|
5
|
+
let(:name) { 'feodo_ip_reputation' }
|
6
|
+
|
7
|
+
it_fetches_url 'https://feodotracker.abuse.ch/blocklist.php?download=ipblocklist'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('feodo_iplist.txt') do
|
10
|
+
it "should have parsed 14 records" do
|
11
|
+
expect(num_records_parsed).to eq(14)
|
12
|
+
end
|
13
|
+
it "should have filtered 6 records" do
|
14
|
+
expect(num_records_filtered).to eq(6)
|
15
|
+
end
|
16
|
+
it "should have missed 0 records" do
|
17
|
+
expect(num_records_missed).to eq(0)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe_parsing_a_record '103.25.59.120' do
|
22
|
+
it "should have parsed" do
|
23
|
+
expect(status).to eq(:parsed)
|
24
|
+
end
|
25
|
+
it "should have parsed 1 event" do
|
26
|
+
expect(events.count).to eq(1)
|
27
|
+
end
|
28
|
+
describe 'event 0' do
|
29
|
+
subject { events[0] }
|
30
|
+
its(:type) { is_expected.to be(:c2) }
|
31
|
+
its(:ipv4s) { is_expected.to match_array(['103.25.59.120']) }
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
describe_parsing_a_record '173.236.86.214' do
|
36
|
+
it "should have parsed" do
|
37
|
+
expect(status).to eq(:parsed)
|
38
|
+
end
|
39
|
+
it "should have parsed 1 event" do
|
40
|
+
expect(events.count).to eq(1)
|
41
|
+
end
|
42
|
+
describe 'event 0' do
|
43
|
+
subject { events[0] }
|
44
|
+
its(:type) { is_expected.to be(:c2) }
|
45
|
+
its(:ipv4s) { is_expected.to match_array(['173.236.86.214']) }
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
|
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/infiltrated-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'infiltrated' }
|
5
|
+
let(:name) { 'ip_reputation' }
|
6
|
+
|
7
|
+
it_fetches_url 'http://www.infiltrated.net/blacklisted'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('infiltrated_iplist.txt') do
|
10
|
+
it "should have parsed 14 records" do
|
11
|
+
expect(num_records_parsed).to eq(14)
|
12
|
+
end
|
13
|
+
it "should have filtered 2 records" do
|
14
|
+
expect(num_records_filtered).to eq(2)
|
15
|
+
end
|
16
|
+
it "should have missed 0 records" do
|
17
|
+
expect(num_records_missed).to eq(0)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe_parsing_a_record '95.221.71.219' do
|
22
|
+
it "should have parsed" do
|
23
|
+
expect(status).to eq(:parsed)
|
24
|
+
end
|
25
|
+
it "should have parsed 1 event" do
|
26
|
+
expect(events.count).to eq(1)
|
27
|
+
end
|
28
|
+
describe 'event 0' do
|
29
|
+
subject { events[0] }
|
30
|
+
its(:type) { is_expected.to be(:scanning) }
|
31
|
+
its(:ipv4s) { is_expected.to match_array(['95.221.71.219']) }
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
describe_parsing_a_record '94.41.71.52' do
|
36
|
+
it "should have parsed" do
|
37
|
+
expect(status).to eq(:parsed)
|
38
|
+
end
|
39
|
+
it "should have parsed 1 event" do
|
40
|
+
expect(events.count).to eq(1)
|
41
|
+
end
|
42
|
+
describe 'event 0' do
|
43
|
+
subject { events[0] }
|
44
|
+
its(:type) { is_expected.to be(:scanning) }
|
45
|
+
its(:ipv4s) { is_expected.to match_array(['94.41.71.52']) }
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
|
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/malc0de-domain_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'malc0de' }
|
5
|
+
let(:name) { 'domain_reputation' }
|
6
|
+
|
7
|
+
it_fetches_url 'http://malc0de.com/bl/BOOT'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('malc0de_domainlist.txt') do
|
10
|
+
it "should have parsed 12 records" do
|
11
|
+
expect(num_records_parsed).to eq(12)
|
12
|
+
end
|
13
|
+
it "should have filtered 6 records" do
|
14
|
+
expect(num_records_filtered).to eq(6)
|
15
|
+
end
|
16
|
+
it "should have missed 0 records" do
|
17
|
+
expect(num_records_missed).to eq(0)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe_parsing_a_record 'PRIMARY opencandy.com blockeddomain.hosts' do
|
22
|
+
it "should have parsed" do
|
23
|
+
expect(status).to eq(:parsed)
|
24
|
+
end
|
25
|
+
it "should have parsed 1 event" do
|
26
|
+
expect(events.count).to eq(1)
|
27
|
+
end
|
28
|
+
describe 'event 0' do
|
29
|
+
subject { events[0] }
|
30
|
+
its(:type) { is_expected.to be(:malware_host) }
|
31
|
+
its(:fqdns) { is_expected.to match_array(['opencandy.com']) }
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
describe_parsing_a_record 'PRIMARY cachelocal.org blockeddomain.hosts' do
|
36
|
+
it "should have parsed" do
|
37
|
+
expect(status).to eq(:parsed)
|
38
|
+
end
|
39
|
+
it "should have parsed 1 event" do
|
40
|
+
expect(events.count).to eq(1)
|
41
|
+
end
|
42
|
+
describe 'event 0' do
|
43
|
+
subject { events[0] }
|
44
|
+
its(:type) { is_expected.to be(:malware_host) }
|
45
|
+
its(:fqdns) { is_expected.to match_array(['cachelocal.org']) }
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
|
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/malc0de-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'malc0de' }
|
5
|
+
let(:name) { 'ip_reputation' }
|
6
|
+
|
7
|
+
it_fetches_url 'http://malc0de.com/bl/IP_Blacklist.txt'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('malc0de_iplist.txt') do
|
10
|
+
it "should have parsed 10 records" do
|
11
|
+
expect(num_records_parsed).to eq(10)
|
12
|
+
end
|
13
|
+
it "should have filtered 4 records" do
|
14
|
+
expect(num_records_filtered).to eq(4)
|
15
|
+
end
|
16
|
+
it "should have missed 0 records" do
|
17
|
+
expect(num_records_missed).to eq(0)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe_parsing_a_record '216.151.164.53' do
|
22
|
+
it "should have parsed" do
|
23
|
+
expect(status).to eq(:parsed)
|
24
|
+
end
|
25
|
+
it "should have parsed 1 event" do
|
26
|
+
expect(events.count).to eq(1)
|
27
|
+
end
|
28
|
+
describe 'event 0' do
|
29
|
+
subject { events[0] }
|
30
|
+
its(:type) { is_expected.to be(:malware_host) }
|
31
|
+
its(:ipv4s) { is_expected.to match_array(['216.151.164.53']) }
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
describe_parsing_a_record '176.32.99.47' do
|
36
|
+
it "should have parsed" do
|
37
|
+
expect(status).to eq(:parsed)
|
38
|
+
end
|
39
|
+
it "should have parsed 1 event" do
|
40
|
+
expect(events.count).to eq(1)
|
41
|
+
end
|
42
|
+
describe 'event 0' do
|
43
|
+
subject { events[0] }
|
44
|
+
its(:type) { is_expected.to be(:malware_host) }
|
45
|
+
its(:ipv4s) { is_expected.to match_array(['176.32.99.47']) }
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
|
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/mirc-domain_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'mirc' }
|
5
|
+
let(:name) { 'domain_reputation' }
|
6
|
+
|
7
|
+
it_fetches_url 'http://www.mirc.com/servers.ini'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('mirc_domainlist.txt') do
|
10
|
+
it "should have parsed 13 records" do
|
11
|
+
expect(num_records_parsed).to eq(13)
|
12
|
+
end
|
13
|
+
it "should have filtered 18 records" do
|
14
|
+
expect(num_records_filtered).to eq(18)
|
15
|
+
end
|
16
|
+
it "should have missed 0 records" do
|
17
|
+
expect(num_records_missed).to eq(0)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe_parsing_a_record 'n3=Random US serverSERVER:irc.us.dal.net:6665-6668,7000GROUP:DALnet' do
|
22
|
+
it "should have parsed" do
|
23
|
+
expect(status).to eq(:parsed)
|
24
|
+
end
|
25
|
+
it "should have parsed 1 event" do
|
26
|
+
expect(events.count).to eq(1)
|
27
|
+
end
|
28
|
+
describe 'event 0' do
|
29
|
+
subject { events[0] }
|
30
|
+
its(:type) { is_expected.to be(:c2) }
|
31
|
+
its(:fqdns) { is_expected.to match_array(['irc.us.dal.net']) }
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
describe_parsing_a_record 'n7=US, WA, SeattleSERVER:serverbuffet.wa.us.dal.net:6665-6668,7000GROUP:DALnet' do
|
36
|
+
it "should have parsed" do
|
37
|
+
expect(status).to eq(:parsed)
|
38
|
+
end
|
39
|
+
it "should have parsed 1 event" do
|
40
|
+
expect(events.count).to eq(1)
|
41
|
+
end
|
42
|
+
describe 'event 0' do
|
43
|
+
subject { events[0] }
|
44
|
+
its(:type) { is_expected.to be(:c2) }
|
45
|
+
its(:fqdns) { is_expected.to match_array(['serverbuffet.wa.us.dal.net']) }
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
|
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/nothink_irc-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'nothink' }
|
5
|
+
let(:name) { 'irc_ip_reputation' }
|
6
|
+
|
7
|
+
it_fetches_url 'http://www.nothink.org/blacklist/blacklist_malware_irc.txt'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('nothink_irc_iplist.txt') do
|
10
|
+
it "should have parsed 11 records" do
|
11
|
+
expect(num_records_parsed).to eq(11)
|
12
|
+
end
|
13
|
+
it "should have filtered 3 records" do
|
14
|
+
expect(num_records_filtered).to eq(3)
|
15
|
+
end
|
16
|
+
it "should have missed 0 records" do
|
17
|
+
expect(num_records_missed).to eq(0)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe_parsing_a_record '189.107.132.113' do
|
22
|
+
it "should have parsed" do
|
23
|
+
expect(status).to eq(:parsed)
|
24
|
+
end
|
25
|
+
it "should have parsed 1 event" do
|
26
|
+
expect(events.count).to eq(1)
|
27
|
+
end
|
28
|
+
describe 'event 0' do
|
29
|
+
subject { events[0] }
|
30
|
+
its(:type) { is_expected.to be(:c2) }
|
31
|
+
its(:ipv4s) { is_expected.to match_array(['189.107.132.113']) }
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
describe_parsing_a_record '201.48.61.38' do
|
36
|
+
it "should have parsed" do
|
37
|
+
expect(status).to eq(:parsed)
|
38
|
+
end
|
39
|
+
it "should have parsed 1 event" do
|
40
|
+
expect(events.count).to eq(1)
|
41
|
+
end
|
42
|
+
describe 'event 0' do
|
43
|
+
subject { events[0] }
|
44
|
+
its(:type) { is_expected.to be(:c2) }
|
45
|
+
its(:ipv4s) { is_expected.to match_array(['201.48.61.38']) }
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
|
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/nothink_ssh-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'nothink' }
|
5
|
+
let(:name) { 'ssh_ip_reputation' }
|
6
|
+
|
7
|
+
it_fetches_url 'http://www.nothink.org/blacklist/blacklist_ssh_day.txt'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('nothink_ssh_iplist.txt') do
|
10
|
+
it "should have parsed 7 records" do
|
11
|
+
expect(num_records_parsed).to eq(7)
|
12
|
+
end
|
13
|
+
it "should have filtered 3 records" do
|
14
|
+
expect(num_records_filtered).to eq(3)
|
15
|
+
end
|
16
|
+
it "should have missed 0 records" do
|
17
|
+
expect(num_records_missed).to eq(0)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe_parsing_a_record '36.39.246.121' do
|
22
|
+
it "should have parsed" do
|
23
|
+
expect(status).to eq(:parsed)
|
24
|
+
end
|
25
|
+
it "should have parsed 1 event" do
|
26
|
+
expect(events.count).to eq(1)
|
27
|
+
end
|
28
|
+
describe 'event 0' do
|
29
|
+
subject { events[0] }
|
30
|
+
its(:type) { is_expected.to be(:scanning) }
|
31
|
+
its(:ipv4s) { is_expected.to match_array(['36.39.246.121']) }
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
describe_parsing_a_record '94.32.71.168' do
|
36
|
+
it "should have parsed" do
|
37
|
+
expect(status).to eq(:parsed)
|
38
|
+
end
|
39
|
+
it "should have parsed 1 event" do
|
40
|
+
expect(events.count).to eq(1)
|
41
|
+
end
|
42
|
+
describe 'event 0' do
|
43
|
+
subject { events[0] }
|
44
|
+
its(:type) { is_expected.to be(:scanning) }
|
45
|
+
its(:ipv4s) { is_expected.to match_array(['94.32.71.168']) }
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
|
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/openbl-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'openbl' }
|
5
|
+
let(:name) { 'ip_reputation' }
|
6
|
+
|
7
|
+
it_fetches_url 'http://www.openbl.org/lists/base.txt'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('openbl_iplist.txt') do
|
10
|
+
it "should have parsed 8 records" do
|
11
|
+
expect(num_records_parsed).to eq(8)
|
12
|
+
end
|
13
|
+
it "should have filtered 4 records" do
|
14
|
+
expect(num_records_filtered).to eq(4)
|
15
|
+
end
|
16
|
+
it "should have missed 0 records" do
|
17
|
+
expect(num_records_missed).to eq(0)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe_parsing_a_record '113.171.10.37' do
|
22
|
+
it "should have parsed" do
|
23
|
+
expect(status).to eq(:parsed)
|
24
|
+
end
|
25
|
+
it "should have parsed 1 event" do
|
26
|
+
expect(events.count).to eq(1)
|
27
|
+
end
|
28
|
+
describe 'event 0' do
|
29
|
+
subject { events[0] }
|
30
|
+
its(:type) { is_expected.to be(:scanning) }
|
31
|
+
its(:ipv4s) { is_expected.to match_array(['113.171.10.37']) }
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
describe_parsing_a_record '210.209.84.57' do
|
36
|
+
it "should have parsed" do
|
37
|
+
expect(status).to eq(:parsed)
|
38
|
+
end
|
39
|
+
it "should have parsed 1 event" do
|
40
|
+
expect(events.count).to eq(1)
|
41
|
+
end
|
42
|
+
describe 'event 0' do
|
43
|
+
subject { events[0] }
|
44
|
+
its(:type) { is_expected.to be(:scanning) }
|
45
|
+
its(:ipv4s) { is_expected.to match_array(['210.209.84.57']) }
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
|