threatinator 0.1.1

data/lib/threatinator/registry.rb

@@ -0,0 +1,53 @@
+require 'threatinator/exceptions'
+
+module Threatinator
+  # Just a simple class that holds stuff. Yup, a glorified hash.
+  class Registry
+    include Threatinator::Exceptions
+
+    def initialize()
+      @data= Hash.new
+    end
+
+    # @param [Object] key The object to use as the key for storing the object
+    # @param [Object] object The object to be stored
+    # @raise [Threatinator::Exceptions::dAlreadyRegisteredError] if an object
+    #  with the same key is already registered.
+    def register(key, object)
+      if @data.has_key?(key)
+        raise AlreadyRegisteredError.new(key)
+      end
+      @data[key] = object
+    end
+
+    # @param [Object] key 
+    # @return [Object]
+    def get(key)
+      @data[key]
+    end
+
+    # @return [Array<Object>] an array of keys
+    def keys
+      @data.keys
+    end
+
+    # @return [Integer] the number of objects in the registry
+    def count
+      @data.count
+    end
+
+    # Enumerates through each object in our registry
+    # @yield [object]
+    # @yieldparam [Object] object An object within the registry
+    def each(&block)
+      return enum_for(:each) unless block_given?
+      @data.each_pair(&block)
+    end
+
+    # Removes all objects from the registry
+    def clear
+      @data.clear
+    end
+  end
+end
+

data/lib/threatinator/util.rb

@@ -0,0 +1,15 @@
+
+module Threatinator
+  module Util
+    def underscore2cc(str)
+      str.to_s.split('_').map {|e| e.capitalize }.join
+    end
+    module_function :underscore2cc
+
+    def cc2underscore(str)
+      str.to_s.split('_').map {|e| e.capitalize }.join
+    end
+    module_function :underscore2cc
+  end
+end
+

data/spec/feeds/ET_compromised-ip_reputation_spec.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe 'feeds/ET_compromised-ip_reputation.feed', :feed do
+  let(:provider) { 'emergingthreats' }
+  let(:name) { 'compromised_ip_reputation' }
+
+  it_fetches_url 'http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt'
+
+  describe_parsing_the_file feed_data('ET_compromised-ip_reputation.txt') do
+    it "should have parsed 11 records" do
+      expect(num_records_parsed).to eq(11)
+    end
+    it "should have filtered 0 records" do
+      expect(num_records_filtered).to eq(0)
+    end
+    it "should have missed 0 records" do
+      expect(num_records_missed).to eq(0)
+    end
+  end
+
+  describe_parsing_a_record '1.93.24.90' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['1.93.24.90']) }
+    end
+  end
+
+  describe_parsing_a_record '1.93.26.32' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['1.93.26.32']) }
+    end
+  end
+end
+
+

data/spec/feeds/alienvault-ip_reputation_spec.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe 'feeds/alienvault-ip_reputation.feed', :feed do
+  let(:provider) { 'alienvault' }
+  let(:name) { 'ip_reputation' }
+
+  it_fetches_url 'https://reputation.alienvault.com/reputation.generic'
+
+  describe_parsing_the_file feed_data('alienvault-ip_reputation.txt') do
+    it "should have parsed 10 records" do
+      expect(num_records_parsed).to eq(10)
+    end
+    it "should have filtered 8 records" do
+      expect(num_records_filtered).to eq(8)
+    end
+    it "should have missed 0 records" do
+      expect(num_records_missed).to eq(0)
+    end
+  end
+
+  describe_parsing_a_record '37.205.198.162 # Scanning Host IT,,42.8333015442,12.8332996368' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+    describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['37.205.198.162']) }
+    end
+  end
+
+  describe_parsing_a_record '108.59.1.5 # Scanning Host A1,,0.0,0.0' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+    describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['108.59.1.5']) }
+    end
+  end
+end
+
+

data/spec/feeds/arbor_fastflux-domain_reputation_spec.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe 'feeds/arbor_fastflux-domain_reputation.feed', :feed do
+  let(:provider) { 'arbor' }
+  let(:name) { 'fastflux_domain_reputation' }
+
+  it_fetches_url 'http://atlas.arbor.net/summary/domainlist'
+
+  describe_parsing_the_file feed_data('arbor_domainlist.txt') do
+    it "should have parsed 2 records" do
+      expect(num_records_parsed).to eq(2)
+    end
+    it "should have filtered 9 records" do
+      expect(num_records_filtered).to eq(9)
+    end
+    it "should have missed 0 records" do
+      expect(num_records_missed).to eq(0)
+    end
+  end
+
+  describe_parsing_a_record 'brylanehome.com' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:c2) }
+      its(:fqdns) { is_expected.to match_array(['brylanehome.com']) }
+    end
+  end
+
+  describe_parsing_a_record 'emltrk.com' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:c2) }
+      its(:fqdns) { is_expected.to match_array(['emltrk.com']) }
+    end
+  end
+end
+
+

data/spec/feeds/arbor_ssh-ip_reputation_spec.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe 'feeds/arbor_ssh-ip_reputation.feed', :feed do
+  let(:provider) { 'arbor' }
+  let(:name) { 'ssh_ip_reputation' }
+
+  it_fetches_url 'http://atlas-public.ec2.arbor.net/public/ssh_attackers'
+
+  describe_parsing_the_file feed_data('arbor_ssh.txt') do
+    it "should have parsed 15 records" do
+      expect(num_records_parsed).to eq(15)
+    end
+    it "should have filtered 1 records" do
+      expect(num_records_filtered).to eq(1)
+    end
+    it "should have missed 0 records" do
+      expect(num_records_missed).to eq(0)
+    end
+  end
+
+  describe_parsing_a_record '190.255.48.99' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['190.255.48.99']) }
+    end
+  end
+
+  describe_parsing_a_record '184.172.196.132' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['184.172.196.132']) }
+    end
+  end
+end
+
+

data/spec/feeds/autoshun_shunlist_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe 'feeds/autoshun_shunlist.feed', :feed do
+  let(:provider) { 'autoshun' }
+  let(:name) { 'shunlist' }
+
+  it_fetches_url 'http://www.autoshun.org/files/shunlist.csv'
+
+  describe_parsing_the_file feed_data('autoshun_shunlist.csv') do
+    it "should have parsed 19 records" do
+      expect(num_records_parsed).to eq(19)
+    end
+    it "should have filtered 1 records" do
+      expect(num_records_filtered).to eq(1)
+    end
+    it "should have missed 0 records" do
+      expect(num_records_missed).to eq(0)
+    end
+  end
+
+  describe_parsing_a_record '1.93.34.230,2014-07-16 08:01:23,SSH Brute Force' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+    describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['1.93.34.230']) }
+    end
+  end
+
+  describe_parsing_a_record 'Shunlist as of Mon, 21 Jul 2014 13:30:02 -0500' do
+    it "should have been filtered" do
+      expect(status).to eq(:filtered)
+    end
+  end
+end
+
+

data/spec/feeds/blocklist_de_apache-ip_reputation_spec.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe 'feeds/blocklist_de_apache-ip_reputation.feed', :feed do
+  let(:provider) { 'blocklist_de' }
+  let(:name) { 'apache_ip_reputation' }
+
+  it_fetches_url 'http://www.blocklist.de/lists/apache.txt'
+
+  describe_parsing_the_file feed_data('blocklist_de_apache-ip-reputation.txt') do
+    it "should have parsed 15 records" do
+      expect(num_records_parsed).to eq(15)
+    end
+    it "should have filtered 2 records" do
+      expect(num_records_filtered).to eq(2)
+    end
+    it "should have missed 0 records" do
+      expect(num_records_missed).to eq(0)
+    end
+  end
+
+  describe_parsing_a_record '109.228.235.167' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['109.228.235.167']) }
+    end
+  end
+
+  describe_parsing_a_record '109.70.54.11' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['109.70.54.11']) }
+    end
+  end
+end
+
+

data/spec/feeds/blocklist_de_bots-ip_reputation_spec.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe 'feeds/blocklist_de_bots-ip_reputation.feed', :feed do
+  let(:provider) { 'blocklist_de' }
+  let(:name) { 'bots_ip_reputation' }
+
+  it_fetches_url 'http://www.blocklist.de/lists/bots.txt'
+
+  describe_parsing_the_file feed_data('blocklist_de_bots-ip-reputation.txt') do
+    it "should have parsed 13 records" do
+      expect(num_records_parsed).to eq(13)
+    end
+    it "should have filtered 2 records" do
+      expect(num_records_filtered).to eq(2)
+    end
+    it "should have missed 0 records" do
+      expect(num_records_missed).to eq(0)
+    end
+  end
+
+  describe_parsing_a_record '101.71.196.164' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['101.71.196.164']) }
+    end
+  end
+
+  describe_parsing_a_record '200.93.43.157' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['200.93.43.157']) }
+    end
+  end
+end
+
+

data/spec/feeds/blocklist_de_ftp-ip_reputation_spec.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe 'feeds/blocklist_de_ftp-ip_reputation.feed', :feed do
+  let(:provider) { 'blocklist_de' }
+  let(:name) { 'ftp_ip_reputation' }
+
+  it_fetches_url 'http://www.blocklist.de/lists/ftp.txt'
+
+  describe_parsing_the_file feed_data('blocklist_de_ftp-ip-reputation.txt') do
+    it "should have parsed 7 records" do
+      expect(num_records_parsed).to eq(7)
+    end
+    it "should have filtered 0 records" do
+      expect(num_records_filtered).to eq(0)
+    end
+    it "should have missed 0 records" do
+      expect(num_records_missed).to eq(0)
+    end
+  end
+
+  describe_parsing_a_record '111.192.138.169' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['111.192.138.169']) }
+    end
+  end
+
+  describe_parsing_a_record '112.198.77.229' do
+    it "should have parsed" do
+      expect(status).to eq(:parsed)
+    end
+    it "should have parsed 1 event" do
+      expect(events.count).to eq(1)
+    end
+	describe 'event 0' do
+      subject { events[0] }
+      its(:type) { is_expected.to be(:scanning) }
+      its(:ipv4s) { is_expected.to match_array(['112.198.77.229']) }
+    end
+  end
+end
+
+