RubyGems - threatinator - Versions diffs - 0.1.4 → 0.1.5 - Mend

threatinator 0.1.4 → 0.1.5

Files changed (42) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +15 -4
data/Rakefile +1 -0
data/VERSION +1 -1
data/feeds/ET_compromised-ip_reputation.feed +19 -0
data/feeds/alienvault-ip_reputation.feed +37 -0
data/feeds/arbor_fastflux-domain_reputation.feed +18 -0
data/feeds/arbor_ssh-ip_reputation.feed +23 -0
data/feeds/autoshun_shunlist.feed +15 -0
data/feeds/blocklist_de_apache-ip_reputation.feed +24 -0
data/feeds/blocklist_de_bots-ip_reputation.feed +24 -0
data/feeds/blocklist_de_ftp-ip_reputation.feed +24 -0
data/feeds/blocklist_de_imap-ip_reputation.feed +24 -0
data/feeds/blocklist_de_pop3-ip_reputation.feed +24 -0
data/feeds/blocklist_de_proftpd-ip_reputation.feed +24 -0
data/feeds/blocklist_de_sip-ip_reputation.feed +24 -0
data/feeds/blocklist_de_ssh-ip_reputation.feed +24 -0
data/feeds/blocklist_de_strongips-ip_reputation.feed +24 -0
data/feeds/ciarmy-ip_reputation.feed +19 -0
data/feeds/cruzit-ip_reputation.feed +29 -0
data/feeds/dan_me_uk_torlist-ip_reputation.feed +24 -0
data/feeds/dshield_attackers-top1000.feed +34 -0
data/feeds/feodo-domain_reputation.feed +18 -0
data/feeds/feodo-ip_reputation.feed +19 -0
data/feeds/infiltrated-ip_reputation.feed +25 -0
data/feeds/malc0de-domain_reputation.feed +23 -0
data/feeds/malc0de-ip_reputation.feed +24 -0
data/feeds/mirc-domain_reputation.feed +28 -0
data/feeds/nothink_irc-ip_reputation.feed +19 -0
data/feeds/nothink_ssh-ip_reputation.feed +19 -0
data/feeds/openbl-ip_reputation.feed +19 -0
data/feeds/palevo-domain_reputation.feed +18 -0
data/feeds/palevo-ip_reputation.feed +19 -0
data/feeds/phishtank.feed +21 -0
data/feeds/spyeye-domain_reputation.feed +18 -0
data/feeds/spyeye-ip_reputation.feed +19 -0
data/feeds/t-arend-de_ssh-ip_reputation.feed +19 -0
data/feeds/the_haleys_ssh-ip_reputation.feed +19 -0
data/feeds/yourcmc_ssh-ip_reputation.feed +19 -0
data/feeds/zeus-domain_reputation.feed +18 -0
data/feeds/zeus-ip_reputation.feed +19 -0
metadata +38 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2b9a96591c91945bd0da63057325ed446ce8272e
-  data.tar.gz: cde7105a964100f88c41f14e242fcf530a08f64e
+  metadata.gz: d9b3ddb0e013a94d6675ff6f56a67f6fe5a30c3b
+  data.tar.gz: 0f502d65e4235795d0d4cf1a8874a31d9321e49e
 SHA512:
-  metadata.gz: 9cf41e2fcb95948f680c2bf4e4176fe522d2ebe97dbb74ee3c4b6a4eec5410b96d2eb042d8048fc5e3b365c917abe002676ecc69234489f7960a7f2dddca8528
-  data.tar.gz: bcd71a6f34d510b783a04dc7a48f5986982dab25baf6d366c779ebbe9b583dbcb900ef3cdb0d6bcb4707e89ac1116e04b0aa2c03a169930e9a55c62d25e78822
+  metadata.gz: 9772c07ba057684f6814f984a8fd397a52266e78642b9faf1e2ffdb63e365b1f6ff6d6a80c9fac7253ab812a55656a66da46aee50d3ab9c7b4ac1556049d9ecf
+  data.tar.gz: 91aa0d43d7150bc5b36d45922b560a7486c2690c82825146beeeed5980730a92d3bc17b059743aaadfc305727e225a74ecb56dfc01ba758856b1b28b23af8c49

data/CHANGELOG.md CHANGED Viewed

@@ -3,12 +3,23 @@ Next
 * Your contribution here.
-0.1.4
-=====
-* [#115](https://github.com/cikl/threatinator/issues/115): Add missing require for 'set'. - [@justfalter](https://github.com/justfalter)
+0.1.5
+====
+* Add missing requrie for set. Fixes #115. - [@justfalter](https://github.com/justfalter)
 0.1.2
-=====
+====
+* Actually include the feeds in the release. Sigh. - [@justfalter](https://github.com/justfalter)
+0.1.1
+====
+* Remember to rev the changelog. - [@justfalter](https://github.com/justfalter)
+0.1.0
+====
 * [#56](https://github.com/cikl/threatinator/pull/56): Gemify threatinator - [@justfalter](https://github.com/justfalter)
 * [#55](https://github.com/cikl/threatinator/pull/55): Rewrote configuration handling - [@justfalter](https://github.com/justfalter)
 * [#51](https://github.com/cikl/threatinator/pull/51): Clean up spec layout - [@justfalter](https://github.com/justfalter)

data/Rakefile CHANGED Viewed

@@ -26,6 +26,7 @@ else
       ['bin/threatinator'] +
       Dir.glob("lib/**/*.rb") +
       Dir.glob("spec/**/*") +
+      Dir.glob("feeds/**/*.feed") +
       %w(CONTRIBUTING.md CHANGELOG.md LICENSE Gemfile README.md Rakefile VERSION)
   end

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.1.4
1	+ 0.1.5

data/feeds/ET_compromised-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "emergingthreats"
+name "compromised_ip_reputation"
+fetch_http('http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/alienvault-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,37 @@
+provider "alienvault"
+name "ip_reputation"
+fetch_http('https://reputation.alienvault.com/reputation.generic')
+# Examples:
+#  108.59.1.5 # Scanning Host A1,,0.0,0.0
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # (?<type>(Scanning Host|C&C|Malicious Host|Malware Domain|Spamming|Malware IP|Malware distribution)) (?<cc>[A-Z]{2}|A1|A1|O1)?,(?<city>[^,]*),(?<lat>-?[0-9]+(\.[0-9]+)?),(?<lon>-?[0-9]+(\.[0-9]+)?)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+      # This doesn't execute, yet.
+      ipv4_event.cc(m[:cc]) unless m[:cc].nil?
+      ipv4_event.city(m[:city]) unless m[:city].nil?
+      ipv4_latlon(m[:lat].to_f, m[:lon].to_f)
+    end
+    case m[:type]
+    when 'Scanning Host'
+      event.type = :scanning
+    when 'C&C'
+      event.type = :c2
+    when 'Malicious Host'
+      event.type = :attacker
+    when 'Malware Domain', 'Malware IP', 'Malware distribution'
+      event.type = :malware_host
+    when 'Spamming'
+     event.type = :spamming
+    end
+  end
+end

data/feeds/arbor_fastflux-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,18 @@
+provider "arbor"
+name "fastflux_domain_reputation"
+fetch_http('http://atlas.arbor.net/summary/domainlist')
+feed_re = /^(?<domain>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/arbor_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,23 @@
+provider "arbor"
+name "ssh_ip_reputation"
+fetch_http('http://atlas-public.ec2.arbor.net/public/ssh_attackers')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+filter do |record|
+  (record.data =~ /^other/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/autoshun_shunlist.feed ADDED Viewed

@@ -0,0 +1,15 @@
+provider "autoshun"
+name "shunlist"
+fetch_http('http://www.autoshun.org/files/shunlist.csv')
+filter do |record|
+  record.data[:ip].start_with?("Shunlist as of")
+end
+parse_csv(:headers => [:ip, :last_seen, :reason]) do |event_generator, record|
+  event_generator.call do |event|
+    event.type = :scanning
+    event.add_ipv4(record.data[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_apache-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "apache_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/apache.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_bots-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "bots_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/bots.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_ftp-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "ftp_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/ftp.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_imap-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "imap_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/imap.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_pop3-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "pop3_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/pop3.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_proftpd-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "proftpd_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/proftpd.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_sip-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "sip_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/sip.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "ssh_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/ssh.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_strongips-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "strongips_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/strongips.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/ciarmy-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "ciarmy"
+name "ip_reputation"
+fetch_http('http://www.ciarmy.com/list/ci-badguys.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/cruzit-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,29 @@
+provider "cruzit"
+name "ip_reputation"
+fetch_http('http://www.cruzit.com/xwbl2txt.php')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+# Filter out first line
+filter do |record|
+  (record.data =~ /^ipaddress$/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/dan_me_uk_torlist-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "dan_me_uk"
+name "torlist_ip_reputation"
+fetch_http('https://www.dan.me.uk/torlist/')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/dshield_attackers-top1000.feed ADDED Viewed

@@ -0,0 +1,34 @@
+provider "dshield"
+name "attackers-top1000"
+fetch_http('https://isc.sans.edu/api/sources/attacks/1000/')
+parse_xml("/sources/data") do |event_generator, record|
+  node = record.node
+  ip_node = node[:ip].first
+  next if ip_node.nil?
+  ip = ip_node.text
+  next if ip.empty?
+  # Dshield's api produces zero-padded octets. We've gotta strip those down.
+  # The following regex will remove any zero-padding.
+  ip.gsub!(/(?<=\A|\.)0+(?=\d+(\.|\Z))/, '')
+  attack_node = node[:attacks].first
+  count_node = node[:count].first
+  first_seen_node = node[:first_seen].first
+  last_seen_node = node[:last_seen].first
+  event_generator.call() do |event|
+    event.type = :attacker
+    event.add_ipv4(ip) do |ipv4_event|
+    end
+    ## TODO
+    # event.first_seen = first_seen_node.text unless first_seen_node.nil?
+    # event.last_seen = last_seen_node.text unless last_seen_node.nil?
+    # attack_count = attack_node.text.to_i unless attack_node.nil?
+    # count = count_node.text.to_i unless count_node.nil?
+  end
+end

data/feeds/feodo-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "feodo_domain_reputation"
+fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=domainblocklist')
+feed_re = /^(?<domain>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/feodo-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "feodo_ip_reputation"
+fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=ipblocklist')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/infiltrated-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,25 @@
+provider "infiltrated"
+name "ip_reputation"
+fetch_http('http://www.infiltrated.net/blacklisted')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out missing last octet
+# Example: '78.29.9.\n'
+filter do |record|
+  (record.data =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\n/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/malc0de-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,23 @@
+provider "malc0de"
+name "domain_reputation"
+fetch_http('http://malc0de.com/bl/BOOT')
+feed_re = /^PRIMARY (?<domain>[a-z,0-9,A-Z,\-,\.]*)/
+filter_whitespace
+filter_comments
+# Filter out //comments
+filter do |record|
+  (record.data =~ /^\/\//)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :malware_host
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/malc0de-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "malc0de"
+name "ip_reputation"
+fetch_http('http://malc0de.com/bl/IP_Blacklist.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out //comments
+filter do |record|
+  (record.data =~ /^\/\//)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :malware_host
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/mirc-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,28 @@
+provider "mirc"
+name "domain_reputation"
+fetch_http('http://www.mirc.com/servers.ini')
+feed_re = /^n[0-9]+=(?<desc1>[^:]+)SERVER:(?<domain>[^:]+):(?<portlist>[^:]+):?GROUP:(?<group>.*)$/
+filter_whitespace
+filter_comments
+# Filter out //comments
+filter do |record|
+  !(record.data =~ /\:/)
+  end
+# Filter out //comments
+filter do |record|
+  (record.data =~ /^\;/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/nothink_irc-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "nothink"
+name "irc_ip_reputation"
+fetch_http('http://www.nothink.org/blacklist/blacklist_malware_irc.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/nothink_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "nothink"
+name "ssh_ip_reputation"
+fetch_http('http://www.nothink.org/blacklist/blacklist_ssh_day.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/openbl-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "openbl"
+name "ip_reputation"
+fetch_http('http://www.openbl.org/lists/base.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/palevo-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "palevo_domain_reputation"
+fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=domainblocklist')
+feed_re = /^(?<domain>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/palevo-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "palevo_ip_reputation"
+fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/phishtank.feed ADDED Viewed

@@ -0,0 +1,21 @@
+provider "phishtank"
+name "phishtank"
+fetch_http('http://data.phishtank.com/data/online-valid.json.gz')
+extract_gzip
+parse_json() do |event_generator, record|
+  event_generator.call do |event|
+    # TODO: parse URL
+    # TODO: parse dates
+    event.type = :phishing
+    record.data["details"].each do |detail|
+      if ip = detail["ip_address"]
+        event.add_ipv4(ip) do |ipv4_event|
+        end
+      end
+    end
+  end
+end

data/feeds/spyeye-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "spyeye_domain_reputation"
+fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist')
+feed_re = /^(?<domain>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/spyeye-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "spyeye_ip_reputation"
+fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/t-arend-de_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "t-arend-de"
+name "ssh_ip_reputation"
+fetch_http('http://www.t-arend.de/linux/badguys.txt')
+feed_re = /^sshd\: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/the_haleys_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "the_haleys"
+name "ssh_ip_reputation"
+fetch_http('http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt')
+feed_re = /^ALL \: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/yourcmc_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "yourcmc"
+name "ssh-ip_reputation"
+fetch_http('http://vmx.yourcmc.ru/BAD_HOSTS.IP4')
+feed_re = /^(?<ip>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/zeus-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "zeus_domain_reputation"
+fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist')
+feed_re = /^(?<domain>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/zeus-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "zeus_ip_reputation"
+fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: threatinator
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.5
 platform: ruby
 authors:
 - Mike Ryan
@@ -140,6 +140,43 @@ files:
 - Rakefile
 - VERSION
 - bin/threatinator
+- feeds/ET_compromised-ip_reputation.feed
+- feeds/alienvault-ip_reputation.feed
+- feeds/arbor_fastflux-domain_reputation.feed
+- feeds/arbor_ssh-ip_reputation.feed
+- feeds/autoshun_shunlist.feed
+- feeds/blocklist_de_apache-ip_reputation.feed
+- feeds/blocklist_de_bots-ip_reputation.feed
+- feeds/blocklist_de_ftp-ip_reputation.feed
+- feeds/blocklist_de_imap-ip_reputation.feed
+- feeds/blocklist_de_pop3-ip_reputation.feed
+- feeds/blocklist_de_proftpd-ip_reputation.feed
+- feeds/blocklist_de_sip-ip_reputation.feed
+- feeds/blocklist_de_ssh-ip_reputation.feed
+- feeds/blocklist_de_strongips-ip_reputation.feed
+- feeds/ciarmy-ip_reputation.feed
+- feeds/cruzit-ip_reputation.feed
+- feeds/dan_me_uk_torlist-ip_reputation.feed
+- feeds/dshield_attackers-top1000.feed
+- feeds/feodo-domain_reputation.feed
+- feeds/feodo-ip_reputation.feed
+- feeds/infiltrated-ip_reputation.feed
+- feeds/malc0de-domain_reputation.feed
+- feeds/malc0de-ip_reputation.feed
+- feeds/mirc-domain_reputation.feed
+- feeds/nothink_irc-ip_reputation.feed
+- feeds/nothink_ssh-ip_reputation.feed
+- feeds/openbl-ip_reputation.feed
+- feeds/palevo-domain_reputation.feed
+- feeds/palevo-ip_reputation.feed
+- feeds/phishtank.feed
+- feeds/spyeye-domain_reputation.feed
+- feeds/spyeye-ip_reputation.feed
+- feeds/t-arend-de_ssh-ip_reputation.feed
+- feeds/the_haleys_ssh-ip_reputation.feed
+- feeds/yourcmc_ssh-ip_reputation.feed
+- feeds/zeus-domain_reputation.feed
+- feeds/zeus-ip_reputation.feed
 - lib/threatinator.rb
 - lib/threatinator/action.rb
 - lib/threatinator/actions/list.rb