RubyGems - threatinator - Versions diffs - 0.1.4 → 0.1.5 - Mend

threatinator 0.1.4 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +15 -4
data/Rakefile +1 -0
data/VERSION +1 -1
data/feeds/ET_compromised-ip_reputation.feed +19 -0
data/feeds/alienvault-ip_reputation.feed +37 -0
data/feeds/arbor_fastflux-domain_reputation.feed +18 -0
data/feeds/arbor_ssh-ip_reputation.feed +23 -0
data/feeds/autoshun_shunlist.feed +15 -0
data/feeds/blocklist_de_apache-ip_reputation.feed +24 -0
data/feeds/blocklist_de_bots-ip_reputation.feed +24 -0
data/feeds/blocklist_de_ftp-ip_reputation.feed +24 -0
data/feeds/blocklist_de_imap-ip_reputation.feed +24 -0
data/feeds/blocklist_de_pop3-ip_reputation.feed +24 -0
data/feeds/blocklist_de_proftpd-ip_reputation.feed +24 -0
data/feeds/blocklist_de_sip-ip_reputation.feed +24 -0
data/feeds/blocklist_de_ssh-ip_reputation.feed +24 -0
data/feeds/blocklist_de_strongips-ip_reputation.feed +24 -0
data/feeds/ciarmy-ip_reputation.feed +19 -0
data/feeds/cruzit-ip_reputation.feed +29 -0
data/feeds/dan_me_uk_torlist-ip_reputation.feed +24 -0
data/feeds/dshield_attackers-top1000.feed +34 -0
data/feeds/feodo-domain_reputation.feed +18 -0
data/feeds/feodo-ip_reputation.feed +19 -0
data/feeds/infiltrated-ip_reputation.feed +25 -0
data/feeds/malc0de-domain_reputation.feed +23 -0
data/feeds/malc0de-ip_reputation.feed +24 -0
data/feeds/mirc-domain_reputation.feed +28 -0
data/feeds/nothink_irc-ip_reputation.feed +19 -0
data/feeds/nothink_ssh-ip_reputation.feed +19 -0
data/feeds/openbl-ip_reputation.feed +19 -0
data/feeds/palevo-domain_reputation.feed +18 -0
data/feeds/palevo-ip_reputation.feed +19 -0
data/feeds/phishtank.feed +21 -0
data/feeds/spyeye-domain_reputation.feed +18 -0
data/feeds/spyeye-ip_reputation.feed +19 -0
data/feeds/t-arend-de_ssh-ip_reputation.feed +19 -0
data/feeds/the_haleys_ssh-ip_reputation.feed +19 -0
data/feeds/yourcmc_ssh-ip_reputation.feed +19 -0
data/feeds/zeus-domain_reputation.feed +18 -0
data/feeds/zeus-ip_reputation.feed +19 -0
metadata +38 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2b9a96591c91945bd0da63057325ed446ce8272e
-  data.tar.gz: cde7105a964100f88c41f14e242fcf530a08f64e
+  metadata.gz: d9b3ddb0e013a94d6675ff6f56a67f6fe5a30c3b
+  data.tar.gz: 0f502d65e4235795d0d4cf1a8874a31d9321e49e
 SHA512:
-  metadata.gz: 9cf41e2fcb95948f680c2bf4e4176fe522d2ebe97dbb74ee3c4b6a4eec5410b96d2eb042d8048fc5e3b365c917abe002676ecc69234489f7960a7f2dddca8528
-  data.tar.gz: bcd71a6f34d510b783a04dc7a48f5986982dab25baf6d366c779ebbe9b583dbcb900ef3cdb0d6bcb4707e89ac1116e04b0aa2c03a169930e9a55c62d25e78822
+  metadata.gz: 9772c07ba057684f6814f984a8fd397a52266e78642b9faf1e2ffdb63e365b1f6ff6d6a80c9fac7253ab812a55656a66da46aee50d3ab9c7b4ac1556049d9ecf
+  data.tar.gz: 91aa0d43d7150bc5b36d45922b560a7486c2690c82825146beeeed5980730a92d3bc17b059743aaadfc305727e225a74ecb56dfc01ba758856b1b28b23af8c49

data/CHANGELOG.md CHANGED Viewed

@@ -3,12 +3,23 @@ Next
 * Your contribution here.
-0.1.4
-=====
-* [#115](https://github.com/cikl/threatinator/issues/115): Add missing require for 'set'. - [@justfalter](https://github.com/justfalter)
+0.1.5
+====
+* Add missing requrie for set. Fixes #115. - [@justfalter](https://github.com/justfalter)
 0.1.2
-=====
+====
+* Actually include the feeds in the release. Sigh. - [@justfalter](https://github.com/justfalter)
+0.1.1
+====
+* Remember to rev the changelog. - [@justfalter](https://github.com/justfalter)
+0.1.0
+====
 * [#56](https://github.com/cikl/threatinator/pull/56): Gemify threatinator - [@justfalter](https://github.com/justfalter)
 * [#55](https://github.com/cikl/threatinator/pull/55): Rewrote configuration handling - [@justfalter](https://github.com/justfalter)
 * [#51](https://github.com/cikl/threatinator/pull/51): Clean up spec layout - [@justfalter](https://github.com/justfalter)

data/Rakefile CHANGED Viewed

@@ -26,6 +26,7 @@ else
       ['bin/threatinator'] +
       Dir.glob("lib/**/*.rb") +
       Dir.glob("spec/**/*") +
+      Dir.glob("feeds/**/*.feed") +
       %w(CONTRIBUTING.md CHANGELOG.md LICENSE Gemfile README.md Rakefile VERSION)
   end

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.1.4
1	+ 0.1.5

data/feeds/ET_compromised-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "emergingthreats"
+name "compromised_ip_reputation"
+fetch_http('http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/alienvault-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,37 @@
+provider "alienvault"
+name "ip_reputation"
+fetch_http('https://reputation.alienvault.com/reputation.generic')
+# Examples:
+#  108.59.1.5 # Scanning Host A1,,0.0,0.0
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # (?<type>(Scanning Host|C&C|Malicious Host|Malware Domain|Spamming|Malware IP|Malware distribution)) (?<cc>[A-Z]{2}|A1|A1|O1)?,(?<city>[^,]*),(?<lat>-?[0-9]+(\.[0-9]+)?),(?<lon>-?[0-9]+(\.[0-9]+)?)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+      # This doesn't execute, yet.
+      ipv4_event.cc(m[:cc]) unless m[:cc].nil?
+      ipv4_event.city(m[:city]) unless m[:city].nil?
+      ipv4_latlon(m[:lat].to_f, m[:lon].to_f)
+    end
+    case m[:type]
+    when 'Scanning Host'
+      event.type = :scanning
+    when 'C&C'
+      event.type = :c2
+    when 'Malicious Host'
+      event.type = :attacker
+    when 'Malware Domain', 'Malware IP', 'Malware distribution'
+      event.type = :malware_host
+    when 'Spamming'
+     event.type = :spamming
+    end
+  end
+end

data/feeds/arbor_fastflux-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,18 @@
+provider "arbor"
+name "fastflux_domain_reputation"
+fetch_http('http://atlas.arbor.net/summary/domainlist')
+feed_re = /^(?<domain>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/arbor_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,23 @@
+provider "arbor"
+name "ssh_ip_reputation"
+fetch_http('http://atlas-public.ec2.arbor.net/public/ssh_attackers')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+filter do |record|
+  (record.data =~ /^other/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/autoshun_shunlist.feed ADDED Viewed

@@ -0,0 +1,15 @@
+provider "autoshun"
+name "shunlist"
+fetch_http('http://www.autoshun.org/files/shunlist.csv')
+filter do |record|
+  record.data[:ip].start_with?("Shunlist as of")
+end
+parse_csv(:headers => [:ip, :last_seen, :reason]) do |event_generator, record|
+  event_generator.call do |event|
+    event.type = :scanning
+    event.add_ipv4(record.data[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_apache-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "apache_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/apache.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_bots-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "bots_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/bots.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_ftp-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "ftp_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/ftp.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_imap-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "imap_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/imap.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_pop3-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "pop3_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/pop3.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_proftpd-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "proftpd_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/proftpd.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_sip-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "sip_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/sip.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "ssh_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/ssh.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_strongips-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "strongips_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/strongips.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/ciarmy-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "ciarmy"
+name "ip_reputation"
+fetch_http('http://www.ciarmy.com/list/ci-badguys.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/cruzit-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,29 @@
+provider "cruzit"
+name "ip_reputation"
+fetch_http('http://www.cruzit.com/xwbl2txt.php')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+# Filter out first line
+filter do |record|
+  (record.data =~ /^ipaddress$/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/dan_me_uk_torlist-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "dan_me_uk"
+name "torlist_ip_reputation"
+fetch_http('https://www.dan.me.uk/torlist/')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/dshield_attackers-top1000.feed ADDED Viewed

@@ -0,0 +1,34 @@
+provider "dshield"
+name "attackers-top1000"
+fetch_http('https://isc.sans.edu/api/sources/attacks/1000/')
+parse_xml("/sources/data") do |event_generator, record|
+  node = record.node
+  ip_node = node[:ip].first
+  next if ip_node.nil?
+  ip = ip_node.text
+  next if ip.empty?
+  # Dshield's api produces zero-padded octets. We've gotta strip those down.
+  # The following regex will remove any zero-padding.
+  ip.gsub!(/(?<=\A|\.)0+(?=\d+(\.|\Z))/, '')
+  attack_node = node[:attacks].first
+  count_node = node[:count].first
+  first_seen_node = node[:first_seen].first
+  last_seen_node = node[:last_seen].first
+  event_generator.call() do |event|
+    event.type = :attacker
+    event.add_ipv4(ip) do |ipv4_event|
+    end
+    ## TODO
+    # event.first_seen = first_seen_node.text unless first_seen_node.nil?
+    # event.last_seen = last_seen_node.text unless last_seen_node.nil?
+    # attack_count = attack_node.text.to_i unless attack_node.nil?
+    # count = count_node.text.to_i unless count_node.nil?
+  end
+end

data/feeds/feodo-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "feodo_domain_reputation"
+fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=domainblocklist')
+feed_re = /^(?<domain>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/feodo-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "feodo_ip_reputation"
+fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=ipblocklist')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/infiltrated-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,25 @@
+provider "infiltrated"
+name "ip_reputation"
+fetch_http('http://www.infiltrated.net/blacklisted')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out missing last octet
+# Example: '78.29.9.\n'
+filter do |record|
+  (record.data =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\n/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/malc0de-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,23 @@
+provider "malc0de"
+name "domain_reputation"
+fetch_http('http://malc0de.com/bl/BOOT')
+feed_re = /^PRIMARY (?<domain>[a-z,0-9,A-Z,\-,\.]*)/
+filter_whitespace
+filter_comments
+# Filter out //comments
+filter do |record|
+  (record.data =~ /^\/\//)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :malware_host
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/malc0de-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,24 @@
+provider "malc0de"
+name "ip_reputation"
+fetch_http('http://malc0de.com/bl/IP_Blacklist.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+# Filter out //comments
+filter do |record|
+  (record.data =~ /^\/\//)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :malware_host
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/mirc-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,28 @@
+provider "mirc"
+name "domain_reputation"
+fetch_http('http://www.mirc.com/servers.ini')
+feed_re = /^n[0-9]+=(?<desc1>[^:]+)SERVER:(?<domain>[^:]+):(?<portlist>[^:]+):?GROUP:(?<group>.*)$/
+filter_whitespace
+filter_comments
+# Filter out //comments
+filter do |record|
+  !(record.data =~ /\:/)
+  end
+# Filter out //comments
+filter do |record|
+  (record.data =~ /^\;/)
+  end
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/nothink_irc-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "nothink"
+name "irc_ip_reputation"
+fetch_http('http://www.nothink.org/blacklist/blacklist_malware_irc.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/nothink_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "nothink"
+name "ssh_ip_reputation"
+fetch_http('http://www.nothink.org/blacklist/blacklist_ssh_day.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/openbl-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "openbl"
+name "ip_reputation"
+fetch_http('http://www.openbl.org/lists/base.txt')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/palevo-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "palevo_domain_reputation"
+fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=domainblocklist')
+feed_re = /^(?<domain>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/palevo-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "palevo_ip_reputation"
+fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/phishtank.feed ADDED Viewed

@@ -0,0 +1,21 @@
+provider "phishtank"
+name "phishtank"
+fetch_http('http://data.phishtank.com/data/online-valid.json.gz')
+extract_gzip
+parse_json() do |event_generator, record|
+  event_generator.call do |event|
+    # TODO: parse URL
+    # TODO: parse dates
+    event.type = :phishing
+    record.data["details"].each do |detail|
+      if ip = detail["ip_address"]
+        event.add_ipv4(ip) do |ipv4_event|
+        end
+      end
+    end
+  end
+end

data/feeds/spyeye-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "spyeye_domain_reputation"
+fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist')
+feed_re = /^(?<domain>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/spyeye-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "spyeye_ip_reputation"
+fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/t-arend-de_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "t-arend-de"
+name "ssh_ip_reputation"
+fetch_http('http://www.t-arend.de/linux/badguys.txt')
+feed_re = /^sshd\: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/the_haleys_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "the_haleys"
+name "ssh_ip_reputation"
+fetch_http('http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt')
+feed_re = /^ALL \: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/yourcmc_ssh-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "yourcmc"
+name "ssh-ip_reputation"
+fetch_http('http://vmx.yourcmc.ru/BAD_HOSTS.IP4')
+feed_re = /^(?<ip>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/zeus-domain_reputation.feed ADDED Viewed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "zeus_domain_reputation"
+fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist')
+feed_re = /^(?<domain>.*)/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/zeus-ip_reputation.feed ADDED Viewed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "zeus_ip_reputation"
+fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist')
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+filter_whitespace
+filter_comments
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: threatinator
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.5
 platform: ruby
 authors:
 - Mike Ryan
@@ -140,6 +140,43 @@ files:
 - Rakefile
 - VERSION
 - bin/threatinator
+- feeds/ET_compromised-ip_reputation.feed
+- feeds/alienvault-ip_reputation.feed
+- feeds/arbor_fastflux-domain_reputation.feed
+- feeds/arbor_ssh-ip_reputation.feed
+- feeds/autoshun_shunlist.feed
+- feeds/blocklist_de_apache-ip_reputation.feed
+- feeds/blocklist_de_bots-ip_reputation.feed
+- feeds/blocklist_de_ftp-ip_reputation.feed
+- feeds/blocklist_de_imap-ip_reputation.feed
+- feeds/blocklist_de_pop3-ip_reputation.feed
+- feeds/blocklist_de_proftpd-ip_reputation.feed
+- feeds/blocklist_de_sip-ip_reputation.feed
+- feeds/blocklist_de_ssh-ip_reputation.feed
+- feeds/blocklist_de_strongips-ip_reputation.feed
+- feeds/ciarmy-ip_reputation.feed
+- feeds/cruzit-ip_reputation.feed
+- feeds/dan_me_uk_torlist-ip_reputation.feed
+- feeds/dshield_attackers-top1000.feed
+- feeds/feodo-domain_reputation.feed
+- feeds/feodo-ip_reputation.feed
+- feeds/infiltrated-ip_reputation.feed
+- feeds/malc0de-domain_reputation.feed
+- feeds/malc0de-ip_reputation.feed
+- feeds/mirc-domain_reputation.feed
+- feeds/nothink_irc-ip_reputation.feed
+- feeds/nothink_ssh-ip_reputation.feed
+- feeds/openbl-ip_reputation.feed
+- feeds/palevo-domain_reputation.feed
+- feeds/palevo-ip_reputation.feed
+- feeds/phishtank.feed
+- feeds/spyeye-domain_reputation.feed
+- feeds/spyeye-ip_reputation.feed
+- feeds/t-arend-de_ssh-ip_reputation.feed
+- feeds/the_haleys_ssh-ip_reputation.feed
+- feeds/yourcmc_ssh-ip_reputation.feed
+- feeds/zeus-domain_reputation.feed
+- feeds/zeus-ip_reputation.feed
 - lib/threatinator.rb
 - lib/threatinator/action.rb
 - lib/threatinator/actions/list.rb