threatinator 0.1.4 → 0.1.5

Files changed (42) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +15 -4
  3. data/Rakefile +1 -0
  4. data/VERSION +1 -1
  5. data/feeds/ET_compromised-ip_reputation.feed +19 -0
  6. data/feeds/alienvault-ip_reputation.feed +37 -0
  7. data/feeds/arbor_fastflux-domain_reputation.feed +18 -0
  8. data/feeds/arbor_ssh-ip_reputation.feed +23 -0
  9. data/feeds/autoshun_shunlist.feed +15 -0
  10. data/feeds/blocklist_de_apache-ip_reputation.feed +24 -0
  11. data/feeds/blocklist_de_bots-ip_reputation.feed +24 -0
  12. data/feeds/blocklist_de_ftp-ip_reputation.feed +24 -0
  13. data/feeds/blocklist_de_imap-ip_reputation.feed +24 -0
  14. data/feeds/blocklist_de_pop3-ip_reputation.feed +24 -0
  15. data/feeds/blocklist_de_proftpd-ip_reputation.feed +24 -0
  16. data/feeds/blocklist_de_sip-ip_reputation.feed +24 -0
  17. data/feeds/blocklist_de_ssh-ip_reputation.feed +24 -0
  18. data/feeds/blocklist_de_strongips-ip_reputation.feed +24 -0
  19. data/feeds/ciarmy-ip_reputation.feed +19 -0
  20. data/feeds/cruzit-ip_reputation.feed +29 -0
  21. data/feeds/dan_me_uk_torlist-ip_reputation.feed +24 -0
  22. data/feeds/dshield_attackers-top1000.feed +34 -0
  23. data/feeds/feodo-domain_reputation.feed +18 -0
  24. data/feeds/feodo-ip_reputation.feed +19 -0
  25. data/feeds/infiltrated-ip_reputation.feed +25 -0
  26. data/feeds/malc0de-domain_reputation.feed +23 -0
  27. data/feeds/malc0de-ip_reputation.feed +24 -0
  28. data/feeds/mirc-domain_reputation.feed +28 -0
  29. data/feeds/nothink_irc-ip_reputation.feed +19 -0
  30. data/feeds/nothink_ssh-ip_reputation.feed +19 -0
  31. data/feeds/openbl-ip_reputation.feed +19 -0
  32. data/feeds/palevo-domain_reputation.feed +18 -0
  33. data/feeds/palevo-ip_reputation.feed +19 -0
  34. data/feeds/phishtank.feed +21 -0
  35. data/feeds/spyeye-domain_reputation.feed +18 -0
  36. data/feeds/spyeye-ip_reputation.feed +19 -0
  37. data/feeds/t-arend-de_ssh-ip_reputation.feed +19 -0
  38. data/feeds/the_haleys_ssh-ip_reputation.feed +19 -0
  39. data/feeds/yourcmc_ssh-ip_reputation.feed +19 -0
  40. data/feeds/zeus-domain_reputation.feed +18 -0
  41. data/feeds/zeus-ip_reputation.feed +19 -0
  42. metadata +38 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 2b9a96591c91945bd0da63057325ed446ce8272e
4
- data.tar.gz: cde7105a964100f88c41f14e242fcf530a08f64e
3
+ metadata.gz: d9b3ddb0e013a94d6675ff6f56a67f6fe5a30c3b
4
+ data.tar.gz: 0f502d65e4235795d0d4cf1a8874a31d9321e49e
5
5
  SHA512:
6
- metadata.gz: 9cf41e2fcb95948f680c2bf4e4176fe522d2ebe97dbb74ee3c4b6a4eec5410b96d2eb042d8048fc5e3b365c917abe002676ecc69234489f7960a7f2dddca8528
7
- data.tar.gz: bcd71a6f34d510b783a04dc7a48f5986982dab25baf6d366c779ebbe9b583dbcb900ef3cdb0d6bcb4707e89ac1116e04b0aa2c03a169930e9a55c62d25e78822
6
+ metadata.gz: 9772c07ba057684f6814f984a8fd397a52266e78642b9faf1e2ffdb63e365b1f6ff6d6a80c9fac7253ab812a55656a66da46aee50d3ab9c7b4ac1556049d9ecf
7
+ data.tar.gz: 91aa0d43d7150bc5b36d45922b560a7486c2690c82825146beeeed5980730a92d3bc17b059743aaadfc305727e225a74ecb56dfc01ba758856b1b28b23af8c49
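--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -3,12 +3,23 @@ Next
 
 * Your contribution here.
 
-0.1.4
-=====
-* [#115](https://github.com/cikl/threatinator/issues/115): Add missing require for 'set'. - [@justfalter](https://github.com/justfalter)
+0.1.5
+====
 
+* Add missing requrie for set. Fixes #115. - [@justfalter](https://github.com/justfalter)
 0.1.2
-=====
+====
+
+* Actually include the feeds in the release. Sigh. - [@justfalter](https://github.com/justfalter)
+
+0.1.1
+====
+
+* Remember to rev the changelog. - [@justfalter](https://github.com/justfalter)
+
+0.1.0
+====
+
 * [#56](https://github.com/cikl/threatinator/pull/56): Gemify threatinator - [@justfalter](https://github.com/justfalter)
 * [#55](https://github.com/cikl/threatinator/pull/55): Rewrote configuration handling - [@justfalter](https://github.com/justfalter)
 * [#51](https://github.com/cikl/threatinator/pull/51): Clean up spec layout - [@justfalter](https://github.com/justfalter)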
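--- a/data/Rakefile
+++ b/data/Rakefile
@@ -26,6 +26,7 @@ else
 ['bin/threatinator'] +
 Dir.glob("lib/**/*.rb") +
 Dir.glob("spec/**/*") +
+Dir.glob("feeds/**/*.feed") +
 %w(CONTRIBUTING.md CHANGELOG.md LICENSE Gemfile README.md Rakefile VERSION)
 
 end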
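--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.4
+0.1.5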
@@ -0,0 +1,19 @@
1
+ provider "emergingthreats"
2
+ name "compromised_ip_reputation"
3
+ fetch_http('http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :scanning
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
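Review bot: The indicator list is fetched over plain HTTP (`fetch_http('http://rules.emergingthreats.net/...')`), so the data that ends up driving `:scanning` events can be altered on the network path before it is parsed; prefer an `https://` URL wherever the provider serves one, and the same applies to the other `http://` feeds in this commit (arbor, autoshun, the blocklist_de set, ciarmy, cruzit, malc0de, mirc, nothink, openbl, phishtank, t-arend-de, the_haleys, yourcmc). `feed_re` also accepts any four runs of one to three digits, so a line such as `999.1.1.1` would be handed to `add_ipv4`; whether that is rejected downstream cannot be seen here. The `do |ipv4_event| end` block passed to `add_ipv4` is empty and can be dropped, as the domain feeds already do with `add_fqdn`.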
@@ -0,0 +1,37 @@
1
+ provider "alienvault"
2
+ name "ip_reputation"
3
+ fetch_http('https://reputation.alienvault.com/reputation.generic')
4
+
5
+ # Examples:
6
+ # 108.59.1.5 # Scanning Host A1,,0.0,0.0
7
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # (?<type>(Scanning Host|C&C|Malicious Host|Malware Domain|Spamming|Malware IP|Malware distribution)) (?<cc>[A-Z]{2}|A1|A1|O1)?,(?<city>[^,]*),(?<lat>-?[0-9]+(\.[0-9]+)?),(?<lon>-?[0-9]+(\.[0-9]+)?)/
8
+
9
+ filter_whitespace
10
+ filter_comments
11
+
12
+ parse_eachline(:separator => "\n") do |event_generator, record|
13
+ m = feed_re.match(record.data)
14
+ next if m.nil?
15
+
16
+ event_generator.call() do |event|
17
+ event.add_ipv4(m[:ip]) do |ipv4_event|
18
+ # This doesn't execute, yet.
19
+ ipv4_event.cc(m[:cc]) unless m[:cc].nil?
20
+ ipv4_event.city(m[:city]) unless m[:city].nil?
21
+ ipv4_latlon(m[:lat].to_f, m[:lon].to_f)
22
+ end
23
+
24
+ case m[:type]
25
+ when 'Scanning Host'
26
+ event.type = :scanning
27
+ when 'C&C'
28
+ event.type = :c2
29
+ when 'Malicious Host'
30
+ event.type = :attacker
31
+ when 'Malware Domain', 'Malware IP', 'Malware distribution'
32
+ event.type = :malware_host
33
+ when 'Spamming'
34
+ event.type = :spamming
35
+ end
36
+ end
37
+ end
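Review bot: `ipv4_latlon(m[:lat].to_f, m[:lon].to_f)` inside the `add_ipv4` block is a bare call, unlike the `ipv4_event.cc` and `ipv4_event.city` lines beside it; nothing visible defines it, so once that block starts executing (the comment says it does not yet) it will raise NoMethodError. It presumably should be `ipv4_event.latlon(m[:lat].to_f, m[:lon].to_f)` — confirm against the event API. In `feed_re` the `cc` alternation lists `A1` twice.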
@@ -0,0 +1,18 @@
1
+ provider "arbor"
2
+ name "fastflux_domain_reputation"
3
+ fetch_http('http://atlas.arbor.net/summary/domainlist')
4
+
5
+ feed_re = /^(?<domain>.*)/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :c2
16
+ event.add_fqdn(m[:domain])
17
+ end
18
+ end
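Review bot: `feed_re = /^(?<domain>.*)/` captures the entire line, so anything that survives `filter_whitespace`/`filter_comments` — trailing fields, stray punctuation — is passed to `add_fqdn` unvalidated, while the IP feeds at least require a dotted quad. A restricted class such as `feed_re = /\A(?<domain>[a-z0-9.-]+)\z/i` would reject malformed lines through the existing `next if m.nil?`. The same pattern is used in feodo-domain_reputation, palevo-domain_reputation, spyeye-domain_reputation and zeus-domain_reputation.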
@@ -0,0 +1,23 @@
1
+ provider "arbor"
2
+ name "ssh_ip_reputation"
3
+ fetch_http('http://atlas-public.ec2.arbor.net/public/ssh_attackers')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ filter do |record|
11
+ (record.data =~ /^other/)
12
+ end
13
+
14
+ parse_eachline(:separator => "\n") do |event_generator, record|
15
+ m = feed_re.match(record.data)
16
+ next if m.nil?
17
+
18
+ event_generator.call() do |event|
19
+ event.type = :scanning
20
+ event.add_ipv4(m[:ip]) do |ipv4_event|
21
+ end
22
+ end
23
+ end
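Review bot: The `filter do |record| (record.data =~ /^other/) end` block has no comment saying what an `other` line in the upstream ssh_attackers file is, while the sibling feeds document their filters (`# Filter out IPv6 addresses`); add a one-line comment above it stating what those lines are and why they are dropped. The parentheses around the match are not needed.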
@@ -0,0 +1,15 @@
1
+ provider "autoshun"
2
+ name "shunlist"
3
+ fetch_http('http://www.autoshun.org/files/shunlist.csv')
4
+
5
+ filter do |record|
6
+ record.data[:ip].start_with?("Shunlist as of")
7
+ end
8
+
9
+ parse_csv(:headers => [:ip, :last_seen, :reason]) do |event_generator, record|
10
+ event_generator.call do |event|
11
+ event.type = :scanning
12
+ event.add_ipv4(record.data[:ip]) do |ipv4_event|
13
+ end
14
+ end
15
+ end
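Review bot: `record.data[:ip]` goes straight to `add_ipv4` with no check that it is a dotted quad, whereas every line-based feed in this commit guards with `feed_re` and `next if m.nil?`; a malformed or unexpected first column would be emitted as an indicator. A guard such as `next unless record.data[:ip] =~ /\A\d{1,3}(\.\d{1,3}){3}\z/` inside the `parse_csv` block would align it with the others. The `:last_seen` and `:reason` columns are declared in `:headers` but never read, and `event.type` is fixed to `:scanning` regardless of `reason`.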
@@ -0,0 +1,24 @@
1
+ provider "blocklist_de"
2
+ name "apache_ip_reputation"
3
+ fetch_http('http://www.blocklist.de/lists/apache.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out IPv6 addresses
11
+ filter do |record|
12
+ (record.data =~ /\:/)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :scanning
21
+ event.add_ipv4(m[:ip]) do |ipv4_event|
22
+ end
23
+ end
24
+ end
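Review bot: The `# Filter out IPv6 addresses` filter is redundant: `feed_re` is anchored at line start and requires a dotted quad, so a line containing `:` already falls through `next if m.nil?`; if it is kept for clarity, `record.data.include?(':')` says the same thing without the regex, the unneeded parentheses and the `\:` escape. The file is otherwise identical to the bots, ftp, imap, pop3, proftpd, sip, ssh and strongips feeds apart from `name` and the URL, which makes any later fix to the regex or filter a nine-file change.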
@@ -0,0 +1,24 @@
1
+ provider "blocklist_de"
2
+ name "bots_ip_reputation"
3
+ fetch_http('http://www.blocklist.de/lists/bots.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out IPv6 addresses
11
+ filter do |record|
12
+ (record.data =~ /\:/)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :scanning
21
+ event.add_ipv4(m[:ip]) do |ipv4_event|
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,24 @@
1
+ provider "blocklist_de"
2
+ name "ftp_ip_reputation"
3
+ fetch_http('http://www.blocklist.de/lists/ftp.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out IPv6 addresses
11
+ filter do |record|
12
+ (record.data =~ /\:/)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :scanning
21
+ event.add_ipv4(m[:ip]) do |ipv4_event|
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,24 @@
1
+ provider "blocklist_de"
2
+ name "imap_ip_reputation"
3
+ fetch_http('http://www.blocklist.de/lists/imap.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out IPv6 addresses
11
+ filter do |record|
12
+ (record.data =~ /\:/)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :scanning
21
+ event.add_ipv4(m[:ip]) do |ipv4_event|
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,24 @@
1
+ provider "blocklist_de"
2
+ name "pop3_ip_reputation"
3
+ fetch_http('http://www.blocklist.de/lists/pop3.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out IPv6 addresses
11
+ filter do |record|
12
+ (record.data =~ /\:/)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :scanning
21
+ event.add_ipv4(m[:ip]) do |ipv4_event|
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,24 @@
1
+ provider "blocklist_de"
2
+ name "proftpd_ip_reputation"
3
+ fetch_http('http://www.blocklist.de/lists/proftpd.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out IPv6 addresses
11
+ filter do |record|
12
+ (record.data =~ /\:/)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :scanning
21
+ event.add_ipv4(m[:ip]) do |ipv4_event|
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,24 @@
1
+ provider "blocklist_de"
2
+ name "sip_ip_reputation"
3
+ fetch_http('http://www.blocklist.de/lists/sip.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out IPv6 addresses
11
+ filter do |record|
12
+ (record.data =~ /\:/)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :scanning
21
+ event.add_ipv4(m[:ip]) do |ipv4_event|
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,24 @@
1
+ provider "blocklist_de"
2
+ name "ssh_ip_reputation"
3
+ fetch_http('http://www.blocklist.de/lists/ssh.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out IPv6 addresses
11
+ filter do |record|
12
+ (record.data =~ /\:/)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :scanning
21
+ event.add_ipv4(m[:ip]) do |ipv4_event|
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,24 @@
1
+ provider "blocklist_de"
2
+ name "strongips_ip_reputation"
3
+ fetch_http('http://www.blocklist.de/lists/strongips.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out IPv6 addresses
11
+ filter do |record|
12
+ (record.data =~ /\:/)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :scanning
21
+ event.add_ipv4(m[:ip]) do |ipv4_event|
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,19 @@
1
+ provider "ciarmy"
2
+ name "ip_reputation"
3
+ fetch_http('http://www.ciarmy.com/list/ci-badguys.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :scanning
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,29 @@
1
+ provider "cruzit"
2
+ name "ip_reputation"
3
+ fetch_http('http://www.cruzit.com/xwbl2txt.php')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out IPv6 addresses
11
+ filter do |record|
12
+ (record.data =~ /\:/)
13
+ end
14
+
15
+ # Filter out first line
16
+ filter do |record|
17
+ (record.data =~ /^ipaddress$/)
18
+ end
19
+
20
+ parse_eachline(:separator => "\n") do |event_generator, record|
21
+ m = feed_re.match(record.data)
22
+ next if m.nil?
23
+
24
+ event_generator.call() do |event|
25
+ event.type = :scanning
26
+ event.add_ipv4(m[:ip]) do |ipv4_event|
27
+ end
28
+ end
29
+ end
@@ -0,0 +1,24 @@
1
+ provider "dan_me_uk"
2
+ name "torlist_ip_reputation"
3
+ fetch_http('https://www.dan.me.uk/torlist/')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out IPv6 addresses
11
+ filter do |record|
12
+ (record.data =~ /\:/)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :scanning
21
+ event.add_ipv4(m[:ip]) do |ipv4_event|
22
+ end
23
+ end
24
+ end
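Review bot: Every address from the torlist is emitted with `event.type = :scanning`, but being listed as a Tor node is not evidence of scanning; a consumer that blocks on `:scanning` events would then drop all traffic from those relays. If the event type set used in this commit (`:scanning`, `:c2`, `:attacker`, `:malware_host`, `:spamming`, `:phishing`) has nothing closer, that limitation deserves a comment at the top of the feed so consumers can weight these events differently.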
@@ -0,0 +1,34 @@
1
+ provider "dshield"
2
+ name "attackers-top1000"
3
+ fetch_http('https://isc.sans.edu/api/sources/attacks/1000/')
4
+
5
+ parse_xml("/sources/data") do |event_generator, record|
6
+ node = record.node
7
+ ip_node = node[:ip].first
8
+ next if ip_node.nil?
9
+
10
+ ip = ip_node.text
11
+ next if ip.empty?
12
+
13
+ # Dshield's api produces zero-padded octets. We've gotta strip those down.
14
+ # The following regex will remove any zero-padding.
15
+ ip.gsub!(/(?<=\A|\.)0+(?=\d+(\.|\Z))/, '')
16
+
17
+ attack_node = node[:attacks].first
18
+ count_node = node[:count].first
19
+ first_seen_node = node[:first_seen].first
20
+ last_seen_node = node[:last_seen].first
21
+
22
+ event_generator.call() do |event|
23
+ event.type = :attacker
24
+ event.add_ipv4(ip) do |ipv4_event|
25
+ end
26
+
27
+ ## TODO
28
+ # event.first_seen = first_seen_node.text unless first_seen_node.nil?
29
+ # event.last_seen = last_seen_node.text unless last_seen_node.nil?
30
+ # attack_count = attack_node.text.to_i unless attack_node.nil?
31
+ # count = count_node.text.to_i unless count_node.nil?
32
+ end
33
+ end
34
+
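Review bot: `attack_node`, `count_node`, `first_seen_node` and `last_seen_node` are assigned but only referenced from the commented-out `## TODO` lines, so they are dead code until those are implemented; either drop them or move the lookups next to the TODO. The zero-padding strip `ip.gsub!(/(?<=\A|\.)0+(?=\d+(\.|\Z))/, '')` correctly leaves a lone `0` octet intact, but `\Z` also matches before a trailing newline — `\z` is the stricter anchor if `ip_node.text` can carry one. The file also ends with an extra blank line.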
@@ -0,0 +1,18 @@
1
+ provider "abuse_ch"
2
+ name "feodo_domain_reputation"
3
+ fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=domainblocklist')
4
+
5
+ feed_re = /^(?<domain>.*)/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :c2
16
+ event.add_fqdn(m[:domain])
17
+ end
18
+ end
@@ -0,0 +1,19 @@
1
+ provider "abuse_ch"
2
+ name "feodo_ip_reputation"
3
+ fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=ipblocklist')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :c2
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,25 @@
1
+ provider "infiltrated"
2
+ name "ip_reputation"
3
+ fetch_http('http://www.infiltrated.net/blacklisted')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out missing last octet
11
+ # Example: '78.29.9.\n'
12
+ filter do |record|
13
+ (record.data =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\n/)
14
+ end
15
+
16
+ parse_eachline(:separator => "\n") do |event_generator, record|
17
+ m = feed_re.match(record.data)
18
+ next if m.nil?
19
+
20
+ event_generator.call() do |event|
21
+ event.type = :scanning
22
+ event.add_ipv4(m[:ip]) do |ipv4_event|
23
+ end
24
+ end
25
+ end
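Review bot: The `# Filter out missing last octet` filter matches `/\d{1,3}\.\d{1,3}\.\d{1,3}\.\n/`, which only fires if `record.data` still contains the `\n` separator; whether `parse_eachline` strips it cannot be seen here, but either way `feed_re` already requires four octets and `next if m.nil?` drops a `78.29.9.` line, so the filter never changes the result. Drop it, or if it is meant to document the upstream quirk, anchor with `$` instead of a literal `\n`.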
@@ -0,0 +1,23 @@
1
+ provider "malc0de"
2
+ name "domain_reputation"
3
+ fetch_http('http://malc0de.com/bl/BOOT')
4
+
5
+ feed_re = /^PRIMARY (?<domain>[a-z,0-9,A-Z,\-,\.]*)/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out //comments
11
+ filter do |record|
12
+ (record.data =~ /^\/\//)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :malware_host
21
+ event.add_fqdn(m[:domain])
22
+ end
23
+ end
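Review bot: The character class in `feed_re = /^PRIMARY (?<domain>[a-z,0-9,A-Z,\-,\.]*)/` treats the commas as literal members, so a comma is accepted as part of a domain and a malformed line still produces an `add_fqdn` event; it was presumably meant as `/^PRIMARY (?<domain>[A-Za-z0-9.-]+)/` (with `+` rather than `*` so an empty capture is not emitted). The `# Filter out //comments` filter implies `filter_comments` does not cover `//`-style lines — if so, a short comment saying which comment syntax `filter_comments` handles would help the next feed author.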
@@ -0,0 +1,24 @@
1
+ provider "malc0de"
2
+ name "ip_reputation"
3
+ fetch_http('http://malc0de.com/bl/IP_Blacklist.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out //comments
11
+ filter do |record|
12
+ (record.data =~ /^\/\//)
13
+ end
14
+
15
+ parse_eachline(:separator => "\n") do |event_generator, record|
16
+ m = feed_re.match(record.data)
17
+ next if m.nil?
18
+
19
+ event_generator.call() do |event|
20
+ event.type = :malware_host
21
+ event.add_ipv4(m[:ip]) do |ipv4_event|
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,28 @@
1
+ provider "mirc"
2
+ name "domain_reputation"
3
+ fetch_http('http://www.mirc.com/servers.ini')
4
+
5
+ feed_re = /^n[0-9]+=(?<desc1>[^:]+)SERVER:(?<domain>[^:]+):(?<portlist>[^:]+):?GROUP:(?<group>.*)$/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ # Filter out //comments
11
+ filter do |record|
12
+ !(record.data =~ /\:/)
13
+ end
14
+
15
+ # Filter out //comments
16
+ filter do |record|
17
+ (record.data =~ /^\;/)
18
+ end
19
+
20
+ parse_eachline(:separator => "\n") do |event_generator, record|
21
+ m = feed_re.match(record.data)
22
+ next if m.nil?
23
+
24
+ event_generator.call() do |event|
25
+ event.type = :c2
26
+ event.add_fqdn(m[:domain])
27
+ end
28
+ end
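Review bot: Both `filter` blocks carry the comment `# Filter out //comments`, but the first drops lines with no `:` and the second drops lines starting with `;`, so the comments are copy-paste leftovers; replace them with `# Drop lines without a colon (not a server entry)` and `# Drop ;-comment lines`. Every entry is then emitted as `event.type = :c2`, yet the source is mIRC's stock servers.ini, its list of public IRC networks, so a consumer acting on `:c2` events would block ordinary IRC servers; if that is the intent it needs a comment at the top of the feed. The `desc1`, `portlist` and `group` captures are unused.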
@@ -0,0 +1,19 @@
1
+ provider "nothink"
2
+ name "irc_ip_reputation"
3
+ fetch_http('http://www.nothink.org/blacklist/blacklist_malware_irc.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :c2
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,19 @@
1
+ provider "nothink"
2
+ name "ssh_ip_reputation"
3
+ fetch_http('http://www.nothink.org/blacklist/blacklist_ssh_day.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :scanning
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,19 @@
1
+ provider "openbl"
2
+ name "ip_reputation"
3
+ fetch_http('http://www.openbl.org/lists/base.txt')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :scanning
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,18 @@
1
+ provider "abuse_ch"
2
+ name "palevo_domain_reputation"
3
+ fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=domainblocklist')
4
+
5
+ feed_re = /^(?<domain>.*)/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :c2
16
+ event.add_fqdn(m[:domain])
17
+ end
18
+ end
@@ -0,0 +1,19 @@
1
+ provider "abuse_ch"
2
+ name "palevo_ip_reputation"
3
+ fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :c2
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,21 @@
1
+ provider "phishtank"
2
+ name "phishtank"
3
+
4
+ fetch_http('http://data.phishtank.com/data/online-valid.json.gz')
5
+
6
+ extract_gzip
7
+ parse_json() do |event_generator, record|
8
+ event_generator.call do |event|
9
+ # TODO: parse URL
10
+ # TODO: parse dates
11
+
12
+ event.type = :phishing
13
+ record.data["details"].each do |detail|
14
+ if ip = detail["ip_address"]
15
+ event.add_ipv4(ip) do |ipv4_event|
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+
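Review bot: `record.data["details"].each` raises NoMethodError if an entry has no `details` key, which aborts the whole feed on one odd record; `Array(record.data["details"]).each` tolerates a missing or scalar value. `if ip = detail["ip_address"]` is assignment in a condition — `ip = detail["ip_address"]` on its own line followed by `next unless ip` reads unambiguously. The `# TODO: parse URL` means the feed currently emits only the hosting IP per entry, which is worth stating in the commit message or a top-of-file comment. The file ends with an extra blank line.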
@@ -0,0 +1,18 @@
1
+ provider "abuse_ch"
2
+ name "spyeye_domain_reputation"
3
+ fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist')
4
+
5
+ feed_re = /^(?<domain>.*)/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :c2
16
+ event.add_fqdn(m[:domain])
17
+ end
18
+ end
@@ -0,0 +1,19 @@
1
+ provider "abuse_ch"
2
+ name "spyeye_ip_reputation"
3
+ fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :c2
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,19 @@
1
+ provider "t-arend-de"
2
+ name "ssh_ip_reputation"
3
+ fetch_http('http://www.t-arend.de/linux/badguys.txt')
4
+
5
+ feed_re = /^sshd\: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :c2
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
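Review bot: `event.type = :c2` looks like a copy-paste from the abuse.ch feeds: the file is named ssh_ip_reputation, `feed_re` matches `sshd:` lines, and the other SSH feeds in this commit (arbor_ssh, blocklist_de_ssh, nothink_ssh, the_haleys_ssh, yourcmc_ssh) all use `event.type = :scanning`. Unless the source really lists command-and-control hosts, change it to `event.type = :scanning`.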
@@ -0,0 +1,19 @@
1
+ provider "the_haleys"
2
+ name "ssh_ip_reputation"
3
+ fetch_http('http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt')
4
+
5
+ feed_re = /^ALL \: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :scanning
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,19 @@
1
+ provider "yourcmc"
2
+ name "ssh-ip_reputation"
3
+ fetch_http('http://vmx.yourcmc.ru/BAD_HOSTS.IP4')
4
+
5
+ feed_re = /^(?<ip>.*)/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :scanning
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
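Review bot: `feed_re = /^(?<ip>.*)/` passes the whole line to `add_ipv4` with no shape check, unlike every other IP feed in the commit, which uses the dotted-quad pattern; use `feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/` so non-address lines fall through `next if m.nil?`. The `name "ssh-ip_reputation"` value uses a hyphen where the sibling feeds use `ssh_ip_reputation`, which will matter if feeds are looked up by name.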
@@ -0,0 +1,18 @@
1
+ provider "abuse_ch"
2
+ name "zeus_domain_reputation"
3
+ fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist')
4
+
5
+ feed_re = /^(?<domain>.*)/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :c2
16
+ event.add_fqdn(m[:domain])
17
+ end
18
+ end
@@ -0,0 +1,19 @@
1
+ provider "abuse_ch"
2
+ name "zeus_ip_reputation"
3
+ fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist')
4
+
5
+ feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
6
+
7
+ filter_whitespace
8
+ filter_comments
9
+
10
+ parse_eachline(:separator => "\n") do |event_generator, record|
11
+ m = feed_re.match(record.data)
12
+ next if m.nil?
13
+
14
+ event_generator.call() do |event|
15
+ event.type = :c2
16
+ event.add_ipv4(m[:ip]) do |ipv4_event|
17
+ end
18
+ end
19
+ end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: threatinator
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.4
4
+ version: 0.1.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mike Ryan
@@ -140,6 +140,43 @@ files:
140
140
  - Rakefile
141
141
  - VERSION
142
142
  - bin/threatinator
143
+ - feeds/ET_compromised-ip_reputation.feed
144
+ - feeds/alienvault-ip_reputation.feed
145
+ - feeds/arbor_fastflux-domain_reputation.feed
146
+ - feeds/arbor_ssh-ip_reputation.feed
147
+ - feeds/autoshun_shunlist.feed
148
+ - feeds/blocklist_de_apache-ip_reputation.feed
149
+ - feeds/blocklist_de_bots-ip_reputation.feed
150
+ - feeds/blocklist_de_ftp-ip_reputation.feed
151
+ - feeds/blocklist_de_imap-ip_reputation.feed
152
+ - feeds/blocklist_de_pop3-ip_reputation.feed
153
+ - feeds/blocklist_de_proftpd-ip_reputation.feed
154
+ - feeds/blocklist_de_sip-ip_reputation.feed
155
+ - feeds/blocklist_de_ssh-ip_reputation.feed
156
+ - feeds/blocklist_de_strongips-ip_reputation.feed
157
+ - feeds/ciarmy-ip_reputation.feed
158
+ - feeds/cruzit-ip_reputation.feed
159
+ - feeds/dan_me_uk_torlist-ip_reputation.feed
160
+ - feeds/dshield_attackers-top1000.feed
161
+ - feeds/feodo-domain_reputation.feed
162
+ - feeds/feodo-ip_reputation.feed
163
+ - feeds/infiltrated-ip_reputation.feed
164
+ - feeds/malc0de-domain_reputation.feed
165
+ - feeds/malc0de-ip_reputation.feed
166
+ - feeds/mirc-domain_reputation.feed
167
+ - feeds/nothink_irc-ip_reputation.feed
168
+ - feeds/nothink_ssh-ip_reputation.feed
169
+ - feeds/openbl-ip_reputation.feed
170
+ - feeds/palevo-domain_reputation.feed
171
+ - feeds/palevo-ip_reputation.feed
172
+ - feeds/phishtank.feed
173
+ - feeds/spyeye-domain_reputation.feed
174
+ - feeds/spyeye-ip_reputation.feed
175
+ - feeds/t-arend-de_ssh-ip_reputation.feed
176
+ - feeds/the_haleys_ssh-ip_reputation.feed
177
+ - feeds/yourcmc_ssh-ip_reputation.feed
178
+ - feeds/zeus-domain_reputation.feed
179
+ - feeds/zeus-ip_reputation.feed
143
180
  - lib/threatinator.rb
144
181
  - lib/threatinator/action.rb
145
182
  - lib/threatinator/actions/list.rb