threatinator 0.1.6 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +13 -2
- data/Gemfile +18 -13
- data/Rakefile +1 -1
- data/VERSION +1 -1
- data/feeds/ET_block-ip_reputation.feed +26 -0
- data/feeds/ET_openbadlist-ip_reputation.feed +35 -0
- data/feeds/bambenek_c2_masterlist-domain_reputation.feed +15 -0
- data/feeds/bambenek_c2_masterlist-ip_reputation.feed +15 -0
- data/feeds/bambenek_dga_feed-domain_reputation.feed +15 -0
- data/feeds/berkeley-ip_reputation.feed +23 -0
- data/feeds/bitcash_cz_blacklist.feed +20 -0
- data/feeds/botscout-ip_reputation.feed +24 -0
- data/feeds/cert_mxpoison-ip_reputation.feed +21 -0
- data/feeds/chaosreigns-ip_reputation.feed +36 -0
- data/feeds/cydef_torexit-ip_reputation.feed +24 -0
- data/feeds/danger_bruteforce-ip_reputation.feed +23 -0
- data/feeds/falconcrest-ip_reputation.feed +18 -0
- data/feeds/h3x_asprox.feed +17 -0
- data/feeds/hosts-file_hphostspartial-domain_reputation.feed +18 -0
- data/feeds/infiltrated_vabl-ip_reputation.feed +29 -0
- data/feeds/isc_suspicious_high-domain_reputation.feed +25 -0
- data/feeds/isc_suspicious_low-domain_reputation.feed +25 -0
- data/feeds/isc_suspicious_medium-domain_reputation.feed +25 -0
- data/feeds/malwaredomainlist-url_reputation.feed +16 -0
- data/feeds/malwaredomains-domain_reputation.feed +27 -0
- data/feeds/malwaredomains_dyndns-domain_reputation.feed +27 -0
- data/feeds/malwaredomains_justdomains-domain_reputation.feed +18 -0
- data/feeds/multiproxy-ip_reputation.feed +20 -0
- data/feeds/openphish-url_reputation.feed +22 -0
- data/feeds/packetmail_perimeterbad-ip_reputation.feed +26 -0
- data/feeds/phishtank.feed +1 -1
- data/feeds/sigmaproject_atma.feed +25 -0
- data/feeds/sigmaproject_spyware.feed +24 -0
- data/feeds/sigmaproject_webexploit.feed +26 -0
- data/feeds/snort_bpf-ip_reputation.feed +19 -0
- data/feeds/steeman-ip_reputation.feed +19 -0
- data/feeds/trustedsec-ip_reputation.feed +17 -0
- data/feeds/virbl-ip_reputation.feed +24 -0
- data/feeds/vxvault-url_reputation.feed +22 -0
- data/feeds/yoyo_adservers-domain_reputation.feed +16 -0
- data/lib/threatinator/actions/run/action.rb +15 -3
- data/lib/threatinator/actions/run/coverage_observer.rb +12 -7
- data/lib/threatinator/actions/run/status_observer.rb +37 -0
- data/lib/threatinator/cli.rb +9 -3
- data/lib/threatinator/cli/parser.rb +14 -4
- data/lib/threatinator/config.rb +1 -0
- data/lib/threatinator/config/logger.rb +14 -0
- data/lib/threatinator/event.rb +28 -18
- data/lib/threatinator/event_builder.rb +52 -23
- data/lib/threatinator/exceptions.rb +3 -6
- data/lib/threatinator/feed.rb +1 -1
- data/lib/threatinator/feed_runner.rb +63 -7
- data/lib/threatinator/logger.rb +66 -0
- data/lib/threatinator/logging.rb +20 -0
- data/lib/threatinator/model/base.rb +23 -0
- data/lib/threatinator/model/collection.rb +64 -0
- data/lib/threatinator/model/observables/fqdn_collection.rb +13 -0
- data/lib/threatinator/model/observables/ipv4.rb +30 -0
- data/lib/threatinator/model/observables/ipv4_collection.rb +14 -0
- data/lib/threatinator/model/observables/url_collection.rb +16 -0
- data/lib/threatinator/model/validations.rb +1 -0
- data/lib/threatinator/model/validations/type.rb +21 -0
- data/lib/threatinator/plugins/output/csv.rb +20 -9
- data/spec/feeds/ET_block-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ET_compromised-ip_reputation_spec.rb +2 -5
- data/spec/feeds/ET_openbadlist-ip_reputation_spec.rb +56 -0
- data/spec/feeds/alienvault-ip_reputation_spec.rb +2 -5
- data/spec/feeds/arbor_fastflux-domain_reputation_spec.rb +0 -3
- data/spec/feeds/arbor_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/autoshun_shunlist_spec.rb +1 -4
- data/spec/feeds/bambenek_c2_masterlist-domain_reputation_spec.rb +39 -0
- data/spec/feeds/bambenek_c2_masterlist-ip_reputation_spec.rb +39 -0
- data/spec/feeds/bambenek_dga_feed-domain_reputation_spec.rb +39 -0
- data/spec/feeds/berkeley-ip_reputation_spec.rb +47 -0
- data/spec/feeds/bitcash_cz_blacklist-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_apache-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_bots-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_ftp-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_imap-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_pop3-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_proftpd-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_sip-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_strongips-ip_reputation_spec.rb +2 -5
- data/spec/feeds/botscout-ip_reputation_spec.rb +50 -0
- data/spec/feeds/cert_mxpoison-ip_reputation_spec.rb +47 -0
- data/spec/feeds/chaosreigns-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ciarmy-ip_reputation_spec.rb +2 -5
- data/spec/feeds/cruzit-ip_reputation_spec.rb +2 -5
- data/spec/feeds/cydef_torexit-ip_reputation_spec.rb +47 -0
- data/spec/feeds/dan_me_uk_torlist-ip_reputation_spec.rb +2 -5
- data/spec/feeds/danger_bruteforce-ip_reputation_spec.rb +47 -0
- data/spec/feeds/data/ET_block-ip_reputation.txt +80 -0
- data/spec/feeds/data/ET_openbadlist-ip_reputation.txt +62 -0
- data/spec/feeds/data/bambenek_c2-dommasterlist.csv +30 -0
- data/spec/feeds/data/bambenek_c2-ipmasterlist.csv +27 -0
- data/spec/feeds/data/bambenek_dga_feed.csv +42 -0
- data/spec/feeds/data/berkeley.txt +29 -0
- data/spec/feeds/data/bitcash_cz_blacklist.txt +7 -0
- data/spec/feeds/data/botscout-ip-reputation.txt +713 -0
- data/spec/feeds/data/cert_mxpoison-ip_reputation.txt +17 -0
- data/spec/feeds/data/chaosreigns-ip-reputation.txt +26 -0
- data/spec/feeds/data/cydef_torexit-ip_reputation.txt +27 -0
- data/spec/feeds/data/danger_bruteforce-ip_reputation.txt +12 -0
- data/spec/feeds/data/falconcrest_iplist.txt +345 -0
- data/spec/feeds/data/h3x_asprox.txt +20 -0
- data/spec/feeds/data/hosts-file_hphostspartial_domainlist.txt +24 -0
- data/spec/feeds/data/infiltrated_vabl_iplist.txt +33 -0
- data/spec/feeds/data/isc_suspicious_high_domainlist.txt +26 -0
- data/spec/feeds/data/isc_suspicious_low_domainlist.txt +34 -0
- data/spec/feeds/data/isc_suspicious_medium_domainlist.txt +32 -0
- data/spec/feeds/data/malwaredomainlist-url-reputation.txt +8 -0
- data/spec/feeds/data/malwaredomains_domainlist.txt +24 -0
- data/spec/feeds/data/malwaredomains_dyndns_domainlist.txt +34 -0
- data/spec/feeds/data/malwaredomains_justdomains_domainlist.txt +18 -0
- data/spec/feeds/data/multiproxy_iplist.txt +15 -0
- data/spec/feeds/data/openphish-url-reputation.txt +16 -0
- data/spec/feeds/data/packetmail_perimeterbad-ip_reputation.txt +44 -0
- data/spec/feeds/data/sigmaproject_atma.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_spyware.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_webexploit.return.gz +0 -0
- data/spec/feeds/data/snort_bpf-ip_reputation.txt +16 -0
- data/spec/feeds/data/steeman-ip-reputation.txt +13 -0
- data/spec/feeds/data/trustedsec-ip-reputation.txt +12 -0
- data/spec/feeds/data/virbl-ip_reputation.txt +14 -0
- data/spec/feeds/data/vxvault-url-reputation.txt +15 -0
- data/spec/feeds/data/yoyo_adservers.txt +25 -0
- data/spec/feeds/dshield_attackers-top1000_spec.rb +1 -4
- data/spec/feeds/falconcrest-ip_reputation_spec.rb +37 -0
- data/spec/feeds/feodo-domain_reputation_spec.rb +0 -3
- data/spec/feeds/feodo-ip_reputation_spec.rb +2 -5
- data/spec/feeds/h3x_asprox-ip_reputation_spec.rb +50 -0
- data/spec/feeds/hosts-file_hphostspartial-domain_reputation_spec.rb +47 -0
- data/spec/feeds/infiltrated-ip_reputation_spec.rb +2 -5
- data/spec/feeds/infiltrated_vabl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_high-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_low-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_medium-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malc0de-domain_reputation_spec.rb +0 -3
- data/spec/feeds/malc0de-ip_reputation_spec.rb +2 -5
- data/spec/feeds/malwaredomainlist_url_reputation_spec.rb +50 -0
- data/spec/feeds/malwaredomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_dyndns-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_justdomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/mirc-domain_reputation_spec.rb +0 -3
- data/spec/feeds/multiproxy-ip_reputation_spec.rb +47 -0
- data/spec/feeds/nothink_irc-ip_reputation_spec.rb +2 -5
- data/spec/feeds/nothink_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/openbl-ip_reputation_spec.rb +2 -5
- data/spec/feeds/openphish_url_reputation_spec.rb +50 -0
- data/spec/feeds/packetmail_perimeterbad-ip_reputation_spec.rb +47 -0
- data/spec/feeds/palevo-domain_reputation_spec.rb +0 -3
- data/spec/feeds/palevo-ip_reputation_spec.rb +2 -5
- data/spec/feeds/phishtank_spec.rb +2 -5
- data/spec/feeds/sigmaproject_atma_spec.rb +63 -0
- data/spec/feeds/sigmaproject_spyware_spec.rb +64 -0
- data/spec/feeds/sigmaproject_webexploit_spec.rb +63 -0
- data/spec/feeds/snort_bpf-ip_reputation_spec.rb +47 -0
- data/spec/feeds/spyeye-domain_reputation_spec.rb +0 -3
- data/spec/feeds/spyeye-ip_reputation_spec.rb +2 -5
- data/spec/feeds/steeman-ip_reputation_spec.rb +50 -0
- data/spec/feeds/t-arend-de_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/the_haleys_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/trustedsec-ip_reputation_spec.rb +47 -0
- data/spec/feeds/virbl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/vxvault_url_reputation_spec.rb +50 -0
- data/spec/feeds/yourcmc_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/yoyo_adservers_spec.rb +47 -0
- data/spec/feeds/zeus-domain_reputation_spec.rb +0 -3
- data/spec/feeds/zeus-ip_reputation_spec.rb +2 -5
- data/spec/spec_helper.rb +2 -0
- data/spec/support/factories/event.rb +11 -7
- data/spec/support/factories/feed.rb +28 -1
- data/spec/support/factories/ipv4.rb +36 -0
- data/spec/support/factories/url.rb +34 -0
- data/spec/support/shared/feed_runner_observer.rb +136 -0
- data/spec/support/shared/feeds.rb +19 -4
- data/spec/support/shared/model/collection.rb +164 -0
- data/spec/threatinator/actions/run/action_spec.rb +27 -10
- data/spec/threatinator/actions/run/coverage_observer_spec.rb +39 -4
- data/spec/threatinator/actions/run/status_observer_spec.rb +86 -0
- data/spec/threatinator/event_builder_spec.rb +111 -21
- data/spec/threatinator/event_spec.rb +237 -13
- data/spec/threatinator/event_spec.rb.new +319 -0
- data/spec/threatinator/feed_builder_spec.rb +0 -3
- data/spec/threatinator/feed_runner_spec.rb +254 -70
- data/spec/threatinator/logger_spec.rb +29 -0
- data/spec/threatinator/model/observables/fqdn_collection_spec.rb +42 -0
- data/spec/threatinator/model/observables/ipv4_collection_spec.rb +36 -0
- data/spec/threatinator/model/observables/ipv4_spec.rb +75 -0
- data/spec/threatinator/model/observables/url_collection_spec.rb +45 -0
- data/spec/threatinator/model/validations/type_spec.rb +37 -0
- data/spec/threatinator/plugins/output/csv_spec.rb +4 -3
- metadata +216 -19
- data/lib/threatinator/property_definer.rb +0 -101
- data/spec/threatinator/property_definer_spec.rb +0 -155
@@ -0,0 +1,47 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/virbl-ip_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'virbl' }
|
5
|
+
let(:name) { 'ip_reputation' }
|
6
|
+
|
7
|
+
it_fetches_url 'http://virbl.org/download/virbl.dnsbl.bit.nl.txt'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('virbl-ip_reputation.txt') do
|
10
|
+
it "should have parsed 13 records" do
|
11
|
+
expect(num_records_parsed).to eq(13)
|
12
|
+
end
|
13
|
+
it "should have filtered 1 records" do
|
14
|
+
expect(num_records_filtered).to eq(1)
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
describe_parsing_a_record '193.20.147.167' do
|
19
|
+
it "should have parsed" do
|
20
|
+
expect(status).to eq(:parsed)
|
21
|
+
end
|
22
|
+
it "should have parsed 1 event" do
|
23
|
+
expect(events.count).to eq(1)
|
24
|
+
end
|
25
|
+
describe 'event 0' do
|
26
|
+
subject { events[0] }
|
27
|
+
its(:type) { is_expected.to be(:malware_host) }
|
28
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['193.20.147.167'])) }
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
describe_parsing_a_record '37.84.148.198' do
|
33
|
+
it "should have parsed" do
|
34
|
+
expect(status).to eq(:parsed)
|
35
|
+
end
|
36
|
+
it "should have parsed 1 event" do
|
37
|
+
expect(events.count).to eq(1)
|
38
|
+
end
|
39
|
+
describe 'event 0' do
|
40
|
+
subject { events[0] }
|
41
|
+
its(:type) { is_expected.to be(:malware_host) }
|
42
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['37.84.148.198'])) }
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
|
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/vxvault-url_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'vxvault' }
|
5
|
+
let(:name) { 'url_reputation' }
|
6
|
+
|
7
|
+
it_fetches_url 'http://vxvault.siri-urz.net/URL_List.php'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('vxvault-url-reputation.txt') do
|
10
|
+
it "should have parsed 12 records" do
|
11
|
+
expect(num_records_parsed).to eq(12)
|
12
|
+
end
|
13
|
+
it "should have filtered 3 records" do
|
14
|
+
expect(num_records_filtered).to eq(3)
|
15
|
+
end
|
16
|
+
it "should have missed 0 records" do
|
17
|
+
expect(num_records_missed).to eq(0)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe_parsing_a_record 'http://176.31.228.6/111.exe' do
|
22
|
+
it "should have parsed" do
|
23
|
+
expect(status).to eq(:parsed)
|
24
|
+
end
|
25
|
+
it "should have parsed 1 event" do
|
26
|
+
expect(events.count).to eq(1)
|
27
|
+
end
|
28
|
+
describe 'event 0' do
|
29
|
+
subject { events[0] }
|
30
|
+
its(:type) { is_expected.to be(:malware_host) }
|
31
|
+
its(:urls) { is_expected.to eq(build(:urls, values: ['http://176.31.228.6/111.exe'])) }
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
describe_parsing_a_record 'http://w719460.blob4.ge.tt/streams/2RLPNJy1/Hawlery.exe?sig=-Uidne-6-hjiAPHjRw-9FCmeKQculOB4naU&type=download' do
|
36
|
+
it "should have parsed" do
|
37
|
+
expect(status).to eq(:parsed)
|
38
|
+
end
|
39
|
+
it "should have parsed 1 event" do
|
40
|
+
expect(events.count).to eq(1)
|
41
|
+
end
|
42
|
+
describe 'event 0' do
|
43
|
+
subject { events[0] }
|
44
|
+
its(:type) { is_expected.to be(:malware_host) }
|
45
|
+
its(:urls) { is_expected.to eq(build(:urls, values: ['http://w719460.blob4.ge.tt/streams/2RLPNJy1/Hawlery.exe?sig=-Uidne-6-hjiAPHjRw-9FCmeKQculOB4naU&type=download'])) }
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
|
@@ -13,9 +13,6 @@ describe 'feeds/yourcmc_ssh-ip_reputation.feed', :feed do
|
|
13
13
|
it "should have filtered 11 records" do
|
14
14
|
expect(num_records_filtered).to eq(11)
|
15
15
|
end
|
16
|
-
it "should have missed 0 records" do
|
17
|
-
expect(num_records_missed).to eq(0)
|
18
|
-
end
|
19
16
|
end
|
20
17
|
|
21
18
|
describe_parsing_a_record '109.120.157.63' do
|
@@ -28,7 +25,7 @@ describe 'feeds/yourcmc_ssh-ip_reputation.feed', :feed do
|
|
28
25
|
describe 'event 0' do
|
29
26
|
subject { events[0] }
|
30
27
|
its(:type) { is_expected.to be(:scanning) }
|
31
|
-
its(:ipv4s) { is_expected.to
|
28
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['109.120.157.63'])) }
|
32
29
|
end
|
33
30
|
end
|
34
31
|
|
@@ -42,7 +39,7 @@ describe 'feeds/yourcmc_ssh-ip_reputation.feed', :feed do
|
|
42
39
|
describe 'event 0' do
|
43
40
|
subject { events[0] }
|
44
41
|
its(:type) { is_expected.to be(:scanning) }
|
45
|
-
its(:ipv4s) { is_expected.to
|
42
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['109.165.15.113'])) }
|
46
43
|
end
|
47
44
|
end
|
48
45
|
end
|
@@ -0,0 +1,47 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'feeds/yoyo_adservers-domain_reputation.feed', :feed do
|
4
|
+
let(:provider) { 'yoyo' }
|
5
|
+
let(:name) { 'adservers' }
|
6
|
+
|
7
|
+
it_fetches_url 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml'
|
8
|
+
|
9
|
+
describe_parsing_the_file feed_data('yoyo_adservers.txt') do
|
10
|
+
it "should have parsed 25 records" do
|
11
|
+
expect(num_records_parsed).to eq(25)
|
12
|
+
end
|
13
|
+
it "should have filtered 0 records" do
|
14
|
+
expect(num_records_filtered).to eq(0)
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
describe_parsing_a_record '4affiliate.net' do
|
19
|
+
it "should have parsed" do
|
20
|
+
expect(status).to eq(:parsed)
|
21
|
+
end
|
22
|
+
it "should have parsed 1 event" do
|
23
|
+
expect(events.count).to eq(1)
|
24
|
+
end
|
25
|
+
describe 'event 0' do
|
26
|
+
subject { events[0] }
|
27
|
+
its(:type) { is_expected.to be(:scanning) }
|
28
|
+
its(:fqdns) { is_expected.to match_array(['4affiliate.net']) }
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
describe_parsing_a_record '600z.com' do
|
33
|
+
it "should have parsed" do
|
34
|
+
expect(status).to eq(:parsed)
|
35
|
+
end
|
36
|
+
it "should have parsed 1 event" do
|
37
|
+
expect(events.count).to eq(1)
|
38
|
+
end
|
39
|
+
describe 'event 0' do
|
40
|
+
subject { events[0] }
|
41
|
+
its(:type) { is_expected.to be(:scanning) }
|
42
|
+
its(:fqdns) { is_expected.to match_array(['600z.com']) }
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
|
@@ -13,9 +13,6 @@ describe 'feeds/zeus-domain_reputation.feed', :feed do
|
|
13
13
|
it "should have filtered 6 records" do
|
14
14
|
expect(num_records_filtered).to eq(6)
|
15
15
|
end
|
16
|
-
it "should have missed 0 records" do
|
17
|
-
expect(num_records_missed).to eq(0)
|
18
|
-
end
|
19
16
|
end
|
20
17
|
|
21
18
|
describe_parsing_a_record 'aconfideeeeeracia200.com' do
|
@@ -13,9 +13,6 @@ describe 'feeds/zeus-ip_reputation.feed', :feed do
|
|
13
13
|
it "should have filtered 8 records" do
|
14
14
|
expect(num_records_filtered).to eq(6)
|
15
15
|
end
|
16
|
-
it "should have missed 0 records" do
|
17
|
-
expect(num_records_missed).to eq(0)
|
18
|
-
end
|
19
16
|
end
|
20
17
|
|
21
18
|
describe_parsing_a_record '109.229.210.250' do
|
@@ -28,7 +25,7 @@ describe 'feeds/zeus-ip_reputation.feed', :feed do
|
|
28
25
|
describe 'event 0' do
|
29
26
|
subject { events[0] }
|
30
27
|
its(:type) { is_expected.to be(:c2) }
|
31
|
-
its(:ipv4s) { is_expected.to
|
28
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['109.229.210.250'])) }
|
32
29
|
end
|
33
30
|
end
|
34
31
|
|
@@ -42,7 +39,7 @@ describe 'feeds/zeus-ip_reputation.feed', :feed do
|
|
42
39
|
describe 'event 0' do
|
43
40
|
subject { events[0] }
|
44
41
|
its(:type) { is_expected.to be(:c2) }
|
45
|
-
its(:ipv4s) { is_expected.to
|
42
|
+
its(:ipv4s) { is_expected.to eq(build(:ipv4s, values: ['141.105.67.94'])) }
|
46
43
|
end
|
47
44
|
end
|
48
45
|
end
|
data/spec/spec_helper.rb
CHANGED
@@ -1,4 +1,5 @@
|
|
1
1
|
require 'threatinator/event'
|
2
|
+
require 'threatinator/event_builder'
|
2
3
|
|
3
4
|
FactoryGirl.define do
|
4
5
|
factory :event, class: Threatinator::Event do
|
@@ -7,19 +8,22 @@ FactoryGirl.define do
|
|
7
8
|
type :scanning
|
8
9
|
ipv4s { [ ] }
|
9
10
|
fqdns { [ ] }
|
11
|
+
urls { [ ] }
|
10
12
|
|
11
13
|
initialize_with {
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
ret.type = type
|
14
|
+
builder = Threatinator::EventBuilder.new(feed_provider, feed_name)
|
15
|
+
builder.type = type
|
16
|
+
|
16
17
|
ipv4s.each do |ipv4|
|
17
|
-
|
18
|
+
builder.add_ipv4(ipv4)
|
18
19
|
end
|
19
20
|
fqdns.each do |fqdn|
|
20
|
-
|
21
|
+
builder.add_fqdn(fqdn)
|
22
|
+
end
|
23
|
+
urls.each do |url|
|
24
|
+
builder.add_url(url)
|
21
25
|
end
|
22
|
-
|
26
|
+
builder.build
|
23
27
|
}
|
24
28
|
end
|
25
29
|
end
|
@@ -8,12 +8,39 @@ FactoryGirl.define do
|
|
8
8
|
sequence(:provider) { |n| "provider_#{n}" }
|
9
9
|
sequence(:name) { |n| "name_#{n}" }
|
10
10
|
fetcher_builder { lambda { Threatinator::Fetcher.new({}) } }
|
11
|
+
fetcher { nil }
|
11
12
|
parser_builder { lambda { Threatinator::Parser.new({}) } }
|
13
|
+
parser { nil }
|
12
14
|
filter_builders { [] }
|
15
|
+
filters { [] }
|
13
16
|
decoder_builders { [] }
|
17
|
+
decoders { [] }
|
14
18
|
parser_block { lambda { |*args| } }
|
15
19
|
|
16
|
-
initialize_with {
|
20
|
+
initialize_with {
|
21
|
+
opts = attributes.to_hash
|
22
|
+
if fetcher = opts.delete(:fetcher)
|
23
|
+
opts[:fetcher_builder] = Proc.new { fetcher }
|
24
|
+
end
|
25
|
+
if decoders = opts.delete(:decoders)
|
26
|
+
decoders.each do |decoder|
|
27
|
+
opts[:decoder_builders] << Proc.new { decoder }
|
28
|
+
end
|
29
|
+
end
|
30
|
+
if filters = opts.delete(:filters)
|
31
|
+
filters.each do |filter|
|
32
|
+
if filter.kind_of?(::Proc)
|
33
|
+
filter = Threatinator::Filters::Block.new(filter)
|
34
|
+
end
|
35
|
+
fb = Proc.new { filter }
|
36
|
+
opts[:filter_builders] << fb
|
37
|
+
end
|
38
|
+
end
|
39
|
+
if parser = opts.delete(:parser)
|
40
|
+
opts[:parser_builder] = Proc.new { parser }
|
41
|
+
end
|
42
|
+
new(opts)
|
43
|
+
}
|
17
44
|
|
18
45
|
trait :http do
|
19
46
|
url { "https://foobar/#{provider}/#{name}.data" }
|
@@ -0,0 +1,36 @@
|
|
1
|
+
require 'threatinator/model/observables/ipv4'
|
2
|
+
require 'ip'
|
3
|
+
|
4
|
+
FactoryGirl.define do
|
5
|
+
factory :ipv4, class: Threatinator::Model::Observables::Ipv4 do
|
6
|
+
sequence(:ipv4) { |n| IP::V4.new(0xa000000 + n) } # Starts at 10.0.0.0
|
7
|
+
|
8
|
+
initialize_with do
|
9
|
+
opts = attributes.dup
|
10
|
+
if opts[:ipv4].is_a?(::String)
|
11
|
+
opts[:ipv4] = IP::V4.parse(opts[:ipv4])
|
12
|
+
end
|
13
|
+
new(opts)
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
factory :ipv4s, class: Threatinator::Model::Observables::Ipv4Collection do
|
18
|
+
values { [ ] }
|
19
|
+
|
20
|
+
initialize_with do
|
21
|
+
values = attributes[:values]
|
22
|
+
|
23
|
+
values.map! do |v|
|
24
|
+
if v.kind_of?(::String)
|
25
|
+
v = build(:ipv4, ipv4: v)
|
26
|
+
end
|
27
|
+
v
|
28
|
+
end
|
29
|
+
|
30
|
+
new(values)
|
31
|
+
end
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
|
36
|
+
|
@@ -0,0 +1,34 @@
|
|
1
|
+
require 'threatinator/model/observables/url_collection'
|
2
|
+
require 'addressable/uri'
|
3
|
+
require 'ip'
|
4
|
+
|
5
|
+
FactoryGirl.define do
|
6
|
+
factory :url, class: ::Addressable::URI do
|
7
|
+
url nil
|
8
|
+
|
9
|
+
initialize_with do
|
10
|
+
::Addressable::URI.parse(attributes[:url])
|
11
|
+
end
|
12
|
+
end
|
13
|
+
|
14
|
+
factory :urls, class: Threatinator::Model::Observables::UrlCollection do
|
15
|
+
values { [ ] }
|
16
|
+
|
17
|
+
initialize_with do
|
18
|
+
values = attributes[:values]
|
19
|
+
|
20
|
+
values.map! do |v|
|
21
|
+
if v.kind_of?(::String)
|
22
|
+
v = build(:url, url: v)
|
23
|
+
end
|
24
|
+
v
|
25
|
+
end
|
26
|
+
|
27
|
+
new(values)
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
|
33
|
+
|
34
|
+
|
@@ -0,0 +1,136 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
require 'threatinator/feed_runner'
|
3
|
+
|
4
|
+
shared_examples_for "a FeedRunner observer" do
|
5
|
+
describe "#update(:start)" do
|
6
|
+
after :each do
|
7
|
+
observer.update(:end)
|
8
|
+
end
|
9
|
+
it "does not raise any errors when handling a :start event" do
|
10
|
+
expect {
|
11
|
+
observer.update(:start)
|
12
|
+
}.not_to raise_error
|
13
|
+
end
|
14
|
+
end
|
15
|
+
|
16
|
+
describe "#update(:end)" do
|
17
|
+
before :each do
|
18
|
+
observer.update(:start)
|
19
|
+
end
|
20
|
+
|
21
|
+
it "does not raise any errors when handling an :end event" do
|
22
|
+
expect {
|
23
|
+
observer.update(:end)
|
24
|
+
}.not_to raise_error
|
25
|
+
end
|
26
|
+
end
|
27
|
+
|
28
|
+
context "once started" do
|
29
|
+
before :each do
|
30
|
+
observer.update(:start)
|
31
|
+
end
|
32
|
+
|
33
|
+
after :each do
|
34
|
+
observer.update(:end)
|
35
|
+
end
|
36
|
+
|
37
|
+
let(:record) { build(:record, line_number: 23, pos_start: 99, pos_end: 105, data: "foobar\r\n") }
|
38
|
+
|
39
|
+
describe "#update(:start_fetch)" do
|
40
|
+
it "does not raise any errors when handling an :start_fetch event" do
|
41
|
+
expect {
|
42
|
+
observer.update(:start_fetch)
|
43
|
+
}.not_to raise_error
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
describe "#update(:end_fetch)" do
|
48
|
+
it "does not raise any errors when handling an :end_fetch event" do
|
49
|
+
expect {
|
50
|
+
observer.update(:end_fetch)
|
51
|
+
}.not_to raise_error
|
52
|
+
end
|
53
|
+
end
|
54
|
+
|
55
|
+
describe "#update(:start_decode)" do
|
56
|
+
it "does not raise any errors when handling an :start_decode event" do
|
57
|
+
expect {
|
58
|
+
observer.update(:start_decode)
|
59
|
+
}.not_to raise_error
|
60
|
+
end
|
61
|
+
end
|
62
|
+
|
63
|
+
describe "#update(:end_decode)" do
|
64
|
+
it "does not raise any errors when handling an :end_decode event" do
|
65
|
+
expect {
|
66
|
+
observer.update(:end_decode)
|
67
|
+
}.not_to raise_error
|
68
|
+
end
|
69
|
+
end
|
70
|
+
|
71
|
+
describe "#update(:start_parse_record, record)" do
|
72
|
+
it "does not raise any errors when handling an :start_parse_record event" do
|
73
|
+
expect {
|
74
|
+
observer.update(:start_parse_record, record)
|
75
|
+
}.not_to raise_error
|
76
|
+
end
|
77
|
+
end
|
78
|
+
|
79
|
+
describe "#update(:end_parse_record, record)" do
|
80
|
+
it "does not raise any errors when handling an :end_parse_record event" do
|
81
|
+
expect {
|
82
|
+
observer.update(:end_parse_record, record)
|
83
|
+
}.not_to raise_error
|
84
|
+
end
|
85
|
+
end
|
86
|
+
|
87
|
+
describe "#update(:record_filtered, record)" do
|
88
|
+
it "does not raise any errors when handling a :record_filtered event" do
|
89
|
+
expect {
|
90
|
+
observer.update(:record_filtered, record)
|
91
|
+
}.not_to raise_error
|
92
|
+
end
|
93
|
+
end
|
94
|
+
|
95
|
+
describe "#update(:record_missed, record)" do
|
96
|
+
it "does not raise any errors when handling a :record_missed event" do
|
97
|
+
expect {
|
98
|
+
observer.update(:record_missed, record)
|
99
|
+
}.not_to raise_error
|
100
|
+
end
|
101
|
+
end
|
102
|
+
|
103
|
+
describe "#update(:record_parsed, record, events)" do
|
104
|
+
it "does not raise any errors when handling a :record_parsed event" do
|
105
|
+
expect {
|
106
|
+
observer.update(:record_missed, record, [build(:event)])
|
107
|
+
}.not_to raise_error
|
108
|
+
end
|
109
|
+
end
|
110
|
+
|
111
|
+
describe "#update(:record_error, record, array_of_errors)" do
|
112
|
+
it "does not raise any errors when handling a :record_error event" do
|
113
|
+
errors = [
|
114
|
+
Threatinator::Exceptions::EventBuildError.new("error 1"),
|
115
|
+
Threatinator::Exceptions::EventBuildError.new("error 2"),
|
116
|
+
Threatinator::Exceptions::EventBuildError.new("error 3")
|
117
|
+
]
|
118
|
+
expect {
|
119
|
+
observer.update(:record_missed, record, errors)
|
120
|
+
}.not_to raise_error
|
121
|
+
end
|
122
|
+
end
|
123
|
+
|
124
|
+
it "does not raise any errors when handling unknown messages" do
|
125
|
+
expect {
|
126
|
+
observer.update(:flibby_floo, record)
|
127
|
+
}.not_to raise_error
|
128
|
+
end
|
129
|
+
|
130
|
+
it "does not raise any errors when handling extra arguments" do
|
131
|
+
expect {
|
132
|
+
observer.update(:flibby_floo, record, 1, 2, 3, 4)
|
133
|
+
}.not_to raise_error
|
134
|
+
end
|
135
|
+
end
|
136
|
+
end
|