threatinator 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7b2a7120fd041938fb215c5ebc85d1e2d3d8bc71
-  data.tar.gz: a6cf7ee4eb833da92c650001aacce17dd2a1b4b4
+  metadata.gz: 56a9d3f712b2e236107652645a6f58797285d548
+  data.tar.gz: 1dafd78f233706c43a4752473bfe801389a915ed
 SHA512:
-  metadata.gz: 1557a2c0b6d59f2f1c03eeeccaef420ab1b920cdd4438d20e54c7be17530a6ee04d9ffc82b714780c9112b81a84812383922a25e05f8f72aa33b6bda39e10865
-  data.tar.gz: b153a90cfcafdfb2e3df1ba9d11b7bbb15ec255e43b96e0712268e063e631bd73e82a50e550c9f4560aa7282fc6b912f56eaa8eb9bc632ded8b0bf76cfbf2da1
+  metadata.gz: b6251abc3747242b36a4b51b53cd0da2f04977e0811b6f952b8d95ecbfa3f108dbfc7fc791153bc6557909e29c8147994e7f50888f0a356837207901d9e12a30
+  data.tar.gz: 61c5638eef5ccfdd9d554e9daa20ecbc004d76739633083f3a0c93766a7a5534c8ab11fb796443785d82e13f9687a7b11e546330c18a3e11af006d1fbe33c5af

data/CHANGELOG.md

@@ -2,15 +2,6 @@ Next
 ====
 
 * Your contribution here.
-
-0.1.1
-====
-
-* Remember to rev the changelog. [@justfalter](https://github.com/justfalter)
-
-0.1.0
-====
-
 * [#56](https://github.com/cikl/threatinator/pull/56): Gemify threatinator - [@justfalter](https://github.com/justfalter)
 * [#55](https://github.com/cikl/threatinator/pull/55): Rewrote configuration handling - [@justfalter](https://github.com/justfalter)
 * [#51](https://github.com/cikl/threatinator/pull/51): Clean up spec layout - [@justfalter](https://github.com/justfalter)

data/VERSION

@@ -1 +1 @@
-0.1.1
+0.1.0

data/feeds/ET_compromised-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "emergingthreats"
+name "compromised_ip_reputation"
+fetch_http('http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/alienvault-ip_reputation.feed

@@ -0,0 +1,37 @@
+provider "alienvault"
+name "ip_reputation"
+fetch_http('https://reputation.alienvault.com/reputation.generic')
+
+# Examples:
+#  108.59.1.5 # Scanning Host A1,,0.0,0.0
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # (?<type>(Scanning Host|C&C|Malicious Host|Malware Domain|Spamming|Malware IP|Malware distribution)) (?<cc>[A-Z]{2}|A1|A1|O1)?,(?<city>[^,]*),(?<lat>-?[0-9]+(\.[0-9]+)?),(?<lon>-?[0-9]+(\.[0-9]+)?)/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+      # This doesn't execute, yet.
+      ipv4_event.cc(m[:cc]) unless m[:cc].nil?
+      ipv4_event.city(m[:city]) unless m[:city].nil?
+      ipv4_latlon(m[:lat].to_f, m[:lon].to_f)
+    end
+
+    case m[:type]
+    when 'Scanning Host'
+      event.type = :scanning
+    when 'C&C'
+      event.type = :c2
+    when 'Malicious Host'
+      event.type = :attacker
+    when 'Malware Domain', 'Malware IP', 'Malware distribution'
+      event.type = :malware_host
+    when 'Spamming'
+     event.type = :spamming
+    end
+  end
+end

data/feeds/arbor_fastflux-domain_reputation.feed

@@ -0,0 +1,18 @@
+provider "arbor"
+name "fastflux_domain_reputation"
+fetch_http('http://atlas.arbor.net/summary/domainlist')
+
+feed_re = /^(?<domain>.*)/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/arbor_ssh-ip_reputation.feed

@@ -0,0 +1,23 @@
+provider "arbor"
+name "ssh_ip_reputation"
+fetch_http('http://atlas-public.ec2.arbor.net/public/ssh_attackers')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+filter do |record|
+  (record.data =~ /^other/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/autoshun_shunlist.feed

@@ -0,0 +1,15 @@
+provider "autoshun"
+name "shunlist"
+fetch_http('http://www.autoshun.org/files/shunlist.csv')
+
+filter do |record|
+  record.data[:ip].start_with?("Shunlist as of")
+end
+
+parse_csv(:headers => [:ip, :last_seen, :reason]) do |event_generator, record|
+  event_generator.call do |event|
+    event.type = :scanning
+    event.add_ipv4(record.data[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_apache-ip_reputation.feed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "apache_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/apache.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_bots-ip_reputation.feed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "bots_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/bots.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_ftp-ip_reputation.feed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "ftp_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/ftp.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_imap-ip_reputation.feed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "imap_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/imap.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_pop3-ip_reputation.feed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "pop3_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/pop3.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_proftpd-ip_reputation.feed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "proftpd_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/proftpd.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_sip-ip_reputation.feed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "sip_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/sip.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_ssh-ip_reputation.feed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "ssh_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/ssh.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/blocklist_de_strongips-ip_reputation.feed

@@ -0,0 +1,24 @@
+provider "blocklist_de"
+name "strongips_ip_reputation"
+fetch_http('http://www.blocklist.de/lists/strongips.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/ciarmy-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "ciarmy"
+name "ip_reputation"
+fetch_http('http://www.ciarmy.com/list/ci-badguys.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/cruzit-ip_reputation.feed

@@ -0,0 +1,29 @@
+provider "cruzit"
+name "ip_reputation"
+fetch_http('http://www.cruzit.com/xwbl2txt.php')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+
+# Filter out first line
+filter do |record|
+  (record.data =~ /^ipaddress$/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/dan_me_uk_torlist-ip_reputation.feed

@@ -0,0 +1,24 @@
+provider "dan_me_uk"
+name "torlist_ip_reputation"
+fetch_http('https://www.dan.me.uk/torlist/')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out IPv6 addresses
+filter do |record|
+  (record.data =~ /\:/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/dshield_attackers-top1000.feed

@@ -0,0 +1,34 @@
+provider "dshield"
+name "attackers-top1000"
+fetch_http('https://isc.sans.edu/api/sources/attacks/1000/')
+
+parse_xml("/sources/data") do |event_generator, record|
+  node = record.node
+  ip_node = node[:ip].first
+  next if ip_node.nil?
+
+  ip = ip_node.text
+  next if ip.empty?
+
+  # Dshield's api produces zero-padded octets. We've gotta strip those down.
+  # The following regex will remove any zero-padding.
+  ip.gsub!(/(?<=\A|\.)0+(?=\d+(\.|\Z))/, '')
+
+  attack_node = node[:attacks].first
+  count_node = node[:count].first
+  first_seen_node = node[:first_seen].first
+  last_seen_node = node[:last_seen].first
+
+  event_generator.call() do |event|
+    event.type = :attacker
+    event.add_ipv4(ip) do |ipv4_event|
+    end
+
+    ## TODO
+    # event.first_seen = first_seen_node.text unless first_seen_node.nil?
+    # event.last_seen = last_seen_node.text unless last_seen_node.nil?
+    # attack_count = attack_node.text.to_i unless attack_node.nil?
+    # count = count_node.text.to_i unless count_node.nil?
+  end
+end
+

data/feeds/feodo-domain_reputation.feed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "feodo_domain_reputation"
+fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=domainblocklist')
+
+feed_re = /^(?<domain>.*)/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/feodo-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "feodo_ip_reputation"
+fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=ipblocklist')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/infiltrated-ip_reputation.feed

@@ -0,0 +1,25 @@
+provider "infiltrated"
+name "ip_reputation"
+fetch_http('http://www.infiltrated.net/blacklisted')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out missing last octet
+# Example: '78.29.9.\n'
+filter do |record|
+  (record.data =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\n/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/malc0de-domain_reputation.feed

@@ -0,0 +1,23 @@
+provider "malc0de"
+name "domain_reputation"
+fetch_http('http://malc0de.com/bl/BOOT')
+
+feed_re = /^PRIMARY (?<domain>[a-z,0-9,A-Z,\-,\.]*)/
+
+filter_whitespace
+filter_comments
+
+# Filter out //comments
+filter do |record|
+  (record.data =~ /^\/\//)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :malware_host
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/malc0de-ip_reputation.feed

@@ -0,0 +1,24 @@
+provider "malc0de"
+name "ip_reputation"
+fetch_http('http://malc0de.com/bl/IP_Blacklist.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+# Filter out //comments
+filter do |record|
+  (record.data =~ /^\/\//)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :malware_host
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/mirc-domain_reputation.feed

@@ -0,0 +1,28 @@
+provider "mirc"
+name "domain_reputation"
+fetch_http('http://www.mirc.com/servers.ini')
+
+feed_re = /^n[0-9]+=(?<desc1>[^:]+)SERVER:(?<domain>[^:]+):(?<portlist>[^:]+):?GROUP:(?<group>.*)$/
+
+filter_whitespace
+filter_comments
+
+# Filter out //comments
+filter do |record|
+  !(record.data =~ /\:/)
+  end
+  
+# Filter out //comments
+filter do |record|
+  (record.data =~ /^\;/)
+  end
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/nothink_irc-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "nothink"
+name "irc_ip_reputation"
+fetch_http('http://www.nothink.org/blacklist/blacklist_malware_irc.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/nothink_ssh-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "nothink"
+name "ssh_ip_reputation"
+fetch_http('http://www.nothink.org/blacklist/blacklist_ssh_day.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/openbl-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "openbl"
+name "ip_reputation"
+fetch_http('http://www.openbl.org/lists/base.txt')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/palevo-domain_reputation.feed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "palevo_domain_reputation"
+fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=domainblocklist')
+
+feed_re = /^(?<domain>.*)/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/palevo-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "palevo_ip_reputation"
+fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/phishtank.feed

@@ -0,0 +1,21 @@
+provider "phishtank"
+name "phishtank"
+
+fetch_http('http://data.phishtank.com/data/online-valid.json.gz')
+
+extract_gzip
+parse_json() do |event_generator, record|
+  event_generator.call do |event|
+    # TODO: parse URL
+    # TODO: parse dates
+    
+    event.type = :phishing
+    record.data["details"].each do |detail|
+      if ip = detail["ip_address"]
+        event.add_ipv4(ip) do |ipv4_event|
+        end
+      end
+    end
+  end
+end
+

data/feeds/spyeye-domain_reputation.feed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "spyeye_domain_reputation"
+fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist')
+
+feed_re = /^(?<domain>.*)/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/spyeye-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "spyeye_ip_reputation"
+fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/t-arend-de_ssh-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "t-arend-de"
+name "ssh_ip_reputation"
+fetch_http('http://www.t-arend.de/linux/badguys.txt')
+
+feed_re = /^sshd\: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/the_haleys_ssh-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "the_haleys"
+name "ssh_ip_reputation"
+fetch_http('http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt')
+
+feed_re = /^ALL \: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/yourcmc_ssh-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "yourcmc"
+name "ssh-ip_reputation"
+fetch_http('http://vmx.yourcmc.ru/BAD_HOSTS.IP4')
+
+feed_re = /^(?<ip>.*)/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :scanning
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

data/feeds/zeus-domain_reputation.feed

@@ -0,0 +1,18 @@
+provider "abuse_ch"
+name "zeus_domain_reputation"
+fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist')
+
+feed_re = /^(?<domain>.*)/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_fqdn(m[:domain])
+  end
+end

data/feeds/zeus-ip_reputation.feed

@@ -0,0 +1,19 @@
+provider "abuse_ch"
+name "zeus_ip_reputation"
+fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist')
+
+feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
+
+filter_whitespace
+filter_comments
+
+parse_eachline(:separator => "\n") do |event_generator, record|
+  m = feed_re.match(record.data)
+  next if m.nil?
+
+  event_generator.call() do |event|
+    event.type = :c2
+    event.add_ipv4(m[:ip]) do |ipv4_event|
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: threatinator
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Mike Ryan
@@ -140,6 +140,43 @@ files:
 - Rakefile
 - VERSION
 - bin/threatinator
+- feeds/ET_compromised-ip_reputation.feed
+- feeds/alienvault-ip_reputation.feed
+- feeds/arbor_fastflux-domain_reputation.feed
+- feeds/arbor_ssh-ip_reputation.feed
+- feeds/autoshun_shunlist.feed
+- feeds/blocklist_de_apache-ip_reputation.feed
+- feeds/blocklist_de_bots-ip_reputation.feed
+- feeds/blocklist_de_ftp-ip_reputation.feed
+- feeds/blocklist_de_imap-ip_reputation.feed
+- feeds/blocklist_de_pop3-ip_reputation.feed
+- feeds/blocklist_de_proftpd-ip_reputation.feed
+- feeds/blocklist_de_sip-ip_reputation.feed
+- feeds/blocklist_de_ssh-ip_reputation.feed
+- feeds/blocklist_de_strongips-ip_reputation.feed
+- feeds/ciarmy-ip_reputation.feed
+- feeds/cruzit-ip_reputation.feed
+- feeds/dan_me_uk_torlist-ip_reputation.feed
+- feeds/dshield_attackers-top1000.feed
+- feeds/feodo-domain_reputation.feed
+- feeds/feodo-ip_reputation.feed
+- feeds/infiltrated-ip_reputation.feed
+- feeds/malc0de-domain_reputation.feed
+- feeds/malc0de-ip_reputation.feed
+- feeds/mirc-domain_reputation.feed
+- feeds/nothink_irc-ip_reputation.feed
+- feeds/nothink_ssh-ip_reputation.feed
+- feeds/openbl-ip_reputation.feed
+- feeds/palevo-domain_reputation.feed
+- feeds/palevo-ip_reputation.feed
+- feeds/phishtank.feed
+- feeds/spyeye-domain_reputation.feed
+- feeds/spyeye-ip_reputation.feed
+- feeds/t-arend-de_ssh-ip_reputation.feed
+- feeds/the_haleys_ssh-ip_reputation.feed
+- feeds/yourcmc_ssh-ip_reputation.feed
+- feeds/zeus-domain_reputation.feed
+- feeds/zeus-ip_reputation.feed
 - lib/threatinator.rb
 - lib/threatinator/action.rb
 - lib/threatinator/actions/list.rb