threatinator 0.1.2 → 0.1.3
- checksums.yaml +4 -4
- metadata +3 -40
- data/feeds/ET_compromised-ip_reputation.feed +0 -19
- data/feeds/alienvault-ip_reputation.feed +0 -37
- data/feeds/arbor_fastflux-domain_reputation.feed +0 -18
- data/feeds/arbor_ssh-ip_reputation.feed +0 -23
- data/feeds/autoshun_shunlist.feed +0 -15
- data/feeds/blocklist_de_apache-ip_reputation.feed +0 -24
- data/feeds/blocklist_de_bots-ip_reputation.feed +0 -24
- data/feeds/blocklist_de_ftp-ip_reputation.feed +0 -24
- data/feeds/blocklist_de_imap-ip_reputation.feed +0 -24
- data/feeds/blocklist_de_pop3-ip_reputation.feed +0 -24
- data/feeds/blocklist_de_proftpd-ip_reputation.feed +0 -24
- data/feeds/blocklist_de_sip-ip_reputation.feed +0 -24
- data/feeds/blocklist_de_ssh-ip_reputation.feed +0 -24
- data/feeds/blocklist_de_strongips-ip_reputation.feed +0 -24
- data/feeds/ciarmy-ip_reputation.feed +0 -19
- data/feeds/cruzit-ip_reputation.feed +0 -29
- data/feeds/dan_me_uk_torlist-ip_reputation.feed +0 -24
- data/feeds/dshield_attackers-top1000.feed +0 -34
- data/feeds/feodo-domain_reputation.feed +0 -18
- data/feeds/feodo-ip_reputation.feed +0 -19
- data/feeds/infiltrated-ip_reputation.feed +0 -25
- data/feeds/malc0de-domain_reputation.feed +0 -23
- data/feeds/malc0de-ip_reputation.feed +0 -24
- data/feeds/mirc-domain_reputation.feed +0 -28
- data/feeds/nothink_irc-ip_reputation.feed +0 -19
- data/feeds/nothink_ssh-ip_reputation.feed +0 -19
- data/feeds/openbl-ip_reputation.feed +0 -19
- data/feeds/palevo-domain_reputation.feed +0 -18
- data/feeds/palevo-ip_reputation.feed +0 -19
- data/feeds/phishtank.feed +0 -21
- data/feeds/spyeye-domain_reputation.feed +0 -18
- data/feeds/spyeye-ip_reputation.feed +0 -19
- data/feeds/t-arend-de_ssh-ip_reputation.feed +0 -19
- data/feeds/the_haleys_ssh-ip_reputation.feed +0 -19
- data/feeds/yourcmc_ssh-ip_reputation.feed +0 -19
- data/feeds/zeus-domain_reputation.feed +0 -18
- data/feeds/zeus-ip_reputation.feed +0 -19
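--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dabcfc73e09b0ab033941562c2bd8e4bb3092448
+data.tar.gz: 583b8a979638ffd036ab63f792a1d484caad5606
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d3841667c9d687a96eddc0f6d929ae5257d78141bc06d266b9133ff2ed32a925d1b7576b3a77dcc51dbdcb1003f891e56079453a65debcb86dd59b877df5465d
+data.tar.gz: d80e6b20c05f3bea495902251f6627f1aa6d1c6c61218167b3c65d30e8de4ddd359ca94804aaa5c0a42095b5c82e3cee328e63153f25799f834d8ec0cb791346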
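--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: threatinator
 version: !ruby/object:Gem::Version
-version: 0.1.
+version: 0.1.3
 platform: ruby
 authors:
 - Mike Ryan
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-
+date: 2014-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: typhoeus
@@ -140,43 +140,6 @@ files:
 - Rakefile
 - VERSION
 - bin/threatinator
-- feeds/ET_compromised-ip_reputation.feed
-- feeds/alienvault-ip_reputation.feed
-- feeds/arbor_fastflux-domain_reputation.feed
-- feeds/arbor_ssh-ip_reputation.feed
-- feeds/autoshun_shunlist.feed
-- feeds/blocklist_de_apache-ip_reputation.feed
-- feeds/blocklist_de_bots-ip_reputation.feed
-- feeds/blocklist_de_ftp-ip_reputation.feed
-- feeds/blocklist_de_imap-ip_reputation.feed
-- feeds/blocklist_de_pop3-ip_reputation.feed
-- feeds/blocklist_de_proftpd-ip_reputation.feed
-- feeds/blocklist_de_sip-ip_reputation.feed
-- feeds/blocklist_de_ssh-ip_reputation.feed
-- feeds/blocklist_de_strongips-ip_reputation.feed
-- feeds/ciarmy-ip_reputation.feed
-- feeds/cruzit-ip_reputation.feed
-- feeds/dan_me_uk_torlist-ip_reputation.feed
-- feeds/dshield_attackers-top1000.feed
-- feeds/feodo-domain_reputation.feed
-- feeds/feodo-ip_reputation.feed
-- feeds/infiltrated-ip_reputation.feed
-- feeds/malc0de-domain_reputation.feed
-- feeds/malc0de-ip_reputation.feed
-- feeds/mirc-domain_reputation.feed
-- feeds/nothink_irc-ip_reputation.feed
-- feeds/nothink_ssh-ip_reputation.feed
-- feeds/openbl-ip_reputation.feed
-- feeds/palevo-domain_reputation.feed
-- feeds/palevo-ip_reputation.feed
-- feeds/phishtank.feed
-- feeds/spyeye-domain_reputation.feed
-- feeds/spyeye-ip_reputation.feed
-- feeds/t-arend-de_ssh-ip_reputation.feed
-- feeds/the_haleys_ssh-ip_reputation.feed
-- feeds/yourcmc_ssh-ip_reputation.feed
-- feeds/zeus-domain_reputation.feed
-- feeds/zeus-ip_reputation.feed
 - lib/threatinator.rb
 - lib/threatinator/action.rb
 - lib/threatinator/actions/list.rb
@@ -406,7 +369,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.
+rubygems_version: 2.2.0
 signing_key:
 specification_version: 4
 summary: Threatinator is a library and tool for parsing threat data feeds.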
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "emergingthreats"
|
2
|
-
name "compromised_ip_reputation"
|
3
|
-
fetch_http('http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :scanning
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
@@ -1,37 +0,0 @@
|
|
1
|
-
provider "alienvault"
|
2
|
-
name "ip_reputation"
|
3
|
-
fetch_http('https://reputation.alienvault.com/reputation.generic')
|
4
|
-
|
5
|
-
# Examples:
|
6
|
-
# 108.59.1.5 # Scanning Host A1,,0.0,0.0
|
7
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # (?<type>(Scanning Host|C&C|Malicious Host|Malware Domain|Spamming|Malware IP|Malware distribution)) (?<cc>[A-Z]{2}|A1|A1|O1)?,(?<city>[^,]*),(?<lat>-?[0-9]+(\.[0-9]+)?),(?<lon>-?[0-9]+(\.[0-9]+)?)/
|
8
|
-
|
9
|
-
filter_whitespace
|
10
|
-
filter_comments
|
11
|
-
|
12
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
13
|
-
m = feed_re.match(record.data)
|
14
|
-
next if m.nil?
|
15
|
-
|
16
|
-
event_generator.call() do |event|
|
17
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
18
|
-
# This doesn't execute, yet.
|
19
|
-
ipv4_event.cc(m[:cc]) unless m[:cc].nil?
|
20
|
-
ipv4_event.city(m[:city]) unless m[:city].nil?
|
21
|
-
ipv4_latlon(m[:lat].to_f, m[:lon].to_f)
|
22
|
-
end
|
23
|
-
|
24
|
-
case m[:type]
|
25
|
-
when 'Scanning Host'
|
26
|
-
event.type = :scanning
|
27
|
-
when 'C&C'
|
28
|
-
event.type = :c2
|
29
|
-
when 'Malicious Host'
|
30
|
-
event.type = :attacker
|
31
|
-
when 'Malware Domain', 'Malware IP', 'Malware distribution'
|
32
|
-
event.type = :malware_host
|
33
|
-
when 'Spamming'
|
34
|
-
event.type = :spamming
|
35
|
-
end
|
36
|
-
end
|
37
|
-
end
|
@@ -1,18 +0,0 @@
|
|
1
|
-
provider "arbor"
|
2
|
-
name "fastflux_domain_reputation"
|
3
|
-
fetch_http('http://atlas.arbor.net/summary/domainlist')
|
4
|
-
|
5
|
-
feed_re = /^(?<domain>.*)/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :c2
|
16
|
-
event.add_fqdn(m[:domain])
|
17
|
-
end
|
18
|
-
end
|
@@ -1,23 +0,0 @@
|
|
1
|
-
provider "arbor"
|
2
|
-
name "ssh_ip_reputation"
|
3
|
-
fetch_http('http://atlas-public.ec2.arbor.net/public/ssh_attackers')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
filter do |record|
|
11
|
-
(record.data =~ /^other/)
|
12
|
-
end
|
13
|
-
|
14
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
15
|
-
m = feed_re.match(record.data)
|
16
|
-
next if m.nil?
|
17
|
-
|
18
|
-
event_generator.call() do |event|
|
19
|
-
event.type = :scanning
|
20
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
21
|
-
end
|
22
|
-
end
|
23
|
-
end
|
@@ -1,15 +0,0 @@
|
|
1
|
-
provider "autoshun"
|
2
|
-
name "shunlist"
|
3
|
-
fetch_http('http://www.autoshun.org/files/shunlist.csv')
|
4
|
-
|
5
|
-
filter do |record|
|
6
|
-
record.data[:ip].start_with?("Shunlist as of")
|
7
|
-
end
|
8
|
-
|
9
|
-
parse_csv(:headers => [:ip, :last_seen, :reason]) do |event_generator, record|
|
10
|
-
event_generator.call do |event|
|
11
|
-
event.type = :scanning
|
12
|
-
event.add_ipv4(record.data[:ip]) do |ipv4_event|
|
13
|
-
end
|
14
|
-
end
|
15
|
-
end
|
@@ -1,24 +0,0 @@
|
|
1
|
-
provider "blocklist_de"
|
2
|
-
name "apache_ip_reputation"
|
3
|
-
fetch_http('http://www.blocklist.de/lists/apache.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out IPv6 addresses
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :scanning
|
21
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,24 +0,0 @@
|
|
1
|
-
provider "blocklist_de"
|
2
|
-
name "bots_ip_reputation"
|
3
|
-
fetch_http('http://www.blocklist.de/lists/bots.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out IPv6 addresses
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :scanning
|
21
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,24 +0,0 @@
|
|
1
|
-
provider "blocklist_de"
|
2
|
-
name "ftp_ip_reputation"
|
3
|
-
fetch_http('http://www.blocklist.de/lists/ftp.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out IPv6 addresses
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :scanning
|
21
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,24 +0,0 @@
|
|
1
|
-
provider "blocklist_de"
|
2
|
-
name "imap_ip_reputation"
|
3
|
-
fetch_http('http://www.blocklist.de/lists/imap.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out IPv6 addresses
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :scanning
|
21
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,24 +0,0 @@
|
|
1
|
-
provider "blocklist_de"
|
2
|
-
name "pop3_ip_reputation"
|
3
|
-
fetch_http('http://www.blocklist.de/lists/pop3.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out IPv6 addresses
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :scanning
|
21
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,24 +0,0 @@
|
|
1
|
-
provider "blocklist_de"
|
2
|
-
name "proftpd_ip_reputation"
|
3
|
-
fetch_http('http://www.blocklist.de/lists/proftpd.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out IPv6 addresses
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :scanning
|
21
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,24 +0,0 @@
|
|
1
|
-
provider "blocklist_de"
|
2
|
-
name "sip_ip_reputation"
|
3
|
-
fetch_http('http://www.blocklist.de/lists/sip.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out IPv6 addresses
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :scanning
|
21
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,24 +0,0 @@
|
|
1
|
-
provider "blocklist_de"
|
2
|
-
name "ssh_ip_reputation"
|
3
|
-
fetch_http('http://www.blocklist.de/lists/ssh.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out IPv6 addresses
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :scanning
|
21
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,24 +0,0 @@
|
|
1
|
-
provider "blocklist_de"
|
2
|
-
name "strongips_ip_reputation"
|
3
|
-
fetch_http('http://www.blocklist.de/lists/strongips.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out IPv6 addresses
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :scanning
|
21
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "ciarmy"
|
2
|
-
name "ip_reputation"
|
3
|
-
fetch_http('http://www.ciarmy.com/list/ci-badguys.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :scanning
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
@@ -1,29 +0,0 @@
|
|
1
|
-
provider "cruzit"
|
2
|
-
name "ip_reputation"
|
3
|
-
fetch_http('http://www.cruzit.com/xwbl2txt.php')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out IPv6 addresses
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
# Filter out first line
|
16
|
-
filter do |record|
|
17
|
-
(record.data =~ /^ipaddress$/)
|
18
|
-
end
|
19
|
-
|
20
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
21
|
-
m = feed_re.match(record.data)
|
22
|
-
next if m.nil?
|
23
|
-
|
24
|
-
event_generator.call() do |event|
|
25
|
-
event.type = :scanning
|
26
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|
@@ -1,24 +0,0 @@
|
|
1
|
-
provider "dan_me_uk"
|
2
|
-
name "torlist_ip_reputation"
|
3
|
-
fetch_http('https://www.dan.me.uk/torlist/')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out IPv6 addresses
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :scanning
|
21
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,34 +0,0 @@
|
|
1
|
-
provider "dshield"
|
2
|
-
name "attackers-top1000"
|
3
|
-
fetch_http('https://isc.sans.edu/api/sources/attacks/1000/')
|
4
|
-
|
5
|
-
parse_xml("/sources/data") do |event_generator, record|
|
6
|
-
node = record.node
|
7
|
-
ip_node = node[:ip].first
|
8
|
-
next if ip_node.nil?
|
9
|
-
|
10
|
-
ip = ip_node.text
|
11
|
-
next if ip.empty?
|
12
|
-
|
13
|
-
# Dshield's api produces zero-padded octets. We've gotta strip those down.
|
14
|
-
# The following regex will remove any zero-padding.
|
15
|
-
ip.gsub!(/(?<=\A|\.)0+(?=\d+(\.|\Z))/, '')
|
16
|
-
|
17
|
-
attack_node = node[:attacks].first
|
18
|
-
count_node = node[:count].first
|
19
|
-
first_seen_node = node[:first_seen].first
|
20
|
-
last_seen_node = node[:last_seen].first
|
21
|
-
|
22
|
-
event_generator.call() do |event|
|
23
|
-
event.type = :attacker
|
24
|
-
event.add_ipv4(ip) do |ipv4_event|
|
25
|
-
end
|
26
|
-
|
27
|
-
## TODO
|
28
|
-
# event.first_seen = first_seen_node.text unless first_seen_node.nil?
|
29
|
-
# event.last_seen = last_seen_node.text unless last_seen_node.nil?
|
30
|
-
# attack_count = attack_node.text.to_i unless attack_node.nil?
|
31
|
-
# count = count_node.text.to_i unless count_node.nil?
|
32
|
-
end
|
33
|
-
end
|
34
|
-
|
@@ -1,18 +0,0 @@
|
|
1
|
-
provider "abuse_ch"
|
2
|
-
name "feodo_domain_reputation"
|
3
|
-
fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=domainblocklist')
|
4
|
-
|
5
|
-
feed_re = /^(?<domain>.*)/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :c2
|
16
|
-
event.add_fqdn(m[:domain])
|
17
|
-
end
|
18
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "abuse_ch"
|
2
|
-
name "feodo_ip_reputation"
|
3
|
-
fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=ipblocklist')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :c2
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
@@ -1,25 +0,0 @@
|
|
1
|
-
provider "infiltrated"
|
2
|
-
name "ip_reputation"
|
3
|
-
fetch_http('http://www.infiltrated.net/blacklisted')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out missing last octet
|
11
|
-
# Example: '78.29.9.\n'
|
12
|
-
filter do |record|
|
13
|
-
(record.data =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\n/)
|
14
|
-
end
|
15
|
-
|
16
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
17
|
-
m = feed_re.match(record.data)
|
18
|
-
next if m.nil?
|
19
|
-
|
20
|
-
event_generator.call() do |event|
|
21
|
-
event.type = :scanning
|
22
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
23
|
-
end
|
24
|
-
end
|
25
|
-
end
|
@@ -1,23 +0,0 @@
|
|
1
|
-
provider "malc0de"
|
2
|
-
name "domain_reputation"
|
3
|
-
fetch_http('http://malc0de.com/bl/BOOT')
|
4
|
-
|
5
|
-
feed_re = /^PRIMARY (?<domain>[a-z,0-9,A-Z,\-,\.]*)/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out //comments
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /^\/\//)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :malware_host
|
21
|
-
event.add_fqdn(m[:domain])
|
22
|
-
end
|
23
|
-
end
|
@@ -1,24 +0,0 @@
|
|
1
|
-
provider "malc0de"
|
2
|
-
name "ip_reputation"
|
3
|
-
fetch_http('http://malc0de.com/bl/IP_Blacklist.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out //comments
|
11
|
-
filter do |record|
|
12
|
-
(record.data =~ /^\/\//)
|
13
|
-
end
|
14
|
-
|
15
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
-
m = feed_re.match(record.data)
|
17
|
-
next if m.nil?
|
18
|
-
|
19
|
-
event_generator.call() do |event|
|
20
|
-
event.type = :malware_host
|
21
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,28 +0,0 @@
|
|
1
|
-
provider "mirc"
|
2
|
-
name "domain_reputation"
|
3
|
-
fetch_http('http://www.mirc.com/servers.ini')
|
4
|
-
|
5
|
-
feed_re = /^n[0-9]+=(?<desc1>[^:]+)SERVER:(?<domain>[^:]+):(?<portlist>[^:]+):?GROUP:(?<group>.*)$/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
# Filter out //comments
|
11
|
-
filter do |record|
|
12
|
-
!(record.data =~ /\:/)
|
13
|
-
end
|
14
|
-
|
15
|
-
# Filter out //comments
|
16
|
-
filter do |record|
|
17
|
-
(record.data =~ /^\;/)
|
18
|
-
end
|
19
|
-
|
20
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
21
|
-
m = feed_re.match(record.data)
|
22
|
-
next if m.nil?
|
23
|
-
|
24
|
-
event_generator.call() do |event|
|
25
|
-
event.type = :c2
|
26
|
-
event.add_fqdn(m[:domain])
|
27
|
-
end
|
28
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "nothink"
|
2
|
-
name "irc_ip_reputation"
|
3
|
-
fetch_http('http://www.nothink.org/blacklist/blacklist_malware_irc.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :c2
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "nothink"
|
2
|
-
name "ssh_ip_reputation"
|
3
|
-
fetch_http('http://www.nothink.org/blacklist/blacklist_ssh_day.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :scanning
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "openbl"
|
2
|
-
name "ip_reputation"
|
3
|
-
fetch_http('http://www.openbl.org/lists/base.txt')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :scanning
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
@@ -1,18 +0,0 @@
|
|
1
|
-
provider "abuse_ch"
|
2
|
-
name "palevo_domain_reputation"
|
3
|
-
fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=domainblocklist')
|
4
|
-
|
5
|
-
feed_re = /^(?<domain>.*)/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :c2
|
16
|
-
event.add_fqdn(m[:domain])
|
17
|
-
end
|
18
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "abuse_ch"
|
2
|
-
name "palevo_ip_reputation"
|
3
|
-
fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :c2
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
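--- a/data/feeds/phishtank.feed
+++ b/data/feeds/phishtank.feed
@@ -1,21 +0,0 @@
-provider "phishtank"
-name "phishtank"
-
-fetch_http('http://data.phishtank.com/data/online-valid.json.gz')
-
-extract_gzip
-parse_json() do |event_generator, record|
-event_generator.call do |event|
-# TODO: parse URL
-# TODO: parse dates
-
-event.type = :phishing
-record.data["details"].each do |detail|
-if ip = detail["ip_address"]
-event.add_ipv4(ip) do |ipv4_event|
-end
-end
-end
-end
-end
-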
@@ -1,18 +0,0 @@
|
|
1
|
-
provider "abuse_ch"
|
2
|
-
name "spyeye_domain_reputation"
|
3
|
-
fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist')
|
4
|
-
|
5
|
-
feed_re = /^(?<domain>.*)/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :c2
|
16
|
-
event.add_fqdn(m[:domain])
|
17
|
-
end
|
18
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "abuse_ch"
|
2
|
-
name "spyeye_ip_reputation"
|
3
|
-
fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :c2
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "t-arend-de"
|
2
|
-
name "ssh_ip_reputation"
|
3
|
-
fetch_http('http://www.t-arend.de/linux/badguys.txt')
|
4
|
-
|
5
|
-
feed_re = /^sshd\: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :c2
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "the_haleys"
|
2
|
-
name "ssh_ip_reputation"
|
3
|
-
fetch_http('http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt')
|
4
|
-
|
5
|
-
feed_re = /^ALL \: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :scanning
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "yourcmc"
|
2
|
-
name "ssh-ip_reputation"
|
3
|
-
fetch_http('http://vmx.yourcmc.ru/BAD_HOSTS.IP4')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>.*)/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :scanning
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
@@ -1,18 +0,0 @@
|
|
1
|
-
provider "abuse_ch"
|
2
|
-
name "zeus_domain_reputation"
|
3
|
-
fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist')
|
4
|
-
|
5
|
-
feed_re = /^(?<domain>.*)/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :c2
|
16
|
-
event.add_fqdn(m[:domain])
|
17
|
-
end
|
18
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
provider "abuse_ch"
|
2
|
-
name "zeus_ip_reputation"
|
3
|
-
fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist')
|
4
|
-
|
5
|
-
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
-
|
7
|
-
filter_whitespace
|
8
|
-
filter_comments
|
9
|
-
|
10
|
-
parse_eachline(:separator => "\n") do |event_generator, record|
|
11
|
-
m = feed_re.match(record.data)
|
12
|
-
next if m.nil?
|
13
|
-
|
14
|
-
event_generator.call() do |event|
|
15
|
-
event.type = :c2
|
16
|
-
event.add_ipv4(m[:ip]) do |ipv4_event|
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|