RubyGems - threatinator - Versions diffs - 0.1.2 → 0.1.3 - Mend

threatinator 0.1.2 → 0.1.3

Files changed (39) hide show

checksums.yaml +4 -4
metadata +3 -40
data/feeds/ET_compromised-ip_reputation.feed +0 -19
data/feeds/alienvault-ip_reputation.feed +0 -37
data/feeds/arbor_fastflux-domain_reputation.feed +0 -18
data/feeds/arbor_ssh-ip_reputation.feed +0 -23
data/feeds/autoshun_shunlist.feed +0 -15
data/feeds/blocklist_de_apache-ip_reputation.feed +0 -24
data/feeds/blocklist_de_bots-ip_reputation.feed +0 -24
data/feeds/blocklist_de_ftp-ip_reputation.feed +0 -24
data/feeds/blocklist_de_imap-ip_reputation.feed +0 -24
data/feeds/blocklist_de_pop3-ip_reputation.feed +0 -24
data/feeds/blocklist_de_proftpd-ip_reputation.feed +0 -24
data/feeds/blocklist_de_sip-ip_reputation.feed +0 -24
data/feeds/blocklist_de_ssh-ip_reputation.feed +0 -24
data/feeds/blocklist_de_strongips-ip_reputation.feed +0 -24
data/feeds/ciarmy-ip_reputation.feed +0 -19
data/feeds/cruzit-ip_reputation.feed +0 -29
data/feeds/dan_me_uk_torlist-ip_reputation.feed +0 -24
data/feeds/dshield_attackers-top1000.feed +0 -34
data/feeds/feodo-domain_reputation.feed +0 -18
data/feeds/feodo-ip_reputation.feed +0 -19
data/feeds/infiltrated-ip_reputation.feed +0 -25
data/feeds/malc0de-domain_reputation.feed +0 -23
data/feeds/malc0de-ip_reputation.feed +0 -24
data/feeds/mirc-domain_reputation.feed +0 -28
data/feeds/nothink_irc-ip_reputation.feed +0 -19
data/feeds/nothink_ssh-ip_reputation.feed +0 -19
data/feeds/openbl-ip_reputation.feed +0 -19
data/feeds/palevo-domain_reputation.feed +0 -18
data/feeds/palevo-ip_reputation.feed +0 -19
data/feeds/phishtank.feed +0 -21
data/feeds/spyeye-domain_reputation.feed +0 -18
data/feeds/spyeye-ip_reputation.feed +0 -19
data/feeds/t-arend-de_ssh-ip_reputation.feed +0 -19
data/feeds/the_haleys_ssh-ip_reputation.feed +0 -19
data/feeds/yourcmc_ssh-ip_reputation.feed +0 -19
data/feeds/zeus-domain_reputation.feed +0 -18
data/feeds/zeus-ip_reputation.feed +0 -19

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 56a9d3f712b2e236107652645a6f58797285d548
-  data.tar.gz: 1dafd78f233706c43a4752473bfe801389a915ed
+  metadata.gz: dabcfc73e09b0ab033941562c2bd8e4bb3092448
+  data.tar.gz: 583b8a979638ffd036ab63f792a1d484caad5606
 SHA512:
-  metadata.gz: b6251abc3747242b36a4b51b53cd0da2f04977e0811b6f952b8d95ecbfa3f108dbfc7fc791153bc6557909e29c8147994e7f50888f0a356837207901d9e12a30
-  data.tar.gz: 61c5638eef5ccfdd9d554e9daa20ecbc004d76739633083f3a0c93766a7a5534c8ab11fb796443785d82e13f9687a7b11e546330c18a3e11af006d1fbe33c5af
+  metadata.gz: d3841667c9d687a96eddc0f6d929ae5257d78141bc06d266b9133ff2ed32a925d1b7576b3a77dcc51dbdcb1003f891e56079453a65debcb86dd59b877df5465d
+  data.tar.gz: d80e6b20c05f3bea495902251f6627f1aa6d1c6c61218167b3c65d30e8de4ddd359ca94804aaa5c0a42095b5c82e3cee328e63153f25799f834d8ec0cb791346

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: threatinator
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors:
 - Mike Ryan
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-08-28 00:00:00.000000000 Z
+date: 2014-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: typhoeus
@@ -140,43 +140,6 @@ files:
 - Rakefile
 - VERSION
 - bin/threatinator
-- feeds/ET_compromised-ip_reputation.feed
-- feeds/alienvault-ip_reputation.feed
-- feeds/arbor_fastflux-domain_reputation.feed
-- feeds/arbor_ssh-ip_reputation.feed
-- feeds/autoshun_shunlist.feed
-- feeds/blocklist_de_apache-ip_reputation.feed
-- feeds/blocklist_de_bots-ip_reputation.feed
-- feeds/blocklist_de_ftp-ip_reputation.feed
-- feeds/blocklist_de_imap-ip_reputation.feed
-- feeds/blocklist_de_pop3-ip_reputation.feed
-- feeds/blocklist_de_proftpd-ip_reputation.feed
-- feeds/blocklist_de_sip-ip_reputation.feed
-- feeds/blocklist_de_ssh-ip_reputation.feed
-- feeds/blocklist_de_strongips-ip_reputation.feed
-- feeds/ciarmy-ip_reputation.feed
-- feeds/cruzit-ip_reputation.feed
-- feeds/dan_me_uk_torlist-ip_reputation.feed
-- feeds/dshield_attackers-top1000.feed
-- feeds/feodo-domain_reputation.feed
-- feeds/feodo-ip_reputation.feed
-- feeds/infiltrated-ip_reputation.feed
-- feeds/malc0de-domain_reputation.feed
-- feeds/malc0de-ip_reputation.feed
-- feeds/mirc-domain_reputation.feed
-- feeds/nothink_irc-ip_reputation.feed
-- feeds/nothink_ssh-ip_reputation.feed
-- feeds/openbl-ip_reputation.feed
-- feeds/palevo-domain_reputation.feed
-- feeds/palevo-ip_reputation.feed
-- feeds/phishtank.feed
-- feeds/spyeye-domain_reputation.feed
-- feeds/spyeye-ip_reputation.feed
-- feeds/t-arend-de_ssh-ip_reputation.feed
-- feeds/the_haleys_ssh-ip_reputation.feed
-- feeds/yourcmc_ssh-ip_reputation.feed
-- feeds/zeus-domain_reputation.feed
-- feeds/zeus-ip_reputation.feed
 - lib/threatinator.rb
 - lib/threatinator/action.rb
 - lib/threatinator/actions/list.rb
@@ -406,7 +369,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.2
+rubygems_version: 2.2.0
 signing_key:
 specification_version: 4
 summary: Threatinator is a library and tool for parsing threat data feeds.

data/feeds/ET_compromised-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "emergingthreats"
-name "compromised_ip_reputation"
-fetch_http('http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/alienvault-ip_reputation.feed DELETED Viewed

@@ -1,37 +0,0 @@
-provider "alienvault"
-name "ip_reputation"
-fetch_http('https://reputation.alienvault.com/reputation.generic')
-# Examples:
-#  108.59.1.5 # Scanning Host A1,,0.0,0.0
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # (?<type>(Scanning Host|C&C|Malicious Host|Malware Domain|Spamming|Malware IP|Malware distribution)) (?<cc>[A-Z]{2}|A1|A1|O1)?,(?<city>[^,]*),(?<lat>-?[0-9]+(\.[0-9]+)?),(?<lon>-?[0-9]+(\.[0-9]+)?)/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-      # This doesn't execute, yet.
-      ipv4_event.cc(m[:cc]) unless m[:cc].nil?
-      ipv4_event.city(m[:city]) unless m[:city].nil?
-      ipv4_latlon(m[:lat].to_f, m[:lon].to_f)
-    end
-    case m[:type]
-    when 'Scanning Host'
-      event.type = :scanning
-    when 'C&C'
-      event.type = :c2
-    when 'Malicious Host'
-      event.type = :attacker
-    when 'Malware Domain', 'Malware IP', 'Malware distribution'
-      event.type = :malware_host
-    when 'Spamming'
-     event.type = :spamming
-    end
-  end
-end

data/feeds/arbor_fastflux-domain_reputation.feed DELETED Viewed

@@ -1,18 +0,0 @@
-provider "arbor"
-name "fastflux_domain_reputation"
-fetch_http('http://atlas.arbor.net/summary/domainlist')
-feed_re = /^(?<domain>.*)/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_fqdn(m[:domain])
-  end
-end

data/feeds/arbor_ssh-ip_reputation.feed DELETED Viewed

@@ -1,23 +0,0 @@
-provider "arbor"
-name "ssh_ip_reputation"
-fetch_http('http://atlas-public.ec2.arbor.net/public/ssh_attackers')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-filter do |record|
-  (record.data =~ /^other/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/autoshun_shunlist.feed DELETED Viewed

@@ -1,15 +0,0 @@
-provider "autoshun"
-name "shunlist"
-fetch_http('http://www.autoshun.org/files/shunlist.csv')
-filter do |record|
-  record.data[:ip].start_with?("Shunlist as of")
-end
-parse_csv(:headers => [:ip, :last_seen, :reason]) do |event_generator, record|
-  event_generator.call do |event|
-    event.type = :scanning
-    event.add_ipv4(record.data[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/blocklist_de_apache-ip_reputation.feed DELETED Viewed

@@ -1,24 +0,0 @@
-provider "blocklist_de"
-name "apache_ip_reputation"
-fetch_http('http://www.blocklist.de/lists/apache.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out IPv6 addresses
-filter do |record|
-  (record.data =~ /\:/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/blocklist_de_bots-ip_reputation.feed DELETED Viewed

@@ -1,24 +0,0 @@
-provider "blocklist_de"
-name "bots_ip_reputation"
-fetch_http('http://www.blocklist.de/lists/bots.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out IPv6 addresses
-filter do |record|
-  (record.data =~ /\:/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/blocklist_de_ftp-ip_reputation.feed DELETED Viewed

@@ -1,24 +0,0 @@
-provider "blocklist_de"
-name "ftp_ip_reputation"
-fetch_http('http://www.blocklist.de/lists/ftp.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out IPv6 addresses
-filter do |record|
-  (record.data =~ /\:/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/blocklist_de_imap-ip_reputation.feed DELETED Viewed

@@ -1,24 +0,0 @@
-provider "blocklist_de"
-name "imap_ip_reputation"
-fetch_http('http://www.blocklist.de/lists/imap.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out IPv6 addresses
-filter do |record|
-  (record.data =~ /\:/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/blocklist_de_pop3-ip_reputation.feed DELETED Viewed

@@ -1,24 +0,0 @@
-provider "blocklist_de"
-name "pop3_ip_reputation"
-fetch_http('http://www.blocklist.de/lists/pop3.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out IPv6 addresses
-filter do |record|
-  (record.data =~ /\:/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/blocklist_de_proftpd-ip_reputation.feed DELETED Viewed

@@ -1,24 +0,0 @@
-provider "blocklist_de"
-name "proftpd_ip_reputation"
-fetch_http('http://www.blocklist.de/lists/proftpd.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out IPv6 addresses
-filter do |record|
-  (record.data =~ /\:/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/blocklist_de_sip-ip_reputation.feed DELETED Viewed

@@ -1,24 +0,0 @@
-provider "blocklist_de"
-name "sip_ip_reputation"
-fetch_http('http://www.blocklist.de/lists/sip.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out IPv6 addresses
-filter do |record|
-  (record.data =~ /\:/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/blocklist_de_ssh-ip_reputation.feed DELETED Viewed

@@ -1,24 +0,0 @@
-provider "blocklist_de"
-name "ssh_ip_reputation"
-fetch_http('http://www.blocklist.de/lists/ssh.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out IPv6 addresses
-filter do |record|
-  (record.data =~ /\:/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/blocklist_de_strongips-ip_reputation.feed DELETED Viewed

@@ -1,24 +0,0 @@
-provider "blocklist_de"
-name "strongips_ip_reputation"
-fetch_http('http://www.blocklist.de/lists/strongips.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out IPv6 addresses
-filter do |record|
-  (record.data =~ /\:/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/ciarmy-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "ciarmy"
-name "ip_reputation"
-fetch_http('http://www.ciarmy.com/list/ci-badguys.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/cruzit-ip_reputation.feed DELETED Viewed

@@ -1,29 +0,0 @@
-provider "cruzit"
-name "ip_reputation"
-fetch_http('http://www.cruzit.com/xwbl2txt.php')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out IPv6 addresses
-filter do |record|
-  (record.data =~ /\:/)
-  end
-# Filter out first line
-filter do |record|
-  (record.data =~ /^ipaddress$/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/dan_me_uk_torlist-ip_reputation.feed DELETED Viewed

@@ -1,24 +0,0 @@
-provider "dan_me_uk"
-name "torlist_ip_reputation"
-fetch_http('https://www.dan.me.uk/torlist/')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out IPv6 addresses
-filter do |record|
-  (record.data =~ /\:/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/dshield_attackers-top1000.feed DELETED Viewed

@@ -1,34 +0,0 @@
-provider "dshield"
-name "attackers-top1000"
-fetch_http('https://isc.sans.edu/api/sources/attacks/1000/')
-parse_xml("/sources/data") do |event_generator, record|
-  node = record.node
-  ip_node = node[:ip].first
-  next if ip_node.nil?
-  ip = ip_node.text
-  next if ip.empty?
-  # Dshield's api produces zero-padded octets. We've gotta strip those down.
-  # The following regex will remove any zero-padding.
-  ip.gsub!(/(?<=\A|\.)0+(?=\d+(\.|\Z))/, '')
-  attack_node = node[:attacks].first
-  count_node = node[:count].first
-  first_seen_node = node[:first_seen].first
-  last_seen_node = node[:last_seen].first
-  event_generator.call() do |event|
-    event.type = :attacker
-    event.add_ipv4(ip) do |ipv4_event|
-    end
-    ## TODO
-    # event.first_seen = first_seen_node.text unless first_seen_node.nil?
-    # event.last_seen = last_seen_node.text unless last_seen_node.nil?
-    # attack_count = attack_node.text.to_i unless attack_node.nil?
-    # count = count_node.text.to_i unless count_node.nil?
-  end
-end

data/feeds/feodo-domain_reputation.feed DELETED Viewed

@@ -1,18 +0,0 @@
-provider "abuse_ch"
-name "feodo_domain_reputation"
-fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=domainblocklist')
-feed_re = /^(?<domain>.*)/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_fqdn(m[:domain])
-  end
-end

data/feeds/feodo-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "abuse_ch"
-name "feodo_ip_reputation"
-fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=ipblocklist')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/infiltrated-ip_reputation.feed DELETED Viewed

@@ -1,25 +0,0 @@
-provider "infiltrated"
-name "ip_reputation"
-fetch_http('http://www.infiltrated.net/blacklisted')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out missing last octet
-# Example: '78.29.9.\n'
-filter do |record|
-  (record.data =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\n/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/malc0de-domain_reputation.feed DELETED Viewed

@@ -1,23 +0,0 @@
-provider "malc0de"
-name "domain_reputation"
-fetch_http('http://malc0de.com/bl/BOOT')
-feed_re = /^PRIMARY (?<domain>[a-z,0-9,A-Z,\-,\.]*)/
-filter_whitespace
-filter_comments
-# Filter out //comments
-filter do |record|
-  (record.data =~ /^\/\//)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :malware_host
-    event.add_fqdn(m[:domain])
-  end
-end

data/feeds/malc0de-ip_reputation.feed DELETED Viewed

@@ -1,24 +0,0 @@
-provider "malc0de"
-name "ip_reputation"
-fetch_http('http://malc0de.com/bl/IP_Blacklist.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-# Filter out //comments
-filter do |record|
-  (record.data =~ /^\/\//)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :malware_host
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/mirc-domain_reputation.feed DELETED Viewed

@@ -1,28 +0,0 @@
-provider "mirc"
-name "domain_reputation"
-fetch_http('http://www.mirc.com/servers.ini')
-feed_re = /^n[0-9]+=(?<desc1>[^:]+)SERVER:(?<domain>[^:]+):(?<portlist>[^:]+):?GROUP:(?<group>.*)$/
-filter_whitespace
-filter_comments
-# Filter out //comments
-filter do |record|
-  !(record.data =~ /\:/)
-  end
-# Filter out //comments
-filter do |record|
-  (record.data =~ /^\;/)
-  end
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_fqdn(m[:domain])
-  end
-end

data/feeds/nothink_irc-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "nothink"
-name "irc_ip_reputation"
-fetch_http('http://www.nothink.org/blacklist/blacklist_malware_irc.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/nothink_ssh-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "nothink"
-name "ssh_ip_reputation"
-fetch_http('http://www.nothink.org/blacklist/blacklist_ssh_day.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/openbl-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "openbl"
-name "ip_reputation"
-fetch_http('http://www.openbl.org/lists/base.txt')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/palevo-domain_reputation.feed DELETED Viewed

@@ -1,18 +0,0 @@
-provider "abuse_ch"
-name "palevo_domain_reputation"
-fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=domainblocklist')
-feed_re = /^(?<domain>.*)/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_fqdn(m[:domain])
-  end
-end

data/feeds/palevo-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "abuse_ch"
-name "palevo_ip_reputation"
-fetch_http('https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/phishtank.feed DELETED Viewed

@@ -1,21 +0,0 @@
-provider "phishtank"
-name "phishtank"
-fetch_http('http://data.phishtank.com/data/online-valid.json.gz')
-extract_gzip
-parse_json() do |event_generator, record|
-  event_generator.call do |event|
-    # TODO: parse URL
-    # TODO: parse dates
-    event.type = :phishing
-    record.data["details"].each do |detail|
-      if ip = detail["ip_address"]
-        event.add_ipv4(ip) do |ipv4_event|
-        end
-      end
-    end
-  end
-end

data/feeds/spyeye-domain_reputation.feed DELETED Viewed

@@ -1,18 +0,0 @@
-provider "abuse_ch"
-name "spyeye_domain_reputation"
-fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist')
-feed_re = /^(?<domain>.*)/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_fqdn(m[:domain])
-  end
-end

data/feeds/spyeye-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "abuse_ch"
-name "spyeye_ip_reputation"
-fetch_http('https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/t-arend-de_ssh-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "t-arend-de"
-name "ssh_ip_reputation"
-fetch_http('http://www.t-arend.de/linux/badguys.txt')
-feed_re = /^sshd\: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/the_haleys_ssh-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "the_haleys"
-name "ssh_ip_reputation"
-fetch_http('http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt')
-feed_re = /^ALL \: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/yourcmc_ssh-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "yourcmc"
-name "ssh-ip_reputation"
-fetch_http('http://vmx.yourcmc.ru/BAD_HOSTS.IP4')
-feed_re = /^(?<ip>.*)/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :scanning
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end

data/feeds/zeus-domain_reputation.feed DELETED Viewed

@@ -1,18 +0,0 @@
-provider "abuse_ch"
-name "zeus_domain_reputation"
-fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist')
-feed_re = /^(?<domain>.*)/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_fqdn(m[:domain])
-  end
-end

data/feeds/zeus-ip_reputation.feed DELETED Viewed

@@ -1,19 +0,0 @@
-provider "abuse_ch"
-name "zeus_ip_reputation"
-fetch_http('https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist')
-feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
-filter_whitespace
-filter_comments
-parse_eachline(:separator => "\n") do |event_generator, record|
-  m = feed_re.match(record.data)
-  next if m.nil?
-  event_generator.call() do |event|
-    event.type = :c2
-    event.add_ipv4(m[:ip]) do |ipv4_event|
-    end
-  end
-end