threatinator 0.1.6 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +13 -2
- data/Gemfile +18 -13
- data/Rakefile +1 -1
- data/VERSION +1 -1
- data/feeds/ET_block-ip_reputation.feed +26 -0
- data/feeds/ET_openbadlist-ip_reputation.feed +35 -0
- data/feeds/bambenek_c2_masterlist-domain_reputation.feed +15 -0
- data/feeds/bambenek_c2_masterlist-ip_reputation.feed +15 -0
- data/feeds/bambenek_dga_feed-domain_reputation.feed +15 -0
- data/feeds/berkeley-ip_reputation.feed +23 -0
- data/feeds/bitcash_cz_blacklist.feed +20 -0
- data/feeds/botscout-ip_reputation.feed +24 -0
- data/feeds/cert_mxpoison-ip_reputation.feed +21 -0
- data/feeds/chaosreigns-ip_reputation.feed +36 -0
- data/feeds/cydef_torexit-ip_reputation.feed +24 -0
- data/feeds/danger_bruteforce-ip_reputation.feed +23 -0
- data/feeds/falconcrest-ip_reputation.feed +18 -0
- data/feeds/h3x_asprox.feed +17 -0
- data/feeds/hosts-file_hphostspartial-domain_reputation.feed +18 -0
- data/feeds/infiltrated_vabl-ip_reputation.feed +29 -0
- data/feeds/isc_suspicious_high-domain_reputation.feed +25 -0
- data/feeds/isc_suspicious_low-domain_reputation.feed +25 -0
- data/feeds/isc_suspicious_medium-domain_reputation.feed +25 -0
- data/feeds/malwaredomainlist-url_reputation.feed +16 -0
- data/feeds/malwaredomains-domain_reputation.feed +27 -0
- data/feeds/malwaredomains_dyndns-domain_reputation.feed +27 -0
- data/feeds/malwaredomains_justdomains-domain_reputation.feed +18 -0
- data/feeds/multiproxy-ip_reputation.feed +20 -0
- data/feeds/openphish-url_reputation.feed +22 -0
- data/feeds/packetmail_perimeterbad-ip_reputation.feed +26 -0
- data/feeds/phishtank.feed +1 -1
- data/feeds/sigmaproject_atma.feed +25 -0
- data/feeds/sigmaproject_spyware.feed +24 -0
- data/feeds/sigmaproject_webexploit.feed +26 -0
- data/feeds/snort_bpf-ip_reputation.feed +19 -0
- data/feeds/steeman-ip_reputation.feed +19 -0
- data/feeds/trustedsec-ip_reputation.feed +17 -0
- data/feeds/virbl-ip_reputation.feed +24 -0
- data/feeds/vxvault-url_reputation.feed +22 -0
- data/feeds/yoyo_adservers-domain_reputation.feed +16 -0
- data/lib/threatinator/actions/run/action.rb +15 -3
- data/lib/threatinator/actions/run/coverage_observer.rb +12 -7
- data/lib/threatinator/actions/run/status_observer.rb +37 -0
- data/lib/threatinator/cli.rb +9 -3
- data/lib/threatinator/cli/parser.rb +14 -4
- data/lib/threatinator/config.rb +1 -0
- data/lib/threatinator/config/logger.rb +14 -0
- data/lib/threatinator/event.rb +28 -18
- data/lib/threatinator/event_builder.rb +52 -23
- data/lib/threatinator/exceptions.rb +3 -6
- data/lib/threatinator/feed.rb +1 -1
- data/lib/threatinator/feed_runner.rb +63 -7
- data/lib/threatinator/logger.rb +66 -0
- data/lib/threatinator/logging.rb +20 -0
- data/lib/threatinator/model/base.rb +23 -0
- data/lib/threatinator/model/collection.rb +64 -0
- data/lib/threatinator/model/observables/fqdn_collection.rb +13 -0
- data/lib/threatinator/model/observables/ipv4.rb +30 -0
- data/lib/threatinator/model/observables/ipv4_collection.rb +14 -0
- data/lib/threatinator/model/observables/url_collection.rb +16 -0
- data/lib/threatinator/model/validations.rb +1 -0
- data/lib/threatinator/model/validations/type.rb +21 -0
- data/lib/threatinator/plugins/output/csv.rb +20 -9
- data/spec/feeds/ET_block-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ET_compromised-ip_reputation_spec.rb +2 -5
- data/spec/feeds/ET_openbadlist-ip_reputation_spec.rb +56 -0
- data/spec/feeds/alienvault-ip_reputation_spec.rb +2 -5
- data/spec/feeds/arbor_fastflux-domain_reputation_spec.rb +0 -3
- data/spec/feeds/arbor_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/autoshun_shunlist_spec.rb +1 -4
- data/spec/feeds/bambenek_c2_masterlist-domain_reputation_spec.rb +39 -0
- data/spec/feeds/bambenek_c2_masterlist-ip_reputation_spec.rb +39 -0
- data/spec/feeds/bambenek_dga_feed-domain_reputation_spec.rb +39 -0
- data/spec/feeds/berkeley-ip_reputation_spec.rb +47 -0
- data/spec/feeds/bitcash_cz_blacklist-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_apache-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_bots-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_ftp-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_imap-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_pop3-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_proftpd-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_sip-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_strongips-ip_reputation_spec.rb +2 -5
- data/spec/feeds/botscout-ip_reputation_spec.rb +50 -0
- data/spec/feeds/cert_mxpoison-ip_reputation_spec.rb +47 -0
- data/spec/feeds/chaosreigns-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ciarmy-ip_reputation_spec.rb +2 -5
- data/spec/feeds/cruzit-ip_reputation_spec.rb +2 -5
- data/spec/feeds/cydef_torexit-ip_reputation_spec.rb +47 -0
- data/spec/feeds/dan_me_uk_torlist-ip_reputation_spec.rb +2 -5
- data/spec/feeds/danger_bruteforce-ip_reputation_spec.rb +47 -0
- data/spec/feeds/data/ET_block-ip_reputation.txt +80 -0
- data/spec/feeds/data/ET_openbadlist-ip_reputation.txt +62 -0
- data/spec/feeds/data/bambenek_c2-dommasterlist.csv +30 -0
- data/spec/feeds/data/bambenek_c2-ipmasterlist.csv +27 -0
- data/spec/feeds/data/bambenek_dga_feed.csv +42 -0
- data/spec/feeds/data/berkeley.txt +29 -0
- data/spec/feeds/data/bitcash_cz_blacklist.txt +7 -0
- data/spec/feeds/data/botscout-ip-reputation.txt +713 -0
- data/spec/feeds/data/cert_mxpoison-ip_reputation.txt +17 -0
- data/spec/feeds/data/chaosreigns-ip-reputation.txt +26 -0
- data/spec/feeds/data/cydef_torexit-ip_reputation.txt +27 -0
- data/spec/feeds/data/danger_bruteforce-ip_reputation.txt +12 -0
- data/spec/feeds/data/falconcrest_iplist.txt +345 -0
- data/spec/feeds/data/h3x_asprox.txt +20 -0
- data/spec/feeds/data/hosts-file_hphostspartial_domainlist.txt +24 -0
- data/spec/feeds/data/infiltrated_vabl_iplist.txt +33 -0
- data/spec/feeds/data/isc_suspicious_high_domainlist.txt +26 -0
- data/spec/feeds/data/isc_suspicious_low_domainlist.txt +34 -0
- data/spec/feeds/data/isc_suspicious_medium_domainlist.txt +32 -0
- data/spec/feeds/data/malwaredomainlist-url-reputation.txt +8 -0
- data/spec/feeds/data/malwaredomains_domainlist.txt +24 -0
- data/spec/feeds/data/malwaredomains_dyndns_domainlist.txt +34 -0
- data/spec/feeds/data/malwaredomains_justdomains_domainlist.txt +18 -0
- data/spec/feeds/data/multiproxy_iplist.txt +15 -0
- data/spec/feeds/data/openphish-url-reputation.txt +16 -0
- data/spec/feeds/data/packetmail_perimeterbad-ip_reputation.txt +44 -0
- data/spec/feeds/data/sigmaproject_atma.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_spyware.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_webexploit.return.gz +0 -0
- data/spec/feeds/data/snort_bpf-ip_reputation.txt +16 -0
- data/spec/feeds/data/steeman-ip-reputation.txt +13 -0
- data/spec/feeds/data/trustedsec-ip-reputation.txt +12 -0
- data/spec/feeds/data/virbl-ip_reputation.txt +14 -0
- data/spec/feeds/data/vxvault-url-reputation.txt +15 -0
- data/spec/feeds/data/yoyo_adservers.txt +25 -0
- data/spec/feeds/dshield_attackers-top1000_spec.rb +1 -4
- data/spec/feeds/falconcrest-ip_reputation_spec.rb +37 -0
- data/spec/feeds/feodo-domain_reputation_spec.rb +0 -3
- data/spec/feeds/feodo-ip_reputation_spec.rb +2 -5
- data/spec/feeds/h3x_asprox-ip_reputation_spec.rb +50 -0
- data/spec/feeds/hosts-file_hphostspartial-domain_reputation_spec.rb +47 -0
- data/spec/feeds/infiltrated-ip_reputation_spec.rb +2 -5
- data/spec/feeds/infiltrated_vabl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_high-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_low-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_medium-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malc0de-domain_reputation_spec.rb +0 -3
- data/spec/feeds/malc0de-ip_reputation_spec.rb +2 -5
- data/spec/feeds/malwaredomainlist_url_reputation_spec.rb +50 -0
- data/spec/feeds/malwaredomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_dyndns-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_justdomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/mirc-domain_reputation_spec.rb +0 -3
- data/spec/feeds/multiproxy-ip_reputation_spec.rb +47 -0
- data/spec/feeds/nothink_irc-ip_reputation_spec.rb +2 -5
- data/spec/feeds/nothink_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/openbl-ip_reputation_spec.rb +2 -5
- data/spec/feeds/openphish_url_reputation_spec.rb +50 -0
- data/spec/feeds/packetmail_perimeterbad-ip_reputation_spec.rb +47 -0
- data/spec/feeds/palevo-domain_reputation_spec.rb +0 -3
- data/spec/feeds/palevo-ip_reputation_spec.rb +2 -5
- data/spec/feeds/phishtank_spec.rb +2 -5
- data/spec/feeds/sigmaproject_atma_spec.rb +63 -0
- data/spec/feeds/sigmaproject_spyware_spec.rb +64 -0
- data/spec/feeds/sigmaproject_webexploit_spec.rb +63 -0
- data/spec/feeds/snort_bpf-ip_reputation_spec.rb +47 -0
- data/spec/feeds/spyeye-domain_reputation_spec.rb +0 -3
- data/spec/feeds/spyeye-ip_reputation_spec.rb +2 -5
- data/spec/feeds/steeman-ip_reputation_spec.rb +50 -0
- data/spec/feeds/t-arend-de_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/the_haleys_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/trustedsec-ip_reputation_spec.rb +47 -0
- data/spec/feeds/virbl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/vxvault_url_reputation_spec.rb +50 -0
- data/spec/feeds/yourcmc_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/yoyo_adservers_spec.rb +47 -0
- data/spec/feeds/zeus-domain_reputation_spec.rb +0 -3
- data/spec/feeds/zeus-ip_reputation_spec.rb +2 -5
- data/spec/spec_helper.rb +2 -0
- data/spec/support/factories/event.rb +11 -7
- data/spec/support/factories/feed.rb +28 -1
- data/spec/support/factories/ipv4.rb +36 -0
- data/spec/support/factories/url.rb +34 -0
- data/spec/support/shared/feed_runner_observer.rb +136 -0
- data/spec/support/shared/feeds.rb +19 -4
- data/spec/support/shared/model/collection.rb +164 -0
- data/spec/threatinator/actions/run/action_spec.rb +27 -10
- data/spec/threatinator/actions/run/coverage_observer_spec.rb +39 -4
- data/spec/threatinator/actions/run/status_observer_spec.rb +86 -0
- data/spec/threatinator/event_builder_spec.rb +111 -21
- data/spec/threatinator/event_spec.rb +237 -13
- data/spec/threatinator/event_spec.rb.new +319 -0
- data/spec/threatinator/feed_builder_spec.rb +0 -3
- data/spec/threatinator/feed_runner_spec.rb +254 -70
- data/spec/threatinator/logger_spec.rb +29 -0
- data/spec/threatinator/model/observables/fqdn_collection_spec.rb +42 -0
- data/spec/threatinator/model/observables/ipv4_collection_spec.rb +36 -0
- data/spec/threatinator/model/observables/ipv4_spec.rb +75 -0
- data/spec/threatinator/model/observables/url_collection_spec.rb +45 -0
- data/spec/threatinator/model/validations/type_spec.rb +37 -0
- data/spec/threatinator/plugins/output/csv_spec.rb +4 -3
- metadata +216 -19
- data/lib/threatinator/property_definer.rb +0 -101
- data/spec/threatinator/property_definer_spec.rb +0 -155
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 49782ab8639faa3f2f202e056f780b6fdeff09df
|
4
|
+
data.tar.gz: d2f4fb0ed1056f32f6509a9b8f1a9740170cc2c1
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 4e4b0f2c3686572067acee715834addb78cd66fc7d718a5208506fc9ae9b676037ae13d18b9bf2e33d4a9230a345aab00ad50ba1841b92f1d154be5f3800fd01
|
7
|
+
data.tar.gz: c3b15041ad98b6da912de32b90e540a9634572222158d62503734c324d0eec3870b763d371b16abf88d413b74c6d412899bf4e4d3dd8e006a5d32eaa6d593f40
|
data/CHANGELOG.md
CHANGED
@@ -3,15 +3,26 @@ Next
|
|
3
3
|
|
4
4
|
* Your contribution here.
|
5
5
|
|
6
|
+
0.2.0
|
7
|
+
====
|
8
|
+
|
9
|
+
* Fix file-handle leak - [@justfalter](https://github.com/justfalter)
|
10
|
+
* BREAKING CHANGE: Event#ipv4s -> now an Ipv4ObservableCollection that consists on Ipv4Observable objects.
|
11
|
+
* Normalize and validate ipv4 addresses.
|
12
|
+
* Add URL support [@justfalter](https://github.com/justfalter)
|
13
|
+
* Re-implement Event model, get rid of PropertyDefiner [@justfalter](https://github.com/justfalter)
|
14
|
+
* Disable decoding when testing the parsing of a single record. [@justfalter](https://github.com/justfalter)
|
15
|
+
|
6
16
|
0.1.6
|
7
17
|
====
|
8
18
|
|
9
|
-
* Add
|
19
|
+
* [#121](https://github.com/cikl/threatinator/issues/121) Add threatinator list 'json' output format. [@justfalter](https://github.com/justfalter)
|
10
20
|
|
11
21
|
0.1.5
|
12
22
|
====
|
13
23
|
|
14
|
-
* Add missing
|
24
|
+
* [#115](https://github.com/cikl/threatinator/issues/56): Add missing require for 'set' - [@justfalter](https://github.com/justfalter)
|
25
|
+
|
15
26
|
0.1.2
|
16
27
|
====
|
17
28
|
|
data/Gemfile
CHANGED
@@ -1,11 +1,16 @@
|
|
1
1
|
# A sample Gemfile
|
2
2
|
source "https://rubygems.org"
|
3
3
|
|
4
|
-
gem 'typhoeus', '~> 0.6'
|
5
|
-
gem 'nokogiri', '~> 1.6'
|
6
|
-
gem 'docile', '~> 1.1'
|
7
|
-
gem 'virtus', '~> 1.0'
|
8
|
-
gem 'gli', '~> 2.12'
|
4
|
+
gem 'typhoeus', '~> 0.6.0'
|
5
|
+
gem 'nokogiri', '~> 1.6.0'
|
6
|
+
gem 'docile', '~> 1.1.0'
|
7
|
+
gem 'virtus', '~> 1.0.0'
|
8
|
+
gem 'gli', '~> 2.12.0'
|
9
|
+
gem 'activemodel', '~> 4.0'
|
10
|
+
gem 'equalizer', '> 0.0.0'
|
11
|
+
gem 'addressable', '~> 2.3.0'
|
12
|
+
gem 'log4r', '~> 1.1.10'
|
13
|
+
gem 'ruby-ip', '~> 0.9.3'
|
9
14
|
|
10
15
|
platforms :mingw, :mswin, :ruby do
|
11
16
|
gem 'oj', '~> 2.9'
|
@@ -13,16 +18,16 @@ end
|
|
13
18
|
|
14
19
|
group :test do
|
15
20
|
gem 'rake'
|
16
|
-
gem 'multi_json', '~> 1.10'
|
17
|
-
gem 'simplecov', '~> 0.9'
|
21
|
+
gem 'multi_json', '~> 1.10.0'
|
22
|
+
gem 'simplecov', '~> 0.9.0'
|
18
23
|
gem 'simplecov-vim', '= 0.0.1'
|
19
|
-
gem 'rspec', '~> 3'
|
20
|
-
gem 'rspec-its', '~> 1'
|
21
|
-
gem 'webmock', '~> 1'
|
22
|
-
gem 'factory_girl', '~> 4'
|
24
|
+
gem 'rspec', '~> 3.0'
|
25
|
+
gem 'rspec-its', '~> 1.0'
|
26
|
+
gem 'webmock', '~> 1.0'
|
27
|
+
gem 'factory_girl', '~> 4.0'
|
23
28
|
end
|
24
29
|
|
25
30
|
group :development do
|
26
|
-
gem 'jeweler', '~> 2'
|
27
|
-
gem 'pry', '~> 0.10'
|
31
|
+
gem 'jeweler', '~> 2.0'
|
32
|
+
gem 'pry', '~> 0.10.0'
|
28
33
|
end
|
data/Rakefile
CHANGED
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.
|
1
|
+
0.2.0
|
@@ -0,0 +1,26 @@
|
|
1
|
+
provider "emergingthreats"
|
2
|
+
name "block_ip_reputation"
|
3
|
+
fetch_http('http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt')
|
4
|
+
|
5
|
+
filter_whitespace
|
6
|
+
filter_comments
|
7
|
+
|
8
|
+
# 3 categories of IP listed here;
|
9
|
+
# Shadowserver C2 IPs, which we want
|
10
|
+
# Spamhaus drop nets, which are covered in another feed
|
11
|
+
# Dshield top attackers which are also covered in another feed
|
12
|
+
# The ones we don't want are all CIDR
|
13
|
+
filter do |record|
|
14
|
+
(record.data =~ /\//)
|
15
|
+
end
|
16
|
+
|
17
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
18
|
+
ip = record.data.strip()
|
19
|
+
next if ip.nil?
|
20
|
+
|
21
|
+
event_generator.call() do |event|
|
22
|
+
event.type = :c2
|
23
|
+
event.add_ipv4(ip) do |ipv4_event|
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
@@ -0,0 +1,35 @@
|
|
1
|
+
provider "emergingthreats"
|
2
|
+
name "openbadlist_ip_reputation"
|
3
|
+
fetch_http('https://raw.githubusercontent.com/EmergingThreats/et-open-bad-ip-list/master/IPs.txt')
|
4
|
+
|
5
|
+
filter_whitespace
|
6
|
+
filter_comments
|
7
|
+
|
8
|
+
# Filter out ip's
|
9
|
+
filter do |record|
|
10
|
+
# TODO Add handling for CIDR's once supported
|
11
|
+
!(record.data =~ /\/32/)
|
12
|
+
end
|
13
|
+
|
14
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
15
|
+
fields = record.data.split(/; /)
|
16
|
+
next if record.nil?
|
17
|
+
|
18
|
+
# date = fields[0]
|
19
|
+
ip = fields[1]
|
20
|
+
# description = fields[2]
|
21
|
+
|
22
|
+
# We're tossing anything that's not a /32
|
23
|
+
ip.gsub!(/\/32/, '')
|
24
|
+
ip.strip!
|
25
|
+
if ip =~ /\//
|
26
|
+
puts ip
|
27
|
+
next
|
28
|
+
end
|
29
|
+
|
30
|
+
event_generator.call() do |event|
|
31
|
+
event.type = :c2
|
32
|
+
event.add_ipv4(ip) do |ipv4_event|
|
33
|
+
end
|
34
|
+
end
|
35
|
+
end
|
@@ -0,0 +1,15 @@
|
|
1
|
+
provider "bambenek"
|
2
|
+
name "c2_masterlist"
|
3
|
+
fetch_http('http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt')
|
4
|
+
|
5
|
+
filter do |record|
|
6
|
+
record.data[:domain].start_with?("#")
|
7
|
+
end
|
8
|
+
|
9
|
+
parse_csv(:headers => [:domain, :description, :moreinfo]) do |event_generator, record|
|
10
|
+
event_generator.call do |event|
|
11
|
+
event.type = :c2
|
12
|
+
event.add_fqdn(record.data[:domain]) do |fqdn_event|
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
@@ -0,0 +1,15 @@
|
|
1
|
+
provider "bambenek"
|
2
|
+
name "c2_masterlist_ip"
|
3
|
+
fetch_http('http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt')
|
4
|
+
|
5
|
+
filter do |record|
|
6
|
+
record.data[:ip].start_with?("#")
|
7
|
+
end
|
8
|
+
|
9
|
+
parse_csv(:headers => [:ip, :description, :date, :moreinfo]) do |event_generator, record|
|
10
|
+
event_generator.call do |event|
|
11
|
+
event.type = :c2
|
12
|
+
event.add_ipv4(record.data[:ip]) do |ipv4_event|
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
@@ -0,0 +1,15 @@
|
|
1
|
+
provider "bambenek"
|
2
|
+
name "dga_feed"
|
3
|
+
fetch_http('http://osint.bambenekconsulting.com/feeds/dga-feed.txt')
|
4
|
+
|
5
|
+
filter do |record|
|
6
|
+
record.data[:domain].start_with?("#")
|
7
|
+
end
|
8
|
+
|
9
|
+
parse_csv(:headers => [:domain, :description, :moreinfo]) do |event_generator, record|
|
10
|
+
event_generator.call do |event|
|
11
|
+
event.type = :c2
|
12
|
+
event.add_fqdn(record.data[:domain]) do |fqdn_event|
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
@@ -0,0 +1,23 @@
|
|
1
|
+
provider "berkeley"
|
2
|
+
name "ip_reputation"
|
3
|
+
fetch_http('https://security.berkeley.edu/aggressive_ips/ips')
|
4
|
+
|
5
|
+
feed_re = /^HOSTILE_IP\: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*LAST_SEEN\: (?<last_seen>\d{10})/
|
6
|
+
|
7
|
+
filter_whitespace
|
8
|
+
filter_comments
|
9
|
+
|
10
|
+
filter do |record|
|
11
|
+
!(record.data =~ /^HOSTILE_IP/)
|
12
|
+
end
|
13
|
+
|
14
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
15
|
+
m = feed_re.match(record.data)
|
16
|
+
next if m.nil?
|
17
|
+
|
18
|
+
event_generator.call() do |event|
|
19
|
+
event.type = :scanning
|
20
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
@@ -0,0 +1,20 @@
|
|
1
|
+
provider "bitcash_cz"
|
2
|
+
name "blacklist"
|
3
|
+
|
4
|
+
fetch_http('http://bitcash.cz/misc/log/blacklist')
|
5
|
+
|
6
|
+
filter_whitespace
|
7
|
+
filter_comments
|
8
|
+
|
9
|
+
parse_eachline() do |event_generator, record|
|
10
|
+
|
11
|
+
fields = record.data.split(/\s/)
|
12
|
+
next if fields[0].nil?
|
13
|
+
ip = fields[0].strip()
|
14
|
+
|
15
|
+
event_generator.call() do |event|
|
16
|
+
event.type = :scanning
|
17
|
+
event.add_ipv4(ip) do |ipv4_event|
|
18
|
+
end
|
19
|
+
end
|
20
|
+
end
|
@@ -0,0 +1,24 @@
|
|
1
|
+
provider "botscout"
|
2
|
+
name "ip_reputation"
|
3
|
+
fetch_http('http://botscout.com/last_caught_cache.htm')
|
4
|
+
|
5
|
+
feed_re = /(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
+
|
7
|
+
filter_whitespace
|
8
|
+
filter_comments
|
9
|
+
|
10
|
+
# Filter out anything that doesn't have an IP
|
11
|
+
filter do |record|
|
12
|
+
!(record.data =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)
|
13
|
+
end
|
14
|
+
|
15
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
+
m = feed_re.match(record.data)
|
17
|
+
next if m.nil?
|
18
|
+
|
19
|
+
event_generator.call() do |event|
|
20
|
+
event.type = :scanning
|
21
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
@@ -0,0 +1,21 @@
|
|
1
|
+
# https://www.cert.org/blogs/certcc/post.cfm?EntryID=206
|
2
|
+
|
3
|
+
provider "cert"
|
4
|
+
name "mxpoison_ip_reputation"
|
5
|
+
fetch_http('http://www.cert.org/downloads/mxlist.ips.txt')
|
6
|
+
|
7
|
+
feed_re = /(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
8
|
+
|
9
|
+
filter_whitespace
|
10
|
+
filter_comments
|
11
|
+
|
12
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
13
|
+
m = feed_re.match(record.data)
|
14
|
+
next if m.nil?
|
15
|
+
|
16
|
+
event_generator.call() do |event|
|
17
|
+
event.type = :malware_host
|
18
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
19
|
+
end
|
20
|
+
end
|
21
|
+
end
|
@@ -0,0 +1,36 @@
|
|
1
|
+
provider "chaosreigns"
|
2
|
+
name "ip_reputation"
|
3
|
+
fetch_http('http://www.chaosreigns.com/iprep/iprep.txt')
|
4
|
+
|
5
|
+
filter_whitespace
|
6
|
+
filter_comments
|
7
|
+
|
8
|
+
# Until we support listing arbitrary fields, strip out 100% ham scored items
|
9
|
+
filter do |record|
|
10
|
+
(record.data =~ /\s100\s/)
|
11
|
+
end
|
12
|
+
|
13
|
+
# Until we support v6, strip them out
|
14
|
+
filter do |record|
|
15
|
+
(record.data =~ /\:/)
|
16
|
+
end
|
17
|
+
|
18
|
+
# Last line is a NULL, strip it out
|
19
|
+
filter do |record|
|
20
|
+
(record.data =~ /^\s*0\s*0$/)
|
21
|
+
end
|
22
|
+
|
23
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
24
|
+
fields = record.data.strip.split(/\s/)
|
25
|
+
next if record.nil?
|
26
|
+
|
27
|
+
ip = fields[0].strip
|
28
|
+
# whitelist = fields[1].strip # ...the actual percentage of email from each IP which is ham...
|
29
|
+
# total_count_logo = fields[2].strip #...a count of the total emails from that IP (as a logarithm).
|
30
|
+
|
31
|
+
event_generator.call() do |event|
|
32
|
+
event.type = :scanning
|
33
|
+
event.add_ipv4(ip) do |ipv4_event|
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
@@ -0,0 +1,24 @@
|
|
1
|
+
provider "cydef"
|
2
|
+
name "torexit_ip_reputation"
|
3
|
+
fetch_http('https://cydef.us/torexit.txt')
|
4
|
+
|
5
|
+
feed_re = /(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
|
6
|
+
|
7
|
+
filter_whitespace
|
8
|
+
filter_comments
|
9
|
+
|
10
|
+
# Filter out IPv6 addresses and the timestamp
|
11
|
+
filter do |record|
|
12
|
+
(record.data =~ /\:/)
|
13
|
+
end
|
14
|
+
|
15
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
16
|
+
m = feed_re.match(record.data)
|
17
|
+
next if m.nil?
|
18
|
+
|
19
|
+
event_generator.call() do |event|
|
20
|
+
event.type = :scanning
|
21
|
+
event.add_ipv4(m[:ip]) do |ipv4_event|
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
@@ -0,0 +1,23 @@
|
|
1
|
+
provider "danger"
|
2
|
+
name "bruteforce_ip_reputation"
|
3
|
+
fetch_http('http://danger.rulez.sk/projects/bruteforceblocker/blist.php')
|
4
|
+
|
5
|
+
filter_whitespace
|
6
|
+
filter_comments
|
7
|
+
|
8
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
9
|
+
next if record.nil?
|
10
|
+
fields = record.data.split(/\s/)
|
11
|
+
|
12
|
+
# ipv4 = fields[0]
|
13
|
+
# last_reported_date = fields[2]
|
14
|
+
# last_reported_time = fields[3]
|
15
|
+
# count = fields[4]
|
16
|
+
# count = fields[5]
|
17
|
+
|
18
|
+
event_generator.call() do |event|
|
19
|
+
event.type = :scanning
|
20
|
+
event.add_ipv4(fields[0]) do |ipv4_event|
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
provider "falconcrest"
|
2
|
+
name "ip_reputation"
|
3
|
+
fetch_http('http://www.falconcrest.eu/IPBL.aspx')
|
4
|
+
|
5
|
+
parse_xml("//td/span") do |event_generator, record|
|
6
|
+
node = record.node
|
7
|
+
ip = node.text
|
8
|
+
next if ip.nil?
|
9
|
+
next if ip.empty?
|
10
|
+
|
11
|
+
ip.gsub!(/\(/, '')
|
12
|
+
|
13
|
+
event_generator.call() do |event|
|
14
|
+
event.type = :spamming
|
15
|
+
event.add_ipv4(ip) do |ipv4_event|
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
@@ -0,0 +1,17 @@
|
|
1
|
+
provider "h3x"
|
2
|
+
name "asprox"
|
3
|
+
|
4
|
+
fetch_http('http://atrack.h3x.eu/api/asprox_all.php')
|
5
|
+
|
6
|
+
parse_eachline() do |event_generator, record|
|
7
|
+
|
8
|
+
fields = record.data.split(/\:/)
|
9
|
+
ip = fields[0]
|
10
|
+
# port = fields[1]
|
11
|
+
|
12
|
+
event_generator.call() do |event|
|
13
|
+
event.type = :c2
|
14
|
+
event.add_ipv4(ip) do |ipv4_event|
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
provider "hosts-file"
|
2
|
+
name "hphostspartial_domain_reputation"
|
3
|
+
fetch_http('http://hosts-file.net/hphosts-partial.txt')
|
4
|
+
|
5
|
+
filter_whitespace
|
6
|
+
filter_comments
|
7
|
+
|
8
|
+
parse_eachline(:separator => "\n") do |event_generator, record|
|
9
|
+
fields = record.data.split(/\t/)
|
10
|
+
|
11
|
+
# localhost = fields[0]
|
12
|
+
remote_domain = fields[1].strip
|
13
|
+
|
14
|
+
event_generator.call() do |event|
|
15
|
+
event.type = :malware_host
|
16
|
+
event.add_fqdn(remote_domain)
|
17
|
+
end
|
18
|
+
end
|