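def create():
    """Build the abuse.ch malware-domain feed and return it serialized.

    Reports are gathered from the Zeus, Palevo and SpyEye trackers through
    the module-level ``get_*`` helpers, combined with the feed metadata in a
    CbFeed, and returned as whatever ``CbFeed.dump()`` produces (the
    original bound it to a local named ``bytes``).

    :return: the dumped feed
    """
    reports = []
    for fetch in (get_zeus, get_palevo, get_spyeye):
        reports.extend(fetch())

    feedinfo = {
        'name': 'abusech',
        'display_name': "abuse.ch Malware Domains",
        'provider_url': "http://www.abuse.ch",
        'summary': "abuse.ch tracks C&C servers for Zeus, SpyEye and Palevo malware. " +
                   "This feed combines the three domain names blocklists.",
        'tech_data': "There are no requirements to share any data to receive this feed.",
        "icon": "abuse.ch.jpg",
    }

    # The icon path above is relative; changing into this module's directory
    # is the original "lazy way" of letting it resolve (presumably inside
    # CbFeedInfo/CbFeed -- not visible here).  os.chdir is process-wide, so
    # restore it in a finally block: the original left the process in this
    # directory whenever validation or dump() raised.
    old_cwd = os.getcwd()
    os.chdir(os.path.dirname(os.path.realpath(__file__)))
    try:
        feed = CbFeed(CbFeedInfo(**feedinfo), reports)
        feed_bytes = feed.dump()
    finally:
        os.chdir(old_cwd)

    return feed_bytes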
def build_feed_data(feed_name: str, display_name: str, feed_summary: str, site: str, icon_link: str,
                    reports: List[Dict[str, Any]]) -> str:
    """
    Assemble a feed definition and serialize it to a JSON string.

    The metadata dictionary is validated by CbFeedInfo, the reports are
    de-duplicated with remove_duplicate_reports, and the result is dumped
    through CbFeed.

    :param feed_name: the short name of the feed
    :param display_name: the display name of the feed
    :param feed_summary: the feed summary
    :param site: the site host name; the provider URL is built from it with a
                 hard-coded ``http://`` scheme (NOTE(review): confirm whether
                 callers expect https here)
    :param icon_link: path to the icon source; omitted from the feed when empty
    :param reports: list of gathered reports
    :return: feed as JSON string
    """
    info_fields = {
        'name': feed_name,
        'display_name': display_name,
        'provider_url': 'http://' + site,
        'summary': feed_summary,
        'tech_data': "There are no requirements to share any data to receive this feed.",
    }

    # the icon is optional; only emit the key when a value was supplied
    if icon_link:
        info_fields['icon'] = icon_link

    info = CbFeedInfo(**info_fields)
    deduped = remove_duplicate_reports(reports)

    return CbFeed(info, deduped).dump()
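def create():
    """Build the Tor exit-node feed and return it serialized.

    Nodes come from ``get_tor_nodes()`` and are turned into reports by
    ``build_reports``; the feed metadata is validated by CbFeedInfo and the
    whole feed dumped through CbFeed.

    :return: the dumped feed
    """
    nodes = get_tor_nodes()
    reports = build_reports(nodes)

    feedinfo = {
        'name': 'tor',
        'display_name': "Tor Exit Nodes",
        'provider_url': 'https://www.torproject.org/',
        'summary': "This feed is a list of Tor Node IP addresses, updated every 30 minutes.",
        'tech_data': "There are no requirements to share any data to receive this feed.",
        'icon': 'tor.png',
        'icon_small': 'tor.small.jpg',
        'category': 'Open Source',
    }

    # The icon paths are relative; switching into this module's directory is
    # the original "lazy way out" of resolving them.  os.chdir affects the
    # whole process, so the restore is in a finally block -- the original
    # skipped it whenever CbFeedInfo/CbFeed/dump() raised.
    old_cwd = os.getcwd()
    os.chdir(os.path.dirname(os.path.realpath(__file__)))
    try:
        feed = CbFeed(CbFeedInfo(**feedinfo), reports)
        created_feed = feed.dump()
    finally:
        os.chdir(old_cwd)

    return created_feed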
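def create(localcsv=None):
    """Build the Malware Domain List feed and return it serialized.

    :param localcsv: optional path to a locally saved copy of the MDL CSV;
        when omitted the CSV is downloaded from malwaredomainlist.com
    :return: the dumped feed (the original bound it to a local named ``bytes``)
    :raises requests.HTTPError: when the remote download answers with an
        error status (the original parsed such an error body as CSV)
    """
    if localcsv:
        # context manager closes the handle; the original leaked it
        with open(localcsv, "r") as fh:
            lines = fh.readlines()
    else:
        # requests has no default timeout, so a stalled server would hang the
        # feed build; raise_for_status keeps an HTTP error page from being
        # ingested as feed data.  The list is fetched over plain HTTP as in
        # the original URL, i.e. without transport integrity.
        r = requests.get("http://www.malwaredomainlist.com/mdlcsv.php",
                         stream=True, timeout=60)
        r.raise_for_status()
        lines = r.text.split("\r\n")

    reports = reports_from_csv(lines)
    feedinfo = {
        'name': 'mdl',
        'display_name': "Malware Domain List",
        'provider_url': "http://www.malwaredomainlist.com/mdl.php",
        'summary': "Malware Domain List is a non-commercial community project to track domains used by malware." +
                   " This feed contains the most recent 180 days of entries.",
        'tech_data': "There are no requirements to share any data to receive this feed.",
        "icon": "mdl.png",
    }

    # The icon path is relative; switching into this module's directory is
    # the original "lazy way out".  os.chdir is process-wide, so restore it
    # in a finally block instead of only on the success path.
    old_cwd = os.getcwd()
    os.chdir(os.path.dirname(os.path.realpath(__file__)))
    try:
        feed = CbFeed(CbFeedInfo(**feedinfo), reports)
        feed_bytes = feed.dump()
    finally:
        os.chdir(old_cwd)

    return feed_bytes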
    def _initialize_feed(self):
        """Build the CbFeedInfo describing this integration's feed.

        All values come from the instance: ``integration_name`` is read as
        an attribute, the rest through the ``integration_*`` accessor
        methods.  Field validation, if any, happens inside CbFeedInfo
        (not visible here).

        :return: a CbFeedInfo for this integration
        """
        fields = dict(
            name=self.integration_name,
            display_name=self.integration_display_name(),
            summary=self.integration_summary(),
            tech_data=self.integration_detail(),
            provider_url=self.integration_url(),
            icon=self.integration_icon(),
        )
        return CbFeedInfo(**fields)
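def _file_as_base64(path):
    """Return the contents of the file at *path* as a base64 text string.

    The file is read in binary mode: base64.b64encode takes bytes, and the
    original text-mode ``open(path).read()`` handed it a str, which
    base64.b64encode rejects on Python 3 (and text decoding would corrupt
    image bytes anyway).  The handle is closed by the context manager.

    :param path: filesystem path to the icon file
    :return: base64-encoded contents as a str
    """
    with open(path, "rb") as fh:
        return base64.b64encode(fh.read()).decode("utf-8")


def create_feed(options):
    """Build a feed from parsed command-line options and return its dump.

    :param options: argparse-style namespace with ``name``, ``display_name``,
        ``url``, ``summary`` and ``techdata``, plus the optional ``icon``,
        ``small_icon`` (file paths) and ``category``
    :return: the dumped feed from ``CbFeed.dump()``
    """
    # required feed information fields, straight from the arguments
    feedinfo = {
        'name': options.name,
        'display_name': options.display_name,
        'provider_url': options.url,
        'summary': options.summary,
        'tech_data': options.techdata,
    }

    # optional icons are embedded as base64 rather than referenced by path
    if options.icon:
        feedinfo['icon'] = _file_as_base64(options.icon)

    if options.small_icon:
        feedinfo['icon_small'] = _file_as_base64(options.small_icon)

    # optional category
    if options.category:
        feedinfo['category'] = options.category

    # CbFeedInfo does the field validation
    feedinfo = CbFeedInfo(**feedinfo)

    # always a single report here; it carries all the IOCs
    reports = build_reports(options)

    # CbFeed validates again, including the report data
    feed = CbFeed(feedinfo, reports)

    return feed.dump()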
def create():
    """Build the Tor exit-node feed and return its dump.

    Nodes from ``get_tor_nodes()`` are converted to reports by
    ``build_reports``; the icon is referenced by a relative path under
    ``images/`` and is not resolved here.

    :return: the result of ``CbFeed.dump()``
    """
    reports = build_reports(get_tor_nodes())

    info = CbFeedInfo(
        name='tor',
        display_name="Tor Exit Nodes",
        provider_url='https://www.torproject.org/',
        summary="This feed is a list of Tor Node IP addresses, updated every 30 minutes.",
        tech_data="There are no requirements to share any data to receive this feed.",
        icon='images/tor.png',
    )

    return CbFeed(info, reports).dump()
def generate_feed_information():
    """
    Return the feed 'metadata' for the iSIGHT Partners feed as a CbFeedInfo.

    This describes the feed (name, summary, icons, category); it carries none
    of the feed contents.
    """
    metadata = {
        "name": "iSIGHT",
        "display_name": "iSIGHT Partners feed",
        "summary": "iSIGHT Partners provides a cyber intelligence feed",
        "tech_data": "There are no requirements to share any data with Carbon Black to receive this feed.  The underlying IOC data is provided by iSIGHT Partners",
        "provider_url": "http://www.isightpartners.com/",
        "icon": "isight.png",
        "icon_small": "isight.small.jpg",
        "category": "Partner",
    }
    return CbFeedInfo(**metadata)
def create(input_source):
    """Build a feed from STIX package(s) at *input_source* and return its dump.

    The metadata below is placeholder text for the example integration
    (TODO in the original: adjust name/summary/url to the local source).
    ``input_source`` is interpolated verbatim into the summary string.

    :param input_source: location of the STIX package(s), passed on to
        ``build_reports``
    :return: the result of ``CbFeed.dump()``
    """
    reports = build_reports(input_source)

    summary = "This feed was imported from stix package(s) at %s" % input_source
    info = CbFeedInfo(
        name='stiximport',
        display_name="STIX Package Import",
        provider_url='http://stix.mitre.org',
        summary=summary,
        tech_data="There are no requirements to share any data to receive this feed.",
        icon='images/stix.gif',
    )

    return CbFeed(info, reports).dump()
def build_feed_data(feed_name, display_name, feed_summary, site, icon_link,
                    reports):
    """
    Assemble a feed definition and return it as bytes to be written out.

    :param feed_name: short name of the feed
    :param display_name: display name of the feed
    :param site: host name; the provider URL is built from it with a
                 hard-coded ``http://`` scheme
    :param icon_link: icon path, always included (unlike the typed variant
                      above, an empty value is not dropped)
    :param reports: gathered reports, de-duplicated before the feed is built
    :return: feed as bytes to be written out
    """
    info = CbFeedInfo(
        name=feed_name,
        display_name=display_name,
        provider_url='http://' + site,
        summary=feed_summary,
        tech_data="There are no requirements to share any data to receive this feed.",
        icon=icon_link,
    )

    unique_reports = remove_duplicate_reports(reports)

    return CbFeed(info, unique_reports).dump()
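def create():
    """Build the abuse.ch feed and return it serialized.

    Reports are gathered from the Zeus, Feodo and ransomware trackers via
    the module-level ``get_*`` helpers; a helper that returns nothing
    contributes no reports.

    NOTE(review): the summary string still describes "Zeus and Palevo" and
    "two" blocklists while the sources gathered here are zeus, feodo and
    ransomware -- confirm which text is intended.

    :return: the dumped feed
    """
    reports = []
    for fetch in (get_zeus, get_feodo, get_ransomware):
        tmp = fetch()
        if tmp:
            reports.extend(tmp)

    feedinfo = {
        'name': 'abusech',
        'display_name': "abuse.ch Malware Domains",
        'provider_url': "http://www.abuse.ch",
        'summary':
        "abuse.ch tracks C&C servers for Zeus and Palevo malware. " +
        "This feed combines the two domain names blocklists.",
        'tech_data':
        "There are no requirements to share any data to receive this feed.",
        'icon': "abuse.ch.jpg",
        'icon_small': "abuse.ch.small.jpg",
        'category': "Open Source",
    }

    # The icon paths are relative; changing into this module's directory is
    # the original "lazy way to the icon".  os.chdir is process-wide, so the
    # restore sits in a finally block -- the original skipped it whenever
    # CbFeedInfo/CbFeed/dump() raised.
    old_cwd = os.getcwd()
    os.chdir(os.path.dirname(os.path.realpath(__file__)))
    try:
        feed = CbFeed(CbFeedInfo(**feedinfo), reports)
        feed_bytes = feed.dump()
    finally:
        os.chdir(old_cwd)

    return feed_bytes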