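def _parse(self):
    """Parse the EmergingThreats block list into ``Intel`` records.

    One indicator per non-comment, non-blank line. A line containing a
    ``/`` is labelled ``ip_range``; any other line is labelled
    ``ip_address``. Lines that ``Intel`` or ``add_ip`` reject are skipped
    so one malformed feed line does not abort the rest of the feed.
    """
    for line in self._raw_threat_intel.split("\n"):
        # Comment lines start with '#'; a line shorter than two characters
        # cannot hold an address. ``==`` rather than ``is``: comparing to a
        # string literal by identity only worked through CPython's interning
        # of one-character strings and is a SyntaxWarning on 3.8+.
        if line[:1] == "#" or len(line) < 2:
            continue
        # Local renamed from ``type`` so the builtin is not shadowed;
        # ``"/" in line`` cannot raise, so it needs no try block.
        indicator_type = "ip_range" if "/" in line else "ip_address"
        # Add as source ip
        try:
            intel = Intel(
                original=line,
                event_type="indicator",
                event_reference=self._feed_url,
                event_provider="EmergingThreats",
                event_dataset="fwrules/emerging-Block-IPs",
                threat_first_seen=None,
                threat_last_seen=None,
                threat_type=indicator_type,
            )
            intel.add_ip(ip=line)
        except Exception:
            # Best-effort: the feed body is untrusted input, so a line that
            # ``Intel``/``add_ip`` cannot handle is dropped rather than
            # stopping the remaining lines from being ingested.
            pass
        else:
            intel.add_docid()
            self.intel.append(intel)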
def test_add_ip(self):
    """``add_ip`` stores the address, and the port only when one is given."""
    # Address only: only the ip key is asserted on, as in the original test.
    ip_only = Intel()
    ip_only.add_ip(ip="1.1.1.1")
    indicator = ip_only.intel["threat"]["indicator"]
    self.assertEqual(indicator["ip"], "1.1.1.1")

    # Address plus port: both values must round-trip unchanged (port stays int).
    with_port = Intel()
    with_port.add_ip(ip="1.1.1.1", port=443)
    indicator = with_port.intel["threat"]["indicator"]
    self.assertEqual(indicator["ip"], "1.1.1.1")
    self.assertEqual(indicator["port"], 443)
def _parse(self):
    """Parse the botvrij ip-dst list: one bare address per line.

    Every line is handed to ``Intel``/``add_ip`` exactly as read; a line
    they reject is skipped. There is no comment or blank-line filter here,
    unlike the other feed parsers, so the empty string that ``split("\\n")``
    yields for a trailing newline is offered to ``add_ip`` as well.
    NOTE(review): whether ``add_ip`` rejects an empty string is not visible
    in this file — confirm, otherwise blank lines become empty indicators.
    """
    for line in self._raw_threat_intel.split("\n"):
        # Add as source ip
        try:
            record = Intel(
                original=line,
                event_type="indicator",
                event_reference=self._feed_url,
                event_provider="botvrij",
                event_dataset="botvrij.ip-dst",
                threat_first_seen=None,
                threat_last_seen=None,
                threat_type="IPV4",
            )
            record.add_ip(ip=line)
        except Exception:
            # Best-effort: drop any line ``Intel``/``add_ip`` cannot handle.
            continue
        record.add_docid()
        self.intel.append(record)
def _parse(self):
    """Parse the AbuseIPDB blacklist response into ``Intel`` records.

    Iterates ``self._raw_threat_intel["data"]``; each entry's full JSON is
    kept as ``original`` and its ``ipAddress``/``lastReportedAt`` fields are
    used for the indicator. Entries missing either field, or rejected by
    ``Intel``/``add_ip``, are skipped. A missing top-level ``data`` key is
    not guarded and propagates to the caller.
    """
    for entry in self._raw_threat_intel["data"]:
        # Add as source ip
        try:
            record = Intel(
                original=json.dumps(entry),
                event_type="indicator",
                event_reference=self._feed_url,
                event_provider="AbuseIPdb",
                event_dataset="blacklist",
                threat_first_seen=None,
                threat_last_seen=entry["lastReportedAt"],
                threat_type="ip_address",
            )
            record.add_ip(ip=entry["ipAddress"])
        except Exception:
            # Best-effort: a KeyError on the two fields above, a non-JSON
            # serialisable entry, or an ``Intel``/``add_ip`` rejection all
            # drop just this entry.
            continue
        record.add_docid()
        self.intel.append(record)
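def _parse(self):
    """Parse the Spamhaus extended DROP list into ``Intel`` records.

    Lines have the shape ``<indicator>;<description>``; lines starting with
    ``;`` are comments. A line with no ``;`` separator (including a blank
    line) raises IndexError on the description column and is skipped.
    NOTE(review): fields keep their surrounding whitespace (no strip) and
    the record is labelled ``threat_type="domain"`` although its value is
    passed to ``add_ip`` — confirm both are intended.
    """
    for line in self._raw_threat_intel.split("\n"):
        # ``==`` rather than ``is``: identity comparison against a literal
        # relied on CPython string interning and warns on 3.8+.
        if line[:1] == ";":
            continue
        split_line = line.split(";")
        # Add as source ip
        try:
            intel = Intel(
                original=line,
                event_type="indicator",
                event_reference=self._feed_url,
                event_provider="Spamhaus",
                event_dataset="Spamhaus.extendeddrop",
                threat_first_seen=None,
                threat_last_seen=None,
                threat_type="domain",
                threat_description=split_line[1],
            )
            intel.add_ip(ip=split_line[0])
        except IndexError:
            # Malformed or blank line without a description column: skip.
            pass
        else:
            intel.add_docid()
            self.intel.append(intel)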
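def _parse(self):
    """Parse the abuse.ch Feodo Tracker CSV into ``Intel`` records.

    Columns used: ``[0]`` first seen, ``[1]`` destination ip, ``[2]`` port,
    ``[3]`` last online, ``[4]`` malware name. Lines starting with ``#`` are
    comments; any line with fewer than five columns (including a blank line)
    raises IndexError and is skipped.
    NOTE(review): the port is passed as the raw CSV string, whereas the
    unit test for ``add_ip`` uses an int — confirm ``add_ip`` normalises it.
    """
    for line in self._raw_threat_intel.split("\n"):
        # ``==`` rather than ``is``: identity comparison against a literal
        # relied on CPython string interning and warns on 3.8+.
        if line[:1] == "#":
            continue
        split_line = line.split(",")
        # add as destination ip
        try:
            intel = Intel(
                original=line,
                event_type="indicator",
                event_reference=self._feed_url,
                event_provider="Abuse.ch",
                event_dataset="FeodoTracker",
                threat_first_seen=split_line[0],
                threat_last_seen=split_line[3],
                threat_type="ip_address",
                threat_description=split_line[4],
            )
            intel.add_ip(ip=split_line[1], port=split_line[2])
            intel.add_malware(name=split_line[4])
        except IndexError:
            # Too few columns (malformed or blank line): skip it. The
            # previously bound ``err`` was never used.
            pass
        else:
            intel.add_docid()
            self.intel.append(intel)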