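def _parse(self):
    """Parse the raw Abuse.ch SSLBL feed text into ``Intel`` records.

    Each non-comment line is expected to be a CSV triple
    ``first_seen,sha1,listing_reason``. One ``Intel`` per line is appended
    to ``self.intel``. Lines that are blank, start with ``#``, have fewer
    than three fields, or carry a SHA-1 that is not 40 hex characters are
    skipped with a warning rather than crashing the whole feed.

    Reads ``self._raw_threat_intel`` and ``self._feed_url``; mutates
    ``self.intel``.
    """
    import logging  # function-scope import: keeps the file's import block untouched
    log = logging.getLogger(__name__)

    # splitlines() also strips a trailing '\r' on CRLF feeds, which would
    # otherwise end up glued onto the last CSV field (the description).
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        # '#' marks feed header/comment lines; blank lines carry nothing.
        if not line or line.startswith("#"):
            continue

        fields = line.split(",")
        try:
            first_seen, sha1, description = fields[0], fields[1], fields[2]
        except IndexError:
            # The feed is untrusted remote input: drop the malformed line,
            # but say so, since silent drops hide format changes/tampering.
            log.warning("SSLBlackList: skipping malformed line: %r", raw_line)
            continue

        # Reject anything that cannot be a SHA-1 so bad data never becomes
        # an indicator that can be matched (or never matches) downstream.
        if len(sha1) != 40 or any(c not in "0123456789abcdefABCDEF" for c in sha1):
            log.warning("SSLBlackList: skipping line with invalid sha1: %r", raw_line)
            continue

        intel = Intel(
            original=raw_line,
            event_type="indicator",
            event_reference=self._feed_url,
            event_provider="Abuse.ch",
            event_dataset="SSLBlackList",
            threat_first_seen=first_seen,
            threat_last_seen=None,
            threat_type="ssl_hash",
            threat_description=description,
        )
        intel.add_tls(s_sha1=sha1)

        # Read the description back from the record (not the raw field) in
        # case Intel normalises it.
        reason = intel.intel["threat"]["ioc"]["description"]
        if "C&C" in reason:
            intel.add_mitre("TA0011")
        else:
            # NOTE(review): the original test here was `"" in reason`, which is
            # always true for a str, so every non-C&C entry is tagged this way.
            # Kept as an unconditional else to make that explicit; confirm
            # whether a specific listing reason was intended instead.
            intel.add_mitre("TA0042", "T1588.001")

        intel.add_docid()
        self.intel.append(intel)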
def test_add_tls(self):
    """``add_tls()`` must store the server SHA-1 under ``tls.server.hash.sha1``."""
    sha1_fingerprint = "8964f9caf2c4e688a395f4666db072b165f9c28e"
    record = Intel()
    record.add_tls(s_sha1=sha1_fingerprint)
    stored = record.intel["tls"]["server"]["hash"]["sha1"]
    self.assertEqual(stored, sha1_fingerprint)