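def analyze(self, line):
    """Parse one whitespace-separated feed line and store the listed hostname.

    Expected layout (an optional leading numeric index is dropped first):
    hostname, description (malware family, EK, ...), reference (blog post,
    other blacklist, ...) and the date of inclusion as YYYYMMDD, optionally
    preceded by the word ``relisted``. Blank lines, comment lines (``#``)
    and lines with too few fields are skipped. Any other failure while
    parsing or storing the entry is reported through ``toolbox.debug_output``
    and the line is skipped, so a single bad feed entry never aborts the
    whole update.
    """
    import hashlib  # local import: the module's import block is not part of this listing

    line = line.strip()
    sline = line.split()
    # Ignore blank lines, comments and entries with no clear reference.
    if not line or line.startswith("#") or len(sline) < 3:
        return
    try:
        if sline[0].isdigit():
            del sline[0]  # remove the useless index field
        # After dropping the index the row must still hold hostname,
        # description, reference and a date; checking explicitly avoids
        # relying on an IndexError being swallowed below.
        if len(sline) < 4:
            toolbox.debug_output("Skipping feed entry with too few fields: %s" % line, type="error")
            return

        # Last date of inclusion in the feed, possibly after a "relisted" marker.
        date_field = sline[3]
        if date_field == "relisted":
            if len(sline) < 5:
                toolbox.debug_output("Skipping relisted entry without a date: %s" % line, type="error")
                return
            date_field = sline[4]
        date_added = datetime.datetime.strptime(date_field, "%Y%m%d")

        # Dedup key for the (hostname, description) pair. MD5 is an identifier
        # here, not a security control. Encode only on Python 3 (str is bytes on 2).
        key = sline[0] + sline[1]
        if not isinstance(key, bytes):
            key = key.encode("utf-8")

        evil = {
            "source": self.name,
            "id": hashlib.md5(key).hexdigest(),
            "description": sline[1],  # malware, EK, etc
            "reference": sline[2],  # GG safe browsing, blog, other blacklist, etc...
            "date_added": date_added,
        }

        # Hostname validation is left to the Hostname type (not visible here) — TODO confirm.
        _hostname = Hostname(hostname=sline[0])
        _hostname.add_evil(evil)
        _hostname.seen(first=evil["date_added"])
        self.commit_to_db(_hostname)
    except Exception as e:
        # Per-line boundary: log and skip rather than abort the feed update.
        toolbox.debug_output(str(e), type="error")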
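    def analyze(self, line):
        """Parse one whitespace-separated feed line and store the hostname.

        Field order (a leading numeric index, if present, is discarded):
        hostname, description (malware, EK, ...), reference (GG safe browsing,
        blog, other blacklist, ...) and the last date of inclusion in the feed
        as YYYYMMDD, optionally preceded by ``relisted``. Blank lines, comment
        lines and lines with too few fields are ignored. Other failures are
        reported via ``toolbox.debug_output`` and the line is skipped, so one
        malformed entry does not stop the feed update.
        """
        import hashlib  # local import: the module's import block is not part of this listing

        line = line.strip()
        sline = line.split()
        # ignore blank lines, comments and entries with no clear reference
        if not line or line.startswith('#') or len(sline) < 3:
            return
        try:
            if sline[0].isdigit():
                del sline[0]  # remove the useless first field
            # Re-check after the deletion: hostname, description, reference
            # and a date are all required below.
            if len(sline) < 4:
                toolbox.debug_output('Skipping feed entry with too few fields: %s' % line, type='error')
                return

            # add the last date of inclusion in the feed
            date_field = sline[3]
            if date_field == 'relisted':
                if len(sline) < 5:
                    toolbox.debug_output('Skipping relisted entry without a date: %s' % line, type='error')
                    return
                date_field = sline[4]
            date_added = datetime.datetime.strptime(date_field, "%Y%m%d")

            # Dedup identifier for (hostname, description); MD5 is not used as
            # a security control here. str is already bytes on Python 2.
            key = sline[0] + sline[1]
            if not isinstance(key, bytes):
                key = key.encode('utf-8')

            evil = {}
            evil['source'] = self.name
            evil['id'] = hashlib.md5(key).hexdigest()
            evil['description'] = sline[1]  # malware, EK, etc
            evil['reference'] = sline[2]  # GG safe browsing, blog, other blacklist, etc...
            evil['date_added'] = date_added

            # Any validation of the hostname value happens inside Hostname — TODO confirm.
            _hostname = Hostname(hostname=sline[0])
            _hostname.add_evil(evil)
            _hostname.seen(first=evil['date_added'])
            self.commit_to_db(_hostname)
        except Exception as e:
            # Per-line boundary: report and move on to the next feed line.
            toolbox.debug_output(str(e), type='error')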
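    def analyze(self, dict):
        """Store the hostname described by one parsed feed entry.

        ``dict`` is the entry produced by the feed reader and must carry a
        ``domain`` key. The entry is copied before the bookkeeping fields
        (host, id, description, source) are added, so the caller's mapping
        is left untouched. The parameter keeps its historical name, which
        shadows the builtin, so the copy is made with ``update`` rather than
        ``dict(...)``.
        """
        import hashlib  # local import: the module's import block is not part of this listing

        evil = {}
        evil.update(dict)

        evil['host'] = dict['domain']
        # Stable dedup key for this feed's entries; MD5 is an identifier here,
        # not a security control. Encode only where str is not bytes (Python 3).
        key = evil['domain'] + 'InfosecCertPaItFQDN'
        if not isinstance(key, bytes):
            key = key.encode('utf-8')
        evil['id'] = hashlib.md5(key).hexdigest()
        evil['description'] = self.description
        evil['source'] = self.name

        elt = Hostname(hostname=evil['host'])
        elt.seen()
        elt.add_evil(evil)
        self.commit_to_db(elt)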
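	def analyze(self, dict):
		"""Create the Hostname described by one feed entry and store it.

		``dict`` is the parsed feed item: ``title`` must contain the hostname,
		``description`` a ``Status: <value>`` fragment and ``guid`` an
		``id=<hex>`` fragment. Entries where any of these cannot be extracted
		are reported through ``toolbox.debug_output`` and skipped instead of
		raising into the feed loop. The caller's mapping is not modified.
		"""
		import hashlib  # local import: the module's import block is not part of this listing

		# Create the new Hostname and store it in the DB
		hostnames = toolbox.find_hostnames(dict['title'])
		if not hostnames:
			toolbox.debug_output("No hostname found in feed title: %s" % dict['title'], type='error')
			return
		hostname = Hostname(hostname=hostnames[0])
		if hostname['value'] is None:  # presumably Hostname rejected the value — verify in Hostname
			return

		status = re.search(r"Status: (?P<status>\S+)", dict['description'])
		guid_id = re.search(r"id=(?P<id>[a-f0-9]+)", dict['guid'])
		if status is None or guid_id is None:
			toolbox.debug_output("Unparseable feed entry: %s" % dict['guid'], type='error')
			return

		evil = {}
		evil.update(dict)
		evil['status'] = status.group('status')
		# Dedup key derived from the feed's own id; MD5 is an identifier here,
		# not a security control. str is already bytes on Python 2.
		key = guid_id.group('id')
		if not isinstance(key, bytes):
			key = key.encode('utf-8')
		evil['id'] = hashlib.md5(key).hexdigest()
		evil['source'] = self.name

		hostname.add_evil(evil)
		self.commit_to_db(hostname)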
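    def analyze(self, line):
        """Parse one CSV line of the feed and store the IP and its domains.

        Expected columns: ip, port, domains, traffic_info, description and
        date (YYYY-MM-DD). Header and comment lines, lines with the wrong
        number of columns and lines with an unparseable date are skipped.
        The domains column is a ``/``-separated list; every entry that
        ``toolbox.is_hostname`` accepts is stored and linked to the IP. The
        same ``evil`` mapping is attached to the IP and to each hostname.
        """
        import hashlib  # local import: the module's import block is not part of this listing

        line = line.strip()  # a trailing newline would otherwise end up in date_string
        if line.startswith(("#", "IP address")):
            return
        try:
            ip, port, domains, traffic_info, description, date_string = line.split(',')
        except ValueError:
            # Malformed line (wrong column count), skipping
            return

        try:
            date_added = datetime.datetime.strptime(date_string, "%Y-%m-%d")
        except ValueError:
            toolbox.debug_output("Unparseable date in feed line: %s" % line, type='error')
            return

        evil = {}
        evil['ip'] = ip
        port_match = re.search(r'\d+', port)
        if port_match:
            evil['port'] = port_match.group()
        evil['domains'] = domains
        evil['description'] = "{}".format(description)
        if traffic_info:
            evil['description'] += " ({})".format(traffic_info)
        evil['date_added'] = date_added

        # Dedup key for this entry; MD5 is an identifier here, not a security
        # control. Encode only where str is not bytes (Python 3).
        key = evil['description'] + evil['ip'] + date_string
        if not isinstance(key, bytes):
            key = key.encode('utf-8')
        evil['id'] = hashlib.md5(key).hexdigest()
        evil['source'] = self.name

        ip_elt = Ip(ip=ip)
        hostnames = [d.strip() for d in domains.split('/') if toolbox.is_hostname(d.strip())]

        ip_elt.seen(first=evil['date_added'])
        ip_elt.add_evil(evil)
        stored_ip = self.commit_to_db(ip_elt)

        for d in hostnames:
            h = Hostname(hostname=d)
            h.seen(first=evil['date_added'])
            h.add_evil(evil)
            h = self.commit_to_db(h)
            self.model.connect(h, stored_ip)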
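	def analyze(self, line):
		"""Parse one whitespace-separated feed line and store the hostname.

		Field order (a leading numeric index, if present, is dropped):
		hostname, description (malware, EK, ...), reference (GG safe browsing,
		blog, other blacklist, ...) and the last date of inclusion in the feed
		as YYYYMMDD, optionally preceded by ``relisted``. Blank lines, comment
		lines and lines with too few fields are ignored. A date that does not
		parse raises ValueError to the caller, as before.
		"""
		import hashlib  # local import: the module's import block is not part of this listing

		line = line.strip()
		sline = line.split()
		# ignore blank lines, comments and entries with no clear reference
		if not line or line.startswith('#') or len(sline) < 3:
			return
		if sline[0].isdigit():
			del sline[0]  # remove the useless first field
		# Re-check after the deletion: hostname, description, reference and a
		# date are all read below (the old code would raise IndexError here).
		if len(sline) < 4:
			return

		# add the last date of inclusion in the feed
		date_field = sline[3]
		if date_field == 'relisted':
			if len(sline) < 5:
				return
			date_field = sline[4]
		date_added = datetime.datetime.strptime(date_field, "%Y%m%d")

		# Dedup identifier for (hostname, description); MD5 is not a security
		# control here. str is already bytes on Python 2.
		key = sline[0] + sline[1]
		if not isinstance(key, bytes):
			key = key.encode('utf-8')

		evil = {}
		evil['source'] = self.name
		evil['id'] = hashlib.md5(key).hexdigest()
		evil['description'] = sline[1]  # malware, EK, etc
		evil['reference'] = sline[2]  # GG safe browsing, blog, other blacklist, etc...
		evil['date_added'] = date_added

		# Hostname validation is left to the Hostname type (not visible here) — TODO confirm.
		_hostname = Hostname(hostname=sline[0])
		_hostname.add_evil(evil)
		self.commit_to_db(_hostname)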