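def analyze(self, line):
    """Parse one whitespace-separated feed line and store the listed hostname.

    Fields, after an optional leading all-digit field is dropped: hostname,
    description (malware, EK, ...), reference (Google Safe Browsing, blog,
    other blacklist, ...) and optionally a YYYYMMDD date -- or the literal
    ``relisted`` followed by that date. Blank lines, ``#`` comments and lines
    with fewer than three fields are ignored; so is any hostname that fails
    ``toolbox.is_hostname`` (the feed is untrusted input). Lines without a
    date are still stored, with ``seen()`` called without a first-seen date.

    Any error while parsing or storing a line is logged via
    ``toolbox.debug_output`` and the line is skipped, so one malformed entry
    cannot abort the whole feed run.
    """
    import hashlib  # local import: the file-level import block is not in view

    line = line.strip()
    # Ignore blank lines and comments.
    if not line or line.startswith("#"):
        return
    fields = line.split()
    if fields[0].isdigit():
        # The leading numeric field carries nothing we store.
        del fields[0]
    # Need at least hostname, description and reference; the original
    # indexed fields[3] unconditionally, which dropped every 3-field line.
    if len(fields) < 3:
        return
    try:
        hostname, description, reference = fields[0], fields[1], fields[2]
        # Feed data is untrusted: refuse to ingest anything that is not a hostname.
        if not toolbox.is_hostname(hostname):
            return

        date_added = None
        if len(fields) > 3:
            date_field = fields[3]
            if date_field == "relisted":
                # "relisted" is followed by the re-inclusion date; without one
                # there is no date to record.
                date_field = fields[4] if len(fields) > 4 else None
            if date_field is not None:
                date_added = datetime.datetime.strptime(date_field, "%Y%m%d")

        # The id is only a deduplication key, not a security control, so md5
        # is acceptable; hashlib replaces the deprecated md5 module. Bytes are
        # required on Python 3; Python 2 str already is bytes.
        key = hostname + description
        if not isinstance(key, bytes):
            key = key.encode("utf-8")

        evil = {
            "source": self.name,
            "id": hashlib.md5(key).hexdigest(),
            "description": description,
            "reference": reference,
        }
        if date_added is not None:
            evil["date_added"] = date_added

        entry = Hostname(hostname=hostname)
        entry.add_evil(evil)
        if date_added is not None:
            entry.seen(first=date_added)
        else:
            entry.seen()
        self.commit_to_db(entry)
    except Exception as e:
        # Deliberate per-line isolation: log and move on to the next line.
        toolbox.debug_output(str(e), type="error")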
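def analyze(self, line):
    """Store the hostname listed on one line of the feed.

    Layout (whitespace separated): an optional all-digit first field that is
    discarded, then hostname, description (malware, EK, ...), reference
    (Google Safe Browsing, blog, other blacklist, ...) and an optional
    YYYYMMDD date, which may be preceded by the literal 'relisted'.
    Blank lines, '#' comments, lines with fewer than three fields and
    hostnames rejected by toolbox.is_hostname are skipped. A line with no
    date is still stored; seen() is then called without a first-seen date.

    Errors are logged through toolbox.debug_output and the offending line is
    skipped so that a single bad entry does not stop the feed.
    """
    import hashlib  # local import: the file-level import block is not in view

    line = line.strip()
    if not line or line.startswith('#'):
        return
    parts = line.split()
    if parts[0].isdigit():
        del parts[0]  # the leading numeric field is not stored
    # hostname, description and reference are mandatory. The original read
    # parts[3] without a length check and silently dropped 3-field lines.
    if len(parts) < 3:
        return
    try:
        host, desc, ref = parts[0], parts[1], parts[2]
        if not toolbox.is_hostname(host):
            # Untrusted feed content: never store a malformed indicator.
            return

        first_seen = None
        if len(parts) > 3:
            stamp = parts[3]
            if stamp == 'relisted':
                # 'relisted' is followed by the new inclusion date (if any).
                stamp = parts[4] if len(parts) > 4 else None
            if stamp is not None:
                first_seen = datetime.datetime.strptime(stamp, "%Y%m%d")

        # md5 is used purely as a dedup key here (not a security control);
        # hashlib replaces the deprecated md5 module and needs bytes on Py3.
        digest_input = host + desc
        if not isinstance(digest_input, bytes):
            digest_input = digest_input.encode('utf-8')

        evil = {}
        evil['source'] = self.name
        evil['id'] = hashlib.md5(digest_input).hexdigest()
        evil['description'] = desc
        evil['reference'] = ref
        if first_seen is not None:
            evil['date_added'] = first_seen

        record = Hostname(hostname=host)
        record.add_evil(evil)
        if first_seen is None:
            record.seen()
        else:
            record.seen(first=first_seen)
        self.commit_to_db(record)
    except Exception as e:
        # Per-line isolation on purpose: log and continue with the feed.
        toolbox.debug_output(str(e), type='error')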
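def analyze(self, dict):
    """Store one feed record (a mapping with a 'domain' key) as a Hostname.

    The record is enriched in place with 'host', 'id', 'description' and
    'source' and attached to the hostname as its evil entry. Records with no
    'domain' key, an empty domain or one rejected by toolbox.is_hostname are
    skipped instead of raising, since the feed is untrusted input.

    The parameter is named ``dict`` to keep the existing call interface; it
    is rebound locally so the builtin is not shadowed in the body.
    """
    import hashlib  # local import: the file-level import block is not in view

    record = dict
    try:
        domain = record['domain']
    except KeyError:
        # Malformed record, skipping
        return
    if not domain or not toolbox.is_hostname(domain):
        return

    # The id is only a deduplication key, not a security control, so md5 is
    # acceptable; hashlib replaces the deprecated md5 module and needs bytes
    # on Python 3 (Python 2 str already is bytes).
    key = domain + 'InfosecCertPaItFQDN'
    if not isinstance(key, bytes):
        key = key.encode('utf-8')

    record['host'] = domain
    record['id'] = hashlib.md5(key).hexdigest()
    record['description'] = self.description
    record['source'] = self.name

    elt = Hostname(hostname=domain)
    elt.seen()
    elt.add_evil(record)
    self.commit_to_db(elt)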
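def analyze(self, dict):
    """Store one RSS item ('title', 'description', 'guid') as a Hostname.

    The hostname is the first one toolbox.find_hostnames extracts from the
    title; the listing status is the word after ``Status: `` in the
    description and the record id is the md5 of the ``id=<hex>`` value in
    the guid. Items missing a key, a hostname, a parsable status or a guid
    id are skipped rather than raising, so one malformed item cannot abort
    the feed run. The item is enriched in place with 'status', 'id' and
    'source' and attached to the hostname as its evil entry.

    The parameter is named ``dict`` to keep the existing call interface; it
    is rebound locally so the builtin is not shadowed in the body.
    """
    import hashlib  # local import: the file-level import block is not in view

    item = dict
    try:
        title, description, guid = item['title'], item['description'], item['guid']
    except KeyError:
        # Malformed item, skipping
        return
    if not title:
        return

    # The original indexed [0] unconditionally and crashed on titles
    # without any hostname.
    hostnames = toolbox.find_hostnames(title)
    if not hostnames:
        return
    hostname = Hostname(hostname=hostnames[0])
    if hostname['value'] is None:
        return

    status = re.search(r"Status: (?P<status>\S+)", description)
    guid_id = re.search(r"id=(?P<id>[a-f0-9]+)", guid)
    if status is None or guid_id is None:
        # Unexpected description/guid layout, skipping
        return

    # md5 is only a deduplication key here, not a security control; hashlib
    # replaces the deprecated md5 module and needs bytes on Python 3.
    key = guid_id.group('id')
    if not isinstance(key, bytes):
        key = key.encode('utf-8')

    item['status'] = status.group('status')
    item['id'] = hashlib.md5(key).hexdigest()
    item['source'] = self.name

    hostname.seen()
    hostname.add_evil(item)
    self.commit_to_db(hostname)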
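def analyze(self, line):
    """Parse one comma-separated feed line and store the IP and its domains.

    Columns: ip, port, domains ('/'-separated), traffic info, description,
    date (YYYY-MM-DD). The header line ('IP address'), '#' comments, lines
    with the wrong column count and lines whose date does not parse are
    skipped, so a malformed line never aborts the feed run. The IP and every
    domain accepted by toolbox.is_hostname share one evil record; each
    stored domain is linked to the stored IP via self.model.connect.
    """
    import hashlib  # local import: the file-level import block is not in view

    line = line.strip()
    if line.startswith("#") or line.startswith("IP address"):
        return
    try:
        ip_addr, port_field, domain_field, traffic_info, description, date_string = line.split(',')
    except ValueError:
        # Malformed line, skipping
        return
    try:
        date_added = datetime.datetime.strptime(date_string, "%Y-%m-%d")
    except ValueError:
        # Unparseable date, skipping (previously this exception escaped)
        return

    full_description = "{}".format(description)
    if traffic_info:
        full_description += " ({})".format(traffic_info)

    # md5 is only a deduplication key here, not a security control; hashlib
    # replaces the deprecated md5 module and needs bytes on Python 3.
    key = full_description + ip_addr + date_string
    if not isinstance(key, bytes):
        key = key.encode("utf-8")

    evil = {
        'ip': ip_addr,
        'domains': domain_field,
        'description': full_description,
        'date_added': date_added,
        'id': hashlib.md5(key).hexdigest(),
        'source': self.name,
    }
    port = re.search(r"\d+", port_field)  # raw string: '\d' in a plain string is deprecated
    if port:
        evil['port'] = port.group()

    ip_entry = Ip(ip=ip_addr)
    ip_entry.seen(first=date_added)
    ip_entry.add_evil(evil)
    stored_ip = self.commit_to_db(ip_entry)

    # Feed content is untrusted: only well-formed hostnames are stored.
    for candidate in domain_field.split('/'):
        domain = candidate.strip()
        if not toolbox.is_hostname(domain):
            continue
        host = Hostname(hostname=domain)
        host.seen(first=date_added)
        host.add_evil(evil)
        stored_host = self.commit_to_db(host)
        self.model.connect(stored_host, stored_ip)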