Example #1
0
    def process(self):
        """
        The Ranswomware Tracker has comments in it.
        The IP address field can also have more than one address.
        The ASN and Country code are being ignored, an expert parser can get those added.
        """

        report = self.receive_message()
        raw_report = utils.base64_decode(report.get("raw"))

        for row in csv.reader(io.StringIO(raw_report)):
            if row[0].startswith('#'):
                continue

            if '|' in row[7]:
                for ipaddr in row[7].split('|'):
                    new_row = '"' + row[0] + '","' + row[1] + '","' + row[2] + '","' + row[3] \
                              + '","' + row[4] + '","' + row[5] + '","' + row[6] + '","' + ipaddr \
                              + '","' + row[8] + '","' + row[9] + '"'

                    for nrow in csv.reader(io.StringIO(new_row)):
                        ev = Event(report)
                        ev.add('classification.identifier', nrow[2].lower())
                        ev.add('classification.type', 'c&c')
                        ev.add('time.source', nrow[0] + ' UTC', force=True)
                        ev.add('status', nrow[5])
                        ev.add('source.ip', nrow[7])
                        ev.add('raw', ','.join(nrow))
                        if FQDN.is_valid(nrow[3]):
                            ev.add('source.fqdn', nrow[3])
                        if URL.is_valid(nrow[4]):
                            ev.add('source.url', nrow[4])
                        self.send_message(ev)
            else:
                event = Event(report)
                event.add('classification.identifier', row[2].lower())
                event.add('classification.type', 'c&c')
                event.add('time.source', row[0] + ' UTC')
                event.add('status', row[5])
                event.add('raw', ','.join(row))
                if IPAddress.is_valid(row[7]):
                    event.add('source.ip', row[7])
                if FQDN.is_valid(row[3]):
                    event.add('source.fqdn', row[3])
                if URL.is_valid(row[4]):
                    event.add('source.url', row[4])
                self.send_message(event)
        self.acknowledge_message()
Example #2
0
    def parse_line(self, line, report):
        if line.startswith('#'):
            self.tempdata.append(line)

        else:
            line = line.split()
            event = Event(report)
            event.add('time.source', line[5] + 'T' + line[6] + '+00:00')
            event.add('source.ip', line[0])
            if FQDN.is_valid(line[2]):
                event.add('source.reverse_dns', line[2])
            event.add('classification.type', 'scanner')
            event.add('event_description.text', 'IPs banned for serious abusing of Bitcash services '
                                                '(scanning, sniffing, harvesting, dos attacks)')
            event.add('raw', ','.join(line))

            yield event
Example #3
0
    def parse_line(self, line, report):
        if line.startswith('#'):
            self.tempdata.append(line)

        else:
            line = line.split()
            event = Event(report)
            event.add('time.source', line[5] + 'T' + line[6] + '+00:00')
            event.add('source.ip', line[0])
            if FQDN.is_valid(line[2]):
                event.add('source.reverse_dns', line[2])
            event.add('classification.type', 'scanner')
            event.add(
                'event_description.text',
                'IPs banned for serious abusing of Bitcash services '
                '(scanning, sniffing, harvesting, dos attacks)')
            event.add('raw', ','.join(line))

            yield event
Example #4
0
    def parse_line(self, line, report):
        if line.startswith('#') or len(line) == 0:
            self.tempdata.append(line)
        else:
            lvalue = line.split('\t')
            event = Event(report)

            event.add('classification.identifier', lvalue[0].lower())
            event.add('time.source', DateTime.from_timestamp(int(lvalue[1])))
            if IPAddress.is_valid(lvalue[2]):
                event.add('source.ip', lvalue[2])

            if FQDN.is_valid(lvalue[3]):
                event.add('source.fqdn', lvalue[3])

            if URL.is_valid(lvalue[4]):
                event.add('source.url', lvalue[4])

            event.add('raw', line)
            event.add('classification.type', 'exploit')
            event.add('event_description.url', 'http://data.netlab.360.com/ek')

            yield event
Example #5
0
    def process(self):
        """
        The Ranswomware Tracker has comments in it.
        The IP address field can also have more than one address.
        The ASN and Country code are being ignored, an expert parser can get those added.
        """

        report = self.receive_message()
        raw_report = utils.base64_decode(report.get("raw"))

        for row in csv.reader(io.StringIO(raw_report)):
            if row[0].startswith("#"):
                continue

            if "|" in row[7]:
                for ipaddr in row[7].split("|"):
                    new_row = (
                        '"'
                        + row[0]
                        + '","'
                        + row[1]
                        + '","'
                        + row[2]
                        + '","'
                        + row[3]
                        + '","'
                        + row[4]
                        + '","'
                        + row[5]
                        + '","'
                        + row[6]
                        + '","'
                        + ipaddr
                        + '","'
                        + row[8]
                        + '","'
                        + row[9]
                        + '"'
                    )

                    for nrow in csv.reader(io.StringIO(new_row)):
                        ev = Event(report)
                        ev.add("classification.identifier", nrow[2].lower())
                        ev.add("classification.type", "c&c")
                        ev.add("time.source", nrow[0] + " UTC", force=True)
                        ev.add("status", nrow[5])
                        ev.add("source.ip", nrow[7])
                        ev.add("raw", ",".join(nrow))
                        if FQDN.is_valid(nrow[3]):
                            ev.add("source.fqdn", nrow[3])
                        if URL.is_valid(nrow[4]):
                            ev.add("source.url", nrow[4])
                        self.send_message(ev)
            else:
                event = Event(report)
                event.add("classification.identifier", row[2].lower())
                event.add("classification.type", "c&c")
                event.add("time.source", row[0] + " UTC")
                event.add("status", row[5])
                event.add("raw", ",".join(row))
                if IPAddress.is_valid(row[7]):
                    event.add("source.ip", row[7])
                if FQDN.is_valid(row[3]):
                    event.add("source.fqdn", row[3])
                if URL.is_valid(row[4]):
                    event.add("source.url", row[4])
                self.send_message(event)
        self.acknowledge_message()