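    def _parse(self):
        """Parse the EmergingThreats ``emerging-Block-IPs`` feed into ``self.intel``.

        ``self._raw_threat_intel`` holds the raw feed text: one IP address or
        CIDR range per line, ``#`` lines being comments.  Every usable entry
        becomes one ``Intel`` indicator (``threat_type`` ``ip_range`` when the
        entry contains a ``/``, else ``ip_address``) with ``threat.ip`` set to
        the entry, and is appended to ``self.intel``.

        The feed is untrusted network content, so an entry that does not parse
        as an IP address or network is skipped instead of being indexed, and a
        failure while building one ``Intel`` skips only that entry.
        """
        # Function-scope import: the file's import block is outside this view.
        import ipaddress

        for raw_line in self._raw_threat_intel.split("\n"):
            # Strip CR/whitespace so a CRLF feed does not yield "1.2.3.4\r".
            entry = raw_line.strip()
            # Compare by value: the original `line[:1] is "#"` only worked
            # because CPython interns one-character strings.
            if not entry or entry.startswith("#"):
                continue

            # strict=False tolerates host bits set inside a range entry.
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue

            threat_type = "ip_range" if "/" in entry else "ip_address"
            try:
                intel = Intel(original=entry,
                              event_type="indicator",
                              event_reference=self._feed_url,
                              event_module="EmergingThreats",
                              event_dataset="fwrules/emerging-Block-IPs",
                              threat_first_seen=None,
                              threat_last_seen=None,
                              threat_type=threat_type)
                intel.intel["threat"]["ip"] = entry
            except Exception:
                # Best-effort ingest (as before): one bad entry must not
                # abort the whole feed.
                continue
            intel._add_docid()
            self.intel.append(intel)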
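    def _parse(self):
        """Walk the local ESET ``malware-ioc`` clone and ingest its sample hashes.

        Only ``samples.sha1``, ``samples.sha256`` and ``samples.md5`` files are
        read (``.git`` internals and README files are skipped).  Each hash line
        becomes one ``file_hash`` ``Intel`` indicator whose matching
        ``add_file`` hash keyword is set, appended to ``self.intel``.

        The clone is third-party content: blank lines, ``#`` comments and lines
        that are not a hex digest of the length the file name implies are
        reported and skipped rather than indexed as indicators.  (The original
        also created an indicator, with no hash at all, for any other file
        whose name merely contained ``samples``.)
        """
        import os

        # file name -> (add_file keyword, hex digest length)
        hash_files = {
            "samples.sha1": ("sha1", 40),
            "samples.sha256": ("sha256", 64),
            "samples.md5": ("md5", 32),
        }
        hexdigits = set("0123456789abcdefABCDEF")

        for root, _dirs, files in walk("tip/githubclones/eset/malware-ioc"):
            if ".git" in root:
                continue
            for file in files:
                if "README" in file or file not in hash_files:
                    continue
                hash_kind, digest_len = hash_files[file]

                with open(os.path.join(root, file), "r", encoding="utf-8") as iocfile:
                    lines = iocfile.read().split("\n")

                for raw_line in lines:
                    line = raw_line.strip()
                    if not line or line.startswith("#"):
                        continue
                    if len(line) != digest_len or any(c not in hexdigits for c in line):
                        # Report it the way the original reported errors, then drop it.
                        print("skipping malformed {} line in {}: {!r}".format(
                            hash_kind, file, line))
                        continue
                    try:
                        intel = Intel(original=line,
                                      event_type="indicator",
                                      event_reference=self._feed_url,
                                      event_provider="Eset",
                                      event_dataset="malware-ioc",
                                      threat_first_seen=None,
                                      threat_last_seen=None,
                                      threat_type="file_hash")
                        intel.add_file(**{hash_kind: line})
                    except Exception as err:
                        print(err)
                    else:
                        intel.add_docid()
                        self.intel.append(intel)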
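 def _parse(self):
     """Parse the Abuse.ch SSL Blacklist CSV into ``self.intel``.

     Each data line is ``<listing date>,<sha1>,<listing reason>``.  The SHA1
     is the fingerprint of the blacklisted TLS server certificate and is stored
     with ``add_tls``; the listing date becomes ``threat_first_seen`` and the
     reason ``threat_description``.  Reasons containing ``C&C`` are mapped to
     the ATT&CK Command-and-Control tactic (TA0011); every other entry to
     TA0042 / T1588.001.

     Blank lines, ``#`` comments, lines with fewer than three fields and lines
     whose SHA1 field is not 40 hex characters are skipped.
     """
     hexdigits = set("0123456789abcdefABCDEF")

     for raw_line in self._raw_threat_intel.split("\n"):
         line = raw_line.strip()
         # Compare by value: the original `line[:1] is "#"` only worked
         # because CPython interns one-character strings.
         if not line or line.startswith("#"):
             continue
         fields = [f.strip() for f in line.split(",")]
         if len(fields) < 3:
             # The original reached this case as an IndexError and skipped.
             continue
         listed, sha1, reason = fields[0], fields[1], fields[2]
         if len(sha1) != 40 or any(c not in hexdigits for c in sha1):
             continue

         intel = Intel(
             original=line,
             event_type="indicator",
             event_reference=self._feed_url,
             event_provider="Abuse.ch",
             event_dataset="SSLBlackList",
             threat_first_seen=listed,
             threat_last_seen=None,
             threat_type="ssl_hash",
             threat_description=reason
         )
         intel.add_tls(s_sha1=sha1)
         if "C&C" in intel.intel["threat"]["ioc"]["description"]:
             intel.add_mitre("TA0011")
         else:
             # The original tested `"" in description`, which is always true,
             # so this was already the unconditional fallback.
             # NOTE(review): confirm no specific keyword was intended here.
             intel.add_mitre("TA0042", "T1588.001")
         intel.add_docid()
         self.intel.append(intel)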
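 def _parse(self):
     """Parse the Abuse.ch MalwareBazaar CSV export into ``self.intel``.

     The export quotes every field and separates them with ``", "``; the
     columns used are 0 (first seen), 1 (SHA256), 2 (MD5) and 3 (SHA1).
     Each data line becomes one ``file_hash`` ``Intel`` indicator whose
     ``threat.file.hash`` carries the three digests.

     Fields are parsed with the ``csv`` module so the surrounding quotes are
     removed — the original ``split('", "')`` left a leading ``"`` on the
     first field and a trailing one on the last.  Blank lines, ``#`` comments,
     rows with fewer than four fields and rows whose digests do not have the
     expected lengths are skipped.
     """
     import csv

     for raw_line in self._raw_threat_intel.split("\n"):
         line = raw_line.strip()
         # Compare by value: the original `line[:1] is "#"` only worked
         # because CPython interns one-character strings.
         if not line or line.startswith("#"):
             continue
         try:
             fields = next(csv.reader([line], skipinitialspace=True))
         except (csv.Error, StopIteration):
             continue
         if len(fields) < 4:
             continue
         sha256, md5, sha1 = fields[1], fields[2], fields[3]
         if not (len(sha256) == 64 and len(md5) == 32 and len(sha1) == 40):
             continue
         try:
             intel = Intel(original=line,
                           event_type="indicator",
                           event_reference=self._feed_url,
                           event_module="Abuse.ch",
                           event_dataset="MalwareBazaar",
                           threat_first_seen=fields[0],
                           threat_last_seen=None,
                           threat_type="file_hash")
             intel.intel["threat"]["file"] = {
                 "hash": {
                     "sha1": sha1,
                     "sha256": sha256,
                     "md5": md5,
                 }
             }
         except Exception as err:
             print(err)
         else:
             intel._add_docid()
             self.intel.append(intel)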
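 def _parse(self):
     """Parse the Abuse.ch Feodo Tracker CSV into ``self.intel``.

     Fields, by the indices used here: 0 first-seen date, 1 C2 address,
     2 C2 port, 3 last-seen date, 4 malware name.  Each row becomes one
     ``ip_address`` indicator carrying the C2 endpoint as
     ``destination.ip`` / ``destination.port`` (the port as an int, matching
     the ``add_destination`` tests) and the malware name via ``add_malware``.

     Blank lines, ``#`` comments, rows with fewer than five fields, rows whose
     address does not parse and rows whose port is not an integer in
     0..65535 are skipped.
     """
     import ipaddress

     for raw_line in self._raw_threat_intel.split("\n"):
         line = raw_line.strip()
         # Compare by value: the original `line[:1] is "#"` only worked
         # because CPython interns one-character strings.
         if not line or line.startswith("#"):
             continue
         fields = [f.strip() for f in line.split(",")]
         if len(fields) < 5:
             # The original reached this case as an IndexError and skipped.
             continue
         first_seen, address, port_text, last_seen, malware = fields[:5]
         try:
             ipaddress.ip_address(address)
             port = int(port_text)
         except ValueError:
             continue
         if not 0 <= port <= 65535:
             continue

         intel = Intel(
             original=line,
             event_type="indicator",
             event_reference=self._feed_url,
             event_provider="Abuse.ch",
             event_dataset="FeodoTracker",
             threat_first_seen=first_seen,
             threat_last_seen=last_seen,
             threat_type="ip_address",
             threat_description=malware
         )
         intel.add_destination(ip=address, port=port)
         intel.add_malware(name=malware)
         intel.add_docid()
         self.intel.append(intel)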
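 def _parse(self):
     """Parse the Abuse.ch MalwareBazaar CSV export into ``self.intel``.

     The export quotes every field and separates them with ``", "``; the
     columns used are 0 (first seen), 1 (SHA256), 2 (MD5), 3 (SHA1),
     5 (file name), 6 (extension), 7 (MIME type) and 8 (malware signature).
     Each data line becomes one ``file_hash`` ``Intel`` indicator populated
     through ``add_file`` and ``add_malware``.

     Fields are parsed with the ``csv`` module so the surrounding quotes are
     removed — the original ``split('", "')`` left a leading ``"`` on the
     first field and a trailing one on the last.  Blank lines, ``#`` comments,
     rows with fewer than nine fields and rows whose digests do not have the
     expected lengths are skipped.
     """
     import csv

     for raw_line in self._raw_threat_intel.split("\n"):
         line = raw_line.strip()
         # Compare by value: the original `line[:1] is "#"` only worked
         # because CPython interns one-character strings.
         if not line or line.startswith("#"):
             continue
         try:
             fields = next(csv.reader([line], skipinitialspace=True))
         except (csv.Error, StopIteration):
             continue
         if len(fields) < 9:
             continue
         sha256, md5, sha1 = fields[1], fields[2], fields[3]
         if not (len(sha256) == 64 and len(md5) == 32 and len(sha1) == 40):
             continue
         try:
             intel = Intel(
                 original=line,
                 event_type="indicator",
                 event_reference=self._feed_url,
                 event_provider="Abuse.ch",
                 event_dataset="MalwareBazaar",
                 threat_first_seen=fields[0],
                 threat_last_seen=None,
                 threat_type="file_hash"
             )
             intel.add_file(name=fields[5], extension=fields[6], mime_type=fields[7],
                            sha1=sha1, sha256=sha256, md5=md5)
             intel.add_malware(fields[8])
         except Exception as err:
             print(err)
         else:
             intel.add_docid()
             self.intel.append(intel)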
 def test_add_destination(self):
     """add_destination stores the IP, and the port only when one is given."""
     ip_only = Intel()
     ip_only.add_destination(ip="1.1.1.1")
     self.assertEqual(ip_only.intel["destination"]["ip"], "1.1.1.1")

     with_port = Intel()
     with_port.add_destination(ip="1.1.1.1", port=443)
     destination = with_port.intel["destination"]
     self.assertEqual(destination["ip"], "1.1.1.1")
     self.assertEqual(destination["port"], 443)
 def test_add_source(self):
     """add_source stores the IP, and the port only when one is given."""
     ip_only = Intel()
     ip_only.add_source(ip="1.1.1.1")
     self.assertEqual(ip_only.intel["source"]["ip"], "1.1.1.1")

     with_port = Intel()
     with_port.add_source(ip="1.1.1.1", port=443)
     source = with_port.intel["source"]
     self.assertEqual(source["ip"], "1.1.1.1")
     self.assertEqual(source["port"], 443)
 def test_add_ip(self):
     """add_ip stores the IP under threat.indicator, plus the port when given."""
     ip_only = Intel()
     ip_only.add_ip(ip="1.1.1.1")
     self.assertEqual(ip_only.intel["threat"]["indicator"]["ip"], "1.1.1.1")

     with_port = Intel()
     with_port.add_ip(ip="1.1.1.1", port=443)
     indicator = with_port.intel["threat"]["indicator"]
     self.assertEqual(indicator["ip"], "1.1.1.1")
     self.assertEqual(indicator["port"], 443)
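 def _parse(self):
     """Parse an AbuseIPDB ``blacklist`` API response into ``self.intel``.

     ``self._raw_threat_intel`` is the decoded JSON body; each entry of its
     ``data`` list becomes one ``ip_address`` indicator with ``threat.ip`` set
     to ``ipAddress`` and ``threat_last_seen`` to ``lastReportedAt``.  The
     serialized entry is kept as ``original``.

     The response is external input: entries missing either key, whose
     ``ipAddress`` is not a string, or whose address does not parse are
     skipped (the original swallowed every error silently).  A failure while
     building one ``Intel`` still skips only that entry.
     """
     import ipaddress

     for obj in self._raw_threat_intel["data"]:
         try:
             address = obj["ipAddress"]
             last_reported = obj["lastReportedAt"]
         except (KeyError, TypeError):
             continue
         if not isinstance(address, str):
             continue
         try:
             ipaddress.ip_address(address)
         except ValueError:
             continue
         try:
             intel = Intel(
                 original=json.dumps(obj),
                 event_type="indicator",
                 event_reference=self._feed_url,
                 event_module="AbuseIPdb",
                 event_dataset="blacklist",
                 threat_first_seen=None,
                 threat_last_seen=last_reported,
                 threat_type="ip_address"
             )
             intel.intel["threat"]["ip"] = address
         except Exception:
             # Best-effort ingest (as before): one bad entry must not
             # abort the whole response.
             continue
         intel._add_docid()
         self.intel.append(intel)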
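 def _parse(self):
     """Parse the Abuse.ch Feodo Tracker CSV into ``self.intel`` (``threat.ip`` form).

     Fields, by the indices used here: 0 first-seen date, 1 C2 address,
     2 port (unused here), 3 last-seen date, 4 malware name.  Each row becomes
     one ``ip_address`` indicator with ``threat.ip`` set to the C2 address,
     the two dates as ``threat_first_seen`` / ``threat_last_seen`` and the
     malware name as ``threat_description``.

     Blank lines, ``#`` comments, rows with fewer than five fields and rows
     whose address does not parse are skipped.
     """
     import ipaddress

     for raw_line in self._raw_threat_intel.split("\n"):
         line = raw_line.strip()
         # Compare by value: the original `line[:1] is "#"` only worked
         # because CPython interns one-character strings.
         if not line or line.startswith("#"):
             continue
         fields = [f.strip() for f in line.split(",")]
         if len(fields) < 5:
             # The original reached this case as an IndexError and skipped.
             continue
         address = fields[1]
         try:
             ipaddress.ip_address(address)
         except ValueError:
             continue

         intel = Intel(original=line,
                       event_type="indicator",
                       event_reference=self._feed_url,
                       event_module="Abuse.ch",
                       event_dataset="FeodoTracker",
                       threat_first_seen=fields[0],
                       threat_last_seen=fields[3],
                       threat_type="ip_address",
                       threat_description=fields[4])
         intel.intel["threat"]["ip"] = address
         intel._add_docid()
         self.intel.append(intel)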
 def test_add_url(self):
     """add_url derives the scheme and keeps earlier fields on a second call."""
     target = "https://test.domain.com:9500/"

     intel = Intel()
     intel.add_url(original=target)
     url = intel.intel["url"]
     self.assertEqual(url["original"], target)
     self.assertEqual(url["scheme"], "https")

     # Second call on the same object, this time through `full`.
     intel.add_url(full=target)
     url = intel.intel["url"]
     self.assertEqual(url["original"], target)
     self.assertEqual(url["full"], target)
     self.assertEqual(url["scheme"], "https")
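 def _parse(self):
     """Parse the botvrij.eu ``ip-dst`` list into ``self.intel``.

     One destination address (or range) per line; ``#`` starts a comment,
     whether at the start of the line or after an entry (NOTE(review): the
     list is believed to carry ``value # comment`` rows — confirm against the
     feed).  Each entry that parses as IPv4 becomes one ``IPV4`` indicator
     with ``destination.ip`` set; the stripped line is kept as ``original``.

     The feed is untrusted network content: blank lines, comments and entries
     that are not IPv4 are skipped rather than indexed.  (The original
     indexed every line, comments included, as an indicator.)
     """
     import ipaddress

     for raw_line in self._raw_threat_intel.split("\n"):
         line = raw_line.strip()
         # Drop any trailing comment before validating the value.
         address = line.split("#", 1)[0].strip()
         if not address:
             continue
         # The indicator is labelled IPV4, so only accept IPv4 values.
         try:
             if ipaddress.ip_network(address, strict=False).version != 4:
                 continue
         except ValueError:
             continue

         try:
             intel = Intel(original=line,
                           event_type="indicator",
                           event_reference=self._feed_url,
                           event_provider="botvrij",
                           event_dataset="botvrij.ip-dst",
                           threat_first_seen=None,
                           threat_last_seen=None,
                           threat_type="IPV4")
             intel.add_destination(ip=address)
         except Exception:
             # Best-effort ingest (as before): one bad entry must not
             # abort the whole feed.
             continue
         intel.add_docid()
         self.intel.append(intel)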
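 def _parse(self):
     """Parse the botvrij.eu ``domains`` list into ``self.intel``.

     One domain per line; ``#`` starts a comment, at the start of the line or
     after an entry (NOTE(review): confirm the feed's ``value # comment``
     layout).  Each dotted name becomes one ``url`` indicator with
     ``url.domain`` set and ``url.top_level_domain`` set to the last label.

     The last label is the plain TLD, not an effective TLD such as ``co.uk``
     (that needs a public-suffix list, which is not available here).  The
     original used ``split(".")[1]``, which is only the TLD for two-label
     names and is wrong for e.g. ``www.example.com``.  Blank lines, comments
     and values with fewer than two non-empty labels are skipped.
     """
     for raw_line in self._raw_threat_intel.split("\n"):
         line = raw_line.strip()
         domain = line.split("#", 1)[0].strip()
         labels = domain.split(".")
         # Need at least two non-empty labels to treat the value as a domain.
         if len(labels) < 2 or not all(labels):
             continue

         try:
             intel = Intel(original=line,
                           event_type="indicator",
                           event_reference=self._feed_url,
                           event_provider="botvrij",
                           event_dataset="botvrij.domains",
                           threat_first_seen=None,
                           threat_last_seen=None,
                           threat_type="url")
             intel.add_url(domain=domain, top_level_domain=labels[-1])
         except Exception:
             # Best-effort ingest (as before): one bad entry must not
             # abort the whole feed.
             continue
         intel.add_docid()
         self.intel.append(intel)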
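 def _parse(self):
     """Parse the Spamhaus DROPv6 list into ``self.intel``.

     Each data line is ``<ipv6 network> ; <reference>``; lines starting with
     ``;`` are comments.  Every entry that parses as an IPv6 network becomes
     one indicator with ``add_ip`` set to the network and the reference as
     ``threat_description``.  ``threat.type`` is forced to ``IPV6`` afterwards
     exactly as before; ``threat_type`` is now also passed as ``IPV6`` instead
     of ``domain``, which mislabelled the indicator wherever the constructor
     stores that value.

     Blank lines, comments, lines without a ``;`` separator and entries that
     do not parse as an IPv6 network are skipped.
     """
     import ipaddress

     for raw_line in self._raw_threat_intel.split("\n"):
         line = raw_line.strip()
         # Compare by value: the original `line[:1] is ";"` only worked
         # because CPython interns one-character strings.
         if not line or line.startswith(";"):
             continue
         fields = [f.strip() for f in line.split(";")]
         if len(fields) < 2:
             # The original reached this case as an IndexError and skipped.
             continue
         network, reference = fields[0], fields[1]
         try:
             if ipaddress.ip_network(network, strict=False).version != 6:
                 continue
         except ValueError:
             continue

         intel = Intel(original=line,
                       event_type="indicator",
                       event_reference=self._feed_url,
                       event_provider="Spamhaus",
                       event_dataset="Spamhaus.ipv6drop",
                       threat_first_seen=None,
                       threat_last_seen=None,
                       threat_type="IPV6",
                       threat_description=reference)
         intel.add_ip(ip=network)
         intel.intel["threat"]["type"] = "IPV6"
         intel.add_docid()
         self.intel.append(intel)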
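 def _parse(self):
     """Parse the Abuse.ch URLhaus CSV export into ``self.intel``.

     Every field is quoted and ``","``-separated; the columns used are
     1 (date added) as ``threat_first_seen``, 2 (URL) via ``add_url`` and
     4 as ``threat_description``.  NOTE(review): URLhaus has changed its
     column layout over time — confirm column 4 is the field intended as the
     description for the export this feed URL serves.

     Fields are parsed with the ``csv`` module, which strips the quotes (the
     original ``split('","')`` left a stray ``"`` on the first and last
     field).  Blank lines, ``#`` comments and rows with fewer than five
     fields are skipped.
     """
     import csv

     for raw_line in self._raw_threat_intel.split("\n"):
         line = raw_line.strip()
         # Compare by value: the original `line[:1] is "#"` only worked
         # because CPython interns one-character strings.
         if not line or line.startswith("#"):
             continue
         try:
             fields = next(csv.reader([line]))
         except (csv.Error, StopIteration):
             continue
         if len(fields) < 5:
             # The original reached this case as an IndexError and skipped.
             continue

         intel = Intel(original=line,
                       event_type="indicator",
                       event_reference=self._feed_url,
                       event_provider="Abuse.ch",
                       event_dataset="URLhaus",
                       threat_first_seen=fields[1],
                       threat_last_seen=None,
                       threat_type="domain",
                       threat_description=fields[4])
         intel.add_url(original=fields[2])
         intel.add_docid()
         self.intel.append(intel)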
 def test_add_file(self):
     """add_file stores the name, the hashes under file.hash and an optional drive letter."""
     sha1 = "04ea0d99e724bae38f63b34955a669a13da65485"
     sha256 = "4d6feee47b15e24f526f8d9053b04a6ff5cefef4f9df71b8dffede2de31fcc57"

     name_only = Intel()
     name_only.add_file(name="example.exe")
     self.assertEqual(name_only.intel["file"]["name"], "example.exe")

     with_hashes = Intel()
     with_hashes.add_file(name="example.exe", sha1=sha1, sha256=sha256)
     file_block = with_hashes.intel["file"]
     self.assertEqual(file_block["name"], "example.exe")
     self.assertEqual(file_block["hash"]["sha1"], sha1)
     self.assertEqual(file_block["hash"]["sha256"], sha256)

     with_drive = Intel()
     with_drive.add_file(name="example.exe", sha1=sha1, sha256=sha256,
                         drive_letter="C")
     file_block = with_drive.intel["file"]
     self.assertEqual(file_block["name"], "example.exe")
     self.assertEqual(file_block["drive_letter"], "C")
     self.assertEqual(file_block["hash"]["sha1"], sha1)
     self.assertEqual(file_block["hash"]["sha256"], sha256)
 def test_add_malware(self):
     """add_malware accepts the name positionally or by keyword, plus family and type."""
     by_keyword = Intel()
     by_keyword.add_malware(name="Rake")
     self.assertEqual(by_keyword.intel["threat"]["malware"]["name"], "Rake")

     positional = Intel()
     positional.add_malware("Rake")
     self.assertEqual(positional.intel["threat"]["malware"]["name"], "Rake")

     detailed = Intel()
     detailed.add_malware(name="Rake", family="Rake", malware_type="C&C")
     malware = detailed.intel["threat"]["malware"]
     self.assertEqual(malware["name"], "Rake")
     self.assertEqual(malware["family"], "Rake")
     self.assertEqual(malware["type"], "C&C")
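    def _parse(self):
        """Parse the EmergingThreats ``emerging-Block-IPs`` feed into ``self.intel``.

        ``self._raw_threat_intel`` holds the raw feed text: one IP address or
        CIDR range per line, ``#`` lines being comments.  Every usable entry
        yields TWO ``Intel`` indicators (``threat_type`` ``ip_range`` when the
        entry contains a ``/``, else ``ip_address``): one carrying the entry as
        ``source.ip`` and one as ``destination.ip``, so it matches traffic in
        either direction.  Both are appended to ``self.intel``.

        The feed is untrusted network content, so an entry that does not parse
        as an IP address or network is skipped instead of being indexed, and a
        failure while building one ``Intel`` skips only that indicator.
        """
        # Function-scope import: the file's import block is outside this view.
        import ipaddress

        for raw_line in self._raw_threat_intel.split("\n"):
            # Strip CR/whitespace so a CRLF feed does not yield "1.2.3.4\r".
            entry = raw_line.strip()
            # Compare by value: the original `line[:1] is "#"` only worked
            # because CPython interns one-character strings.
            if not entry or entry.startswith("#"):
                continue

            # strict=False tolerates host bits set inside a range entry.
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue

            threat_type = "ip_range" if "/" in entry else "ip_address"
            # The two indicators differ only in which side the address is
            # attached to; build them in one loop instead of two copies.
            for direction in ("source", "destination"):
                try:
                    intel = Intel(original=entry,
                                  event_type="indicator",
                                  event_reference=self._feed_url,
                                  event_provider="EmergingThreats",
                                  event_dataset="fwrules/emerging-Block-IPs",
                                  threat_first_seen=None,
                                  threat_last_seen=None,
                                  threat_type=threat_type)
                    if direction == "source":
                        intel.add_source(ip=entry)
                    else:
                        intel.add_destination(ip=entry)
                except Exception:
                    # Best-effort ingest (as before): one failure must not
                    # abort the whole feed.
                    continue
                intel.add_docid()
                self.intel.append(intel)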
 def test_add_tls(self):
     """add_tls records the server certificate SHA1 under tls.server.hash.sha1."""
     fingerprint = "8964f9caf2c4e688a395f4666db072b165f9c28e"
     intel = Intel()
     intel.add_tls(s_sha1=fingerprint)
     self.assertEqual(intel.intel["tls"]["server"]["hash"]["sha1"], fingerprint)
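 def _parse(self):
     """Parse an AbuseIPDB ``blacklist`` API response into ``self.intel``.

     ``self._raw_threat_intel["data"]`` is the API's list of entries.  Each
     entry with a usable ``ipAddress`` yields TWO ``ip_address`` indicators —
     one with the address as ``source.ip`` and one as ``destination.ip`` — so
     it matches traffic in either direction; ``lastReportedAt`` becomes
     ``threat_last_seen`` and the serialized entry is kept as ``original``.

     The response is external input: entries missing either key, whose
     ``ipAddress`` is not a string, or whose address does not parse are
     skipped (the original swallowed every error silently).  A failure while
     building one ``Intel`` still skips only that indicator.
     """
     import ipaddress

     for obj in self._raw_threat_intel["data"]:
         try:
             address = obj["ipAddress"]
             last_reported = obj["lastReportedAt"]
         except (KeyError, TypeError):
             continue
         if not isinstance(address, str):
             continue
         try:
             ipaddress.ip_address(address)
         except ValueError:
             continue

         # The two indicators differ only in which side the address is
         # attached to; build them in one loop instead of two copies.
         for direction in ("source", "destination"):
             try:
                 intel = Intel(original=json.dumps(obj),
                               event_type="indicator",
                               event_reference=self._feed_url,
                               event_provider="AbuseIPdb",
                               event_dataset="blacklist",
                               threat_first_seen=None,
                               threat_last_seen=last_reported,
                               threat_type="ip_address")
                 if direction == "source":
                     intel.add_source(ip=address)
                 else:
                     intel.add_destination(ip=address)
             except Exception:
                 # Best-effort ingest (as before): one failure must not
                 # abort the whole response.
                 continue
             intel.add_docid()
             self.intel.append(intel)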