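def _parse(self):
    """Parse the EmergingThreats ``emerging-Block-IPs`` list into ``self.intel``.

    Every non-comment, non-blank line is expected to be one IPv4 address or
    a CIDR range. Because the feed body is untrusted text that ends up in an
    IP-typed field, each value is validated with :mod:`ipaddress` first;
    lines that do not parse are logged and skipped instead of being stored
    verbatim. Failures inside ``Intel`` are logged rather than silently
    swallowed so ingestion gaps are visible.

    Reads ``self._raw_threat_intel`` and ``self._feed_url``; appends one
    ``Intel`` per accepted line to ``self.intel``.
    """
    import ipaddress
    import logging

    log = logging.getLogger(__name__)
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # A "/" marks a CIDR range; validate before trusting the text.
            if "/" in line:
                indicator_type = "ip_range"
                ipaddress.ip_network(line, strict=False)
            else:
                indicator_type = "ip_address"
                ipaddress.ip_address(line)
        except ValueError:
            log.warning("EmergingThreats: skipping non-IP line %r", line)
            continue
        try:
            intel = Intel(original=line,
                          event_type="indicator",
                          event_reference=self._feed_url,
                          event_module="EmergingThreats",
                          event_dataset="fwrules/emerging-Block-IPs",
                          threat_first_seen=None,
                          threat_last_seen=None,
                          threat_type=indicator_type)
            intel.intel["threat"]["ip"] = line
        except Exception as err:  # Intel is opaque here; log instead of dropping silently
            log.warning("EmergingThreats: could not build indicator from %r: %s", line, err)
        else:
            intel._add_docid()
            self.intel.append(intel)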
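def _parse(self, root_dir="tip/githubclones/eset/malware-ioc"):
    """Collect sample hashes from a local clone of ESET's ``malware-ioc`` repo.

    Walks ``root_dir`` and reads only ``samples.md5``, ``samples.sha1`` and
    ``samples.sha256`` (one hash per line); README and any other file are
    ignored, as are ``.git`` internals. Blank and ``#`` lines are skipped and
    the first token of each line must be hex of the length that digest
    uses, so stray text in the repo cannot become a malformed file-hash IOC.
    One ``Intel`` is appended to ``self.intel`` per accepted hash.

    Args:
        root_dir: directory to walk. Defaults to the path the original
            hard-coded, so existing callers are unaffected.
    """
    import logging
    import os.path
    import re

    log = logging.getLogger(__name__)
    # file name -> (add_file keyword, pattern the value must fully match)
    hash_files = {
        "samples.md5": ("md5", re.compile(r"[0-9a-fA-F]{32}")),
        "samples.sha1": ("sha1", re.compile(r"[0-9a-fA-F]{40}")),
        "samples.sha256": ("sha256", re.compile(r"[0-9a-fA-F]{64}")),
    }
    for root, _dirs, files in walk(root_dir):
        # Never read git internals.
        if ".git" in root:
            continue
        for file in files:
            if file not in hash_files:
                continue
            hash_kind, hash_re = hash_files[file]
            path = os.path.join(root, file)
            with open(path, "r", encoding="utf-8", errors="replace") as iocfile:
                for raw_line in iocfile:
                    line = raw_line.strip()
                    if not line or line.startswith("#"):
                        continue
                    # Tolerate "<hash> <annotation>" lines; only the hash is used.
                    value = line.split()[0]
                    if not hash_re.fullmatch(value):
                        log.warning("Eset: %s: skipping non-%s value %r", path, hash_kind, line)
                        continue
                    try:
                        intel = Intel(original=line,
                                      event_type="indicator",
                                      event_reference=self._feed_url,
                                      event_provider="Eset",
                                      event_dataset="malware-ioc",
                                      threat_first_seen=None,
                                      threat_last_seen=None,
                                      threat_type="file_hash")
                        intel.add_file(**{hash_kind: value})
                    except Exception as err:  # Intel is opaque here; log, don't abort the walk
                        log.warning("Eset: %s: could not build indicator from %r: %s", path, line, err)
                    else:
                        intel.add_docid()
                        self.intel.append(intel)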
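def _parse(self):
    """Parse the abuse.ch SSL Blacklist CSV (``Listingdate,SHA1,Listingreason``).

    Comment (``#``) and blank lines are skipped and rows with fewer than
    three fields are logged and dropped. For each entry the certificate
    SHA1 is recorded with ``add_tls`` and a MITRE mapping is attached from
    the listing reason: reasons containing ``C&C`` map to TA0011, every
    other reason to TA0042 / T1588.001. (The original tested
    ``elif "" in description``, which is always true, so this ``else`` is
    the same behaviour stated plainly.)
    """
    import logging

    log = logging.getLogger(__name__)
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            log.warning("SSLBlackList: skipping short row %r", line)
            continue
        listing_date, sha1, reason = fields[0], fields[1], fields[2]
        try:
            intel = Intel(
                original=line,
                event_type="indicator",
                event_reference=self._feed_url,
                event_provider="Abuse.ch",
                event_dataset="SSLBlackList",
                threat_first_seen=listing_date,
                threat_last_seen=None,
                threat_type="ssl_hash",
                threat_description=reason,
            )
            intel.add_tls(s_sha1=sha1)
            if "C&C" in intel.intel["threat"]["ioc"]["description"]:
                intel.add_mitre("TA0011")
            else:
                intel.add_mitre("TA0042", "T1588.001")
        except (IndexError, KeyError, TypeError) as err:
            log.warning("SSLBlackList: could not build indicator from %r: %s", line, err)
        else:
            intel.add_docid()
            self.intel.append(intel)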
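def _parse(self):
    """Parse the abuse.ch MalwareBazaar CSV export into file-hash indicators.

    Rows are quoted CSV (``"first_seen", "sha256", "md5", "sha1", ...``) and
    are read with :mod:`csv` rather than split on ``", "``: the old split
    left the opening ``"`` on the first field, so ``threat_first_seen`` was
    stored with a leading quote. Comment and blank lines are skipped and
    rows with fewer than four fields are logged and dropped. Hashes are
    written into ``intel.intel["threat"]["file"]["hash"]`` exactly as
    before.
    """
    import csv
    import logging

    log = logging.getLogger(__name__)
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = next(csv.reader([line], skipinitialspace=True))
        except (csv.Error, StopIteration):
            log.warning("MalwareBazaar: skipping unparsable row %r", line)
            continue
        if len(fields) < 4:
            log.warning("MalwareBazaar: skipping short row %r", line)
            continue
        first_seen, sha256, md5, sha1 = fields[0], fields[1], fields[2], fields[3]
        try:
            intel = Intel(original=line,
                          event_type="indicator",
                          event_reference=self._feed_url,
                          event_module="Abuse.ch",
                          event_dataset="MalwareBazaar",
                          threat_first_seen=first_seen,
                          threat_last_seen=None,
                          threat_type="file_hash")
            intel.intel["threat"]["file"] = {
                "hash": {"sha1": sha1, "sha256": sha256, "md5": md5},
            }
        except Exception as err:  # Intel is opaque here; log instead of print
            log.warning("MalwareBazaar: could not build indicator from %r: %s", line, err)
        else:
            intel._add_docid()
            self.intel.append(intel)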
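def _parse(self):
    """Parse the abuse.ch Feodo Tracker CSV into destination-IP indicators.

    Columns are ``Firstseen,DstIP,DstPort,LastOnline,Malware``. Comment and
    blank lines are skipped; rows with fewer than five fields are logged and
    dropped. The address is validated with :mod:`ipaddress` and the port is
    converted to ``int`` (matching how ``add_destination`` is exercised in
    the tests) before anything is stored, because the feed is untrusted and
    both values land in typed fields. ``add_malware`` is called with the
    malware column.
    """
    import ipaddress
    import logging

    log = logging.getLogger(__name__)
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 5:
            log.warning("FeodoTracker: skipping short row %r", line)
            continue
        first_seen, dst_ip, dst_port, last_online, malware = fields[:5]
        try:
            ipaddress.ip_address(dst_ip)
            port = int(dst_port)
        except ValueError:
            log.warning("FeodoTracker: skipping row with bad ip/port %r", line)
            continue
        try:
            intel = Intel(
                original=line,
                event_type="indicator",
                event_reference=self._feed_url,
                event_provider="Abuse.ch",
                event_dataset="FeodoTracker",
                threat_first_seen=first_seen,
                threat_last_seen=last_online,
                threat_type="ip_address",
                threat_description=malware,
            )
            intel.add_destination(ip=dst_ip, port=port)
            intel.add_malware(name=malware)
        except (IndexError, KeyError, TypeError) as err:
            log.warning("FeodoTracker: could not build indicator from %r: %s", line, err)
        else:
            intel.add_docid()
            self.intel.append(intel)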
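def _parse(self):
    """Parse the abuse.ch MalwareBazaar CSV export into file indicators.

    Rows are quoted CSV (``"first_seen", "sha256", "md5", "sha1", "reporter",
    "file_name", "file_type", "mime_type", "signature", ...``) and are read
    with :mod:`csv` rather than split on ``", "``: the old split left the
    opening ``"`` on the first field, so ``threat_first_seen`` was stored
    with a leading quote. Comment and blank lines are skipped and rows with
    fewer than nine fields are logged and dropped. ``add_file`` gets the
    name, extension, MIME type and hashes; ``add_malware`` gets the
    signature column.
    """
    import csv
    import logging

    log = logging.getLogger(__name__)
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = next(csv.reader([line], skipinitialspace=True))
        except (csv.Error, StopIteration):
            log.warning("MalwareBazaar: skipping unparsable row %r", line)
            continue
        if len(fields) < 9:
            log.warning("MalwareBazaar: skipping short row %r", line)
            continue
        try:
            intel = Intel(
                original=line,
                event_type="indicator",
                event_reference=self._feed_url,
                event_provider="Abuse.ch",
                event_dataset="MalwareBazaar",
                threat_first_seen=fields[0],
                threat_last_seen=None,
                threat_type="file_hash"
            )
            intel.add_file(name=fields[5],
                           extension=fields[6],
                           mime_type=fields[7],
                           sha1=fields[3],
                           sha256=fields[1],
                           md5=fields[2])
            intel.add_malware(fields[8])
        except Exception as err:  # Intel is opaque here; log instead of print
            log.warning("MalwareBazaar: could not build indicator from %r: %s", line, err)
        else:
            intel.add_docid()
            self.intel.append(intel)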
def test_add_destination(self):
    """add_destination() records the ip, and the port when one is given."""
    expected_ip = "1.1.1.1"

    ip_only = Intel()
    ip_only.add_destination(ip=expected_ip)
    self.assertEqual(expected_ip, ip_only.intel["destination"]["ip"])

    with_port = Intel()
    with_port.add_destination(ip=expected_ip, port=443)
    destination = with_port.intel["destination"]
    self.assertEqual(expected_ip, destination["ip"])
    self.assertEqual(443, destination["port"])
def test_add_source(self):
    """add_source() records the ip, and the port when one is given."""
    expected_ip = "1.1.1.1"

    ip_only = Intel()
    ip_only.add_source(ip=expected_ip)
    self.assertEqual(expected_ip, ip_only.intel["source"]["ip"])

    with_port = Intel()
    with_port.add_source(ip=expected_ip, port=443)
    source = with_port.intel["source"]
    self.assertEqual(expected_ip, source["ip"])
    self.assertEqual(443, source["port"])
def test_add_ip(self):
    """add_ip() writes the ip (and optional port) under threat.indicator."""
    expected_ip = "1.1.1.1"

    ip_only = Intel()
    ip_only.add_ip(ip=expected_ip)
    self.assertEqual(expected_ip, ip_only.intel["threat"]["indicator"]["ip"])

    with_port = Intel()
    with_port.add_ip(ip=expected_ip, port=443)
    indicator = with_port.intel["threat"]["indicator"]
    self.assertEqual(expected_ip, indicator["ip"])
    self.assertEqual(443, indicator["port"])
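def _parse(self):
    """Parse an AbuseIPDB ``blacklist`` response into ip_address indicators.

    Iterates ``self._raw_threat_intel["data"]``; a missing ``data`` key
    still raises, as before, so a failed API call is not mistaken for an
    empty list. Each object must carry ``ipAddress`` and ``lastReportedAt``.
    The address is validated with :mod:`ipaddress` because the response is
    untrusted and the value is written to an IP-typed field; malformed
    objects are logged and skipped instead of silently dropped.
    """
    import ipaddress
    import logging

    log = logging.getLogger(__name__)
    for obj in self._raw_threat_intel["data"]:
        try:
            ip = obj["ipAddress"]
            last_seen = obj["lastReportedAt"]
            ipaddress.ip_address(ip)
        except (KeyError, TypeError, ValueError) as err:
            log.warning("AbuseIPdb: skipping malformed entry %r: %s", obj, err)
            continue
        try:
            intel = Intel(
                original=json.dumps(obj),
                event_type="indicator",
                event_reference=self._feed_url,
                event_module="AbuseIPdb",
                event_dataset="blacklist",
                threat_first_seen=None,
                threat_last_seen=last_seen,
                threat_type="ip_address"
            )
            intel.intel["threat"]["ip"] = ip
        except Exception as err:  # Intel is opaque here; log instead of dropping silently
            log.warning("AbuseIPdb: could not build indicator for %s: %s", ip, err)
        else:
            intel._add_docid()
            self.intel.append(intel)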
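def _parse(self):
    """Parse the abuse.ch Feodo Tracker CSV into ip_address indicators.

    Columns are ``Firstseen,DstIP,DstPort,LastOnline,Malware``. Comment and
    blank lines are skipped; rows with fewer than five fields are logged and
    dropped. The address is validated with :mod:`ipaddress` before it is
    written to ``intel.intel["threat"]["ip"]``, because the feed is untrusted
    and the value lands in an IP-typed field. (The port column is not stored
    by this parser, as before.)
    """
    import ipaddress
    import logging

    log = logging.getLogger(__name__)
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 5:
            log.warning("FeodoTracker: skipping short row %r", line)
            continue
        first_seen, dst_ip, _dst_port, last_online, malware = fields[:5]
        try:
            ipaddress.ip_address(dst_ip)
        except ValueError:
            log.warning("FeodoTracker: skipping row with non-IP value %r", dst_ip)
            continue
        try:
            intel = Intel(original=line,
                          event_type="indicator",
                          event_reference=self._feed_url,
                          event_module="Abuse.ch",
                          event_dataset="FeodoTracker",
                          threat_first_seen=first_seen,
                          threat_last_seen=last_online,
                          threat_type="ip_address",
                          threat_description=malware)
            intel.intel["threat"]["ip"] = dst_ip
        except (IndexError, KeyError, TypeError) as err:
            log.warning("FeodoTracker: could not build indicator from %r: %s", line, err)
        else:
            intel._add_docid()
            self.intel.append(intel)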
def test_add_url(self):
    """add_url() fills url.original and url.scheme, and a second call adds url.full without losing them."""
    url = "https://test.domain.com:9500/"
    intel = Intel()

    intel.add_url(original=url)
    url_block = intel.intel["url"]
    self.assertEqual(url, url_block["original"])
    self.assertEqual("https", url_block["scheme"])

    # Same object: 'full' is merged in, 'original' and 'scheme' survive.
    intel.add_url(full=url)
    url_block = intel.intel["url"]
    self.assertEqual(url, url_block["original"])
    self.assertEqual(url, url_block["full"])
    self.assertEqual("https", url_block["scheme"])
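def _parse(self):
    """Parse the botvrij ``ip-dst`` list into destination-IP indicators.

    Each usable line starts with one IP address; only the first
    whitespace-separated token is used as the address (some versions of
    this list presumably carry a trailing ``# description`` — verify
    against the feed), while the whole line is kept as ``original``.
    Comment and blank lines are skipped. The address is validated with
    :mod:`ipaddress` before it is stored because the feed is untrusted and
    the value lands in an IP-typed field; the old code would also have
    appended an empty indicator for the trailing blank line.
    """
    import ipaddress
    import logging

    log = logging.getLogger(__name__)
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        ip = line.split()[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            log.warning("botvrij ip-dst: skipping non-IP line %r", line)
            continue
        # Stored as destination.ip (the original comment said "source"; the code did not).
        try:
            intel = Intel(original=line,
                          event_type="indicator",
                          event_reference=self._feed_url,
                          event_provider="botvrij",
                          event_dataset="botvrij.ip-dst",
                          threat_first_seen=None,
                          threat_last_seen=None,
                          threat_type="IPV4")
            intel.add_destination(ip=ip)
        except Exception as err:  # Intel is opaque here; log instead of dropping silently
            log.warning("botvrij ip-dst: could not build indicator from %r: %s", line, err)
        else:
            intel.add_docid()
            self.intel.append(intel)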
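def _parse(self):
    """Parse the botvrij ``domains`` list into url.domain indicators.

    Only the first whitespace-separated token of each line is used as the
    domain (the whole line stays in ``original``); comment and blank lines
    are skipped, and lines without a dot are skipped — the old code dropped
    those too, via an IndexError. ``top_level_domain`` is the label after
    the last dot: the old ``split(".")[1]`` returned the second label, which
    is wrong for anything deeper than ``name.tld``. Note this still yields
    ``uk`` rather than ``co.uk`` for multi-label public suffixes.
    ``threat_type`` stays ``"url"`` as before.
    """
    import logging

    log = logging.getLogger(__name__)
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        domain = line.split()[0]
        if "." not in domain:
            log.warning("botvrij domains: skipping value without a dot %r", line)
            continue
        tld = domain.rpartition(".")[2]
        try:
            intel = Intel(original=line,
                          event_type="indicator",
                          event_reference=self._feed_url,
                          event_provider="botvrij",
                          event_dataset="botvrij.domains",
                          threat_first_seen=None,
                          threat_last_seen=None,
                          threat_type="url")
            intel.add_url(domain=domain, top_level_domain=tld)
        except Exception as err:  # Intel is opaque here; log instead of dropping silently
            log.warning("botvrij domains: could not build indicator from %r: %s", line, err)
        else:
            intel.add_docid()
            self.intel.append(intel)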
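def _parse(self):
    """Parse the Spamhaus IPv6 DROP list (``<network> ; <SBL id>``) into indicators.

    Lines starting with ``;`` are comments and skipped, as are blank lines.
    Entries are split on ``;`` and both parts stripped — the raw fields carry
    surrounding spaces that the old code stored verbatim in the IP field.
    The network is validated with :mod:`ipaddress` before ``add_ip`` is
    called; lines that do not parse are logged and dropped. The stored
    ``threat.type`` is forced to ``"IPV6"`` as before.
    """
    import ipaddress
    import logging

    log = logging.getLogger(__name__)
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 2:
            log.warning("Spamhaus ipv6drop: skipping short line %r", line)
            continue
        network, sbl_ref = parts[0], parts[1]
        try:
            ipaddress.ip_network(network, strict=False)
        except ValueError:
            log.warning("Spamhaus ipv6drop: skipping non-network value %r", network)
            continue
        try:
            intel = Intel(original=line,
                          event_type="indicator",
                          event_reference=self._feed_url,
                          event_provider="Spamhaus",
                          event_dataset="Spamhaus.ipv6drop",
                          threat_first_seen=None,
                          threat_last_seen=None,
                          threat_type="IPV6",  # was "domain", which is wrong for an IPv6 net
                          threat_description=sbl_ref)
            intel.add_ip(ip=network)
            # Kept from the original: pin the stored type explicitly, in case the
            # constructor records threat_type under a different key.
            intel.intel["threat"]["type"] = "IPV6"
        except (IndexError, KeyError, TypeError) as err:
            log.warning("Spamhaus ipv6drop: could not build indicator from %r: %s", line, err)
        else:
            intel.add_docid()
            self.intel.append(intel)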
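def _parse(self):
    """Parse the abuse.ch URLhaus CSV export into URL indicators.

    Rows are quoted CSV and are read with :mod:`csv` instead of being split
    on ``","``, so quoting is handled properly. The same columns are used as
    before: index 1 as ``threat_first_seen``, index 2 as the URL passed to
    ``add_url``, index 4 as ``threat_description``. Comment and blank lines
    are skipped; rows with fewer than five fields are logged and dropped
    rather than silently ignored. ``threat_type`` stays ``"domain"`` as
    before.
    """
    import csv
    import logging

    log = logging.getLogger(__name__)
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = next(csv.reader([line]))
        except (csv.Error, StopIteration):
            log.warning("URLhaus: skipping unparsable row %r", line)
            continue
        if len(fields) < 5:
            log.warning("URLhaus: skipping short row %r", line)
            continue
        try:
            intel = Intel(original=line,
                          event_type="indicator",
                          event_reference=self._feed_url,
                          event_provider="Abuse.ch",
                          event_dataset="URLhaus",
                          threat_first_seen=fields[1],
                          threat_last_seen=None,
                          threat_type="domain",
                          threat_description=fields[4])
            intel.add_url(original=fields[2])
        except (IndexError, KeyError, TypeError) as err:
            log.warning("URLhaus: could not build indicator from %r: %s", line, err)
        else:
            intel.add_docid()
            self.intel.append(intel)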
def test_add_file(self):
    """add_file() records the name, the hashes and the drive letter it is given."""
    name = "example.exe"
    sha1 = "04ea0d99e724bae38f63b34955a669a13da65485"
    sha256 = "4d6feee47b15e24f526f8d9053b04a6ff5cefef4f9df71b8dffede2de31fcc57"

    # Name only.
    name_only = Intel()
    name_only.add_file(name=name)
    self.assertEqual(name, name_only.intel["file"]["name"])

    # Name plus hashes.
    hashed = Intel()
    hashed.add_file(name=name, sha1=sha1, sha256=sha256)
    file_block = hashed.intel["file"]
    self.assertEqual(name, file_block["name"])
    self.assertEqual(sha1, file_block["hash"]["sha1"])
    self.assertEqual(sha256, file_block["hash"]["sha256"])

    # Name, hashes and drive letter.
    with_drive = Intel()
    with_drive.add_file(name=name, sha1=sha1, sha256=sha256, drive_letter="C")
    file_block = with_drive.intel["file"]
    self.assertEqual(name, file_block["name"])
    self.assertEqual("C", file_block["drive_letter"])
    self.assertEqual(sha1, file_block["hash"]["sha1"])
    self.assertEqual(sha256, file_block["hash"]["sha256"])
def test_add_malware(self):
    """add_malware() accepts the name positionally or by keyword, plus family and type."""
    expected_name = "Rake"

    by_keyword = Intel()
    by_keyword.add_malware(name=expected_name)
    self.assertEqual(expected_name, by_keyword.intel["threat"]["malware"]["name"])

    positional = Intel()
    positional.add_malware(expected_name)
    self.assertEqual(expected_name, positional.intel["threat"]["malware"]["name"])

    detailed = Intel()
    detailed.add_malware(name=expected_name, family="Rake", malware_type="C&C")
    malware = detailed.intel["threat"]["malware"]
    self.assertEqual(expected_name, malware["name"])
    self.assertEqual("Rake", malware["family"])
    self.assertEqual("C&C", malware["type"])
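def _parse(self):
    """Parse EmergingThreats ``emerging-Block-IPs`` into source and destination indicators.

    Every non-comment, non-blank line is one IPv4 address or CIDR range and
    yields two ``Intel`` objects — one with the value as ``source.ip``, one
    as ``destination.ip`` — so the block list matches traffic in either
    direction. The value is validated with :mod:`ipaddress` once, before
    either object is built, because the feed is untrusted and the string
    ends up in IP-typed fields; lines that do not parse are logged and
    skipped, and failures inside ``Intel`` are logged rather than swallowed.
    """
    import ipaddress
    import logging

    log = logging.getLogger(__name__)
    for raw_line in self._raw_threat_intel.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # A "/" marks a CIDR range; validate before trusting the text.
            if "/" in line:
                indicator_type = "ip_range"
                ipaddress.ip_network(line, strict=False)
            else:
                indicator_type = "ip_address"
                ipaddress.ip_address(line)
        except ValueError:
            log.warning("EmergingThreats: skipping non-IP line %r", line)
            continue
        common = dict(
            original=line,
            event_type="indicator",
            event_reference=self._feed_url,
            event_provider="EmergingThreats",
            event_dataset="fwrules/emerging-Block-IPs",
            threat_first_seen=None,
            threat_last_seen=None,
            threat_type=indicator_type,
        )
        # One record per direction, each its own object (and docid).
        for direction in ("add_source", "add_destination"):
            try:
                intel = Intel(**common)
                getattr(intel, direction)(ip=line)
            except Exception as err:  # Intel is opaque here; log instead of dropping silently
                log.warning("EmergingThreats: %s failed for %r: %s", direction, line, err)
            else:
                intel.add_docid()
                self.intel.append(intel)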
def test_add_tls(self):
    """add_tls(s_sha1=...) stores the server certificate SHA1 under tls.server.hash.sha1."""
    server_sha1 = "8964f9caf2c4e688a395f4666db072b165f9c28e"
    intel = Intel()
    intel.add_tls(s_sha1=server_sha1)
    stored = intel.intel["tls"]["server"]["hash"]["sha1"]
    self.assertEqual(server_sha1, stored)
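def _parse(self):
    """Parse an AbuseIPDB ``blacklist`` response into source and destination indicators.

    Iterates ``self._raw_threat_intel["data"]``; a missing ``data`` key
    still raises, as before, so a failed API call is not mistaken for an
    empty list. Each object must carry ``ipAddress`` and ``lastReportedAt``
    and yields two ``Intel`` objects — one with the address as ``source.ip``
    and one as ``destination.ip``. The address is validated with
    :mod:`ipaddress` once, before either object is built, because the
    response is untrusted and the value lands in IP-typed fields; malformed
    objects and ``Intel`` failures are logged instead of silently dropped.
    """
    import ipaddress
    import logging

    log = logging.getLogger(__name__)
    for obj in self._raw_threat_intel["data"]:
        try:
            ip = obj["ipAddress"]
            last_seen = obj["lastReportedAt"]
            ipaddress.ip_address(ip)
        except (KeyError, TypeError, ValueError) as err:
            log.warning("AbuseIPdb: skipping malformed entry %r: %s", obj, err)
            continue
        common = dict(
            original=json.dumps(obj),
            event_type="indicator",
            event_reference=self._feed_url,
            event_provider="AbuseIPdb",
            event_dataset="blacklist",
            threat_first_seen=None,
            threat_last_seen=last_seen,
            threat_type="ip_address",
        )
        # One record per direction, each its own object (and docid).
        for direction in ("add_source", "add_destination"):
            try:
                intel = Intel(**common)
                getattr(intel, direction)(ip=ip)
            except Exception as err:  # Intel is opaque here; log instead of dropping silently
                log.warning("AbuseIPdb: %s failed for %s: %s", direction, ip, err)
            else:
                intel.add_docid()
                self.intel.append(intel)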