def analyze(self, line):
fields = line.split('|')
tornode = Evil(tags=['Tor info'])
#
try:
tornode['ip'] = fields[0]
tornode['name'] = fields[1]
tornode['router-port'] = fields[2]
tornode['directory-port'] = fields[3]
tornode['flags'] = fields[4]
tornode['uptime'] = fields[5]
tornode['version'] = fields[6]
tornode['contactinfo'] = fields[7]
except Exception, e:
return
def analyze(self, dict):
# We create an Evil object. Evil objects are what Malcom uses
# to store anything it considers evil. Malware, spam sources, etc.
# Remember that you can create your own datatypes, if need be.
evil = Evil()
# We start populating the Evil() object's attributes with
# information from the dict we parsed earlier
# description
evil['description'] = dict['link'] + " " + dict['description']
# status
status = re.search("Status: (?P<status>\S+),", dict['description'])
if status:
evil['status'] = status.group('status')
else:
evil['status'] = "unknown"
# linkback
evil['guid'] = dict['guid']
# tags
evil['tags'] += ['spyeye', 'malware', 'cc']
# This is important. Values have to be unique, since it's this way that
# Malcom will identify them in the database.
# This is probably not the best way, but it will do for now.
host = re.search("Host: (?P<host>\S+),",
dict['description']).group("host")
if toolbox.find_ips(host):
elt = Ip(host, tags=['cc', 'spyeye', 'malware'])
else:
elt = Hostname(host, tags=['cc', 'spyeye', 'malware'])
evil['value'] = "SpyEye CC (%s)" % elt['value']
# Save elements to DB. The status field will contain information on
# whether this element already existed in the DB.
return elt, evil
self.commit_to_db(elt, evil)
def analyze(self, dict):
# Create the new URL and store it in the DB
url = re.search("Host: (?P<url>[^,]+),",
dict['description']).group('url')
url = Url(url=url)
evil = Evil()
evil['details'] = dict['description']
threat_type = re.search('Description: (?P<tag>.+)',
dict['description']).group('tag')
evil['tags'] = ['malwaredomainlist', threat_type]
evil['value'] = "%s (%s)" % (threat_type, url['value'])
evil['link'] = dict['link']
evil['guid'] = dict['guid']
return url, evil
def analyze(self, line):
if line.startswith('#') or line.startswith('\n'):
return
splitted_mdl = line.split('\t')
# 20151201 agasi-story.info malicious blog.dynamoo.com 20131130 20121201 20120521 20110217
# Create the new hostname and store it in the DB
hostname = Hostname(hostname=splitted_mdl[2])
if hostname['value'] == None: return # hostname not found
evil = Evil()
evil['value'] = "Malware domain blocklist (%s)" % hostname['value']
evil['tags'] = [
'malwaredomains',
re.sub(r'[^\w]', '', splitted_mdl[3])
]
evil['reference'] = splitted_mdl[4]
return hostname, evil
class AlienvaultIP(Feed):
"""
This gets data from https://reputation.alienvault.com/reputation.generic
"""
def __init__(self, name):
super(AlienvaultIP, self).__init__(name, run_every="12h")
self.name = "Alienvault"
self.description = "Alienvault IP Reputation Database"
self.source = "https://reputation.alienvault.com/reputation.generic"
self.confidence = 50
def update(self):
self.update_lines()
def analyze(self, line):
if line.startswith('#') or line.startswith('\n'):
return
try:
ip = toolbox.find_ips(line)[0]
description = re.search(" # (?P<description>[^,]+),", line)
if description:
description = description.group('description')
else:
description = False
except Exception, e:
# if find_ip raises an exception, it means no ip
# was found in the line, we bail
return
if not description:
return # we're not interested in non-qualified information
# Create the new ip and store it in the DB
ip = Ip(ip=ip, tags=['alienvault'])
# Create the new Evil and store it in the DB
evil = Evil()
evil['value'] = ip['value'] + ' (%s)' % description
evil['tags'] = ['AlienvaultIP', description]
return ip, evil
class DShield3215(Feed):
"""
This gets data from http://dshield.org/asdetailsascii.html?as=3215
"""
def __init__(self, name):
super(DShield3215, self).__init__(name)
self.name = "DShield3215"
self.source = 'http://dshield.org/asdetailsascii.html?as=3215'
self.description = "DShield scanning report for AS 3215"
self.confidence = 30
def update(self):
self.update_lines()
def analyze(self, line):
if line.startswith('#') or line.startswith('\n'):
return
dict = line.split('\t')
if int(
dict[2]
) < 300: # skip entries which have not been reported at least 300 times
return
try:
ip = toolbox.find_ips(line)[0]
except Exception, e:
# if find_ip raises an exception, it means no ip
# was found in the line, so we return
return
# Create the new ip and store it in the DB
dict = line.split('\t')
ip = Ip(ip=ip, tags=['dshield'])
evil = Evil()
evil['value'] = 'Scanner at %s' % ip['value']
evil['reports'] = dict[2]
evil['first seen'] = dict[3]
evil['last seen'] = dict[4]
return ip, evil
def analyze(self, dict):
# We create an Evil object. Evil objects are what Malcom uses
# to store anything it considers evil. Malware, spam sources, etc.
# Remember that you can create your own datatypes, if need be.
evil = Evil()
# We start populating the Evil() object's attributes with
# information from the dict we parsed earlier
evil['feed'] = "SpyEyeConfigs"
evil['url'] = toolbox.find_urls(dict['description'])[0]
# description
evil['description'] = dict['link'] + " " + dict['description']
# status
if dict['description'].find("offline") != -1:
evil['status'] = "offline"
else:
evil['status'] = "online"
# md5
md5 = re.search("MD5 hash: (?P<md5>[0-9a-f]{32,32})",
dict['description'])
if md5 != None:
evil['md5'] = md5.group('md5')
else:
evil['md5'] = "No MD5"
# linkback
evil['source'] = dict['guid']
# type
evil['type'] = 'evil'
# tags
evil['tags'] += ['spyeye', 'malware', 'SpyEyeConfigs']
# date_retreived
evil['date_retreived'] = datetime.datetime.utcnow()
# This is important. Values have to be unique, since it's this way that
# Malcom will identify them in the database.
# This is probably not the best way, but it will do for now.
evil['value'] = "SpyEye Config"
if md5:
evil['value'] += " (MD5: %s)" % evil['md5']
else:
evil['value'] += " (URL: %s)" % evil['url']
# Save elements to DB. The status field will contain information on
# whether this element already existed in the DB.
evil, status = self.analytics.save_element(evil, with_status=True)
if status['updatedExisting'] == False:
self.elements_fetched += 1
# Create an URL element
url = Url(evil['url'], ['evil', 'SpyEyeConfigs'])
# Save it to the DB.
url, status = self.analytics.save_element(url, with_status=True)
if status['updatedExisting'] == False:
self.elements_fetched += 1
# Connect the URL element to the Evil element
self.analytics.data.connect(url, evil, 'hosting')
class MalcodeBinaries(Feed):
def __init__(self, name):
super(MalcodeBinaries, self).__init__(name, run_every="1h")
self.name = "MalcodeBinaries"
self.description = "Updated Feed of Malicious Executables"
self.source = "http://malc0de.com/rss/"
def update(self):
request = urllib2.Request(
self.source,
headers={
"User-agent":
"Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11"
})
feed = urllib2.urlopen(request)
children = ["title", "description", "link"]
main_node = "item"
tree = etree.parse(feed)
for item in tree.findall("//%s" % main_node):
dict = {}
for field in children:
dict[field] = item.findtext(field)
self.analyze(dict)
return True
def analyze(self, dict):
try:
url = toolbox.find_urls(dict['description'])[0]
except Exception, e:
return # no URL found, bail
url = Url(url=url, tags=['exe'])
# We create an Evil object. Evil objects are what Malcom uses
# to store anything it considers evil. Malware, spam sources, etc.
# Remember that you can create your own datatypes, if need be.
evil = Evil()
# We start populating the Evil() object's attributes with
# information from the dict we parsed earlier
evil['info'] = dict['description'] # description
evil['tags'] = [self.name, 'malware']
md5 = re.search("MD5 hash: (?P<md5>[0-9a-f]{32,32})",
dict['description']) # md5
if md5 != None:
evil['md5'] = md5.group('md5')
else:
evil['md5'] = "No MD5"
evil['link'] = dict['link'] # linkback
# This is important. Values have to be unique, since it's this way that
# Malcom will identify them in the database.
# This is probably not the best way, but it will do for now.
evil['value'] = "Malcode malware URL"
if md5:
evil['value'] += " (MD5: %s)" % evil['md5']
else:
evil['value'] += " (URL: %s)" % url['value']
# Save elements to DB. The status field will contain information on
# whether this element already existed in the DB.
self.commit_to_db(url, evil)
