def _parse(self): for root, dirs, files in walk("tip/githubclones/eset/malware-ioc"): for file in files: if ".git" in root: continue elif "README" in file: continue elif "samples" in file: lines = "" with open("{}/{}".format(root, file), "r") as iocfile: lines = iocfile.read().split("\n") for line in lines: try: intel = Intel(original=line, event_type="indicator", event_reference=self._feed_url, event_provider="Eset", event_dataset="malware-ioc", threat_first_seen=None, threat_last_seen=None, threat_type="file_hash") if file == "samples.sha1": intel.add_file(sha1=line) elif file == "samples.sha256": intel.add_file(sha256=line) elif file == "samples.md5": intel.add_file(md5=line) except Exception as err: print(err) else: intel.add_docid() self.intel.append(intel)
def _parse(self): for line in self._raw_threat_intel.split("\n"): if line[:1] is "#": pass else: split_line = line.split(",") try: intel = Intel( original=line, event_type="indicator", event_reference=self._feed_url, event_provider="Abuse.ch", event_dataset="SSLBlackList", threat_first_seen=split_line[0], threat_last_seen=None, threat_type="ssl_hash", threat_description=split_line[2] ) intel.add_tls(s_sha1=split_line[1]) if "C&C" in intel.intel["threat"]["ioc"]["description"]: intel.add_mitre("TA0011") elif "" in intel.intel["threat"]["ioc"]["description"]: intel.add_mitre("TA0042", "T1588.001") except IndexError as err: pass else: intel.add_docid() self.intel.append(intel)
def _parse(self): for line in self._raw_threat_intel.split("\n"): if line[:1] is "#": pass else: try: split_line = line.split('", "') intel = Intel( original=line, event_type="indicator", event_reference=self._feed_url, event_provider="Abuse.ch", event_dataset="MalwareBazaar", threat_first_seen=split_line[0], threat_last_seen=None, threat_type="file_hash" ) intel.add_file(name=split_line[5], extension=split_line[6], mime_type=split_line[7], sha1=split_line[3], sha256=split_line[1], md5=split_line[2]) intel.add_malware(split_line[8]) except Exception as err: print(err) else: intel.add_docid() self.intel.append(intel)
def _parse(self): for line in self._raw_threat_intel.split("\n"): if line[:1] is "#" or len(line) < 2: pass else: # Add as source ip try: if "/" in line: type = "ip_range" else: type = "ip_address" intel = Intel(original=line, event_type="indicator", event_reference=self._feed_url, event_provider="EmergingThreats", event_dataset="fwrules/emerging-Block-IPs", threat_first_seen=None, threat_last_seen=None, threat_type=type) intel.add_ip(ip=line) except Exception: pass else: intel.add_docid() self.intel.append(intel)
def _parse(self): for line in self._raw_threat_intel.split("\n"): if line[:1] is "#": pass else: split_line = line.split(",") # add as destination ip try: intel = Intel( original=line, event_type="indicator", event_reference=self._feed_url, event_provider="Abuse.ch", event_dataset="FeodoTracker", threat_first_seen=split_line[0], threat_last_seen=split_line[3], threat_type="ip_address", threat_description=split_line[4] ) intel.add_destination(ip=split_line[1], port=split_line[2]) intel.add_malware(name=split_line[4]) except IndexError as err: pass else: intel.add_docid() self.intel.append(intel)
def _parse(self): for obj in self._raw_threat_intel["data"]: # Add as source ip try: intel = Intel(original=json.dumps(obj), event_type="indicator", event_reference=self._feed_url, event_provider="AbuseIPdb", event_dataset="blacklist", threat_first_seen=None, threat_last_seen=obj["lastReportedAt"], threat_type="ip_address") intel.add_source(ip=obj["ipAddress"]) except Exception: pass else: intel.add_docid() self.intel.append(intel) # Add as destination ip try: intel = Intel(original=json.dumps(obj), event_type="indicator", event_reference=self._feed_url, event_provider="AbuseIPdb", event_dataset="blacklist", threat_first_seen=None, threat_last_seen=obj["lastReportedAt"], threat_type="ip_address") intel.add_destination(ip=obj["ipAddress"]) except Exception: pass else: intel.add_docid() self.intel.append(intel)
def _parse(self): for line in self._raw_threat_intel.split("\n"): # Add as source ip try: intel = Intel(original=line, event_type="indicator", event_reference=self._feed_url, event_provider="botvrij", event_dataset="botvrij.domains", threat_first_seen=None, threat_last_seen=None, threat_type="url") intel.add_url(domain=line, top_level_domain=line.split(".")[1]) except Exception: pass else: intel.add_docid() self.intel.append(intel)
def _parse(self): for line in self._raw_threat_intel.split("\n"): # Add as source ip try: intel = Intel(original=line, event_type="indicator", event_reference=self._feed_url, event_provider="botvrij", event_dataset="botvrij.ip-dst", threat_first_seen=None, threat_last_seen=None, threat_type="IPV4") intel.add_destination(ip=line) except Exception: pass else: intel.add_docid() self.intel.append(intel)
def _parse(self): for line in self._raw_threat_intel.split("\n"): if line[:1] is ";": pass else: split_line = line.split(';') # Add as source ip try: intel = Intel(original=line, event_type="indicator", event_reference=self._feed_url, event_provider="Spamhaus", event_dataset="Spamhaus.ipv6drop", threat_first_seen=None, threat_last_seen=None, threat_type="domain", threat_description=split_line[1]) intel.add_source(ip=split_line[0]) intel.intel["threat"]["type"] = "IPV6" except IndexError: pass else: intel.add_docid() self.intel.append(intel) # Add as destination ip try: intel = Intel(original=line, event_type="indicator", event_reference=self._feed_url, event_provider="Spamhaus", event_dataset="Spamhaus.ipv6drop", threat_first_seen=None, threat_last_seen=None, threat_type="domain", threat_description=split_line[1]) intel.add_destination(ip=split_line[0]) intel.intel["threat"]["type"] = "IPV6" except IndexError: pass else: intel.add_docid() self.intel.append(intel)
def _parse(self): for line in self._raw_threat_intel.split("\n"): if line[:1] is "#": pass else: split_line = line.split('","') try: intel = Intel(original=line, event_type="indicator", event_reference=self._feed_url, event_provider="Abuse.ch", event_dataset="URLhaus", threat_first_seen=split_line[1], threat_last_seen=None, threat_type="domain", threat_description=split_line[4]) intel.add_url(original=split_line[2]) except IndexError: pass else: intel.add_docid() self.intel.append(intel)