Пример #1
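    def analyze(self, line):
        """Turn one ``|``-separated row of the Tor node list into DB entries.

        Expected layout is eight fields (see the assignments below):
        ``ip|name|router-port|directory-port|flags|uptime|version|contactinfo``.
        Rows with fewer fields, or whose first field holds no parseable IP
        address, are skipped silently: the feed page is untrusted remote
        content and one odd row must not abort the whole update loop.

        Side effects: creates an ``Ip`` tagged ``tor``, attaches a
        ``tornode`` record to it via ``add_evil`` and commits it through
        ``self.commit_to_db``.  Returns None.
        """
        fields = line.split('|')
        if len(fields) < 8:
            return

        # find_ips returns a (possibly empty) list; indexing [0] on an empty
        # result raised IndexError here and killed the caller's update loop.
        # (Other feeds in this file guard the same call with try/except.)
        candidates = toolbox.find_ips(fields[0])
        if not candidates:
            return
        ip = Ip(ip=candidates[0], tags=['tor'])

        # 'ip' below is the raw field text, not the validated address; every
        # field is stored verbatim from the feed.
        tornode = {
            'description': "Tor exit node",
            'ip': fields[0],
            'name': fields[1],
            'router-port': fields[2],
            'directory-port': fields[3],
            'flags': fields[4],
            'uptime': fields[5],
            'version': fields[6],
            'contactinfo': fields[7],
        }

        # MD5 serves only as a stable identifier derived from ip+name, not as
        # a security primitive.
        tornode['id'] = md5.new(tornode['ip'] + tornode['name']).hexdigest()
        tornode['value'] = "Tor node: %s (%s)" % (tornode['name'], tornode['ip'])
        tornode['source'] = self.name

        ip.add_evil(tornode)
        ip.seen()
        self.commit_to_db(ip)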
Пример #2
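	def analyze(self, line):
		"""Turn one ``|``-separated row of the Tor node list into DB entries.

		Expected layout is eight fields (see the assignments below):
		``ip|name|router-port|directory-port|flags|uptime|version|contactinfo``.
		Rows with fewer fields, or whose first field holds no parseable IP
		address, are skipped silently: the feed page is untrusted remote
		content and one odd row must not abort the whole update loop.

		Side effects: creates an ``Ip`` tagged ``tor``, attaches a
		``tornode`` record to it via ``add_evil`` and commits it through
		``self.commit_to_db``.  Returns None.
		"""
		fields = line.split('|')
		if len(fields) < 8:
			return

		# find_ips returns a (possibly empty) list; indexing [0] on an empty
		# result raised IndexError here and killed the caller's update loop.
		# (Other feeds in this file guard the same call with try/except.)
		candidates = toolbox.find_ips(fields[0])
		if not candidates:
			return
		ip = Ip(ip=candidates[0], tags=['tor'])

		# 'ip' below is the raw field text, not the validated address; every
		# field is stored verbatim from the feed.
		tornode = {
			'description': "Tor exit node",
			'ip': fields[0],
			'name': fields[1],
			'router-port': fields[2],
			'directory-port': fields[3],
			'flags': fields[4],
			'uptime': fields[5],
			'version': fields[6],
			'contactinfo': fields[7],
		}

		# MD5 serves only as a stable identifier derived from ip+name, not as
		# a security primitive.
		tornode['id'] = md5.new(tornode['ip'] + tornode['name']).hexdigest()
		tornode['value'] = "Tor node: %s (%s)" % (tornode['name'], tornode['ip'])
		tornode['source'] = self.name

		ip.add_evil(tornode)
		ip.seen()
		self.commit_to_db(ip)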
Пример #3
    def analyze(self, line):
        if line.startswith('#') or line.startswith('\n'):
            return

        try:
            ip = toolbox.find_ips(line)[0]
        except Exception, e:
            # if find_ip raises an exception, it means no ip
            # was found in the line, so we return
            return
Пример #4
	def analyze(self, line):
		if line.startswith('#') or line.startswith('\n'):
			return

		try:
			ip = toolbox.find_ips(line)[0]
		except Exception, e:
			# if find_ip raises an exception, it means no ip 
			# was found in the line, so we return
			return
Пример #5
class TorExitNodes(Feed):
    """
	This gets data from https://www.dan.me.uk/tornodes
	"""
    def __init__(self, name):
        """Register the feed with a 12-hour refresh period.

        ``name`` is passed through to ``Feed.__init__`` and the attribute is
        then overwritten with the fixed label "TorExitNodes", exactly as the
        original did.
        """
        super(TorExitNodes, self).__init__(name, run_every="12h")
        self.source = "https://www.dan.me.uk/tornodes"
        self.description = "List of Tor exit nodes"
        self.name = "TorExitNodes"

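    def update(self):
        """Fetch the dan.me.uk node list and hand every row to ``analyze``.

        The page is plain HTML: the node table sits between two HTML-comment
        markers, one node per ``<br />``-separated row.  Everything read
        from the page is untrusted remote content; ``analyze`` decides what
        is stored.

        Returns:
            True when the list was located and processed.  False when a
            marker is missing (page layout changed, or an error page came
            back): nothing is analyzed and ``self.status`` is left as is.
            Feed.update's return convention is not visible in this file;
            the original returned True unconditionally.
        """
        begin_marker = '<!-- __BEGIN_TOR_NODE_LIST__ //-->'
        end_marker = '<!-- __END_TOR_NODE_LIST__ //-->'

        # Bound the fetch: without a timeout a stalled server would block the
        # feed scheduler indefinitely.
        fetch_timeout = 60
        feed = urllib2.urlopen(self.source, timeout=fetch_timeout).read()

        # str.find() yields -1 for a missing marker; the original then sliced
        # garbage and fed it line by line to analyze().
        start = feed.find(begin_marker)
        end = feed.find(end_marker)
        if start == -1 or end == -1 or end < start:
            return False
        start += len(begin_marker)

        rows = (feed[start:end]
                .replace('\n', '')
                .replace('<br />', '\n')
                .replace('&gt;', '>')
                .replace('&lt;', '<')
                .split('\n'))

        # Sanity threshold inherited from the original: a list this short
        # is treated as a broken or empty page.
        if len(rows) > 10:
            self.status = "OK"

        for row in rows:
            self.analyze(row)
        return True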

    def analyze(self, line):
        fields = line.split('|')

        tornode = Evil(tags=['tor exit node'])
        #
        try:
            tornode['ip'] = fields[0]
            tornode['name'] = fields[1]
            tornode['router-port'] = fields[2]
            tornode['directory-port'] = fields[3]
            tornode['flags'] = fields[4]
            tornode['uptime'] = fields[5]
            tornode['version'] = fields[6]
            tornode['contactinfo'] = fields[7]
        except Exception, e:
            return

        tornode['value'] = "Tor node: %s (%s)" % (tornode['name'],
                                                  tornode['ip'])

        try:
            ip = toolbox.find_ips(tornode['ip'])[0]
            ip = Ip(ip=ip, tags=['tor'])
        except Exception, e:
            # if find_ip raises an exception, it means no ip
            # was found in the line, so we return
            return
Пример #6
	def analyze(self, line):
		if line.startswith('#') or line.startswith('\n'):
			return
		dict = line.split('\t')
		if int(dict[2]) < 300: # skip entries which have not been reported at least 300 times
			return

		try:
			ip = toolbox.find_ips(line)[0]
		except Exception, e:
			# if find_ip raises an exception, it means no ip 
			# was found in the line, so we return
			return
Пример #7
	def analyze(self, line):

		if line.startswith('#') or line.startswith('\n'):
			return
		try:
			ip = toolbox.find_ips(line)[0]
			description = re.search(" # (?P<description>[^,]+),", line)
			if description:
				description = description.group('description')
			else:
				description = False
		except Exception, e:
			# if find_ip raises an exception, it means no ip 
			# was found in the line, we bail
			return
Пример #8
    def analyze(self, line):
        if line.startswith('#') or line.startswith('\n'):
            return
        dict = line.split('\t')
        if int(
                dict[2]
        ) < 300:  # skip entries which have not been reported at least 300 times
            return

        try:
            ip = toolbox.find_ips(line)[0]
        except Exception, e:
            # if find_ip raises an exception, it means no ip
            # was found in the line, so we return
            return
Пример #9
    def analyze(self, line):

        if line.startswith('#') or line.startswith('\n'):
            return
        try:
            ip = toolbox.find_ips(line)[0]
            description = re.search(" # (?P<description>[^,]+),", line)
            if description:
                description = description.group('description')
            else:
                description = False
        except Exception, e:
            # if find_ip raises an exception, it means no ip
            # was found in the line, we bail
            return
Пример #10
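    def analyze(self, dict):
        """Build the (element, evil) pair for one SpyEye tracker feed item.

        ``dict`` is the parsed feed item; the keys read here are ``link``,
        ``description`` and ``guid``.  The name shadows the builtin but is
        kept because it is the parameter name callers see.

        Returns:
            ``(elt, evil)`` where *elt* is an ``Ip`` or ``Hostname`` for the
            C&C host and *evil* the ``Evil`` record describing it, or None
            when the description carries no ``Host:`` field (the entry is
            unusable then, matching how the other feeds skip bad lines).
            Committing to the DB is left to the caller: the original ended
            with an unreachable ``self.commit_to_db(elt, evil)`` after the
            return, dropped here.
        """
        # The description text comes from the remote feed; both regexes below
        # run on remotely controlled content, so nothing is assumed about what
        # surrounds a match.
        description = dict['description']

        # Values have to be unique, since that is how Malcom identifies them
        # in the database (original author's note, kept as is).
        host_match = re.search(r"Host: (?P<host>\S+),", description)
        if host_match is None:
            # Previously an AttributeError on .group(); treat the item as
            # malformed instead of crashing the feed.
            return None
        host = host_match.group("host")

        # Evil objects are what Malcom uses to store anything it considers
        # evil: malware, spam sources, etc.
        evil = Evil()
        evil['description'] = dict['link'] + " " + description

        status = re.search(r"Status: (?P<status>\S+),", description)
        evil['status'] = status.group('status') if status else "unknown"

        # linkback to the feed item
        evil['guid'] = dict['guid']
        evil['tags'] += ['spyeye', 'malware', 'cc']

        if toolbox.find_ips(host):
            elt = Ip(host, tags=['cc', 'spyeye', 'malware'])
        else:
            elt = Hostname(host, tags=['cc', 'spyeye', 'malware'])

        evil['value'] = "SpyEye CC (%s)" % elt['value']
        return elt, evil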
Пример #11
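	def analyze(self, dict):
		"""Build the (element, evil) pair for one SpyEye tracker feed item.

		``dict`` is the parsed feed item; the keys read here are ``link``,
		``description`` and ``guid``.  The name shadows the builtin but is
		kept because it is the parameter name callers see.

		Returns:
			``(elt, evil)`` where *elt* is an ``Ip`` or ``Hostname`` for the
			C&C host and *evil* the ``Evil`` record describing it, or None
			when the description carries no ``Host:`` field (the entry is
			unusable then, matching how the other feeds skip bad lines).
			Committing to the DB is left to the caller: the original ended
			with an unreachable ``self.commit_to_db(elt, evil)`` after the
			return, dropped here.
		"""
		# The description text comes from the remote feed; both regexes below
		# run on remotely controlled content, so nothing is assumed about what
		# surrounds a match.
		description = dict['description']

		# Values have to be unique, since that is how Malcom identifies them
		# in the database (original author's note, kept as is).
		host_match = re.search(r"Host: (?P<host>\S+),", description)
		if host_match is None:
			# Previously an AttributeError on .group(); treat the item as
			# malformed instead of crashing the feed.
			return None
		host = host_match.group("host")

		# Evil objects are what Malcom uses to store anything it considers
		# evil: malware, spam sources, etc.
		evil = Evil()
		evil['description'] = dict['link'] + " " + description

		status = re.search(r"Status: (?P<status>\S+),", description)
		evil['status'] = status.group('status') if status else "unknown"

		# linkback to the feed item
		evil['guid'] = dict['guid']
		evil['tags'] += ['spyeye', 'malware', 'cc']

		if toolbox.find_ips(host):
			elt = Ip(host, tags=['cc', 'spyeye', 'malware'])
		else:
			elt = Hostname(host, tags=['cc', 'spyeye', 'malware'])

		evil['value'] = "SpyEye CC (%s)" % elt['value']
		return elt, evil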
Пример #12
        try:
            tornode['ip'] = fields[0]
            tornode['name'] = fields[1]
            tornode['router-port'] = fields[2]
            tornode['directory-port'] = fields[3]
            tornode['flags'] = fields[4]
            tornode['uptime'] = fields[5]
            tornode['version'] = fields[6]
            tornode['contactinfo'] = fields[7]
        except Exception, e:
            return

        tornode['value'] = "Tor: %s (%s)" % (tornode['name'], tornode['ip'])

        try:
            ip = toolbox.find_ips(tornode['ip'])[0]
            ip = Ip(ip=ip, tags=['Tor Node'])
        except Exception, e:
            # if find_ip raises an exception, it means no ip
            # was found in the line, so we return
            return

        # store ip in database
        ip, status = self.analytics.save_element(ip, with_status=True)
        if status['updatedExisting'] == False:
            self.elements_fetched += 1

        # store tornode in database
        tornode, status = self.analytics.save_element(tornode,
                                                      with_status=True)
        if status['updatedExisting'] == False:
Пример #13
			tornode['ip'] = fields[0]
			tornode['name'] = fields[1]
			tornode['router-port'] = fields[2]
			tornode['directory-port'] = fields[3]
			tornode['flags'] = fields[4]
			tornode['uptime'] = fields[5]
			tornode['version'] = fields[6]
			tornode['contactinfo'] = fields[7]
		except Exception, e:
			return


		tornode['value'] = "Tor: %s (%s)" % (tornode['name'], tornode['ip'])

		try:
			ip = toolbox.find_ips(tornode['ip'])[0]
			ip = Ip(ip=ip, tags=['Tor Node'])
		except Exception, e:
			# if find_ip raises an exception, it means no ip 
			# was found in the line, so we return
			return

		
		# store ip in database
		ip, status = self.analytics.save_element(ip, with_status=True)
		if status['updatedExisting'] == False:
			self.elements_fetched += 1

		# store tornode in database
		tornode, status = self.analytics.save_element(tornode, with_status=True)
		if status['updatedExisting'] == False: