def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
columns = [
"__IGNORE__", "source.url", "event_description.url", "time.source",
"__IGNORE__", "__IGNORE__", "__IGNORE__",
"event_description.target"
]
raw_report = utils.base64_decode(report.get("raw"))
for row in utils.csv_reader(raw_report):
# ignore headers
if "phish_id" in row:
continue
event = Event(report)
for key, value in zip(columns, row):
if key == "__IGNORE__":
continue
event.add(key, value)
event.add('classification.type', u'phishing')
event.add("raw", ",".join(row))
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if not report or not report.contains("raw"):
self.acknowledge_message()
return
raw_report = utils.base64_decode(report.get("raw"))
for row in utils.csv_reader(raw_report):
event = Event(report)
self.logger.debug(repr(row))
event.add("time.source", row[0].replace('_', ' ') + " UTC")
if row[1] != '-':
event.add("source.url", self.add_http(row[1]))
try:
event.add("source.ip", row[2])
except InvalidValue:
event.add("source.url", self.add_http(row[2]))
event.add('source.ip', urlparse(row[2]).netloc)
event.add("source.reverse_dns", row[3])
event.add("event_description.text", row[4])
# TODO: ignore abuse contact for now
event.add("source.asn", int(row[6]))
event.add('classification.type', u'malware')
event.add("raw", ",".join(row))
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if not report or not report.contains("raw"):
self.acknowledge_message()
return
raw_report = utils.base64_decode(report.value("raw"))
for row in utils.csv_reader(raw_report):
event = Event(report)
self.logger.debug(repr(row))
event.add("time.source", row[0].replace('_', ' ') + " UTC")
if row[1] != '-':
event.add("source.url", self.add_http(row[1]))
try:
event.add("source.ip", row[2])
except InvalidValue:
event.add("source.url", self.add_http(row[2]))
event.add('source.ip', urlparse(row[2]).netloc)
event.add("source.reverse_dns", row[3])
event.add("event_description.text", row[4])
# TODO: ignore abuse contact for now
event.add("source.asn", int(row[6]))
event.add('classification.type', u'malware')
event.add("raw", ",".join(row))
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if not report or not report.contains("raw"):
self.acknowledge_message()
return
raw_report = utils.base64_decode(report.value("raw"))
for row in utils.csv_reader(raw_report):
event = Event(report)
self.logger.debug(repr(row))
event.add("time.source", row[0].replace("_", " ") + " UTC", sanitize=True)
if row[1] != "-":
event.add("source.url", row[1], sanitize=True)
try:
event.add("source.ip", row[2], sanitize=True)
except InvalidValue:
event.add("source.url", row[2], sanitize=True)
event.add("source.ip", urlparse(row[2]).netloc, sanitize=True)
event.add("source.reverse_dns", row[3], sanitize=True)
event.add("event_description.text", row[4], sanitize=True)
# TODO: ignore abuse contact for now
event.add("source.asn", int(row[6]))
event.add("classification.type", "malware")
event.add("raw", ",".join(row), sanitize=True)
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
columns = [
"source.ip",
"__IGNORE__",
"event_description.text",
"__IGNORE__"
]
headers = True
raw_report = utils.base64_decode(report.get("raw"))
for row in utils.csv_reader(raw_report):
# ignore headers
if headers:
headers = False
continue
event = Event(report)
for key, value in zip(columns, row):
if key == "__IGNORE__":
continue
event.add(key, value)
event.add('classification.type', u'scanner')
event.add("raw", ",".join(row))
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
columns = [
"source.ip", "__IGNORE__", "event_description.text", "__IGNORE__"
]
headers = True
raw_report = utils.base64_decode(report.get("raw"))
for row in utils.csv_reader(raw_report):
# ignore headers
if headers:
headers = False
continue
event = Event(report)
for key, value in zip(columns, row):
if key == "__IGNORE__":
continue
event.add(key, value)
event.add('classification.type', u'scanner')
event.add("raw", ",".join(row))
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
raw_report = utils.base64_decode(report["raw"])
for row in utils.csv_reader(raw_report, dictreader=True):
event = Event(report)
extra = {}
event.add('time.source', row['timestamp']+' UTC')
event.add('source.ip', row['ip'])
event.add('source.port', row['port'])
event.add('source.asn', row['asn'])
event.add('source.geolocation.cc', row['geo'])
event.add('source.geolocation.region', row['region'])
event.add('source.geolocation.city', row['city'])
if row['hostname']:
event.add('source.reverse_dns', row['hostname'])
event.add('protocol.transport', row['type'])
event.add('malware.name', row['infection'])
if row['url']:
event.add('destination.url', row['url'])
if row['agent']:
extra['user_agent'] = row['agent']
event.add('destination.ip', row['cc'])
event.add('destination.port', row['cc_port'])
event.add('destination.asn', row['cc_asn'])
event.add('destination.geolocation.cc', row['cc_geo'])
if row['cc_dns']:
event.add('destination.reverse_dns', row['cc_dns'])
extra['connection_count'] = int(row['count'])
if row['proxy']:
extra['proxy'] = row['proxy']
if row['application']:
event.add('protocol.application', row['type'])
extra['os.name'] = row['p0f_genre']
extra['os.version'] = row['p0f_detail']
if 'machine_name' in row and row['machine_name']:
event.add('source.local_hostname', row['type'])
if 'id' in row and row['id']:
extra['bot_id'] = row['id']
if int(row['naics']):
extra['naics'] = int(row['naics'])
if int(row['sic']):
extra['sic'] = int(row['sic'])
event.add('extra', extra)
event.add('classification.type', 'botnet drone')
event.add('raw', '"'+','.join(map(str, row.items()))+'"')
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
raw_report = utils.base64_decode(report.get("raw"))
for row in utils.csv_reader(raw_report, dictreader=True):
event = Event(report)
for key, value in row.items():
if not value:
continue
if key is None:
self.logger.warning('Value without key found, skipping the'
' value: {!r}'.format(value))
continue
key = COLUMNS[key]
if key == "__IGNORE__" or key == "__TDB__":
continue
if key == "source.fqdn" and IPAddress.is_valid(value,
sanitize=True):
continue
if key == "time.source":
value = value + " UTC"
if key == "source.asn" and value.startswith("ASNA"):
continue
if key == "source.asn":
for asn in value.split(','):
if asn.startswith("AS"):
value = asn.split("AS")[1]
break
event.add(key, value)
event.add('classification.type', u'malware')
event.add("raw", ",".join(row))
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
raw_report = utils.base64_decode(report.get("raw"))
for row in utils.csv_reader(raw_report, dictreader=True):
event = Event(report)
for key, value in row.items():
if not value:
continue
if key is None:
self.logger.warning('Value without key found, skipping the'
' value: {!r}'.format(value))
continue
key = COLUMNS[key]
if key == "__IGNORE__" or key == "__TDB__":
continue
if key == "source.fqdn" and IPAddress.is_valid(value,
sanitize=True):
continue
if key == "time.source":
value = value + " UTC"
if key == "source.asn" and value.startswith("ASNA"):
continue
if key == "source.asn":
for asn in value.split(','):
if asn.startswith("AS"):
value = asn.split("AS")[1]
break
event.add(key, value)
event.add('classification.type', u'malware')
event.add("raw", ",".join(row))
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
raw_report = utils.base64_decode(report["raw"])
for row in utils.csv_reader(raw_report, dictreader=True):
event = Event(report)
extra = {}
event.add("time.source", row["timestamp"] + " UTC")
event.add("source.ip", row["ip"])
event.add("protocol.transport", row["protocol"])
event.add("source.port", row["port"])
event.add("source.reverse_dns", row["hostname"])
extra["sysdesc"] = row["sysdesc"]
extra["sysname"] = row["sysname"]
event.add("source.asn", row["asn"])
event.add("source.geolocation.cc", row["geo"])
event.add("source.geolocation.region", row["region"])
event.add("source.geolocation.city", row["city"])
if int(row["naics"]):
extra["naics"] = int(row["naics"])
if int(row["sic"]):
extra["sic"] = int(row["sic"])
if row["sector"]:
extra["sector"] = row["sector"]
event.add("extra", extra)
event.add("protocol.application", "snmp")
event.add("classification.type", "vulnerable service")
event.add("classification.identifier", "snmp")
event.add("raw", '"' + ",".join(map(str, row.items())) + '"')
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
raw_report = utils.base64_decode(report["raw"])
for row in utils.csv_reader(raw_report, dictreader=True):
event = Event(report)
extra = {}
event.add('time.source', row['timestamp']+' UTC')
event.add('source.ip', row['ip'])
event.add('protocol.transport', row['protocol'])
event.add('source.port', row['port'])
event.add('source.reverse_dns', row['hostname'])
extra['sysdesc'] = row['sysdesc']
extra['sysname'] = row['sysname']
event.add('source.asn', row['asn'])
event.add('source.geolocation.cc', row['geo'])
event.add('source.geolocation.region', row['region'])
event.add('source.geolocation.city', row['city'])
if int(row['naics']):
extra['naics'] = int(row['naics'])
if int(row['sic']):
extra['sic'] = int(row['sic'])
if row['sector']:
extra['sector'] = row['sector']
event.add('extra', extra)
event.add('protocol.application', 'snmp')
event.add('classification.type', 'vulnerable service')
event.add('classification.identifier', 'snmp')
event.add('raw', '"'+','.join(map(str, row.items()))+'"')
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
columns = ["__IGNORE__",
"source.url",
"event_description.url",
"time.source",
"__IGNORE__",
"__IGNORE__",
"__IGNORE__",
"event_description.target"
]
raw_report = utils.base64_decode(report.get("raw"))
for row in utils.csv_reader(raw_report):
# ignore headers
if "phish_id" in row:
continue
event = Event(report)
for key, value in zip(columns, row):
if key == "__IGNORE__":
continue
event.add(key, value)
event.add('classification.type', u'phishing')
event.add("raw", ",".join(row))
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
raw_report = utils.base64_decode(report["raw"])
for row in utils.csv_reader(raw_report, dictreader=True):
event = Event(report)
extra = {}
event.add('time.source', row['timestamp']+' UTC')
event.add('source.ip', row['ip'])
event.add('protocol.transport', row['protocol'])
event.add('source.port', row['port'])
event.add('source.reverse_dns', row['hostname'])
event.add('protocol.application', row['tag'])
extra['quote'] = row['quote']
event.add('source.asn', row['asn'])
event.add('source.geolocation.cc', row['geo'])
event.add('source.geolocation.region', row['region'])
event.add('source.geolocation.city', row['city'])
if int(row['naics']):
extra['naics'] = int(row['naics'])
if int(row['sic']):
extra['sic'] = int(row['sic'])
if row['sector']:
extra['sector'] = row['sector']
event.add('extra', extra)
event.add('classification.type', 'vulnerable service')
event.add('classification.identifier', 'qotd')
event.add('raw', '"'+','.join(map(str, row.items()))+'"')
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if not report or not report.contains("raw"):
self.acknowledge_message()
return
columns = self.parameters.columns
raw_report = utils.base64_decode(report.value("raw"))
# ignore lines starting with #
raw_report = re.sub(r'(?m)^#.*\n?', '', raw_report)
# ignore null bytes
raw_report = re.sub(r'(?m)\0', '', raw_report)
for row in utils.csv_reader(raw_report,
delimiter=str(self.parameters.delimiter)):
event = Event(report)
for key, value in zip(columns, row):
if key in ["__IGNORE__", ""]:
continue
try:
if key in ["time.source", "time.destination"]:
value = parse(value, fuzzy=True).isoformat()
value += " UTC"
# regex from http://stackoverflow.com/a/23483979
# matching ipv4/ipv6 IP within string
elif key in ["source.ip", "destination.ip"]:
value = re.compile(
'(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
'\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0'
'-5])|(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])'
'\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])|'
'\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|('
'([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]'
'|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d'
'\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:['
'0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|['
'1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|'
':))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1'
',3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d'
'\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){'
'3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,'
'4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-'
'4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-'
'9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-'
'Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0'
'-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1'
'\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(('
'(:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4'
'}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2['
'0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]'
'{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2'
'[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|'
'[1-9]?\d)){3}))|:)))(%.+)?').match(value).group()
elif key.endswith('.url') and '://' not in value:
value = self.parameters.default_url_protocol + value
except:
self.logger.exception('Encountered error while parsing'
'line in csv file, ignoring.')
continue
event.add(key, value)
event.add('classification.type', self.parameters.type)
event.add("raw", ",".join(row))
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
raw_report = utils.base64_decode(report["raw"])
for row in utils.csv_reader(raw_report, dictreader=True):
event = Event(report)
extra = {}
self.logger.debug(repr(row))
event.add('time.source', row['timestamp'] + ' UTC')
event.add('source.ip', row['ip'])
event.add('source.asn', row['asn'])
event.add('source.geolocation.cc', row['geo'])
if row['http_host'] and row['url']:
event.add('destination.url', row['http_host'] + row['url'])
elif row['url']:
extra['url'] = row['url'] # incomplete URL
event.add('malware.name', row['type'])
if row['http_agent']:
extra['http_agent'] = row['http_agent']
if row['tor']:
event.add('source.tor_node', row['tor'])
event.add('source.port', row['src_port'])
if row['p0f_genre']:
extra['os.name'] = row['p0f_genre']
if row['p0f_detail']:
extra['os.version'] = row['p0f_detail']
if row['hostname']:
event.add('source.reverse_dns', row['hostname'])
event.add('destination.port', row['dst_port'])
if row['http_host']:
extra['http_host'] = row['http_host']
if row['http_referer'] not in ['', 'null']:
extra['http_referer'] = row['http_referer']
if row['http_referer_asn']:
extra['http_referer_asn'] = row['http_referer_asn']
if row['http_referer_geo']:
extra['http_referer_geo'] = row['http_referer_geo']
if row['dst_ip']:
event.add('destination.ip', row['dst_ip'])
if row['dst_asn']:
event.add('destination.asn', row['dst_asn'])
if row['dst_geo']:
event.add('destination.geolocation.cc', row['dst_geo'])
if int(row['naics']):
extra['naics'] = int(row['naics'])
if int(row['sic']):
extra['sic'] = int(row['sic'])
event.add('raw', '"' + ','.join(map(str, row.items())) + '"')
if extra:
event.add('extra', extra)
event.add('classification.type', 'botnet drone')
event.add('protocol.application', 'http')
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if not report or not report.contains("raw"):
self.acknowledge_message()
return
columns = self.parameters.columns
raw_report = utils.base64_decode(report.get("raw"))
# ignore lines starting with #
raw_report = re.sub(r'(?m)^#.*\n?', '', raw_report)
# ignore null bytes
raw_report = re.sub(r'(?m)\0', '', raw_report)
for row in utils.csv_reader(raw_report,
delimiter=str(self.parameters.delimiter)):
event = Event(report)
for key, value in zip(columns, row):
if key in ["__IGNORE__", ""]:
continue
try:
if key in ["time.source", "time.destination"]:
value = parse(value, fuzzy=True).isoformat()
value += " UTC"
# regex from http://stackoverflow.com/a/23483979
# matching ipv4/ipv6 IP within string
elif key in ["source.ip", "destination.ip"]:
value = re.compile(
'(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
'\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0'
'-5])|(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])'
'\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])|'
'\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|('
'([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]'
'|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d'
'\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:['
'0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|['
'1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|'
':))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1'
',3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d'
'\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){'
'3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,'
'4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-'
'4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-'
'9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-'
'Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0'
'-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1'
'\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(('
'(:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4'
'}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2['
'0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]'
'{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2'
'[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|'
'[1-9]?\d)){3}))|:)))(%.+)?').match(value).group()
elif key.endswith('.url') and '://' not in value:
value = self.parameters.default_url_protocol + value
except:
self.logger.exception('Encountered error while parsing'
'line in csv file, ignoring.')
continue
event.add(key, value)
event.add('classification.type', self.parameters.type)
event.add("raw", ",".join(row))
self.send_message(event)
self.acknowledge_message()
def process(self):
report = self.receive_message()
if report is None or not report.contains("raw"):
self.acknowledge_message()
return
raw_report = utils.base64_decode(report["raw"])
for row in utils.csv_reader(raw_report, dictreader=True):
event = Event(report)
extra = {}
self.logger.debug(repr(row))
event.add('time.source', row['timestamp']+' UTC')
event.add('source.ip', row['ip'])
event.add('source.asn', row['asn'])
event.add('source.geolocation.cc', row['geo'])
if row['http_host'] and row['url']:
event.add('destination.url', row['http_host']+row['url'])
elif row['url']:
extra['url'] = row['url'] # incomplete URL
event.add('malware.name', row['type'])
if row['http_agent']:
extra['http_agent'] = row['http_agent']
if row['tor']:
event.add('source.tor_node', row['tor'])
event.add('source.port', row['src_port'])
if row['p0f_genre']:
extra['os.name'] = row['p0f_genre']
if row['p0f_detail']:
extra['os.version'] = row['p0f_detail']
if row['hostname']:
event.add('source.reverse_dns', row['hostname'])
event.add('destination.port', row['dst_port'])
if row['http_host']:
extra['http_host'] = row['http_host']
if row['http_referer'] not in ['', 'null']:
extra['http_referer'] = row['http_referer']
if row['http_referer_asn']:
extra['http_referer_asn'] = row['http_referer_asn']
if row['http_referer_geo']:
extra['http_referer_geo'] = row['http_referer_geo']
if row['dst_ip']:
event.add('destination.ip', row['dst_ip'])
if row['dst_asn']:
event.add('destination.asn', row['dst_asn'])
if row['dst_geo']:
event.add('destination.geolocation.cc', row['dst_geo'])
if int(row['naics']):
extra['naics'] = int(row['naics'])
if int(row['sic']):
extra['sic'] = int(row['sic'])
event.add('raw', '"'+','.join(map(str, row.items()))+'"')
if extra:
event.add('extra', extra)
event.add('classification.type', 'botnet drone')
event.add('protocol.application', 'http')
self.send_message(event)
self.acknowledge_message()
