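def analyze(self, line):
    """Build an Ip element from one '|'-separated Tor node record.

    The record must carry at least eight fields: ip, name, router-port,
    directory-port, flags, uptime, version and contactinfo.  Lines with
    fewer fields, or whose first field contains no IP address, are skipped.
    The element is tagged 'tor', marked seen and handed to self.commit_to_db.
    """
    fields = line.split('|')
    if len(fields) < 8:
        return

    # toolbox.find_ips() returns a list; an empty result (header or
    # malformed line) would otherwise raise IndexError on [0].
    found = toolbox.find_ips(fields[0])
    if not found:
        return
    ip = Ip(ip=found[0], tags=['tor'])

    tornode = {
        'description': "Tor exit node",
        'ip': fields[0],
        'name': fields[1],
        'router-port': fields[2],
        'directory-port': fields[3],
        'flags': fields[4],
        'uptime': fields[5],
        'version': fields[6],
        'contactinfo': fields[7],
    }
    # The id is derived from the raw ip field and the node name, so the
    # same node reported again maps onto the same evil entry.
    tornode['id'] = md5.new(tornode['ip'] + tornode['name']).hexdigest()
    tornode['value'] = "Tor node: %s (%s)" % (tornode['name'], tornode['ip'])
    tornode['source'] = self.name

    ip.add_evil(tornode)
    ip.seen()
    self.commit_to_db(ip)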
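def analyze(self, dict):
    """Record one feed entry as both a Url and an Ip element.

    The entry dict is expected to carry 'first_seen' (%d-%m-%Y), 'url',
    'ip' and 'malware'.  Both elements are tagged with the malware name,
    marked seen at the parsed date and handed to self.commit_to_db.
    """
    evil = dict
    evil['date_added'] = datetime.datetime.strptime(dict['first_seen'], "%d-%m-%Y")
    evil['description'] = self.description
    evil['source'] = self.name

    # url
    evil['url'] = dict['url']
    evil['id'] = md5.new(evil['url'] + dict['first_seen']).hexdigest()
    url = Url(url=evil['url'], tags=[dict['malware']])
    url.seen(first=evil['date_added'])
    url.add_evil(evil)
    self.commit_to_db(url)

    # ip -- work on a copy so the record already attached to the Url
    # element is not rewritten when 'url' and 'id' are repointed at the IP.
    ip_evil = evil.copy()
    ip_evil['url'] = dict['ip']
    ip_evil['id'] = md5.new(ip_evil['url'] + dict['first_seen']).hexdigest()
    ip = Ip(ip=dict['ip'], tags=[dict['malware']])
    ip.seen(first=ip_evil['date_added'])
    ip.add_evil(ip_evil)
    self.commit_to_db(ip)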
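def analyze(self, line):
    """Turn one '|'-separated Tor node record into a tagged Ip element.

    Fields, in order: ip, name, router-port, directory-port, flags, uptime,
    version, contactinfo.  Records with fewer than eight fields, or whose
    ip field yields no IP address, are ignored.
    """
    fields = line.split('|')
    if len(fields) < 8:
        return

    # Guard the [0] access: find_ips() may return an empty list for a
    # header or malformed line.
    candidates = toolbox.find_ips(fields[0])
    if not candidates:
        return
    element = Ip(ip=candidates[0], tags=['tor'])

    keys = ('ip', 'name', 'router-port', 'directory-port',
            'flags', 'uptime', 'version', 'contactinfo')
    tornode = dict(zip(keys, fields[:8]))
    tornode['description'] = "Tor exit node"
    # Id from raw ip field + node name: re-reports of the same node update
    # the same evil entry.
    tornode['id'] = md5.new(tornode['ip'] + tornode['name']).hexdigest()
    tornode['value'] = "Tor node: %s (%s)" % (tornode['name'], tornode['ip'])
    tornode['source'] = self.name

    element.add_evil(tornode)
    element.seen()
    self.commit_to_db(element)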
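def analyze(self, dict):
    """Turn one Feodo Tracker RSS entry into an Ip or Hostname element.

    The timestamp is taken from the parenthesised "(YYYY-mm-dd HH:MM:SS)"
    in the entry title; host and version come from the description
    ("Host: ..., Version: X").  Entries whose title or description do not
    match, or whose host is neither an IP nor a hostname, are skipped.
    The entry's 'title' key is dropped once the timestamp is extracted.
    """
    evil = dict

    m = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
    if m is None:
        return
    try:
        evil['date_added'] = datetime.datetime.strptime(
            m.group('datetime'), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        # Unparseable timestamp: keep the entry but record no first-seen date.
        evil['date_added'] = None

    # Capture the raw feed description before 'description' is replaced
    # below; evil and dict are the same object, so hashing dict['description']
    # afterwards would hash the canned text and give every host of a
    # version the same id.
    raw_description = dict['description']
    g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)', raw_description)
    if g is None:
        return
    g = g.groupdict()
    evil['host'] = g['host']
    evil['version'] = g['version']
    evil['description'] = FeodoTracker.descriptions[g['version']]
    evil['id'] = md5.new(raw_description).hexdigest()
    evil['source'] = self.name
    del evil['title']

    tags = [FeodoTracker.variants[g['version']]]
    if toolbox.is_ip(evil['host']):
        elt = Ip(ip=evil['host'], tags=tags)
    elif toolbox.is_hostname(evil['host']):
        elt = Hostname(hostname=evil['host'], tags=tags)
    else:
        return

    if evil['date_added'] is not None:
        elt.seen(first=evil['date_added'])
    else:
        elt.seen()
    elt.add_evil(evil)
    self.commit_to_db(elt)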
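def analyze(self, dict):
    """Convert one Feodo Tracker RSS entry into an Ip or Hostname element.

    Timestamp: the "(YYYY-mm-dd HH:MM:SS)" group in 'title'.  Host and
    version: the "Host: ..., Version: X" pattern in 'description'.  Entries
    that fail either pattern, or whose host is neither IP nor hostname, are
    skipped; 'title' is removed from the stored record.
    """
    evil = dict

    date_match = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
    if date_match is None:
        return
    date_string = date_match.group('datetime')
    try:
        evil['date_added'] = datetime.datetime.strptime(date_string, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        # Keep the entry; the element is simply marked seen without a date.
        evil['date_added'] = None

    # Read the feed's own description before it is overwritten: evil is
    # dict, so md5 of dict['description'] taken after the overwrite would
    # be the md5 of the canned text, identical for every host of a version.
    feed_description = dict['description']
    g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)', feed_description)
    if g is None:
        return
    g = g.groupdict()
    version = g['version']
    evil['host'] = g['host']
    evil['version'] = version
    evil['description'] = FeodoTracker.descriptions[version]
    evil['id'] = md5.new(feed_description).hexdigest()
    evil['source'] = self.name
    del evil['title']

    host = evil['host']
    tags = [FeodoTracker.variants[version]]
    if toolbox.is_ip(host):
        elt = Ip(ip=host, tags=tags)
    elif toolbox.is_hostname(host):
        elt = Hostname(hostname=host, tags=tags)
    else:
        return

    if evil['date_added'] is None:
        elt.seen()
    else:
        elt.seen(first=evil['date_added'])
    elt.add_evil(evil)
    self.commit_to_db(elt)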
def analyze(self, dict):
    """Record one entry of the Infosec CERT-PA IP feed as an Ip element.

    Only the entry's 'ip' key is used.  The id is the md5 of the IP plus a
    fixed feed marker; description and source come from the feed object.
    """
    evil = dict
    host = dict['ip']
    evil['host'] = host
    evil['id'] = md5.new(host + 'InfosecCertPaItIP').hexdigest()
    evil['description'] = self.description
    evil['source'] = self.name

    element = Ip(ip=host)
    element.seen()
    element.add_evil(evil)
    self.commit_to_db(element)
def analyze(self, dict):
    """Record one entry of a reputation feed scored out of 5 as an Ip element.

    Uses the entry's 'ip' and 'lv' keys; the level is folded into both the
    id and the human-readable description.
    """
    evil = dict
    host = dict['ip']
    level = dict['lv']
    evil['host'] = host
    evil['id'] = md5.new(host + 'Lv %s' % level).hexdigest()
    evil['description'] = 'This IP was reported for ' + level + '/5 malicious activity'
    evil['source'] = self.name

    element = Ip(ip=host)
    element.add_evil(evil)
    self.commit_to_db(element)
def analyze(self, dict):
    """Record one Alienvault reputation entry (score out of 7) as an Ip element.

    Uses the entry's 'ip' and 'score' keys; the score is part of the id so a
    changed score yields a new evil entry.
    """
    evil = dict
    host = dict['ip']
    score = dict['score']
    evil['host'] = host
    evil['id'] = md5.new(host + score + '/7').hexdigest()
    evil['description'] = 'Threat Score %s/7 by Alienvault.com' % score
    evil['source'] = self.name

    element = Ip(ip=host)
    element.seen()
    element.add_evil(evil)
    self.commit_to_db(element)
def analyze(self, dict):
    """Record one categorised IP entry with explicit first/last-seen times.

    'first_seen' and 'last_seen' (%Y-%m-%d %H:%M:%S) are parsed in place;
    the id combines the IP with the entry's 'category'.  A malformed date
    raises ValueError from strptime.
    """
    evil = dict
    fmt = "%Y-%m-%d %H:%M:%S"
    first = datetime.datetime.strptime(dict['first_seen'], fmt)
    last = datetime.datetime.strptime(dict['last_seen'], fmt)
    address = dict['ip']

    evil['first_seen'] = first
    evil['last_seen'] = last
    evil['url'] = address
    evil['id'] = md5.new(address + dict['category']).hexdigest()
    evil['description'] = self.description
    evil['source'] = self.name

    element = Ip(ip=address)
    element.seen(first=first, last=last)
    element.add_evil(evil)
    self.commit_to_db(element)
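def analyze(self, line):
    """Template analyze(): turn ONE feed record into elements and commit them.

    This method is called once per record (one line, or one XML node).  It
    is also the place to skip records that carry no data, e.g. comment
    lines starting with '#'.

    Say the resource you requested has the following format:

        ip_addr;owner;description;
        8.8.8.8;Google Inc.;malicious nameserver;

    You should write a method similar to this one.
    """
    # Comment lines carry no record.
    if line.startswith('#'):
        return

    # Split the entry into its elements.  Each record ends with a ';', so a
    # plain 3-way unpack of split(';') would see four fields and raise
    # ValueError; take the first three and skip short lines instead.
    fields = line.split(';')
    if len(fields) < 3:
        return
    ip, org, description = fields[:3]

    _ip = Ip(ip=ip)  # create a new IP element
    _ip['tags'] = ['zeus', 'cc']  # it was a Zeus CC, remember the feed description?

    # Now comes the definition of the Evil element.  Associate it with other
    # elements to build threat intel.  Not adding the information directly to
    # the IP element lets us determine how many different sources have seen
    # this specific artifact.
    evil = {}  # dictionary that will be included in the element
    evil['org'] = org

    # The ID determines when this entry is updated: if the elements included
    # in the ID remain the same, the entry is updated; if one of them changes,
    # a new entry is created.
    evil['id'] = md5.new(org + ip).hexdigest()

    # The source tells you where the information comes from; a good idea is
    # to give it the name of the feed.
    evil['source'] = self.name

    # Mandatory field.  This should explain why the element is evil other
    # than "it just shows up on a blocklist".
    evil['description'] = description

    # You can include any other information you might want.
    evil['foo'] = "bar"

    # Time to commit information to the DB: attach the evil record to the
    # IP, then commit the IP.
    _ip.add_evil(evil)
    self.commit_to_db(_ip)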
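def analyze(self, line):
    """Example analyze(): process exactly one record and commit the result.

    Called once per record (a line, or an XML node).  Use it to ignore
    records without data as well, e.g. lines starting with '#'.

    Suppose the requested resource looks like:

        ip_addr;owner;description;
        8.8.8.8;Google Inc.;malicious nameserver;

    Then a method similar to this one does the job.
    """
    # Skip comment lines.
    if line.startswith('#'):
        return

    # Every record is terminated by ';', so split(';') yields a trailing
    # empty field; a direct 3-way unpack would raise ValueError.  Use the
    # first three fields and drop lines that do not have them.
    parts = line.split(';')
    if len(parts) < 3:
        return
    ip, org, description = parts[:3]

    _ip = Ip(ip=ip)  # new IP element
    _ip['tags'] = ['zeus', 'cc']  # a Zeus CC, as the feed description says

    # The Evil record is kept separate from the IP element so that the number
    # of distinct sources reporting the same artifact can be determined.
    evil = {}
    evil['org'] = org
    # Id: unchanged id -> existing entry is updated; changed id -> new entry.
    evil['id'] = md5.new(org+ip).hexdigest()
    # Source: where the information comes from, typically the feed name.
    evil['source'] = self.name
    # Mandatory: why the element is evil beyond "it appears on a blocklist".
    evil['description'] = description
    # Any extra information may be added.
    evil['foo'] = "bar"

    # Attach the evil record to the IP and commit the IP to the DB.
    _ip.add_evil(evil)
    self.commit_to_db(_ip)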
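def analyze(self, dict):
    """Turn one Feodo Tracker CSV row into an Ip or Hostname element.

    Uses the row's 'first_seen' (%Y-%m-%d %H:%M:%S), 'dst_ip' and 'malware'
    keys.  Rows whose host is neither an IP nor a hostname are skipped; a
    row whose date does not parse is kept and marked seen without a date.
    """
    evil = dict
    try:
        evil['date_added'] = datetime.datetime.strptime(dict['first_seen'], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        # Previously the key was left unset, so the seen() call below raised
        # KeyError on an unparseable date.
        evil['date_added'] = None

    evil['host'] = dict['dst_ip']
    evil['version'] = dict['malware']
    evil['description'] = FeodoTracker.descriptions[dict['malware']]
    evil['id'] = md5.new(evil['host'] + evil['description']).hexdigest()
    evil['source'] = self.name

    tags = [dict['malware']]
    if toolbox.is_ip(evil['host']):
        elt = Ip(ip=evil['host'], tags=tags)
    elif toolbox.is_hostname(evil['host']):
        elt = Hostname(hostname=evil['host'], tags=tags)
    else:
        # Neither form: nothing to attach the record to.
        return

    if evil['date_added'] is not None:
        elt.seen(first=evil['date_added'])
    else:
        elt.seen()
    elt.add_evil(evil)
    self.commit_to_db(elt)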
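def analyze(self, line):
    """Parse one CSV line of the feed into an Ip element plus linked Hostnames.

    Expected columns: ip, port, domains, traffic_info, description, date
    (%Y-%m-%d).  Comment lines ('#') and the 'IP address' header are
    skipped, as are lines that do not split into exactly six fields.  Every
    hostname in the '/'-separated domains column is committed as a Hostname
    and connected to the committed IP through self.model.
    """
    if line.startswith("#") or line.startswith("IP address"):
        return
    try:
        ip, port, domains, traffic_info, description, date_string = line.split(',')
    except ValueError:
        # Malformed line, skipping
        return

    evil = {'ip': ip}
    # Raw string: '\d' inside a plain literal is an invalid escape sequence.
    port_match = re.search(r'[\d]+', port)
    if port_match:
        evil['port'] = port_match.group()
    evil['domains'] = domains
    evil['description'] = "{}".format(description)
    if traffic_info:
        evil['description'] += " ({})".format(traffic_info)
    evil['date_added'] = datetime.datetime.strptime(date_string, "%Y-%m-%d")
    evil['id'] = md5.new(evil['description'] + evil['ip'] + date_string).hexdigest()
    evil['source'] = self.name

    ip_element = Ip(ip=ip)
    ip_element.seen(first=evil['date_added'])
    ip_element.add_evil(evil)
    committed_ip = self.commit_to_db(ip_element)

    # Only values toolbox.is_hostname() accepts become Hostname elements.
    hostnames = [d.strip() for d in domains.split('/') if toolbox.is_hostname(d.strip())]
    for name in hostnames:
        h = Hostname(hostname=name)
        h.seen(first=evil['date_added'])
        h.add_evil(evil)
        h = self.commit_to_db(h)
        self.model.connect(h, committed_ip)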