示例#1
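	def analyze(self, line):
		"""Parse one '|'-separated Tor exit-node record and commit it as an Ip.

		Positional field order expected from the feed:
		ip | name | router-port | directory-port | flags | uptime | version | contactinfo

		Lines with fewer than 8 fields are skipped, as are lines whose first
		field yields no IP from toolbox.find_ips (the original indexed ``[0]``
		unconditionally and raised IndexError there). Feed fields are untrusted
		input: this method only stores them as strings, never interprets them.

		:param line: one raw line of the feed.
		:returns: None; the element is persisted via commit_to_db.
		"""
		fields = line.split('|')
		if len(fields) < 8:
			return

		# Guard the [0] index: an empty result must skip the line, not raise.
		found = toolbox.find_ips(fields[0])
		if not found:
			return
		ip = Ip(ip=found[0], tags=['tor'])

		tornode = {
			'description': "Tor exit node",
			'ip': fields[0],
			'name': fields[1],
			'router-port': fields[2],
			'directory-port': fields[3],
			'flags': fields[4],
			'uptime': fields[5],
			'version': fields[6],
			'contactinfo': fields[7],
		}
		# md5 over ip + name is only a stable dedup key, not a security control.
		tornode['id'] = md5.new(tornode['ip'] + tornode['name']).hexdigest()
		tornode['value'] = "Tor node: %s (%s)" % (tornode['name'], tornode['ip'])
		tornode['source'] = self.name

		ip.add_evil(tornode)
		ip.seen()
		self.commit_to_db(ip)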
示例#2
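    def analyze(self, dict):
        """Turn one feed record into a Url element and an Ip element.

        Both elements carry an evil record derived from the same feed entry.
        The Ip record is a copy: the original re-pointed ``evil['url']`` at
        the IP on the very dict already handed to the Url element, which
        silently rewrites that record if add_evil (defined elsewhere) keeps a
        reference rather than copying — TODO confirm against add_evil.

        Required keys on ``dict``: first_seen (``%d-%m-%Y``), url, ip,
        malware. A missing key raises KeyError; a malformed first_seen
        raises ValueError.

        :param dict: the parsed feed record, mutated in place (the name
            shadows the builtin; kept for interface compatibility).
        """
        evil = dict
        evil['date_added'] = datetime.datetime.strptime(dict['first_seen'], "%d-%m-%Y")

        # url record
        evil['url'] = dict['url']
        # md5 over (url, first_seen) is a dedup key, not a security control
        evil['id'] = md5.new(evil['url'] + dict['first_seen']).hexdigest()
        evil['description'] = self.description
        evil['source'] = self.name

        url = Url(url=evil['url'], tags=[dict['malware']])
        url.seen(first=evil['date_added'])
        url.add_evil(evil)
        self.commit_to_db(url)

        # ip record: same fields, keyed on the IP instead of the URL.
        # Work on a copy so the Url's record above is left untouched.
        ip_evil = evil.copy()
        ip_evil['url'] = dict['ip']
        ip_evil['id'] = md5.new(ip_evil['url'] + dict['first_seen']).hexdigest()

        ip = Ip(ip=dict['ip'], tags=[dict['malware']])
        ip.seen(first=ip_evil['date_added'])
        ip.add_evil(ip_evil)
        self.commit_to_db(ip)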
示例#3
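    def analyze(self, line):
        """Parse one '|'-separated Tor exit-node record and commit it as an Ip.

        Positional field order expected from the feed:
        ip | name | router-port | directory-port | flags | uptime | version | contactinfo

        Lines with fewer than 8 fields are skipped, as are lines whose first
        field yields no IP from toolbox.find_ips (the original indexed ``[0]``
        unconditionally and raised IndexError there). Feed fields are untrusted
        input: this method only stores them as strings, never interprets them.

        :param line: one raw line of the feed.
        :returns: None; the element is persisted via commit_to_db.
        """
        fields = line.split('|')
        if len(fields) < 8:
            return

        # Guard the [0] index: an empty result must skip the line, not raise.
        found = toolbox.find_ips(fields[0])
        if not found:
            return
        ip = Ip(ip=found[0], tags=['tor'])

        tornode = {
            'description': "Tor exit node",
            'ip': fields[0],
            'name': fields[1],
            'router-port': fields[2],
            'directory-port': fields[3],
            'flags': fields[4],
            'uptime': fields[5],
            'version': fields[6],
            'contactinfo': fields[7],
        }
        # md5 over ip + name is only a stable dedup key, not a security control.
        tornode['id'] = md5.new(tornode['ip'] + tornode['name']).hexdigest()
        tornode['value'] = "Tor node: %s (%s)" % (tornode['name'], tornode['ip'])
        tornode['source'] = self.name

        ip.add_evil(tornode)
        ip.seen()
        self.commit_to_db(ip)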
示例#4
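    def analyze(self, dict):
        """Parse one Feodo Tracker RSS item into an Ip or Hostname element.

        ``dict['title']`` is expected to contain a ``(YYYY-mm-dd HH:MM:SS)``
        timestamp and ``dict['description']`` to match
        ``Host: <host>, Version: <letter>``. Records matching neither
        pattern, or whose host is neither an IP nor a hostname, are skipped
        instead of raising part-way through (the original dereferenced a
        ``None`` match and could leave ``elt`` unbound). An unparseable
        timestamp keeps the record but drops the first-seen date; the
        original then raised KeyError at ``seen()``.

        :param dict: the parsed feed record, mutated in place into the evil
            record (the name shadows the builtin; kept for interface
            compatibility).
        """
        evil = dict

        date_match = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
        if date_match is None:
            return
        try:
            evil['date_added'] = datetime.datetime.strptime(
                date_match.group('datetime'), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            pass  # no first-seen date; handled when calling seen() below

        g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)',
                     dict['description'])
        if g is None:
            return
        g = g.groupdict()
        evil['host'] = g['host']
        evil['version'] = g['version']
        evil['description'] = FeodoTracker.descriptions[g['version']]
        # md5 of the raw description is the dedup key, not a security control
        evil['id'] = md5.new(dict['description']).hexdigest()
        evil['source'] = self.name
        del evil['title']

        tags = [FeodoTracker.variants[g['version']]]
        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'], tags=tags)
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'], tags=tags)
        else:
            return

        # seen() without a date mirrors the IP-only feeds in this project.
        if 'date_added' in evil:
            elt.seen(first=evil['date_added'])
        else:
            elt.seen()
        elt.add_evil(evil)
        self.commit_to_db(elt)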
示例#5
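    def analyze(self, dict):
        """Parse one Feodo Tracker RSS item into an Ip or Hostname element.

        ``dict['title']`` is expected to contain a ``(YYYY-mm-dd HH:MM:SS)``
        timestamp and ``dict['description']`` to match
        ``Host: <host>, Version: <letter>``. Records matching neither
        pattern, or whose host is neither an IP nor a hostname, are skipped
        instead of raising part-way through (the original dereferenced a
        ``None`` match and could leave ``elt`` unbound). An unparseable
        timestamp keeps the record but drops the first-seen date; the
        original then raised KeyError at ``seen()``.

        :param dict: the parsed feed record, mutated in place into the evil
            record (the name shadows the builtin; kept for interface
            compatibility).
        """
        evil = dict

        date_match = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
        if date_match is None:
            return
        try:
            evil['date_added'] = datetime.datetime.strptime(date_match.group('datetime'), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            pass  # no first-seen date; handled when calling seen() below

        g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)', dict['description'])
        if g is None:
            return
        g = g.groupdict()
        evil['host'] = g['host']
        evil['version'] = g['version']
        evil['description'] = FeodoTracker.descriptions[g['version']]
        # md5 of the raw description is the dedup key, not a security control
        evil['id'] = md5.new(dict['description']).hexdigest()
        evil['source'] = self.name
        del evil['title']

        tags = [FeodoTracker.variants[g['version']]]
        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'], tags=tags)
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'], tags=tags)
        else:
            return

        # seen() without a date mirrors the IP-only feeds in this project.
        if 'date_added' in evil:
            elt.seen(first=evil['date_added'])
        else:
            elt.seen()
        elt.add_evil(evil)
        self.commit_to_db(elt)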
示例#6
    def analyze(self, dict):
        """Record one IP from the feed as an Ip element with an evil entry.

        The feed record itself becomes the evil entry (mutated in place). The
        id is md5 over the IP plus a feed-specific constant: a stable dedup
        key, not a security control.

        :param dict: parsed feed record with an ``ip`` key (the name shadows
            the builtin; kept for interface compatibility).
        """
        evil = dict
        address = dict['ip']

        evil['host'] = address
        evil['id'] = md5.new(address + 'InfosecCertPaItIP').hexdigest()
        evil['description'] = self.description
        evil['source'] = self.name

        element = Ip(ip=address)
        element.seen()
        element.add_evil(evil)
        self.commit_to_db(element)
示例#7
    def analyze(self, dict):
        """Record one IP with its ``lv`` score (out of 5, per the description text).

        The id is md5 over the IP and the level, so a changed level yields a
        new entry; it is a dedup key, not a security control. ``lv`` is
        concatenated as a string, so it must already be a str.
        NOTE(review): unlike the sibling IP feeds this method never calls
        ``seen()`` before committing — confirm that is intentional.

        :param dict: parsed feed record with ``ip`` and ``lv`` keys (the name
            shadows the builtin; kept for interface compatibility).
        """
        evil = dict
        address = dict['ip']
        level = dict['lv']

        evil['host'] = address
        evil['id'] = md5.new(address + ('Lv %s' % level)).hexdigest()
        evil['description'] = 'This IP was reported for ' + level + '/5 malicious activity'
        evil['source'] = self.name

        element = Ip(ip=address)
        element.add_evil(evil)
        self.commit_to_db(element)
示例#8
    def analyze(self, dict):
        """Record one Alienvault-scored IP as an Ip element with an evil entry.

        ``score`` is concatenated as-is, so it must already be a str. The id
        is md5 over ``ip + score + '/7'`` and therefore changes whenever the
        score does; it is a dedup key, not a security control.

        :param dict: parsed feed record with ``ip`` and ``score`` keys (the
            name shadows the builtin; kept for interface compatibility).
        """
        evil = dict
        address = dict['ip']
        score = evil['score']

        evil['host'] = address
        evil['id'] = md5.new(address + score + '/7').hexdigest()
        evil['description'] = 'Threat Score %s/7 by Alienvault.com' % score
        evil['source'] = self.name

        element = Ip(ip=address)
        element.seen()
        element.add_evil(evil)
        self.commit_to_db(element)
示例#9
    def analyze(self, dict):
        """Record one IP with explicit first/last-seen timestamps.

        Both timestamps are parsed with ``%Y-%m-%d %H:%M:%S``; a malformed
        value raises ValueError, which is not caught here. The id is md5
        over the IP and its category (a dedup key, not a security control).
        The IP is stored under the ``url`` key, as in the original.

        :param dict: parsed feed record with ``first_seen``, ``last_seen``,
            ``ip`` and ``category`` keys (the name shadows the builtin; kept
            for interface compatibility).
        """
        evil = dict
        stamp_format = "%Y-%m-%d %H:%M:%S"
        evil['first_seen'] = datetime.datetime.strptime(dict['first_seen'], stamp_format)
        evil['last_seen'] = datetime.datetime.strptime(dict['last_seen'], stamp_format)

        address = dict['ip']
        evil['url'] = address
        evil['id'] = md5.new(address + dict['category']).hexdigest()
        evil['description'] = self.description
        evil['source'] = self.name

        element = Ip(ip=address)
        element.seen(first=evil['first_seen'], last=evil['last_seen'])
        element.add_evil(evil)
        self.commit_to_db(element)
示例#10
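    def analyze(self, line):
        """Template: turn one ``ip;owner;description;`` line into an Ip element.

        This function should only analyze one record at a time (i.e. one line,
        or one XML node). This is also where you tell Malcom to ignore e.g.
        lines starting with ``#``.

        Say the resource you requested has the following format::

            ip_addr;owner;description;
            8.8.8.8;Google Inc.;malicious nameserver;

        Note the trailing ``;``: it makes ``line.split(';')`` return four
        fields, so the original three-way unpack raised ValueError on the
        documented format. The empty fourth field is dropped and any line that
        still does not yield exactly three fields is skipped.

        :param line: one raw line of the feed (untrusted input; its fields are
            stored, never interpreted).
        """
        if line.startswith('#'):
            return  # comment line, ignore it

        parts = line.rstrip('\r\n').split(';')
        if len(parts) == 4 and parts[3] == '':
            parts.pop()  # the trailing ';' produced an empty field
        if len(parts) != 3:
            return  # malformed line, skip it
        ip, org, description = parts

        _ip = Ip(ip=ip)  # create a new IP element.
        _ip['tags'] = ['zeus', 'cc']  # it was a Zeus CC, remember the feed description?

        # Now comes the definition of the Evil element. Associate it with other elements to build threat intel.
        # Not adding the information directly to the IP element enables us to determine how many different sources have
        # seen this specific artifact.
        evil = {}  # create a dictionary that will be included in the element
        evil['org'] = org

        # The ID will determine when this entry is updated
        # If the elements included in the ID remain the same, the entry will be updated;
        # if one of them changes, a new entry will be created.
        # md5 is only a dedup key here, not a security control.
        evil['id'] = md5.new(org + ip).hexdigest()

        # The source will tell you where the information comes from.
        # A good idea is to give it the name of the feed
        evil['source'] = self.name

        # Mandatory field. This should explain why the element is evil
        # other than "it just shows up on a blocklist"
        evil['description'] = description

        # You can include any other information you might want
        evil['foo'] = "bar"

        # Time to commit information to the DB: add the evil information to
        # the IP, then commit the IP.
        _ip.add_evil(evil)
        self.commit_to_db(_ip)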
示例#11
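	def analyze(self, line):
		"""Template: turn one ``ip;owner;description;`` line into an Ip element.

		This function should only analyze one record at a time (i.e. one line,
		or one XML node). This is also where you tell Malcom to ignore e.g.
		lines starting with ``#``.

		Say the resource you requested has the following format::

			ip_addr;owner;description;
			8.8.8.8;Google Inc.;malicious nameserver;

		Note the trailing ``;``: it makes ``line.split(';')`` return four
		fields, so the original three-way unpack raised ValueError on the
		documented format. The empty fourth field is dropped and any line that
		still does not yield exactly three fields is skipped.

		:param line: one raw line of the feed (untrusted input; its fields are
			stored, never interpreted).
		"""
		if line.startswith('#'):
			return  # comment line, ignore it

		parts = line.rstrip('\r\n').split(';')
		if len(parts) == 4 and parts[3] == '':
			parts.pop()  # the trailing ';' produced an empty field
		if len(parts) != 3:
			return  # malformed line, skip it
		ip, org, description = parts

		_ip = Ip(ip=ip)  # create a new IP element.
		_ip['tags'] = ['zeus', 'cc']  # it was a Zeus CC, remember the feed description?

		# Now comes the definition of the Evil element. Associate it with other elements to build threat intel.
		# Not adding the information directly to the IP element enables us to determine how many different sources have
		# seen this specific artifact.
		evil = {}  # create a dictionary that will be included in the element
		evil['org'] = org

		# The ID will determine when this entry is updated
		# If the elements included in the ID remain the same, the entry will be updated;
		# if one of them changes, a new entry will be created.
		# md5 is only a dedup key here, not a security control.
		evil['id'] = md5.new(org + ip).hexdigest()

		# The source will tell you where the information comes from.
		# A good idea is to give it the name of the feed
		evil['source'] = self.name

		# Mandatory field. This should explain why the element is evil
		# other than "it just shows up on a blocklist"
		evil['description'] = description

		# You can include any other information you might want
		evil['foo'] = "bar"

		# Time to commit information to the DB: add the evil information to
		# the IP, then commit the IP.
		_ip.add_evil(evil)
		self.commit_to_db(_ip)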
示例#12
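    def analyze(self, dict):
        """Parse one Feodo Tracker record into an Ip or Hostname element.

        ``first_seen`` is parsed as ``%Y-%m-%d %H:%M:%S``; if that fails the
        record is kept without a first-seen date instead of raising KeyError
        later at ``seen()``. Hosts that are neither an IP nor a hostname are
        skipped (the original left ``elt`` unbound and raised
        UnboundLocalError).

        :param dict: parsed feed record with ``first_seen``, ``dst_ip`` and
            ``malware`` keys, mutated in place into the evil record (the name
            shadows the builtin; kept for interface compatibility).
        """
        evil = dict

        try:
            evil['date_added'] = datetime.datetime.strptime(dict['first_seen'], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            pass  # no first-seen date; handled when calling seen() below

        evil['host'] = dict['dst_ip']
        evil['version'] = dict['malware']
        evil['description'] = FeodoTracker.descriptions[dict['malware']]
        # md5 over host + description is the dedup key, not a security control
        evil['id'] = md5.new(evil['host'] + evil['description']).hexdigest()
        evil['source'] = self.name

        tags = [dict['malware']]
        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'], tags=tags)
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'], tags=tags)
        else:
            return

        # seen() without a date mirrors the IP-only feeds in this project.
        if 'date_added' in evil:
            elt.seen(first=evil['date_added'])
        else:
            elt.seen()
        elt.add_evil(evil)
        self.commit_to_db(elt)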
示例#13
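    def analyze(self, line):
        """Parse one comma-separated record into an Ip plus related Hostnames.

        Expected columns: ``ip,port,domains,traffic_info,description,date``.
        Header lines (``#`` or ``IP address``), lines without exactly six
        fields and lines whose date does not parse as ``%Y-%m-%d`` are
        skipped (the original let the date ValueError escape). Domains are
        ``/``-separated; only those passing ``toolbox.is_hostname`` become
        Hostname elements, each connected to the committed Ip through
        ``self.model.connect``.

        NOTE(review): the same ``evil`` dict is handed to add_evil on the Ip
        and on every Hostname — fine if add_evil copies, shared state
        otherwise; confirm against add_evil.

        :param line: one raw feed line (untrusted input; fields are stored,
            never interpreted).
        """
        if line.startswith(("#", "IP address")):
            return
        try:
            address, port_field, domains_field, traffic_info, description, date_string = line.split(',')
        except ValueError:
            return  # malformed line, skipping

        # Treat an unparseable date like any other malformed line.
        try:
            date_added = datetime.datetime.strptime(date_string, "%Y-%m-%d")
        except ValueError:
            return

        evil = {'ip': address, 'domains': domains_field, 'date_added': date_added}
        port_match = re.search(r'[\d]+', port_field)  # raw string: '\d' is a regex escape
        if port_match:
            evil['port'] = port_match.group()
        evil['description'] = "{}".format(description)
        if traffic_info:
            evil['description'] += " ({})".format(traffic_info)
        # md5 over (description, ip, date) is the dedup key, not a security control
        evil['id'] = md5.new(evil['description'] + evil['ip'] + date_string).hexdigest()
        evil['source'] = self.name

        ip = Ip(ip=address)
        hostnames = [d.strip() for d in domains_field.split('/') if toolbox.is_hostname(d.strip())]

        ip.seen(first=date_added)
        ip.add_evil(evil)
        committed_ip = self.commit_to_db(ip)

        for name in hostnames:
            h = Hostname(hostname=name)
            h.seen(first=date_added)
            h.add_evil(evil)
            h = self.commit_to_db(h)
            self.model.connect(h, committed_ip)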