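    def analyze(self, dict):
        """Turn one feed record into a Url element and an Ip element, committing both.

        ``dict`` is the parsed feed record (the parameter name shadows the
        builtin, so ``dict(...)`` must never be called in this body). Keys
        read here: ``first_seen`` (``DD-MM-YYYY``), ``url``, ``ip`` and
        ``malware``; the feed schema is not visible from this method, so other
        keys are unverified. The record is mutated in place and reused as the
        "evil" entry attached to the Url.

        A record whose ``first_seen`` does not parse is skipped rather than
        aborting the whole feed run, matching how the other analyzers in this
        module treat malformed lines.
        """
        url_evil = dict

        # Feed content is untrusted; one bad timestamp must not take down the run.
        try:
            url_evil['date_added'] = datetime.datetime.strptime(
                dict['first_seen'], "%d-%m-%Y")
        except ValueError:
            return

        # url
        url_evil['url'] = dict['url']
        # md5 is only a deterministic dedup key here, not a security control.
        # Both inputs are feed-controlled, so if commit_to_db upserts on 'id'
        # a crafted collision could overwrite an existing record — worth
        # confirming against the storage layer.
        url_evil['id'] = md5.new(url_evil['url'] + dict['first_seen']).hexdigest()
        url_evil['description'] = self.description
        url_evil['source'] = self.name

        url = Url(url=url_evil['url'], tags=[dict['malware']])
        url.seen(first=url_evil['date_added'])
        url.add_evil(url_evil)
        self.commit_to_db(url)

        # ip: work on a copy so the entry already handed to the Url element is
        # not rewritten underneath it (add_evil may keep a reference, in which
        # case the original in-place edits turned the Url's entry into the Ip's).
        ip_evil = url_evil.copy()
        ip_evil['url'] = dict['ip']
        ip_evil['id'] = md5.new(ip_evil['url'] + dict['first_seen']).hexdigest()

        ip = Ip(ip=dict['ip'], tags=[dict['malware']])
        ip.seen(first=ip_evil['date_added'])
        ip.add_evil(ip_evil)
        self.commit_to_db(ip)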
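	def analyze(self, line):
		"""Parse one ``|``-separated Tor exit-node line into an Ip element.

		The line is untrusted feed content. It is skipped when it has fewer
		than eight fields or when no IP address can be extracted from the
		first field (the original indexed ``find_ips(...)[0]`` unconditionally
		and raised IndexError on such a line). Column order, as read below:
		ip, name, router-port, directory-port, flags, uptime, version,
		contactinfo. Note the raw first column — not the extracted address —
		is what lands in the ``ip`` key of the recorded entry.
		"""
		fields = line.split('|')
		if len(fields) < 8:
			return

		found = toolbox.find_ips(fields[0])
		if not found:
			# Nothing that looks like an IP in the first column: malformed line.
			return
		ip = Ip(ip=found[0], tags=['tor'])

		tornode = {
			'description': "Tor exit node",
			'ip': fields[0],
			'name': fields[1],
			'router-port': fields[2],
			'directory-port': fields[3],
			'flags': fields[4],
			'uptime': fields[5],
			'version': fields[6],
			'contactinfo': fields[7],
		}
		# Dedup key only (md5 is not a security boundary here). It is built
		# from feed-controlled values, so two lines sharing raw ip+name
		# collapse into one record.
		tornode['id'] = md5.new(tornode['ip'] + tornode['name']).hexdigest()
		tornode['value'] = "Tor node: %s (%s)" % (tornode['name'], tornode['ip'])
		tornode['source'] = self.name

		ip.add_evil(tornode)
		ip.seen()
		self.commit_to_db(ip)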
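    def analyze(self, line):
        """Parse one ``|``-separated Tor exit-node line into an Ip element.

        The line is untrusted feed content. It is skipped when it has fewer
        than eight fields or when no IP address can be extracted from the
        first field (the original indexed ``find_ips(...)[0]`` unconditionally
        and raised IndexError on such a line). Column order, as read below:
        ip, name, router-port, directory-port, flags, uptime, version,
        contactinfo. Note the raw first column — not the extracted address —
        is what lands in the ``ip`` key of the recorded entry.
        """
        fields = line.split('|')
        if len(fields) < 8:
            return

        found = toolbox.find_ips(fields[0])
        if not found:
            # Nothing that looks like an IP in the first column: malformed line.
            return
        ip = Ip(ip=found[0], tags=['tor'])

        tornode = {
            'description': "Tor exit node",
            'ip': fields[0],
            'name': fields[1],
            'router-port': fields[2],
            'directory-port': fields[3],
            'flags': fields[4],
            'uptime': fields[5],
            'version': fields[6],
            'contactinfo': fields[7],
        }
        # Dedup key only (md5 is not a security boundary here). It is built
        # from feed-controlled values, so two lines sharing raw ip+name
        # collapse into one record.
        tornode['id'] = md5.new(tornode['ip'] + tornode['name']).hexdigest()
        tornode['value'] = "Tor node: %s (%s)" % (tornode['name'], tornode['ip'])
        tornode['source'] = self.name

        ip.add_evil(tornode)
        ip.seen()
        self.commit_to_db(ip)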
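    def analyze(self, dict):
        """Turn one Feodo Tracker RSS item into an Ip or Hostname element.

        ``dict`` (the name shadows the builtin) is the feed item; the keys
        read here are ``title``, which carries a ``(YYYY-MM-DD HH:MM:SS)``
        timestamp, and ``description``, expected to look like
        ``Host: <host>, Version: <letter>``. Both are untrusted feed text.

        Malformed items are skipped instead of raising: a missing host/version
        pattern, a version letter absent from the lookup tables, or a host
        that is neither an IP nor a hostname (the original hit
        AttributeError / KeyError / an unbound ``elt`` on those). A missing or
        unparsable timestamp is tolerated: the element is marked seen without
        a first date instead of crashing on the absent ``date_added`` key.
        """
        evil = dict

        # Timestamp lives in the title, e.g. "... (2014-03-01 12:00:00)".
        date_added = None
        date_match = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
        if date_match:
            try:
                date_added = datetime.datetime.strptime(
                    date_match.group('datetime'), "%Y-%m-%d %H:%M:%S")
            except ValueError:
                date_added = None
        if date_added is not None:
            evil['date_added'] = date_added

        g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)',
                     dict['description'])
        if g is None:
            return
        g = g.groupdict()
        version = g['version']
        # Unknown version letter: both lookup tables would KeyError.
        if (version not in FeodoTracker.descriptions
                or version not in FeodoTracker.variants):
            return

        evil['host'] = g['host']
        evil['version'] = version
        evil['description'] = FeodoTracker.descriptions[version]
        # Dedup key; md5 is fine for that but is not a security control.
        evil['id'] = md5.new(dict['description']).hexdigest()
        evil['source'] = self.name
        del evil['title']

        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'],
                     tags=[FeodoTracker.variants[version]])
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'],
                           tags=[FeodoTracker.variants[version]])
        else:
            # Neither an IP nor a hostname: do not store arbitrary feed text.
            return

        # seen() without a first date is how sibling analyzers handle
        # records that carry no timestamp.
        if date_added is not None:
            elt.seen(first=date_added)
        else:
            elt.seen()
        elt.add_evil(evil)
        self.commit_to_db(elt)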
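    def analyze(self, dict):
        """Turn one Feodo Tracker RSS item into an Ip or Hostname element.

        ``dict`` (the name shadows the builtin) is the feed item; the keys
        read here are ``title``, which carries a ``(YYYY-MM-DD HH:MM:SS)``
        timestamp, and ``description``, expected to look like
        ``Host: <host>, Version: <letter>``. Both are untrusted feed text.

        Malformed items are skipped instead of raising: a missing host/version
        pattern, a version letter absent from the lookup tables, or a host
        that is neither an IP nor a hostname (the original hit
        AttributeError / KeyError / an unbound ``elt`` on those). A missing or
        unparsable timestamp is tolerated: the element is marked seen without
        a first date instead of crashing on the absent ``date_added`` key.
        """
        evil = dict

        # Timestamp lives in the title, e.g. "... (2014-03-01 12:00:00)".
        date_added = None
        date_match = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
        if date_match:
            try:
                date_added = datetime.datetime.strptime(date_match.group('datetime'), "%Y-%m-%d %H:%M:%S")
            except ValueError:
                date_added = None
        if date_added is not None:
            evil['date_added'] = date_added

        g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)', dict['description'])
        if g is None:
            return
        g = g.groupdict()
        version = g['version']
        # Unknown version letter: both lookup tables would KeyError.
        if version not in FeodoTracker.descriptions or version not in FeodoTracker.variants:
            return

        evil['host'] = g['host']
        evil['version'] = version
        evil['description'] = FeodoTracker.descriptions[version]
        # Dedup key; md5 is fine for that but is not a security control.
        evil['id'] = md5.new(dict['description']).hexdigest()
        evil['source'] = self.name
        del evil['title']

        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'], tags=[FeodoTracker.variants[version]])
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'], tags=[FeodoTracker.variants[version]])
        else:
            # Neither an IP nor a hostname: do not store arbitrary feed text.
            return

        # seen() without a first date is how sibling analyzers handle
        # records that carry no timestamp.
        if date_added is not None:
            elt.seen(first=date_added)
        else:
            elt.seen()
        elt.add_evil(evil)
        self.commit_to_db(elt)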
    def analyze(self, dict):
        """Record one feed IP as an Ip element carrying an "evil" entry.

        ``dict`` is the parsed feed record (the parameter name shadows the
        builtin); the only key read is ``ip``. The record is mutated in place
        and reused as the evil entry. The ``id`` is an md5 of the address plus
        a fixed source tag: a deterministic dedup key, not a security control.
        """
        entry = dict
        address = entry['ip']

        entry['host'] = address
        entry['id'] = md5.new(address + 'InfosecCertPaItIP').hexdigest()
        entry['description'] = self.description
        entry['source'] = self.name

        element = Ip(ip=address)
        element.seen()
        element.add_evil(entry)
        self.commit_to_db(element)
    def analyze(self, dict):
        """Record one AlienVault reputation entry as an Ip element.

        ``dict`` (shadowing the builtin) is the parsed feed record; the keys
        read are ``ip`` and ``score``. ``score`` is concatenated straight into
        the id, so it is expected to already be a string — TODO confirm
        against the feed parser. The md5 id is a dedup key only, not a
        security control.
        """
        entry = dict
        address = entry['ip']
        score = entry['score']

        entry['host'] = address
        entry['id'] = md5.new(address + score + '/7').hexdigest()
        entry['description'] = 'Threat Score %s/7 by Alienvault.com' % score
        entry['source'] = self.name

        element = Ip(ip=address)
        element.seen()
        element.add_evil(entry)
        self.commit_to_db(element)
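    def analyze(self, dict):
        """Turn one feed record into an Ip element with first/last-seen dates.

        ``dict`` (shadows the builtin) is the parsed record; keys read are
        ``first_seen`` and ``last_seen`` (``YYYY-MM-DD HH:MM:SS``), ``ip``
        and ``category``. The record is mutated in place and reused as the
        evil entry; note that it stores the address under the key ``url``.

        A record whose timestamps do not parse is skipped, so a single
        malformed line in the untrusted feed cannot abort the whole run (the
        original let the ValueError propagate). Both dates are parsed before
        anything is written back so a half-converted record is never left
        behind.
        """
        evil = dict
        fmt = "%Y-%m-%d %H:%M:%S"

        try:
            first_seen = datetime.datetime.strptime(dict['first_seen'], fmt)
            last_seen = datetime.datetime.strptime(dict['last_seen'], fmt)
        except ValueError:
            # Malformed timestamp(s): skip this record.
            return
        evil['first_seen'] = first_seen
        evil['last_seen'] = last_seen

        evil['url'] = dict['ip']
        # Dedup key only; md5 is not a security boundary here.
        evil['id'] = md5.new(evil['url'] + dict['category']).hexdigest()
        evil['description'] = self.description
        evil['source'] = self.name

        ip = Ip(ip=evil['url'])
        ip.seen(first=first_seen, last=last_seen)
        ip.add_evil(evil)
        self.commit_to_db(ip)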
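    def analyze(self, dict):
        """Turn one Feodo Tracker record into an Ip or Hostname element.

        ``dict`` (shadows the builtin) is the parsed record; keys read are
        ``first_seen`` (``YYYY-MM-DD HH:MM:SS``), ``dst_ip`` and ``malware``.
        Malformed records are skipped: a ``malware`` label absent from the
        description table (the lookup would KeyError) or a ``dst_ip`` that is
        neither an IP nor a hostname (the original then hit an unbound
        ``elt``). A bad ``first_seen`` is tolerated: the element is marked
        seen without a first date instead of crashing on the missing
        ``date_added`` key, which is what the original ``pass`` led to.
        """
        evil = dict

        date_added = None
        try:
            date_added = datetime.datetime.strptime(dict['first_seen'], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            date_added = None
        if date_added is not None:
            evil['date_added'] = date_added

        malware = dict['malware']
        if malware not in FeodoTracker.descriptions:
            return

        evil['host'] = dict['dst_ip']
        evil['version'] = malware
        evil['description'] = FeodoTracker.descriptions[malware]
        # Dedup key; md5 is not a security control here.
        evil['id'] = md5.new(evil['host'] + evil['description']).hexdigest()
        evil['source'] = self.name

        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'], tags=[malware])
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'], tags=[malware])
        else:
            # Neither an IP nor a hostname: do not store arbitrary feed text.
            return

        # seen() without a first date is how sibling analyzers handle
        # records that carry no timestamp.
        if date_added is not None:
            elt.seen(first=date_added)
        else:
            elt.seen()
        elt.add_evil(evil)
        self.commit_to_db(elt)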
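    def analyze(self, line):
        """Parse one comma-separated feed line into an Ip plus linked Hostnames.

        Columns, as unpacked below: ip, port, domains (``/``-separated),
        traffic_info, description, date (``YYYY-MM-DD``). Comment lines
        (``#``) and the ``IP address`` header are ignored. Lines with the
        wrong column count, an unparsable date, or a first column that does
        not pass ``toolbox.is_ip`` are skipped: the input is an untrusted
        feed and must neither abort the run nor land non-IP strings in Ip
        elements (the sibling analyzers gate on ``is_ip`` the same way).

        Every hostname that passes ``toolbox.is_hostname`` becomes a Hostname
        element sharing the same evil entry and is connected to the Ip via
        ``self.model.connect``.
        """
        if line.startswith("#") or line.startswith("IP address"):
            return
        try:
            ip, port, domains, traffic_info, description, date_string = line.split(',')
        except ValueError:
            # Malformed line, skipping
            return

        # Only accept something that actually is an IP in the first column.
        if not toolbox.is_ip(ip):
            return

        try:
            date_added = datetime.datetime.strptime(date_string, "%Y-%m-%d")
        except ValueError:
            # Malformed date, skipping
            return

        evil = {}
        evil['ip'] = ip
        port_match = re.search(r'[\d]+', port)
        if port_match:
            evil['port'] = port_match.group()
        evil['domains'] = domains
        evil['description'] = "{}".format(description)
        if traffic_info:
            evil['description'] += " ({})".format(traffic_info)
        evil['date_added'] = date_added
        # Dedup key; md5 is not a security control here.
        evil['id'] = md5.new(evil['description'] + evil['ip'] + date_string).hexdigest()
        evil['source'] = self.name

        ip_elt = Ip(ip=ip)
        hostnames = [d.strip() for d in domains.split('/') if toolbox.is_hostname(d.strip())]

        ip_elt.seen(first=date_added)
        ip_elt.add_evil(evil)
        stored_ip = self.commit_to_db(ip_elt)

        # The same evil dict is shared by the Ip and every Hostname element;
        # nothing mutates it after this point.
        for d in hostnames:
            h = Hostname(hostname=d)
            h.seen(first=date_added)
            h.add_evil(evil)
            h = self.commit_to_db(h)
            self.model.connect(h, stored_ip)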