示例#1
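 def _parse(self):
     """Turn the raw feed text into Intel records appended to ``self.intel``.

     Each line of ``self._raw_threat_intel`` that does not start with ``#``
     is split on commas and read positionally: field 0 is the first-seen
     value, field 1 the server certificate SHA1, field 2 the description.
     Rows with fewer than three fields (blank lines, truncated rows) are
     skipped without raising.

     The feed is external input. Nothing in this method validates the
     fields before they are handed to ``Intel``.
     NOTE(review): confirm whether ``Intel``/``add_tls`` check that the SHA1
     is 40 hex characters; if not, a malformed row becomes a stored
     indicator.
     """
     for raw_line in self._raw_threat_intel.split("\n"):
         # Tolerate CRLF-terminated feeds: without this the carriage return
         # would end up inside the description and the stored original line.
         line = raw_line.rstrip("\r")
         # Compare by value; `is "#"` only worked through string interning.
         if line.startswith("#"):
             continue
         # NOTE(review): a plain comma split truncates any description that
         # itself contains a comma; only the first three fields are used.
         split_line = line.split(",")
         try:
             intel = Intel(
                 original=line,
                 event_type="indicator",
                 event_reference=self._feed_url,
                 event_provider="Abuse.ch",
                 event_dataset="SSLBlackList",
                 threat_first_seen=split_line[0],
                 threat_last_seen=None,
                 threat_type="ssl_hash",
                 threat_description=split_line[2]
             )
             intel.add_tls(s_sha1=split_line[1])
             description = intel.intel["threat"]["ioc"]["description"]
             if "C&C" in description:
                 # ATT&CK tactic TA0011 (Command and Control).
                 intel.add_mitre("TA0011")
             elif "" in description:
                 # NOTE(review): "" is contained in every string, so this
                 # branch tags every non-C&C row with TA0042 / T1588.001
                 # (Resource Development / Obtain Capabilities: Malware).
                 # A search term looks to be missing here; behaviour is left
                 # unchanged until the intended keyword is confirmed.
                 intel.add_mitre("TA0042", "T1588.001")
         except IndexError:
             # Short row: drop it and carry on with the rest of the feed.
             continue
         intel.add_docid()
         self.intel.append(intel)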
示例#2
 def test_add_tls(self):
     # add_tls(s_sha1=...) must store the server certificate SHA1 under
     # intel["tls"]["server"]["hash"]["sha1"], unchanged.
     expected_sha1 = "8964f9caf2c4e688a395f4666db072b165f9c28e"
     record = Intel()
     record.add_tls(s_sha1=expected_sha1)
     stored_sha1 = record.intel["tls"]["server"]["hash"]["sha1"]
     self.assertEqual(stored_sha1, expected_sha1)