README.md
# Shadowbq-Threatinator
Threatinator is a ruby library for parsing threat data feeds.
## Code Status
[](https://travis-ci.org/shadowbq/threatinator)
[](https://codeclimate.com/github/shadowbq/threatinator)
[](https://codeclimate.com/github/shadowbq/threatinator)
[](http://badge.fury.io/rb/shadowbq-threatinator)
[](https://github.com/shadowbq/threatinator/releases)
## Fork
This is a fork published as `shadowbq-threatinator`
## Source code repository
The repository is located at: https://github.com/shadowbq/threatinator
## Installation
Install from Gem
```
gem install shadowbq-threatinator
```
`threatinator` will be located in your $PATH if installed from gem.
-OR-
Install from Source.
```
git clone https://github.com/shadowbq/threatinator
cd threatinator
bundle install
```
Bundler context
`bundle exec bin/threatinator` is used if not running from an installed gem.
### Listing feeds
```
bundle exec bin/threatinator list
provider name type link/path event_types
----------------- ----------------------------------- ---- ------------------------------------------------------------------------------------ ------------------------------------------------
abuse_ch feodo_domain_reputation http https://feodotracker.abuse.ch/blocklist.php?download=domainblocklist [:c2]
abuse_ch feodo_ip_reputation http https://feodotracker.abuse.ch/blocklist.php?download=ipblocklist [:c2]
[..]
alienvault ip_reputation http https://reputation.alienvault.com/reputation.generic [:scanning, :attacker, :malware_host, :spamming]
arbor fastflux_domain_reputation http http://atlas.arbor.net/summary/domainlist [:c2]
arbor ssh_ip_reputation http http://atlas-public.ec2.arbor.net/public/ssh_attackers [:scanning]
autoshun shunlist http http://www.autoshun.org/files/shunlist.csv [:scanning]
```
### Running a feed
```
bundle exec bin/threatinator run alienvault ip_reputation
```
### Using the AMQP output
```
bundle exec threatinator run --run.output.amqp.url=ENV['RABBITMQ_URL']} --run.output.format=amqp provider name
# --run.output.amqp.routing_key=arg - Routing key for Amqp events (default: none)
## The routing key should be determined by the type
# --run.output.amqp.url=arg - The hostname/ip of the RabbitMQ server (default: none)
```
```
./bin/threatinator run --run.output.amqp.url='amqp://127.0.0.1' --run.output.format=amqp vxvault url_reputation
```
### Getting help
All commands respond to '--help' to provide details on their usage.
```
bundle exec bin/threatinator run --help
NAME
run - fetch and parse a feed
SYNOPSIS
threatinator [global options] run [command options]
COMMAND OPTIONS
--run.coverage_output=arg - Write coverage analysis to the specified file (CSV format) (default: none)
--run.feed_name=arg - The feed name (default: none)
--run.feed_provider=arg - The feed provider (default: none)
--run.fetch_from_file=arg - Read data from the specified file rather than fetching (default: none)
--run.output.amqp.routing_key=arg - Routing key for Amqp events (default: none)
--run.output.amqp.url=arg - The hostname/ip of the RabbitMQ server (default: none)
--run.output.csv.filename=arg - Path to the file where output will be written (default: none)
--run.output.format=arg - Output format (amqp, csv, json, null, rubydebug) (default: none)
--run.output.json.file=arg - The hostname/ip of the RabbitMQ server (default: none)
--run.output.rubydebug.filename=arg - Path to the file where output will be written (default: none)
```
## Contributing and Issue Tracking
All issues for the fork are managed here: [shadowbq/threatinator/issues](https://github.com/shadowbq/threatinator/issues).
## Original License
Copyright (C) 2014 Michael Ryan (github.com/justfalter)
Original code: https://github.com/cikl/threatinator
See the LICENSE file for license rights and limitations (LGPLv3).
See the CHANGE LOG for significant changes made to software.
LGPLv3 in Plain English - https://tldrlegal.com/license/gnu-lesser-general-public-license-v3-(lgpl-3)