feeds/ET_openbadlist-ip_reputation.feed
provider "emergingthreats"
name "openbadlist_ip_reputation"
fetch_http('https://raw.githubusercontent.com/EmergingThreats/et-open-bad-ip-list/master/IPs.txt')
event_types [:c2]
filter_whitespace
filter_comments
# Filter out ip's
filter do |record|
# TODO Add handling for CIDR's once supported
!(record.data =~ /\/32/)
end
parse_eachline(:separator => "\n") do |event_generator, record|
fields = record.data.split(/; /)
next if record.nil?
# date = fields[0]
ip = fields[1]
# description = fields[2]
# We're tossing anything that's not a /32
ip.gsub!(/\/32/, '')
ip.strip!
if ip =~ /\//
puts ip
next
end
event_generator.call() do |event|
event.type = :c2
event.add_ipv4(ip) do |ipv4_event|
end
end
end