feeds/alienvault-ip_reputation.feed from shadowbq/threatinator

feeds/alienvault-ip_reputation.feed

Summary

Maintainability

Test Coverage

Issues

provider "alienvault"
name "ip_reputation"
fetch_http('https://reputation.alienvault.com/reputation.generic')
event_types [:scanning, :attacker, :malware_host, :spamming]


# Examples:
#  108.59.1.5 # Scanning Host A1,,0.0,0.0
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # (?<type>(Scanning Host|C&C|Malicious Host|Malware Domain|Spamming|Malware IP|Malware distribution)) (?<cc>[A-Z]{2}|A1|A1|O1)?,(?<city>[^,]*),(?<lat>-?[0-9]+(\.[0-9]+)?),(?<lon>-?[0-9]+(\.[0-9]+)?)/

filter_whitespace
filter_comments

parse_eachline(:separator => "\n") do |event_generator, record|
  m = feed_re.match(record.data)
  next if m.nil?

  event_generator.call() do |event|
    event.add_ipv4(m[:ip]) do |ipv4_event|
      # This doesn't execute, yet.
      ipv4_event.cc(m[:cc]) unless m[:cc].nil?
      ipv4_event.city(m[:city]) unless m[:city].nil?
      ipv4_latlon(m[:lat].to_f, m[:lon].to_f)
    end

    case m[:type]
    when 'Scanning Host'
      event.type = :scanning
    when 'C&C'
      event.type = :c2
    when 'Malicious Host'
      event.type = :attacker
    when 'Malware Domain', 'Malware IP', 'Malware distribution'
      event.type = :malware_host
    when 'Spamming'
     event.type = :spamming
    end
  end
end