feeds/alienvault-ip_reputation.feed
provider "alienvault"
name "ip_reputation"
fetch_http('https://reputation.alienvault.com/reputation.generic')
event_types [:scanning, :attacker, :malware_host, :spamming]
# Examples:
# 108.59.1.5 # Scanning Host A1,,0.0,0.0
feed_re = /^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # (?<type>(Scanning Host|C&C|Malicious Host|Malware Domain|Spamming|Malware IP|Malware distribution)) (?<cc>[A-Z]{2}|A1|A1|O1)?,(?<city>[^,]*),(?<lat>-?[0-9]+(\.[0-9]+)?),(?<lon>-?[0-9]+(\.[0-9]+)?)/
filter_whitespace
filter_comments
parse_eachline(:separator => "\n") do |event_generator, record|
m = feed_re.match(record.data)
next if m.nil?
event_generator.call() do |event|
event.add_ipv4(m[:ip]) do |ipv4_event|
# This doesn't execute, yet.
ipv4_event.cc(m[:cc]) unless m[:cc].nil?
ipv4_event.city(m[:city]) unless m[:city].nil?
ipv4_latlon(m[:lat].to_f, m[:lon].to_f)
end
case m[:type]
when 'Scanning Host'
event.type = :scanning
when 'C&C'
event.type = :c2
when 'Malicious Host'
event.type = :attacker
when 'Malware Domain', 'Malware IP', 'Malware distribution'
event.type = :malware_host
when 'Spamming'
event.type = :spamming
end
end
end