feeds/dshield_attackers-top1000.feed
provider "dshield"
name "attackers-top1000"
fetch_http('https://isc.sans.edu/api/sources/attacks/1000/')
event_types [:attacker]
parse_xml("/sources/data") do |event_generator, record|
node = record.node
ip_node = node[:ip].first
next if ip_node.nil?
ip = ip_node.text
next if ip.empty?
# Dshield's api produces zero-padded octets. We've gotta strip those down.
# The following regex will remove any zero-padding.
ip.gsub!(/(?<=\A|\.)0+(?=\d+(\.|\Z))/, '')
attack_node = node[:attacks].first
count_node = node[:count].first
first_seen_node = node[:first_seen].first
last_seen_node = node[:last_seen].first
event_generator.call() do |event|
event.type = :attacker
event.add_ipv4(ip) do |ipv4_event|
end
## TODO
# event.first_seen = first_seen_node.text unless first_seen_node.nil?
# event.last_seen = last_seen_node.text unless last_seen_node.nil?
# attack_count = attack_node.text.to_i unless attack_node.nil?
# count = count_node.text.to_i unless count_node.nil?
end
end