feeds/feodo-domain_reputation.feed
provider "abuse_ch"
name "feodo_domain_reputation"
fetch_http('https://feodotracker.abuse.ch/blocklist.php?download=domainblocklist')
event_types [:c2]
feed_re = /^(?<domain>.*)/
filter_whitespace
filter_comments
parse_eachline(:separator => "\n") do |event_generator, record|
m = feed_re.match(record.data)
next if m.nil?
event_generator.call() do |event|
event.type = :c2
event.add_fqdn(m[:domain])
end
end