Added Malware And Phishing Domain Feeds - Bambenek Consulting (demist…
…o#32440) (demisto#32579)

* Added maldomain feeds.

* added release notes.

* Fixed Validation Issues.

* Updated docker image in release notes.

Co-authored-by: Rambatla Venkat Rao <[email protected]>
content-bot and RamboV authored Feb 1, 2024
1 parent cc53066 commit 426f69e
Showing 8 changed files with 252 additions and 151 deletions.
3 changes: 3 additions & 0 deletions Packs/FeedBambenekConsulting/.secrets-ignore
Expand Up @@ -25,3 +25,6 @@ e::Ba
/feeds/dga/c2-masterlist.txt
https://us-cert.cisa.gov
https://osint.bambenekconsulting.com/feeds/
[email protected]
23.82.12.29
http://osint.bambenekconsulting.com
@@ -1,153 +1,164 @@
from CommonServerPython import *

name_to_url = {
'C2 IP Feed': 'https://faf.bambenekconsulting.com/feeds/dga/c2-ipmasterlist.txt',
'High-Confidence C2 IP Feed': 'http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt',
'C2 Domain Feed': 'https://faf.bambenekconsulting.com/feeds/dga/c2-dommasterlist.txt',
'High-Confidence C2 Domain Feed': 'http://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt',
'DGA Domain Feed': 'https://faf.bambenekconsulting.com/feeds/dga-feed.gz',
'High-Confidence DGA Domain Feed': 'https://faf.bambenekconsulting.com/feeds/dga-feed-high.gz',
'C2 All Indicator Feed': 'https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist.txt',
'High-Confidence C2 All Indicator Feed': 'https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist-high.txt',
'Sinkhole Feed': 'https://faf.bambenekconsulting.com/feeds/sinkhole/latest.csv'
"C2 IP Feed": "https://faf.bambenekconsulting.com/feeds/dga/c2-ipmasterlist.txt",
"High-Confidence C2 IP Feed": "http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt",
"C2 Domain Feed": "https://faf.bambenekconsulting.com/feeds/dga/c2-dommasterlist.txt",
"High-Confidence C2 Domain Feed": "http://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt",
"DGA Domain Feed": "https://faf.bambenekconsulting.com/feeds/dga-feed.gz",
"High-Confidence DGA Domain Feed": "https://faf.bambenekconsulting.com/feeds/dga-feed-high.gz",
"C2 All Indicator Feed": "https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist.txt",
"High-Confidence C2 All Indicator Feed": "https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist-high.txt",
"Sinkhole Feed": "https://faf.bambenekconsulting.com/feeds/sinkhole/latest.csv",
"Malware Domains Feed": "https://faf.bambenekconsulting.com/feeds/maldomainml/malware-master.txt",
"Phishing Domains Feed": "https://faf.bambenekconsulting.com/feeds/maldomainml/phishing-master.txt",
}


def main():
feed_url_to_config = {
'https://faf.bambenekconsulting.com/feeds/dga/c2-ipmasterlist.txt': {
'fieldnames': ['value', 'description',
'date_created',
'info'],
'indicator_type': FeedIndicatorType.IP,
'relationship_name': EntityRelationship.Relationships.INDICATOR_OF,
'relationship_entity_b_type': 'STIX Malware',
'mapping': {
'description': 'description',
'malwarefamily': ('description', r'.*used\s+by\s(.*?)\s', None),
'relationship_entity_b': ('description', r'.*used\s+by\s(.*?)\s', None),
}
"https://faf.bambenekconsulting.com/feeds/dga/c2-ipmasterlist.txt": {
"fieldnames": ["value", "description", "date_created", "info"],
"indicator_type": FeedIndicatorType.IP,
"relationship_name": EntityRelationship.Relationships.INDICATOR_OF,
"relationship_entity_b_type": "STIX Malware",
"mapping": {
"description": "description",
"malwarefamily": ("description", r".*used\s+by\s(.*?)\s", None),
"relationship_entity_b": ("description", r".*used\s+by\s(.*?)\s", None),
},
},

'https://faf.bambenekconsulting.com/feeds/dga/c2-dommasterlist.txt': {
'fieldnames': ['value', 'description',
'date_created',
'info'],
'indicator_type': FeedIndicatorType.Domain,
'relationship_name': EntityRelationship.Relationships.INDICATOR_OF,
'relationship_entity_b_type': 'STIX Malware',
'mapping': {
'description': 'description',
'malwarefamily': ('description', r'.*used\s+by\s(.*?)\s', None),
'relationship_entity_b': ('description', r'.*used\s+by\s(.*?)$', None)
}
"https://faf.bambenekconsulting.com/feeds/dga/c2-dommasterlist.txt": {
"fieldnames": ["value", "description", "date_created", "info"],
"indicator_type": FeedIndicatorType.Domain,
"relationship_name": EntityRelationship.Relationships.INDICATOR_OF,
"relationship_entity_b_type": "STIX Malware",
"mapping": {
"description": "description",
"malwarefamily": ("description", r".*used\s+by\s(.*?)\s", None),
"relationship_entity_b": ("description", r".*used\s+by\s(.*?)$", None),
},
},
'http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt': {
'fieldnames': ['value', 'description',
'date_created',
'info'],
'indicator_type': FeedIndicatorType.IP,
'relationship_name': EntityRelationship.Relationships.INDICATOR_OF,
'relationship_entity_b_type': 'STIX Malware',
'mapping': {
'description': 'description',
'malwarefamily': ('description', r'.*used\s+by\s(.*?)\s', None),
'relationship_entity_b': ('description', r'.*used\s+by\s(.*?)\s', None)
}
"http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt": {
"fieldnames": ["value", "description", "date_created", "info"],
"indicator_type": FeedIndicatorType.IP,
"relationship_name": EntityRelationship.Relationships.INDICATOR_OF,
"relationship_entity_b_type": "STIX Malware",
"mapping": {
"description": "description",
"malwarefamily": ("description", r".*used\s+by\s(.*?)\s", None),
"relationship_entity_b": ("description", r".*used\s+by\s(.*?)\s", None),
},
},
'http://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt': {
'fieldnames': ['value', 'description',
'date_created',
'info'],
'indicator_type': FeedIndicatorType.Domain,
'relationship_name': EntityRelationship.Relationships.INDICATOR_OF,
'relationship_entity_b_type': 'STIX Malware',
'mapping': {
'description': 'description',
'malwarefamily': ('description', r'.*used\s+by\s(.*?)\s', None),
'relationship_entity_b': ('description', r'.*used\s+by\s(.*?)\s', None),

}
"http://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt": {
"fieldnames": ["value", "description", "date_created", "info"],
"indicator_type": FeedIndicatorType.Domain,
"relationship_name": EntityRelationship.Relationships.INDICATOR_OF,
"relationship_entity_b_type": "STIX Malware",
"mapping": {
"description": "description",
"malwarefamily": ("description", r".*used\s+by\s(.*?)\s", None),
"relationship_entity_b": ("description", r".*used\s+by\s(.*?)\s", None),
},
},
'https://faf.bambenekconsulting.com/feeds/dga-feed.gz': {
'fieldnames': ['value', 'description',
'date_created',
'info'],
'indicator_type': FeedIndicatorType.Domain,
'relationship_name': EntityRelationship.Relationships.INDICATOR_OF,
'relationship_entity_b_type': 'STIX Malware',
'mapping': {
'description': 'description',
'malwarefamily': ('description', r'.*used\s+by\s(.*?)(\(|DGA)', None),
'relationship_entity_b': ('description', r'.*used\s+by\s(.*?)(\(|DGA)', None),
"https://faf.bambenekconsulting.com/feeds/dga-feed.gz": {
"fieldnames": ["value", "description", "date_created", "info"],
"indicator_type": FeedIndicatorType.Domain,
"relationship_name": EntityRelationship.Relationships.INDICATOR_OF,
"relationship_entity_b_type": "STIX Malware",
"mapping": {
"description": "description",
"malwarefamily": ("description", r".*used\s+by\s(.*?)(\(|DGA)", None),
"relationship_entity_b": (
"description",
r".*used\s+by\s(.*?)(\(|DGA)",
None,
),
},
'is_zipped_file': True
"is_zipped_file": True,
},
'https://faf.bambenekconsulting.com/feeds/dga-feed-high.gz': {
'fieldnames': ['value', 'description',
'date_created',
'info'],
'indicator_type': FeedIndicatorType.Domain,
'relationship_name': EntityRelationship.Relationships.INDICATOR_OF,
'relationship_entity_b_type': 'STIX Malware',
'mapping': {
'description': 'description',
'malwarefamily': ('description', r'.*used\s+by\s(.*?)\s', None),
'relationship_entity_b': ('description', r'.*used\s+by\s(.*?)\s', None)
"https://faf.bambenekconsulting.com/feeds/dga-feed-high.gz": {
"fieldnames": ["value", "description", "date_created", "info"],
"indicator_type": FeedIndicatorType.Domain,
"relationship_name": EntityRelationship.Relationships.INDICATOR_OF,
"relationship_entity_b_type": "STIX Malware",
"mapping": {
"description": "description",
"malwarefamily": ("description", r".*used\s+by\s(.*?)\s", None),
"relationship_entity_b": ("description", r".*used\s+by\s(.*?)\s", None),
},
'is_zipped_file': True
"is_zipped_file": True,
},
'https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist.txt': {
'fieldnames': ['value',
'ip',
'nsname',
'nsip',
'description',
'info'],
'indicator_type': FeedIndicatorType.Domain,
'relationship_entity_b_type': FeedIndicatorType.IP,
'relationship_name': EntityRelationship.Relationships.RESOLVED_FROM,
'mapping': {
'ipaddress': 'ip',
'relationship_entity_b': 'ip'
}
"https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist.txt": {
"fieldnames": ["value", "ip", "nsname", "nsip", "description", "info"],
"indicator_type": FeedIndicatorType.Domain,
"relationship_entity_b_type": FeedIndicatorType.IP,
"relationship_name": EntityRelationship.Relationships.RESOLVED_FROM,
"mapping": {"ipaddress": "ip", "relationship_entity_b": "ip"},
},
'https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist-high.txt': {
'fieldnames': ['value',
'ip',
'nsname',
'nsip',
'description',
'info'],
'indicator_type': FeedIndicatorType.Domain,
'relationship_name': EntityRelationship.Relationships.RESOLVED_FROM,
'relationship_entity_b_type': FeedIndicatorType.IP,
'mapping': {
'ipaddress': 'ip',
'relationship_entity_b': 'ip'
}
"https://faf.bambenekconsulting.com/feeds/dga/c2-masterlist-high.txt": {
"fieldnames": ["value", "ip", "nsname", "nsip", "description", "info"],
"indicator_type": FeedIndicatorType.Domain,
"relationship_name": EntityRelationship.Relationships.RESOLVED_FROM,
"relationship_entity_b_type": FeedIndicatorType.IP,
"mapping": {"ipaddress": "ip", "relationship_entity_b": "ip"},
},
"https://faf.bambenekconsulting.com/feeds/sinkhole/latest.csv": {
"fieldnames": ["value", "owner"],
"indicator_type": FeedIndicatorType.IP,
"mapping": {"description": ("owner", None, "Sinkholed by {}")},
},
"https://faf.bambenekconsulting.com/feeds/maldomainml/malware-master.txt": {
"fieldnames": [
"hostname",
"registered_domain",
"ipv4 address",
"asn",
"netblock",
"description",
],
"indicator_type": FeedIndicatorType.Domain,
"relationship_name": EntityRelationship.Relationships.INDICATOR_OF,
"relationship_entity_b_type": "STIX Malware",
"mapping": {
"description": "description",
"ipaddress": "ipv4 address",
"malwarefamily": ("description", r".*used\s+by\s(.*?)\s", None),
"relationship_entity_b": ("description", r".*used\s+by\s(.*?)$", None),
},
},
"https://faf.bambenekconsulting.com/feeds/maldomainml/phishing-master.txt": {
"fieldnames": [
"hostname",
"registered_domain",
"ipv4 address",
"asn",
"netblock",
"description",
],
"indicator_type": FeedIndicatorType.Domain,
"relationship_name": EntityRelationship.Relationships.INDICATOR_OF,
"relationship_entity_b_type": "STIX Malware",
"mapping": {
"description": "description",
"ipaddress": "ipv4 address",
"malwarefamily": ("description", r".*used\s+by\s(.*?)\s", None),
"relationship_entity_b": ("description", r".*used\s+by\s(.*?)$", None),
},
},
'https://faf.bambenekconsulting.com/feeds/sinkhole/latest.csv': {
'fieldnames': ['value',
'owner'],
'indicator_type': FeedIndicatorType.IP,
'mapping': {
'description': ('owner', None, 'Sinkholed by {}')
}
}
}
params = {k: v for k, v in demisto.params().items() if v is not None}
params['url'] = [name_to_url.get(url) for url in argToList(params.get('url'))]
params['feed_url_to_config'] = feed_url_to_config
params['ignore_regex'] = r'^#'
params['delimiter'] = ','
params["url"] = [name_to_url.get(url) for url in argToList(params.get("url"))]
params["feed_url_to_config"] = feed_url_to_config
params["ignore_regex"] = r"^#"
params["delimiter"] = ","

# Main execution of the CSV API Module.
# This function allows to add to or override this execution.
feed_main('Bambenek Consulting Feed', params, 'bambenek')
feed_main("Bambenek Consulting Feed", params, "bambenek")


from CSVFeedApiModule import * # noqa: E402

if __name__ in ('__builtin__', 'builtins', '__main__'):
if __name__ in ("__builtin__", "builtins", "__main__"):
main()
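Review bot: The two new maldomainml configs (the `"fieldnames"` lists under the malware-master and phishing-master URLs) contain no `"value"` column, while every other feed in `feed_url_to_config` names its indicator column `"value"`; unless CSVFeedApiModule falls back to some other field, rows from these feeds would be parsed with no indicator value. If the first column is the indicator, align it with the rest of the file, `"fieldnames": ["value", "registered_domain", "ipv4 address", "asn", "netblock", "description"],` and confirm against the module which field it actually reads. The `used\s+by` regexes copied into their `"mapping"` also assume the maldomainml description text uses the same wording as the C2 feeds, which nothing in this change shows, so `malwarefamily` and `relationship_entity_b` should be checked against a sample line before being relied on. Not introduced here but kept on the new side, the two High-Confidence entries in `name_to_url` are still fetched over plain `http://`, which leaves the indicator data open to modification in transit; worth confirming whether the provider offers these over https as it does the `faf.` feeds.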
Expand Up @@ -92,6 +92,8 @@ configuration:
- DGA Domain Feed
- High-Confidence DGA Domain Feed
- Sinkhole Feed
- Malware Domains Feed
- Phishing Domains Feed
required: true
type: 16
- display: Username
Expand Down Expand Up @@ -123,7 +125,7 @@ script:
name: indicator_type
description: Gets the feed indicators.
name: bambenek-get-indicators
dockerimage: demisto/python3:3.10.12.63474
dockerimage: demisto/python3:3.10.13.86272
feed: true
runonce: false
script: '-'
