Merge pull request #674 from yeti-platform/1.8.0

1.8.0

Author: sebdraven

Diff for: plugins/feeds/public/ViruSign.py

@@ -1,3 +1,4 @@
+from configparser import Error
 import logging
 from datetime import timedelta
 
@@ -18,16 +19,16 @@ class AbuseIPDB(Feed):
     def update(self):
         api_key = yeti_config.get("abuseIPDB", "key")
 
-        if api_key:
-            self.source = (
-                "https://api.abuseipdb.com/api/v2/blacklist?&key=%s&plaintext&limit=10000"
-                % (api_key)
-            )
-            # change the limit rate if you subscribe to a paid plan
-            for line in self.update_lines():
-                self.analyze(line)
-        else:
-            logging.error("Your abuseIPDB API key is not set in the yeti.conf file")
+        if not api_key:
+            raise Exception("Your abuseIPDB API key is not set in the yeti.conf file")
+
+        self.source = (
+            "https://api.abuseipdb.com/api/v2/blacklist?&key=%s&plaintext&limit=10000"
+            % (api_key)
+        )
+        # change the limit rate if you subscribe to a paid plan
+        for line in self.update_lines():
+            self.analyze(line)
 
     def analyze(self, line):
         line = line.strip()

Diff for: plugins/feeds/public/abuseipdb.py

@@ -3,7 +3,7 @@
 
 from core.errors import ObservableValidationError
 from core.feed import Feed
-from core.observables import Url
+from core.observables import Ip
 
 
 class FeodoTrackerIPBlockList(Feed):
@@ -15,34 +15,43 @@ class FeodoTrackerIPBlockList(Feed):
     }
 
     def update(self):
-
+        firs_line = 0
         for index, line in self.update_csv(
             delimiter=",",
-            filter_row="Firstseen",
-            names=["Firstseen", "DstIP", "DstPort", "LastOnline", "Malware"],
+            filter_row="first_seen_utc",
+            names=[
+                "first_seen_utc",
+                "dst_ip",
+                "dst_port",
+                "c2_status",
+                "last_online",
+                "malware",
+            ],
         ):
-            self.analyze(line)
+            if firs_line != 0:
+                self.analyze(line)
+            firs_line += 1
 
     # pylint: disable=arguments-differ
     def analyze(self, line):
 
         tags = []
-        tags.append(line["Malware"].lower())
+        tags.append(line["malware"].lower())
         tags.append("c2")
         tags.append("blocklist")
 
         context = {
-            "first_seen": line["Firstseen"],
+            "first_seen": line["first_seen_utc"],
             "source": self.name,
-            "last_online": line["LastOnline"],
+            "last_online": line["last_online"],
+            "c2_status": line["c2_status"],
+            "port": line["dst_port"],
         }
 
         try:
-            new_url = Url.get_or_create(
-                value="http://{}:{}/".format(line["DstIP"], line["DstPort"])
-            )
-            new_url.add_context(context, dedup_list=["last_online"])
-            new_url.tag(tags)
+            ip_obs = Ip.get_or_create(value=line["dst_ip"])
+            ip_obs.add_context(context, dedup_list=["last_online"])
+            ip_obs.tag(tags)
 
         except ObservableValidationError as e:
             logging.error("Invalid line: {}\nLine: {}".format(e, line))

Diff for: plugins/feeds/public/feodo_tracker_ip_blocklist.py

@@ -36,7 +36,7 @@ def update(self):
 
         number_page = yeti_config.get("otx", "pages")
 
-        assert otx_key and number_page
+        assert otx_key and number_page, "OTX key and pages not configured in yeti.conf"
 
         headers = {"X-OTX-API-KEY": otx_key}