# RDAP/whois lookup of an IPv4 address; fields below are read from the
# ipwhois result object ('@' is the top level, 'nets' the network list).
ipwhois:
  name: IP Whois
  otypes:
    - ipv4
  ipwhois:
    results:
      - key: '@'
        multi_match:
          keys:
            - asn
            - asn_cidr
            - asn_date
            - asn_registry
            - asn_country_code
        pretty_name: ASN Information
      - key: nets
        multi_match:
          keys:
            - cidr
            - handle
            - name
            - range
        pretty_name: Network Information
      - key: nets
        multi_match:
          keys:
            - description
            # Keep only the date portion of the ISO timestamp.
            - key: created
              regex: '(\d+-\d+-\d+)T'
            - key: updated
              regex: '(\d+-\d+-\d+)T'
        pretty_name: Registration Info
      - key: nets
        multi_match:
          keys:
            - city
            - state
            - postal_code
            - country
        pretty_name: Registration Locality
      # For when we use RWS
      - key: nets
        multi_match:
          keys:
            - key: abuse_emails
              split: "\n"
        pretty_name: Abuse Email
      - key: nets
        multi_match:
          keys:
            - key: tech_emails
              split: "\n"
        pretty_name: Tech Email
      # For when we fall back to regular whois
      - key: nets
        multi_match:
          keys:
            - key: emails
              split: "\n"
        pretty_name: Contacts
# Spamhaus ZEN (IP) and DBL (domain) lookups, scraped from the public web form.
# NOTE(review): both are queried over plain http, so the indicator under
# investigation travels in the clear.
spamhaus_ip:
  name: Spamhaus Zen BL
  default: false
  otypes:
    - ipv4
  webscraper:
    request:
      url: 'http://www.spamhaus.org/query/ip/{target}'
      method: get
    strip_comments: true
    results:
      - regex: '<b><font color="red">\S+ is (listed in the \w+)</FONT></B>'
        values:
          - spamhaus_zenbl
        pretty_name: Spamhaus Zen BL

spamhaus_domain:
  name: Spamhaus Domain BL
  default: false
  otypes:
    - fqdn
  webscraper:
    request:
      url: 'http://www.spamhaus.org/query/domain/{target}'
      method: get
    results:
      - regex: '<b><font color="red">\S+ is (listed in the \w+)</FONT></B>'
        values:
          - spamhaus_dbl
        pretty_name: Spamhaus DBL
# IPVoid / URLVoid blacklist aggregators (HTML scraping).
# NOTE(review): both endpoints are plain http; the queried IP/domain is sent unencrypted.
ipvoid:
  name: IPVoid
  default: true
  otypes:
    - ipv4
  webscraper:
    request:
      url: 'http://www.ipvoid.com/ip-blacklist-check'
      method: post
      data:
        ip: '{target}'
    results:
      - regex: '<tr><td>Blacklist Status<\/td><td><.+?>([a-zA-Z\s]+? \d{1,3}\/\d{1,3})<\/span><\/td><\/tr>'
        values:
          - ipvoid_status
        pretty_name: Status from IPVoid
      - regex: '<td><i class="fa fa-minus-circle text-danger" aria-hidden="true"><\/i>(.+?)<\/td>'
        values:
          - ipvoid_blacklist
        pretty_name: Blacklist from IPVoid
      - regex: 'ISP</td><td>(.+)</td>'
        values:
          - ipvoid_isp
        pretty_name: ISP from IPVoid
      - regex: 'Country\sCode.+flag"\s/>\s\((\w+)\)[\w\s]+</td>'
        values:
          - ipvoid_country_code
        pretty_name: Country from IPVoid

urlvoid:
  name: URLVoid
  otypes:
    - fqdn
  webscraper:
    request:
      url: 'http://www.urlvoid.com/scan/{target}'
      method: get
    results:
      # 'values' is given as a single scalar here rather than a list as in the
      # other modules; left as-is since the loader's handling of both is not visible here.
      - regex: 'Analysis Date<\/td><td>(.+?)<\/td>'
        values: urlvoid_analysis_date
        pretty_name: Last Analysis
      - regex: '(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}).{5,30}Find\swebsites\shosted\shere'
        values: urlvoid_ip
        pretty_name: IP from URLVoid
      - regex: '\/>(.+?)<\/td><td><i class="glyphicon glyphicon-alert text-danger"><\/i>'
        values: urlvoid_blacklist
        pretty_name: Blacklist from URL Void
      - regex: 'Domain\s1st\sRegistered.+\<td\>(.+)\<\/td\>'
        values: urlvoid_domain_age
        pretty_name: Domain Age from URL Void
      - regex: 'latitude\s/\slongitude.+\<td\>(.+)\<\/td\>'
        values: urlvoid_location
        pretty_name: Geo Coordinates from URLVoid
      - regex: 'alt="flag"\s/>\s\(\w+\)\s+([\w\s]+)</td>'
        values: urlvoid_country_code
        pretty_name: Country from URLVoid
# Expands shortened URLs via a third-party form (plain http — the URL being
# checked is disclosed to the service and to the network path in the clear).
unshorten:
  name: URL Unshorten
  otypes:
    - fqdn
    - url
  webscraper:
    request:
      url: 'http://www.toolsvoid.com/unshorten-url'
      method: post
      data:
        urladdr: '{target}'
    results:
      - regex: 'class="myarea">(.*?)</textarea'
        values:
          - unshorten_url
        pretty_name: Unshortened URL
# Malc0de database search; every result is a regex over the HTML search page.
malc0de:
  name: Malc0de
  otypes:
    - ipv4
    - fqdn
    - hash
  webscraper:
    request:
      url: 'https://malc0de.com/database/index.php?search={target}'
      method: get
    results:
      - regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
        values:
          - malc0de_date
        pretty_name: MC Date
      - regex: 'search=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
        values:
          - malc0de_ipaddr
        pretty_name: MC IP
      - regex: '(?!search=NA)search=([A-Z]{2})'
        values:
          - malc0de_country
        pretty_name: MC Country
      - regex: 'search=\d{4,5}..(\d{4,5})'
        values:
          - malc0de_asn
        pretty_name: MC ASN
      - regex: 'search=\d{4,5}..([A-Za-z]+)'
        values:
          - malc0de_asn_name
        pretty_name: MC ASN Name
      - regex: 'latest\-scan\/([A-Fa-f0-9]{32})'
        values:
          - malc0de_md5
        pretty_name: MC MD5
# AbuseIPDB and Ransomware Tracker (abuse.ch) host pages, scraped with
# look-behind regexes anchored on the surrounding HTML.
AbuseIPDB:
  name: AbuseIPDB
  otypes:
    - ipv4
  webscraper:
    request:
      url: 'https://abuseipdb.com/check/{target}'
      method: get
    results:
      - regex: '((?<=This\sIP\swas\sreported\s<b>)\d{1,3})'
        values:
          - AbuseIPReports
        pretty_name: 'AbuseIPDB reports'
      - regex: '((?<=most\srecent\sreport\swas\s<b>)\d{1,3}\s\w+\s\w+)'
        values:
          - Last_seen
        pretty_name: 'Last seen'

RansomwareTracker:
  name: RansomwareTracker
  otypes:
    - ipv4
  webscraper:
    request:
      url: 'https://ransomwaretracker.abuse.ch/host/{target}'
      method: get
    results:
      - regex: '((?<=Host\sStatus:</th><td\scolspan="2"><span\sclass="buttonoffline">)\w+)'
        values:
          - Active
        pretty_name: 'Host Status'
      - regex: '((?<=</td><td>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}</td><td>)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})'
        values:
          - Last_seen
        pretty_name: 'Last seen'
      - regex: '((?<=Malware:</th><td\scolspan="2">)\w+)'
        values:
          - ransomwareType
        pretty_name: 'Ransomware Type'
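# SANS ISC IP API (XML response scraped with regexes).
# The 'count' result was listed twice with identical regex, value and
# pretty_name; the duplicate entry has been dropped.
sans:
  name: SANS
  otypes:
    - ipv4
  webscraper:
    request:
      url: 'https://isc.sans.edu/api/ip/{target}'
      method: get
    results:
      - regex: 'attacks>(\d+)<'
        values:
          - sans_attacks
        pretty_name: SANS attacks
      - regex: 'count>(\d+)<'
        values:
          - sans_count
        pretty_name: SANS count
      - regex: 'maxdate>(\d{4}-\d{2}-\d{2})<'
        values:
          - sans_maxdate
        pretty_name: SANS maxdate
      - regex: 'mindate>(\d{4}-\d{2}-\d{2})<'
        values:
          - sans_mindate
        pretty_name: SANS mindate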
# Telize GeoIP via Mashape; the API key header is intentionally left empty
# here and must be supplied by the operator.
telize:
  name: Telize GeoIP
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://telize-v1.p.mashape.com/geoip/{target}'
      method: get
      headers:
        X-Mashape-Key:
        Accept: application/json
    results:
      - key: continent_code
        pretty_name: GeoIP Continent Code
      - key: country_code
        pretty_name: GeoIP Country Code
      - key: country
        pretty_name: GeoIP Country
      - key: region_code
        pretty_name: GeoIP Region Code
      - key: region
        pretty_name: GeoIP Region
      - key: city
        pretty_name: GeoIP City
      - key: postal_code
        pretty_name: GeoIP Zip Code
      - key: latitude
        pretty_name: GeoIP Latitude
      - key: longitude
        pretty_name: GeoIP Longitude
      - key: timezone
        pretty_name: GeoIP Timezone
      - key: offset
        pretty_name: GeoIP UTC Offset
      - key: asn
        pretty_name: GeoIP ASN
      - key: isp
        pretty_name: GeoIP ISP
# MaxMind GeoIP2 Insights; credentials come from the 'maxmind' auth entry
# rather than being embedded in this file.
maxmind:
  name: MaxMind GeoIP2 Precision
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://geoip.maxmind.com/geoip/v2.1/insights/{target}'
      auth: maxmind
    results:
      - key: country.iso_code
        pretty_name: MaxMind Country Code
      - key: country.names.en
        pretty_name: MaxMind Country
      - key: subdivisions
        multi_match:
          keys:
            - iso_code
        pretty_name: MaxMind Region Code
      - key: subdivisions
        multi_match:
          keys:
            - names.en
        pretty_name: MaxMind Region
      - key: city.names.en
        pretty_name: MaxMind City
      - key: postal.code
        pretty_name: MaxMind Zip Code
      - key: location.latitude
        pretty_name: MaxMind Latitude
      - key: location.longitude
        pretty_name: MaxMind Longitude
      - key: location.time_zone
        pretty_name: MaxMind Timezone
# freegeoip.io JSON lookup; only country and city are currently reported,
# the remaining fields are kept commented out for reference.
freegeoip:
  name: freegeoip.io
  default: true
  otypes:
    - ipv4
    # - fqdn
  json:
    request:
      url: 'https://freegeoip.io/json/{target}'
    results:
      - key: country_code
        pretty_name: GeoIP Country Code
      - key: country_name
        pretty_name: GeoIP Country
      # - key: region_code
      #   pretty_name: GeoIP Region Code
      # - key: region_name
      #   pretty_name: GeoIP Region
      - key: city
        pretty_name: GeoIP City
      # - key: zip_code
      #   pretty_name: GeoIP Zip Code
      # - key: latitude
      #   pretty_name: GeoIP Latitude
      # - key: longitude
      #   pretty_name: GeoIP Longitude
      # - key: time_zone
      #   pretty_name: GeoIP Timezone
# FortiGuard web-filter category lookup (HTML scrape).
fortinet_classify:
  name: Fortinet Category
  default: true
  otypes:
    - ipv4
    - fqdn
    - url
  webscraper:
    request:
      url: 'https://www.fortiguard.com/webfilter?q={target}'
      method: get
    results:
      - regex: 'Category:\s(.+)<\/h4>\s'
        values:
          - fortinet_category
        pretty_name: Fortinet URL Category
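# VirusTotal v2 IP report (passive DNS and detected URLs, last 30 days).
# The API key that was committed in this file has been removed: a credential
# in version control is exposed to everyone with read access. Supply your own
# key here (or via an auth entry, as the maxmind/passivetotal modules do)
# and treat the previously committed value as compromised.
vt_ip:
  name: VirusTotal pDNS
  otypes:
    - ipv4
  json:
    request:
      url: 'https://www.virustotal.com/vtapi/v2/ip-address/report'
      params:
        ip: '{target}'
        apikey:
      method: get
    results:
      - key: resolutions
        multi_match:
          keys:
            - key: last_resolved
              regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
            - hostname
          onlyif:
            key: last_resolved
            maxage: '-30d'
        pretty_name: pDNS data from VirusTotal
      - key: detected_urls
        multi_match:
          keys:
            - key: scan_date
              regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
            - key: url
              regex: '(http.{1,70}/)'
          onlyif:
            key: scan_date
            maxage: '-30d'
        pretty_name: pDNS malicious URLs from VirusTotal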
# vt_ip:
# name: VirusTotal pDNS
# otypes:
# - ip
# webscraper:
# request:
# url: 'https://www.virustotal.com/en/ip-address/{target}/information/'
# method: get
# headers:
# Accept: 'text/html, application/xhtml+xml, */*'
# Accept-Language: 'en-US'
# Accept-Encoding: 'gzip, deflate'
# DNT: 1
# Connection: 'Keep-Alive'
# results:
# - regex: '(\d{4}\-\d{1,2}\-\d{1,2})\s+<.{30,70}/en/domain/(.{1,80})/information'
# values:
# - vt_pdns_date
# - vt_pdns_domain
# pretty_name: 'pDNS data from VirtusTotal'
# - regex: '(\d{4}\-\d{1,2}\-\d{1,2}).{1,20}\s+<.{10,80}/en/url/.{1,100}/analysis/.{1,5}\s+(http.{1,70}/)'
# values:
# - vt_pdns_date
# - vt_pdns_url
# pretty_name: 'pDNS malicious URLs from VirusTotal'
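# VirusTotal v2 domain report.
# The committed API key has been removed (a secret in version control is
# disclosed to every reader of the repository); supply your own key here and
# consider the previously committed value compromised.
vt_domain:
  name: VirusTotal pDNS
  otypes:
    - fqdn
  json:
    request:
      url: 'https://www.virustotal.com/vtapi/v2/domain/report'
      params:
        domain: '{target}'
        apikey:
      method: get
    results:
      - key: resolutions
        multi_match:
          keys:
            - key: last_resolved
              regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
            - ip_address
        pretty_name: pDNS data from VirusTotal
      - key: Websense ThreatSeeker category
        pretty_name: Websense ThreatSeeker category
      - key: Webutation domain info.Safety score
        pretty_name: Webutation Safety score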
# vt_domain:
# name: VirusTotal pDNS
# otypes:
# - fqdn
# webscraper:
# request:
# url: 'https://www.virustotal.com/en/domain/{target}/information/'
# method: get
# headers:
# Accept: 'text/html, application/xhtml+xml, */*'
# Accept-Language: 'en-US'
# Accept-Encoding: 'gzip, deflate'
# DNT: 1
# Connection: 'Keep-Alive'
# results:
# - regex: '(\d{4}\-\d{1,2}\-\d{1,2})\s+<.{30,70}/en/ip-address/(.{1,80})/information'
# values:
# - vt_pdns_date
# - vt_pdns_ip
# pretty_name: 'pDNS data from VirtusTotal'
# - regex: '(\d{4}\-\d{1,2}\-\d{1,2}).{1,20}\s+<.{10,80}/en/url/.{1,100}/analysis/.{1,5}\s+(http.{1,70}/)'
# values:
# - vt_pdns_date
# - vt_pdns_url
# pretty_name: 'pDNS malicious URLs from VirusTotal'
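# VirusTotal v2 URL report; per-scanner results are listed only where
# the scanner flagged the URL ('detected').
# The committed API key has been removed; supply your own and treat the
# previously committed value as compromised.
vt_url:
  name: VirusTotal URL Report
  otypes:
    - url
  json:
    request:
      url: 'https://www.virustotal.com/vtapi/v2/url/report'
      method: get
      params:
        apikey:
        resource: '{target}'
    results:
      - key: scan_date
        pretty_name: Date submitted
      - key: positives
        pretty_name: Detected scanners
      - key: total
        pretty_name: Total scanners
      - key: scans
        pretty_name: URL Scanner
        multi_match:
          keys:
            - '@'
            - result
          onlyif: detected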
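# VirusTotal v2 file report by MD5/SHA-1/SHA-256.
# The committed API key has been removed; supply your own and treat the
# previously committed value as compromised.
vt_hash:
  name: VirusTotal File Report
  otypes:
    - hash
    - hash.sha1
    - hash.sha256
  json:
    request:
      url: 'https://www.virustotal.com/vtapi/v2/file/report'
      method: get
      params:
        apikey:
        resource: '{target}'
    results:
      - key: scan_date
        pretty_name: Date submitted
      - key: positives
        pretty_name: Detected engines
      - key: total
        pretty_name: Total engines
      - key: scans
        pretty_name: Scans
        multi_match:
          keys:
            - '@'
            - result
          onlyif: detected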
# Reputation Authority, ThreatExpert and VxVault HTML scrapes.
# NOTE(review): all three are plain-http endpoints, so the looked-up
# IP/domain/hash is sent unencrypted.
reputation_authority:
  name: Reputation Authority
  otypes:
    - fqdn
    - ipv4
  webscraper:
    request:
      url: 'http://www.reputationauthority.org/lookup.php?ip={target}'
      method: get
    results:
      - regex: '>(\d{1,3}\/\d{1,3})'
        values:
          - ra_score
        pretty_name: Reputation Authority Score

threatexpert:
  name: ThreatExpert
  otypes:
    - hash
  webscraper:
    request:
      url: 'http://www.threatexpert.com/report.aspx?md5={target}'
      method: get
    results:
      - regex: 'Submission\sreceived.\s(.+)</li>'
        values:
          - threatexpert_date
        pretty_name: Hash found at ThreatExpert
      - regex: '1">(.{5,100})</td.{10,35}src\='
        values:
          - threatexpert_indicators
        pretty_name: Malicious Indicators from ThreatExpert

vxvault:
  name: VxVault
  otypes:
    - hash
  webscraper:
    request:
      url: 'http://vxvault.net/ViriList.php?MD5={target}'
      method: get
    results:
      # <tr>\s*<td.*?><a.*?>(\d+-\d+)</a></td>\s*<td.*?><a.*?>\[D\]</a>\s*<a.*?>(.*?)</a></td>\s*<td.*?></td>\s*<td.*?><a.*?>(.*?)</a>
      - regex: '>(\d{2}\-\d{2})<'
        values:
          - vxvault_date
        pretty_name: Date found at VXVault
      - regex: '\[D\].{2,40}\Wphp\?id.{2,10}>(.{5,100})</a'
        values:
          - vxvault_url
        pretty_name: URL found at VXVault
# Project Honey Pot IP profile page. Every result is scraped from the HTML
# table; the regexes step over the markup between a row label and its value.
projecthoneypot:
  name: ProjectHoneypot
  default: false
  otypes:
    - ipv4
  webscraper:
    request:
      url: 'https://www.projecthoneypot.org/ip_{target}'
      method: get
    results:
      - regex: 'list_of_ips\.php\?t=[a-z]\">([a-zA-Z\s]+)</a></b>'
        values:
          - php_activity_type
        pretty_name: ProjectHoneyPot activity type
      - regex: '>First&nbsp;Received&nbsp;From.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])[a-zA-Z0-9><"&:,()=;\s\t/]+Number&nbsp;Received'
        values:
          - php_first_mail
        pretty_name: ProjectHoneyPot first mail received
      - regex: '>Last&nbsp;Received&nbsp;From.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])[a-zA-Z0-9><":,()=;\s\t/]+Number&nbsp;Received'
        values:
          - php_last_mail
        pretty_name: ProjectHoneyPot last mail received
      - regex: '>Number&nbsp;Received.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z\)])'
        values:
          - php_total_mail
        pretty_name: ProjectHoneyPot total mail received
      - regex: '>Spider&nbsp;First&nbsp;Seen.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_spider
        pretty_name: ProjectHoneyPot spider first seen
      - regex: '>Spider&nbsp;Last&nbsp;Seen.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z])'
        values:
          - php_last_spider
        pretty_name: ProjectHoneyPot spider last seen
      - regex: '>Spider&nbsp;Sightings.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(]+[a-zA-Z\)])'
        values:
          - php_spider_sightings
        pretty_name: ProjectHoneyPot total spider sightings
      - regex: '>User-Agents.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9\-\(\),\s]+[a-zA-Z\)])'
        values:
          - php_user_agents
        pretty_name: ProjectHoneyPot user-agent sightings
      - regex: '>First&nbsp;Post&nbsp;On.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_post
        pretty_name: ProjectHoneyPot first form post
      - regex: '>Last&nbsp;Post&nbsp;On.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_last_post
        pretty_name: ProjectHoneyPot last form post
      - regex: '>Form&nbsp;Posts.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z\)])'
        values:
          - php_form_posts
        pretty_name: ProjectHoneyPot total form posts
      - regex: '>First&nbsp;Rule-Break&nbsp;On.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_rulebreak
        pretty_name: ProjectHoneyPot first rule break
      - regex: '>Last&nbsp;Rule-Break&nbsp;On.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_last_rulebreak
        pretty_name: ProjectHoneyPot last rule break
      - regex: '>Rule&nbsp;Breaks.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z\)])'
        values:
          - php_total_rulebreaks
        pretty_name: ProjectHoneyPot total rule breaks
      - regex: 'Dictionary&nbsp;Attacks[a-zA-Z0-9><":,()=;\s\t/]+>First&nbsp;Received&nbsp;From.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_dictionary_attack
        pretty_name: ProjectHoneyPot first dictionary attack
      - regex: 'Dictionary&nbsp;Attacks[a-zA-Z0-9><"&:,()=;\s\t/]+>Last&nbsp;Received&nbsp;From.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_last_dictionary_attack
        pretty_name: ProjectHoneyPot last dictionary attack
      - regex: '>Dictionary&nbsp;Attacks.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z\)])'
        values:
          - php_total_dictionary_attacks
        pretty_name: ProjectHoneyPot total dictionary attacks
      - regex: '>First&nbsp;Bad&nbsp;Host&nbsp;Appearance.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_bad_host
        pretty_name: ProjectHoneyPot first bad host
      - regex: '>Last&nbsp;Bad&nbsp;Host&nbsp;Appearance.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_last_bad_host
        pretty_name: ProjectHoneyPot last bad host
      - regex: '>Bad&nbsp;Host&nbsp;Appearances.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)\-]+[a-zA-Z\)])'
        values:
          - php_total_bad_host
        pretty_name: ProjectHoneyPot total bad hosts
      - regex: '>Harvester&nbsp;First&nbsp;Seen.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_harvester
        pretty_name: ProjectHoneyPot harvester first seen
      - regex: '>Harvester&nbsp;Last&nbsp;Seen.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z])'
        values:
          - php_last_harvester
        pretty_name: ProjectHoneyPot harvester last seen
      - regex: '>Harvester&nbsp;Sightings.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\(\s]+[a-zA-Z\)])'
        values:
          - php_total_harvester
        pretty_name: ProjectHoneyPot total harvester sightings
      - regex: '(?:>Harvester&nbsp;Results(?:.+[\n\s].+[\n\s]+)\s{2,}|(?:<br\s/>))(?!\s)([0-9a-zA-Z.\s:,()-]+)\s{2,}'
        values:
          - php_harvester_results
        pretty_name: ProjectHoneyPot harvester results
# McAfee Threat Intelligence pages for domains and IPs.
# In the IP module the web, email and network risk rows all write the same
# 'mcafee_risk' value; they are told apart only by pretty_name.
mcafee_threat_domain:
  name: McAfee Threat
  otypes:
    - fqdn
  webscraper:
    request:
      url: 'https://www.mcafee.com/threat-intelligence/domain/default.aspx?domain={target}'
      method: get
    results:
      - regex: 'ctl00_breadcrumbContent_imgRisk"[^\r\n]+title="([A-Za-z]+)"'
        values:
          - mcafee_risk
        pretty_name: McAfee Web Risk
      - regex: '<li>[\n\s]*Web\sCategory:[\n\s]*([A-Z][A-Za-z\s/,]+?)[\n\s]*</li>'
        values:
          - mcafee_category
        pretty_name: McAfee Web Category
      - regex: '<li>[\n\s]*Last\sSeen:[\n\s]*([0-9\-]+)[\n\s]*</li>'
        values:
          - mcafee_last_seen
        pretty_name: McAfee Last Seen

mcafee_threat_ip:
  name: McAfee Threat
  otypes:
    - ipv4
  webscraper:
    request:
      url: 'https://www.mcafee.com/threat-intelligence/ip/default.aspx?ip={target}'
      method: get
    results:
      - regex: 'ctl00_breadcrumbContent_imgRisk"[^\r\n]+src="/img/Threat_IP/rep_([a-z]+)\.png"'
        values:
          - mcafee_risk
        pretty_name: McAfee Web Risk
      - regex: 'ctl00_breadcrumbContent_imgRisk1"[^\r\n]+src="/img/Threat_IP/rep_([a-z]+)\.png"'
        values:
          - mcafee_risk
        pretty_name: McAfee Email Risk
      - regex: 'ctl00_breadcrumbContent_imgRisk2"[^\r\n]+src="/img/Threat_IP/rep_([a-z]+)\.png"'
        values:
          - mcafee_risk
        pretty_name: McAfee Network Risk
      - regex: '<li>[\n\s]*Web\sCategory:[\n\s]*([A-Z][A-Za-z\s/,]+?)[\n\s]*</li>'
        values:
          - mcafee_category
        pretty_name: McAfee Web Category
# StopForumSpam e-mail search (plain http — the address being checked is
# sent in the clear).
stopforumspam:
  name: StopForumSpam
  otypes:
    - email
  webscraper:
    request:
      url: 'http://www.stopforumspam.com/search/{target}'
      method: get
    results:
      - regex: '>Found (0*[1-9]\d*) entries'
        values:
          - sfs_spam_count
        pretty_name: Spam email count
# Team Cymru Malware Hash Registry, submitted through the bulk web form.
# The response line is "<hash> <epoch> <percent>"; both numbers are captured.
cymru_mhr:
  name: Cymru MHR
  otypes:
    - hash
    - hash.sha1
  webscraper:
    request:
      url: 'https://hash.cymru.com/cgi-bin/bulkmhr.cgi'
      method: post
      data:
        action: do_whois
        bulk_paste: '{target}'
        submit_paste: Submit
    results:
      - regex: '[a-f0-9]+\s(\d+)\s(\d+)'
        values:
          - cymru_mhr_detect_time
          - cymru_mhr_detect_pct
        pretty_name: Cymru MHR Detection Percent
# ICSI Certificate Notary: a TXT lookup of the certificate fingerprint
# (colons stripped via {target_stripped}) under the notary zone.
icsi_notary:
  name: ICSI Certificate Notary
  otypes:
    - sslfp
  dns:
    request:
      query: '{target_stripped}.notary.icsi.berkeley.edu'
      rrtype: txt
    results:
      - regex: 'version=1 first_seen=(\d+) last_seen=(\d+) times_seen=(\d+) validated=(\d+)'
        values:
          - icsi_first_seen
          - icsi_last_seen
          - icsi_times_seen
          - icsi_validated
        pretty_name: ICSI Notary Results
# TotalHash network search by IP.
# NOTE(review): the observable type is given as 'ip' while every other IP
# module in this file uses 'ipv4'; confirm the loader recognises 'ip',
# otherwise this module may never be selected.
totalhash_ip:
  name: TotalHash
  default: false
  otypes:
    - ip
  webscraper:
    request:
      url: 'https://totalhash.com/network/dnsrr:*{target}*%20or%20ip:{target}'
      method: get
    results:
      - regex: '/analysis/(\w{40}).+(\d{4}\-\d{1,2}\-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})'
        values:
          - thip_hash
          - thip_date
        pretty_name: Totalhash
# DomainTools parsed whois. api_username/api_key are left empty on purpose
# and must be filled in by the operator (do not commit real values).
domaintools_parsed_whois:
  name: DomainTools Whois
  default: false
  otypes:
    - fqdn
  json:
    request:
      url: 'https://api.domaintools.com/v1/{target}/whois/parsed'
      method: get
      params:
        api_username:
        api_key:
    results:
      - key: response.parsed_whois.contacts
        multi_match:
          keys:
            - '@'
            - name
            - country
            - email
          onlyif: name
        pretty_name: Whois Contacts
      - key: response.parsed_whois.created_date
        pretty_name: Domain registered
        regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
      - key: response.parsed_whois.updated_date
        pretty_name: Whois updated
        regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
      - key: response.parsed_whois.expired_date
        pretty_name: Domain expiration
        regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
      - key: response.parsed_whois.name_servers
        pretty_name: Name Servers
        # match_all: true
      - key: response.parsed_whois.registrar
        pretty_name: Registrar Info
        multi_match:
          keys:
            - name
            - abuse_contact_phone
            - abuse_contact_email
            - url
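# DomainTools reverse whois by registrant e-mail.
# The 'current' domain count was read from 'reponse.domain_count.current'
# (typo) and so never matched; the path now uses 'response' like its sibling.
domaintools_reverse_whois:
  name: DomainTools Reverse Whois
  default: false
  otypes:
    - email
  json:
    request:
      url: 'https://api.domaintools.com/v1/reverse-whois/'
      method: get
      params:
        terms: '{target}'
        mode: purchase
        api_username:
        api_key:
    results:
      - key: response.domains
        match_all: true
        pretty_name: Registered domain
      - key: response.domain_count.current
        pretty_name: Currently active registered domains
      - key: response.domain_count.historic
        pretty_name: All registered domains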
# DomainTools reputation score with reasons; credentials supplied by the operator.
domaintools_reputation:
  name: DomainTools Reputation
  default: false
  otypes:
    - fqdn
  json:
    request:
      url: 'https://api.domaintools.com/v1/reputation/'
      method: get
      params:
        domain: '{target}'
        include_reasons: 'true'
        api_username:
        api_key:
    results:
      - key: response.risk_score
        pretty_name: Risk Score
      - key: response.reasons
        pretty_name: Reasons
# Farsight DNSDB: rdata lookup by IP, and rrset lookup by name restricted to
# records seen in the last 7 days. The API key header is filled in by the operator.
dnsdb_ip:
  name: Farsight DNSDB
  default: false
  otypes:
    - ipv4
    - ipv6
  json:
    multi_json: true
    request:
      url: 'https://api.dnsdb.info/lookup/rdata/ip/{target}'
      method: get
      headers:
        Accept: application/json
        X-Api-Key:
    results:
      - key: '@'
        multi_match:
          keys:
            - rrname
            - rrtype
            - key: time_first
              format: as_time
            - key: time_last
              format: as_time
          labels:
            - Record Name
            - Record Type
            - First Seen
            - Last Seen

dnsdb_fqdn:
  name: Farsight DNSDB
  default: false
  otypes:
    - fqdn
  json:
    multi_json: true
    request:
      url: 'https://api.dnsdb.info/lookup/rrset/name/{target}'
      method: get
      ignored_status_codes:
        - 404
      params:
        time_last_after:
          relatime: '-7d'
          timezone: UTC
          format: as_epoch
      headers:
        Accept: application/json
        X-Api-Key:
    results:
      - key: '@'
        multi_match:
          keys:
            - rrtype
            - key: rdata
              # format: as_list
            - key: time_last
              format: as_time
          labels:
            - Record Type
            - Record Data
            - Last Seen
          # Only the record types listed here are reported.
          onlyif:
            key: rrtype
            regex: "^(A|AAAA|MX|SPF|TXT)$"
# Collective Intelligence Framework v2 observables query (last 2 days,
# confidence >= 75). The Authorization token is left for the operator to set.
# NOTE(review): verify_ssl is false, so the CIF server's certificate is not
# checked and the token travels over an unauthenticated TLS session; pin or
# trust the server's CA and enable verification where possible.
cif:
  name: Collective Intelligence Framework
  default: false
  otypes:
    - ipv4
    - fqdn
    - email
    - hash
  json:
    request:
      url: 'https://cif/observables'
      method: get
      params:
        nolog: 1
        confidence: 75
        observable: '{target}'
        reporttime:
          relatime: '-2d'
          timezone: UTC
        reporttimeend:
          relatime: 'now'
          timezone: UTC
      headers:
        Accept: application/vnd.cif.v2+json
        Authorization: Token token=
      verify_ssl: false
    results:
      - key: '@'
        multi_match:
          keys:
            - asn
            - cc
          labels:
            - AS Number
            - Country Code
      - key: '@'
        multi_match:
          keys:
            - key: reporttime
              regex: '^(\d+-\d+-\d+)T'
            - confidence
            - key: tags
              format: as_list
            - provider
            - description
          labels:
            - Report Date
            - Confidence
            - Tags
            - Provider
            - Description
# Cymon.io nexus API: events and domains associated with an IP.
# A 404 simply means the IP is unknown and is not treated as an error.
cymon_ip_events:
  name: Cymon.io IP Events
  default: true
  otypes:
    - ipv4
  json:
    paginated: true
    request:
      url: 'https://cymon.io/api/nexus/v1/ip/{target}/events/'
      method: get
      ignored_status_codes:
        - 404
    results:
      - key: 'results'
        pretty_name: Event
        multi_match:
          keys:
            - title
            - key: created
              regex: '^(\d+-\d+-\d+)T'
            - key: updated
              regex: '^(\d+-\d+-\d+)T'
          labels:
            - Title
            - Created
            - Updated

cymon_ip_domains:
  name: Cymon.io IP Domains
  default: true
  otypes:
    - ipv4
  json:
    request:
      url: 'https://cymon.io/api/nexus/v1/ip/{target}/domains/'
      method: get
      ignored_status_codes:
        - 404
    results:
      - key: 'results'
        pretty_name: Domain
        multi_match:
          keys:
            - name
            - key: created
              regex: '^(\d+-\d+-\d+)T'
            - key: updated
              regex: '^(\d+-\d+-\d+)T'
          labels:
            - Domain
            - Created
            - Updated
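# Cymon.io nexus API: URLs associated with an IP.
# The first column is the 'location' (URL) field, but its label read
# "Domain" — copied from the domains module — so the output was mislabelled.
# The label now says URL, matching pretty_name.
cymon_ip_urls:
  name: Cymon.io IP URLs
  default: true
  otypes:
    - ipv4
  json:
    request:
      url: 'https://cymon.io/api/nexus/v1/ip/{target}/urls/'
      method: get
      ignored_status_codes:
        - 404
    results:
      - key: 'results'
        pretty_name: URL
        multi_match:
          keys:
            - location
            - key: created
              regex: '^(\d+-\d+-\d+)T'
            - key: updated
              regex: '^(\d+-\d+-\d+)T'
          labels:
            - URL
            - Created
            - Updated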
# Cymon.io nexus API: domain and URL lookups. Associated IPs/URLs come back
# as API links, so the trailing path segment is extracted with a regex.
cymon_domain:
  name: Cymon.io Domain Lookup
  default: true
  otypes:
    - fqdn
  json:
    request:
      url: 'https://cymon.io/api/nexus/v1/domain/{target}'
      method: get
      ignored_status_codes:
        - 404
    results:
      - key: 'sources'
        pretty_name: Domain listed by
        match_all: true
      - key: 'ips'
        pretty_name: Associated IP
        regex: '^https://cymon.io/api/nexus/v1/ip/(.+)'
        match_all: true
      - key: 'urls'
        pretty_name: Malicious URL
        regex: '^https://cymon.io/api/nexus/v1/url/(.+)'
        match_all: true
        # URLs are double-encoded in the API path.
        urldecode: twice

cymon_url:
  name: Cymon.io URL Lookup
  default: true
  otypes:
    - url
  json:
    request:
      url: 'https://cymon.io/api/nexus/v1/url/{target}'
      method: get
      ignored_status_codes:
        - 404
      target:
        urlencode: twice
    results:
      - key: 'sources'
        pretty_name: URL listed by
        match_all: true
      - key: 'ips'
        pretty_name: Associated IP
        regex: '^https://cymon.io/api/nexus/v1/ip/(.+)'
        match_all: true
# ThreatCrowd IP report: passive DNS from the last 30 days plus known hashes.
threatcrowd_ip_report:
  name: ThreatCrowd IP Report
  default: true
  otypes:
    - ipv4
  json:
    paginated: false
    request:
      url: 'https://www.threatcrowd.org/searchApi/v2/ip/report/?ip={target}'
      method: get
      ignored_status_codes:
        - 404
    results:
      - key: 'resolutions'
        pretty_name: Passive DNS
        multi_match:
          keys:
            - domain
            - last_resolved
          labels:
            - Domain
            - Last Resolved
          onlyif:
            key: last_resolved
            maxage: '-30d'
      - key: 'hashes'
        pretty_name: Known Malware Hash
        match_all: true
# PassiveTotal v2: passive DNS and whois. Credentials come from the
# 'passivetotal' auth entry; a 401 (no/invalid credentials) is ignored.
passivetotal_pdns:
  name: PassiveTotal Passive DNS
  default: false
  otypes:
    - fqdn
    - ipv4
  json:
    request:
      url: 'https://api.passivetotal.org/v2/dns/passive'
      auth: passivetotal
      params:
        query: '{target}'
      method: get
      headers:
        Accept: application/json
      ignored_status_codes:
        - 401
    results:
      - key: results
        format: as_list
        pretty_name: Results
        multi_match:
          keys:
            - key: resolve
            - key: queryValue
              pretty_name: Query Value

passivetotal_whois:
  name: PassiveTotal Whois
  default: false
  otypes:
    - fqdn
  json:
    request:
      url: 'https://api.passivetotal.org/v2/whois'
      auth: passivetotal
      params:
        query: '{target}'
      method: get
      headers:
        Accept: application/json
      ignored_status_codes:
        - 401
    results:
      - key: registryUpdatedAt
        pretty_name: Registry Updated At
      - key: domain
        pretty_name: Domain
      - key: billing
        pretty_name: Billing
      - key: zone
        pretty_name: Zone
      - key: nameServers
        pretty_name: Name Servers
      - key: registered
        pretty_name: Registered
      - key: lastLoadedAt
        pretty_name: Last Loaded At
      - key: whoisServer
        pretty_name: Whois Server
      - key: contactEmail
        pretty_name: Contact Email
      - key: admin
        pretty_name: Admin
      - key: expiresAt
        pretty_name: Expires At
      - key: registrar
        pretty_name: Registrar
      - key: tech
        pretty_name: Tech
      - key: registrant
        pretty_name: Registrant
# PassiveTotal v2: SSL certificate history, host components and trackers.
# Same auth/401 handling as the other PassiveTotal modules.
passivetotal_sslcert:
  name: PassiveTotal SSL Certificate History
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://api.passivetotal.org/v2/ssl-certificate/history'
      auth: passivetotal
      params:
        query: '{target}'
      method: get
      headers:
        Accept: application/json
      ignored_status_codes:
        - 401
    results:
      - key: results
        multi_match:
          keys:
            - key: sha1
              pretty_name: Sha1
            - key: firstSeen
              pretty_name: First Seen
            - key: ipAddresses
              pretty_name: Ip Addresses
            - key: lastSeen
              pretty_name: Last Seen
        pretty_name: Results

passivetotal_components:
  name: PassiveTotal Components
  default: false
  otypes:
    - fqdn
  json:
    request:
      url: 'https://api.passivetotal.org/v2/host-attributes/components'
      auth: passivetotal
      params:
        query: '{target}'
      method: get
      headers:
        Accept: application/json
      ignored_status_codes:
        - 401
    results:
      - key: results
        multi_match:
          keys:
            - key: category
              pretty_name: Category
            - key: hostname
              pretty_name: Hostname
            - key: lastSeen
              pretty_name: Last Seen
            - key: firstSeen
              pretty_name: First Seen
            - key: label
              pretty_name: Label
        pretty_name: Results

passivetotal_trackers:
  name: PassiveTotal Trackers
  default: false
  otypes:
    - fqdn
  json:
    request:
      url: 'https://api.passivetotal.org/v2/host-attributes/trackers'
      auth: passivetotal
      params:
        query: '{target}'
      method: get
      headers:
        Accept: application/json
      ignored_status_codes:
        - 401
    results:
      - key: results
        multi_match:
          keys:
            - key: hostname
              pretty_name: Hostname
            - key: attributeType
              pretty_name: Type
            - key: attributeValue
              pretty_name: Value
            - key: lastSeen
              pretty_name: Last Seen
            - key: firstSeen
              pretty_name: First Seen
        pretty_name: Results
# FraudGuard IP reputation; credentials come from the 'fraudguard' auth entry.
fraudguard:
  name: FraudGuard
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://api.fraudguard.io/ip/{target}'
      auth: fraudguard
    results:
      - key: isocode
        pretty_name: FraudGuard Country Code
      - key: country
        pretty_name: FraudGuard Country
      - key: state
        pretty_name: FraudGuard State
      - key: city
        pretty_name: FraudGuard City
      - key: discover_date
        pretty_name: FraudGuard Discovery Date
      - key: threat
        pretty_name: FraudGuard Threat Type
      - key: risk_level
        pretty_name: FraudGuard Risk Level
# Shodan host lookup. The 'key' query parameter (API key) is left empty for
# the operator to fill in; do not commit a real key here.
shodan:
  name: Shodan
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://api.shodan.io/shodan/host/{target}'
      params:
        key:
    results:
      - key: '@'
        multi_match:
          keys:
            - asn
            - org
            - city
            - region
            - country_code
            - postal_code
        pretty_name: Shodan Organization
      - key: hostnames
        match_all: true
        pretty_name: Shodan Hostnames
      - key: isp
        pretty_name: Shodan ISP
      - key: data
        multi_match:
          keys:
            - timestamp
            - transport
            - port
            - product
            - version
        pretty_name: Shodan Ports
      # SSL rows are emitted only for banners that carry the corresponding field.
      - key: data
        multi_match:
          keys:
            - transport
            - port
            - ssl.versions
          onlyif: ssl.versions
        pretty_name: Shodan SSL Versions
      - key: data
        multi_match:
          keys:
            - transport
            - port
            - ssl.cert.subject.CN
            - ssl.cert.fingerprint.sha256
          onlyif: ssl.cert.fingerprint.sha256
        pretty_name: Shodan SSL Certs
# ipinfo.io geolocation / organisation lookup (unauthenticated JSON).
ipinfoio:
  name: ipinfo.io
  default: false
  otypes:
    - ipv4
    - ipv6
  json:
    request:
      url: 'https://ipinfo.io/{target}'
      headers:
        Accept: application/json
    results:
      - key: hostname
        pretty_name: ipinfo.io hostname
      - key: city
        pretty_name: ipinfo.io city
      - key: region
        pretty_name: ipinfo.io region
      - key: country
        pretty_name: ipinfo.io country
      - key: loc
        pretty_name: ipinfo.io geolocation
      - key: org
        pretty_name: ipinfo.io organization
      - key: postal
        pretty_name: ipinfo.io postal code
# IBM X-Force Exchange malware report for an IP; credentials come from the
# 'xforce' auth entry.
xforce-malware:
  name: IBM XForce Malware Report
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://api.xforce.ibmcloud.com/ipr/malware/{target}'
      auth: xforce
    results:
      - key: type
        pretty_name: malware type
      - key: md5
        pretty_name: md5
      - key: domain
        pretty_name: domain name
      - key: firstseen
        pretty_name: first seen
      - key: lastseen
        pretty_name: last seen
# hackedip.com threat-list membership. The whole JSON response is reported as
# a list. NOTE(review): plain http — the queried IP is sent unencrypted.
hackedip:
  name: Hacked IP
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'http://www.hackedip.com/api.php?ip={target}'
    results:
      - key: '@'
        format: as_list
        pretty_name: Hacked IP Threat List
# OPSWAT MetaDefender hash report. The apikey header is left empty for the
# operator to fill in.
metadefender_hash:
  name: MetaDefender File Report
  default: false
  otypes:
    - hash
    - hash.sha1
    - hash.sha256
  json:
    request:
      url: 'https://api.metadefender.com/v2/hash/{target}'
      method: get
      headers:
        apikey:
    results:
      - key: scan_results.start_time
        pretty_name: Date submitted
      - key: scan_results.total_detected_avs
        pretty_name: Detected engines
      - key: scan_results.total_avs
        pretty_name: Total engines
      - key: scan_results.scan_details
        pretty_name: Scans
        multi_match:
          keys:
            - '@'
            - threat_found
          onlyif: scan_result_i
# misp:
# name: MISP
# default: true
# otypes:
# - ipv4
# - url
# - email
# - fqdn
# - hash
# - hash.sha1
# - hash.sha256
# json:
# request:
# url: https://***YOUR_MISP_HERE***/events/restSearch/download/{target}/null/null/null/null/7
# method: get
# headers:
# Authorization: ***YOUR_APIKEY_HERE***
# results:
# - key: response
# pretty_name: MISP Events
# multi_match:
# keys:
# - Event.date
# - Event.id
# - Event.info
# GreyNoise enterprise context for an IP. The 'key' header is left empty for
# the operator to fill in.
greynoise:
  name: GreyNoise
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://enterprise.api.greynoise.io/v2/noise/context/{target}'
      headers:
        key:
    results:
      - key: seen
        pretty_name: GreyNoise Known Scanner
      - key: actor
        pretty_name: GreyNoise Actor
      - key: tags
        pretty_name: GreyNoise Reason
      - key: metadata.category
        pretty_name: GreyNoise Category
      - key: first_seen
        pretty_name: GreyNoise First Seen
      - key: last_seen
        pretty_name: GreyNoise Last Seen
      - key: raw_data.web.useragents
        pretty_name: GreyNoise User-agent
      - key: raw_data.scan
        multi_match:
          keys:
            - port
            - protocol
        pretty_name: GreyNoise Observations
# MAC OUI vendor lookup; the response body is plain text, captured whole.
macvendors:
  name: MACVendors
  default: true
  otypes:
    - mac
  webscraper:
    request:
      url: 'https://api.macvendors.com/{target}'
      method: get
    results:
      - regex: '(.+)'
        values:
          - vendor
        pretty_name: Mac Address Vendor