Catalyst / admin/SAynapse-Horizon 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / SAynapse-Horizon

public

Self Hosted Cyber Threat Intelligence Hub

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
SAynapse-Horizon / Synapse-Horizon-v2 / backend / src / sources / blocklistde.js 1970 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
import { makeIoc, fetchWithTimeout, ok, SEVERITY } from '../normalize.js'

// Blocklist.de — public plain-text lists of reported attack sources (no auth).
// We pull a few category lists so each IOC carries a real attack label.
const LISTS = [
  { url: 'https://lists.blocklist.de/lists/ssh.txt', attack: 'SSH brute-force' },
  { url: 'https://lists.blocklist.de/lists/mail.txt', attack: 'mail-server abuse' },
  { url: 'https://lists.blocklist.de/lists/bruteforcelogin.txt', attack: 'web login brute-force' },
]
const PER_LIST = 8
const IP_RE = /^(?:\d{1,3}\.){3}\d{1,3}$/

export const meta = { key: 'blocklistde', requiresKey: false }

export function configured() {
  return true
}

export async function fetchSource() {
  const iocs = []

  for (const { url, attack } of LISTS) {
    try {
      const res = await fetchWithTimeout(url)
      const text = await res.text()
      const ips = text
        .split('\n')
        .map((l) => l.trim())
        .filter((l) => IP_RE.test(l))
        .slice(0, PER_LIST)

      for (const ip of ips) {
        iocs.push(
          makeIoc('blocklistde', {
            detectedAt: new Date().toISOString(), // list entries are not per-line timestamped
            severity: SEVERITY.LOW,
            category: 'Attack Source',
            indicator: ip,
            indicatorType: 'ip',
            target: attack,
            confidence: 55,
            mitre: [{ id: 'T1110.001', name: 'Brute Force: Password Guessing' }],
            headline: `Attack Source: Host ${ip} reported for ${attack} activity by Blocklist.de`,
            raw: { ip, list: url, category: attack },
            stix: {
              type: 'indicator',
              pattern: `[ipv4-addr:value = '${ip}']`,
              pattern_type: 'stix',
              labels: ['anomalous-activity'],
            },
          })
        )
      }
    } catch {
      // A single list failing should not sink the whole source.
    }
  }

  return ok(iocs)
}