admin / SAynapse-Horizon
publicSelf Hosted Cyber Threat Intelligence Hub
SAynapse-Horizon / Synapse-Horizon-v2 / backend / src / sources / blocklistde.js
1970 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 | import { makeIoc, fetchWithTimeout, ok, SEVERITY } from '../normalize.js' // Blocklist.de — public plain-text lists of reported attack sources (no auth). // We pull a few category lists so each IOC carries a real attack label. const LISTS = [ { url: 'https://lists.blocklist.de/lists/ssh.txt', attack: 'SSH brute-force' }, { url: 'https://lists.blocklist.de/lists/mail.txt', attack: 'mail-server abuse' }, { url: 'https://lists.blocklist.de/lists/bruteforcelogin.txt', attack: 'web login brute-force' }, ] const PER_LIST = 8 const IP_RE = /^(?:\d{1,3}\.){3}\d{1,3}$/ export const meta = { key: 'blocklistde', requiresKey: false } export function configured() { return true } export async function fetchSource() { const iocs = [] for (const { url, attack } of LISTS) { try { const res = await fetchWithTimeout(url) const text = await res.text() const ips = text .split('\n') .map((l) => l.trim()) .filter((l) => IP_RE.test(l)) .slice(0, PER_LIST) for (const ip of ips) { iocs.push( makeIoc('blocklistde', { detectedAt: new Date().toISOString(), // list entries are not per-line timestamped severity: SEVERITY.LOW, category: 'Attack Source', indicator: ip, indicatorType: 'ip', target: attack, confidence: 55, mitre: [{ id: 'T1110.001', name: 'Brute Force: Password Guessing' }], headline: `Attack Source: Host ${ip} reported for ${attack} activity by Blocklist.de`, raw: { ip, list: url, category: attack }, stix: { type: 'indicator', pattern: `[ipv4-addr:value = '${ip}']`, pattern_type: 'stix', labels: ['anomalous-activity'], }, }) ) } } catch { // A single list failing should not sink the whole source. } } return ok(iocs) } |