admin / SAynapse-Horizon
publicSelf Hosted Cyber Threat Intelligence Hub
SAynapse-Horizon / Synapse-Horizon-v2 / backend / src / sources / urlhaus.js
1981 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 | import { makeIoc, fetchWithTimeout, ok, unconfigured, SEVERITY } from '../normalize.js' // URLhaus (abuse.ch) — recent malware-distribution URLs. // abuse.ch requires an Auth-Key header on all feed/API access. const URL = 'https://urlhaus.abuse.ch/downloads/json_recent/' const LIMIT = 25 export const meta = { key: 'urlhaus', requiresKey: true } export function configured() { return Boolean(process.env.ABUSE_CH_AUTH_KEY) } export async function fetchSource() { const key = process.env.ABUSE_CH_AUTH_KEY if (!key) return unconfigured('Set ABUSE_CH_AUTH_KEY (free abuse.ch account) to enable URLhaus.') const res = await fetchWithTimeout(URL, { headers: { 'Auth-Key': key } }) const data = await res.json() // json_recent is an object keyed by id; each value is an array with one entry. const entries = Object.values(data || {}) .flat() .filter((e) => e && e.url) .sort((a, b) => new Date(b.date_added) - new Date(a.date_added)) .slice(0, LIMIT) const iocs = entries.map((e) => { const online = /online/i.test(e.url_status || '') const payload = (Array.isArray(e.tags) && e.tags[0]) || e.threat || 'malware' const defanged = String(e.url).replace(/^https?/i, (m) => m.replace('t', 'x')) return makeIoc('urlhaus', { detectedAt: e.date_added, severity: online ? SEVERITY.HIGH : SEVERITY.MEDIUM, category: 'Malware Distribution', indicator: defanged, indicatorType: 'url', target: payload, confidence: online ? 85 : 65, mitre: [ { id: 'T1105', name: 'Ingress Tool Transfer' }, { id: 'T1204.002', name: 'User Execution: Malicious File' }, ], headline: `Malware Distribution: Payload URL ${defanged} serving ${payload} flagged by URLhaus`, raw: e, stix: { type: 'indicator', pattern: `[url:value = '${e.url}']`, pattern_type: 'stix', labels: ['malicious-activity'], }, }) }) return ok(iocs) } |