Class: Shadowserver::Malware

Defined in:
lib/shadowserver/malware.rb


Class Method Details

._get(url) ⇒ Object



# File 'lib/shadowserver/malware.rb', line 58

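# Fetch +url+ with a GET request and return the raw response body.
#
# @param url [String] absolute http(s) URL, query string optional
# @return [String] response body, returned verbatim regardless of HTTP status
#   (callers inspect the body for the service's "!"-prefixed messages)
# @raise [URI::InvalidURIError] if +url+ does not parse
# @raise [OpenSSL::SSL::SSLError] if an https peer's certificate cannot be verified
def Malware::_get(url)
  uri = URI.parse(url)
  # request_uri yields "/path?query" and tolerates a missing query or empty path,
  # where path + "?" + query would raise on a URL without a query string.
  request = Net::HTTP::Get.new(uri.request_uri)
  request.add_field("User-Agent", "Ruby/#{RUBY_VERSION} shadowserver rubygem (https://github.com/chrislee35/shadowserver)")
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl = true
    # Verify the peer's certificate chain; without this, TLS gives confidentiality
    # against passive observers only and any presented certificate is accepted.
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.verify_depth = 5
  end
  # NOTE(review): non-2xx responses are not raised here; the body is handed back
  # unchanged and callers rely on its "!" prefix to detect service errors.
  http.request(request).body
end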

.avresult(hash) ⇒ Object



# File 'lib/shadowserver/malware.rb', line 37

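# Look up the per-vendor antivirus classifications recorded for a sample hash.
#
# @param hash [String] sample hash (md5/sha1) to query
# @return [Hash{String => String}, nil] vendor name => classification, or nil
#   when the service answers with a "! The Shadowserver Foundation:" message
# @raise [RuntimeError] with the service's message when access is restricted
def Malware::avresult(hash)
  # Encode the caller-supplied value so it cannot inject additional query parameters.
  # NOTE(review): this endpoint is fetched over plain HTTP while download uses HTTPS
  # on the same host, so the queried hash travels in cleartext.
  doc = _get("http://innocuous.shadowserver.org/api/?avresult=#{URI.encode_www_form_component(hash)}")
  raise doc.chomp if doc =~ /\! The Shadowserver Foundation:  RESTRICTED ACCESS/
  return nil if doc =~ /^\! The Shadowserver Foundation:/
  results = {}
  doc.split(/\n/).each do |line|
    next if line =~ /^"name","classification"/  # CSV header row
    next if line.empty?                          # a blank line would otherwise become a nil key
    # Split on the first comma only; the classification text may itself contain commas.
    name, classification = line.gsub(/"/, '').split(/,/, 2)
    results[name] = classification
  end
  results
end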

.download(hash, filename = nil) ⇒ Object



# File 'lib/shadowserver/malware.rb', line 25

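# Download the sample identified by +hash+, optionally saving it to disk.
#
# @param hash [String] sample hash to download
# @param filename [String, nil] path to write the sample to; nothing is written when nil
# @return [String, nil] the raw sample bytes, or nil when the service answers with
#   a "! The Shadowserver Foundation:" message
# @raise [RuntimeError] with the service's message when access is restricted
# @raise [SystemCallError] if +filename+ cannot be written
def Malware::download(hash, filename = nil)
  # Encode the caller-supplied value so it cannot inject additional query parameters.
  doc = _get("https://innocuous.shadowserver.org/api/?download=#{URI.encode_www_form_component(hash)}")
  raise doc.chomp if doc =~ /\! The Shadowserver Foundation:  RESTRICTED ACCESS/
  return nil if doc =~ /^\! The Shadowserver Foundation:/
  # Binary mode: the body is an arbitrary sample, so no newline or encoding
  # conversion may be applied on the way to disk.
  File.binwrite(filename, doc) if filename
  doc
end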

.query(hash) ⇒ Object



# File 'lib/shadowserver/malware.rb', line 8

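# Query the metadata and antivirus results recorded for a sample hash.
#
# The service answers with two lines: a quoted CSV record
# (md5, sha1, first_seen, last_seen, filetype, ssdeep) followed by a JSON
# object of antivirus results.
#
# @param hash [String] sample hash to query
# @return [Hash, nil] string-keyed hash of the six metadata fields plus
#   "avresults", or nil when the service answers with a "!"-prefixed message
#   or an empty body
# @raise [RuntimeError] if the response does not contain both expected lines
# @raise [JSON::ParserError] if the second line is not valid JSON
def Malware::query(hash)
  # Encode the caller-supplied value so it cannot inject additional query parameters.
  doc = _get("http://innocuous.shadowserver.org/api/?query=#{URI.encode_www_form_component(hash)}")
  return nil if doc =~ /^\!/
  lines = doc.split(/\n/)
  # An empty body yields no lines; treat it as "no result" rather than failing on lines[0].
  return nil if lines.empty?
  # Without the second line JSON.parse would be handed nil and fail with an unrelated TypeError.
  raise "unexpected query response (expected a metadata line and a JSON line): #{doc.inspect}" if lines.size < 2
  md5, sha1, first_seen, last_seen, filetype, ssdeep = lines[0].gsub(/\"/, '').split(/,/)
  avresults = JSON.parse(lines[1])
  {
    "md5" => md5,
    "sha1" => sha1,
    "first_seen" => first_seen,
    "last_seen" => last_seen,
    "filetype" => filetype,
    "ssdeep" => ssdeep,
    "avresults" => avresults
  }
end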

.ssdeep(hash) ⇒ Object



# File 'lib/shadowserver/malware.rb', line 50

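# Look up samples matching an ssdeep fuzzy hash.
#
# @param hash [String] ssdeep hash to query
# @return [Array<String>, nil] the response split into lines, or nil when the
#   service answers with a "! The Shadowserver Foundation:" message
# @raise [RuntimeError] with the service's message when access is restricted
def Malware::ssdeep(hash)
  # Encode the caller-supplied value: ssdeep hashes contain ':' and '+' and may
  # contain '/', all of which are significant in a URL query if sent raw.
  doc = _get("http://innocuous.shadowserver.org/api/?ssdeep=#{URI.encode_www_form_component(hash)}")
  raise doc.chomp if doc =~ /\! The Shadowserver Foundation:  RESTRICTED ACCESS/
  return nil if doc =~ /^\! The Shadowserver Foundation:/
  doc.split(/\n/)
end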