Merge branch 'sp-dev'

* sp-dev:
  add sample output of intelmq

Author: mhtsai1010

Abuse.ch/Feodo_Botnet.md

@@ -4,11 +4,11 @@ A swiss guy fighting Cybercrime.
 
 ### Feodo Botnet
 
-Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud 
-and steal sensitive information from the victims computer, 
-such as credit card details or credentials. 
+Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud
+and steal sensitive information from the victims computer,
+such as credit card details or credentials.
 
-At the moment, Feodo Tracker is tracking four versions of Feodo, 
+At the moment, Feodo Tracker is tracking four versions of Feodo,
 and they are labeled by Feodo Tracker as:
 
 * Version A: Hosted on compromised webservers running an nginx proxy on port
@@ -26,7 +26,7 @@ and they are labeled by Feodo Tracker as:
 * Version D: Successor of Cridex. This version is also known as Dridex
 
 #### Domain Name
-> 
+>
 * Website
  - `https://feodotracker.abuse.ch/`
 * Source
@@ -42,7 +42,7 @@ and they are labeled by Feodo Tracker as:
 * Comments
  - No present data.
 
-#### Sample Output of IntelMQ
+##### Sample Output of IntelMQ
 
 ```javascript
 {
@@ -51,7 +51,7 @@ and they are labeled by Feodo Tracker as:
 ```
 
 #### IP Address
-> 
+>
 * Website
  - `https://feodotracker.abuse.ch/`
 * Source
@@ -67,9 +67,29 @@ and they are labeled by Feodo Tracker as:
 * Comments
  - No comment
 
+##### Sample Output of IntelMQ
+
 ```javascript
 {
-  null
+  "malware": {
+    "name": "cridex"
+  },
+  "classification": {
+    "type": "c&c"
+  },
+  "time": {
+    "source": "2016-07-07T07:58:29+00:00",
+    "observation": "2016-07-07T07:58:29+00:00"
+  },
+  "raw": "MS4xNzguMTc5LjIxNw==",
+  "feed": {
+    "url": "https:\/\/feodotracker.abuse.ch\/blocklist\/?download=ipblocklist",
+    "accuracy": 100,
+    "name": "Abuse.ch"
+  },
+  "source": {
+    "ip": "1.178.179.217"
+  }
 }
 ```
 
@@ -97,7 +117,7 @@ But there's more information in https://feodotracker.abuse.ch/?sort=lastseen :
 * Version of Feodo
 * Feodo C&C (IP)
 * Status
-* SBL (Spamhaus Block List) 
-* ASN 
-* Country 
+* SBL (Spamhaus Block List)
+* ASN
+* Country
 * Lastseen (UTC)

Abuse.ch/Palevo_Worm.md

@@ -29,6 +29,32 @@ readme [file][1].
 * Comments
  - Palevo Tracker has been discontinued.
 
+##### Sample Output of IntelMQ
+
+```javascript
+{
+  "raw": "YXJ0YS5yb21haWwzYXJuZXN0LmluZm8=",
+  "classification": {
+    "type": "c&c"
+  },
+  "source": {
+    "fqdn": "arta.romail3arnest.info"
+  },
+  "time": {
+    "observation": "2016-07-07T08:09:47+00:00"
+  },
+  "feed": {
+    "url": "https:\/\/palevotracker.abuse.ch\/blocklists.php?download=domainblocklist",
+    "name": "Abuse.ch",
+    "accuracy": 100
+  },
+  "malware": {
+    "name": "palevo"
+  }
+}
+
+```
+
 #### IP Address
 >
 * Website
@@ -45,3 +71,33 @@ readme [file][1].
  - Ok
 * Comments
  - Palevo Tracker has been discontinued.
+
+##### Sample Output of IntelMQ
+
+```javascript
+{
+  "malware": {
+    "name": "palevo"
+  },
+  "source": {
+    "ip": "103.51.144.193"
+  },
+  "time": {
+    "observation": "2016-07-07T08:11:44+00:00"
+  },
+  "raw": "MTAzLjUxLjE0NC4xOTM=",
+  "classification": {
+    "type": "c&c"
+  },
+  "feed": {
+    "accuracy": 100,
+    "url": "https:\/\/palevotracker.abuse.ch\/blocklists.php?download=ipblocklist",
+    "name": "Abuse.ch"
+  }
+}
+```
+
+----
+
+This project is not continued. We plan to remove this intelligence feed in the
+future.

Abuse.ch/Zeus_Botnet.md

@@ -14,7 +14,7 @@ The crimeware kit contains the following modules:
 * A web interface to administrate and control the botnet (ZeuS Admin Panel)
 * A tool to create the trojan binaries and encrypt the config file (called exe
 builder)
- 
+
 Normaly, a ZeuS host consists of three componets / URIs:
 * a config file (mostly with filextension \*.bin)
 * a binary file which contains the newest version of the ZeuS trojan
@@ -62,6 +62,31 @@ public tool available.
 * Comments
  - No comment
 
+##### Sample Output of IntelMQ
+
+```javascript
+{
+  "time": {
+    "observation": "2016-07-07T08:13:55+00:00"
+  },
+  "classification": {
+    "type": "c&c"
+  },
+  "feed": {
+    "name": "Abuse.ch",
+    "accuracy": 100,
+    "url": "https:\/\/zeustracker.abuse.ch\/blocklist.php?download=baddomains"
+  },
+  "malware": {
+    "name": "zeus"
+  },
+  "raw": "MHgueC5nZw==",
+  "source": {
+    "fqdn": "0x.x.gg"
+  }
+}
+```
+
 #### IP Address
 >
 * Website
@@ -79,6 +104,33 @@ public tool available.
 * Comments
  - No comment
 
+##### Sample Output of IntelMQ
+
+```javascript
+{
+  "malware": {
+    "name": "zeus"
+  },
+  "raw": "MTAxLjAuODkuMw==",
+  "source": {
+    "ip": "101.0.89.3"
+  },
+  "classification": {
+    "type": "c&c"
+  },
+  "time": {
+    "observation": "2016-07-07T08:16:17+00:00"
+  },
+  "feed": {
+    "name": "Abuse.ch",
+    "accuracy": 100,
+    "url": "https:\/\/zeustracker.abuse.ch\/blocklist.php?download=badips"
+  }
+}
+```
+
+----
+
 There's only Domain information in  in https://zeustracker.abuse.ch/blocklist.php?download=baddomains. It looks like:
 
     ############################################################################

AlienVault/Malicious_Activities.md

@@ -26,6 +26,16 @@ Alienvault IP Reputation Database
 * Comments
  - No comment
 
+##### Sample Output of IntelMQ
+
+```javascript
+{
+  null
+}
+```
+
+----
+
 There's not only IP information in https://reputation.alienvault.com/reputation.data
 It looks like:
 

AlienVaultOTX/Malicious_Activities.md

@@ -25,3 +25,27 @@ campaigns, and even state sponsored hacking.
  - Ok
 * Comments
  - No API KEY
+
+##### Sample Output of IntelMQ
+
+```javascript
+{
+  "raw": "eyJfaWQiOiAiNTc3MzAwODY3NjFiODIwMTNhYjc4MjkzIiwgImNyZWF0ZWQiOiAiMjAxNi0wNi0yOFQyMjo1NjowNi4zNjUiLCAiZGVzY3JpcHRpb24iOiAiIiwgImluZGljYXRvciI6ICJib3g0MDg0Lm5ldCIsICJ0eXBlIjogImRvbWFpbiJ9",
+  "time": {
+    "source": "2016-06-28T22:56:06+00:00",
+    "observation": "2016-07-07T08:27:18+00:00"
+  },
+  "feed": {
+    "name": "AlienVault OTX",
+    "accuracy": 100
+  },
+  "classification": {
+    "type": "blacklist"
+  },
+  "extra": "{\"author\": \"AlienVault\", \"pulse\": \"Prince of Persia \\u2013 Game Over\"}",
+  "comment": "Unit 42 published a blog at the beginning of May titled \u201cPrince of Persia,\u201d in which we described the discovery of a decade-long campaign using a formerly unknown malware family, Infy, that targeted government and industry interests worldwide.\nSubsequent to the publishing of this article, through cooperation with the parties responsible for the C2 domains, Unit 42 researchers successfully gained control of multiple C2 domains. This disabled the attacker\u2019s access to their victims in this campaign, provided further insight into the targets currently victimized in this operation, and enabled the notification of affected parties.",
+  "source": {
+    "fqdn": "box4084.net"
+  }
+}
+```

ArborNetworks/Distributed_SSH_Brute_Force_Attacks.md

@@ -24,3 +24,11 @@ Unknown
  - Error
 * Comments
  - 403 Forbidden
+
+##### Sample Output of IntelMQ
+
+```javascript
+{
+  null
+}
+```

Autoshun.org/Malicious_Activities.md

@@ -24,3 +24,11 @@ IPs to prevent users from accidentally crushing their firewall.
  - Error
 * Comments
  - URL Changed
+
+##### Sample Output of IntelMQ
+
+```javascript
+{
+  null
+}
+```

Bitsight/Malicious_Activities.md

@@ -23,3 +23,11 @@ Unknown
  - Error
 * Comments
  - No API Key
+
+##### Sample Output of IntelMQ
+
+```javascript
+{
+  null
+}
+```

Blocklist.de/Attacks_on_the_service_Apache.md

@@ -2,10 +2,10 @@
 
 www.blocklist.de is a free and voluntary service provided by a
 Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-,
-FTP-, Webserver- and other services. 
+FTP-, Webserver- and other services.
 The mission is to report any and all attacks to the respective abuse departments
 of the infected PCs/servers, to ensure that the responsible provider can inform
-their customer about the infection and disable the attacker. 
+their customer about the infection and disable the attacker.
 
 ### Attacks on the service Apache
 
@@ -29,6 +29,36 @@ attacks on the service Apache, Apache-DDOS, RFI-Attacks.
 * Comments
  - No comment
 
+##### Sample Output of IntelMQ
+
+```javascript
+{
+  "source": {
+    "ip": "1.34.139.38"
+  },
+  "time": {
+    "observation": "2016-07-07T08:46:43+00:00"
+  },
+  "event_description": {
+    "text": "IP reported as having run attacks on the service Apache, Apache-DDoS, RFI-Attacks"
+  },
+  "classification": {
+    "type": "ids alert"
+  },
+  "raw": "MS4zNC4xMzkuMzg=",
+  "feed": {
+    "name": "BlockList.de",
+    "accuracy": 100,
+    "url": "https:\/\/lists.blocklist.de\/lists\/apache.txt"
+  },
+  "protocol": {
+    "application": "http"
+  }
+}
+```
+
+----
+
 There's only IP information in https://lists.blocklist.de/lists/apache.txt
 It looks like: