Class: Shadowserver::Malware
- Inherits: Object
- Object
- Shadowserver::Malware
- Defined in:
- lib/shadowserver/malware.rb
Class Method Summary
- ._get(url) ⇒ Object
- .avresult(hash) ⇒ Object
- .download(hash, filename = nil) ⇒ Object
- .query(hash) ⇒ Object
- .ssdeep(hash) ⇒ Object
Class Method Details
._get(url) ⇒ Object
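# Perform an HTTP(S) GET against the Shadowserver API and return the raw body.
#
# The HTTP status code is not inspected; the API reports errors as
# "! The Shadowserver Foundation: ..." text in the body, which callers check.
#
# @param url [String] absolute URL, normally already carrying its query string
# @return [String] the response body ("" if the server sent none)
# @raise [OpenSSL::SSL::SSLError] when an https server's certificate does not
#   validate against the system CA store
def Malware::_get(url)
  uri = URI.parse(url)
  # request_uri already includes "?query" when present; the old
  # path + "?" + query form raised TypeError for a URL without a query.
  request = Net::HTTP::Get.new(uri.request_uri)
  request.add_field("User-Agent", "Ruby/#{RUBY_VERSION} shadowserver rubygem (https://github.com/chrislee35/shadowserver)")
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl = true
    # Verify the server certificate. The previous VERIFY_NONE accepted any
    # certificate, so anyone on the network path could intercept hash lookups
    # or hand back a substituted sample over a connection that looked like TLS.
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.verify_depth = 5
  end
  resp = http.request(request)
  # Net::HTTP returns nil for body-less responses; callers run regexes and
  # split on the result, so normalise to a String.
  resp.body.to_s
end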
.avresult(hash) ⇒ Object
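# Fetch per-engine anti-virus verdicts for a sample.
#
# @param hash [String] MD5 or SHA1 digest of the sample
# @return [Hash{String => String}, nil] engine name => classification, or nil
#   when the API answers with a "! The Shadowserver Foundation:" status line
#   (e.g. unknown hash)
# @raise [RuntimeError] with the server's message when access is restricted
def Malware::avresult(hash)
  # Percent-encode the caller-supplied value so it cannot smuggle extra
  # query parameters (e.g. "abc&download=...") into the request. For a
  # well-formed hex digest this is a no-op.
  hash = URI.encode_www_form_component(hash.to_s)
  # NOTE(review): plain HTTP. The hash looked up and the verdict returned are
  # observable and alterable in transit; `download` already uses https on the
  # same host, so confirm this endpoint does too and switch the scheme.
  doc = _get("http://innocuous.shadowserver.org/api/?avresult=#{hash}")
  raise doc.chomp if doc =~ /\! The Shadowserver Foundation: RESTRICTED ACCESS/
  return nil if doc =~ /^\! The Shadowserver Foundation:/
  results = {}
  doc.split(/\n/).each do |l|
    next if l =~ /^"name","classification"/ # CSV header row
    # Split at the first comma only so anything after it stays in the classification.
    name, classification = l.gsub(/"/, '').split(/,/, 2)
    results[name] = classification
  end
  results
end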
.download(hash, filename = nil) ⇒ Object
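# Download a sample by hash, optionally writing it to disk.
#
# The returned/written bytes are live malware: handle the file accordingly
# (isolated directory, no execute bit, no automatic opening by other tools).
#
# @param hash [String] MD5 or SHA1 digest of the sample
# @param filename [String, nil] path to write the raw bytes to; nothing is
#   written when nil
# @return [String, nil] the sample bytes, or nil when the API answers with a
#   "! The Shadowserver Foundation:" status line (e.g. unknown hash)
# @raise [RuntimeError] with the server's message when access is restricted
def Malware::download(hash, filename = nil)
  # Percent-encode the caller-supplied value so it cannot smuggle extra
  # query parameters into the request; a well-formed hex digest is unchanged.
  hash = URI.encode_www_form_component(hash.to_s)
  doc = _get("https://innocuous.shadowserver.org/api/?download=#{hash}")
  raise doc.chomp if doc =~ /\! The Shadowserver Foundation: RESTRICTED ACCESS/
  return nil if doc =~ /^\! The Shadowserver Foundation:/
  # NOTE(review): the body is not checked against `hash`. If the API returns
  # the raw sample, comparing Digest::MD5/SHA1.hexdigest(doc) with the requested
  # digest here would catch a truncated or substituted download — confirm the
  # response format (raw vs. archived) before adding that check.
  if filename
    # Binary mode: text-mode "w" would newline-translate the sample on Windows.
    File.binwrite(filename, doc)
  end
  doc
end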
.query(hash) ⇒ Object
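# Look up a sample by hash and return its metadata plus AV verdicts.
#
# Expects a two-line body: a double-quoted CSV record
# (md5,sha1,first_seen,last_seen,filetype,ssdeep) followed by a JSON object
# of AV results. A body that does not match raises (NoMethodError /
# JSON::ParserError) rather than returning partial data.
#
# @param hash [String] MD5 or SHA1 digest of the sample
# @return [Hash, nil] keys "md5", "sha1", "first_seen", "last_seen",
#   "filetype", "ssdeep" and "avresults" (parsed JSON), or nil when the API
#   answers with a "!"-prefixed status message (e.g. unknown hash)
def Malware::query(hash)
  # Percent-encode the caller-supplied value so it cannot smuggle extra
  # query parameters (e.g. "abc&download=...") into the request. For a
  # well-formed hex digest this is a no-op.
  hash = URI.encode_www_form_component(hash.to_s)
  # NOTE(review): plain HTTP. The hash looked up and the verdict returned are
  # observable and alterable in transit; `download` already uses https on the
  # same host, so confirm this endpoint does too and switch the scheme.
  doc = _get("http://innocuous.shadowserver.org/api/?query=#{hash}")
  return nil if doc =~ /^\!/
  lines = doc.split(/\n/)
  md5, sha1, first_seen, last_seen, filetype, ssdeep = lines[0].gsub(/\"/, '').split(/,/)
  avresults = JSON.parse(lines[1])
  {
    "md5" => md5,
    "sha1" => sha1,
    "first_seen" => first_seen,
    "last_seen" => last_seen,
    "filetype" => filetype,
    "ssdeep" => ssdeep,
    "avresults" => avresults
  }
end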
.ssdeep(hash) ⇒ Object
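# Find samples similar to the given ssdeep (fuzzy) hash.
#
# @param hash [String] ssdeep hash, e.g. "3:abc:def"
# @return [Array<String>, nil] the response body split into lines, or nil
#   when the API answers with a "! The Shadowserver Foundation:" status line
# @raise [RuntimeError] with the server's message when access is restricted
def Malware::ssdeep(hash)
  # Percent-encode the value. ssdeep hashes contain ':', '+' and '/', and an
  # unencoded '+' in a query string is decoded as a space by the server, so
  # the raw interpolation the code used before could silently alter the hash;
  # encoding also stops '&' from injecting extra query parameters.
  hash = URI.encode_www_form_component(hash.to_s)
  # NOTE(review): plain HTTP. The hash looked up and the result are observable
  # and alterable in transit; `download` already uses https on the same host,
  # so confirm this endpoint does too and switch the scheme.
  doc = _get("http://innocuous.shadowserver.org/api/?ssdeep=#{hash}")
  raise doc.chomp if doc =~ /\! The Shadowserver Foundation: RESTRICTED ACCESS/
  return nil if doc =~ /^\! The Shadowserver Foundation:/
  doc.split(/\n/)
end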