Class: Shadowserver::Malware

Inherits:
Object
  • Object
Defined in:
lib/shadowserver/malware.rb


Class Method Details

._get(url) ⇒ Object



# File 'lib/shadowserver/malware.rb', line 58

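# Performs a plain GET against +url+ and returns the raw response body.
#
# @param url [String] absolute http(s) URL, query string optional
# @return [String, nil] the response body as returned by Net::HTTP (no
#   status check is performed; callers inspect the body for the "!"-prefixed
#   error banners the Shadowserver API emits)
# @raise [URI::InvalidURIError] if +url+ cannot be parsed
# @raise [OpenSSL::SSL::SSLError] if an https peer presents a certificate that
#   does not verify against the system CA store
def Malware::_get(url)
	uri = URI.parse(url)
	# request_uri yields "/path?query" or just "/path"; the former
	# path + "?" + query raised TypeError for URLs without a query string.
	request = Net::HTTP::Get.new(uri.request_uri)
	request.add_field("User-Agent", "Ruby/#{RUBY_VERSION} shadowserver rubygem (https://github.com/chrislee35/shadowserver)")
	http = Net::HTTP.new(uri.host, uri.port)
	if uri.scheme == 'https'
		http.use_ssl = true
		# Verify the server certificate. The previous VERIFY_NONE made TLS
		# purely cosmetic: any on-path attacker could have served forged AV
		# verdicts or a substituted "sample" to the analyst.
		http.verify_mode = OpenSSL::SSL::VERIFY_PEER
		http.verify_depth = 5
	end
	resp = http.request(request)
	resp.body
end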

.avresult(hash) ⇒ Object



# File 'lib/shadowserver/malware.rb', line 37

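# Looks up the per-engine antivirus classifications recorded for a sample.
#
# @param hash [String] sample hash as accepted by the Shadowserver
#   "avresult" endpoint (presumably MD5 or SHA-1; not validated here)
# @return [Hash{String=>String}, nil] engine name => classification, or nil
#   when the API answers with a "! The Shadowserver Foundation:" banner
#   other than the access-denied one
# @raise [RuntimeError] with the API's own text when access is restricted
def Malware::avresult(hash)
	# Encode the caller-supplied value: unencoded, a value such as
	# "x&download=y" would smuggle extra parameters into the request.
	# https matches the download endpoint on the same host, so hash
	# lookups are no longer sent in the clear.
	doc = _get("https://innocuous.shadowserver.org/api/?avresult=#{URI.encode_www_form_component(hash)}")
	raise doc.chomp if doc =~ /\! The Shadowserver Foundation:  RESTRICTED ACCESS/
	return nil if doc =~ /^\! The Shadowserver Foundation:/
	results = {}
	doc.split(/\n/).each do |l|
		# Skip the CSV header and any blank line (a blank line used to
		# produce a "" => nil entry).
		next if l.empty? || l =~ /^"name","classification"/
		name, classification = l.gsub(/"/,'').split(/,/,2)
		results[name] = classification
	end
	results
end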

.download(hash, filename = nil) ⇒ Object



# File 'lib/shadowserver/malware.rb', line 25

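# Fetches the raw sample identified by +hash+ and optionally writes it to disk.
#
# The body is live malware. Callers are responsible for choosing a
# quarantined, non-executable location for +filename+; this method does no
# path checking of its own.
#
# @param hash [String] sample hash as accepted by the "download" endpoint
# @param filename [String, nil] path to write the sample to; nothing is
#   written when nil
# @return [String, nil] the sample bytes, or nil when the API answers with a
#   "! The Shadowserver Foundation:" banner other than the access-denied one
# @raise [RuntimeError] with the API's own text when access is restricted
def Malware::download(hash,filename=nil)
	# Encode the caller-supplied value so it cannot inject extra query
	# parameters into the request URL.
	doc = _get("https://innocuous.shadowserver.org/api/?download=#{URI.encode_www_form_component(hash)}")
	raise doc.chomp if doc =~ /\! The Shadowserver Foundation:  RESTRICTED ACCESS/
	return nil if doc =~ /^\! The Shadowserver Foundation:/
	if filename
		# "wb": the sample is binary; text mode ("w") would rewrite line
		# endings on Windows and corrupt the file (and its hash).
		File.open(filename, "wb") do |f|
			f.write(doc)
		end
	end
	doc
end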

.query(hash) ⇒ Object



# File 'lib/shadowserver/malware.rb', line 8

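# Queries the sample metadata record for +hash+.
#
# The API answers with two lines: a quoted CSV summary
# (md5, sha1, first_seen, last_seen, filetype, ssdeep) followed by a JSON
# object of antivirus results.
#
# @param hash [String] sample hash as accepted by the "query" endpoint
# @return [Hash, nil] the parsed record with string keys "md5", "sha1",
#   "first_seen", "last_seen", "filetype", "ssdeep" and "avresults"; nil when
#   the API answers with a "!"-prefixed banner or with fewer than two lines
# @raise [RuntimeError] with the API's own text when access is restricted
#   (matches the behaviour of the other lookup methods in this class)
# @raise [JSON::ParserError] if the second line is not valid JSON
def Malware::query(hash)
	# Encode the caller-supplied value so it cannot inject extra query
	# parameters; https keeps the looked-up hashes off the wire in clear text.
	doc = _get("https://innocuous.shadowserver.org/api/?query=#{URI.encode_www_form_component(hash)}")
	raise doc.chomp if doc =~ /\! The Shadowserver Foundation:  RESTRICTED ACCESS/
	return nil if doc =~ /^\!/
	lines = doc.split(/\n/)
	# A truncated or empty reply used to raise NoMethodError on lines[0]
	# or TypeError from JSON.parse(nil); treat it as "no record".
	return nil if lines.size < 2
	md5, sha1, first_seen, last_seen, filetype, ssdeep = lines[0].gsub(/\"/,'').split(/,/)
	avresults = JSON.parse(lines[1])
	{
		"md5" => md5,
		"sha1" => sha1,
		"first_seen" => first_seen,
		"last_seen" => last_seen,
		"filetype" => filetype,
		"ssdeep" => ssdeep,
		"avresults" => avresults
	}
end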

.ssdeep(hash) ⇒ Object



# File 'lib/shadowserver/malware.rb', line 50

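# Searches for samples similar to the given ssdeep fuzzy hash.
#
# @param hash [String] an ssdeep hash (contains ':', '/' and '+', all of
#   which are URL-encoded before being placed in the request)
# @return [Array<String>, nil] the response split into lines, or nil when the
#   API answers with a "! The Shadowserver Foundation:" banner other than the
#   access-denied one
# @raise [RuntimeError] with the API's own text when access is restricted
def Malware::ssdeep(hash)
	# ssdeep hashes carry reserved URL characters; encoding also prevents a
	# caller-supplied value from injecting additional query parameters.
	doc = _get("https://innocuous.shadowserver.org/api/?ssdeep=#{URI.encode_www_form_component(hash)}")
	raise doc.chomp if doc =~ /\! The Shadowserver Foundation:  RESTRICTED ACCESS/
	return nil if doc =~ /^\! The Shadowserver Foundation:/
	doc.split(/\n/)
end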