MalPipe is a modular malware (and indicator) collection and processing framework. It is designed to pull malware, domains, URLs and IP addresses from multiple feeds, enrich the collected data and export the results.
At this time, the following feeds are supported:
+ VirusTotal (https://www.virustotal.com)
+ MalShare (https://malshare.com/)
+ BambenekFeeds (osint.bambenekconsulting.com/feeds/)
+ FeodoBlockList (https://feodotracker.abuse.ch)
+ Malc0deIPList (http://malc0de.com/)
+ NoThinkIPFeeds (www.nothink.org/)
+ OpenPhishURLs (https://openphish.com)
+ TorNodes (https://torstatus.blutmagie.de)
Requirements:
+ Python 2.7.x
Modules for MalPipe are located under malpipe/ by type:
An example configuration is provided in config_example.json with settings to get started. This file is a JSON object containing the required settings for each feed, processor and exporter.
Processors are used to enrich and standardize the collected data. For example, data from VirusTotal contains YARA results for each file collected, whereas MalShare data does not. By adding YaraScan to the PROCESSORS key, you can scan the collected files so that this data is included as well.
The final component is exporters, which control where the data goes. They can be used to export collected data to a malware repository, a SIEM or JSON log files, or to print it for the user.
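The feed, processor and exporter roles described above, as an added Python 3 sketch that is not MalPipe's own code: the feed records and the YARA scanner are constructed stand-ins, and the FEEDS and EXPORTERS config keys are assumed names alongside the PROCESSORS key mentioned in the text.

```python
import json

# Constructed sample records standing in for two feeds: the VirusTotal-style
# record already carries YARA results, the MalShare-style records do not.
SAMPLE_FEEDS = {
    "VirusTotal": [{"sha256": "11" * 32, "data": b"MZ\x90\x00", "yara": ["from_vt"]}],
    "MalShare":   [{"sha256": "22" * 32, "data": b"MZ\x90\x00"},
                   {"sha256": "33" * 32, "data": b"\x7fELF"}],
}

# Stand-in for a real YARA scan: a byte-prefix lookup, not yara-python.
STANDIN_RULES = {b"MZ": "is_pe", b"\x7fELF": "is_elf"}


def yara_scan(record):
    """Processor: add 'yara' results only where the feed did not supply them."""
    if "yara" not in record:
        record["yara"] = [name for prefix, name in STANDIN_RULES.items()
                          if record["data"].startswith(prefix)]
    return record


def json_log(records):
    """Exporter: one JSON line per record, file bytes replaced by their length."""
    return [json.dumps({k: (len(v) if isinstance(v, bytes) else v)
                        for k, v in r.items()}, sort_keys=True) for r in records]


PROCESSORS = {"YaraScan": yara_scan}
EXPORTERS = {"JSONLog": json_log}


def run_pipeline(config, feeds=SAMPLE_FEEDS):
    """Pull from each configured feed, apply processors in order, then export."""
    records = [dict(r) for name in config["FEEDS"] for r in feeds[name]]
    for name in config["PROCESSORS"]:
        records = [PROCESSORS[name](r) for r in records]
    return {name: EXPORTERS[name](records) for name in config["EXPORTERS"]}


if __name__ == "__main__":
    # Mirrors the shape of config.json; FEEDS and EXPORTERS are assumed key names.
    cfg = {"FEEDS": ["VirusTotal", "MalShare"],
           "PROCESSORS": ["YaraScan"], "EXPORTERS": ["JSONLog"]}
    for line in run_pipeline(cfg)["JSONLog"]:
        print(line)
```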
Use and Download:
git clone https://github.com/silascutler/MalPipe && cd MalPipe
pip install -r requirements.txt
Copy config_example.json to config.json, then edit it to insert your API key.