update configs (#435)

* update feodotracker config

rules/default/feodotracker.yml

@@ -4,21 +4,32 @@ defaults:
   altid_tlp: white
   altid: https://feodotracker.abuse.ch/host/<indicator>
   description: feodo
-  tags:
-    - feodo
-    - botnet
 
 feeds:
-  domains:
+  c2:
     confidence: 8
-    remote: https://feodotracker.abuse.ch/blocklist/?download=domainblocklist
-    pattern: ^(\S+)$
+    remote: https://feodotracker.abuse.ch/downloads/ipblocklist.csv
+    pattern: ^(\S+\s\S+),(\S+),(\S+),(\S+)$
     values:
+      - firsttime
       - indicator
+      - null
+      - null
+    defaults:
+      tags:
+        - feodo
+        - botnet
+        - c2
 
-  ips:
-    confidence: 6
-    remote: https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
-    pattern: ^(\S+)$
+  hashes:
+    confidence: 8
+    remote: https://feodotracker.abuse.ch/downloads/malware_hashes.csv
+    pattern: ^(\S+\s\S+),(\S+),(\S+)$
     values:
+      - firsttime
       - indicator
+      - null
+    defaults:
+      tags:
+        - feodo
+        - botnet

rules/default/sblam.yml

@@ -0,0 +1,14 @@
+defaults:
+  provider: sblam.com
+  confidence: 7
+  tlp: green
+  altid_tlp: white
+  tags:
+    - spam
+    - spammers
+feeds:
+  proxy:
+    remote: https://sblam.com/blacklist.txt
+    pattern: '^(\S+)$'
+    values:
+      - indicator

rules/default/urlhaus_abuse.ch.yml → rules/default/urlhaus_abuse_ch.yml

@@ -4,17 +4,18 @@ defaults:
   tlp: green
   altid_tlp: white
   confidence: 9
-  tags: malware
+  tags:
+    - malware
   application: https
   protocol: tcp
   values:
     - null
     - reporttime
     - indicator
     - null
-    - description
     - null
+    - description
     - null
 feeds:
   Malware:
-    remote: https://urlhaus.abuse.ch/downloads/csv/
+    remote: https://urlhaus.abuse.ch/downloads/csv/