def process(self, i, router):
if i.itype == 'fqdn' and i.provider != 'spamhaus.org':
try:
r = self._resolve(i.indicator)
self.logger.debug(r)
try:
r = CODES[r]
except Exception as e:
# https://www.spamhaus.org/faq/section/DNSBL%20Usage
self.logger.error(e)
self.logger.info('check spamhaus return codes')
r = None
if r:
f = Indicator(**i.__dict__)
f.tags = [r['tags']]
f.description = r['description']
f.confidence = CONFIDENCE
f.provider = PROVIDER
f.reference_tlp = 'white'
f.reference = 'http://www.spamhaus.org/query/dbl?domain={}'.format(
f.indicator)
x = router.indicators_create(f)
self.logger.debug(x)
except KeyError as e:
self.logger.error(e)
except dns.resolver.NoAnswer:
self.logger.debug('no answer...')
except dns.resolver.NXDOMAIN:
self.logger.debug('nxdomain...')
except EmptyLabel:
self.logger.error('empty label: {}'.format(i.indicator))
def process(i):
if not ENABLED:
return
if i.itype not in ['ipv4', 'ipv6']:
return
if i.provider == 'spamhaus.org' and not is_ipv4_net(i.indicator):
return
try:
r = _resolve(i.indicator)
except Exception as e:
return
r = CODES.get(str(r), None)
if not r:
return
f = Indicator(**i.__dict__())
f.tags = [r['tags']]
f.description = r['description']
f.confidence = CONFIDENCE
f.provider = PROVIDER
f.reference_tlp = 'white'
f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format(f.indicator)
f.lasttime = arrow.utcnow()
f.probability = 0
return f
def process(i):
if not ENABLED:
return
if i.itype != 'url':
return
if i.probability:
return
for t in i.tags:
if t == 'predicted':
return
if not predict(i.indicator):
return
i = Indicator(**i.__dict__())
i.lasttime = arrow.utcnow()
i.confidence = 4
i.probability = 84
i.provider = 'csirtgadgets.com'
i.reference = 'https://github.com/csirtgadgets/csirtg-urlsml-py' + '#' + VERSION
tags = set(i.tags)
tags.add('predicted')
i.tags = list(tags)
return i
def process(self, i, router):
if i.itype == 'fqdn' and i.provider != 'spamhaus.org':
try:
r = self._resolve(i.indicator)
try:
r = CODES.get(str(r), None)
except Exception as e:
# https://www.spamhaus.org/faq/section/DNSBL%20Usage
self.logger.error(e)
self.logger.info('check spamhaus return codes')
r = None
if r:
confidence = CONFIDENCE
if ' legit ' in r['description']:
confidence = 6
f = Indicator(**i.__dict__())
f.tags = [r['tags']]
f.description = r['description']
f.confidence = confidence
f.provider = PROVIDER
f.reference_tlp = 'white'
f.reference = 'http://www.spamhaus.org/query/dbl?domain={}'.format(f.indicator)
f.lasttime = arrow.utcnow()
x = router.indicators_create(f)
self.logger.debug(x)
except KeyError as e:
self.logger.error(e)
def process(i):
if not ENABLED:
return
if i.itype != 'fqdn':
return
if i.provider == 'spamhaus.org':
return
r = _resolve(i.indicator)
r = CODES.get(str(r), None)
if not r:
return
confidence = CONFIDENCE
if ' legit ' in r['description']:
confidence = 1
f = Indicator(**i.__dict__())
f.tags = [r['tags']]
f.description = r['description']
f.confidence = confidence
f.provider = PROVIDER
f.reference_tlp = 'white'
f.reference = 'http://www.spamhaus.org/query/dbl?domain={}'.format(
f.indicator)
f.lasttime = arrow.utcnow()
f.probability = 0
return f
def process(self, i, router):
if i.itype != 'ipv4' and i.itype != 'ipv6':
return
if i.provider == 'spamhaus.org' and not is_ipv4_net(i.indicator):
return
try:
r = self._resolve(i.indicator)
try:
r = CODES.get(str(r), None)
except Exception as e:
# https://www.spamhaus.org/faq/section/DNSBL%20Usage
self.logger.error(e)
self.logger.info('check spamhaus return codes')
r = None
if r:
f = Indicator(**i.__dict__())
f.tags = [r['tags']]
f.description = r['description']
f.confidence = CONFIDENCE
f.provider = PROVIDER
f.reference_tlp = 'white'
f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format(f.indicator)
f.lasttime = arrow.utcnow()
x = router.indicators_create(f)
except Exception as e:
self.logger.error(e)
import traceback
traceback.print_exc()
def process(self, i, router):
if i.itype != 'ipv4' and i.itype != 'ipv6':
return
if i.provider == 'spamhaus.org' and not is_ipv4_net(i.indicator):
return
try:
r = self._resolve(i.indicator)
try:
r = CODES.get(str(r), None)
except Exception as e:
# https://www.spamhaus.org/faq/section/DNSBL%20Usage
self.logger.error(e)
self.logger.info('check spamhaus return codes')
r = None
if r:
f = Indicator(**i.__dict__())
f.tags = [r['tags']]
f.description = r['description']
f.confidence = CONFIDENCE
f.provider = PROVIDER
f.reference_tlp = 'white'
f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format(
f.indicator)
x = router.indicators_create(f)
except Exception as e:
self.logger.error(e)
import traceback
traceback.print_exc()
def process(self, i, router):
if (i.itype == 'ipv4' or i.itype == 'ipv6') and i.provider != 'spamhaus.org':
try:
r = self._resolve(i.indicator)
try:
r = CODES.get(str(r), None)
except Exception as e:
# https://www.spamhaus.org/faq/section/DNSBL%20Usage
self.logger.error(e)
self.logger.info('check spamhaus return codes')
r = None
if r:
f = Indicator(**i.__dict__)
f.tags = [r['tags']]
f.description = r['description']
f.confidence = CONFIDENCE
f.provider = PROVIDER
f.reference_tlp = 'white'
f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format(f.indicator)
x = router.indicators_create(f)
self.logger.debug(x)
except dns.resolver.NoAnswer:
self.logger.info('no answer...')
except dns.resolver.NXDOMAIN:
self.logger.info('nxdomain...')
except Exception as e:
self.logger.error(e)
import traceback
traceback.print_exc()
def process(self, i, router):
if i.itype == 'fqdn' and i.provider != 'spamhaus.org':
try:
r = self._resolve(i.indicator)
try:
r = CODES[r]
except Exception as e:
# https://www.spamhaus.org/faq/section/DNSBL%20Usage
self.logger.error(e)
self.logger.info('check spamhaus return codes')
r = None
if r:
f = Indicator(**i.__dict__)
f.tags = [r['tags']]
f.description = r['description']
f.confidence = CONFIDENCE
f.provider = PROVIDER
f.reference_tlp = 'white'
f.reference = 'http://www.spamhaus.org/query/dbl?domain={}'.format(f.indicator)
x = router.indicators_create(f)
self.logger.debug(x)
except KeyError as e:
self.logger.error(e)
except dns.resolver.NoAnswer:
self.logger.info('no answer...')
except dns.resolver.NXDOMAIN:
self.logger.info('nxdomain...')
except EmptyLabel:
self.logger.error('empty label: {}'.format(i.indicator))
def process(self, i, router):
if (i.itype == 'ipv4'
or i.itype == 'ipv6') and i.provider != 'spamhaus.org':
try:
r = self._resolve(i.indicator)
try:
r = CODES.get(str(r), None)
except Exception as e:
# https://www.spamhaus.org/faq/section/DNSBL%20Usage
self.logger.error(e)
self.logger.info('check spamhaus return codes')
r = None
if r:
f = Indicator(**i.__dict__)
f.tags = [r['tags']]
f.description = r['description']
f.confidence = CONFIDENCE
f.provider = PROVIDER
f.reference_tlp = 'white'
f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format(
f.indicator)
x = router.indicators_create(f)
self.logger.debug(x)
except dns.resolver.NoAnswer:
self.logger.info('no answer...')
except dns.resolver.NXDOMAIN:
self.logger.info('nxdomain...')
except Exception as e:
self.logger.error(e)
import traceback
traceback.print_exc()
def _get_indicator(i):
i2 = Indicator()
timestamps = []
ports = []
# prioritize the various elements..
for e in i:
if i[e] == 'CC':
i2.cc = e
continue
if i[e] == 'indicator':
if i2.indicator:
i2.reference = e
else:
i2.indicator = e
continue
if i[e] == 'timestamp':
timestamps.append(get_ts(e))
continue
if i[e] == 'float':
i2.asn = e
continue
if i[e] == 'int':
ports.append(e)
continue
if i[e] == 'description':
i2.description = e
continue
if i[e] == 'string':
if re.match(r'[0-9A-Za-z\.\s\/]+', e) and i2.asn:
i2.asn_desc = e
continue
if 4 <= len(e) <= 10 and re.match('[a-z-A-Z]+,?', e) \
and e not in ['ipv4', 'fqdn', 'url', 'ipv6']:
i2.tags = [e]
continue
if ' ' in e and 5 <= len(e) and not i2.asn_desc:
i2.description = e
continue
_calc_timestamps(i2, timestamps)
_calc_ports(i2, ports)
return i2
def process(self, i, router, **kwargs):
if 'search' in i.tags:
return
if i.itype != 'ipv4' and i.itype != 'ipv6':
return
if i.provider == 'spamhaus.org' and not is_ipv4_net(i.indicator):
return
try:
r = self._resolve(i.indicator)
try:
r = CODES.get(str(r), None)
except Exception as e:
# https://www.spamhaus.org/faq/section/DNSBL%20Usage
self.logger.error(e)
self.logger.info('check spamhaus return codes')
r = None
if r:
f = Indicator(**i.__dict__())
f.tags = [r['tags']]
if 'hunter' not in f.tags:
f.tags.append('hunter')
f.description = r['description']
f.confidence = CONFIDENCE
f.provider = PROVIDER
f.reference_tlp = 'white'
f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format(
f.indicator)
f.lasttime = f.reporttime = arrow.utcnow()
x = router.indicators_create(f)
self.logger.debug("Spamhaus IP: {}".format(x))
except Exception as e:
self.logger.error(
"[Hunter: SpamhausIp] {}: giving up on indicator {}".format(
e, i))
import traceback
traceback.print_exc()
def process(self, i, router, **kwargs):
if 'search' in i.tags:
return
if i.itype == 'fqdn' and i.provider != 'spamhaus.org':
try:
r = self._resolve(i.indicator)
try:
r = CODES.get(str(r), None)
except Exception as e:
# https://www.spamhaus.org/faq/section/DNSBL%20Usage
self.logger.error(e)
self.logger.info('check spamhaus return codes')
r = None
if r:
confidence = CONFIDENCE
if ' legit ' in r['description']:
confidence = 6
f = Indicator(**i.__dict__())
f.tags = [r['tags']]
if 'hunter' not in f.tags:
f.tags.append('hunter')
f.description = r['description']
f.confidence = confidence
f.provider = PROVIDER
f.reference_tlp = 'white'
f.reference = 'http://www.spamhaus.org/query/dbl?domain={}'.format(f.indicator)
f.lasttime = f.reporttime = arrow.utcnow()
x = router.indicators_create(f)
self.logger.debug('Spamhaus FQDN: {}'.format(x))
except KeyError as e:
self.logger.error(e)
except Exception as e:
self.logger.error('[Hunter: SpamhausFqdn] {}: giving up on indicator {}'.format(e, i))
def process(i):
if not ENABLED:
return
if i.itype != 'fqdn':
return
if i.probability:
return
if not predict(i.indicator):
return
fqdn = Indicator(**i.__dict__())
fqdn.lasttime = arrow.utcnow()
fqdn.confidence = 4
fqdn.probability = 84
fqdn.provider = 'csirtgadgets.com'
fqdn.reference = 'https://github.com/csirtgadgets/csirtg-domainsml-py' + '#' + VERSION
tags = set(fqdn.tags)
tags.add('predicted')
fqdn.tags = list(tags)
return fqdn
def get_indicator(l, hints=None):
i = OrderedDict()
if not isinstance(l, list):
l = [l]
# step 1, detect datatypes
for e in l:
if not isinstance(e, (str, bytes)):
continue
e = e.rstrip()
e = e.lstrip()
if re.match('^[a-zA-Z]{2}$', e):
i[e] = 'CC'
continue
t = None
try:
t = resolve_itype(e.rstrip('/'))
# 25553.0 ASN formats trip up FQDN resolve itype
if t and not (t == 'fqdn' and re.match('^\d+\.[0-9]$', e)):
i[e] = 'indicator'
continue
except Exception:
pass
if isinstance(e, int):
i[e] = 'int'
continue
if isinstance(e, float) or re.match('^\d+\.[0-9]$', e):
i[e] = 'float'
continue
if is_timestamp(e):
i[e] = 'timestamp'
continue
if isinstance(e, (str, bytes)):
if hints:
for ii in range(0, 25):
if len(hints) == ii:
break
if e.lower() == hints[ii].lower():
i[e] = 'description'
break
if not i.get(e):
i[e] = 'string'
i2 = Indicator()
timestamps = []
ports = []
for e in i:
if i[e] == 'CC':
i2.cc = e
continue
if i[e] == 'indicator':
if i2.indicator:
i2.reference = e
else:
i2.indicator = e
continue
if i[e] == 'timestamp':
timestamps.append(parse_timestamp(e))
continue
if i[e] == 'float':
i2.asn = e
continue
if i[e] == 'int':
ports.append(e)
continue
if i[e] == 'description':
i2.description = e
continue
if i[e] == 'string':
if re.match(r'[0-9A-Za-z\.\s\/]+', e) and i2.asn:
i2.asn_desc = e
continue
if 4 <= len(e) <= 10 and re.match('[a-z-A-Z]+,?', e) and e not in [
'ipv4', 'fqdn', 'url', 'ipv6'
]:
i2.tags = [e]
continue
if ' ' in e and 5 <= len(e) and not i2.asn_desc:
i2.description = e
continue
timestamps = sorted(timestamps, reverse=True)
if len(timestamps) > 0:
i2.last_at = timestamps[0]
if len(timestamps) > 1:
i2.first_at = timestamps[1]
if len(ports) > 0:
if len(ports) == 1:
i2.portlist = ports[0]
else:
if ports[0] > ports[1]:
i2.portlist = ports[0]
i2.dest_portlist = ports[1]
else:
i2.portlist = ports[1]
i2.dest_portlist = ports[0]
return i2
def test_format_indicator():
i = Indicator('example.com')
i.reference = 'https://csirtg.io/search?q={indicator}'
i = i.format_keys()
assert i.reference == 'https://csirtg.io/search?q=example.com'
