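def is_country_ok(cc):
    """Return True if *cc* is one of the configured "OK" countries.

    The list comes from the ``[blocking] ok_countries`` config value, a
    comma-separated list of country codes (e.g. ``US``).  Entries are
    whitespace-stripped, so ``US, CA`` and ``US,CA`` behave the same;
    empty entries (a trailing comma) are ignored.

    A falsy *cc* (no GeoIP result) also returns True -- the unknown case
    is treated as "OK".  NOTE(review): the previous docstring claimed an
    unknown code returns False, but the code has always returned True for
    it (fail-open).  Callers using this as a "do not block" gate should
    confirm that is the intended policy; it is preserved unchanged here.

    Args:
        cc: two-letter country code string, or a falsy value when unknown.

    Returns:
        True when *cc* is falsy or is listed in ok_countries, else False.
    """
    raw = config.get("blocking", "ok_countries")
    # split(",") alone leaves a leading blank on every entry after a
    # comma, so "US, CA" would never match "CA".  Strip each entry.
    ok_countries = {entry.strip() for entry in raw.split(",") if entry.strip()}
    return (not cc) or (cc in ok_countries)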
def get_records(self):
    """Fetch the infrastructure feeds from the configured CIF server.

    Reads ``[cif] host``, ``apikey`` and ``confidence`` from the config,
    builds a ``cif_http_client.Client`` and returns the concatenated
    results of searching the malware, botnet and scan infrastructure
    feeds.

    WARNING: TLS certificate verification is turned off (``verify: False``).
    The API key and every indicator this feeds into the blocker therefore
    travel over a connection whose peer is not authenticated, so an
    on-path attacker could capture the key or inject addresses to block.
    The behaviour is preserved unchanged here; pinning the server
    certificate or making verification configurable would close this.

    Returns:
        A list of whatever ``Client.search`` yields, one feed after another.
    """
    # Certificate verification deliberately disabled -- see the docstring.
    http_options = {"verify": False}
    cif_host = config.get("cif", "host")
    cif_apikey = config.get("cif", "apikey")
    cif_confidence = config.get("cif", "confidence")  # typically 85 or so
    client = cif_http_client.Client(
        cif_host,
        cif_apikey,
        http_options,
        confidence=cif_confidence,
        nolog=True,
    )
    feeds = (
        'infrastructure/malware',
        'infrastructure/botnet',
        'infrastructure/scan',
    )
    collected = []
    for feed in feeds:
        collected.extend(client.search(q=feed))
    return collected
def get_records(self):
    """Collect indicator records from the three CIF infrastructure feeds.

    Builds a ``cif_http_client.Client`` from the ``[cif]`` config section
    (host, apikey, confidence) and flattens the results of one search per
    feed into a single list.

    SECURITY NOTE: ``verify`` is False, so the HTTPS connection to the CIF
    host is not certificate-checked.  The API key is sent over that
    unauthenticated channel and the returned records drive blocking, so
    a man-in-the-middle could both read the key and supply bogus IPs.
    Kept as-is to preserve behaviour; treat as a known risk.

    Returns:
        list of records, in feed order (malware, botnet, scan).
    """
    http_options = {"verify": False}  # no TLS peer verification -- see note
    client = cif_http_client.Client(
        config.get("cif", "host"),
        config.get("cif", "apikey"),
        http_options,
        confidence=config.get("cif", "confidence"),  # 85 or so
        nolog=True,
    )
    feeds = ['infrastructure/malware', 'infrastructure/botnet', 'infrastructure/scan']
    # Equivalent to extending one list with each search result in turn.
    return [record for feed in feeds for record in client.search(q=feed)]
import datetime
import time
from ipblocker.config import config
from ipblocker import util
import random
import IPy

# HACK: SQLAlchemy 0.4 spelled the session option `transactional=False`;
# later releases use `autocommit=True`.  NOTE(review): `sqlalchemy` itself
# and create_engine / scoped_session / sessionmaker / MetaData are not
# imported in this excerpt -- presumably earlier in the file.
if sqlalchemy.__version__.startswith("0.4"):
    kwargs = {'transactional': False}
else:
    kwargs = {'autocommit': True}

# Database URI from [db] uri.  It may embed credentials, so the config
# file's permissions matter.  The engine/session are created at import
# time, so importing this module has side effects.
dburi = config.get("db","uri")
engine = create_engine(dburi)
Session = scoped_session(sessionmaker(autoflush=True, bind=engine, **kwargs))
metadata = MetaData(bind=engine)

from sqlalchemy.orm import mapper as sqla_mapper


def session_mapper(scoped_session):
    """Build a mapper() wrapper that gives mapped classes a kwargs __init__.

    NOTE(review): this definition continues past the end of the visible
    excerpt; only the part shown is documented here.
    """
    def mapper(cls, *arg, **kw):
        # Only classes that never defined their own __init__ get the
        # generated one, which sets each keyword argument as an attribute.
        if cls.__init__ is object.__init__:
            def __init__(self, **kwargs):
                for key, value in kwargs.items():
                    setattr(self, key, value)
            cls.__init__ = __init__
        sqla_mapper(cls, *arg, **kw)
#!/usr/bin/env python from snort import snortdb from ipblocker import is_reblockable, is_fishy, ok_to_block from ipblocker.config import config from ipblocker.util import groupby, subnet from operator import itemgetter import os import csv import datetime from ipblocker.source_blocker import SourceBlocker rule_file = config.get("snort", "rule_filename") MINIMUM = int(config.get("snort", "minimum")) SUBNET_MINIMUM = int(config.get("snort", "subnet_minimum")) BLOCK_TIME = config.get("snort", "block_time") class SnortBlocker(SourceBlocker): blocker = "snort" must_exist_in_source = False flag_traffic = False def read_rules(self): f = csv.DictReader(open(rule_file)) rules = [] for x in f: x['minimum'] = int(x['minimum'] or MINIMUM) x['subnet_minimum'] = int(x['subnet_minimum'] or SUBNET_MINIMUM) x['block_time'] = x['block_time'] or BLOCK_TIME
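def wakeup_backend(enabled=False):
    """Ask tcpsleep to wake the database backend host.

    The wakeup is disabled by default: with ``enabled`` false (the
    legacy behaviour -- the original body started with ``return False``)
    the function returns False at once and touches neither the config
    nor the network.  With ``enabled=True`` it reads the backend host
    from ``[db] host`` and calls ``tcpsleep.client.wakeup`` on port 11112.

    The original code after the early return was unreachable and also
    referenced an undefined name ``host``; that path now uses the value
    actually read from the config.

    Args:
        enabled: opt in to the real wakeup.  Defaults to False so existing
            callers keep the disabled behaviour.

    Returns:
        False when disabled, otherwise the result of
        ``tcpsleep.client.wakeup``.
    """
    if not enabled:
        return False
    wakeup_host = config.get('db', 'host')
    # Kept as a local import, as in the original, so the module loads
    # without tcpsleep while the feature is off.
    import tcpsleep
    return tcpsleep.client.wakeup(host=wakeup_host, port=11112)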
def remove_US(self, ips):
    """Return the addresses in *ips* that GeoIP does not place in the US.

    A pygeoip.GeoIP database is opened from ``[geoip] path`` on every
    call.  Any address whose lookup yields something other than ``'US'``
    -- including an empty or unknown result -- is kept, in input order.
    The number of dropped addresses is logged at debug level.

    Args:
        ips: sized iterable (e.g. list) of IP address strings.

    Returns:
        list of the non-US addresses.
    """
    geo = pygeoip.GeoIP(config.get("geoip", "path"))
    kept = []
    for addr in ips:
        if geo.country_code_by_addr(addr) == 'US':
            continue
        kept.append(addr)
    dropped = len(ips) - len(kept)
    logger.debug("removed %d US ips" % dropped)
    return kept
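def wakeup_backend(enabled=False):
    """Wake the sleeping database backend via tcpsleep, if enabled.

    By default this is a no-op returning False -- the original function
    began with an unconditional ``return False``, leaving the tcpsleep
    call unreachable (and referring to an undefined name ``host``).
    Passing ``enabled=True`` runs that path: the backend host is read
    from ``[db] host`` and ``tcpsleep.client.wakeup`` is called on port
    11112 with the host that was actually read.

    Args:
        enabled: when False (default) return False immediately, preserving
            the legacy disabled behaviour for existing callers.

    Returns:
        False when disabled; otherwise whatever ``tcpsleep.client.wakeup``
        returns.
    """
    if not enabled:
        return False
    wakeup_host = config.get('db', 'host')
    # Local import retained from the original so that tcpsleep is only
    # required when the wakeup is actually used.
    import tcpsleep
    return tcpsleep.client.wakeup(host=wakeup_host, port=11112)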