def _get_indicator(i): i2 = Indicator() timestamps = [] ports = [] # prioritize the various elements.. for e in i: if i[e] == 'CC': i2.cc = e continue if i[e] == 'indicator': if i2.indicator: i2.reference = e else: i2.indicator = e continue if i[e] == 'timestamp': timestamps.append(get_ts(e)) continue if i[e] == 'float': i2.asn = e continue if i[e] == 'int': ports.append(e) continue if i[e] == 'description': i2.description = e continue if i[e] == 'string': if re.match(r'[0-9A-Za-z\.\s\/]+', e) and i2.asn: i2.asn_desc = e continue if 4 <= len(e) <= 10 and re.match('[a-z-A-Z]+,?', e) \ and e not in ['ipv4', 'fqdn', 'url', 'ipv6']: i2.tags = [e] continue if ' ' in e and 5 <= len(e) and not i2.asn_desc: i2.description = e continue _calc_timestamps(i2, timestamps) _calc_ports(i2, ports) return i2
def process(self, i, router): if i.itype == 'fqdn' and i.provider != 'spamhaus.org': try: r = self._resolve(i.indicator) self.logger.debug(r) try: r = CODES[r] except Exception as e: # https://www.spamhaus.org/faq/section/DNSBL%20Usage self.logger.error(e) self.logger.info('check spamhaus return codes') r = None if r: f = Indicator(**i.__dict__) f.tags = [r['tags']] f.description = r['description'] f.confidence = CONFIDENCE f.provider = PROVIDER f.reference_tlp = 'white' f.reference = 'http://www.spamhaus.org/query/dbl?domain={}'.format( f.indicator) x = router.indicators_create(f) self.logger.debug(x) except KeyError as e: self.logger.error(e) except dns.resolver.NoAnswer: self.logger.debug('no answer...') except dns.resolver.NXDOMAIN: self.logger.debug('nxdomain...') except EmptyLabel: self.logger.error('empty label: {}'.format(i.indicator))
def process(i): if not ENABLED: return if i.itype not in ['ipv4', 'ipv6']: return if i.provider == 'spamhaus.org' and not is_ipv4_net(i.indicator): return try: r = _resolve(i.indicator) except Exception as e: return r = CODES.get(str(r), None) if not r: return f = Indicator(**i.__dict__()) f.tags = [r['tags']] f.description = r['description'] f.confidence = CONFIDENCE f.provider = PROVIDER f.reference_tlp = 'white' f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format(f.indicator) f.lasttime = arrow.utcnow() f.probability = 0 return f
def process(i): if not ENABLED: return if i.itype != 'fqdn': return if i.provider == 'spamhaus.org': return r = _resolve(i.indicator) r = CODES.get(str(r), None) if not r: return confidence = CONFIDENCE if ' legit ' in r['description']: confidence = 1 f = Indicator(**i.__dict__()) f.tags = [r['tags']] f.description = r['description'] f.confidence = confidence f.provider = PROVIDER f.reference_tlp = 'white' f.reference = 'http://www.spamhaus.org/query/dbl?domain={}'.format( f.indicator) f.lasttime = arrow.utcnow() f.probability = 0 return f
def process(self, i, router): if i.itype == 'fqdn' and i.provider != 'spamhaus.org': try: r = self._resolve(i.indicator) try: r = CODES.get(str(r), None) except Exception as e: # https://www.spamhaus.org/faq/section/DNSBL%20Usage self.logger.error(e) self.logger.info('check spamhaus return codes') r = None if r: confidence = CONFIDENCE if ' legit ' in r['description']: confidence = 6 f = Indicator(**i.__dict__()) f.tags = [r['tags']] f.description = r['description'] f.confidence = confidence f.provider = PROVIDER f.reference_tlp = 'white' f.reference = 'http://www.spamhaus.org/query/dbl?domain={}'.format(f.indicator) f.lasttime = arrow.utcnow() x = router.indicators_create(f) self.logger.debug(x) except KeyError as e: self.logger.error(e)
def process(self, i, router): if i.itype != 'ipv4' and i.itype != 'ipv6': return if i.provider == 'spamhaus.org' and not is_ipv4_net(i.indicator): return try: r = self._resolve(i.indicator) try: r = CODES.get(str(r), None) except Exception as e: # https://www.spamhaus.org/faq/section/DNSBL%20Usage self.logger.error(e) self.logger.info('check spamhaus return codes') r = None if r: f = Indicator(**i.__dict__()) f.tags = [r['tags']] f.description = r['description'] f.confidence = CONFIDENCE f.provider = PROVIDER f.reference_tlp = 'white' f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format( f.indicator) x = router.indicators_create(f) except Exception as e: self.logger.error(e) import traceback traceback.print_exc()
def process(self, i, router): if i.itype != 'ipv4' and i.itype != 'ipv6': return if i.provider == 'spamhaus.org' and not is_ipv4_net(i.indicator): return try: r = self._resolve(i.indicator) try: r = CODES.get(str(r), None) except Exception as e: # https://www.spamhaus.org/faq/section/DNSBL%20Usage self.logger.error(e) self.logger.info('check spamhaus return codes') r = None if r: f = Indicator(**i.__dict__()) f.tags = [r['tags']] f.description = r['description'] f.confidence = CONFIDENCE f.provider = PROVIDER f.reference_tlp = 'white' f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format(f.indicator) f.lasttime = arrow.utcnow() x = router.indicators_create(f) except Exception as e: self.logger.error(e) import traceback traceback.print_exc()
def process(self, i, router): if i.itype == 'fqdn' and i.provider != 'spamhaus.org': try: r = self._resolve(i.indicator) try: r = CODES[r] except Exception as e: # https://www.spamhaus.org/faq/section/DNSBL%20Usage self.logger.error(e) self.logger.info('check spamhaus return codes') r = None if r: f = Indicator(**i.__dict__) f.tags = [r['tags']] f.description = r['description'] f.confidence = CONFIDENCE f.provider = PROVIDER f.reference_tlp = 'white' f.reference = 'http://www.spamhaus.org/query/dbl?domain={}'.format(f.indicator) x = router.indicators_create(f) self.logger.debug(x) except KeyError as e: self.logger.error(e) except dns.resolver.NoAnswer: self.logger.info('no answer...') except dns.resolver.NXDOMAIN: self.logger.info('nxdomain...') except EmptyLabel: self.logger.error('empty label: {}'.format(i.indicator))
def process(self, i, router): if (i.itype == 'ipv4' or i.itype == 'ipv6') and i.provider != 'spamhaus.org': try: r = self._resolve(i.indicator) try: r = CODES.get(str(r), None) except Exception as e: # https://www.spamhaus.org/faq/section/DNSBL%20Usage self.logger.error(e) self.logger.info('check spamhaus return codes') r = None if r: f = Indicator(**i.__dict__) f.tags = [r['tags']] f.description = r['description'] f.confidence = CONFIDENCE f.provider = PROVIDER f.reference_tlp = 'white' f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format(f.indicator) x = router.indicators_create(f) self.logger.debug(x) except dns.resolver.NoAnswer: self.logger.info('no answer...') except dns.resolver.NXDOMAIN: self.logger.info('nxdomain...') except Exception as e: self.logger.error(e) import traceback traceback.print_exc()
def process(self, i, router): if (i.itype == 'ipv4' or i.itype == 'ipv6') and i.provider != 'spamhaus.org': try: r = self._resolve(i.indicator) try: r = CODES.get(str(r), None) except Exception as e: # https://www.spamhaus.org/faq/section/DNSBL%20Usage self.logger.error(e) self.logger.info('check spamhaus return codes') r = None if r: f = Indicator(**i.__dict__) f.tags = [r['tags']] f.description = r['description'] f.confidence = CONFIDENCE f.provider = PROVIDER f.reference_tlp = 'white' f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format( f.indicator) x = router.indicators_create(f) self.logger.debug(x) except dns.resolver.NoAnswer: self.logger.info('no answer...') except dns.resolver.NXDOMAIN: self.logger.info('nxdomain...') except Exception as e: self.logger.error(e) import traceback traceback.print_exc()
def process(self, i, router, **kwargs): if 'search' in i.tags: return if i.itype != 'ipv4' and i.itype != 'ipv6': return if i.provider == 'spamhaus.org' and not is_ipv4_net(i.indicator): return try: r = self._resolve(i.indicator) try: r = CODES.get(str(r), None) except Exception as e: # https://www.spamhaus.org/faq/section/DNSBL%20Usage self.logger.error(e) self.logger.info('check spamhaus return codes') r = None if r: f = Indicator(**i.__dict__()) f.tags = [r['tags']] if 'hunter' not in f.tags: f.tags.append('hunter') f.description = r['description'] f.confidence = CONFIDENCE f.provider = PROVIDER f.reference_tlp = 'white' f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format( f.indicator) f.lasttime = f.reporttime = arrow.utcnow() x = router.indicators_create(f) self.logger.debug("Spamhaus IP: {}".format(x)) except Exception as e: self.logger.error( "[Hunter: SpamhausIp] {}: giving up on indicator {}".format( e, i)) import traceback traceback.print_exc()
def process(self, i, router, **kwargs): if 'search' in i.tags: return if i.itype == 'fqdn' and i.provider != 'spamhaus.org': try: r = self._resolve(i.indicator) try: r = CODES.get(str(r), None) except Exception as e: # https://www.spamhaus.org/faq/section/DNSBL%20Usage self.logger.error(e) self.logger.info('check spamhaus return codes') r = None if r: confidence = CONFIDENCE if ' legit ' in r['description']: confidence = 6 f = Indicator(**i.__dict__()) f.tags = [r['tags']] if 'hunter' not in f.tags: f.tags.append('hunter') f.description = r['description'] f.confidence = confidence f.provider = PROVIDER f.reference_tlp = 'white' f.reference = 'http://www.spamhaus.org/query/dbl?domain={}'.format(f.indicator) f.lasttime = f.reporttime = arrow.utcnow() x = router.indicators_create(f) self.logger.debug('Spamhaus FQDN: {}'.format(x)) except KeyError as e: self.logger.error(e) except Exception as e: self.logger.error('[Hunter: SpamhausFqdn] {}: giving up on indicator {}'.format(e, i))
def get_indicator(l, hints=None): i = OrderedDict() if not isinstance(l, list): l = [l] # step 1, detect datatypes for e in l: if not isinstance(e, (str, bytes)): continue e = e.rstrip() e = e.lstrip() if re.match('^[a-zA-Z]{2}$', e): i[e] = 'CC' continue t = None try: t = resolve_itype(e.rstrip('/')) # 25553.0 ASN formats trip up FQDN resolve itype if t and not (t == 'fqdn' and re.match('^\d+\.[0-9]$', e)): i[e] = 'indicator' continue except Exception: pass if isinstance(e, int): i[e] = 'int' continue if isinstance(e, float) or re.match('^\d+\.[0-9]$', e): i[e] = 'float' continue if is_timestamp(e): i[e] = 'timestamp' continue if isinstance(e, (str, bytes)): if hints: for ii in range(0, 25): if len(hints) == ii: break if e.lower() == hints[ii].lower(): i[e] = 'description' break if not i.get(e): i[e] = 'string' i2 = Indicator() timestamps = [] ports = [] for e in i: if i[e] == 'CC': i2.cc = e continue if i[e] == 'indicator': if i2.indicator: i2.reference = e else: i2.indicator = e continue if i[e] == 'timestamp': timestamps.append(parse_timestamp(e)) continue if i[e] == 'float': i2.asn = e continue if i[e] == 'int': ports.append(e) continue if i[e] == 'description': i2.description = e continue if i[e] == 'string': if re.match(r'[0-9A-Za-z\.\s\/]+', e) and i2.asn: i2.asn_desc = e continue if 4 <= len(e) <= 10 and re.match('[a-z-A-Z]+,?', e) and e not in [ 'ipv4', 'fqdn', 'url', 'ipv6' ]: i2.tags = [e] continue if ' ' in e and 5 <= len(e) and not i2.asn_desc: i2.description = e continue timestamps = sorted(timestamps, reverse=True) if len(timestamps) > 0: i2.last_at = timestamps[0] if len(timestamps) > 1: i2.first_at = timestamps[1] if len(ports) > 0: if len(ports) == 1: i2.portlist = ports[0] else: if ports[0] > ports[1]: i2.portlist = ports[0] i2.dest_portlist = ports[1] else: i2.portlist = ports[1] i2.dest_portlist = ports[0] return i2
def get_indicator(l): i = {} # step 1, detect datatypes for e in l: if isinstance(e, int): i[e] = 'int' continue t = None try: t = resolve_itype(e) if t: i[e] = 'indicator' continue except Exception: pass if is_timestamp(e): i[e] = 'timestamp' continue if isinstance(e, basestring): i[e] = 'string' i2 = Indicator() timestamps = [] ports = [] for e in i: if i[e] == 'indicator': i2.indicator = e continue if i[e] == 'timestamp': timestamps.append(e) continue if i[e] == 'int': ports.append(e) continue if i[e] == 'string': if ' ' in e: i2.description = e continue if len(e) < 10: i2.tags = [e] continue timestamps = sorted(timestamps, reverse=True) if len(timestamps) > 0: i2.lasttime = timestamps[0] if len(timestamps) > 1: i2.firsttime = timestamps[1] if len(ports) > 0: if len(ports) == 1: i2.portlist = ports[0] else: if ports[0] > ports[1]: i2.portlist = ports[0] i2.dest_portlist = ports[1] else: i2.portlist = ports[1] i2.dest_portlist = ports[0] return i2