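def process(indicator):
    """Enrich a public ``ipv4`` indicator with origin-AS data from Team Cymru's DNS service.

    Does nothing unless ``ENABLE_PEERS`` is set; private addresses and every
    itype other than ``ipv4`` are skipped (the ``# TODO ipv6`` below still
    stands).  The address is reduced to its /24 (host octet zeroed, octets
    reversed) so every address in a block maps to one query name, then
    ``_resolve`` is asked for the origin TXT record and a second lookup on
    ``as<ASN>.asn.cymru.com`` fills in the AS description.

    Args:
        indicator: an Indicator-like object exposing ``is_private()``,
            ``itype`` and ``indicator``; its ``asn``, ``prefix``, ``cc``,
            ``rir`` and (when available) ``asn_desc`` attributes are written.

    Returns:
        The mutated indicator once origin data was recorded, otherwise
        ``None`` (disabled, skipped, malformed input, or no/invalid answer).

    Changes from the original: the regexes are raw strings; a ``None``
    answer from ``_resolve`` no longer raises ``TypeError`` in ``len()``;
    the TXT payload is bounds-checked and the ASN must be numeric before it
    is spliced into a further DNS query name (DNS answers are unauthenticated
    input).  NOTE(review): a resolver ``Timeout`` from the first lookup is
    still not caught here, unlike the fqdn hunters -- confirm whether the
    router expects hunters to swallow it.
    """
    if not ENABLE_PEERS:
        return

    if indicator.is_private():
        return

    # TODO ipv6
    if indicator.itype != 'ipv4':
        return

    i = str(indicator.indicator)

    # drop a CIDR suffix ("1.2.3.0/24" -> "1.2.3.0")
    match = re.search(r'^(\S+)\/\d+$', i)
    if match:
        i = match.group(1)

    # cache it to the /24: the origin zone wants reversed octets, and the
    # host octet is zeroed so the whole block shares one query name
    # 115.87.213.115
    # 0.213.87.115
    octets = i.split('.')
    if len(octets) != 4:
        # not a dotted quad; the original would have raised IndexError
        return
    rev = list(reversed(octets))
    i = '0.{}.{}.{}'.format(rev[1], rev[2], rev[3])

    answers = _resolve(i)
    # covers both an empty list and a None return from the resolver
    if not answers:
        return

    # Separate fields and order by netmask length
    # 23028 | 216.90.108.0/24 | US | arin | 1998-09-25
    # 701 1239 3549 3561 7132 | 216.90.108.0/24 | US | arin | 1998-09-25
    # i.asn_desc ????
    bits = str(answers[0]).replace('"', '').strip().split(' | ')
    if len(bits) < 4:
        # truncated / unexpected record; do not index past the end
        return

    # several origin ASNs may be listed; the first one is used, as before.
    # Only a numeric ASN is accepted, since it becomes part of the next
    # query name.
    asns = bits[0].split()
    if not asns or not asns[0].isdigit():
        return
    asn = asns[0]

    indicator.asn = asn
    indicator.prefix = bits[1]
    indicator.cc = bits[2]
    indicator.rir = bits[3]

    # second lookup: AS description
    answers = resolve_ns('as{}.{}'.format(asn, 'asn.cymru.com'), t='TXT', timeout=15)
    try:
        tmp = str(answers[0])
    except UnicodeDecodeError:
        # requires fix latin-1 fix _escapeify to dnspython > 1.14
        return indicator
    except (IndexError, TypeError):
        # no answer (empty list, or None from the resolver)
        return indicator

    bits = tmp.replace('"', '').strip().split(' | ')
    if len(bits) > 4:
        indicator.asn_desc = bits[4]

    # send back to router
    return indicator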
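def process(i):
    """Resolve an ``fqdn`` indicator to its address records.

    Every answer that passes ``resolve_itype`` becomes a new ``ipv4``
    Indicator copied from ``i`` (confidence 1, probability 0, ``rdata`` set
    to the queried name).  One extra copy tagged ``pdns`` (confidence 4,
    probability inherited from ``i``) is appended for the last address that
    validated, recording the passive-DNS observation.

    Args:
        i: the Indicator to expand; only ``itype == 'fqdn'`` is handled.

    Returns:
        ``None`` when the hunter is disabled, the itype does not match, or
        the lookup returns nothing / times out; otherwise a list of new
        Indicators (empty when every answer was rejected).

    Changes from the original: the pdns record is built from the last
    accepted address rather than the loop variable, which was unbound when
    every answer was skipped and stale (a value that failed validation)
    when the last one was; the bare ``except:`` is narrowed so
    KeyboardInterrupt/SystemExit are not swallowed.
    """
    if not ENABLED:
        return

    if i.itype != 'fqdn':
        return

    try:
        r = resolve_ns(i.indicator)
        if not r:
            return
    except Timeout:
        return

    rv = []
    for rr in r:
        rr = str(rr)
        if rr in ["", 'localhost']:
            continue

        ip = Indicator(**i.__dict__())
        ip.lasttime = arrow.utcnow()
        ip.indicator = rr

        # resolver output is untrusted; make sure it parses as an indicator
        # before it is emitted
        try:
            resolve_itype(ip.indicator)
        except Exception:
            continue

        # NOTE(review): itype is hard-coded; assumes resolve_ns returned
        # A records here -- confirm
        ip.itype = 'ipv4'
        ip.rdata = i.indicator
        ip.confidence = 1
        ip.probability = 0
        rv.append(ip)

    if not rv:
        # nothing validated, so there is no address to attach a pdns
        # observation to
        return rv

    # also create a passive dns tag
    pdns = Indicator(**copy.deepcopy(i.__dict__()))
    pdns.tags = 'pdns'
    pdns.confidence = 4
    pdns.probability = i.probability
    pdns.indicator = rv[-1].indicator
    pdns.rdata = i.indicator
    rv.append(pdns)

    return rv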
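def process(i):
    """Expand an ``fqdn`` indicator into the exchange hosts of its MX records.

    NOTE(review): the unconditional ``return`` on the first line disables
    this hunter entirely -- everything after it is unreachable.  It reads
    like an intentional kill switch kept in addition to ``ENABLED``; confirm
    before removing it.

    When active it skips indicators tagged ``search``, resolves the MX
    records of ``i.indicator``, strips the preference and trailing dot from
    each answer, and emits one ``fqdn`` Indicator (confidence 0,
    probability 0, ``rdata`` = the queried name) per exchange host that
    passes ``resolve_itype``.

    Args:
        i: the Indicator to expand.

    Returns:
        Currently always ``None``.  If the kill switch is removed: ``None``
        when disabled, not an fqdn, tagged ``search``, or the lookup
        returns nothing / times out; otherwise a list of new Indicators.

    Changes from the original: regexes are raw strings, the duplicated
    ``rstrip('.')`` is collapsed, and the bare ``except:`` is narrowed.
    """
    return

    if not ENABLED:
        return

    if i.itype != 'fqdn':
        return

    if 'search' in i.tags:
        return

    try:
        r = resolve_ns(i.indicator, t='MX')
        if not r:
            return
    except Timeout:
        return

    rv = []
    for rr in r:
        # an MX answer is "<preference> <exchange>."; keep only the host
        host = re.sub(r'^\d+ ', '', str(rr)).rstrip('.')
        if host in ["", 'localhost']:
            continue

        # a bare preference with no exchange, e.g. "10"
        if re.match(r'^\d+$', host):
            continue

        fqdn = Indicator(**i.__dict__())
        fqdn.probability = 0
        fqdn.indicator = host
        fqdn.lasttime = arrow.utcnow()

        # resolver output is untrusted; validate before emitting
        try:
            resolve_itype(fqdn.indicator)
        except Exception:
            continue

        fqdn.itype = 'fqdn'
        fqdn.rdata = i.indicator
        fqdn.confidence = 0
        rv.append(fqdn)

    return rv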
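def process(i):
    """Resolve an ``fqdn`` indicator to its address records (no pdns copy).

    NOTE(review): the unconditional ``return`` on the first line disables
    this hunter entirely -- everything after it is unreachable.  It reads
    like an intentional kill switch kept in addition to ``ENABLED``; confirm
    before removing it.

    When active it skips indicators tagged ``search``, resolves
    ``i.indicator`` and emits one ``ipv4`` Indicator (confidence 0,
    probability 0, ``rdata`` = the queried name) per answer that passes
    ``resolve_itype``.  Note the ``localhost``/empty check is done on the
    dot-stripped answer while the emitted indicator keeps the raw answer,
    exactly as in the original.

    Args:
        i: the Indicator to expand.

    Returns:
        Currently always ``None``.  If the kill switch is removed: ``None``
        when disabled, not an fqdn, tagged ``search``, or the lookup
        returns nothing / times out; otherwise a list of new Indicators.

    Change from the original: the bare ``except:`` is narrowed to
    ``Exception`` so KeyboardInterrupt/SystemExit are not swallowed.
    """
    return

    if not ENABLED:
        return

    if i.itype != 'fqdn':
        return

    if 'search' in i.tags:
        return

    try:
        r = resolve_ns(i.indicator)
        if not r:
            return
    except Timeout:
        return

    rv = []
    for rr in r:
        answer = str(rr)
        if answer.rstrip('.') in ["", 'localhost']:
            continue

        ip = Indicator(**i.__dict__())
        ip.probability = 0
        ip.indicator = answer
        ip.lasttime = arrow.utcnow()

        # resolver output is untrusted; validate before emitting
        try:
            resolve_itype(ip.indicator)
        except Exception:
            continue

        # NOTE(review): itype is hard-coded; assumes resolve_ns returned
        # A records here -- confirm
        ip.itype = 'ipv4'
        ip.rdata = i.indicator
        ip.confidence = 0
        rv.append(ip)

    return rv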
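def process(i):
    """Follow the CNAME records of an ``fqdn`` indicator one hop.

    Each CNAME target becomes a new ``fqdn`` Indicator copied from ``i``
    with probability 0 and confidence halved (0 when it was below 2), so a
    chain of aliases decays instead of carrying the full score forever --
    that decay is what bounds repeated CNAME hunting.

    Args:
        i: the Indicator to expand; only ``itype == 'fqdn'`` is handled.

    Returns:
        ``None`` when the hunter is disabled, the itype does not match, or
        the lookup returns nothing / times out; otherwise a list of new
        Indicators (empty when every target was rejected).

    Change from the original: a target that fails ``resolve_itype`` is now
    skipped (``continue``) like in the other hunters.  The original
    ``except: return`` discarded every target already collected on the
    first bad one and swallowed KeyboardInterrupt/SystemExit.
    """
    if not ENABLED:
        return

    if i.itype != 'fqdn':
        return

    try:
        r = resolve_ns(i.indicator, t='CNAME')
        if not r:
            return
    except Timeout:
        return

    rv = []
    for rr in r:
        # http://serverfault.com/questions/44618/is-a-wildcard-cname-dns-record-valid
        # drop the trailing dot and a leading wildcard label.  Note that
        # lstrip('*.') removes any run of '*' and '.' characters, not only
        # the literal "*." prefix.
        target = str(rr).rstrip('.').lstrip('*.')
        if target in ['', 'localhost']:
            continue

        fqdn = Indicator(**i.__dict__())
        fqdn.probability = 0
        fqdn.indicator = target
        fqdn.lasttime = arrow.utcnow()

        # resolver output is untrusted; validate before emitting
        try:
            resolve_itype(fqdn.indicator)
        except Exception:
            continue

        fqdn.itype = 'fqdn'
        # keep avoid recursive cname lookups
        fqdn.confidence = int(fqdn.confidence / 2) if fqdn.confidence >= 2 else 0
        rv.append(fqdn)

    return rv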
def _resolve(data):
    """Query the Spamhaus ZEN DNSBL for a dotted IPv4 address.

    The octets of ``data`` are reversed and appended to
    ``zen.spamhaus.org`` (``1.2.3.4`` -> ``4.3.2.1.zen.spamhaus.org``),
    which is the usual DNSBL query form.  NOTE(review): no CIDR suffix is
    stripped here, so callers are presumed to pass a bare address --
    confirm against the caller.

    Returns:
        The first answer from ``resolve_ns`` when the lookup produced a
        truthy result with a truthy first entry; otherwise ``None``.
    """
    octets = data.split('.')
    octets.reverse()
    qname = '{}.zen.spamhaus.org'.format('.'.join(octets))

    answers = resolve_ns(qname)
    if not answers:
        return None

    first = answers[0]
    return first if first else None
def _resolve(data):
    """Fetch the Team Cymru origin TXT record for an address label.

    ``data`` is used verbatim as the leading labels of the query name, so
    the caller is expected to pass it in the reversed-octet form the
    ``origin.asn.cymru.com`` zone wants (e.g. ``0.213.87.115``).  Whatever
    ``resolve_ns`` returns is passed straight through; no explicit timeout
    is set, so the resolver's default applies.

    Returns:
        The ``resolve_ns`` result for the TXT query.
    """
    zone = 'origin.asn.cymru.com'
    qname = '{}.{}'.format(data, zone)
    return resolve_ns(qname, t='TXT')
def _resolve(data):
    """Query the Spamhaus DBL for a domain name.

    ``data`` is prefixed as-is to ``dbl.spamhaus.org`` and looked up with
    ``resolve_ns``.

    Returns:
        The first answer when the lookup produced a truthy result with a
        truthy first entry; otherwise ``None``.
    """
    answers = resolve_ns('{}.dbl.spamhaus.org'.format(data))
    if not answers:
        return None

    first = answers[0]
    return first if first else None
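def _resolve(data):
    """Fetch the Team Cymru peer TXT record for an address label.

    ``data`` is used verbatim as the leading labels of the query name
    (callers are expected to pass the reversed-octet form the
    ``peer.asn.cymru.com`` zone wants).

    Bug fix: the original passed ``timeout=15`` to ``str.format`` -- which
    silently ignores unknown keyword arguments -- instead of to
    ``resolve_ns``, so the lookup actually ran with the resolver's default
    timeout.  The keyword now reaches ``resolve_ns``, matching the
    ``timeout=15`` the peer hunter already uses for its second lookup.

    Returns:
        The ``resolve_ns`` result for the TXT query.
    """
    qname = '{}.{}'.format(data, 'peer.asn.cymru.com')
    return resolve_ns(qname, t='TXT', timeout=15)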