def process(self):
event = self.receive_message()
if event is None:
self.acknowledge_message()
return
for key in ["source.", "destination."]:
ip_key = key + "ip"
asn_key = key + "asn"
bgp_key = key + "network"
if not event.contains(ip_key):
continue
ip = event.get(ip_key)
if IPAddress.version(ip) == 6:
# Currently not supported by pyasn, fix will come soon
continue
info = self.database.lookup(ip)
if info:
if info[0]:
event.add(asn_key, str(info[0]), force=True)
if info[1]:
event.add(bgp_key, str(info[1]), force=True)
self.send_message(event)
self.acknowledge_message()
def process(self):
event = self.receive_message()
keys = ["source.%s", "destination.%s"]
for key in keys:
ip_key = key % "ip"
if ip_key not in event:
continue
address = event.get(ip_key)
cache_key = CACHE_KEY % (IPAddress.version(address), address)
result_json = self.cache_get(cache_key)
if result_json:
result = json.loads(result_json)
else:
result = Cymru.query(address)
if not result:
self.logger.info('Got no result from Cymru for IP address %r.',
address)
result_json = json.dumps(result)
self.cache_set(cache_key, result_json)
if not result:
continue
for result_key, result_value in result.items():
if result_key == 'registry' and result_value == 'other':
continue
event.add(key % result_key, result_value, overwrite=self.overwrite)
self.send_message(event)
self.acknowledge_message()
def process(self):
event = self.receive_message()
for key in ["source.", "destination."]:
ip_key = key + "ip"
asn_key = key + "asn"
bgp_key = key + "network"
if not event.contains(ip_key):
continue
ip = event.get(ip_key)
if IPAddress.version(ip) == 6:
# Currently not supported by pyasn, fix will come soon
continue
info = self.database.lookup(ip)
if info:
if info[0]:
event.add(asn_key, str(info[0]), force=True)
if info[1]:
event.add(bgp_key, str(info[1]), force=True)
self.send_message(event)
self.acknowledge_message()
def process(self):
event = self.receive_message()
if event is None:
self.acknowledge_message()
return
keys = ["source.%s", "destination.%s"]
for key in keys:
ip_key = key % "ip"
if not event.contains(ip_key):
continue
ip = event.value(ip_key)
ip_version = IPAddress.version(ip)
ip_integer = IPAddress.to_int(ip)
if ip_version == 4:
minimum = MINIMUM_BGP_PREFIX_IPV4
elif ip_version == 6:
minimum = MINIMUM_BGP_PREFIX_IPV6
else:
self.logger.error("Invalid IP version {!r}".format(ip_version))
self.send_message(event)
self.acknowledge_message()
cache_key = bin(ip_integer)[2:minimum + 2]
cachevalue = self.cache.get(cache_key)
result = None
if cachevalue:
result = cachevalue
else:
rev_name = reversename.from_address(ip)
try:
result = resolver.query(rev_name, "PTR")
expiration = result.expiration
result = result[0]
except dns.exception.DNSException as e:
if isinstance(e, dns.resolver.NXDOMAIN):
continue
else:
ttl = datetime.fromtimestamp(expiration) - datetime.now()
self.cache.set(cache_key,
str(result),
ttl=int(ttl.total_seconds()))
if result is not None:
event.add(key % 'reverse_dns',
str(result),
sanitize=True,
force=True)
self.send_message(event)
self.acknowledge_message()
def process(self):
event = self.receive_message()
keys = ["source.%s", "destination.%s"]
for key in keys:
ip_key = key % "ip"
if ip_key not in event:
continue
ip = event.get(ip_key)
ip_version = IPAddress.version(ip)
ip_integer = IPAddress.to_int(ip)
if ip_version == 4:
minimum = MINIMUM_BGP_PREFIX_IPV4
elif ip_version == 6:
minimum = MINIMUM_BGP_PREFIX_IPV6
cache_key = bin(ip_integer)[2:minimum + 2]
cachevalue = self.cache.get(cache_key)
result = None
if cachevalue == DNS_EXCEPTION_VALUE:
continue
elif cachevalue:
result = cachevalue
else:
rev_name = reversename.from_address(ip)
try:
results = resolver.query(rev_name, "PTR")
expiration = results.expiration
for result in results:
# use first valid result
if event.is_valid('source.reverse_dns', str(result)):
break
else:
raise InvalidPTRResult
except (dns.exception.DNSException, InvalidPTRResult) as e:
# Set default TTL for 'DNS query name does not exist' error
ttl = None if isinstance(e, dns.resolver.NXDOMAIN) else \
getattr(self.parameters, "cache_ttl_invalid_response",
60)
self.cache.set(cache_key, DNS_EXCEPTION_VALUE, ttl)
result = None
else:
ttl = datetime.fromtimestamp(expiration) - datetime.now()
self.cache.set(cache_key,
str(result),
ttl=int(ttl.total_seconds()))
if result is not None:
event.add(key % 'reverse_dns', str(result), overwrite=True)
self.send_message(event)
self.acknowledge_message()
def process(self):
event = self.receive_message()
keys = ["source.%s", "destination.%s"]
for key in keys:
ip_key = key % "ip"
if ip_key not in event:
continue
ip = event.get(ip_key)
ip_version = IPAddress.version(ip)
ip_integer = IPAddress.to_int(ip)
if ip_version == 4:
minimum = MINIMUM_BGP_PREFIX_IPV4
elif ip_version == 6:
minimum = MINIMUM_BGP_PREFIX_IPV6
cache_key = bin(ip_integer)[2: minimum + 2]
cachevalue = self.cache.get(cache_key)
result = None
if cachevalue == DNS_EXCEPTION_VALUE:
continue
elif cachevalue:
result = cachevalue
else:
rev_name = reversename.from_address(ip)
try:
results = resolver.query(rev_name, "PTR")
expiration = results.expiration
for result in results:
# use first valid result
if event.is_valid('source.reverse_dns', str(result)):
break
else:
raise InvalidPTRResult
except (dns.exception.DNSException, InvalidPTRResult) as e:
# Set default TTL for 'DNS query name does not exist' error
ttl = None if isinstance(e, dns.resolver.NXDOMAIN) else \
getattr(self.parameters, "cache_ttl_invalid_response",
60)
self.cache.set(cache_key, DNS_EXCEPTION_VALUE, ttl)
result = None
else:
ttl = datetime.fromtimestamp(expiration) - datetime.now()
self.cache.set(cache_key, str(result),
ttl=int(ttl.total_seconds()))
if result is not None:
event.add(key % 'reverse_dns', str(result), overwrite=True)
self.send_message(event)
self.acknowledge_message()
def process(self):
event = self.receive_message()
if event is None:
self.acknowledge_message()
return
for key in ['source.', 'destination.']:
ip_key = key + "ip"
abuse_key = key + "abuse_contact"
asn_key = key + "asn"
ip = event.get(ip_key, None)
if not ip:
continue
ip_version = IPAddress.version(ip)
ip_integer = IPAddress.to_int(ip)
if ip_version == 4:
minimum = MINIMUM_BGP_PREFIX_IPV4
elif ip_version == 6:
minimum = MINIMUM_BGP_PREFIX_IPV6
else:
raise ValueError('Unexpected IP version '
'{!r}.'.format(ip_version))
cache_key = bin(ip_integer)[2:minimum + 2]
cache_result = self.cache.get(cache_key)
abuse = (event.get(abuse_key).split(',')
if abuse_key in event else [])
if cache_result:
cache_result = ast.literal_eval(cache_result)
cache_result = [n.strip() for n in cache_result]
abuse.extend(cache_result)
else:
asn = event.get(asn_key, None)
if self.query_db_asn and asn:
abuse.extend(lib.query_asn(asn))
if self.query_db_ip and ip:
abuse.extend(lib.query_ripedb(ip))
if self.query_stat_asn and asn:
abuse.extend(lib.query_ripestat(asn))
if self.query_stat_ip and ip:
abuse.extend(lib.query_ripestat(ip))
self.cache.set(cache_key, abuse)
event.add(abuse_key,
','.join(filter(None, set(abuse))),
force=True)
self.send_message(event)
self.acknowledge_message()
def process(self):
event = self.receive_message()
if event is None:
self.acknowledge_message()
return
keys = ["source.%s", "destination.%s"]
for key in keys:
ip_key = key % "ip"
if not event.contains(ip_key):
continue
ip = event.value(ip_key)
ip_version = IPAddress.version(ip)
ip_integer = IPAddress.to_int(ip)
if ip_version == 4:
minimum = MINIMUM_BGP_PREFIX_IPV4
elif ip_version == 6:
minimum = MINIMUM_BGP_PREFIX_IPV6
else:
self.logger.error("Invalid IP version {!r}".format(ip_version))
self.send_message(event)
self.acknowledge_message()
cache_key = bin(ip_integer)[2: minimum + 2]
cachevalue = self.cache.get(cache_key)
result = None
if cachevalue:
result = cachevalue
else:
rev_name = reversename.from_address(ip)
try:
result = resolver.query(rev_name, "PTR")
expiration = result.expiration
result = result[0]
except dns.exception.DNSException as e:
if isinstance(e, dns.resolver.NXDOMAIN):
continue
else:
ttl = datetime.fromtimestamp(expiration) - datetime.now()
self.cache.set(cache_key, str(result),
ttl=int(ttl.total_seconds()))
if result is not None:
event.add(key % 'reverse_dns',
str(result), sanitize=True, force=True)
self.send_message(event)
self.acknowledge_message()
def process(self):
event = self.receive_message()
if event is None:
self.acknowledge_message()
return
for key in ['source.', 'destination.']:
ip_key = key + "ip"
abuse_key = key + "abuse_contact"
asn_key = key + "asn"
ip = event.get(ip_key, None)
if not ip:
continue
ip_version = IPAddress.version(ip)
ip_integer = IPAddress.to_int(ip)
if ip_version == 4:
minimum = MINIMUM_BGP_PREFIX_IPV4
elif ip_version == 6:
minimum = MINIMUM_BGP_PREFIX_IPV6
else:
raise ValueError('Unexpected IP version '
'{!r}.'.format(ip_version))
cache_key = bin(ip_integer)[2: minimum + 2]
cache_result = self.cache.get(cache_key)
abuse = (event.get(abuse_key).split(',') if abuse_key in event
else [])
if cache_result:
cache_result = ast.literal_eval(cache_result)
cache_result = [n.strip() for n in cache_result]
abuse.extend(cache_result)
else:
asn = event.get(asn_key, None)
if self.query_db_asn and asn:
abuse.extend(lib.query_asn(asn))
if self.query_db_ip and ip:
abuse.extend(lib.query_ripedb(ip))
if self.query_stat_asn and asn:
abuse.extend(lib.query_ripestat(asn))
if self.query_stat_ip and ip:
abuse.extend(lib.query_ripestat(ip))
self.cache.set(cache_key,abuse)
event.add(abuse_key, ','.join(filter(None, set(abuse))), force=True)
self.send_message(event)
self.acknowledge_message()
def __ip_query(ip):
ip_version = IPAddress.version(ip)
reverse_ip = IPAddress.to_reverse(ip)
if ip_version == 4:
reverse = reverse_ip.split('.in-addr.arpa.')[0]
version = ""
else:
reverse = reverse_ip.split('.ip6.arpa.')[0]
version = "6"
query = IP_QUERY % (reverse, version)
return Cymru.__query(query)
def __ip_query(ip):
ip_version = IPAddress.version(ip)
reverse_ip = IPAddress.to_reverse(ip)
if ip_version == 4:
reverse = reverse_ip.split('.in-addr.arpa.')[0]
version = ""
else:
reverse = reverse_ip.split('.ip6.arpa.')[0]
version = "6"
query = IP_QUERY % (reverse, version)
return Cymru.__query(query)
def process(self):
event = self.receive_message()
if event is None:
self.acknowledge_message()
return
keys = ["source.%s", "destination.%s"]
for key in keys:
ip_key = key % "ip"
if not event.contains(ip_key):
continue
ip = event.value(ip_key)
ip_version = IPAddress.version(ip)
ip_integer = IPAddress.to_int(ip)
if ip_version == 4:
minimum = MINIMUM_BGP_PREFIX_IPV4
elif ip_version == 6:
minimum = MINIMUM_BGP_PREFIX_IPV6
else:
raise ValueError('Unexpected IP version '
'{!r}.'.format(ip_version))
cache_key = bin(ip_integer)[2:minimum + 2]
result_json = self.cache.get(cache_key)
if result_json:
result = json.loads(result_json)
else:
result = Cymru.query(ip)
result_json = json.dumps(result)
self.cache.set(cache_key, result_json)
for result_key, result_value in result.items():
event.add(key % result_key,
result_value,
sanitize=True,
force=True)
self.send_message(event)
self.acknowledge_message()
def process(self):
event = self.receive_message()
keys = ["source.%s", "destination.%s"]
for key in keys:
ip_key = key % "ip"
if ip_key not in event:
continue
ip = event.get(ip_key)
ip_version = IPAddress.version(ip)
ip_integer = IPAddress.to_int(ip)
if ip_version == 4:
minimum = MINIMUM_BGP_PREFIX_IPV4
elif ip_version == 6:
minimum = MINIMUM_BGP_PREFIX_IPV6
else:
raise ValueError('Unexpected IP version '
'{!r}.'.format(ip_version))
cache_key = bin(ip_integer)[2:minimum + 2]
result_json = self.cache.get(cache_key)
if result_json:
result = json.loads(result_json)
else:
result = Cymru.query(ip)
if not result:
continue
result_json = json.dumps(result)
self.cache.set(cache_key, result_json)
for result_key, result_value in result.items():
if result_key == 'registry' and result_value == 'other':
continue
event.add(key % result_key,
result_value,
overwrite=self.overwrite)
self.send_message(event)
self.acknowledge_message()
def process(self):
event = self.receive_message()
if event is None:
self.acknowledge_message()
return
keys = ["source.%s", "destination.%s"]
for key in keys:
ip_key = key % "ip"
if not event.contains(ip_key):
continue
ip = event.value(ip_key)
ip_version = IPAddress.version(ip)
ip_integer = IPAddress.to_int(ip)
if ip_version == 4:
minimum = MINIMUM_BGP_PREFIX_IPV4
elif ip_version == 6:
minimum = MINIMUM_BGP_PREFIX_IPV6
else:
raise ValueError('Unexpected IP version '
'{!r}.'.format(ip_version))
cache_key = bin(ip_integer)[2: minimum + 2]
result_json = self.cache.get(cache_key)
if result_json:
result = json.loads(result_json)
else:
result = Cymru.query(ip)
result_json = json.dumps(result)
self.cache.set(cache_key, result_json)
for result_key, result_value in result.items():
event.add(key % result_key, result_value, sanitize=True,
force=True)
self.send_message(event)
self.acknowledge_message()
def process(self):
event = self.receive_message()
keys = ["source.%s", "destination.%s"]
for key in keys:
ip_key = key % "ip"
if ip_key not in event:
continue
ip = event.get(ip_key)
ip_version = IPAddress.version(ip)
ip_integer = IPAddress.to_int(ip)
if ip_version == 4:
minimum = MINIMUM_BGP_PREFIX_IPV4
elif ip_version == 6:
minimum = MINIMUM_BGP_PREFIX_IPV6
else:
raise ValueError('Unexpected IP version '
'{!r}.'.format(ip_version))
cache_key = bin(ip_integer)[2: minimum + 2]
result_json = self.cache.get(cache_key)
if result_json:
result = json.loads(result_json)
else:
result = Cymru.query(ip)
if not result:
continue
result_json = json.dumps(result)
self.cache.set(cache_key, result_json)
for result_key, result_value in result.items():
if result_key == 'registry' and result_value == 'other':
continue
event.add(key % result_key, result_value, overwrite=True)
self.send_message(event)
self.acknowledge_message()
