def resourceQuery(self, id, target, targetType):
self.sf.debug("Querying " + id + " for maliciousness of " + target)
for check in malchecks.keys():
cid = malchecks[check]['id']
if id == cid and malchecks[check]['type'] == "query":
url = unicode(malchecks[check]['url'])
res = self.sf.fetchUrl(url.format(target), timeout=self.opts['_fetchtimeout'], useragent=self.opts['_useragent'])
if res['content'] is None:
self.sf.error("Unable to fetch " + url.format(target), False)
return None
if self.contentMalicious(res['content'],
malchecks[check]['goodregex'],
malchecks[check]['badregex']):
return url.format(target)
return None
def resourceList(self, id, target, targetType):
targetDom = ''
# Get the base domain if we're supplied a domain
if targetType == "domain":
targetDom = self.sf.hostDomain(target, self.opts['_internettlds'])
for check in malchecks.keys():
cid = malchecks[check]['id']
if id == cid and malchecks[check]['type'] == "list":
data = dict()
url = malchecks[check]['url']
data['content'] = self.sf.cacheGet("sfmal_" + cid, self.opts.get('cacheperiod', 0))
if data['content'] is None:
data = self.sf.fetchUrl(url, timeout=self.opts['_fetchtimeout'], useragent=self.opts['_useragent'])
if data['content'] is None:
self.sf.error("Unable to fetch " + url, False)
return None
else:
self.sf.cachePut("sfmal_" + cid, data['content'])
# If we're looking at netblocks
if targetType == "netblock":
iplist = list()
# Get the regex, replace {0} with an IP address matcher to
# build a list of IP.
# Cycle through each IP and check if it's in the netblock.
if 'regex' in malchecks[check]:
rx = malchecks[check]['regex'].replace("{0}",
"(\d+\.\d+\.\d+\.\d+)")
pat = re.compile(rx, re.IGNORECASE)
self.sf.debug("New regex for " + check + ": " + rx)
for line in data['content'].split('\n'):
grp = re.findall(pat, line)
if len(grp) > 0:
#self.sf.debug("Adding " + grp[0] + " to list.")
iplist.append(grp[0])
else:
iplist = data['content'].split('\n')
for ip in iplist:
if len(ip) < 8 or ip.startswith("#"):
continue
ip = ip.strip()
try:
if IPAddress(ip) in IPNetwork(target):
self.sf.debug(ip + " found within netblock/subnet " +
target + " in " + check)
return url
except Exception as e:
self.sf.debug("Error encountered parsing: " + str(e))
continue
return None
# If we're looking at hostnames/domains/IPs
if 'regex' not in malchecks[check]:
for line in data['content'].split('\n'):
if line == target or (targetType == "domain" and line == targetDom):
self.sf.debug(target + "/" + targetDom + " found in " + check + " list.")
return url
else:
# Check for the domain and the hostname
rxDom = unicode(malchecks[check]['regex']).format(targetDom)
rxTgt = unicode(malchecks[check]['regex']).format(target)
for line in data['content'].split('\n'):
if (targetType == "domain" and re.match(rxDom, line, re.IGNORECASE)) or \
re.match(rxTgt, line, re.IGNORECASE):
self.sf.debug(target + "/" + targetDom + " found in " + check + " list.")
return url
return None
