示例#1
0
def process(i):
    if not ENABLED:
        return

    if i.itype not in ['ipv4', 'ipv6']:
        return

    if i.provider == 'spamhaus.org' and not is_ipv4_net(i.indicator):
        return

    try:
        r = _resolve(i.indicator)
    except Exception as e:
        return

    r = CODES.get(str(r), None)
    if not r:
        return

    f = Indicator(**i.__dict__())

    f.tags = [r['tags']]
    f.description = r['description']
    f.confidence = CONFIDENCE
    f.provider = PROVIDER
    f.reference_tlp = 'white'
    f.reference = 'http://www.spamhaus.org/query/bl?ip={}'.format(f.indicator)
    f.lasttime = arrow.utcnow()
    f.probability = 0
    return f
示例#2
0
def process(i):
    if not ENABLED:
        return

    if i.itype != 'url':
        return

    if i.probability:
        return

    for t in i.tags:
        if t == 'predicted':
            return

    if not predict(i.indicator):
        return

    i = Indicator(**i.__dict__())
    i.lasttime = arrow.utcnow()
    i.confidence = 4
    i.probability = 84
    i.provider = 'csirtgadgets.com'
    i.reference = 'https://github.com/csirtgadgets/csirtg-urlsml-py' + '#' + VERSION

    tags = set(i.tags)
    tags.add('predicted')
    i.tags = list(tags)

    return i
示例#3
0
def process(i):
    if not ENABLED:
        return

    if i.itype != 'fqdn':
        return

    if i.provider == 'spamhaus.org':
        return

    r = _resolve(i.indicator)
    r = CODES.get(str(r), None)

    if not r:
        return

    confidence = CONFIDENCE
    if ' legit ' in r['description']:
        confidence = 1

    f = Indicator(**i.__dict__())

    f.tags = [r['tags']]
    f.description = r['description']
    f.confidence = confidence
    f.provider = PROVIDER
    f.reference_tlp = 'white'
    f.reference = 'http://www.spamhaus.org/query/dbl?domain={}'.format(
        f.indicator)
    f.lasttime = arrow.utcnow()
    f.probability = 0
    return f
示例#4
0
def process(i):
    if not ENABLED:
        return

    if i.itype != 'fqdn':
        return

    try:
        r = resolve_ns(i.indicator)
        if not r:
            return
    except Timeout:
        return

    rv = []

    for rr in r:
        rr = str(rr)
        if rr in ["", 'localhost']:
            continue

        ip = Indicator(**i.__dict__())
        ip.lasttime = arrow.utcnow()

        ip.indicator = rr
        try:
            resolve_itype(ip.indicator)
        except:
            continue

        ip.itype = 'ipv4'
        ip.rdata = i.indicator
        ip.confidence = 1
        ip.probability = 0
        rv.append(ip)

        pdns = Indicator(**copy.deepcopy(i.__dict__()))

        # also create a passive dns tag
        pdns.tags = 'pdns'
        pdns.confidence = 4
        pdns.probability = i.probability
        pdns.indicator = ip.indicator
        pdns.rdata = i.indicator
        rv.append(pdns)

    return rv
示例#5
0
def process(i):
    return
    if not ENABLED:
        return

    if i.itype != 'fqdn':
        return

    if 'search' in i.tags:
        return

    try:
        r = resolve_ns(i.indicator, t='MX')
        if not r:
            return
    except Timeout:
        return

    rv = []

    for rr in r:
        rr = re.sub(r'^\d+ ', '', str(rr))
        rr = str(rr).rstrip('.')

        if rr in ["", 'localhost']:
            continue

        # 10
        if re.match('^\d+$', rr):
            continue

        fqdn = Indicator(**i.__dict__())
        fqdn.probability = 0
        fqdn.indicator = rr.rstrip('.')
        fqdn.lasttime = arrow.utcnow()

        try:
            resolve_itype(fqdn.indicator)
        except:
            continue

        fqdn.itype = 'fqdn'
        fqdn.rdata = i.indicator
        fqdn.confidence = 0
        rv.append(fqdn)

    return rv
示例#6
0
def process(i):
    if i.itype != 'fqdn':
        return

    if not i.is_subdomain():
        return

    fqdn = Indicator(**i.__dict__())
    fqdn.probability = 0
    fqdn.indicator = i.is_subdomain()
    fqdn.lasttime = arrow.utcnow()

    try:
        resolve_itype(fqdn.indicator)
    except:
        return

    fqdn.confidence = 1
    return fqdn
示例#7
0
def process(i):
    if i.itype not in ['ipv4', 'ipv6']:
        return

    if 'whitelist' not in i.tags:
        return

    prefix = i.indicator.split('.')
    prefix = prefix[:3]
    prefix.append('0/24')
    prefix = '.'.join(prefix)

    ii = Indicator(**i.__dict__())
    ii.probability = 0
    ii.lasttime = arrow.utcnow()

    ii.indicator = prefix
    ii.tags = ['whitelist']
    ii.confidence = 2
    return ii
示例#8
0
def process(i):
    return
    if not ENABLED:
        return

    if i.itype != 'fqdn':
        return

    if 'search' in i.tags:
        return

    try:
        r = resolve_ns(i.indicator)
        if not r:
            return
    except Timeout:
        return

    rv = []

    for rr in r:
        if str(rr).rstrip('.') in ["", 'localhost']:
            continue

        ip = Indicator(**i.__dict__())
        ip.probability = 0
        ip.indicator = str(rr)
        ip.lasttime = arrow.utcnow()

        try:
            resolve_itype(ip.indicator)
        except:
            continue

        ip.itype = 'ipv4'
        ip.rdata = i.indicator
        ip.confidence = 0
        rv.append(ip)

    return rv
示例#9
0
def process(i):
    if not ENABLED:
        return

    if i.itype != 'fqdn':
        return

    try:
        r = resolve_ns(i.indicator, t='CNAME')
        if not r:
            return
    except Timeout:
        return

    rv = []

    for rr in r:
        # http://serverfault.com/questions/44618/is-a-wildcard-cname-dns-record-valid
        rr = str(rr).rstrip('.').lstrip('*.')
        if rr in ['', 'localhost']:
            continue

        fqdn = Indicator(**i.__dict__())
        fqdn.probability = 0
        fqdn.indicator = rr
        fqdn.lasttime = arrow.utcnow()

        try:
            resolve_itype(fqdn.indicator)
        except:
            return

        fqdn.itype = 'fqdn'
        # keep avoid recursive cname lookups
        fqdn.confidence = int(fqdn.confidence /
                              2) if fqdn.confidence >= 2 else 0
        rv.append(fqdn)

    return rv
示例#10
0
def process(i):
    if not ENABLED:
        return

    if i.itype != 'fqdn':
        return

    if i.probability:
        return

    if not predict(i.indicator):
        return

    fqdn = Indicator(**i.__dict__())
    fqdn.lasttime = arrow.utcnow()
    fqdn.confidence = 4
    fqdn.probability = 84
    fqdn.provider = 'csirtgadgets.com'
    fqdn.reference = 'https://github.com/csirtgadgets/csirtg-domainsml-py' + '#' + VERSION
    tags = set(fqdn.tags)
    tags.add('predicted')
    fqdn.tags = list(tags)

    return fqdn
示例#11
0
def process(i):
    if i.itype != 'url':
        return

    u = urlparse(i.indicator)
    if not u.hostname:
        return

    try:
        resolve_itype(u.hostname)
    except TypeError as e:
        logger.error(u.hostname)
        logger.error(e)
        return

    fqdn = Indicator(**i.__dict__())
    fqdn.lasttime = arrow.utcnow()
    fqdn.indicator = u.hostname
    fqdn.itype = 'fqdn'
    fqdn.confidence = 2
    fqdn.rdata = i.indicator
    fqdn.probability = 0

    return fqdn