def process(self):
    """Add ``asn`` and ``network`` for source/destination IPs from the local ASN database.

    Each side with an ``ip`` is looked up in ``self.database``; element 0 of the
    result is written as ``asn`` and element 1 as ``network``, both with
    ``force=True`` (existing values are replaced). IPv6 addresses are skipped.
    A ``None`` message is acknowledged and the call returns without sending.
    """
    event = self.receive_message()
    if event is None:
        self.acknowledge_message()
        return

    for side in ("source.", "destination."):
        ip_key = side + "ip"
        if not event.contains(ip_key):
            continue

        address = event.get(ip_key)
        # IPv6 is not supported by pyasn yet, so only IPv4 is resolved
        if IPAddress.version(address) == 6:
            continue

        entry = self.database.lookup(address)
        if not entry:
            continue
        if entry[0]:
            event.add(side + "asn", str(entry[0]), force=True)
        if entry[1]:
            event.add(side + "network", str(entry[1]), force=True)

    self.send_message(event)
    self.acknowledge_message()
def process(self):
    """Add Cymru whois fields for source and destination IPs.

    Results are cached as JSON under ``CACHE_KEY % (ip_version, address)``;
    an empty answer is logged and cached as well, so a second event for the
    same address does not trigger another query. Every returned field is
    written to the event with ``overwrite=self.overwrite``, except
    ``registry`` when its value is ``other``.
    """
    event = self.receive_message()

    for key in ("source.%s", "destination.%s"):
        ip_key = key % "ip"
        if ip_key not in event:
            continue

        address = event.get(ip_key)
        cache_key = CACHE_KEY % (IPAddress.version(address), address)
        cached = self.cache_get(cache_key)

        if cached:
            result = json.loads(cached)
        else:
            result = Cymru.query(address)
            if not result:
                self.logger.info('Got no result from Cymru for IP address %r.', address)
            # negative results are cached too
            self.cache_set(cache_key, json.dumps(result))

        if not result:
            continue

        for field, value in result.items():
            if field == 'registry' and value == 'other':
                continue
            event.add(key % field, value, overwrite=self.overwrite)

    self.send_message(event)
    self.acknowledge_message()
def process(self):
    """Add ``asn`` and ``network`` for source/destination IPs from the local ASN database.

    Element 0 of the database answer becomes ``asn``, element 1 ``network``;
    both are written with ``force=True``. IPv6 addresses are skipped.
    """
    event = self.receive_message()

    for side in ("source.", "destination."):
        ip_key = side + "ip"
        if not event.contains(ip_key):
            continue

        address = event.get(ip_key)
        # IPv6 is not supported by pyasn yet, so only IPv4 is resolved
        if IPAddress.version(address) == 6:
            continue

        entry = self.database.lookup(address)
        if not entry:
            continue
        if entry[0]:
            event.add(side + "asn", str(entry[0]), force=True)
        if entry[1]:
            event.add(side + "network", str(entry[1]), force=True)

    self.send_message(event)
    self.acknowledge_message()
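def process(self):
    """Add a ``reverse_dns`` (PTR) value for source and destination IPs.

    The cache key is the first MINIMUM_BGP_PREFIX_IPV4/6 bits of the address,
    so all addresses of that prefix share one cached answer. On a miss the PTR
    query is sent; NXDOMAIN skips the key, any other DNSException leaves the
    event untouched, and a successful answer is cached until the record's
    expiration. A ``None`` message is acknowledged and the call returns.

    Fix: an IP version other than 4 or 6 logged the error, sent and
    acknowledged the message and then fell through to
    ``bin(ip_integer)[2:minimum + 2]`` with ``minimum`` unbound
    (UnboundLocalError). The branch now returns after acknowledging.
    """
    event = self.receive_message()
    if event is None:
        self.acknowledge_message()
        return

    keys = ["source.%s", "destination.%s"]
    for key in keys:
        ip_key = key % "ip"
        if not event.contains(ip_key):
            continue

        ip = event.value(ip_key)
        ip_version = IPAddress.version(ip)
        ip_integer = IPAddress.to_int(ip)
        if ip_version == 4:
            minimum = MINIMUM_BGP_PREFIX_IPV4
        elif ip_version == 6:
            minimum = MINIMUM_BGP_PREFIX_IPV6
        else:
            self.logger.error("Invalid IP version {!r}".format(ip_version))
            self.send_message(event)
            self.acknowledge_message()
            return  # was missing: 'minimum' is unbound below this point

        cache_key = bin(ip_integer)[2:minimum + 2]
        cachevalue = self.cache.get(cache_key)
        result = None
        if cachevalue:
            result = cachevalue
        else:
            rev_name = reversename.from_address(ip)
            try:
                answer = resolver.query(rev_name, "PTR")
                expiration = answer.expiration
                result = answer[0]
            except dns.exception.DNSException as e:
                if isinstance(e, dns.resolver.NXDOMAIN):
                    continue
                # other DNS errors: best effort, result stays None
            else:
                ttl = datetime.fromtimestamp(expiration) - datetime.now()
                self.cache.set(cache_key, str(result), ttl=int(ttl.total_seconds()))

        if result is not None:
            event.add(key % 'reverse_dns', str(result), sanitize=True, force=True)

    self.send_message(event)
    self.acknowledge_message()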
def process(self):
    """Add a validated ``reverse_dns`` (PTR) value for source and destination IPs.

    Cache key: the first MINIMUM_BGP_PREFIX_IPV4/6 bits of the address, so all
    addresses in that prefix share one cached answer. A cached
    DNS_EXCEPTION_VALUE marks an earlier failure and skips the key. On a miss
    the first PTR answer that passes the ``source.reverse_dns`` harmonization
    check is used (PTR content is set by the reverse zone's owner, so it is
    validated before it is written); if none passes, or the query raises a
    DNSException, DNS_EXCEPTION_VALUE is cached (NXDOMAIN: the cache's default
    TTL, otherwise the ``cache_ttl_invalid_response`` parameter, default 60).
    A valid answer is cached until the record expires.
    """
    event = self.receive_message()

    for key in ("source.%s", "destination.%s"):
        ip_key = key % "ip"
        if ip_key not in event:
            continue

        ip = event.get(ip_key)
        ip_version = IPAddress.version(ip)
        ip_integer = IPAddress.to_int(ip)
        # NOTE(review): no branch for other versions; 'minimum' stays unbound then
        if ip_version == 4:
            minimum = MINIMUM_BGP_PREFIX_IPV4
        elif ip_version == 6:
            minimum = MINIMUM_BGP_PREFIX_IPV6

        cache_key = bin(ip_integer)[2:minimum + 2]
        cachevalue = self.cache.get(cache_key)
        if cachevalue == DNS_EXCEPTION_VALUE:
            continue

        if cachevalue:
            result = cachevalue
        else:
            rev_name = reversename.from_address(ip)
            try:
                answers = resolver.query(rev_name, "PTR")
                expiration = answers.expiration
                # first answer accepted by the harmonization check
                result = next((r for r in answers
                               if event.is_valid('source.reverse_dns', str(r))),
                              None)
                if result is None:
                    raise InvalidPTRResult
            except (dns.exception.DNSException, InvalidPTRResult) as exc:
                if isinstance(exc, dns.resolver.NXDOMAIN):
                    ttl = None
                else:
                    ttl = getattr(self.parameters, "cache_ttl_invalid_response", 60)
                self.cache.set(cache_key, DNS_EXCEPTION_VALUE, ttl)
                result = None
            else:
                ttl = datetime.fromtimestamp(expiration) - datetime.now()
                self.cache.set(cache_key, str(result), ttl=int(ttl.total_seconds()))

        if result is not None:
            event.add(key % 'reverse_dns', str(result), overwrite=True)

    self.send_message(event)
    self.acknowledge_message()
def process(self):
    """Add a validated ``reverse_dns`` (PTR) value for source and destination IPs.

    Cache key: the first MINIMUM_BGP_PREFIX_IPV4/6 bits of the address, so all
    addresses in that prefix share one cached answer. A cached
    DNS_EXCEPTION_VALUE marks an earlier failure and skips the key. On a miss
    the first PTR answer that passes the ``source.reverse_dns`` harmonization
    check is used (PTR content is set by the reverse zone's owner, so it is
    validated before it is written); if none passes, or the query raises a
    DNSException, DNS_EXCEPTION_VALUE is cached (NXDOMAIN: the cache's default
    TTL, otherwise the ``cache_ttl_invalid_response`` parameter, default 60).
    A valid answer is cached until the record expires.
    """
    event = self.receive_message()

    for key in ("source.%s", "destination.%s"):
        ip_key = key % "ip"
        if ip_key not in event:
            continue

        ip = event.get(ip_key)
        ip_version = IPAddress.version(ip)
        ip_integer = IPAddress.to_int(ip)
        # NOTE(review): no branch for other versions; 'minimum' stays unbound then
        if ip_version == 4:
            minimum = MINIMUM_BGP_PREFIX_IPV4
        elif ip_version == 6:
            minimum = MINIMUM_BGP_PREFIX_IPV6

        cache_key = bin(ip_integer)[2:minimum + 2]
        cachevalue = self.cache.get(cache_key)
        if cachevalue == DNS_EXCEPTION_VALUE:
            continue

        if cachevalue:
            result = cachevalue
        else:
            rev_name = reversename.from_address(ip)
            try:
                answers = resolver.query(rev_name, "PTR")
                expiration = answers.expiration
                # first answer accepted by the harmonization check
                result = next((r for r in answers
                               if event.is_valid('source.reverse_dns', str(r))),
                              None)
                if result is None:
                    raise InvalidPTRResult
            except (dns.exception.DNSException, InvalidPTRResult) as exc:
                if isinstance(exc, dns.resolver.NXDOMAIN):
                    ttl = None
                else:
                    ttl = getattr(self.parameters, "cache_ttl_invalid_response", 60)
                self.cache.set(cache_key, DNS_EXCEPTION_VALUE, ttl)
                result = None
            else:
                ttl = datetime.fromtimestamp(expiration) - datetime.now()
                self.cache.set(cache_key, str(result), ttl=int(ttl.total_seconds()))

        if result is not None:
            event.add(key % 'reverse_dns', str(result), overwrite=True)

    self.send_message(event)
    self.acknowledge_message()
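def process(self):
    """Add ``abuse_contact`` for source and destination IPs from the RIPE DB / RIPE stat.

    Which lookups run is controlled by ``self.query_db_asn``, ``query_db_ip``,
    ``query_stat_asn`` and ``query_stat_ip``. Lookup results are cached under
    the first MINIMUM_BGP_PREFIX_IPV4/6 bits of the address and read back with
    ``ast.literal_eval`` (the cache holds the list's repr; literal_eval accepts
    literals only). Contacts already present on the event are merged with the
    lookup results, de-duplicated and written with ``force=True``. A ``None``
    message is acknowledged and the call returns.

    Fix: the list written to the cache used to be the event's existing
    ``abuse_contact`` values *plus* the lookup results, so contacts that
    arrived with one event were served from the cache to every later event in
    the same prefix. Only the lookup results are cached now.

    Raises:
        ValueError: for an IP version other than 4 or 6.
    """
    event = self.receive_message()
    if event is None:
        self.acknowledge_message()
        return

    for key in ['source.', 'destination.']:
        ip_key = key + "ip"
        abuse_key = key + "abuse_contact"
        asn_key = key + "asn"

        ip = event.get(ip_key, None)
        if not ip:
            continue

        ip_version = IPAddress.version(ip)
        ip_integer = IPAddress.to_int(ip)
        if ip_version == 4:
            minimum = MINIMUM_BGP_PREFIX_IPV4
        elif ip_version == 6:
            minimum = MINIMUM_BGP_PREFIX_IPV6
        else:
            raise ValueError('Unexpected IP version '
                             '{!r}.'.format(ip_version))

        cache_key = bin(ip_integer)[2:minimum + 2]
        cache_result = self.cache.get(cache_key)

        # the event's own contacts are merged into the output but never cached
        abuse = (event.get(abuse_key).split(',')
                 if abuse_key in event else [])

        if cache_result:
            looked_up = [n.strip() for n in ast.literal_eval(cache_result)]
        else:
            looked_up = []
            asn = event.get(asn_key, None)
            if self.query_db_asn and asn:
                looked_up.extend(lib.query_asn(asn))
            if self.query_db_ip:
                looked_up.extend(lib.query_ripedb(ip))
            if self.query_stat_asn and asn:
                looked_up.extend(lib.query_ripestat(asn))
            if self.query_stat_ip:
                looked_up.extend(lib.query_ripestat(ip))
            self.cache.set(cache_key, looked_up)

        abuse.extend(looked_up)
        event.add(abuse_key, ','.join(filter(None, set(abuse))), force=True)

    self.send_message(event)
    self.acknowledge_message()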
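def process(self):
    """Add a ``reverse_dns`` (PTR) value for source and destination IPs.

    The cache key is the first MINIMUM_BGP_PREFIX_IPV4/6 bits of the address,
    so all addresses of that prefix share one cached answer. On a miss the PTR
    query is sent; NXDOMAIN skips the key, any other DNSException leaves the
    event untouched, and a successful answer is cached until the record's
    expiration. A ``None`` message is acknowledged and the call returns.

    Fix: an IP version other than 4 or 6 logged the error, sent and
    acknowledged the message and then fell through to
    ``bin(ip_integer)[2: minimum + 2]`` with ``minimum`` unbound
    (UnboundLocalError). The branch now returns after acknowledging.
    """
    event = self.receive_message()
    if event is None:
        self.acknowledge_message()
        return

    keys = ["source.%s", "destination.%s"]
    for key in keys:
        ip_key = key % "ip"
        if not event.contains(ip_key):
            continue

        ip = event.value(ip_key)
        ip_version = IPAddress.version(ip)
        ip_integer = IPAddress.to_int(ip)
        if ip_version == 4:
            minimum = MINIMUM_BGP_PREFIX_IPV4
        elif ip_version == 6:
            minimum = MINIMUM_BGP_PREFIX_IPV6
        else:
            self.logger.error("Invalid IP version {!r}".format(ip_version))
            self.send_message(event)
            self.acknowledge_message()
            return  # was missing: 'minimum' is unbound below this point

        cache_key = bin(ip_integer)[2: minimum + 2]
        cachevalue = self.cache.get(cache_key)
        result = None
        if cachevalue:
            result = cachevalue
        else:
            rev_name = reversename.from_address(ip)
            try:
                answer = resolver.query(rev_name, "PTR")
                expiration = answer.expiration
                result = answer[0]
            except dns.exception.DNSException as e:
                if isinstance(e, dns.resolver.NXDOMAIN):
                    continue
                # other DNS errors: best effort, result stays None
            else:
                ttl = datetime.fromtimestamp(expiration) - datetime.now()
                self.cache.set(cache_key, str(result), ttl=int(ttl.total_seconds()))

        if result is not None:
            event.add(key % 'reverse_dns', str(result), sanitize=True, force=True)

    self.send_message(event)
    self.acknowledge_message()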
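def process(self):
    """Add ``abuse_contact`` for source and destination IPs from the RIPE DB / RIPE stat.

    Which lookups run is controlled by ``self.query_db_asn``, ``query_db_ip``,
    ``query_stat_asn`` and ``query_stat_ip``. Lookup results are cached under
    the first MINIMUM_BGP_PREFIX_IPV4/6 bits of the address and read back with
    ``ast.literal_eval`` (the cache holds the list's repr; literal_eval accepts
    literals only). Contacts already present on the event are merged with the
    lookup results, de-duplicated and written with ``force=True``. A ``None``
    message is acknowledged and the call returns.

    Fix: the list written to the cache used to be the event's existing
    ``abuse_contact`` values *plus* the lookup results, so contacts that
    arrived with one event were served from the cache to every later event in
    the same prefix. Only the lookup results are cached now.

    Raises:
        ValueError: for an IP version other than 4 or 6.
    """
    event = self.receive_message()
    if event is None:
        self.acknowledge_message()
        return

    for key in ['source.', 'destination.']:
        ip_key = key + "ip"
        abuse_key = key + "abuse_contact"
        asn_key = key + "asn"

        ip = event.get(ip_key, None)
        if not ip:
            continue

        ip_version = IPAddress.version(ip)
        ip_integer = IPAddress.to_int(ip)
        if ip_version == 4:
            minimum = MINIMUM_BGP_PREFIX_IPV4
        elif ip_version == 6:
            minimum = MINIMUM_BGP_PREFIX_IPV6
        else:
            raise ValueError('Unexpected IP version '
                             '{!r}.'.format(ip_version))

        cache_key = bin(ip_integer)[2: minimum + 2]
        cache_result = self.cache.get(cache_key)

        # the event's own contacts are merged into the output but never cached
        abuse = (event.get(abuse_key).split(',')
                 if abuse_key in event else [])

        if cache_result:
            looked_up = [n.strip() for n in ast.literal_eval(cache_result)]
        else:
            looked_up = []
            asn = event.get(asn_key, None)
            if self.query_db_asn and asn:
                looked_up.extend(lib.query_asn(asn))
            if self.query_db_ip:
                looked_up.extend(lib.query_ripedb(ip))
            if self.query_stat_asn and asn:
                looked_up.extend(lib.query_ripestat(asn))
            if self.query_stat_ip:
                looked_up.extend(lib.query_ripestat(ip))
            self.cache.set(cache_key, looked_up)

        abuse.extend(looked_up)
        event.add(abuse_key, ','.join(filter(None, set(abuse))), force=True)

    self.send_message(event)
    self.acknowledge_message()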
def __ip_query(ip):
    """Run the Cymru IP lookup for ``ip`` and return the raw query result.

    The reverse-nibble form from ``IPAddress.to_reverse`` has its
    ``.in-addr.arpa.`` (IPv4) or ``.ip6.arpa.`` (IPv6) suffix stripped and is
    substituted into IP_QUERY together with the version tag ("" for IPv4,
    "6" for IPv6).
    """
    if IPAddress.version(ip) == 4:
        suffix, version = '.in-addr.arpa.', ""
    else:
        suffix, version = '.ip6.arpa.', "6"
    reverse = IPAddress.to_reverse(ip).split(suffix)[0]
    return Cymru.__query(IP_QUERY % (reverse, version))
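def process(self):
    """Add Cymru whois fields for source and destination IPs, cached per prefix.

    The cache key is the first MINIMUM_BGP_PREFIX_IPV4/6 bits of the address;
    the cached value is the JSON of the Cymru result. Every returned field is
    written to the event with ``sanitize=True, force=True``. A ``None``
    message is acknowledged and the call returns.

    Fix: when ``Cymru.query`` returned no result it was still serialised and
    cached, and ``result.items()`` then raised AttributeError on ``None`` —
    both on the miss and, because ``"null"`` sat in the cache, on every later
    hit for the prefix. Empty results are now skipped and not cached; an empty
    value already in the cache is skipped as well.

    Raises:
        ValueError: for an IP version other than 4 or 6.
    """
    event = self.receive_message()
    if event is None:
        self.acknowledge_message()
        return

    keys = ["source.%s", "destination.%s"]
    for key in keys:
        ip_key = key % "ip"
        if not event.contains(ip_key):
            continue

        ip = event.value(ip_key)
        ip_version = IPAddress.version(ip)
        ip_integer = IPAddress.to_int(ip)
        if ip_version == 4:
            minimum = MINIMUM_BGP_PREFIX_IPV4
        elif ip_version == 6:
            minimum = MINIMUM_BGP_PREFIX_IPV6
        else:
            raise ValueError('Unexpected IP version '
                             '{!r}.'.format(ip_version))

        cache_key = bin(ip_integer)[2:minimum + 2]
        result_json = self.cache.get(cache_key)
        if result_json:
            result = json.loads(result_json)
        else:
            result = Cymru.query(ip)
            if not result:
                # nothing to add and nothing worth caching
                continue
            self.cache.set(cache_key, json.dumps(result))

        if not result:
            # an empty entry written to the cache before this guard existed
            continue

        for result_key, result_value in result.items():
            event.add(key % result_key, result_value, sanitize=True, force=True)

    self.send_message(event)
    self.acknowledge_message()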
def process(self):
    """Add Cymru whois fields for source and destination IPs, cached per prefix.

    The cache key is the first MINIMUM_BGP_PREFIX_IPV4/6 bits of the address
    and the cached value the JSON of the Cymru result; an empty answer is
    neither cached nor written. Each returned field is added with
    ``overwrite=self.overwrite``, except ``registry`` when its value is
    ``other``.

    Raises:
        ValueError: for an IP version other than 4 or 6.
    """
    event = self.receive_message()

    for key in ("source.%s", "destination.%s"):
        ip_key = key % "ip"
        if ip_key not in event:
            continue

        ip = event.get(ip_key)
        ip_version = IPAddress.version(ip)
        if ip_version == 4:
            minimum = MINIMUM_BGP_PREFIX_IPV4
        elif ip_version == 6:
            minimum = MINIMUM_BGP_PREFIX_IPV6
        else:
            raise ValueError('Unexpected IP version '
                             '{!r}.'.format(ip_version))

        cache_key = bin(IPAddress.to_int(ip))[2:minimum + 2]
        cached = self.cache.get(cache_key)
        if cached:
            result = json.loads(cached)
        else:
            result = Cymru.query(ip)
            if not result:
                continue
            self.cache.set(cache_key, json.dumps(result))

        for field, value in result.items():
            if not (field == 'registry' and value == 'other'):
                event.add(key % field, value, overwrite=self.overwrite)

    self.send_message(event)
    self.acknowledge_message()
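def process(self):
    """Add Cymru whois fields for source and destination IPs, cached per prefix.

    The cache key is the first MINIMUM_BGP_PREFIX_IPV4/6 bits of the address;
    the cached value is the JSON of the Cymru result. Every returned field is
    written to the event with ``sanitize=True, force=True``. A ``None``
    message is acknowledged and the call returns.

    Fix: when ``Cymru.query`` returned no result it was still serialised and
    cached, and ``result.items()`` then raised AttributeError on ``None`` —
    both on the miss and, because ``"null"`` sat in the cache, on every later
    hit for the prefix. Empty results are now skipped and not cached; an empty
    value already in the cache is skipped as well.

    Raises:
        ValueError: for an IP version other than 4 or 6.
    """
    event = self.receive_message()
    if event is None:
        self.acknowledge_message()
        return

    keys = ["source.%s", "destination.%s"]
    for key in keys:
        ip_key = key % "ip"
        if not event.contains(ip_key):
            continue

        ip = event.value(ip_key)
        ip_version = IPAddress.version(ip)
        ip_integer = IPAddress.to_int(ip)
        if ip_version == 4:
            minimum = MINIMUM_BGP_PREFIX_IPV4
        elif ip_version == 6:
            minimum = MINIMUM_BGP_PREFIX_IPV6
        else:
            raise ValueError('Unexpected IP version '
                             '{!r}.'.format(ip_version))

        cache_key = bin(ip_integer)[2: minimum + 2]
        result_json = self.cache.get(cache_key)
        if result_json:
            result = json.loads(result_json)
        else:
            result = Cymru.query(ip)
            if not result:
                # nothing to add and nothing worth caching
                continue
            self.cache.set(cache_key, json.dumps(result))

        if not result:
            # an empty entry written to the cache before this guard existed
            continue

        for result_key, result_value in result.items():
            event.add(key % result_key, result_value, sanitize=True, force=True)

    self.send_message(event)
    self.acknowledge_message()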
def process(self):
    """Add Cymru whois fields for source and destination IPs, cached per prefix.

    The cache key is the first MINIMUM_BGP_PREFIX_IPV4/6 bits of the address
    and the cached value the JSON of the Cymru result; an empty answer is
    neither cached nor written. Each returned field is added with
    ``overwrite=True``, except ``registry`` when its value is ``other``.

    Raises:
        ValueError: for an IP version other than 4 or 6.
    """
    event = self.receive_message()

    for key in ("source.%s", "destination.%s"):
        ip_key = key % "ip"
        if ip_key not in event:
            continue

        ip = event.get(ip_key)
        ip_version = IPAddress.version(ip)
        if ip_version == 4:
            minimum = MINIMUM_BGP_PREFIX_IPV4
        elif ip_version == 6:
            minimum = MINIMUM_BGP_PREFIX_IPV6
        else:
            raise ValueError('Unexpected IP version '
                             '{!r}.'.format(ip_version))

        cache_key = bin(IPAddress.to_int(ip))[2: minimum + 2]
        cached = self.cache.get(cache_key)
        if cached:
            result = json.loads(cached)
        else:
            result = Cymru.query(ip)
            if not result:
                continue
            self.cache.set(cache_key, json.dumps(result))

        for field, value in result.items():
            if not (field == 'registry' and value == 'other'):
                event.add(key % field, value, overwrite=True)

    self.send_message(event)
    self.acknowledge_message()