From bdb726ca9ef405e8675254b7782f0c4e93b04458 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 24 Aug 2020 15:31:53 +0200
Subject: [PATCH] new: Add malicious listing on hostnode
---
 lookyloo/lookyloo.py | 30 ++++++++++++++++++-----
 website/web/templates/hostname_popup.html | 20 ++++++++++++++-
 2 files changed, 43 insertions(+), 7 deletions(-)
diff --git a/lookyloo/lookyloo.py b/lookyloo/lookyloo.py
index ea5d9668..6507fd05 100644
--- a/lookyloo/lookyloo.py
+++ b/lookyloo/lookyloo.py
@@ -168,7 +168,16 @@ class Indexing():
 return self.redis.sadd(f'bh|{urlnode.body_hash}|legitimate', urlnode.hostname)
+ def malicious_node(self, urlnode: URLNode) -> None:
+ if urlnode.empty_response:
+ return
+ self.redis.sadd('bh|malicious', urlnode.body_hash)
+
+ # Query DB
+ def is_legitimate(self, urlnode: URLNode) -> Optional[bool]:
+ if urlnode.empty_response:
+ return None
 hostnames = self.redis.smembers(f'bh|{urlnode.body_hash}|legitimate')
 if hostnames:
 if urlnode.hostname in hostnames:
@@ -178,11 +187,6 @@ class Indexing():
 return False
 return None # Unknown
- def malicious_node(self, urlnode: URLNode) -> None:
- if urlnode.empty_response:
- return None
- self.redis.sadd('bh|malicious', urlnode.body_hash)
-
 def is_malicious(self, urlnode: URLNode) -> Optional[bool]:
 if urlnode.empty_response:
 return None
@@ -195,6 +199,19 @@ class Indexing():
 return True
 return None
+ def legitimacy_details(self, urlnode: URLNode) -> Optional[Tuple[bool, Optional[List[str]]]]:
+ if urlnode.empty_response:
+ return None
+ hostnames = self.redis.smembers(f'bh|{urlnode.body_hash}|legitimate')
+ if hostnames:
+ if urlnode.hostname in hostnames:
+ return (True, hostnames)
+ else:
+ return (False, hostnames)
+ elif self.redis.sismember('bh|malicious', urlnode.body_hash):
+ return False
+ return None
+
 class Lookyloo():
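Review bot: In legitimacy_details (third hunk of lookyloo.py), the `elif self.redis.sismember('bh|malicious', urlnode.body_hash):` branch returns a bare `False` although the annotation promises `Optional[Tuple[bool, Optional[List[str]]]]`; because `False` is falsy, the template's `{% if url['legitimacy'] %}` guard in the hostname_popup.html hunk skips it and the "known malicious" text can never render. Return the tuple shape there instead: `return (False, None)`. The `hostnames` value comes from `smembers`, which in redis-py is a set rather than a list, so either convert it (`return (True, list(hostnames))` / `return (False, list(hostnames))`) or change the annotation to match; whether the members are str or bytes depends on the client's decode_responses setting, which is not visible here. `Tuple` and `List` also need to be imported from typing if they are not already, since only `Optional` appears in the surrounding code shown.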
@@ -851,7 +868,8 @@ class Lookyloo():
 to_append: Dict[str, Any] = {
 'encrypted': url.name.startswith('https'),
 'url_path': url.name.split('/', 3)[-1],
- 'url_object': url
+ 'url_object': url,
+ 'legitimacy': self.indexing.legitimacy_details(url)
 }
 if not url.empty_response:
diff --git a/website/web/templates/hostname_popup.html b/website/web/templates/hostname_popup.html
index c3e836ee..d2344588 100644
--- a/website/web/templates/hostname_popup.html
+++ b/website/web/templates/hostname_popup.html
@@ -126,11 +126,29 @@

{{ popup_icons(keys_response, url['url_object'], tree_uuid) }} +
{% if url['url_object'].empty_response %} Empty body. {% else %} - Body size: {{ sizeof_fmt(url['url_object'].body.getbuffer().nbytes) }} + {% if url['legitimacy'] and url['legitimacy'][0] == False %} + + {%endif%} + Body size: {{ sizeof_fmt(url['url_object'].body.getbuffer().nbytes) }} + {% if url['legitimacy'] %} + {% if url['legitimacy'][0] %} + - This file is known legitimate. + {% elif url['legitimacy'][0] == False %} + {% if url['legitimacy'][1] is iterable %} +
+ The response sould be considered as phishing unless it is served by the following domain(s): {{ ', '.join(url['legitimacy'][1]) }} +
+ {% else %} + - The response is known malicious. + {%endif%} + {%endif%} + {%endif%} {%endif%} +
{% if url['sane_js'] %} {# Result from SaneJS for the response #}
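Review bot: The user-facing message in the `is iterable` branch has a typo, `sould` → `should`: `The response should be considered as phishing unless it is served by the following domain(s): {{ ', '.join(url['legitimacy'][1]) }}`. The `== False` comparisons are a style point: inside the tuple the first element is always a bool, so `{% if url['legitimacy'] and not url['legitimacy'][0] %}` reads better, and the `{% elif url['legitimacy'][0] == False %}` that follows `{% if url['legitimacy'][0] %}` can simply be `{% else %}`. HTML tags appear to have been stripped from this hunk as shown and it may extend past the last visible line, so the `{%endif%}` nesting could not be fully checked.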