CIRCL
/
lookyloo
mirror of https://github.com/CIRCL/lookyloo
2
0
Fork 0
Code Issues Releases Wiki Activity

new: Add malicious listing on hostnode

pull/86/head
Raphaël Vinot 2020-08-24 15:31:53 +02:00
parent c5aabcf4a3
commit bdb726ca9e
2 changed files with 43 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
lookyloo/lookyloo.py
View File

@ -168,7 +168,16 @@ class Indexing():
return return
self.redis.sadd(f'bh|{urlnode.body_hash}|legitimate', urlnode.hostname) self.redis.sadd(f'bh|{urlnode.body_hash}|legitimate', urlnode.hostname)
def malicious_node(self, urlnode: URLNode) -> None:
if urlnode.empty_response:
return
self.redis.sadd('bh|malicious', urlnode.body_hash)
# Query DB
def is_legitimate(self, urlnode: URLNode) -> Optional[bool]: def is_legitimate(self, urlnode: URLNode) -> Optional[bool]:
if urlnode.empty_response:
return None
hostnames = self.redis.smembers(f'bh|{urlnode.body_hash}|legitimate') hostnames = self.redis.smembers(f'bh|{urlnode.body_hash}|legitimate')
if hostnames: if hostnames:
if urlnode.hostname in hostnames: if urlnode.hostname in hostnames:
@ -178,11 +187,6 @@ class Indexing():
return False return False
return None # Unknown return None # Unknown
def malicious_node(self, urlnode: URLNode) -> None:
if urlnode.empty_response:
return None
self.redis.sadd('bh|malicious', urlnode.body_hash)
def is_malicious(self, urlnode: URLNode) -> Optional[bool]: def is_malicious(self, urlnode: URLNode) -> Optional[bool]:
if urlnode.empty_response: if urlnode.empty_response:
return None return None
@ -195,6 +199,19 @@ class Indexing():
return True return True
return None return None
def legitimacy_details(self, urlnode: URLNode) -> Optional[Tuple[bool, Optional[List[str]]]]:
if urlnode.empty_response:
return None
hostnames = self.redis.smembers(f'bh|{urlnode.body_hash}|legitimate')
if hostnames:
if urlnode.hostname in hostnames:
return (True, hostnames)
else:
return (False, hostnames)
elif self.redis.sismember('bh|malicious', urlnode.body_hash):
return False
return None
class Lookyloo(): class Lookyloo():
@ -851,7 +868,8 @@ class Lookyloo():
to_append: Dict[str, Any] = { to_append: Dict[str, Any] = {
'encrypted': url.name.startswith('https'), 'encrypted': url.name.startswith('https'),
'url_path': url.name.split('/', 3)[-1], 'url_path': url.name.split('/', 3)[-1],
'url_object': url 'url_object': url,
'legitimacy': self.indexing.legitimacy_details(url)
} }
if not url.empty_response: if not url.empty_response:

20
website/web/templates/hostname_popup.html
View File

@ -126,11 +126,29 @@
</p> </p>
{{ popup_icons(keys_response, url['url_object'], tree_uuid) }} {{ popup_icons(keys_response, url['url_object'], tree_uuid) }}
<div>
{% if url['url_object'].empty_response %} {% if url['url_object'].empty_response %}
Empty body. Empty body.
{% else %} {% else %}
Body size: {{ sizeof_fmt(url['url_object'].body.getbuffer().nbytes) }} {% if url['legitimacy'] and url['legitimacy'][0] == False %}
<img src="/static/bomb.svg" title="Known malicious content in the response." width="21" height="21"/>
{%endif%} {%endif%}
Body size: {{ sizeof_fmt(url['url_object'].body.getbuffer().nbytes) }}
{% if url['legitimacy'] %}
{% if url['legitimacy'][0] %}
- This file is known <b>legitimate</b>.
{% elif url['legitimacy'][0] == False %}
{% if url['legitimacy'][1] is iterable %}
</br>
The response sould be considered as <b>phishing</b> unless it is served by <b>the following domain(s)</b>: {{ ', '.join(url['legitimacy'][1]) }}
</br>
{% else %}
- The response is known <b>malicious</b>.
{%endif%}
{%endif%}
{%endif%}
{%endif%}
</div>
{% if url['sane_js'] %} {% if url['sane_js'] %}
{# Result from SaneJS for the response #} {# Result from SaneJS for the response #}