misp-modules/misp_modules/modules/expansion/rbl.py

import json
import sys

try:
    import dns.resolver
except ImportError:
    print("dnspython3 is missing, use 'pip install dnspython3' to install it.")
    sys.exit(0)

misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['text']}
moduleinfo = {
    'version': '0.2',
    'author': 'Christian Studer',
    'description': 'Module to check an IPv4 address against known RBLs.',
    'module-type': ['expansion', 'hover'],
    'name': 'Real-time Blackhost Lists Lookup',
    'logo': '',
    'requirements': ['dnspython3: DNS python3 library'],
    'features': 'This module takes an IP address attribute as input and queries multiple know Real-time Blackhost Lists to check if they have already seen this IP address.\n\nWe display then all the information we get from those different sources.',
    'references': ['[RBLs list](https://github.com/MISP/misp-modules/blob/8817de476572a10a9c9d03258ec81ca70f3d926d/misp_modules/modules/expansion/rbl.py#L20)'],
    'input': 'IP address attribute.',
    'output': 'Text with additional data from Real-time Blackhost Lists about the IP address.',
}
moduleconfig = ['timeout']

rbls = (
    "spam.spamrats.com",
    "spamguard.leadmon.net",
    "rbl-plus.mail-abuse.org",
    "web.dnsbl.sorbs.net",
    "ix.dnsbl.manitu.net",
    "virus.rbl.jp",
    "dul.dnsbl.sorbs.net",
    "bogons.cymru.com",
    "psbl.surriel.com",
    "misc.dnsbl.sorbs.net",
    "httpbl.abuse.ch",
    "combined.njabl.org",
    "smtp.dnsbl.sorbs.net",
    "korea.services.net",
    "drone.abuse.ch",
    "rbl.efnetrbl.org",
    "cbl.anti-spam.org.cn",
    "b.barracudacentral.org",
    "bl.spamcannibal.org",
    "xbl.spamhaus.org",
    "zen.spamhaus.org",
    "rbl.suresupport.com",
    "db.wpbl.info",
    "sbl.spamhaus.org",
    "http.dnsbl.sorbs.net",
    "csi.cloudmark.com",
    "rbl.interserver.net",
    "ubl.unsubscore.com",
    "dnsbl.sorbs.net",
    "virbl.bit.nl",
    "pbl.spamhaus.org",
    "socks.dnsbl.sorbs.net",
    "short.rbl.jp",
    "dnsbl.dronebl.org",
    "blackholes.mail-abuse.org",
    "truncate.gbudb.net",
    "dyna.spamrats.com",
    "spamrbl.imp.ch",
    "spam.dnsbl.sorbs.net",
    "wormrbl.imp.ch",
    "query.senderbase.org",
    "opm.tornevall.org",
    "netblock.pedantic.org",
    "access.redhawk.org",
    "cdl.anti-spam.org.cn",
    "multi.surbl.org",
    "noptr.spamrats.com",
    "dnsbl.inps.de",
    "bl.spamcop.net",
    "cbl.abuseat.org",
    "dsn.rfc-ignorant.org",
    "zombie.dnsbl.sorbs.net",
    "dnsbl.njabl.org",
    "relays.mail-abuse.org",
    "rbl.spamlab.com",
    "all.bl.blocklist.de"
)


def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    if request.get('ip-src'):
        ip = request['ip-src']
    elif request.get('ip-dst'):
        ip = request['ip-dst']
    else:
        misperrors['error'] = "Unsupported attributes type"
        return misperrors
    resolver = dns.resolver.Resolver()
    try:
        timeout = float(request['config']['timeout'])
    except (KeyError, ValueError):
        timeout = 0.4
    resolver.timeout = timeout
    resolver.lifetime = timeout
    infos = {}
    ipRev = '.'.join(ip.split('.')[::-1])
    for rbl in rbls:
        query = '{}.{}'.format(ipRev, rbl)
        try:
            txt = resolver.query(query, 'TXT')
            infos[query] = [str(t) for t in txt]
        except Exception:
            continue
    result = "\n".join([f"{rbl}: {'  -  '.join(info)}" for rbl, info in infos.items()])
    if not result:
        return {'error': 'No data found by querying known RBLs'}
    return {'results': [{'types': mispattributes.get('output'), 'values': result}]}


def introspection():
    return mispattributes


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo
Check an IPv4 address against known RBLs 2018-01-16 17:08:44 +01:00			`import json`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`import sys`
Check an IPv4 address against known RBLs 2018-01-16 17:08:44 +01:00
			`try:`
			`import dns.resolver`
fix: Making python 3.5 happy with the exception type ImportError 2018-09-08 02:53:15 +02:00			`except ImportError:`
Check an IPv4 address against known RBLs 2018-01-16 17:08:44 +01:00			`print("dnspython3 is missing, use 'pip install dnspython3' to install it.")`
			`sys.exit(0)`

			`misperrors = {'error': 'Error'}`
			`mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['text']}`
chg: [doc] Big doc revamp #680 2024-08-12 11:23:10 +02:00			`moduleinfo = {`
			`'version': '0.2',`
			`'author': 'Christian Studer',`
			`'description': 'Module to check an IPv4 address against known RBLs.',`
			`'module-type': ['expansion', 'hover'],`
			`'name': 'Real-time Blackhost Lists Lookup',`
			`'logo': '',`
			`'requirements': ['dnspython3: DNS python3 library'],`
			`'features': 'This module takes an IP address attribute as input and queries multiple know Real-time Blackhost Lists to check if they have already seen this IP address.\n\nWe display then all the information we get from those different sources.',`
			`'references': ['[RBLs list](https://github.com/MISP/misp-modules/blob/8817de476572a10a9c9d03258ec81ca70f3d926d/misp_modules/modules/expansion/rbl.py#L20)'],`
			`'input': 'IP address attribute.',`
			`'output': 'Text with additional data from Real-time Blackhost Lists about the IP address.',`
			`}`
chg: [rbl] Added a timeout parameter to change the resolver timeout & lifetime if needed 2021-04-16 22:00:27 +02:00			`moduleconfig = ['timeout']`
Check an IPv4 address against known RBLs 2018-01-16 17:08:44 +01:00
chg: [rbl] Small changes on the rbl list and the results handling 2021-04-16 16:45:38 +02:00			`rbls = (`
			`"spam.spamrats.com",`
			`"spamguard.leadmon.net",`
			`"rbl-plus.mail-abuse.org",`
			`"web.dnsbl.sorbs.net",`
			`"ix.dnsbl.manitu.net",`
			`"virus.rbl.jp",`
			`"dul.dnsbl.sorbs.net",`
			`"bogons.cymru.com",`
			`"psbl.surriel.com",`
			`"misc.dnsbl.sorbs.net",`
			`"httpbl.abuse.ch",`
			`"combined.njabl.org",`
			`"smtp.dnsbl.sorbs.net",`
			`"korea.services.net",`
			`"drone.abuse.ch",`
			`"rbl.efnetrbl.org",`
			`"cbl.anti-spam.org.cn",`
			`"b.barracudacentral.org",`
			`"bl.spamcannibal.org",`
			`"xbl.spamhaus.org",`
			`"zen.spamhaus.org",`
			`"rbl.suresupport.com",`
			`"db.wpbl.info",`
			`"sbl.spamhaus.org",`
			`"http.dnsbl.sorbs.net",`
			`"csi.cloudmark.com",`
			`"rbl.interserver.net",`
			`"ubl.unsubscore.com",`
			`"dnsbl.sorbs.net",`
			`"virbl.bit.nl",`
			`"pbl.spamhaus.org",`
			`"socks.dnsbl.sorbs.net",`
			`"short.rbl.jp",`
			`"dnsbl.dronebl.org",`
			`"blackholes.mail-abuse.org",`
			`"truncate.gbudb.net",`
			`"dyna.spamrats.com",`
			`"spamrbl.imp.ch",`
			`"spam.dnsbl.sorbs.net",`
			`"wormrbl.imp.ch",`
			`"query.senderbase.org",`
			`"opm.tornevall.org",`
			`"netblock.pedantic.org",`
			`"access.redhawk.org",`
			`"cdl.anti-spam.org.cn",`
			`"multi.surbl.org",`
			`"noptr.spamrats.com",`
			`"dnsbl.inps.de",`
			`"bl.spamcop.net",`
			`"cbl.abuseat.org",`
			`"dsn.rfc-ignorant.org",`
			`"zombie.dnsbl.sorbs.net",`
			`"dnsbl.njabl.org",`
			`"relays.mail-abuse.org",`
			`"rbl.spamlab.com",`
			`"all.bl.blocklist.de"`
			`)`
Check an IPv4 address against known RBLs 2018-01-16 17:08:44 +01:00
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00
Check an IPv4 address against known RBLs 2018-01-16 17:08:44 +01:00			`def handler(q=False):`
			`if q is False:`
			`return False`
			`request = json.loads(q)`
			`if request.get('ip-src'):`
			`ip = request['ip-src']`
			`elif request.get('ip-dst'):`
			`ip = request['ip-dst']`
			`else:`
			`misperrors['error'] = "Unsupported attributes type"`
			`return misperrors`
chg: [rbl] Added a timeout parameter to change the resolver timeout & lifetime if needed 2021-04-16 22:00:27 +02:00			`resolver = dns.resolver.Resolver()`
			`try:`
			`timeout = float(request['config']['timeout'])`
			`except (KeyError, ValueError):`
			`timeout = 0.4`
			`resolver.timeout = timeout`
			`resolver.lifetime = timeout`
chg: [rbl] Small changes on the rbl list and the results handling 2021-04-16 16:45:38 +02:00			`infos = {}`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`ipRev = '.'.join(ip.split('.')[::-1])`
Check an IPv4 address against known RBLs 2018-01-16 17:08:44 +01:00			`for rbl in rbls:`
			`query = '{}.{}'.format(ipRev, rbl)`
			`try:`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`txt = resolver.query(query, 'TXT')`
chg: [rbl] Small changes on the rbl list and the results handling 2021-04-16 16:45:38 +02:00			`infos[query] = [str(t) for t in txt]`
fix: Quick cleanup 2018-08-30 20:45:29 +02:00			`except Exception:`
chg: Modified output format 2018-01-16 19:46:52 +01:00			`continue`
chg: [rbl] Small changes on the rbl list and the results handling 2021-04-16 16:45:38 +02:00			`result = "\n".join([f"{rbl}: {' - '.join(info)}" for rbl, info in infos.items()])`
fix: Considering the case of empty results 2019-10-08 15:49:09 +02:00			`if not result:`
			`return {'error': 'No data found by querying known RBLs'}`
fix: Updated rbl module result format - More readable as str than dumped json 2018-11-20 10:43:17 +01:00			`return {'results': [{'types': mispattributes.get('output'), 'values': result}]}`
Check an IPv4 address against known RBLs 2018-01-16 17:08:44 +01:00
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00
Check an IPv4 address against known RBLs 2018-01-16 17:08:44 +01:00			`def introspection():`
			`return mispattributes`

fix: Make pep8 happy 2018-12-11 15:29:09 +01:00
Check an IPv4 address against known RBLs 2018-01-16 17:08:44 +01:00			`def version():`
			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`