Merge branch 'chrisr3d_patch' of github.com:chrisr3d/misp-modules

5 years ago · 3a57d11745
parent 9acf66053e 90baa1dd5a
commit 3a57d11745
3 changed files with 62 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -23,6 +23,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 * [countrycode](misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to.
 * [CrowdStrike Falcon](misp_modules/modules/expansion/crowdstrike_falcon.py) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
 * [CVE](misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
+* [DBL Spamhaus](misp_modules/modules/expansion/dbl_spamhaus.py) - a hover module to check Spamhaus DBL for a domain name.
 * [DNS](misp_modules/modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
 * [DomainTools](misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois.
 * [EUPI](misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en).
--- a/misp_modules/modules/expansion/init.py
+++ b/misp_modules/modules/expansion/init.py
@ -1,3 +1,3 @@
 from . import _vmray

-__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries']
+__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus']
--- a/misp_modules/modules/expansion/dbl_spamhaus.py
+++ b/misp_modules/modules/expansion/dbl_spamhaus.py
@ -0,0 +1,60 @@
+import json
+import datetime
+from collections import defaultdict
+
+try:
+    import dns.resolver
+    resolver = dns.resolver.Resolver()
+    resolver.timeout = 0.2
+    resolver.lifetime = 0.2
+except ModuleNotFoundError:
+    print("dnspython3 is missing, use 'pip install dnspython3' to install it.")
+    sys.exit(0)
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['domain', 'domain|ip', 'hostname', 'hostname|port'], 'output': ['text']}
+moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
+              'description': 'Checks Spamhaus DBL for a domain name.',
+              'module-type': ['expansion', 'hover']}
+moduleconfig = []
+
+dbl = 'dbl.spamhaus.org'
+dbl_mapping = {'127.0.1.2': 'spam domain',
+               '127.0.1.4': 'phish domain',
+               '127.0.1.5': 'malware domain',
+               '127.0.1.6': 'botnet C&C domain',
+               '127.0.1.102': 'abused legit spam',
+               '127.0.1.103': 'abused spammed redirector domain',
+               '127.0.1.104': 'abused legit phish',
+               '127.0.1.105': 'abused legit malware',
+               '127.0.1.106': 'abused legit botnet C&C',
+               '127.0.1.255': 'IP queries prohibited!'}
+
+def fetch_requested_value(request):
+    for attribute_type in mispattributes['input']:
+        if request.get(attribute_type):
+            return request[attribute_type].split('|')[0]
+    return None
+
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+    requested_value = fetch_requested_value(request)
+    if requested_value is None:
+        misperrors['error'] = "Unsupported attributes type"
+        return misperrors
+    query = "{}.{}".format(requested_value, dbl)
+    try:
+        query_result = resolver.query(query, 'A')[0]
+        result = "{} - {}".format(requested_value, dbl_mapping[str(query_result)])
+    except Exception as e:
+        result = e
+    return {'results': [{'types': mispattributes.get('output'), 'values': result}]}
+
+def introspection():
+    return mispattributes
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo