mirror of https://github.com/MISP/misp-modules
commit
3a57d11745
3 changed files with 62 additions and 1 deletions
@ -1,3 +1,3 @@ |
||||
from . import _vmray |
||||
|
||||
__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries'] |
||||
__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus'] |
||||
|
@ -0,0 +1,60 @@ |
||||
import json |
||||
import datetime |
||||
from collections import defaultdict |
||||
|
||||
try: |
||||
import dns.resolver |
||||
resolver = dns.resolver.Resolver() |
||||
resolver.timeout = 0.2 |
||||
resolver.lifetime = 0.2 |
||||
except ModuleNotFoundError: |
||||
print("dnspython3 is missing, use 'pip install dnspython3' to install it.") |
||||
sys.exit(0) |
||||
|
||||
misperrors = {'error': 'Error'} |
||||
mispattributes = {'input': ['domain', 'domain|ip', 'hostname', 'hostname|port'], 'output': ['text']} |
||||
moduleinfo = {'version': '0.1', 'author': 'Christian Studer', |
||||
'description': 'Checks Spamhaus DBL for a domain name.', |
||||
'module-type': ['expansion', 'hover']} |
||||
moduleconfig = [] |
||||
|
||||
dbl = 'dbl.spamhaus.org' |
||||
dbl_mapping = {'127.0.1.2': 'spam domain', |
||||
'127.0.1.4': 'phish domain', |
||||
'127.0.1.5': 'malware domain', |
||||
'127.0.1.6': 'botnet C&C domain', |
||||
'127.0.1.102': 'abused legit spam', |
||||
'127.0.1.103': 'abused spammed redirector domain', |
||||
'127.0.1.104': 'abused legit phish', |
||||
'127.0.1.105': 'abused legit malware', |
||||
'127.0.1.106': 'abused legit botnet C&C', |
||||
'127.0.1.255': 'IP queries prohibited!'} |
||||
|
||||
def fetch_requested_value(request): |
||||
for attribute_type in mispattributes['input']: |
||||
if request.get(attribute_type): |
||||
return request[attribute_type].split('|')[0] |
||||
return None |
||||
|
||||
def handler(q=False): |
||||
if q is False: |
||||
return False |
||||
request = json.loads(q) |
||||
requested_value = fetch_requested_value(request) |
||||
if requested_value is None: |
||||
misperrors['error'] = "Unsupported attributes type" |
||||
return misperrors |
||||
query = "{}.{}".format(requested_value, dbl) |
||||
try: |
||||
query_result = resolver.query(query, 'A')[0] |
||||
result = "{} - {}".format(requested_value, dbl_mapping[str(query_result)]) |
||||
except Exception as e: |
||||
result = e |
||||
return {'results': [{'types': mispattributes.get('output'), 'values': result}]} |
||||
|
||||
def introspection(): |
||||
return mispattributes |
||||
|
||||
def version(): |
||||
moduleinfo['config'] = moduleconfig |
||||
return moduleinfo |
Loading…
Reference in new issue