Merge pull request #371 from GlennHD/master

Added GeoIP_City and GeoIP_ASN Database Modules

README.md

@@ -41,6 +41,8 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
 * [EUPI](misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en).
 * [Farsight DNSDB Passive DNS](misp_modules/modules/expansion/farsight_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
 * [GeoIP](misp_modules/modules/expansion/geoip_country.py) - a hover and expansion module to get GeoIP information from geolite/maxmind.
+* [GeoIP_City](misp_modules/modules/expansion/geoip_city.py) - a hover and expansion module to get GeoIP City information from geolite/maxmind.
+* [GeoIP_ASN](misp_modules/modules/expansion/geoip_asn.py) - a hover and expansion module to get GeoIP ASN information from geolite/maxmind.
 * [Greynoise](misp_modules/modules/expansion/greynoise.py) - a hover to get information from greynoise.
 * [hashdd](misp_modules/modules/expansion/hashdd.py) - a hover module to check file hashes against [hashdd.com](http://www.hashdd.com) including NSLR dataset.
 * [hibp](misp_modules/modules/expansion/hibp.py) - a hover module to lookup against Have I Been Pwned?

misp_modules/modules/expansion/__init__.py

@@ -6,7 +6,7 @@ sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')
 __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl',
            'countrycode', 'cve', 'cve_advanced', 'dns', 'btc_steroids', 'domaintools', 'eupi', 'eql',
            'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal',
-           'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep',
+           'whois', 'shodan', 'reversedns', 'geoip_asn', 'geoip_city', 'geoip_country', 'wiki', 'iprep',
            'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon',
            'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl',
            'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator',

misp_modules/modules/expansion/geoip_asn.py

@@ -0,0 +1,64 @@
+import json
+import geoip2.database
+import sys
+import logging
+
+log = logging.getLogger('geoip_asn')
+log.setLevel(logging.DEBUG)
+ch = logging.StreamHandler(sys.stdout)
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+ch.setFormatter(formatter)
+log.addHandler(ch)
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['ip-src', 'ip-dst', 'domain|ip'], 'output': ['freetext']}
+moduleconfig = ['local_geolite_db']
+# possible module-types: 'expansion', 'hover' or both
+moduleinfo = {'version': '0.1', 'author': 'GlennHD',
+              'description': 'Query a local copy of the Maxmind Geolite ASN database (MMDB format)',
+              'module-type': ['expansion', 'hover']}
+
+
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+
+    if not request.get('config') or not request['config'].get('local_geolite_db'):
+        return {'error': 'Please specify the path of your local copy of the Maxmind Geolite ASN database'}
+    path_to_geolite = request['config']['local_geolite_db']
+
+    if request.get('ip-dst'):
+        toquery = request['ip-dst']
+    elif request.get('ip-src'):
+        toquery = request['ip-src']
+    elif request.get('domain|ip'):
+        toquery = request['domain|ip'].split('|')[1]
+    else:
+        return False
+
+    try:
+        reader = geoip2.database.Reader(path_to_geolite)
+    except FileNotFoundError:
+        return {'error': f'Unable to locate the GeoLite database you specified ({path_to_geolite}).'}
+    log.debug(toquery)
+    try:
+        answer = reader.asn(toquery)
+        stringmap = 'ASN=' + str(answer.autonomous_system_number) + ', AS Org=' + str(answer.autonomous_system_organization)
+    except Exception as e:
+        misperrors['error'] = f"GeoIP resolving error: {e}"
+        return misperrors
+
+    r = {'results': [{'types': mispattributes['output'], 'values': stringmap}]}
+
+    return r
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo

misp_modules/modules/expansion/geoip_city.py

@@ -0,0 +1,65 @@
+import json
+import geoip2.database
+import sys
+import logging
+
+log = logging.getLogger('geoip_city')
+log.setLevel(logging.DEBUG)
+ch = logging.StreamHandler(sys.stdout)
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+ch.setFormatter(formatter)
+log.addHandler(ch)
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['ip-src', 'ip-dst', 'domain|ip'], 'output': ['freetext']}
+moduleconfig = ['local_geolite_db']
+# possible module-types: 'expansion', 'hover' or both
+moduleinfo = {'version': '0.1', 'author': 'GlennHD',
+              'description': 'Query a local copy of the Maxmind Geolite City database (MMDB format)',
+              'module-type': ['expansion', 'hover']}
+
+
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+
+    if not request.get('config') or not request['config'].get('local_geolite_db'):
+        return {'error': 'Please specify the path of your local copy of Maxminds Geolite database'}
+    path_to_geolite = request['config']['local_geolite_db']
+
+    if request.get('ip-dst'):
+        toquery = request['ip-dst']
+    elif request.get('ip-src'):
+        toquery = request['ip-src']
+    elif request.get('domain|ip'):
+        toquery = request['domain|ip'].split('|')[1]
+    else:
+        return False
+
+    try:
+        reader = geoip2.database.Reader(path_to_geolite)
+    except FileNotFoundError:
+        return {'error': f'Unable to locate the GeoLite database you specified ({path_to_geolite}).'}
+    log.debug(toquery)
+    try:
+        answer = reader.city(toquery)
+        stringmap = 'Continent=' + str(answer.continent.name) + ', Country=' + str(answer.country.name) + ', Subdivision=' + str(answer.subdivisions.most_specific.name) + ', City=' + str(answer.city.name)
+
+    except Exception as e:
+        misperrors['error'] = f"GeoIP resolving error: {e}"
+        return misperrors
+
+    r = {'results': [{'types': mispattributes['output'], 'values': stringmap}]}
+
+    return r
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo