mirror of https://github.com/MISP/misp-modules
commit
73161ad153
|
@ -23,6 +23,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
|
||||||
* [countrycode](misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to.
|
* [countrycode](misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to.
|
||||||
* [CrowdStrike Falcon](misp_modules/modules/expansion/crowdstrike_falcon.py) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
|
* [CrowdStrike Falcon](misp_modules/modules/expansion/crowdstrike_falcon.py) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
|
||||||
* [CVE](misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
|
* [CVE](misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
|
||||||
|
* [DBL Spamhaus](misp_modules/modules/expansion/dbl_spamhaus.py) - a hover module to check Spamhaus DBL for a domain name.
|
||||||
* [DNS](misp_modules/modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
|
* [DNS](misp_modules/modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
|
||||||
* [DomainTools](misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois.
|
* [DomainTools](misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois.
|
||||||
* [EUPI](misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en).
|
* [EUPI](misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en).
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
from . import _vmray
|
from . import _vmray
|
||||||
|
|
||||||
__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries']
|
__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus']
|
||||||
|
|
|
@ -0,0 +1,60 @@
|
||||||
|
import json
|
||||||
|
import datetime
|
||||||
|
from collections import defaultdict
|
||||||
|
|
||||||
|
try:
|
||||||
|
import dns.resolver
|
||||||
|
resolver = dns.resolver.Resolver()
|
||||||
|
resolver.timeout = 0.2
|
||||||
|
resolver.lifetime = 0.2
|
||||||
|
except ModuleNotFoundError:
|
||||||
|
print("dnspython3 is missing, use 'pip install dnspython3' to install it.")
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
|
misperrors = {'error': 'Error'}
|
||||||
|
mispattributes = {'input': ['domain', 'domain|ip', 'hostname', 'hostname|port'], 'output': ['text']}
|
||||||
|
moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
|
||||||
|
'description': 'Checks Spamhaus DBL for a domain name.',
|
||||||
|
'module-type': ['expansion', 'hover']}
|
||||||
|
moduleconfig = []
|
||||||
|
|
||||||
|
dbl = 'dbl.spamhaus.org'
|
||||||
|
dbl_mapping = {'127.0.1.2': 'spam domain',
|
||||||
|
'127.0.1.4': 'phish domain',
|
||||||
|
'127.0.1.5': 'malware domain',
|
||||||
|
'127.0.1.6': 'botnet C&C domain',
|
||||||
|
'127.0.1.102': 'abused legit spam',
|
||||||
|
'127.0.1.103': 'abused spammed redirector domain',
|
||||||
|
'127.0.1.104': 'abused legit phish',
|
||||||
|
'127.0.1.105': 'abused legit malware',
|
||||||
|
'127.0.1.106': 'abused legit botnet C&C',
|
||||||
|
'127.0.1.255': 'IP queries prohibited!'}
|
||||||
|
|
||||||
|
def fetch_requested_value(request):
|
||||||
|
for attribute_type in mispattributes['input']:
|
||||||
|
if request.get(attribute_type):
|
||||||
|
return request[attribute_type].split('|')[0]
|
||||||
|
return None
|
||||||
|
|
||||||
|
def handler(q=False):
|
||||||
|
if q is False:
|
||||||
|
return False
|
||||||
|
request = json.loads(q)
|
||||||
|
requested_value = fetch_requested_value(request)
|
||||||
|
if requested_value is None:
|
||||||
|
misperrors['error'] = "Unsupported attributes type"
|
||||||
|
return misperrors
|
||||||
|
query = "{}.{}".format(requested_value, dbl)
|
||||||
|
try:
|
||||||
|
query_result = resolver.query(query, 'A')[0]
|
||||||
|
result = "{} - {}".format(requested_value, dbl_mapping[str(query_result)])
|
||||||
|
except Exception as e:
|
||||||
|
result = e
|
||||||
|
return {'results': [{'types': mispattributes.get('output'), 'values': result}]}
|
||||||
|
|
||||||
|
def introspection():
|
||||||
|
return mispattributes
|
||||||
|
|
||||||
|
def version():
|
||||||
|
moduleinfo['config'] = moduleconfig
|
||||||
|
return moduleinfo
|
Loading…
Reference in New Issue