From 7a3f9a422d9fd5767634be95a4e0443b8ea5bf9d Mon Sep 17 00:00:00 2001
From: GlennHD
Date: Wed, 12 Feb 2020 21:28:41 -0600
Subject: [PATCH] Added GeoIP_City Enrichment module
---
 misp_modules/modules/expansion/geoip_city.py | 64 ++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 misp_modules/modules/expansion/geoip_city.py
diff --git a/misp_modules/modules/expansion/geoip_city.py b/misp_modules/modules/expansion/geoip_city.py
new file mode 100644
index 0000000..9c9f847
--- /dev/null
+++ b/misp_modules/modules/expansion/geoip_city.py
@@ -0,0 +1,64 @@
+import json
+import geoip2.database
+import sys
+import logging
+
+log = logging.getLogger('geoip_city')
+log.setLevel(logging.DEBUG)
+ch = logging.StreamHandler(sys.stdout)
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+ch.setFormatter(formatter)
+log.addHandler(ch)
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['ip-src', 'ip-dst', 'domain|ip'], 'output': ['freetext']}
+moduleconfig = ['local_geolite_db']
+# possible module-types: 'expansion', 'hover' or both
+moduleinfo = {'version': '0.1', 'author': 'GlennHD',
+ 'description': 'Query a local copy of the Maxmind Geolite City database (MMDB format)',
+ 'module-type': ['expansion', 'hover']}
+
+def handler(q=False):
+ if q is False:
+ return False
+ request = json.loads(q)
+
+ if not request.get('config') or not request['config'].get('local_geolite_db'):
+ return {'error': 'Please specify the path of your local copy of Maxminds Geolite database'}
+ path_to_geolite = request['config']['local_geolite_db']
+
+ if request.get('ip-dst'):
+ toquery = request['ip-dst']
+ elif request.get('ip-src'):
+ toquery = request['ip-src']
+ elif request.get('domain|ip'):
+ toquery = request['domain|ip'].split('|')[1]
+ else:
+ return False
+
+ try:
+ reader = geoip2.database.Reader(path_to_geolite)
+ except FileNotFoundError:
+ return {'error': f'Unable to locate the GeoLite database you specified ({path_to_geolite}).'}
+ log.debug(toquery)
+ try:
+ answer = reader.city(toquery)
+ stringmap = 'Continent=' + str(answer.continent.name) + ', Country=' + str(answer.country.name) + ', Subdivision=' + str(answer.subdivisions.most_specific.name) + ', City=' + str(answer.city.name)
+
+ except Exception as e:
+ misperrors['error'] = f"GeoIP resolving error: {e}"
+ return misperrors
+
+ r = {'results': [{'types': mispattributes['output'], 'values': stringmap}]}
+
+ return r
+
+
+def introspection():
+ return mispattributes
+
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
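Review bot: The `geoip2.database.Reader` opened in handler() is never closed, so every query leaks the open MMDB file (and its mapping) for the lifetime of the long-running misp-modules process; open it in a `with` block, which the geoip2 Reader supports as a context manager. The `except FileNotFoundError` around that open is also the only error caught there, so a configured path that is a directory, unreadable, or not an MMDB file escapes the handler as an unhandled exception instead of a module error — `OSError` covers the first two and putting the open inside the broader `except Exception` covers the rest. Separately, `misperrors['error'] = ...` mutates a module-level dict shared by every request this process serves, so a concurrent caller can receive another request's error text; return a fresh `{'error': ...}` dict instead. And `request['domain|ip'].split('|')[1]` raises IndexError on a value without a `|`, which should be rejected before the lookup rather than surfacing as a traceback.
```python
    try:
        with geoip2.database.Reader(path_to_geolite) as reader:
            answer = reader.city(toquery)
    except OSError:
        return {'error': f'Unable to open the GeoLite database you specified ({path_to_geolite}).'}
    except Exception as e:
        return {'error': f"GeoIP resolving error: {e}"}
    stringmap = 'Continent=' + str(answer.continent.name) + ', Country=' + str(answer.country.name) + ', Subdivision=' + str(answer.subdivisions.most_specific.name) + ', City=' + str(answer.city.name)
    # … unchanged: build and return r …
```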