mirror of https://github.com/MISP/misp-modules
GitHub
commit
be258ce2b6
|
|
@ -0,0 +1,112 @@
|
|||
import json
|
||||
import datetime
|
||||
|
||||
try:
|
||||
import dns.resolver
|
||||
resolver = dns.resolver.Resolver()
|
||||
resolver.timeout = 0.2
|
||||
resolver.lifetime = 0.2
|
||||
except:
|
||||
print("dnspython3 is missing, use 'pip install dnspython3' to install it.")
|
||||
sys.exit(0)
|
||||
|
||||
misperrors = {'error': 'Error'}
|
||||
mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['text']}
|
||||
moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
|
||||
'description': 'Check an IPv4 address against known RBLs.',
|
||||
'module-type': ['expansion', 'hover']}
|
||||
moduleconfig = []
|
||||
|
||||
rbls = {
|
||||
'spam.spamrats.com': 'http://www.spamrats.com',
|
||||
'spamguard.leadmon.net': 'http://www.leadmon.net/SpamGuard/',
|
||||
'rbl-plus.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html',
|
||||
'web.dnsbl.sorbs.net': 'http://www.sorbs.net',
|
||||
'ix.dnsbl.manitu.net': 'http://www.dnsbl.manitu.net',
|
||||
'virus.rbl.jp': 'http://www.rbl.jp',
|
||||
'dul.dnsbl.sorbs.net': 'http://www.sorbs.net',
|
||||
'bogons.cymru.com': 'http://www.team-cymru.org/Services/Bogons/',
|
||||
'psbl.surriel.com': 'http://psbl.surriel.com',
|
||||
'misc.dnsbl.sorbs.net': 'http://www.sorbs.net',
|
||||
'httpbl.abuse.ch': 'http://dnsbl.abuse.ch',
|
||||
'combined.njabl.org': 'http://combined.njabl.org',
|
||||
'smtp.dnsbl.sorbs.net': 'http://www.sorbs.net',
|
||||
'korea.services.net': 'http://korea.services.net',
|
||||
'drone.abuse.ch': 'http://dnsbl.abuse.ch',
|
||||
'rbl.efnetrbl.org': 'http://rbl.efnetrbl.org',
|
||||
'cbl.anti-spam.org.cn': 'http://www.anti-spam.org.cn/?Locale=en_US',
|
||||
'b.barracudacentral.org': 'http://www.barracudacentral.org/rbl/removal-request',
|
||||
'bl.spamcannibal.org': 'http://www.spamcannibal.org',
|
||||
'xbl.spamhaus.org': 'http://www.spamhaus.org/xbl/',
|
||||
'zen.spamhaus.org': 'http://www.spamhaus.org/zen/',
|
||||
'rbl.suresupport.com': 'http://suresupport.com/postmaster',
|
||||
'db.wpbl.info': 'http://www.wpbl.info',
|
||||
'sbl.spamhaus.org': 'http://www.spamhaus.org/sbl/',
|
||||
'http.dnsbl.sorbs.net': 'http://www.sorbs.net',
|
||||
'csi.cloudmark.com': 'http://www.cloudmark.com/en/products/cloudmark-sender-intelligence/index',
|
||||
'rbl.interserver.net': 'http://rbl.interserver.net',
|
||||
'ubl.unsubscore.com': 'http://www.lashback.com/blacklist/',
|
||||
'dnsbl.sorbs.net': 'http://www.sorbs.net',
|
||||
'virbl.bit.nl': 'http://virbl.bit.nl',
|
||||
'pbl.spamhaus.org': 'http://www.spamhaus.org/pbl/',
|
||||
'socks.dnsbl.sorbs.net': 'http://www.sorbs.net',
|
||||
'short.rbl.jp': 'http://www.rbl.jp',
|
||||
'dnsbl.dronebl.org': 'http://www.dronebl.org',
|
||||
'blackholes.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html',
|
||||
'truncate.gbudb.net': 'http://www.gbudb.com/truncate/index.jsp',
|
||||
'dyna.spamrats.com': 'http://www.spamrats.com',
|
||||
'spamrbl.imp.ch': 'http://antispam.imp.ch',
|
||||
'spam.dnsbl.sorbs.net': 'http://www.sorbs.net',
|
||||
'wormrbl.imp.ch': 'http://antispam.imp.ch',
|
||||
'query.senderbase.org': 'http://www.senderbase.org/about',
|
||||
'opm.tornevall.org': 'http://dnsbl.tornevall.org',
|
||||
'netblock.pedantic.org': 'http://pedantic.org',
|
||||
'access.redhawk.org': 'http://www.redhawk.org/index.php?option=com_wrapper&Itemid=33',
|
||||
'cdl.anti-spam.org.cn': 'http://www.anti-spam.org.cn/?Locale=en_US',
|
||||
'multi.surbl.org': 'http://www.surbl.org',
|
||||
'noptr.spamrats.com': 'http://www.spamrats.com',
|
||||
'dnsbl.inps.de': 'http://dnsbl.inps.de/index.cgi?lang=en',
|
||||
'bl.spamcop.net': 'http://bl.spamcop.net',
|
||||
'cbl.abuseat.org': 'http://cbl.abuseat.org',
|
||||
'dsn.rfc-ignorant.org': 'http://www.rfc-ignorant.org/policy-dsn.php',
|
||||
'zombie.dnsbl.sorbs.net': 'http://www.sorbs.net',
|
||||
'dnsbl.njabl.org': 'http://dnsbl.njabl.org',
|
||||
'relays.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html',
|
||||
'rbl.spamlab.com': 'http://tools.appriver.com/index.aspx?tool=rbl',
|
||||
'all.bl.blocklist.de': 'http://www.blocklist.de/en/rbldns.html'
|
||||
}
|
||||
|
||||
def handler(q=False):
|
||||
if q is False:
|
||||
return False
|
||||
request = json.loads(q)
|
||||
if request.get('ip-src'):
|
||||
ip = request['ip-src']
|
||||
elif request.get('ip-dst'):
|
||||
ip = request['ip-dst']
|
||||
else:
|
||||
misperrors['error'] = "Unsupported attributes type"
|
||||
return misperrors
|
||||
listed = []
|
||||
info = []
|
||||
for rbl in rbls:
|
||||
ipRev = '.'.join(ip.split('.')[::-1])
|
||||
query = '{}.{}'.format(ipRev, rbl)
|
||||
try:
|
||||
txt = resolver.query(query,'TXT')
|
||||
listed.append(query)
|
||||
info.append(str(txt[0]))
|
||||
except:
|
||||
continue
|
||||
result = {}
|
||||
for l, i in zip(listed, info):
|
||||
result[l] = i
|
||||
r = {'results': [{'types': mispattributes.get('output'), 'values': json.dumps(result)}]}
|
||||
return r
|
||||
|
||||
def introspection():
|
||||
return mispattributes
|
||||
|
||||
def version():
|
||||
moduleinfo['config'] = moduleconfig
|
||||
return moduleinfo
|
||||
Loading…
Reference in New Issue