From 18523c4ada89baadf68cc9a6b16292ae4bba3c16 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 16 Jan 2018 17:08:44 +0100
Subject: [PATCH 1/2] Check an IPv4 address against known RBLs
---
 misp_modules/modules/expansion/rbl.py | 117 ++++++++++++++++++++++++++
 1 file changed, 117 insertions(+)
 create mode 100644 misp_modules/modules/expansion/rbl.py
diff --git a/misp_modules/modules/expansion/rbl.py b/misp_modules/modules/expansion/rbl.py
new file mode 100644
index 0000000..994682a
--- /dev/null
+++ b/misp_modules/modules/expansion/rbl.py
@@ -0,0 +1,117 @@
+import json
+import datetime
+
+try:
+ import dns.resolver
+ resolver = dns.resolver.Resolver()
+ resolver.timeout = 0.2
+ resolver.lifetime = 0.2
+except:
+ print("dnspython3 is missing, use 'pip install dnspython3' to install it.")
+ sys.exit(0)
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['text']}
+moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
+ 'description': 'Check an IPv4 address against known RBLs.',
+ 'module-type': ['expansion', 'hover']}
+moduleconfig = []
+
+rbls = {
+ 'spam.spamrats.com': 'http://www.spamrats.com',
+ 'spamguard.leadmon.net': 'http://www.leadmon.net/SpamGuard/',
+ 'rbl-plus.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html',
+ 'web.dnsbl.sorbs.net': 'http://www.sorbs.net',
+ 'ix.dnsbl.manitu.net': 'http://www.dnsbl.manitu.net',
+ 'virus.rbl.jp': 'http://www.rbl.jp',
+ 'dul.dnsbl.sorbs.net': 'http://www.sorbs.net',
+ 'bogons.cymru.com': 'http://www.team-cymru.org/Services/Bogons/',
+ 'psbl.surriel.com': 'http://psbl.surriel.com',
+ 'misc.dnsbl.sorbs.net': 'http://www.sorbs.net',
+ 'httpbl.abuse.ch': 'http://dnsbl.abuse.ch',
+ 'combined.njabl.org': 'http://combined.njabl.org',
+ 'smtp.dnsbl.sorbs.net': 'http://www.sorbs.net',
+ 'korea.services.net': 'http://korea.services.net',
+ 'drone.abuse.ch': 'http://dnsbl.abuse.ch',
+ 'rbl.efnetrbl.org': 'http://rbl.efnetrbl.org',
+ 'cbl.anti-spam.org.cn': 'http://www.anti-spam.org.cn/?Locale=en_US',
+ 'b.barracudacentral.org': 'http://www.barracudacentral.org/rbl/removal-request',
+ 'bl.spamcannibal.org': 'http://www.spamcannibal.org',
+ 'xbl.spamhaus.org': 'http://www.spamhaus.org/xbl/',
+ 'zen.spamhaus.org': 'http://www.spamhaus.org/zen/',
+ 'rbl.suresupport.com': 'http://suresupport.com/postmaster',
+ 'db.wpbl.info': 'http://www.wpbl.info',
+ 'sbl.spamhaus.org': 'http://www.spamhaus.org/sbl/',
+ 'http.dnsbl.sorbs.net': 'http://www.sorbs.net',
+ 'csi.cloudmark.com': 'http://www.cloudmark.com/en/products/cloudmark-sender-intelligence/index',
+ 'rbl.interserver.net': 'http://rbl.interserver.net',
+ 'ubl.unsubscore.com': 'http://www.lashback.com/blacklist/',
+ 'dnsbl.sorbs.net': 'http://www.sorbs.net',
+ 'virbl.bit.nl': 'http://virbl.bit.nl',
+ 'pbl.spamhaus.org': 'http://www.spamhaus.org/pbl/',
+ 'socks.dnsbl.sorbs.net': 'http://www.sorbs.net',
+ 'short.rbl.jp': 'http://www.rbl.jp',
+ 'dnsbl.dronebl.org': 'http://www.dronebl.org',
+ 'blackholes.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html',
+ 'truncate.gbudb.net': 'http://www.gbudb.com/truncate/index.jsp',
+ 'dyna.spamrats.com': 'http://www.spamrats.com',
+ 'spamrbl.imp.ch': 'http://antispam.imp.ch',
+ 'spam.dnsbl.sorbs.net': 'http://www.sorbs.net',
+ 'wormrbl.imp.ch': 'http://antispam.imp.ch',
+ 'query.senderbase.org': 'http://www.senderbase.org/about',
+ 'opm.tornevall.org': 'http://dnsbl.tornevall.org',
+ 'netblock.pedantic.org': 'http://pedantic.org',
+ 'access.redhawk.org': 'http://www.redhawk.org/index.php?option=com_wrapper&Itemid=33',
+ 'cdl.anti-spam.org.cn': 'http://www.anti-spam.org.cn/?Locale=en_US',
+ 'multi.surbl.org': 'http://www.surbl.org',
+ 'noptr.spamrats.com': 'http://www.spamrats.com',
+ 'dnsbl.inps.de': 'http://dnsbl.inps.de/index.cgi?lang=en',
+ 'bl.spamcop.net': 'http://bl.spamcop.net',
+ 'cbl.abuseat.org': 'http://cbl.abuseat.org',
+ 'dsn.rfc-ignorant.org': 'http://www.rfc-ignorant.org/policy-dsn.php',
+ 'zombie.dnsbl.sorbs.net': 'http://www.sorbs.net',
+ 'dnsbl.njabl.org': 'http://dnsbl.njabl.org',
+ 'relays.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html',
+ 'rbl.spamlab.com': 'http://tools.appriver.com/index.aspx?tool=rbl',
+ 'all.bl.blocklist.de': 'http://www.blocklist.de/en/rbldns.html'
+}
+
+def handler(q=False):
+ if q is False:
+ return False
+ request = json.loads(q)
+ if request.get('ip-src'):
+ ip = request['ip-src']
+ elif request.get('ip-dst'):
+ ip = request['ip-dst']
+ else:
+ misperrors['error'] = "Unsupported attributes type"
+ return misperrors
+ results = {}
+ results['query'] = ip
+ results['date'] = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+ results['listed'] = []
+ results['info'] = []
+ results['not_listed'] = []
+ for rbl in rbls:
+ ipRev = '.'.join(ip.split('.')[::-1])
+ query = '{}.{}'.format(ipRev, rbl)
+ try:
+ resolver.query(query,'A')
+ try:
+ txt = resolver.query(query, 'TXT')
+ except:
+ results['listed'].append(query)
+ results['listed'].append(query)
+ results['info'].append(str(txt[0]))
+ except:
+ results['not_listed'].append(query)
+ r = {'results': [{'types': mispattributes.get('output'), 'values': json.dumps(results)}]}
+ return r
+
+def introspection():
+ return mispattributes
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
From d045cf7d5f4acd466cf9cfb43a51915d0b3e7784 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 16 Jan 2018 19:46:52 +0100
Subject: [PATCH 2/2] chg: Modified output format
---
 misp_modules/modules/expansion/rbl.py | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/misp_modules/modules/expansion/rbl.py b/misp_modules/modules/expansion/rbl.py
index 994682a..da8c5fb 100644
--- a/misp_modules/modules/expansion/rbl.py
+++ b/misp_modules/modules/expansion/rbl.py
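Review bot: The fallback for a missing dnspython calls `sys.exit(0)` without ever importing `sys`, so a missing dependency raises NameError instead of printing the intended message; add `import sys` beside `import json` and narrow the handler to `except ImportError:`. Exiting with status 0 from module import also makes the failure look like success to the module loader, so raising (or at least a non-zero status) is the safer default. `ip` is taken from the request unvalidated and spliced into a DNS name by `'.'.join(ip.split('.')[::-1])`; an IPv6 value or any non-address string yields a malformed query name that the bare `except:` then silently records under `not_listed`, so check it with `ipaddress.ip_address(ip)` and reject `.version != 4` before the loop, since the module description is IPv4-only. The same bare `except:` around `resolver.query` turns the 0.2 s resolver timeout into "not listed" as well, so a transient failure is indistinguishable from a clean result; catch `dns.exception.DNSException` and keep timeouts out of `not_listed`.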
@@ -87,26 +87,21 @@ def handler(q=False):
 else:
 misperrors['error'] = "Unsupported attributes type"
 return misperrors
- results = {}
- results['query'] = ip
- results['date'] = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
- results['listed'] = []
- results['info'] = []
- results['not_listed'] = []
+ listed = []
+ info = []
 for rbl in rbls:
 ipRev = '.'.join(ip.split('.')[::-1])
 query = '{}.{}'.format(ipRev, rbl)
 try:
- resolver.query(query,'A')
- try:
- txt = resolver.query(query, 'TXT')
- except:
- results['listed'].append(query)
- results['listed'].append(query)
- results['info'].append(str(txt[0]))
+ txt = resolver.query(query,'TXT')
+ listed.append(query)
+ info.append(str(txt[0]))
 except:
- results['not_listed'].append(query)
- r = {'results': [{'types': mispattributes.get('output'), 'values': json.dumps(results)}]}
+ continue
+ result = {}
+ for l, i in zip(listed, info):
+ result[l] = i
+ r = {'results': [{'types': mispattributes.get('output'), 'values': json.dumps(result)}]}
 return r
 def introspection():
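Review bot: A lookup that never got an answer is now reported exactly like a clean address: the bare `except:` with `continue` around `resolver.query(query,'TXT')` treats NXDOMAIN, the 0.2 s resolver timeout and a zone that lists the address with an A record but no TXT identically, and deciding on the TXT record alone also drops genuine hits that carry no description. Decide listed/not-listed on the A record, treat `dns.resolver.NXDOMAIN` as the only "not listed" signal, and surface the other `dns.exception.DNSException`s (Timeout, NoAnswer) in a separate `errors` entry so a consumer can tell "not listed" from "could not check"; that wants an explicit `import dns.exception` next to `import dns.resolver`. The TXT lookup then only supplies the description and its failure no longer removes the hit. `result = dict(zip(listed, info))` replaces the manual loop and drops the ambiguous name `l`. `handler` begins before this hunk.
```python
    listed = []
    info = []
    errors = {}  # RBLs that could not be queried: timeout, SERVFAIL, no answer
    for rbl in rbls:
        # … unchanged: ipRev / query construction …
        try:
            resolver.query(query, 'A')
        except dns.resolver.NXDOMAIN:
            continue  # the only answer that means "not listed"
        except dns.exception.DNSException as e:
            errors[query] = type(e).__name__  # unknown, not clean
            continue
        listed.append(query)
        try:
            txt = resolver.query(query, 'TXT')
            info.append(str(txt[0]))
        except dns.exception.DNSException:
            info.append('')  # listed, but the zone offers no description
    result = dict(zip(listed, info))
    if errors:
        result['errors'] = errors
    # … unchanged: r = {...}; return r …
```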