
add: New module to check if a bitcoin address has been abused

- Also related update of documentation
pull/276/head
chrisr3d 3 years ago
parent
commit
d1000d82c4
No known key found for this signature in database GPG Key ID: 6BBED1B63A6D639F
  1. 1
      README.md
  2. 1
      doc/README.md
  3. 1261
      doc/README.md
  4. 1243
      doc/documentation.md
  5. 9
      doc/expansion/btc_scam_check.json
  6. 0
      doc/expansion/btc_steroids.json
  7. 2
      doc/generate_documentation.py
  8. 2
      misp_modules/modules/expansion/__init__.py
  9. 43
      misp_modules/modules/expansion/btc_scam_check.py

1
README.md

@ -18,6 +18,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
### Expansion modules
* [BGP Ranking](misp_modules/modules/expansion/bgpranking.py) - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking.
* [BTC scam check](misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to instantly check if a BTC address has been abused.
* [BTC transactions](misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.
* [CIRCL Passive DNS](misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
* [CIRCL Passive SSL](misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate seen.

1
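--- a/doc/README.md
+++ b/doc/README.md
@@ -1 +0,0 @@
-documentation.md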

1261
doc/README.md

File diff suppressed because it is too large

1243
doc/documentation.md

File diff suppressed because it is too large

9
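--- a/doc/expansion/btc_scam_check.json
+++ b/doc/expansion/btc_scam_check.json
@@ -0,0 +1,9 @@
+{
+"description": "An expansion hover module to query a special dns blacklist to check if a bitcoin address has been abused.",
+"requirements": ["dnspython3: dns python library"],
+"features": "The module queries a dns blacklist directly with the bitcoin address and get a response if the address has been abused.",
+"logo": "logos/bitcoin.png",
+"input": "btc address attribute.",
+"output" : "Text to indicate if the BTC address has been abused.",
+"references": ["https://btcblack.it/"]
+}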

0
doc/expansion/btc.json → doc/expansion/btc_steroids.json

2
doc/generate_documentation.py

@ -30,7 +30,7 @@ def generate_doc(root_path):
value = ', '.join(value) if isinstance(value, list) else '{}'.format(value.replace('\n', '\n>'))
markdown.append('- **{}**:\n>{}\n'.format(field, value))
markdown.append('\n-----\n')
with open('documentation.md', 'w') as w:
with open('README.md', 'w') as w:
w.write(''.join(markdown))

2
misp_modules/modules/expansion/__init__.py

@ -8,4 +8,4 @@ __all__ = ['vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl',
'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl',
'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator',
'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query', 'macaddress_io',
'intel471']
'intel471', 'btc_scam_check']

43
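--- a/misp_modules/modules/expansion/btc_scam_check.py
+++ b/misp_modules/modules/expansion/btc_scam_check.py
@@ -0,0 +1,43 @@
+import json
+import sys
+try:
+from dns.resolver import Resolver, NXDOMAIN
+from dns.name import LabelTooLong
+resolver = Resolver()
+resolver.timeout = 1
+resolver.lifetime = 1
+except ImportError:
+sys.exit("dnspython3 in missing. use 'pip install dnspython3' to install it.")
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['btc'], 'output': ['text']}
+moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
+'description': 'Checks if a BTC address is referenced as a scam.',
+'module-type': ['hover']}
+moduleconfig = []
+url = 'bl.btcblack.it'
+def handler(q=False):
+if q is False:
+return False
+request = json.loads(q)
+btc = request['btc']
+query = f"{btc}.{url}"
+try:
+result = ' - '.join([str(r) for r in resolver.query(query, 'TXT')])[1:-1]
+except NXDOMAIN:
+result = f"{btc} is not known as a scam address."
+except LabelTooLong:
+result = f"{btc} is probably not a valid BTC address."
+return {'results': [{'types': mispattributes['output'], 'values': result}]}
+def introspection():
+return mispattributes
+def version():
+moduleinfo['config'] = moduleconfig
+return moduleinfo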
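Review bot: Only NXDOMAIN and LabelTooLong are caught around `resolver.query(query, 'TXT')`, so with `resolver.lifetime = 1` a slow or unreachable resolver raises `dns.exception.Timeout` (likewise `dns.resolver.NoAnswer` / `NoNameservers`) straight out of handler, `result` is never bound, and the `misperrors` dict defined above is never used. `request['btc']` also raises KeyError when the attribute is absent instead of returning an error the MISP UI can display. The shape below imports `DNSException` inside the same guarded import block, validates the input with `request.get('btc')`, and turns any other resolver failure into `misperrors`. Separately, the `[1:-1]` slice strips the surrounding quotes of a single TXT record but leaves inner quotes when several records are joined with ' - '; joining the decoded `r.strings` of each record would avoid that, though the blacklist's record layout is not visible here to confirm.
```python
from dns.exception import DNSException
# … unchanged: resolver setup, module metadata …
def handler(q=False):
    # … unchanged: q check, json.loads …
    btc = request.get('btc')
    if not btc:
        misperrors['error'] = 'Missing btc attribute.'
        return misperrors
    query = f"{btc}.{url}"
    try:
        result = ' - '.join([str(r) for r in resolver.query(query, 'TXT')])[1:-1]
    # … unchanged: NXDOMAIN and LabelTooLong handlers …
    except DNSException as e:
        misperrors['error'] = f"DNS lookup failed: {e}"
        return misperrors
    # … unchanged: results dict …
```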