import json
import sys

# Every lookup in this module goes through dns.resolver, so the import is
# checked up front.
try:
    import dns.resolver
except ImportError:
    # NOTE(review): the message names the 'dnspython3' distribution; the
    # maintained package is believed to be published as 'dnspython' — verify
    # the name before installing from this hint.
    print("dnspython3 is missing, use 'pip install dnspython3' to install it.")
    # NOTE(review): sys.exit(0) ends the importing process with a success
    # status — confirm the module loader expects that rather than an
    # ImportError it could log and skip.
    sys.exit(0)
# Shared error payload; handler() overwrites its 'error' message and returns it
# when the request carries neither 'ip-src' nor 'ip-dst'.
misperrors = {'error': 'Error'}
# Attribute types read from the request ('input') and the type attached to the
# value handler() returns ('output').
mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['text']}
# Descriptive metadata returned by version(), which adds a 'config' key to it.
moduleinfo = {
    'version': '0.2',
    'author': 'Christian Studer',
    'description': 'Module to check an IPv4 address against known RBLs.',
    'module-type': ['expansion', 'hover'],
    'name': 'Real-time Blackhost Lists Lookup',
    'logo': '',
    'requirements': ['dnspython3: DNS python3 library'],
    'features': 'This module takes an IP address attribute as input and queries multiple know Real-time Blackhost Lists to check if they have already seen this IP address.\n\nWe display then all the information we get from those different sources.',
    'references': ['[RBLs list](https://github.com/MISP/misp-modules/blob/8817de476572a10a9c9d03258ec81ca70f3d926d/misp_modules/modules/expansion/rbl.py#L20)'],
    'input': 'IP address attribute.',
    'output': 'Text with additional data from Real-time Blackhost Lists about the IP address.',
}
# Names of the per-request options; handler() reads request['config']['timeout'].
moduleconfig = ['timeout']
# DNS blocklist zones queried by handler(): one TXT lookup per zone per request.
# NOTE(review): each lookup discloses the address under investigation to the
# zone operator and to the recursive resolver in use — confirm that is
# acceptable for the data this instance handles.
# NOTE(review): the list is static, so some zones may have been retired since
# it was written. A retired zone that answers every query (wildcard record or
# re-registered domain) would look like a listing for any address — verify each
# zone is still operated before trusting its answers.
rbls = (
    "spam.spamrats.com",
    "spamguard.leadmon.net",
    "rbl-plus.mail-abuse.org",
    "web.dnsbl.sorbs.net",
    "ix.dnsbl.manitu.net",
    "virus.rbl.jp",
    "dul.dnsbl.sorbs.net",
    "bogons.cymru.com",
    "psbl.surriel.com",
    "misc.dnsbl.sorbs.net",
    "httpbl.abuse.ch",
    "combined.njabl.org",
    "smtp.dnsbl.sorbs.net",
    "korea.services.net",
    "drone.abuse.ch",
    "rbl.efnetrbl.org",
    "cbl.anti-spam.org.cn",
    "b.barracudacentral.org",
    "bl.spamcannibal.org",
    "xbl.spamhaus.org",
    "zen.spamhaus.org",
    "rbl.suresupport.com",
    "db.wpbl.info",
    "sbl.spamhaus.org",
    "http.dnsbl.sorbs.net",
    "csi.cloudmark.com",
    "rbl.interserver.net",
    "ubl.unsubscore.com",
    "dnsbl.sorbs.net",
    "virbl.bit.nl",
    "pbl.spamhaus.org",
    "socks.dnsbl.sorbs.net",
    "short.rbl.jp",
    "dnsbl.dronebl.org",
    "blackholes.mail-abuse.org",
    "truncate.gbudb.net",
    "dyna.spamrats.com",
    "spamrbl.imp.ch",
    "spam.dnsbl.sorbs.net",
    "wormrbl.imp.ch",
    "query.senderbase.org",
    "opm.tornevall.org",
    "netblock.pedantic.org",
    "access.redhawk.org",
    "cdl.anti-spam.org.cn",
    "multi.surbl.org",
    "noptr.spamrats.com",
    "dnsbl.inps.de",
    "bl.spamcop.net",
    "cbl.abuseat.org",
    "dsn.rfc-ignorant.org",
    "zombie.dnsbl.sorbs.net",
    "dnsbl.njabl.org",
    "relays.mail-abuse.org",
    "rbl.spamlab.com",
    "all.bl.blocklist.de"
)
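def handler(q=False):
    """Look up an IPv4 address in every zone of ``rbls`` and return the TXT answers.

    Args:
        q: JSON-encoded request string. The address is read from 'ip-src' or,
            failing that, 'ip-dst'; an optional lookup timeout in seconds is
            read from ['config']['timeout']. ``False`` means "no request".

    Returns:
        ``False`` when no request was given; ``{'error': message}`` when the
        request carries no usable IPv4 address or no zone returned data;
        otherwise ``{'results': [{'types': ..., 'values': text}]}`` where
        ``types`` is the module's output type list and ``text`` holds one
        line per answering query name.
    """
    import ipaddress

    if q is False:
        return False
    request = json.loads(q)
    ip = request.get('ip-src') or request.get('ip-dst')
    if not ip:
        misperrors['error'] = "Unsupported attributes type"
        return misperrors

    # The attribute value is caller-supplied and becomes part of DNS names sent
    # to third-party zones, so accept nothing but a well-formed IPv4 address.
    # Anything else (IPv6, hostnames, non-string values) is rejected before a
    # single query leaves the host.
    try:
        address = ipaddress.IPv4Address(ip.strip())
    except (AttributeError, ValueError):
        return {'error': 'RBL lookups require a valid IPv4 address'}

    resolver = dns.resolver.Resolver()
    try:
        timeout = float(request['config']['timeout'])
    except (KeyError, TypeError, ValueError):
        # Missing, null or non-numeric setting: fall back to the default.
        timeout = 0.4
    # The zones are queried one after another, so the worst case for a request
    # is roughly len(rbls) * timeout.
    resolver.timeout = timeout
    resolver.lifetime = timeout

    infos = {}
    # DNSBL convention: octets reversed, then the zone name appended.
    ip_rev = '.'.join(reversed(str(address).split('.')))
    for rbl in rbls:
        query = '{}.{}'.format(ip_rev, rbl)
        try:
            txt = resolver.query(query, 'TXT')
            infos[query] = [str(t) for t in txt]
        except Exception:
            # Deliberate best effort: no answer, a timeout or a resolver error
            # all mean "nothing to report" for this zone.
            continue
    result = "\n".join(f"{name}: {' - '.join(info)}" for name, info in infos.items())
    if not result:
        return {'error': 'No data found by querying known RBLs'}
    return {'results': [{'types': mispattributes.get('output'), 'values': result}]}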
def introspection():
    """Return the module's attribute mapping (accepted input and output types)."""
    attribute_types = mispattributes
    return attribute_types
def version():
    """Return the module metadata with the configurable option names attached.

    The 'config' entry is written into the shared ``moduleinfo`` dict on
    every call, and that same dict object is returned.
    """
    moduleinfo.update(config=moduleconfig)
    return moduleinfo