misp-modules/misp_modules/modules/expansion/rbl.py

import json
import sys

try:
    import dns.resolver
except ImportError:
    print("dnspython3 is missing, use 'pip install dnspython3' to install it.")
    sys.exit(0)

misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['text']}
moduleinfo = {
    'version': '0.2',
    'author': 'Christian Studer',
    'description': 'Module to check an IPv4 address against known RBLs.',
    'module-type': ['expansion', 'hover'],
    'name': 'Real-time Blackhost Lists Lookup',
    'logo': '',
    'requirements': ['dnspython3: DNS python3 library'],
    'features': 'This module takes an IP address attribute as input and queries multiple know Real-time Blackhost Lists to check if they have already seen this IP address.\n\nWe display then all the information we get from those different sources.',
    'references': ['[RBLs list](https://github.com/MISP/misp-modules/blob/8817de476572a10a9c9d03258ec81ca70f3d926d/misp_modules/modules/expansion/rbl.py#L20)'],
    'input': 'IP address attribute.',
    'output': 'Text with additional data from Real-time Blackhost Lists about the IP address.',
}
moduleconfig = ['timeout']

rbls = (
    "spam.spamrats.com",
    "spamguard.leadmon.net",
    "rbl-plus.mail-abuse.org",
    "web.dnsbl.sorbs.net",
    "ix.dnsbl.manitu.net",
    "virus.rbl.jp",
    "dul.dnsbl.sorbs.net",
    "bogons.cymru.com",
    "psbl.surriel.com",
    "misc.dnsbl.sorbs.net",
    "httpbl.abuse.ch",
    "combined.njabl.org",
    "smtp.dnsbl.sorbs.net",
    "korea.services.net",
    "drone.abuse.ch",
    "rbl.efnetrbl.org",
    "cbl.anti-spam.org.cn",
    "b.barracudacentral.org",
    "bl.spamcannibal.org",
    "xbl.spamhaus.org",
    "zen.spamhaus.org",
    "rbl.suresupport.com",
    "db.wpbl.info",
    "sbl.spamhaus.org",
    "http.dnsbl.sorbs.net",
    "csi.cloudmark.com",
    "rbl.interserver.net",
    "ubl.unsubscore.com",
    "dnsbl.sorbs.net",
    "virbl.bit.nl",
    "pbl.spamhaus.org",
    "socks.dnsbl.sorbs.net",
    "short.rbl.jp",
    "dnsbl.dronebl.org",
    "blackholes.mail-abuse.org",
    "truncate.gbudb.net",
    "dyna.spamrats.com",
    "spamrbl.imp.ch",
    "spam.dnsbl.sorbs.net",
    "wormrbl.imp.ch",
    "query.senderbase.org",
    "opm.tornevall.org",
    "netblock.pedantic.org",
    "access.redhawk.org",
    "cdl.anti-spam.org.cn",
    "multi.surbl.org",
    "noptr.spamrats.com",
    "dnsbl.inps.de",
    "bl.spamcop.net",
    "cbl.abuseat.org",
    "dsn.rfc-ignorant.org",
    "zombie.dnsbl.sorbs.net",
    "dnsbl.njabl.org",
    "relays.mail-abuse.org",
    "rbl.spamlab.com",
    "all.bl.blocklist.de"
)


def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    if request.get('ip-src'):
        ip = request['ip-src']
    elif request.get('ip-dst'):
        ip = request['ip-dst']
    else:
        misperrors['error'] = "Unsupported attributes type"
        return misperrors
    resolver = dns.resolver.Resolver()
    try:
        timeout = float(request['config']['timeout'])
    except (KeyError, ValueError):
        timeout = 0.4
    resolver.timeout = timeout
    resolver.lifetime = timeout
    infos = {}
    ipRev = '.'.join(ip.split('.')[::-1])
    for rbl in rbls:
        query = '{}.{}'.format(ipRev, rbl)
        try:
            txt = resolver.query(query, 'TXT')
            infos[query] = [str(t) for t in txt]
        except Exception:
            continue
    result = "\n".join([f"{rbl}: {'  -  '.join(info)}" for rbl, info in infos.items()])
    if not result:
        return {'error': 'No data found by querying known RBLs'}
    return {'results': [{'types': mispattributes.get('output'), 'values': result}]}


def introspection():
    return mispattributes


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo