Merge branch 'umbrella_blockpage_warninglists' of https://github.com/LaZyDK/misp-warninglists into LaZyDK-umbrella_blockpage_warninglists
commit
6dfce67778
|
@ -0,0 +1,76 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
import ipaddress
|
||||
import logging
|
||||
from typing import List, Tuple
|
||||
|
||||
from generator import get_version, write_to_file, Dns, create_resolver
|
||||
|
||||
# Static Umbrella blockpage addresses: https://docs.umbrella.com/deployment-umbrella/docs/block-page-ip-addresses
|
||||
blockpage_ip_list = ['146.112.61.104', '::ffff:146.112.61.104', '146.112.61.105', '::ffff:146.112.61.105', '146.112.61.106', '::ffff:146.112.61.106', '146.112.61.107', '::ffff:146.112.61.107', '146.112.61.108', '::ffff:146.112.61.108', '146.112.61.110', '::ffff:146.112.61.110']
|
||||
|
||||
|
||||
def process(ipv4: List, ipv6: List, hostname: List):
|
||||
# Cisco Umbrella blockpage Domains
|
||||
umbrella_blockpage_hostname_dst = 'umbrella-blockpage-hostname'
|
||||
umbrella_blockpage_warninglist = {
|
||||
'description': 'Event contains one or more Cisco Umbrella blockpage hostnames as attribute with an IDS flag set',
|
||||
'name': 'List of known Cisco Umbrella blockpage hostnames',
|
||||
'type': 'hostname',
|
||||
'matching_attributes': ['hostname', 'domain', 'url', 'domain|ip']
|
||||
}
|
||||
generate(hostname, umbrella_blockpage_warninglist, umbrella_blockpage_hostname_dst)
|
||||
|
||||
# Cisco Umbrella blockpage IPv4
|
||||
umbrella_blockpage_ipv4_dst = 'umbrella-blockpage-v4'
|
||||
umbrella_blockpage_ipv4_warninglist = {
|
||||
'description': 'Event contains one or more public IPv4 DNS resolvers as attribute with an IDS flag set',
|
||||
'name': 'List of known IPv4 public DNS resolvers',
|
||||
'type': 'cidr',
|
||||
'matching_attributes': ['ip-src', 'ip-dst', 'domain|ip']
|
||||
}
|
||||
generate(ipv4, umbrella_blockpage_ipv4_warninglist, umbrella_blockpage_ipv4_dst)
|
||||
|
||||
# Cisco Umbrella blockpage IPv6
|
||||
umbrella_blockpage_ipv6_dst = 'umbrella-blockpage-v6'
|
||||
umbrella_blockpage_ipv6_warninglist = {
|
||||
'description': 'Event contains one or more public IPv6 DNS resolvers as attribute with an IDS flag set',
|
||||
'name': 'List of known IPv6 public DNS resolvers',
|
||||
'type': 'cidr',
|
||||
'matching_attributes': ['ip-src', 'ip-dst', 'domain|ip']
|
||||
}
|
||||
generate(ipv6, umbrella_blockpage_ipv6_warninglist, umbrella_blockpage_ipv6_dst)
|
||||
|
||||
|
||||
def generate(data_list, warninglist, dst):
|
||||
warninglist['version'] = get_version()
|
||||
warninglist['list'] = data_list
|
||||
|
||||
write_to_file(warninglist, dst)
|
||||
|
||||
|
||||
def main():
|
||||
dns = Dns(create_resolver())
|
||||
|
||||
ipv4_addresses = []
|
||||
ipv6_addresses = []
|
||||
host_names = []
|
||||
|
||||
for ip in blockpage_ip_list:
|
||||
host_names.append(dns.get_domain_from_ip(ip))
|
||||
|
||||
try:
|
||||
ip = ipaddress.ip_address(ip)
|
||||
|
||||
if ip.version == 4:
|
||||
ipv4_addresses.append(ip.compressed)
|
||||
elif ip.version == 6:
|
||||
ipv6_addresses.append(ip.compressed)
|
||||
|
||||
except ValueError as exc:
|
||||
logging.warning(str(exc))
|
||||
|
||||
process(ipv4_addresses, ipv6_addresses, host_names)
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
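Review bot: The IPv4 and IPv6 warninglist metadata in process() is copied from the public-DNS-resolver lists — `'description': 'Event contains one or more public IPv4 DNS resolvers as attribute with an IDS flag set'` and `'name': 'List of known IPv4 public DNS resolvers'`, and the IPv6 pair below them — so the generated umbrella-blockpage-v4/v6 files will read as resolver lists in the MISP UI and, if list names must be unique, may collide with the real ones; change them to something like `'name': 'List of known Cisco Umbrella blockpage IPv4 addresses'`. In main(), `host_names.append(dns.get_domain_from_ip(ip))` stores whatever the helper returns, and in this same commit the helper returns `[]` on a failed lookup, so an empty list can end up inside the hostname warninglist; the plain and `::ffff:` forms of each address presumably also map to the same PTR name, so duplicates are likely. Guard it with `name = dns.get_domain_from_ip(ip)` followed by `if name and name not in host_names: host_names.append(name)`. Since the hostnames are taken from PTR records at generation time rather than from the Umbrella documentation linked above blockpage_ip_list, the generated hostname list is worth comparing against that page before it is committed.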
|
|
@ -10,6 +10,7 @@ import gzip
|
|||
import requests
|
||||
import dns.exception
|
||||
import dns.resolver
|
||||
import dns.reversename
|
||||
from dateutil.parser import parse as parsedate
|
||||
|
||||
|
||||
|
@ -247,6 +248,15 @@ class Dns:
|
|||
|
||||
return ranges
|
||||
|
||||
def get_domain_from_ip(self, ip: str) -> str:
|
||||
try:
|
||||
records = dns.reversename.from_address(ip)
|
||||
except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN, dns.exception.Timeout, dns.resolver.NoNameservers) as e:
|
||||
logging.info("Could not fetch PTR record for IP {}: {}".format(ip, str(e)))
|
||||
return []
|
||||
|
||||
return str(dns.resolver.resolve(records,"PTR")[0]).rstrip('.')
|
||||
|
||||
|
||||
def main():
|
||||
init_logging()
|
||||
|
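Review bot: The try block in get_domain_from_ip wraps only `dns.reversename.from_address(ip)`, which builds the reverse name and performs no query, while the actual lookup `dns.resolver.resolve(records,"PTR")` on the last line sits outside it — so NoAnswer, NXDOMAIN, Timeout and NoNameservers propagate uncaught and the first address without a PTR record aborts the whole generator run. The failure path also returns `[]` although the signature says `-> str`; returning `''` keeps the annotation truthful and lets callers test the result with a plain truth check. If the Dns class holds the resolver that main() builds with create_resolver() (its other methods are outside this hunk), the lookup should presumably go through that instance rather than the module-level dns.resolver.resolve — worth confirming.
```python
    def get_domain_from_ip(self, ip: str) -> str:
        try:
            name = dns.reversename.from_address(ip)
            answer = dns.resolver.resolve(name, "PTR")
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN, dns.exception.Timeout, dns.resolver.NoNameservers) as e:
            logging.info("Could not fetch PTR record for IP {}: {}".format(ip, str(e)))
            return ''
        return str(answer[0]).rstrip('.')
```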
|