From 8892893d9bf96a3d09b16736a173b0500a21d8ec Mon Sep 17 00:00:00 2001
From: LaZyDK
Date: Fri, 25 Aug 2023 09:55:52 +0200
Subject: [PATCH] Initial commit
---
 tools/generate-cisco-umbrella-blockpage.py | 76 ++++++++++++++++++++++
 tools/generator.py | 10 +++
 2 files changed, 86 insertions(+)
 create mode 100755 tools/generate-cisco-umbrella-blockpage.py
diff --git a/tools/generate-cisco-umbrella-blockpage.py b/tools/generate-cisco-umbrella-blockpage.py
new file mode 100755
index 0000000..3ac0852
--- /dev/null
+++ b/tools/generate-cisco-umbrella-blockpage.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+
+import ipaddress
+import logging
+from typing import List, Tuple
+
+from generator import get_version, write_to_file, Dns, create_resolver
+
+# Static Umbrella blockpage addresses: https://docs.umbrella.com/deployment-umbrella/docs/block-page-ip-addresses
+blockpage_ip_list = ['146.112.61.104', '::ffff:146.112.61.104', '146.112.61.105', '::ffff:146.112.61.105', '146.112.61.106', '::ffff:146.112.61.106', '146.112.61.107', '::ffff:146.112.61.107', '146.112.61.108', '::ffff:146.112.61.108', '146.112.61.110', '::ffff:146.112.61.110']
+
+
+def process(ipv4: List, ipv6: List, hostname: List):
+    # Cisco Umbrella blockpage Domains
+    umbrella_blockpage_hostname_dst = 'umbrella-blockpage-hostname'
+    umbrella_blockpage_warninglist = {
+        'description': 'Event contains one or more Cisco Umbrella blockpage hostnames as attribute with an IDS flag set',
+        'name': 'List of known Cisco Umbrella blockpage hostnames',
+        'type': 'hostname',
+        'matching_attributes': ['hostname', 'domain', 'url', 'domain|ip']
+    }
+    generate(hostname, umbrella_blockpage_warninglist, umbrella_blockpage_hostname_dst)
+
+    # Cisco Umbrella blockpage IPv4
+    umbrella_blockpage_ipv4_dst = 'umbrella-blockpage-v4'
+    umbrella_blockpage_ipv4_warninglist = {
+        'description': 'Event contains one or more public IPv4 DNS resolvers as attribute with an IDS flag set',
+        'name': 'List of known IPv4 public DNS resolvers',
+        'type': 'cidr',
+        'matching_attributes': ['ip-src', 'ip-dst', 'domain|ip']
+    }
+    generate(ipv4, umbrella_blockpage_ipv4_warninglist, umbrella_blockpage_ipv4_dst)
+
+    # Cisco Umbrella blockpage IPv6
+    umbrella_blockpage_ipv6_dst = 'umbrella-blockpage-v6'
+    umbrella_blockpage_ipv6_warninglist = {
+        'description': 'Event contains one or more public IPv6 DNS resolvers as attribute with an IDS flag set',
+        'name': 'List of known IPv6 public DNS resolvers',
+        'type': 'cidr',
+        'matching_attributes': ['ip-src', 'ip-dst', 'domain|ip']
+    }
+    generate(ipv6, umbrella_blockpage_ipv6_warninglist, umbrella_blockpage_ipv6_dst)
+
+
+def generate(data_list, warninglist, dst):
+    warninglist['version'] = get_version()
+    warninglist['list'] = data_list
+
+    write_to_file(warninglist, dst)
+
+
+def main():
+    dns = Dns(create_resolver())
+
+    ipv4_addresses = []
+    ipv6_addresses = []
+    host_names = []
+
+    for ip in blockpage_ip_list:
+        host_names.append(dns.get_domain_from_ip(ip))
+
+        try:
+            ip = ipaddress.ip_address(ip)
+
+            if ip.version == 4:
+                ipv4_addresses.append(ip.compressed)
+            elif ip.version == 6:
+                ipv6_addresses.append(ip.compressed)
+
+        except ValueError as exc:
+            logging.warning(str(exc))
+
+    process(ipv4_addresses, ipv6_addresses, host_names)
+
+if __name__ == '__main__':
+    main()
diff --git a/tools/generator.py b/tools/generator.py
index 89c5e07..045801d 100644
--- a/tools/generator.py
+++ b/tools/generator.py
@@ -10,6 +10,7 @@ import gzip
 import requests
 import dns.exception
 import dns.resolver
+import dns.reversename
 from dateutil.parser import parse as parsedate
@@ -247,6 +248,15 @@ class Dns:
         return ranges
+    def get_domain_from_ip(self, ip: str) -> str:
+        try:
+            records = dns.reversename.from_address(ip)
+        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN, dns.exception.Timeout, dns.resolver.NoNameservers) as e:
+            logging.info("Could not fetch PTR record for IP {}: {}".format(ip, str(e)))
+            return []
+
+        return str(dns.resolver.resolve(records,"PTR")[0]).rstrip('.')
+
 def main():
     init_logging()
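Review bot: In main(), `host_names.append(dns.get_domain_from_ip(ip))` stores whatever the helper returns, and the `get_domain_from_ip` added to generator.py in the same commit returns `[]` on its error path (despite its `-> str` annotation) and wraps only `dns.reversename.from_address` in its `try`, so a failed PTR lookup either escapes from `dns.resolver.resolve` and aborts the run or writes a `[]` entry into the published hostname warninglist. Guarding the append contains both outcomes here: `hostname = dns.get_domain_from_ip(ip)` followed by `if hostname: host_names.append(hostname)`; collecting into a set rather than a list would also avoid the duplicate names expected when an IPv4 address and its `::ffff:` twin resolve to the same PTR, and the same `try`/`except` should move onto the `resolve` call in the generator.py hunk. Separately, the IPv4 and IPv6 warninglist metadata in process() still reads `'List of known IPv4 public DNS resolvers'` and `'Event contains one or more public IPv4 DNS resolvers ...'` (IPv6 likewise), which appears copied from another generator; the name and description should refer to Cisco Umbrella blockpage addresses, as the hostname list's already do.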