U @6^+@sXddlmZmZddlZddlmZmZmZdddddd gd d iZGd d d eZ dS)) IPAddress IPNetworkN) SpiderFootSpiderFootPluginSpiderFootEventzCustom Threat Data _customfeedipnetblockasndomainz^{0}$)idchecksregexc@steZdZdZddddddZdddd d Zd Zd Zefd dZ ddZ ddZ ddZ ddZ ddZddZd S)sfp_customfeedzCustom Threat Feed:Investigate,Passive:Reputation Systems::Check if a host/domain, netblock, ASN or IP is malicious according to your custom feed.Tr)rcheckaffiliates checkcohostsurl cacheperiodzThe URL where the feed can be found. Exact matching is performed so the format must be a single line per host, ASN, domain, IP or netblock.zApply checks to affiliates?z?Apply checks to sites found to be co-hosted on the target's IP?zIMaximum age of data in hours before re-downloading. 0 to always download.)rrrrNFcCs:||_||_d|_t|D]}|||j|<q"dS)NF)sf tempStorageresults errorStatelistkeysopts)selfsfcuserOptsoptr 9/var/www/spiderfoot.crq.systems/modules/sfp_customfeed.pysetup5s  zsfp_customfeed.setupcCsdddddgS)N INTERNET_NAME IP_ADDRESSAFFILIATE_INTERNET_NAMEAFFILIATE_IPADDRCO_HOSTED_SITEr rr r r! watchedEventsBszsfp_customfeed.watchedEventscCsdddddgS)NMALICIOUS_IPADDRMALICIOUS_INTERNET_NAMEMALICIOUS_AFFILIATE_IPADDR!MALICIOUS_AFFILIATE_INTERNET_NAMEMALICIOUS_COHOSTr r(r r r!producedEventsIs zsfp_customfeed.producedEventscCst|dkrB|D]0}t||tjtjBr|jd|dSqt|dkr|D]0}t||tjtjBrR|jd|dSqR|jddS)Nrz#Found to be bad against bad regex: Tz$Found to be good againt good regex: FzNeither good nor bad, unknown.)lenrematch IGNORECASEDOTALLrdebug)rcontent goodregexbadregexrxr r r!contentMaliciousOs   zsfp_customfeed.contentMaliciousc Csd}|dkr |j||jd}ttD]b}t|d}|jd}||kr,t}|jd||jdd|d <|d dkr|jj ||jd |jd d }|d dkr|j d |ddS|j d||d |dkrz) eventTypemoduler]rr5rrrKrrIrrFrrh checkForStopr__name__notifyListeners) revent eventName srcModuleName eventDatar[r\typeIdevtTypertextevtr r r! handleEventsr                zsfp_customfeed.handleEvent)ru __module__ __qualname____doc__roptdescsrrrGr"r)r/r:rerhrr r r r!rs*   M r) netaddrrrr1sflibrrrrFrr r r r!s