3 @6^| @sPddlZddlmZddlZddlmZddlmZmZmZGdddeZ dS)N)datetime) IPNetwork) SpiderFootSpiderFootPluginSpiderFootEventc@sjeZdZdZdddddddZddd d d d dZd ZdZefddZ ddZ ddZ ddZ ddZ d S) sfp_greynoiseznGreynoise:Investigate,Passive:Reputation Systems:apikey:Obtain information from Greynoise.io's Enterprise API.T)api_keyage_limit_daysnetblocklookup maxnetblock subnetlookup maxsubnetzGreynoise API Key.zszsfp_greynoise.watchedEventsc Csddddddddd d g S) NMALICIOUS_IPADDR MALICIOUS_ASNMALICIOUS_SUBNETMALICIOUS_AFFILIATE_IPADDRMALICIOUS_NETBLOCK COMPANY_NAMEGEOINFO BGP_AS_MEMBEROPERATING_SYSTEM RAW_RIR_DATAr)rrrrproducedEventsCszsfp_greynoise.producedEventscCsd}d|jdi}d|}|jj||jdd|d}|ddkrX|jjd d d |_dSytj|d }Wn.tk r}z|jjdd dSd}~XnX|S)Nkeyr zhttps://z7enterprise.api.greynoise.io/v2/experimental/gnql?query= _fetchtimeoutr)timeout useragentheaderscode200zPGreynoise API key seems to have been rejected or you have exceeded usage limits.FTcontentz.Error processing JSON response from Greynoise.z?https://enterprise.api.greynoise.io/v2/experimental/gnql?query=)r4)rrfetchUrlerror errorStatejsonloads Exception)rqryretheaderurlresinfoerrrqueryIPIs  zsfp_greynoise.queryIPcCs|j}|j}|j}|jrdS|jjd|d||jddkrZ|jjddd|_dS||jkr||jjd|d dSd|j|<|d kr|jd sdSt |j |jd kr|jjd t t |j dt |jd dS|dkr@|jdsdSt |j |jdkr@|jjd t t |j dt |jddS|dksV|j drZd}|dkrhd}|j |}|s|dSd|krdSt|ddkrx\|dD]N}|jddr|jjd|jdd}tj|d} ttj| j} ttjd|jd} |jddkr6| | kr6|jjd dS|jd!rn|dkrn|jd!} | jd"d#d#krd} | jd$r| jd$d%} | | jd"7} td&| |j|}|j|| jd'd#d#kr| jd'jd(d}td)||j|}|j|| jd*d#d#krtd+| jd*|j|}|j|| jd,d#d#krPtd-| jd,|j|}|j|td.t ||j|}|j||jd/rd0|d1|jd/}|jd2r|d3d%j|jd27}n|d9t |jd67}|d7|d87}t|||j|}|j|qWdS):NzReceived event, z, from r rz5You enabled sfp_greynoise but did not set an API key!FTz Skipping z as already mapped.r!r rz$Network size bigger than permitted: z > r rrr NETBLOCK_r#rr&datarseenzFound threat info in Greynoise last_seenz 1970-01-01z%Y-%m-%diQr z#Record found but too old, skipping.metadatacountryunknowncityz, r)asnASr* organizationr(osr+r,classificationz Greynoise [z] - Classification: tagsz, Tags: z - z Raw data: Zraw_dataz$ https://viz.greynoise.io/ip/zz - Raw data: ) eventTypemodulerEr8rdebugrr7rr prefixlenstr startswithrClengetrstrptimeinttimemktime timetupler__name__notifyListenersreplacejoin)revent eventName srcModuleName eventDataevtTyper=reclastseenZ lastseen_dtZ lastseen_ts age_limit_tsZmetlocrBrLdescrrrr handleEvent_s                     zsfp_greynoise.handleEvent)r_ __module__ __qualname____doc__roptdescsrr8dictrr"r-rCrmrrrrrs( r) r9rr\netaddrrsflibrrrrrrrr s