U @6^| @sPddlZddlmZddlZddlmZddlmZmZmZGdddeZ dS)N)datetime) IPNetwork) SpiderFootSpiderFootPluginSpiderFootEventc@sjeZdZdZdddddddZddd d d d dZd ZdZefddZ ddZ ddZ ddZ ddZ d S) sfp_greynoiseznGreynoise:Investigate,Passive:Reputation Systems:apikey:Obtain information from Greynoise.io's Enterprise API.T)api_keyage_limit_daysnetblocklookup maxnetblock subnetlookup maxsubnetzGreynoise API Key.zszsfp_greynoise.watchedEventsc Csddddddddd d g S) NMALICIOUS_IPADDR MALICIOUS_ASNMALICIOUS_SUBNETMALICIOUS_AFFILIATE_IPADDRMALICIOUS_NETBLOCK COMPANY_NAMEGEOINFO BGP_AS_MEMBEROPERATING_SYSTEM RAW_RIR_DATArr"rrrproducedEventsCszsfp_greynoise.producedEventsc Csd}d|jdi}d|}|jj||jdd|d}|ddkrX|jd d d |_dSzt|d }Wn6tk r}z|jd d WYdSd}~XYnX|S)Nkeyr z?https://enterprise.api.greynoise.io/v2/experimental/gnql?query= _fetchtimeoutr)timeout useragentheaderscode)200zPGreynoise API key seems to have been rejected or you have exceeded usage limits.FTcontentz.Error processing JSON response from Greynoise.)rrfetchUrlerror errorStatejsonloads Exception)rqryretheaderurlresinfoerrrqueryIPIs" zsfp_greynoise.queryIPcCs|j}|j}|j}|jrdS|jd|d||jddkrZ|jddd|_dS||jkr||jd|d dSd|j|<|d kr|jd sdSt |j |jd kr|jd t t |j dt |jd dS|dkr>|jdsdSt |j |jdkr>|jd t t |j dt |jddS|dksT| drXd}|dkrfd}| |}|szdSd|krdSt|ddkr|dD]P}|ddr|jd|dd}t|d} tt| } ttd|jd} |jddkr2| | kr2|jd dS|d!rj|dkrj|d!} | d"d#d#krd} | d$r| d$d%} | | d"7} td&| |j|}||| d'd#d#kr| d'd(d}td)||j|}||| d*d#d#krtd+| d*|j|}||| d,d#d#krLtd-| d,|j|}||td.t ||j|}|||d/rd0|d1|d/}|d2r|d3d%|d27}n|d4t |d57}|d6|d77}t|||j|}||qdS)8NzReceived event, z, from r rz5You enabled sfp_greynoise but did not set an API key!FTz Skipping z as already mapped.r!r rz$Network size bigger than permitted: z > r rrr NETBLOCK_r$rr'datarseenzFound threat info in Greynoise last_seenz 1970-01-01z%Y-%m-%diQr z#Record found but too old, skipping.metadatacountryunknowncityz, r*asnASr+ organizationr)osr,r-classificationz Greynoise [z] - Classification: tagsz, Tags: z - Raw data: raw_dataz$ https://viz.greynoise.io/ip/z) eventTypemodulerFr9rdebugrr8rr prefixlenstr startswithrDlengetrstrptimeinttimemktime timetupler__name__notifyListenersreplacejoin)revent eventName srcModuleName eventDataevtTyper>reclastseenZ lastseen_dtZ lastseen_ts age_limit_tsZmetlocrCrMdescrrrr handleEvent_s                         zsfp_greynoise.handleEvent)ra __module__ __qualname____doc__roptdescsrr9dictrr#r.rDrorrrrrs,   r) r:rr^netaddrrsflibrrrrrrrr s