3 @6^@s4ddlmZddlmZmZmZGdddeZdS)) IPNetwork) SpiderFootSpiderFootPluginSpiderFootEventc @seZdZdZdddddddddZd d d d d ddddZdZdZdddddddddddd Ze fddZ d d!Z d"d#Z d$d%Z d&d'Zd(d)Zd*d+ZdS), sfp_honeypotzrHoneypot Checker:Investigate,Passive:Reputation Systems:apikey:Query the projecthoneypot.org database for entries.FrT)api_key searchengine threatscore timelimitnetblocklookup maxnetblock subnetlookup maxsubnetzProjecthoneypot.org API key.z*Include entries considered search engines?zMThreat score minimum, 0 being everything and 255 being only the most serious.zQMaximum days old an entry can be. 255 is the maximum, 0 means you'll get nothing.zvLook up all IPs on netblocks deemed to be owned by your target for possible hosts on the same target subdomain/domain?zyIf looking up owned netblocks, the maximum netblock size to look up all IPs within (CIDR value, 24 = /24, 16 = /16, etc.)z:Look up all IPs on subnets which your target is a part of?zsIf looking up subnets, the maximum subnet size to look up all the IPs within (CIDR value, 24 = /24, 16 = /16, etc.)Nz Search EngineZ SuspiciousZ HarvesterzSuspicious & HarvesterzComment SpammerzSuspicious & Comment SpammerzHarvester & Comment Spammerz(Suspicious & Harvester & Comment Spammerz Unknown (8)z Unknown (9)z Unknown (10)) 012345678910cCs8||_|j|_x"t|jD]}|||j|<qWdS)N)sf tempStorageresultslistkeysopts)selfsfcuserOptsoptr'7/var/www/spiderfoot.crq.systems/modules/sfp_honeypot.pysetupAs zsfp_honeypot.setupcCs ddddgS)N IP_ADDRESSAFFILIATE_IPADDRNETBLOCK_OWNERNETBLOCK_MEMBERr')r#r'r'r( watchedEventsIszsfp_honeypot.watchedEventscCs ddddgS)NBLACKLISTED_IPADDRBLACKLISTED_AFFILIATE_IPADDRBLACKLISTED_SUBNETBLACKLISTED_NETBLOCKr')r#r'r'r(producedEventsPszsfp_honeypot.producedEventscCsdjt|jdS)N.)joinreversedsplit)r#ipaddrr'r'r( reverseAddrUszsfp_honeypot.reverseAddrcCs|jd}t|d|jdkr$dSt|d|jdkr>dSt|ddkr\|jdr\dSd |j|dd |dd d |d}|S) Nr4r r rr zHoneypotproject ({0}): z Last Activity: z days agoz Threat Level: )r7intr"statuses)r#addrbitstextr'r'r(reportIPYs .zsfp_honeypot.reportIPc Cs.|j}y|jdd|j|d}|jjd||jj|}|sHdS|jjdt|d}x$|D]}|j|}|dkrqfqfPqfW|dk r|dkrd}|dkrd }|d krd }|d krd }t||j ||j |} |j | WnHt k r(}z*|jjd|d|dt|WYdd}~XnXdS)Nr r4z.dnsbl.httpbl.orgzChecking Honeypot: zAddresses returned: r+r0r*r/r,r2r-r1zUnable to resolve z / z: ) eventTyper"r9rdebug resolveHoststrrBrformat__name__notifyListeners BaseException) r#qaddr parentEvent eventNamelookupaddrsrAr?eevtr'r'r( queryAddris8   6zsfp_honeypot.queryAddrcCs|j}|j}|j}|}t}|jr&dS|jjd|d||jddkrd|jjddd|_dS||j krrdSd|j |<|dkr|jd sdSt |j |jd kr|jjd t t |j d t |jd dS|d kr4|jdsdSt |j |jdkr4|jjd t t |j d t |jddS|j drtx>t |D]$}|jr\dS|jt ||qJWn |j||dS)NzReceived event, z, from r rz4You enabled sfp_honeypot but did not set an API key!FTr,rrz$Network size bigger than permitted: z > r-rr NETBLOCK_)rCmoduledatar errorStaterrDr"errorrr prefixlenrF startswith checkForStoprR)r#eventrM srcModuleName eventDatarLaddrlistr?r'r'r( handleEventsJ       zsfp_honeypot.handleEvent)rH __module__ __qualname____doc__r"optdescsrrVr>dictr)r.r3r9rBrRr_r'r'r'r(rsJ'rN)netaddrrsflibrrrrr'r'r'r(s