U @6^@s4ddlmZddlmZmZmZGdddeZdS)) IPNetwork) SpiderFootSpiderFootPluginSpiderFootEventc @seZdZdZdddddddddZd d d d d ddddZdZdZdddddddddddd Ze fddZ d d!Z d"d#Z d$d%Z d&d'Zd(d)Zd*d+ZdS), sfp_honeypotzrHoneypot Checker:Investigate,Passive:Reputation Systems:apikey:Query the projecthoneypot.org database for entries.FrT)api_key searchengine threatscore timelimitnetblocklookup maxnetblock subnetlookup maxsubnetzProjecthoneypot.org API key.z*Include entries considered search engines?zMThreat score minimum, 0 being everything and 255 being only the most serious.zQMaximum days old an entry can be. 255 is the maximum, 0 means you'll get nothing.zvLook up all IPs on netblocks deemed to be owned by your target for possible hosts on the same target subdomain/domain?zyIf looking up owned netblocks, the maximum netblock size to look up all IPs within (CIDR value, 24 = /24, 16 = /16, etc.)z:Look up all IPs on subnets which your target is a part of?zsIf looking up subnets, the maximum subnet size to look up all the IPs within (CIDR value, 24 = /24, 16 = /16, etc.)Nz Search EngineZ SuspiciousZ HarvesterzSuspicious & HarvesterzComment SpammerzSuspicious & Comment SpammerzHarvester & Comment Spammerz(Suspicious & Harvester & Comment Spammerz Unknown (8)z Unknown (9)z Unknown (10)) 012345678910cCs4||_||_t|D]}|||j|<qdS)N)sf tempStorageresultslistkeysopts)selfsfcuserOptsoptr'7/var/www/spiderfoot.crq.systems/modules/sfp_honeypot.pysetupAs zsfp_honeypot.setupcCs ddddgS)N IP_ADDRESSAFFILIATE_IPADDRNETBLOCK_OWNERNETBLOCK_MEMBERr'r#r'r'r( watchedEventsIszsfp_honeypot.watchedEventscCs ddddgS)NBLACKLISTED_IPADDRBLACKLISTED_AFFILIATE_IPADDRBLACKLISTED_SUBNETBLACKLISTED_NETBLOCKr'r.r'r'r(producedEventsPszsfp_honeypot.producedEventscCsdt|dS)N.)joinreversedsplit)r#ipaddrr'r'r( reverseAddrUszsfp_honeypot.reverseAddrcCs|d}t|d|jdkr$dSt|d|jdkr>dSt|ddkr\|jdr\dSd |j|dd |dd d |d}|S) Nr5r r rr zHoneypotproject ({0}): z Last Activity: z days agoz Threat Level: )r8intr"statuses)r#addrbitstextr'r'r(reportIPYs& zsfp_honeypot.reportIPc Cs.|j}z|jdd||d}|jd||j|}|sJWdS|jdt|d}|D]}||}|dkrqfqfqqf|dk r|dkrd}|dkrd }|d krd }|d krd }t|| ||j |} | | WnHt k r(}z(|jd|d|dt|W5d}~XYnXdS)Nr r5z.dnsbl.httpbl.orgzChecking Honeypot: zAddresses returned: r+r1r*r0r,r3r-r2zUnable to resolve z / z: ) eventTyper"r:rdebug resolveHoststrrCrformat__name__notifyListeners BaseException) r#qaddr parentEvent eventNamelookupaddrsrBr@eevtr'r'r( queryAddris@   6zsfp_honeypot.queryAddrcCs|j}|j}|j}|}t}|jr&dS|jd|d||jddkrd|jddd|_dS||j krrdSd|j |<|dkr|jd sdSt |j |jd kr|jd t t |j d t |jd dS|d kr4|jdsdSt |j |jdkr4|jd t t |j d t |jddS| drrt |D]&}|r\dS|t ||qHn |||dS)NzReceived event, z, from r rz4You enabled sfp_honeypot but did not set an API key!FTr,rrz$Network size bigger than permitted: z > r-rr NETBLOCK_)rDmoduledatar errorStaterrEr"errorrr prefixlenrG startswith checkForStoprS)r#eventrN srcModuleName eventDatarMaddrlistr@r'r'r( handleEventsZ            zsfp_honeypot.handleEvent)rI __module__ __qualname____doc__r"optdescsrrWr?dictr)r/r4r:rCrSr`r'r'r'r(rsP  'rN)netaddrrsflibrrrrr'r'r'r(s