U @6^)@sZddlmZmZddlZddlmZmZmZddddgdd ggd iZGd d d eZ dS) ) IPAddress IPNetworkN) SpiderFootSpiderFootPluginSpiderFootEventzInternet Storm Center_iscqueryipzhttps://isc.sans.edu/api/ip/{0}z.*\d+.*)idtypechecksurlbadregex goodregexc@sleZdZdZdddZddiZdZefddZd d Z d d Z d dZ ddZ ddZ ddZddZdS)sfp_isczpInternet Storm Center:Investigate,Passive:Reputation Systems::Check if an IP is malicious according to SANS ISC.T)rcheckaffiliatesrzApply checks to affiliates?NcCs4||_||_t|D]}|||j|<qdS)N)sf tempStorageresultslistkeysopts)selfsfcuserOptsoptr2/var/www/spiderfoot.crq.systems/modules/sfp_isc.pysetup2s z sfp_isc.setupcCsddgS)N IP_ADDRESSAFFILIATE_IPADDRrrrrr watchedEvents>szsfp_isc.watchedEventscCsddgS)NMALICIOUS_IPADDRMALICIOUS_AFFILIATE_IPADDRrr!rrrproducedEventsDszsfp_isc.producedEventscCst|dkrB|D]0}t||tjtjBr|jd|dSqt|dkr|D]0}t||tjtjBrR|jd|dSqR|jddS)Nrz#Found to be bad against bad regex: Tz$Found to be good againt good regex: FzNeither good nor bad, unknown.)lenrematch IGNORECASEDOTALLrdebug)rcontentrrrxrrrcontentMaliciousHs   zsfp_isc.contentMaliciouscCs|jd|d|ttD]}t|d}||kr$t|ddkr$tt|d}|jj||d|jdd }|d dkr|j d ||d dS| |d t|d t|dr$||Sq$dS)Nz Querying z for maliciousness of r r rr  _useragenttimeout useragentr,Unable to fetch Frr) rr+r malchecksrstrfetchUrlformatrerrorr.)rr target targetTypecheckcidr resrrr resourceQuery\s     zsfp_isc.resourceQueryc Csd}|dkr |j||jd}ttD]n}t|d}||kr,t|ddkr,t}t|d}|jd||jd d |d <|d dkr|jj |d |jd d}|d dkr|j d|ddS|j d||d |dkrHt} dt|kr~t|d dd} t | t j} |jd|d| |d dD].} t | | } t| d krL| | d qLn|d d} | D]}t|dks|drq|}z@t|t|kr|j|d|d||WSWnBtk r<}z"|jdt|WYqW5d}~XYnXqdSdt|kr|d dD]P} | |ks|dkrd| |krd|j|d|d|d|Sqdq,ztt|d|}tt|d|}|d dD]b} |dkrt || t js&t || t jr|j|d|d|d|WSqWq,tk r}z |jd t|WYq,W5d}~XYq,Xq,dS)!Ndomain _internettldsr r rr sfmal_ cacheperiodrr,r/r0r1r4Fnetblockregexz{0}z(\d+\.\d+\.\d+\.\d+)zNew regex for z:  #z found within netblock/subnet z in zError encountered parsing: /z found in z list.zError encountered parsing 2: )r hostDomainrrr5rdictcacheGetgetr7r9cachePutreplacer'compiler)r+splitfindallr&append startswithstriprr Exceptionr6r8r( BaseException)rr r:r; targetDomr<r=datar iplistr-patlinegrpr erxDomrxTgtrrr resourceListns           zsfp_isc.resourceListcCsttD]}t|d}||kr |t|dkr |jd|d|d|t|ddkrv||||St|ddkr ||||Sq dS) Nr r zChecking maliciousness of z (z) with: r rr)rr5rrr+r?rb)r resourceIditemTyper:r<r=rrr lookupItems zsfp_isc.lookupItemc Csv|j}|j}|j}|jd|d|||jkrL|jd|ddSd|j|<|dkrp|jddspdS|d kr|jd dsdStt D]}t |d }|j|r|d krd }|dkrd}nd}|dkrd}d}|dkrd}|dkrd}|dkrd}|dkrd}| |||} | r2dS| dk r|d|dd| d} t || |j|} || qdS)NzReceived event, z, from z Skipping z, already checked.TCO_HOSTED_SITE checkcohostsFr rr )rr r rr#r$) BGP_AS_OWNER BGP_AS_MEMBERasn MALICIOUS_ASN) INTERNET_NAMErfAFFILIATE_INTERNET_NAMErArlMALICIOUS_INTERNET_NAMErm!MALICIOUS_AFFILIATE_INTERNET_NAMEMALICIOUS_COHOSTz [z] zz) eventTypemodulerZrr+rrrNrr5rre checkForStopr__name__notifyListeners) revent eventName srcModuleName eventDatar<r=typeIdevtTyper textevtrrr handleEventsR          zsfp_isc.handleEvent)rt __module__ __qualname____doc__roptdescsrrLrr"r%r.r?rbrer~rrrrrs  Mr) netaddrrrr'sflibrrrr5rrrrr s