3 @6^@s<ddlZddlmZddlmZmZmZGdddeZdS)N) IPNetwork) SpiderFootSpiderFootPluginSpiderFootEventc@sjeZdZdZdddddddZddddd d dZd Zd Zefd dZ ddZ ddZ ddZ ddZ d S)sfp_threatcrowdzThreatCrowd:Investigate,Passive:Reputation Systems::Obtain information from ThreatCrowd about identified IP addresses, domains and e-mail addresses.T) checkcohostscheckaffiliatesnetblocklookup maxnetblock subnetlookup maxsubnetzCheck co-hosted sites?zCheck affiliates?zvLook up all IPs on netblocks deemed to be owned by your target for possible hosts on the same target subdomain/domain?zyIf looking up owned netblocks, the maximum netblock size to look up all IPs within (CIDR value, 24 = /24, 16 = /16, etc.)z:Look up all IPs on subnets which your target is a part of?zsIf looking up subnets, the maximum subnet size to look up all the IPs within (CIDR value, 24 = /24, 16 = /16, etc.)NFcCs>||_|j|_d|_x"t|jD]}|||j|<q$WdS)NF)sf tempStorageresults errorStatelistkeysopts)selfsfcuserOptsoptr:/var/www/spiderfoot.crq.systems/modules/sfp_threatcrowd.pysetup0s  zsfp_threatcrowd.setupcCsddddddddgS) N IP_ADDRESSAFFILIATE_IPADDR INTERNET_NAMECO_HOSTED_SITENETBLOCK_OWNER EMAILADDRNETBLOCK_MEMBERAFFILIATE_INTERNET_NAMEr)rrrr watchedEvents<szsfp_threatcrowd.watchedEventscCsddddddddgS) NMALICIOUS_IPADDRMALICIOUS_INTERNET_NAMEMALICIOUS_COHOST!MALICIOUS_AFFILIATE_INTERNET_NAMEMALICIOUS_AFFILIATE_IPADDRMALICIOUS_NETBLOCKMALICIOUS_SUBNETMALICIOUS_EMAILADDRr)rrrrproducedEventsBszsfp_threatcrowd.producedEventscCsd}d}|jj|rd|}d|kr,d|}|s8d|}|jj||jddd}|ddkrp|jjd |dSytj|d}Wn4tk r}z|jjd d d |_ dSd}~XnX|S) Nz7https://www.threatcrowd.org/searchApi/v2/ip/report/?ip=@z=https://www.threatcrowd.org/searchApi/v2/email/report/?email=z?https://www.threatcrowd.org/searchApi/v2/domain/report/?domain= _fetchtimeoutr)timeout useragentcontentzNo ThreatCrowd info found for z0Error processing JSON response from ThreatCrowd.FT) rvalidIPfetchUrlrinfojsonloads Exceptionerrorr)rqryreturlreserrrqueryHs&  zsfp_threatcrowd.queryc Cs|j}|j}|j}|jrdS|jjd|d|||jkrV|jjd|ddSd|j|<|jdrz|jd rzdS|dkr|jd  rdS|d kr|jd sdSt |j |jd kr|jjd t t |j dt |jd dS|dkrL|jdsdSt |j |jdkrL|jjd t t |j dt |jddSt }|jdrx:t |D]"}|j t |d|jt |<qhWn |j |x|D]}|jrdS|j|}|dkrʐq|jdddkr|jjd||d&ks|jdrd} |dkrd} |dkr"d} |dkr0d} |dkr>d} |dkrLd } d!|jd"d#} t| d$|d%| |j|} |j| qWdS)'NzReceived event, z, from z Skipping z as already mapped.TZ AFFILIATEr rrr r r z$Network size bigger than permitted: z > r"r r NETBLOCK_votesrzFound ThreatCrowd URL data for rr%rr)rr&r#r(r'r!r,zZ permalinkzz ThreatCrowd [z] )r) eventTypemoduledatarrdebugr startswithrr prefixlenstrrappend checkForStopr?getr5r__name__notifyListeners) revent eventName srcModuleName eventDataqrylistipaddraddrr5evtZinfourlr>rrr handleEventesx                zsfp_threatcrowd.handleEvent)rL __module__ __qualname____doc__roptdescsrrdictrr$r-r?rVrrrrrs( r)r6netaddrrsflibrrrrrrrr s