U @†6^Ýã@s<ddlZddlmZddlmZmZmZGdd„deƒZdS)éN)Ú IPNetwork)Ú SpiderFootÚSpiderFootPluginÚSpiderFootEventc@sjeZdZdZdddddddœZddddd d dœZdZdZeƒfd d„Z dd„Z dd„Zdd„Zdd„Z dS)Úsfp_threatcrowdz”ThreatCrowd:Investigate,Passive:Reputation Systems::Obtain information from ThreatCrowd about identified IP addresses, domains and e-mail addresses.Té)ÚcheckcohostsÚcheckaffiliatesÚnetblocklookupÚmaxnetblockÚsubnetlookupÚ maxsubnetzCheck co-hosted sites?zCheck affiliates?zvLook up all IPs on netblocks deemed to be owned by your target for possible hosts on the same target subdomain/domain?zyIf looking up owned netblocks, the maximum netblock size to look up all IPs within (CIDR value, 24 = /24, 16 = /16, etc.)z:Look up all IPs on subnets which your target is a part of?zsIf looking up subnets, the maximum subnet size to look up all the IPs within (CIDR value, 24 = /24, 16 = /16, etc.)NFcCs:||_| ¡|_d|_t| ¡ƒD]}|||j|<q"dS)NF)ÚsfÚtempStorageÚresultsÚ errorStateÚlistÚkeysÚopts)ÚselfÚsfcÚuserOptsÚopt©rú:/var/www/spiderfoot.crq.systems/modules/sfp_threatcrowd.pyÚsetup0s zsfp_threatcrowd.setupcCsddddddddgS) NÚ IP_ADDRESSÚAFFILIATE_IPADDRÚ INTERNET_NAMEÚCO_HOSTED_SITEÚNETBLOCK_OWNERÚ EMAILADDRÚNETBLOCK_MEMBERÚAFFILIATE_INTERNET_NAMEr©rrrrÚ watchedEvents<sþzsfp_threatcrowd.watchedEventscCsddddddddgS) NÚMALICIOUS_IPADDRÚMALICIOUS_INTERNET_NAMEÚMALICIOUS_COHOSTÚ!MALICIOUS_AFFILIATE_INTERNET_NAMEÚMALICIOUS_AFFILIATE_IPADDRÚMALICIOUS_NETBLOCKÚMALICIOUS_SUBNETÚMALICIOUS_EMAILADDRrr$rrrÚproducedEventsBsýzsfp_threatcrowd.producedEventsc CsÄd}d}|j |¡rd|}d|kr,d|}|s8d|}|jj||jddd}|ddkrp|j d |¡dSzt |d¡}Wn<tk r¾}z|j d d¡d|_ WY¢dSd}~XYnX|S) Nz7https://www.threatcrowd.org/searchApi/v2/ip/report/?ip=ú@z=https://www.threatcrowd.org/searchApi/v2/email/report/?email=z?https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=Ú _fetchtimeoutr)ÚtimeoutÚ useragentÚcontentzNo ThreatCrowd info found for z0Error processing JSON response from ThreatCrowd.FT) rÚvalidIPÚfetchUrlrÚinfoÚjsonÚloadsÚ ExceptionÚerrorr)rÚqryÚretÚurlÚresÚerrrÚqueryHs&zsfp_threatcrowd.querycCs„|j}|j}|j}|jrdS|j d|d|¡||jkrV|j d|d¡dSd|j|<| d¡rx|jdsxdS|dkrŽ|jd sŽdS|d krè|jds¤dSt |ƒj |jdkrè|j d tt |ƒj ƒdt|jdƒ¡dS|dkrH|jdsdSt |ƒj |jdkrH|j d tt |ƒj ƒdt|jdƒ¡dStƒ}| d¡rˆt |ƒD]"}| t|ƒ¡d|jt|ƒ<qbn | |¡|D]è}| ¡rªdS| |¡}|dkrÂq–| dd¡dkr–|j d|¡|dksú| d¡rþd} |dkrd} |dkrd} |dkr(d} |dkr6d} |dkrDd } d!| d"¡d#} t| d$|d%| |j|ƒ}| |¡q–dS)&NzReceived event, z, from z Skipping z as already mapped.TZ AFFILIATEr rrr r rz$Network size bigger than permitted: z > r"rr Ú NETBLOCK_ÚvotesrzFound ThreatCrowd URL data for )rr&rr*rr'r#r)r(r!r-zZ permalinkzz ThreatCrowd [z] )Ú eventTypeÚmoduleÚdatarrÚdebugrÚ startswithrrÚ prefixlenÚstrrÚappendÚcheckForStopr@Úgetr6rÚ__name__ÚnotifyListeners)rÚeventÚ eventNameÚ srcModuleNameÚ eventDataÚqrylistÚipaddrÚaddrr6ÚevtZinfourlr?rrrÚhandleEventes ÿÿþ ÿÿþ ÿÿzsfp_threatcrowd.handleEvent)rMÚ __module__Ú__qualname__Ú__doc__rÚoptdescsrrÚdictrr%r.r@rWrrrrrs,úúr)r7ÚnetaddrrÚsflibrrrrrrrrÚ s