3 @6^-@sXddlmZmZddlZddlmZmZmZdddddgd d d iZGd d d eZ dS)) IPAddress IPNetworkN) SpiderFootSpiderFootPluginSpiderFootEventzTOR Exist List _torexitslistipnetblockz+https://check.torproject.org/exit-addressesz^ExitAddress\s+{0}\s+)idtypechecksurlregexc@sxeZdZdZddddddZddddd Zd Zefd d Zd dZ ddZ ddZ ddZ ddZ ddZddZd S) sfp_torexitszTOR Exit Nodes:Investigate,Passive:Secondary Networks::Check if an IP or netblock appears on the torproject.org exit node list.T)rcheckaffiliates cacheperiodchecknetblocks checksubnetszApply checks to affiliates?z,Hours to cache list data before re-fetching.z=Report if any malicious IPs are found within owned netblocks?zJCheck if any malicious IPs are found within the same subnet of the target?)rrrrNcCs>||_|j|_d|_x"t|jD]}|||j|<q$WdS)Nztorproject.org)sf tempStorageresults__dataSource__rkeysopts)selfsfcuserOptsoptr 7/var/www/spiderfoot.crq.systems/modules/sfp_torexits.pysetup7s  zsfp_torexits.setupcCs ddddgS)N IP_ADDRESSNETBLOCK_MEMBERAFFILIATE_IPADDRNETBLOCK_OWNERr )rr r r! watchedEventsDszsfp_torexits.watchedEventscCs ddddgS)NMALICIOUS_IPADDRMALICIOUS_AFFILIATE_IPADDRMALICIOUS_SUBNETMALICIOUS_NETBLOCKr )rr r r!producedEventsKszsfp_torexits.producedEventscCst|dkrDx6|D].}tj||tjtjBr|jjd|dSqWt|dkrx6|D].}tj||tjtjBrV|jjd|dSqVW|jjddS)Nrz#Found to be bad against bad regex: Tz$Found to be good againt good regex: FzNeither good nor bad, unknown.)lenrematch IGNORECASEDOTALLrdebug)rcontent goodregexbadregexrxr r r!contentMaliciousPs     zsfp_torexits.contentMaliciouscCs|jjd|d|xttjD]}t|d}||kr&t|ddkr&tt|d}|jj|j||jd|jdd }|d dkr|jj d |j|d dS|j |d t|d t|dr&|j|Sq&WdS)Nz Querying z for maliciousness of r r queryr _fetchtimeout _useragent)timeout useragentr3zUnable to fetch Fr4r5) rr2r malchecksrstrfetchUrlformatrerrorr7)rr target targetTypecheckcidrresr r r! resourceQueryds $   zsfp_torexits.resourceQuerycCsd}|dkr |jj||jd}xjttjD]X}t|d}||koXt|ddkr0t}t|d}|jjd||jjd d |d <|d dkr|jj ||jd |jd d}|d dkr|jj d|ddS|jj d||d |dkrFt} dt|krt|dj dd} t j| t j} |jjd|d| xP|d jdD].} t j| | } t| d krV| j| d qVWn|d jd} x| D]}t|dks|jdrq|j}y6t|t|kr|jj|d|d||SWn<tk r:}z|jjdt|wWYdd}~XnXqWdSdt|krxZ|d jdD]H} | |ks|dkrd| |krd|jj|d|d|d|SqdWq0ytt|dj|}tt|dj|}xj|d jdD]X} |dkrt j|| t js"t j|| t jr|jj|d|d|d|SqWWq0tk r}z|jjd t|w0WYdd}~Xq0Xq0WdS)!Ndomain _internettldsr r rrsfmal_rrr3r9r:)r;r<zUnable to fetch Fr rz{0}z(\d+\.\d+\.\d+\.\d+)zNew regex for z:  #z found within netblock/subnet z in zError encountered parsing: /z found in z list.zError encountered parsing 2: )r hostDomainrrr=rdictcacheGetgetr?rAcachePutreplacer.compiler0r2splitfindallr-append startswithstriprr Exceptionr>r@r/ BaseException)rr rBrC targetDomrDrEdatariplistr6patlinegrpr erxDomrxTgtr r r! resourceListvsr           zsfp_torexits.resourceListcCsxttjD]}t|d}||kr|t|dkr|jjd|d|d|t|ddkrt|j|||St|ddkr|j|||SqWdS) Nr r zChecking maliciousness of z (z) with: r r8r)rr=rrr2rGrg)r resourceIditemTyperBrDrEr r r! lookupItems zsfp_torexits.lookupItemc Cs|j}|j}|j}|jjd|d|||jkrL|jjd|ddSd|j|<|dkrr|jjdd rrdS|d kr|jjd d rdS|d kr|jjd d rdS|d kr|jjdd rdSxtt j D]}t |d}|j|r|d%krd}|dkrd}nd}|d&kr&d}d}|d'kr^d}|dkrBd}|dkrPd}|dkr^d}|d krpd}d}|d krd}d }|j |||} |j rdS| dk r|d!|d"d#| d$} t || |j|} |j| qWdS)(NzReceived event, z, from z Skipping z, already checked.TCO_HOSTED_SITE checkcohostsFr%rr&rr$rr r#r r(r) BGP_AS_OWNER BGP_AS_MEMBERasn MALICIOUS_ASN INTERNET_NAMEAFFILIATE_INTERNET_NAMErIMALICIOUS_INTERNET_NAME!MALICIOUS_AFFILIATE_INTERNET_NAMEMALICIOUS_COHOSTr r+r*z [z] zz)r#r%)rmrn)rqrkrr) eventTypemoduler_rr2rrrSrr=rrj checkForStopr__name__notifyListeners) revent eventName srcModuleName eventDatarDrEtypeIdevtTypertextevtr r r! handleEventsf             zsfp_torexits.handleEvent)ry __module__ __qualname____doc__roptdescsrrQr"r'r,r7rGrgrjrr r r r!rs& Mr) netaddrrrr.sflibrrrr=rr r r r! s