U @6^-@sXddlmZmZddlZddlmZmZmZdddddgd d d iZGd d d eZ dS)) IPAddress IPNetworkN) SpiderFootSpiderFootPluginSpiderFootEventzTOR Exist List _torexitslistipnetblockz+https://check.torproject.org/exit-addressesz^ExitAddress\s+{0}\s+)idtypechecksurlregexc@sxeZdZdZddddddZddddd Zd Zefd d Zd dZ ddZ ddZ ddZ ddZ ddZddZd S) sfp_torexitszTOR Exit Nodes:Investigate,Passive:Secondary Networks::Check if an IP or netblock appears on the torproject.org exit node list.T)rcheckaffiliates cacheperiodchecknetblocks checksubnetszApply checks to affiliates?z,Hours to cache list data before re-fetching.z=Report if any malicious IPs are found within owned netblocks?zJCheck if any malicious IPs are found within the same subnet of the target?)rrrrNcCs:||_||_d|_t|D]}|||j|<q"dS)Nztorproject.org)sf tempStorageresults__dataSource__rkeysopts)selfsfcuserOptsoptr 7/var/www/spiderfoot.crq.systems/modules/sfp_torexits.pysetup7s  zsfp_torexits.setupcCs ddddgS)N IP_ADDRESSNETBLOCK_MEMBERAFFILIATE_IPADDRNETBLOCK_OWNERr rr r r! watchedEventsDszsfp_torexits.watchedEventscCs ddddgS)NMALICIOUS_IPADDRMALICIOUS_AFFILIATE_IPADDRMALICIOUS_SUBNETMALICIOUS_NETBLOCKr r'r r r!producedEventsKszsfp_torexits.producedEventscCst|dkrB|D]0}t||tjtjBr|jd|dSqt|dkr|D]0}t||tjtjBrR|jd|dSqR|jddS)Nrz#Found to be bad against bad regex: Tz$Found to be good againt good regex: FzNeither good nor bad, unknown.)lenrematch IGNORECASEDOTALLrdebug)rcontent goodregexbadregexrxr r r!contentMaliciousPs   zsfp_torexits.contentMaliciouscCs|jd|d|ttD]}t|d}||kr$t|ddkr$tt|d}|jj|||jd|jdd }|d dkr|j d ||d dS| |d t|d t|dr$||Sq$dS)Nz Querying z for maliciousness of r r queryr _fetchtimeout _useragenttimeout useragentr4Unable to fetch Fr5r6) rr3r malchecksrstrfetchUrlformatrerrorr8)rr target targetTypecheckcidrresr r r! resourceQueryds $    zsfp_torexits.resourceQueryc Csd}|dkr |j||jd}ttD]t}t|d}||kr,t|ddkr,t}t|d}|jd||jd d |d <|d dkr|jj ||jd |jd d}|d dkr|j d|ddS|j d||d |dkrNt} dt|krt|d dd} t | t j} |jd|d| |d dD].} t | | } t| d krR| | d qRn|d d} | D]}t|dks|drq|}z@t|t|kr|j|d|d||WSWnBtk rB}z"|jdt|WYqW5d}~XYnXqdSdt|kr|d dD]P} | |ks|dkrj| |krj|j|d|d|d|Sqjq,ztt|d|}tt|d|}|d dD]b} |dkrt || t js,t || t jr|j|d|d|d|WSqWq,tk r}z |jd t|WYq,W5d}~XYq,Xq,dS)!Ndomain _internettldsr r rrsfmal_rrr4r:r;r<r?Fr rz{0}z(\d+\.\d+\.\d+\.\d+)zNew regex for z:  #z found within netblock/subnet z in zError encountered parsing: /z found in z list.zError encountered parsing 2: )r hostDomainrrr@rdictcacheGetgetrBrDcachePutreplacer/compiler1r3splitfindallr.append startswithstriprr ExceptionrArCr0 BaseException)rr rErF targetDomrGrHdatariplistr7patlinegrpr erxDomrxTgtr r r! resourceListvs           zsfp_torexits.resourceListcCsttD]}t|d}||kr |t|dkr |jd|d|d|t|ddkrv||||St|ddkr ||||Sq dS) Nr r zChecking maliciousness of z (z) with: r r9r)rr@rrr3rJrj)r resourceIditemTyperErGrHr r r! lookupItems zsfp_torexits.lookupItemc Cs|j}|j}|j}|jd|d|||jkrL|jd|ddSd|j|<|dkrp|jddspdS|d kr|jd dsdS|d kr|jd dsdS|d kr|jddsdStt D]}t |d}|j|r|dkrd}|dkrd}nd}|dkrd}d}|dkrRd}|dkr6d}|dkrDd}|dkrRd}|d krdd}d }|d krvd}d!}| |||} | rdS| dk r|d"|d#d$| d%} t || |j|} || qdS)&NzReceived event, z, from z Skipping z, already checked.TCO_HOSTED_SITE checkcohostsFr%rr&rr$rr )r#r%r r#r)r*) BGP_AS_OWNER BGP_AS_MEMBERasn MALICIOUS_ASN) INTERNET_NAMErnAFFILIATE_INTERNET_NAMErLrtMALICIOUS_INTERNET_NAMEru!MALICIOUS_AFFILIATE_INTERNET_NAMEMALICIOUS_COHOSTr r,r+z [z] zz) eventTypemodulerbrr3rrrVrr@rrm checkForStopr__name__notifyListeners) revent eventName srcModuleName eventDatarGrHtypeIdevtTypertextevtr r r! handleEventsf                zsfp_torexits.handleEvent)r| __module__ __qualname____doc__roptdescsrrTr"r(r-r8rJrjrmrr r r r!rs*   Mr) netaddrrrr/sflibrrrr@rr r r r! s