3 @6^3@sXddlZddlZddlmZddlZddlmZddlmZmZm Z GdddeZ dS)N)datetime) IPNetwork) SpiderFootSpiderFootPluginSpiderFootEventc @szeZdZdZdddddddddd Zdd d d d d dddd ZdZdZdZe fddZ ddZ ddZ ddZ ddZdS) sfp_xforcezjXForce Exchange:Investigate,Passive:Reputation Systems:apikey:Obtain information from IBM X-Force ExchangeTd) xforce_api_keyxforce_api_key_passwordage_limit_daysnetblocklookup maxnetblock subnetlookup maxsubnet maxcohostcheckaffiliateszX-Force Exchange API Key.zX-Force Exchange API Password.z||_|j|_d|_x"t|jD]}|||j|<q$WdS)Nr)sf tempStorageresults cohostcountlistkeysopts)selfsfcuserOptsoptr 5/var/www/spiderfoot.crq.systems/modules/sfp_xforce.pysetup9s  zsfp_xforce.setupcCsdddddddgS)N IP_ADDRESSAFFILIATE_IPADDR INTERNET_NAMECO_HOSTED_SITENETBLOCK_OWNERNETBLOCK_MEMBERAFFILIATE_INTERNET_NAMEr )rr r r! watchedEventsEszsfp_xforce.watchedEventscCsdddddddgS)NMALICIOUS_IPADDRMALICIOUS_INTERNET_NAMEMALICIOUS_COHOST!MALICIOUS_AFFILIATE_INTERNET_NAMEMALICIOUS_AFFILIATE_IPADDRMALICIOUS_NETBLOCKr&r )rr r r!producedEventsKszsfp_xforce.producedEventsc Cs<d}|dkrd}d}|jd}t|tkr4|jd}|jd}t|tkrT|jd}tj|djd|}d d |jdd }|d |d |} |jj| |jd d|d} | ddkr|jj ddd|_ dS| ddkr|jj d|dSyt j | d} Wn0tk r6} z|jj dddSd} ~ XnX| S)N ipr/malware ipr/historyresolvezhttps://api.xforce.ibmcloud.comr zutf-8r :zapplication/jsonzBasic )Accept Authorization/ _fetchtimeoutr)timeout useragentheaderscode400401402403z[XForce API key seems to have been rejected or you have exceeded usage limits for the month.FTcontentzNo XForce info found for z+Error processing JSON response from XForce.)r2r3r4)r>r?r@rA)rtypestrencodebase64 b64encodedecoderfetchUrlerror errorStateinfojsonloads Exception) rqry querytyperetZ xforce_urlapi_keyZapi_key_passwordtokenr<urlresrLer r r!queryQs8       zsfp_xforce.queryc*Cs|j}|j}|j}d}|jr dS|jjd|d||jddksT|jddkrl|jjddd |_dS||jkr|jjd |d dSd |j|<|d kr|jd sdSt |j |jdkr|jjdt t |j dt |jddS|dkrR|jds dSt |j |jdkrR|jjdt t |j dt |jddS|j drt|jj dd rtdSt}|j drx:t |D]"}|jt |d |jt |<qWn |j||dkrd}|j|jdkrdS|j|d} | dkr|jjd|nd| kr|jjd| dd} x| D]} | dd kr6| j d!d} | s^q6tj| d"} ttj| j}ttjd#|jd$}| d%}|jd$d&kr||kr|jjd'q6n(t|||j|}|j||jd(7_q6Wx|D]}|jrdS|dks*|j dr.d)}|d*krt}t|d&kr|jjd?xj|D]`}|j d@d} |j dAd}!|j dBd}"|j dCd}#|j dDd}$|j d!d}%|j dEd}&|j dFd}'d}(|'dk rx|'D]})|(|)d<}(qW|!||(||$||"||#||&||%}| j d!d} | sq6tj| d6} ttj| j}ttjd#|jd$}| d%}|jd$d&kr|||kr||jjd'q6nt|||j|}|j|q6WqWdS)HNz ; zReceived event, z, from r rr z;You enabled sfp_xforce but did not set an API key/password!FTz Skipping z as already mapped.r'rrz$Network size bigger than permitted: z > r(rr AFFILIATE_r NETBLOCK_r#r&rr4zNo Passive DNS info for ZPassivez#Found passive DNS results in XforcerecordsZ recordTypeAlastz%Y-%m-%dT%H:%M:%SZiQrvaluerz#Record found but too old, skipping.r+r$r/r%r,r)r.r-z ipr/historyhistoryzFound history results in XForcereasonDescriptioncreatedz%Y-%m-%dT%H:%M:%S.000Zreasonscorecatsz Non-malicious results, skipping. z ipr/malwareZmalwarezFound malware results in XForcecountorigindomainurimd5firstfamily)r&r%r)) eventTypemoduledatarKrdebugrrJrr prefixlenrD startswithgetrappendrrXrLrstrptimeinttimemktime timetupler__name__notifyListeners checkForStoplen)*revent eventName srcModuleName eventDataZ infield_sepqrylistipaddrevtTyperRrVrecr]last_dtlast_ts age_limit_tshostrWaddr rec_historyresultrarb created_dt created_tsrcrdreZcats_descriptioncatentryZ rec_malwarerhrirjrkrllastseenZ firstseenrnZfamily_descriptionfr r r! handleEventzs                                                  .   zsfp_xforce.handleEvent)r| __module__ __qualname____doc__roptdescsrrKrdictr"r*r1rXrr r r r!rs6 )r) rMrFrrynetaddrrsflibrrrrr r r r!s