U @6^3@sXddlZddlZddlmZddlZddlmZddlmZmZm Z GdddeZ dS)N)datetime) IPNetwork) SpiderFootSpiderFootPluginSpiderFootEventc @szeZdZdZdddddddddd Zdd d d d d dddd ZdZdZdZe fddZ ddZ ddZ ddZ ddZdS) sfp_xforcezjXForce Exchange:Investigate,Passive:Reputation Systems:apikey:Obtain information from IBM X-Force ExchangeTd) xforce_api_keyxforce_api_key_passwordage_limit_daysnetblocklookup maxnetblock subnetlookup maxsubnet maxcohostcheckaffiliateszX-Force Exchange API Key.zX-Force Exchange API Password.zd-}|d.krLd/}|dkrZd0}||d1} | dk r| d2t}t|d&kr|jd3|D],}| d4d}| d5d}|sĐqt|d6}tt|}ttd#|jd$}|jd$d&kr&||kr&|jd'q| d7d}| d8d&}| d9d}d}t|d:krl|jd;q|dk r|D]}||d<}qz||t |||||}t|||j|}||q|d=krڐq||d>} | dk r| d?t}t|d&kr|jd@|D]\}| dAd} | dBd}!| dCd}"| dDd}#| dEd}$| d!d}%| dFd}&| dGd}'d}(|'dk r|'D]})|(|)d<}(q|!||(||$||"||#||&||%}| d!d} | sqt| d6} tt| }ttd#|jd$}| d%}|jd$d&kr^||kr^|jd'qnt|||j|}||qqdS)HNz ; zReceived event, z, from r rr z;You enabled sfp_xforce but did not set an API key/password!FTz Skipping z as already mapped.r'rrz$Network size bigger than permitted: z > r(rr AFFILIATE_r NETBLOCK_r#r&rr5zNo Passive DNS info for ZPassivez#Found passive DNS results in XforcerecordsZ recordTypeAlastz%Y-%m-%dT%H:%M:%SZiQrvaluerz#Record found but too old, skipping.r,r$r0r%r-r)r/r.r4historyzFound history results in XForcereasonDescriptioncreatedz%Y-%m-%dT%H:%M:%S.000Zreasonscorecatsz Non-malicious results, skipping. )r&r%r)r3ZmalwarezFound malware results in XForcecountorigindomainurimd5firstfamily) eventTypemoduledatarJrdebugrrIrr prefixlenrC startswithgetrappendrrWrKrstrptimeinttimemktime timetupler__name__notifyListeners checkForStoplen)*revent eventName srcModuleName eventDataZ infield_sepqrylistipaddrevtTyperQrUrecr\last_dtlast_ts age_limit_tshostrVaddr rec_historyresultr`ra created_dt created_tsrbrcrdZcats_descriptioncatentryZ rec_malwarergrhrirjrklastseenZ firstseenrmZfamily_descriptionfr r r! handleEventzsf                                                          zsfp_xforce.handleEvent)r{ __module__ __qualname____doc__roptdescsrrJrdictr"r+r2rWrr r r r!rs: )r) rLrErrxnetaddrrsflibrrrrr r r r!s