File Coverage

blib/lib/Metabrik/Lookup/Threatlist.pm
Criterion Covered Total %
statement 9 86 10.4
branch 0 62 0.0
condition 0 21 0.0
subroutine 3 6 50.0
pod 1 3 33.3
total 13 178 7.3


line stmt bran cond sub pod time code
1             #
2             # $Id$
3             #
4             # lookup::threatlist Brik
5             #
6             package Metabrik::Lookup::Threatlist;
7 1     1   781 use strict;
  1         3  
  1         30  
8 1     1   5 use warnings;
  1         2  
  1         26  
9              
10 1     1   5 use base qw(Metabrik);
  1         13  
  1         1306  
11              
12             sub brik_properties {
13             return {
14 0     0 1   revision => '$Revision$',
15             tags => [ qw(unstable ipv4 ipv6 ip threat) ],
16             author => 'GomoR ',
17             license => 'http://opensource.org/licenses/BSD-3-Clause',
18             attributes => {
19             datadir => [ qw(datadir) ],
20             },
21             commands => {
22             update => [ ],
23             from_ipv4 => [ qw(ipv4_address) ],
24             },
25             require_modules => {
26             'Metabrik::Client::Www' => [ ],
27             'Metabrik::File::Compress' => [ ],
28             'Metabrik::File::Text' => [ ],
29             'Metabrik::Network::Address' => [ ],
30             },
31             };
32             }
33              
34             sub update {
35 0     0 0   my $self = shift;
36              
37 0           my $datadir = $self->datadir;
38              
39 0           my %mirror = (
40             'iblocklist-tgbankumtwtrzllndbmb.gz' => 'http://list.iblocklist.com/?list=logmein',
41             'iblocklist-nzldzlpkgrcncdomnttb.gz' => 'http://list.iblocklist.com/?list=nzldzlpkgrcncdomnttb',
42             'iblocklist-xoebmbyexwuiogmbyprb.gz' => 'http://list.iblocklist.com/?list=bt_proxy',
43             'iblocklist-zfucwtjkfwkalytktyiw.gz' => 'http://list.iblocklist.com/?list=zfucwtjkfwkalytktyiw',
44             'iblocklist-llvtlsjyoyiczbkjsxpf.gz' => 'http://list.iblocklist.com/?list=bt_spyware',
45             'iblocklist-togdoptykrlolpddwbvz.gz' => 'http://list.iblocklist.com/?list=tor',
46             'iblocklist-ghlzqtqxnzctvvajwwag.gz' => 'http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag',
47             'sans-block.txt' => 'http://isc.sans.edu/block.txt',
48             'malwaredomains-domains.txt' => 'http://mirror1.malwaredomains.com/files/domains.txt',
49             'emergingthreats-compromised-ips.txt.gz' => 'http://rules.emergingthreats.net/blockrules/compromised-ips.txt',
50             'emergingthreats-emerging-Block-IPs.txt.gz' => 'http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt',
51             'phishtank-verified_online.csv.gz' => 'http://data.phishtank.com/data/online-valid.csv.gz',
52             'abusech-palevotracker.txt.gz' => 'https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist',
53             'abusech-spyeyetracker.txt.gz' => 'https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist',
54             'abusech-zeustracker-badips.txt.gz' => 'https://zeustracker.abuse.ch/blocklist.php?download=badips',
55             'abusech-zeustracker.txt.gz' => 'https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist',
56             'iana-tlds-alpha-by-domain.txt' => 'http://data.iana.org/TLD/tlds-alpha-by-domain.txt',
57             'publicsuffix-effective_tld_names.dat.gz' => 'https://publicsuffix.org/list/effective_tld_names.dat',
58             );
59              
60             # IP Threatlist:
61             # "abusech-palevotracker.txt", # Palevo C&C
62             # "abusech-zeustracker-badips.txt", # Zeus IPs
63             # "abusech-zeustracker.txt", # Zeus IPs
64             # "emergingthreats-compromised-ips.txt", # Compromised IPs
65             # "emergingthreats-emerging-Block-IPs.txt", # Raw IPs from Spamhaus, DShield and Abuse.ch
66             # "iblocklist-ghlzqtqxnzctvvajwwag", # Various exploiters, scanner, spammers IPs
67             # "iblocklist-llvtlsjyoyiczbkjsxpf", # Various evil IPs (?)
68             # "iblocklist-xoebmbyexwuiogmbyprb", # Proxy and TOR IPs
69             # "sans-block.txt", # IP ranges to block for abuse reasons
70              
71             # Owner lists
72             # "iblocklist-nzldzlpkgrcncdomnttb", # ThePirateBay
73             # "iblocklist-togdoptykrlolpddwbvz", # TOR IPs
74             # "iblocklist-tgbankumtwtrzllndbmb", # LogMeIn IPs
75             # "iblocklist-zfucwtjkfwkalytktyiw", # RapidShare IPs
76             # "phishtank-verified_online.csv", # URLs hosting phishings
77             # "malwaredomains-domains.txt", # Malware domains
78              
79             # Other lists
80             # "top-1m.csv",
81             # "iana-tlds-alpha-by-domain.txt",
82             # "publicsuffix-effective_tld_names.dat",
83              
84 0 0         my $cw = Metabrik::Client::Www->new_from_brik_init($self) or return;
85 0           $cw->user_agent("Metabrik-Lookup-Threatlist-mirror/1.00");
86 0           $cw->datadir($datadir);
87              
88 0 0         my $fc = Metabrik::File::Compress->new_from_brik_init($self) or return;
89 0           $fc->datadir($datadir);
90              
91 0           my @updated = ();
92 0           for my $f (keys %mirror) {
93 0 0         my $files = $cw->mirror($mirror{$f}, $f) or next;
94 0           for my $file (@$files) {
95 0           my $outfile = $file;
96 0 0         if ($file =~ /\.gz$/) {
    0          
97 0           ($outfile = $file) =~ s/\.gz$//;
98 0 0         $fc->uncompress($file, $outfile) or next;
99             }
100             elsif ($file =~ /\.zip$/) {
101 0           ($outfile = $file) =~ s/\.zip$//;
102 0 0         $fc->uncompress($file, $outfile) or next;
103             }
104 0           push @updated, $outfile;
105             }
106             }
107              
108 0           return \@updated;
109             }
110              
111             sub from_ipv4 {
112 0     0 0   my $self = shift;
113 0           my ($ipv4) = @_;
114              
115 0 0         $self->brik_help_run_undef_arg('from_ipv4', $ipv4) or return;
116              
117 0 0         my $na = Metabrik::Network::Address->new_from_brik_init($self) or return;
118 0 0         if (! $na->is_ipv4($ipv4)) {
119 0           return $self->log->error("from_ipv4: not a valid IPv4 address [$ipv4]");
120             }
121              
122             # Keep only the IP part
123 0           ($ipv4) = $ipv4 =~ m{^(\d+\.\d+\.\d+\.\d+)/?.*$};
124              
125             # One IP per line format
126 0           my $lists_a = {
127             "abusech-palevotracker.txt" => 'Abuse.ch - Palevo C&C',
128             "abusech-zeustracker-badips.txt" => 'Abuse.ch - Zeus bad IPs',
129             "abusech-zeustracker.txt" => 'Abuse.ch - Zeus IPs',
130             "emergingthreats-compromised-ips.txt" => 'EmergingThreats - Compromised IPs',
131             "emergingthreats-emerging-Block-IPs.txt" => 'EmergingThreats - Spamhaus, DShield and Abuse.ch',
132             };
133              
134             # CSV-like format
135 0           my $lists_b = {
136             "iblocklist-ghlzqtqxnzctvvajwwag" => 'iblocklist - Exploiters, scanner and spammers',
137             "iblocklist-llvtlsjyoyiczbkjsxpf" => 'iblocklist - Malicious IPs',
138             "iblocklist-xoebmbyexwuiogmbyprb" => 'iblocklist - Proxy and TOR',
139             };
140              
141             # Custom format
142 0           my $lists_c = {
143             "sans-block.txt" => 'SANS - Malicious IPs',
144             };
145              
146 0           my $datadir = $self->datadir;
147              
148 0 0         my $ft = Metabrik::File::Text->new_from_brik_init($self) or return;
149 0           $ft->as_array(1);
150 0           $ft->strip_crlf(1);
151              
152 0           my $level = $self->log->level;
153 0           $self->log->level(1);
154              
155 0           my %threats = ();
156 0           for my $file (keys %$lists_a) {
157 0 0         my $data = $ft->read($datadir.'/'.$file) or next;
158 0           for (@$data) {
159 0 0         next if (/^\s*#/);
160 0 0         next if (/^\s*$/);
161 0 0 0       if ($na->is_ipv4_subnet($_) && $na->match($ipv4, $_)) {
    0 0        
162 0           $threats{$lists_a->{$file}}++;
163             }
164             elsif ($na->is_ipv4($_) && /^$ipv4$/) {
165 0           $threats{$lists_a->{$file}}++;
166             }
167             }
168             }
169              
170 0           for my $file (keys %$lists_b) {
171 0 0         my $data = $ft->read($datadir.'/'.$file) or next;
172 0           for (@$data) {
173 0 0         next if (/^\s*#/);
174 0 0         next if (/^\s*$/);
175 0           my @toks = split(/\s*:\s*/);
176 0 0 0       next unless (defined($toks[0]) && defined($toks[1]));
177 0           my $type = $toks[0]; # Exploit scanner, WebExploit, ...
178 0           my ($start, $end) = $toks[1] =~ m{^\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)\s*$};
179 0 0 0       next unless (defined($start) && defined($end));
180 0 0 0       next unless ($na->is_ipv4($start) && $na->is_ipv4($end));
181 0 0         my $subnet = $na->range_to_cidr($start, $end) or next;
182 0           for my $this (@$subnet) {
183 0 0         if ($na->match($ipv4, $this)) {
184 0           $threats{$lists_b->{$file}}++;
185             }
186             }
187             }
188             }
189              
190 0           for my $file (keys %$lists_c) {
191 0 0         my $data = $ft->read($datadir.'/'.$file) or next;
192 0           for (@$data) {
193 0 0         next if (/^\s*#/);
194 0 0         next if (/^\s*$/);
195 0           my @toks = split(/\s+/);
196 0           my $start = $toks[0];
197 0           my $end = $toks[1];
198 0 0 0       next unless (defined($start) && defined($end));
199 0 0 0       next unless ($na->is_ipv4($start) && $na->is_ipv4($end));
200 0 0         my $subnet = $na->range_to_cidr($start, $end) or next;
201 0           for my $this (@$subnet) {
202 0 0         if ($na->match($ipv4, $this)) {
203 0           $threats{$lists_c->{$file}}++;
204             }
205             }
206             }
207             }
208              
209 0           $self->log->level($level);
210              
211 0           return [ keys %threats ];
212             }
213              
214             1;
215              
216             __END__