0001-added-spamhausdrop.py-to-plugins.patch
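--- a/PreludeCorrelator/plugins/spamhausdrop.py
+++ b/PreludeCorrelator/plugins/spamhausdrop.py
@@ -0,0 +1,117 @@
+# Copyright (C) 2009 PreludeIDS Technologies. All Rights Reserved.
+# Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com>
+# Author: Wes Young <wes@barely3am.com>
+#
+# This file is part of the Prelude-Correlator program.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; see the file COPYING. If not, write to
+# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
+
+import os, httplib, time
+from PreludeCorrelator import require
+from PreludeCorrelator.idmef import IDMEF
+from PreludeCorrelator.pluginmanager import Plugin
+from PreludeCorrelator.context import Context, Timer
+
+import netaddr
+
+if tuple(int(x) for x in netaddr.__version__.split(".")) >= (0, 7):
+from netaddr import IPAddress, IPNetwork, IPSet
+else:
+from netaddr import IP as IPAddress
+from netaddr import CIDR as IPNetwork
+
+class IPSet(list):
+def __contains__(self, y):
+for i in iter(self):
+if y in i:
+return True
+
+return False
+
+def add(self, obj):
+self.append(obj)
+
+
+class SpamhausDropPlugin(Plugin):
+RELOAD = 7 * 24 * 60 * 60
+SERVER = "www.spamhaus.org"
+URI = "/drop/drop.lasso"
+TIMEOUT = 10
+FILENAME = require.get_data_filename(__name__, "spamhaus_drop.dat")
+
+def __loadData(self, age=0):
+for line in open(self.__filename, "r"):
+if line[0] == ';':
+continue
+
+ip, sbl = line.split(';')
+ip = IPNetwork(ip.strip())
+self.__mynets.add(ip)
+
+if self.__reload > 0:
+Timer(self.__reload - age, self.__retrieveData).start()
+
+def __downloadData(self):
+self.info("Downloading host list, this might take some time...")
+
+try:
+con = httplib.HTTPConnection(self.__server, timeout=self.__timeout)
+except TypeError:
+con = httplib.HTTPConnection(self.__server)
+
+con.request("GET", self.__uri)
+r = con.getresponse()
+if r.status != 200:
+raise Exception, "Could not download spamhaus DROP list, error %d" % r.status
+
+fd = open(self.__filename, "w")
+fd.write(r.read())
+fd.close()
+
+self.info("Downloading done, processing data.")
+
+def __retrieveData(self, timer=None):
+try:
+st = os.stat(self.__filename)
+if self.__reload <= 0 or time.time() - st.st_mtime < self.__reload:
+return self.__loadData(time.time() - st.st_mtime)
+except OSError:
+pass
+
+self.__downloadData()
+self.__loadData()
+
+
+def __init__(self, env):
+Plugin.__init__(self, env)
+
+self.__mynets = IPSet()
+self.__reload = self.getConfigValue("reload", self.RELOAD, type=int)
+self.__filename = self.getConfigValue("filename", self.FILENAME)
+self.__server = self.getConfigValue("server", self.SERVER)
+self.__uri = self.getConfigValue("uri", self.URI)
+self.__timeout = self.getConfigValue("timeout", self.TIMEOUT, type=float)
+self.__retrieveData()
+
+def run(self, idmef):
+for source in idmef.Get("alert.source(*).node.address(*).address"):
+if IPAddress(source) in self.__mynets:
+ca = IDMEF()
+ca.addAlertReference(idmef)
+ca.Set("alert.classification.text", "IP source matching Spamhaus DROP dataset")
+ca.Set("alert.correlation_alert.name", "IP source matching Spamhaus DROP dataset")
+ca.Set("alert.assessment.impact.description", "Spamhaus gathered this IP address in their DROP list - %s" % (source))
+ca.Set("alert.assessment.impact.severity", "medium")
+ca.alert()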
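Review bot: Each scheduled reload in `__loadData` (new lines 54–64) adds to the existing `self.__mynets` and never clears it, so a prefix that Spamhaus removes from the DROP list keeps matching in `run` for the life of the process (and with the pre-0.7 list-backed IPSet fallback, duplicates accumulate as well); build a fresh set and assign it once parsing succeeds. The same method leaks the file handle, and `ip, sbl = line.split(';')` raises ValueError on any line that does not contain exactly one `;` — since `__retrieveData` runs from `__init__`, a blank or malformed line would take the whole plugin down, and I cannot see the list format from here, so a guard is cheap insurance. `__downloadData` fetches over plain HTTP with no integrity check and writes the body straight to `self.__filename` before anything is parsed, so a bad or tampered response both corrupts the cached file until it ages out and directly decides which sources receive a "medium" correlation alert; download to a temporary path and replace the cache only after a successful parse (the `_downloadDatabase` helper added in setup.py has the same write-then-trust shape). The Timer lines at the end of `__loadData` are unchanged in the sketch below.
```python
    def __loadData(self, age=0):
        nets = IPSet()
        fd = open(self.__filename, "r")
        try:
            for line in fd:
                line = line.strip()
                if not line or line[0] == ';':
                    continue
                # keep only the prefix field; tolerate a missing or extra ';'
                nets.add(IPNetwork(line.split(';', 1)[0].strip()))
        finally:
            fd.close()
        # swap in the new set so prefixes dropped upstream stop matching
        self.__mynets = nets
        # … unchanged: reload Timer …
```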
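--- a/prelude_correlator.egg-info/SOURCES.txt
+++ b/prelude_correlator.egg-info/SOURCES.txt
@@ -24,10 +24,11 @@
 PreludeCorrelator/plugins/firewall.py
 PreludeCorrelator/plugins/opensshauth.py
 PreludeCorrelator/plugins/scan.py
+PreludeCorrelator/plugins/spamhausdrop.py
 PreludeCorrelator/plugins/worm.py
 prelude_correlator.egg-info/PKG-INFO
 prelude_correlator.egg-info/SOURCES.txt
 prelude_correlator.egg-info/dependency_links.txt
 prelude_correlator.egg-info/entry_points.txt
 prelude_correlator.egg-info/not-zip-safe
-prelude_correlator.egg-info/top_level.txt
+prelude_correlator.egg-info/top_level.txt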
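--- a/prelude_correlator.egg-info/entry_points.txt
+++ b/prelude_correlator.egg-info/entry_points.txt
@@ -6,6 +6,7 @@
 FirewallPlugin = PreludeCorrelator.plugins.firewall:FirewallPlugin
 BruteForcePlugin = PreludeCorrelator.plugins.bruteforce:BruteForcePlugin
 EventStormPlugin = PreludeCorrelator.plugins.scan:EventStormPlugin
+SpamhausDropPlugin = PreludeCorrelator.plugins.spamhausdrop:SpamhausDropPlugin
 DshieldPlugin = PreludeCorrelator.plugins.dshield:DshieldPlugin
 EventScanPlugin = PreludeCorrelator.plugins.scan:EventScanPlugin
 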
setup.py | ||
12 | 12 | |
13 | 13 | |
14 | 14 |
class my_sdist(sdist): |
15 |
def __init__(self, *args, **kwargs):
|
|
15 |
def _downloadDatabase(self, dname, server, url, filename):
|
|
16 | 16 |
import httplib |
17 | 17 | |
18 |
fin = os.popen('git log --summary --stat --no-merges --date=short', 'r') |
|
19 |
fout = open('ChangeLog', 'w') |
|
20 |
fout.write(fin.read()) |
|
21 |
fout.close() |
|
22 | ||
23 |
print "Downloading DShield database, this might take a while..." |
|
18 |
print "Downloading %s database, this might take a while..." % (dname) |
|
24 | 19 | |
25 |
con = httplib.HTTPConnection("www.dshield.org")
|
|
26 |
con.request("GET", "/ipsascii.html?limit=10000")
|
|
20 |
con = httplib.HTTPConnection(server)
|
|
21 |
con.request("GET", url)
|
|
27 | 22 |
r = con.getresponse() |
28 | 23 |
if r.status != 200: |
29 |
raise Exception, "Could not download DShield host list, error %d" % r.status
|
|
24 |
raise Exception, "Could not download %s host list, error %d" % (dname, r.status)
|
|
30 | 25 | |
31 |
fd = open("PreludeCorrelator/plugins/dshield.dat", "w")
|
|
26 |
fd = open(filename, "w")
|
|
32 | 27 |
fd.write(r.read()) |
33 | 28 |
fd.close() |
34 | 29 | |
30 |
def __init__(self, *args, **kwargs): |
|
31 |
fin = os.popen('git log --summary --stat --no-merges --date=short', 'r') |
|
32 |
fout = open('ChangeLog', 'w') |
|
33 |
fout.write(fin.read()) |
|
34 |
fout.close() |
|
35 | ||
36 |
self._downloadDatabase("DShield", "www.dshield.org", "/ipsascii.html?limit=10000", "PreludeCorrelator/plugins/dshield.dat") |
|
37 |
self._downloadDatabase("Spamhaus", "www.spamhaus.org", "/drop/drop.lasso", "PreludeCorrelator/plugins/spamhaus_drop.dat") |
|
38 | ||
35 | 39 |
sdist.__init__(self, *args) |
36 | 40 | |
37 | 41 | |
... | ... | |
85 | 89 |
else: |
86 | 90 |
package_data = {} |
87 | 91 |
data_files = [ ("etc/prelude-correlator", ["prelude-correlator.conf"]), |
88 |
("var/lib/prelude-correlator", ["PreludeCorrelator/plugins/dshield.dat"]) ] |
|
92 |
("var/lib/prelude-correlator", ["PreludeCorrelator/plugins/dshield.dat", "PreludeCorrelator/plugins/spamhaus_drop.dat"]) ]
|
|
89 | 93 | |
90 | 94 |
setup( |
91 | 95 |
name="prelude-correlator", |
... | ... | |
137 | 141 |
'EventScanPlugin = PreludeCorrelator.plugins.scan:EventScanPlugin', |
138 | 142 |
'EventStormPlugin = PreludeCorrelator.plugins.scan:EventStormPlugin', |
139 | 143 |
'EventSweepPlugin = PreludeCorrelator.plugins.scan:EventSweepPlugin', |
140 |
'WormPlugin = PreludeCorrelator.plugins.worm:WormPlugin' |
|
144 |
'WormPlugin = PreludeCorrelator.plugins.worm:WormPlugin', |
|
145 |
'SpamhausDropPlugin = PreludeCorrelator.plugins.spamhausdrop:SpamhausDropPlugin' |
|
141 | 146 |
] |
142 | 147 |
}, |
143 | 148 | |
144 |
- |