From cb97e817ad50190e322b73f5a8dad30701b5a774 Mon Sep 17 00:00:00 2001 From: Wes Young Date: Sun, 13 Sep 2009 19:12:04 +0000 Subject: [PATCH] added spamhausdrop.py to plugins --- PreludeCorrelator/plugins/spamhausdrop.py | 103 +++++++++++++++++++++++++++++ 1 files changed, 103 insertions(+), 0 deletions(-) create mode 100644 PreludeCorrelator/plugins/spamhausdrop.py diff --git a/PreludeCorrelator/plugins/spamhausdrop.py b/PreludeCorrelator/plugins/spamhausdrop.py new file mode 100644 index 0000000..0692cf9 --- /dev/null +++ b/PreludeCorrelator/plugins/spamhausdrop.py @@ -0,0 +1,103 @@ +# Copyright (C) 2009 PreludeIDS Technologies. All Rights Reserved. +# Author: Yoann Vandoorselaere +# Author: Wes Young +# +# This file is part of the Prelude-Correlator program. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to +# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. + +import os, httplib, time +from PreludeCorrelator import require +from PreludeCorrelator.idmef import IDMEF +from PreludeCorrelator.pluginmanager import Plugin +from PreludeCorrelator.context import Context, Timer +from netaddr import IPAddress, IPNetwork + +class SpamhausDropPlugin(Plugin): + RELOAD = 7 * 24 * 60 * 60 + SERVER = "www.spamhaus.org" + URI = "/drop/drop.lasso" + TIMEOUT = 10 + FILENAME = require.get_data_filename(__name__, "spamhaus_drop.dat") + + def __loadData(self, age=0): + for line in open(self.__filename, "r"): + if line[0] == ';': + continue + + ip, sbl = line.split(';') + ip = IPNetwork(ip.strip()) + self.__mynets.append(ip) + + if self.__reload > 0: + Timer(self.__reload - age, self.__retrieveData).start() + + def __downloadData(self): + self.info("Downloading host list, this might take some time...") + + try: + con = httplib.HTTPConnection(self.__server, timeout=self.__timeout) + except TypeError: + con = httplib.HTTPConnection(self.__server) + + con.request("GET", self.__uri) + r = con.getresponse() + if r.status != 200: + raise Exception, "Could not download spamhaus DROP list, error %d" % r.status + + fd = open(self.__filename, "w") + fd.write(r.read()) + fd.close() + + self.info("Downloading done, processing data.") + + def __retrieveData(self, timer=None): + try: + st = os.stat(self.__filename) + if self.__reload <= 0 or time.time() - st.st_mtime < self.__reload: + return self.__loadData(time.time() - st.st_mtime) + except OSError: + pass + + self.__downloadData() + self.__loadData() + + + def __init__(self, env): + Plugin.__init__(self, env) + + self.__mynets = [] + self.__reload = self.getConfigValue("reload", self.RELOAD, type=int) + self.__filename = self.getConfigValue("filename", self.FILENAME) + self.__server = self.getConfigValue("server", self.SERVER) + self.__uri = self.getConfigValue("uri", self.URI) + self.__timeout = self.getConfigValue("timeout", self.TIMEOUT, type=float) + self.__retrieveData() + + def run(self, idmef): + for source in idmef.Get("alert.source(*).node.address(*).address"): + src = IPAddress(source) + InNet = 0 + for net in self.__mynets: + if src in net: + InNet = 1 + if InNet: + ca = IDMEF() + ca.addAlertReference(idmef) + ca.Set("alert.classification.text", "IP source matching Spamhaus DROP dataset") + ca.Set("alert.correlation_alert.name", "IP source matching Spamhaus DROP dataset") + ca.Set("alert.assessment.impact.description", "Spamhaus gathered this IP address in their DROP list - %s" % (source)) + ca.Set("alert.assessment.impact.severity", "medium") + ca.alert() -- 1.5.6.5