List: prelude-cvslog
Subject: [prelude-cvslog] prelude-correlator/master: Initial SpamhausDrop
From: noreply () prelude-ids ! com
Date: 2009-09-15 6:47:17
Message-ID: 20090915064717.828DE3C8003 () inferno ! prelude-ids ! com
commit 6ee57df63e37d926055658c142dcff892e6fdcac
Author: Wes Young <wes@barely3am.com>
Date: Sun Sep 13 19:12:04 2009 +0000
Initial SpamhausDrop plugin implementation (closes #363)
========================================
PreludeCorrelator/plugins/spamhaus_drop.dat | 149 ++++++++++++++++++++++++++
PreludeCorrelator/plugins/spamhausdrop.py | 117 ++++++++++++++++++++
prelude_correlator.egg-info/SOURCES.txt | 3 +-
prelude_correlator.egg-info/entry_points.txt | 1 +
setup.py | 31 +++---
5 files changed, 287 insertions(+), 14 deletions(-)
========================================
diff --git a/PreludeCorrelator/plugins/spamhaus_drop.dat \
b/PreludeCorrelator/plugins/spamhaus_drop.dat
new file mode 100644
index 0000000..1df6b6b
--- /dev/null
+++ b/PreludeCorrelator/plugins/spamhaus_drop.dat
@@ -0,0 +1,149 @@
+; Spamhaus DROP List 9/14/09 - (c) 2009 The Spamhaus Project
+110.44.0.0/20 ; SBL74731
+115.166.64.0/19 ; SBL68085
+116.199.128.0/19 ; SBL56563
+117.103.40.0/21 ; SBL75246
+119.27.128.0/19 ; SBL75245
+119.42.144.0/21 ; SBL70035
+120.143.128.0/21 ; SBL67396
+121.46.64.0/18 ; SBL72673
+128.199.0.0/16 ; SBL62478
+132.232.0.0/16 ; SBL9176
+132.240.0.0/16 ; SBL68517
+134.33.0.0/16 ; SBL7097
+138.252.0.0/16 ; SBL9702
+138.43.0.0/16 ; SBL69354
+139.167.0.0/16 ; SBL64740
+143.49.0.0/16 ; SBL7182
+150.230.0.0/16 ; SBL78129
+152.147.0.0/16 ; SBL8847
+167.28.0.0/16 ; SBL75680
+167.97.0.0/16 ; SBL12947
+168.151.0.0/16 ; SBL73292
+170.67.0.0/16 ; SBL8148
+187.16.192.0/19 ; SBL76362
+190.103.160.0/20 ; SBL77769
+190.112.0.0/19 ; SBL76260
+192.160.44.0/24 ; SBL9493
+192.43.153.0/24 ; SBL69615
+192.43.154.0/23 ; SBL69616
+192.43.156.0/22 ; SBL69617
+192.43.160.0/24 ; SBL69618
+192.67.16.0/24 ; SBL6648
+192.86.85.0/24 ; SBL69619
+193.110.136.0/24 ; SBL3399
+193.138.172.0/22 ; SBL72612
+193.142.244.0/24 ; SBL57948
+193.16.100.0/24 ; SBL61945
+193.169.12.0/23 ; SBL78538
+193.19.120.0/23 ; SBL13553
+193.238.36.0/22 ; SBL40543
+194.110.160.0/22 ; SBL60306
+194.116.146.0/23 ; SBL50590
+194.126.193.0/24 ; SBL58152
+194.146.204.0/22 ; SBL51152
+194.165.4.0/23 ; SBL74236
+195.114.8.0/23 ; SBL48773
+195.225.176.0/22 ; SBL47622
+195.234.159.0/24 ; SBL57950
+195.238.242.0/24 ; SBL57947
+195.74.88.0/23 ; SBL53174
+195.88.32.0/23 ; SBL75285
+195.88.80.0/23 ; SBL75547
+195.95.161.0/24 ; SBL42935
+196.1.176.0/20 ; SBL73088
+196.32.216.0/21 ; SBL66614
+198.151.152.0/22 ; SBL23969
+198.186.16.0/20 ; SBL75933
+198.186.25.0/24 ; SBL23976
+198.204.0.0/21 ; SBL8179
+199.120.163.0/24 ; SBL6658
+199.166.200.0/22 ; SBL6026
+199.245.138.0/24 ; SBL9923
+199.60.102.0/24 ; SBL9159
+200.14.120.0/21 ; SBL77385
+200.50.192.0/19 ; SBL77554
+201.71.0.0/20 ; SBL38197
+202.133.64.0/20 ; SBL71640
+202.6.176.0/20 ; SBL76326
+203.19.101.0/24 ; SBL6619
+203.31.88.0/23 ; SBL8083
+203.34.205.0/24 ; SBL7330
+203.34.70.0/23 ; SBL9682
+203.34.71.0/24 ; SBL7244
+204.13.32.0/21 ; SBL37362
+204.236.0.0/19 ; SBL46767
+204.52.255.0/24 ; SBL13483
+204.86.116.0/22 ; SBL73638
+204.89.224.0/24 ; SBL11667
+205.210.137.0/24 ; SBL25844
+205.235.64.0/20 ; SBL8558
+205.236.189.0/24 ; SBL9442
+206.197.175.0/24 ; SBL14246
+206.197.176.0/24 ; SBL14250
+206.197.177.0/24 ; SBL14248
+206.197.28.0/24 ; SBL14253
+206.197.29.0/24 ; SBL14251
+207.166.112.0/20 ; SBL77866
+208.77.224.0/21 ; SBL62629
+208.81.136.0/21 ; SBL61909
+208.82.136.0/21 ; SBL59310
+208.84.96.0/21 ; SBL72825
+208.87.152.0/21 ; SBL64180
+208.93.152.0/22 ; SBL68601
+209.145.192.0/18 ; SBL67920
+209.165.224.0/20 ; SBL163
+209.213.48.0/20 ; SBL57862
+213.181.80.0/20 ; SBL78149
+216.21.8.0/22 ; SBL70526
+216.243.240.0/20 ; SBL55229
+41.221.112.0/20 ; SBL73618
+58.83.12.0/22 ; SBL53280
+58.83.8.0/22 ; SBL67465
+62.122.32.0/21 ; SBL73243
+64.28.176.0/20 ; SBL36453
+66.206.32.0/22 ; SBL67916
+66.55.160.0/19 ; SBL69212
+67.210.0.0/20 ; SBL58520
+67.213.128.0/20 ; SBL72074
+69.8.176.0/20 ; SBL15315
+69.80.0.0/17 ; SBL69575
+72.2.176.0/20 ; SBL65287
+72.50.192.0/19 ; SBL69515
+74.112.184.0/22 ; SBL77135
+78.155.220.0/23 ; SBL71758
+78.157.128.0/19 ; SBL68777
+79.110.160.0/20 ; SBL67820
+79.135.160.0/19 ; SBL65112
+81.29.240.0/20 ; SBL58207
+85.255.112.0/20 ; SBL36702
+86.105.230.0/24 ; SBL50622
+88.214.211.0/24 ; SBL67516
+89.35.0.0/23 ; SBL47082
+91.196.232.0/22 ; SBL60122
+91.199.112.0/24 ; SBL64756
+91.203.92.0/22 ; SBL65512
+91.208.0.0/24 ; SBL66769
+91.208.162.0/24 ; SBL68740
+91.208.228.0/24 ; SBL71049
+91.209.14.0/24 ; SBL69636
+91.209.184.0/24 ; SBL71669
+91.209.186.0/24 ; SBL73228
+91.209.48.0/24 ; SBL74708
+91.209.58.0/24 ; SBL73115
+91.211.64.0/22 ; SBL70438
+91.211.88.0/22 ; SBL71163
+91.212.45.0/24 ; SBL73397
+91.212.65.0/24 ; SBL73329
+91.213.126.0/24 ; SBL77763
+91.213.33.0/24 ; SBL77856
+91.214.44.0/22 ; SBL77375
+93.118.128.0/18 ; SBL77516
+93.188.160.0/21 ; SBL66854
+94.154.0.0/18 ; SBL67526
+94.154.128.0/18 ; SBL67819
+94.232.248.0/21 ; SBL73242
+94.247.0.0/21 ; SBL71687
+95.129.144.0/23 ; SBL75264
+95.129.146.0/24 ; SBL75437
+95.215.76.0/22 ; SBL73272
diff --git a/PreludeCorrelator/plugins/spamhausdrop.py \
b/PreludeCorrelator/plugins/spamhausdrop.py
new file mode 100644
index 0000000..85f9bb5
--- /dev/null
+++ b/PreludeCorrelator/plugins/spamhausdrop.py
@@ -0,0 +1,117 @@
+# Copyright (C) 2009 PreludeIDS Technologies. All Rights Reserved.
+# Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com>
+# Author: Wes Young <wes@barely3am.com>
+#
+# This file is part of the Prelude-Correlator program.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; see the file COPYING. If not, write to
+# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
+
+import os, httplib, time
+from PreludeCorrelator import require
+from PreludeCorrelator.idmef import IDMEF
+from PreludeCorrelator.pluginmanager import Plugin
+from PreludeCorrelator.context import Context, Timer
+
+import netaddr
+
+if tuple(int(x) for x in netaddr.__version__.split(".")) >= (0, 7):
+ from netaddr import IPAddress, IPNetwork, IPSet
+else:
+ from netaddr import IP as IPAddress
+ from netaddr import CIDR as IPNetwork
+
+ class IPSet(list):
+ def __contains__(self, y):
+ for i in iter(self):
+ if y in i:
+ return True
+
+ return False
+
+ def add(self, obj):
+ self.append(obj)
+
+
+class SpamhausDropPlugin(Plugin):
+ RELOAD = 7 * 24 * 60 * 60
+ SERVER = "www.spamhaus.org"
+ URI = "/drop/drop.lasso"
+ TIMEOUT = 10
+ FILENAME = require.get_data_filename(__name__, "spamhaus_drop.dat")
+
+ def __loadData(self, age=0):
+ for line in open(self.__filename, "r"):
+ if line[0] == ';':
+ continue
+
+ ip, sbl = line.split(';')
+ ip = IPNetwork(ip.strip())
+ self.__mynets.add(ip)
+
+ if self.__reload > 0:
+ Timer(self.__reload - age, self.__retrieveData).start()
+
+ def __downloadData(self):
+ self.info("Downloading host list, this might take some time...")
+
+ try:
+ con = httplib.HTTPConnection(self.__server, timeout=self.__timeout)
+ except TypeError:
+ con = httplib.HTTPConnection(self.__server)
+
+ con.request("GET", self.__uri)
+ r = con.getresponse()
+ if r.status != 200:
+ raise Exception, "Could not download spamhaus DROP list, error %d" % \
r.status
+
+ fd = open(self.__filename, "w")
+ fd.write(r.read())
+ fd.close()
+
+ self.info("Downloading done, processing data.")
+
+ def __retrieveData(self, timer=None):
+ try:
+ st = os.stat(self.__filename)
+ if self.__reload <= 0 or time.time() - st.st_mtime < self.__reload:
+ return self.__loadData(time.time() - st.st_mtime)
+ except OSError:
+ pass
+
+ self.__downloadData()
+ self.__loadData()
+
+
+ def __init__(self, env):
+ Plugin.__init__(self, env)
+
+ self.__mynets = IPSet()
+ self.__reload = self.getConfigValue("reload", self.RELOAD, type=int)
+ self.__filename = self.getConfigValue("filename", self.FILENAME)
+ self.__server = self.getConfigValue("server", self.SERVER)
+ self.__uri = self.getConfigValue("uri", self.URI)
+ self.__timeout = self.getConfigValue("timeout", self.TIMEOUT, type=float)
+ self.__retrieveData()
+
+ def run(self, idmef):
+ for source in idmef.Get("alert.source(*).node.address(*).address"):
+ if IPAddress(source) in self.__mynets:
+ ca = IDMEF()
+ ca.addAlertReference(idmef)
+ ca.Set("alert.classification.text", "IP source matching Spamhaus \
DROP dataset")
+ ca.Set("alert.correlation_alert.name", "IP source \
matching Spamhaus DROP dataset")
+ \
ca.Set("alert.assessment.impact.description", "Spamhaus gathered this IP address in \
their DROP list - %s" % (source))
+ \
ca.Set("alert.assessment.impact.severity", "medium")
+ ca.alert()
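Review bot: `__loadData` only ever adds to `self.__mynets` (created once in `__init__`) and never clears it, so on every `reload`-driven refresh the networks Spamhaus has since removed stay in the set — and with the pre-0.7 list-backed `IPSet` entries simply accumulate — which means the plugin keeps raising correlation alerts for de-listed ranges until the correlator restarts. The same loop does `ip, sbl = line.split(';')` on every non-comment line, so a blank line or any unexpected body raises `ValueError` out of `__init__`; that matters because the fetch is plain HTTP with no integrity check and `__downloadData` writes whatever a status-200 response carries straight to `self.__filename` before anything is parsed, leaving a bad file cached for `reload` seconds. In `run`, `IPAddress(source)` is applied to every `alert.source(*).node.address(*).address`, but IDMEF address nodes can carry non-IP categories (e-mail, MAC, hostname), and those would raise out of `run` instead of being skipped — how the plugin manager treats such exceptions is not visible here. The rewrite below rebuilds the set per load, tolerates malformed lines and skips unparsable sources (it relies on `netaddr.AddrFormatError`, which the 0.7+ branch exports; confirm for the 0.6 fallback), and validating the downloaded body before overwriting `self.__filename` would close the cached-garbage case as well.
```python
    def __loadData(self, age=0):
        # Rebuild from scratch so networks removed upstream do not linger
        # across reloads, and malformed lines do not abort the whole load.
        nets = IPSet()
        fd = open(self.__filename, "r")
        try:
            for line in fd:
                line = line.strip()
                if not line or line[0] == ';':
                    continue
                try:
                    ip, sbl = line.split(';', 1)
                    nets.add(IPNetwork(ip.strip()))
                except (ValueError, netaddr.AddrFormatError):
                    self.info("Ignoring malformed Spamhaus DROP entry: %r" % line)
        finally:
            fd.close()
        self.__mynets = nets

        # … unchanged: reload Timer …

    # … unchanged: __downloadData, __retrieveData, __init__ …

    def run(self, idmef):
        for source in idmef.Get("alert.source(*).node.address(*).address"):
            try:
                addr = IPAddress(source)
            except (ValueError, netaddr.AddrFormatError):
                # non-IP address categories (e-mail, MAC, hostname) are out of scope
                continue
            if addr in self.__mynets:
                # … unchanged: correlation alert construction …
```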
diff --git a/prelude_correlator.egg-info/SOURCES.txt \
b/prelude_correlator.egg-info/SOURCES.txt
index 026cbae..91cf472 100644
--- a/prelude_correlator.egg-info/SOURCES.txt
+++ b/prelude_correlator.egg-info/SOURCES.txt
@@ -24,10 +24,11 @@ PreludeCorrelator/plugins/dshield.py
PreludeCorrelator/plugins/firewall.py
PreludeCorrelator/plugins/opensshauth.py
PreludeCorrelator/plugins/scan.py
+PreludeCorrelator/plugins/spamhausdrop.py
PreludeCorrelator/plugins/worm.py
prelude_correlator.egg-info/PKG-INFO
prelude_correlator.egg-info/SOURCES.txt
prelude_correlator.egg-info/dependency_links.txt
prelude_correlator.egg-info/entry_points.txt
prelude_correlator.egg-info/not-zip-safe
-prelude_correlator.egg-info/top_level.txt
\ No newline at end of file
+prelude_correlator.egg-info/top_level.txt
diff --git a/prelude_correlator.egg-info/entry_points.txt \
b/prelude_correlator.egg-info/entry_points.txt
index c1f83c7..c30c039 100644
--- a/prelude_correlator.egg-info/entry_points.txt
+++ b/prelude_correlator.egg-info/entry_points.txt
@@ -6,6 +6,7 @@ WormPlugin = PreludeCorrelator.plugins.worm:WormPlugin
FirewallPlugin = PreludeCorrelator.plugins.firewall:FirewallPlugin
BruteForcePlugin = PreludeCorrelator.plugins.bruteforce:BruteForcePlugin
EventStormPlugin = PreludeCorrelator.plugins.scan:EventStormPlugin
+SpamhausDropPlugin = PreludeCorrelator.plugins.spamhausdrop:SpamhausDropPlugin
DshieldPlugin = PreludeCorrelator.plugins.dshield:DshieldPlugin
EventScanPlugin = PreludeCorrelator.plugins.scan:EventScanPlugin
diff --git a/setup.py b/setup.py
index 614e920..5c6e226 100644
--- a/setup.py
+++ b/setup.py
@@ -12,26 +12,30 @@ PRELUDE_CORRELATOR_VERSION = "0.9.0-beta6"
class my_sdist(sdist):
- def __init__(self, *args, **kwargs):
+ def _downloadDatabase(self, dname, server, url, filename):
import httplib
- fin = os.popen('git log --summary --stat --no-merges --date=short', \
'r')
- fout = open('ChangeLog', 'w')
- fout.write(fin.read())
- fout.close()
-
- print "Downloading DShield database, this might take a while..."
+ print "Downloading %s database, this might take a while..." % \
(dname)
- con = httplib.HTTPConnection("www.dshield.org")
- con.request("GET", "/ipsascii.html?limit=10000")
+ con = httplib.HTTPConnection(server)
+ con.request("GET", url)
r = con.getresponse()
if r.status != 200:
- raise Exception, "Could not download DShield host list, \
error %d" % r.status
+ raise Exception, "Could not download %s \
host list, error %d" % (dname, r.status)
- fd = open("PreludeCorrelator/plugins/dshield.dat", "w")
+ fd = open(filename, "w")
fd.write(r.read())
fd.close()
+ def __init__(self, *args, **kwargs):
+ fin = os.popen('git log --summary --stat --no-merges --date=short', \
'r')
+ fout = open('ChangeLog', 'w')
+ fout.write(fin.read())
+ fout.close()
+
+ self._downloadDatabase("DShield", "www.dshield.org", \
"/ipsascii.html?limit=10000", "PreludeCorrelator/plugins/dshield.dat")
+ \
self._downloadDatabase("Spamhaus", "www.spamhaus.org", "/drop/drop.lasso", \
"PreludeCorrelator/plugins/spamhaus_drop.dat")
+
sdist.__init__(self, *args)
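Review bot: `_downloadDatabase` opens `httplib.HTTPConnection(server)` with no timeout, so a stalled connection hangs `python setup.py sdist` indefinitely; the plugin added in this same commit passes `timeout=` and falls back on `TypeError` for older httplib, and the helper should do the same, e.g. `try: con = httplib.HTTPConnection(server, timeout=30)` / `except TypeError: con = httplib.HTTPConnection(server)`. The body of any status-200 response is written to `filename` unchecked, so an HTML error or interstitial page would be packaged into the release as the DShield or DROP data file; a cheap guard is to refuse a body that does not look like the expected list before the `open(filename, "w")`. Both fetches are plain HTTP with no checksum, so the contents of a shipped sdist depend on whatever the network returned at build time — worth stating in a comment on `_downloadDatabase`, e.g. `# Fetched over plain HTTP at packaging time; the result is not verified, so builds are not reproducible.` The pre-existing context line `sdist.__init__(self, *args)` also still drops the `**kwargs` the signature accepts, which this reorganisation would be a natural moment to fix.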
@@ -85,7 +89,7 @@ if is_egg:
else:
package_data = {}
data_files = [ ("etc/prelude-correlator", ["prelude-correlator.conf"]),
- ("var/lib/prelude-correlator", \
["PreludeCorrelator/plugins/dshield.dat"]) ] + \
("var/lib/prelude-correlator", ["PreludeCorrelator/plugins/dshield.dat", \
"PreludeCorrelator/plugins/spamhaus_drop.dat"]) ]
setup(
name="prelude-correlator",
@@ -137,7 +141,8 @@ suits your needs.
'EventScanPlugin = \
PreludeCorrelator.plugins.scan:EventScanPlugin',
'EventStormPlugin = \
PreludeCorrelator.plugins.scan:EventStormPlugin',
'EventSweepPlugin = \
PreludeCorrelator.plugins.scan:EventSweepPlugin',
- 'WormPlugin = PreludeCorrelator.plugins.worm:WormPlugin'
+ 'WormPlugin = PreludeCorrelator.plugins.worm:WormPlugin',
+ 'SpamhausDropPlugin = \
PreludeCorrelator.plugins.spamhausdrop:SpamhausDropPlugin' ]
},