Add Spamhaus DBL analyzer (#585)

* intial Spamhaus DBL analyzer * add fqdn
TheHive-Project · Jan 20, 2020 · 3cf76c2 · 3cf76c2
1 parent b22f1e4
commit 3cf76c2
Show file tree

Hide file tree

Showing 5 changed files with 134 additions and 0 deletions.
diff --git a/analyzers/SpamhausDBL/SpamhausDBL.json b/analyzers/SpamhausDBL/SpamhausDBL.json
@@ -0,0 +1,15 @@
+{
+    "name": "SpamhausDBL",
+    "version": "1.0",
+    "author": "Wes Lambert",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Perform domain lookup to Spamhaus DBL",
+    "dataTypeList": ["domain", "fqdn"],
+    "baseConfig": "SpamhausDBL",
+    "config": {
+       "service": "DBLLookup"
+    },
+    "command": "SpamhausDBL/spamhausdbl.py",
+    "configurationItems": []
+}
diff --git a/analyzers/SpamhausDBL/requirements.txt b/analyzers/SpamhausDBL/requirements.txt
@@ -0,0 +1 @@
+dnyspython
diff --git a/analyzers/SpamhausDBL/spamhausdbl.py b/analyzers/SpamhausDBL/spamhausdbl.py
@@ -0,0 +1,99 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+import dns.resolver
+
+class SpamhausDBLAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.observable = self.get_param('data', None, 'Data missing!')
+
+    def summary(self, raw):
+        taxonomies = []
+        level = 'info'
+        namespace = 'SpamhausDBL'
+
+        # Set predicate for return_code
+        predicate = 'return_code'
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['return_code']))
+
+        # Set predicate for classification
+        predicate = 'classification'
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['classification']))
+
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+        try:
+            lookup = dns.resolver.query(self.observable + '.dbl.spamhaus.org')
+            return_code = str(lookup[0])
+            # Check return code for result info
+            # Reference here: https://www.spamhaus.org/faq/section/Spamhaus%20DBL#291
+
+            # spam domain
+            if return_code == "127.0.1.2" :
+                classification = "Spam"
+
+            # phish domain
+            if return_code == "127.0.1.4" :
+                classification = "Phishing"
+
+            # malware domain
+            if return_code == "127.0.1.5" :
+                classification = "Malware"
+
+            # botnet C&C domain
+            if return_code == "127.0.1.6" :
+                classification = "Botnet C&C"
+
+            # abused legit spam
+            if return_code == "127.0.1.102" :
+                classification = "Abused legit spam"
+
+            # abused spammed redirector domain
+            if return_code == "127.0.1.103" :
+                classification = "Abused spammed redirector"
+
+            # abused legit phish
+            if return_code == "127.0.1.104" :
+                classification = "Abused legit phish"
+
+            # abused legit malware
+            if return_code == "127.0.1.105" :
+                classification = "Abused legit malware"
+
+            # abused legit botnet C&C
+            if return_code == "127.0.1.106" :
+                classification = "Abused legit Botnet C&C"
+
+            # IP queries prohibited
+            if return_code == "127.0.1.255" :
+                classification = "IP queries prohibited"
+
+            # Typing error in DNSBL name
+            if return_code == "127.255.255.252" :
+                classification = "Typing error in DNSBL name"
+
+            # Anon query through public resolver
+            if return_code == "127.255.255.254" :
+                classification = "Anon query through public resolver"
+
+            # Excessive number of queries
+            if return_code == "127.255.255.255" :
+                classification = "Excessive number of queries"
+
+            self.report({ 'return_code': return_code, 'classification': classification })
+
+        except dns.resolver.NXDOMAIN:
+            self.report({ 'return_code': 'NXDOMAIN', 'classification': 'Clean' })
+        except dns.resolver.NoAnswer:
+            self.report({ 'return_code': 'NoAnswer', 'classification': 'NoAnswer' })
+        except dns.resolver.Timeout:
+            self.report({ 'return_code': 'Timeout', 'classification': 'Timeout' })
+        except:
+            self.error('Something unexpected happened!')
+
+if __name__ == '__main__':
+    SpamhausDBLAnalyzer().run()
+
diff --git a/thehive-templates/SpamhausDBL_1_0/long.html b/thehive-templates/SpamhausDBL_1_0/long.html
@@ -0,0 +1,16 @@
+<div class="panel panel-info">
+    <div class="panel-heading">
+        Spamhaus DBL Lookup Results
+    </div>
+    <div class="panel-body">
+        <table class="table table-hover">
+            <tr>
+                <th>Return Code</th>
+                <th>Classification</th>
+            </tr>
+                <td>{{content.return_code | ellipsis:40}}</td>
+                <td>{{content.classification}}</a></td>
+            </tr>
+        </table>
+    </div>
+</div>
diff --git a/thehive-templates/SpamhausDBL_1_0/short.html b/thehive-templates/SpamhausDBL_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>