opexxx

gen_blocklist.py

Jun 4th, 2014
  1. #!/usr/bin/python
  2. # Copyright 2013 Conix Security
  3. # adrien.chevalier@conix.fr
  4. # alexandre.deloup@conix.fr
  5. #
  6. # This program is free software: you can redistribute it and/or modify
  7. # it under the terms of the GNU General Public License as published by
  8. # the Free Software Foundation, either version 3 of the License, or
  9. # (at your option) any later version.
  10. #
  11. # This program is distributed in the hope that it will be useful,
  12. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14. # GNU General Public License for more details.
  15. #
  16. # You should have received a copy of the GNU General Public License
  17. # along with this program.  If not, see <http://www.gnu.org/licenses/>.
import os
import os.path
import posixpath
import re
import socket
import sys
  22.  
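#############################################
#       Constants

# Rule option tail shared by every generated rule; the SID is filled in per rule.
RULE_TAIL = 'classtype:trojan-activity; sid:%d; rev:1; metadata:impact_flag red;)\n'

# DNS header bytes 2..11 of a standard recursive query carrying one question
# (flags 0x0100, QDCOUNT 1, AN/NS/AR counts 0); matched at offset 2 of the payload.
DNS_QUERY_HEADER = '|01 00 00 01 00 00 00 00 00 00|'

# First SID used when no SID log file exists yet.
DEFAULT_SID = 1510000

# Hostname labels: 1-63 characters of letters, digits, '-' and '_' (underscore is
# tolerated because real DNS names use it), joined by dots.  Anything else is
# rejected so a blocklist entry can never carry Snort rule syntax ('"', ';',
# '|', '\', spaces) into the generated msg:/content: strings -- the blocklist
# is often pulled from an external feed, so it is not trusted input.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,63}(?:\.[A-Za-z0-9_-]{1,63})*\Z")


#############################################
#       Load configuration
def load_config():
    """Import conf.py and return its settings as a dict, defaults applied.

    Prints instructions and exits with status 1 when conf.py is missing.
    Recognised keys: OUT_FILE, IN_FILE, SID_LOG_FILE, SSH_DEPLOY, SSH_SERVERS.
    """
    try:
        import conf
    except ImportError:
        sys.stderr.write("[!] Error importing conf.py.\n")
        sys.stderr.write("[ ] You can create your configuration file from the default one:\n")
        sys.stderr.write("[ ] $ cp conf.py.sample conf.py && vim conf.py\n")
        sys.exit(1)
    return {
        "OUT_FILE": getattr(conf, "OUT_FILE", "blacklisted-domains.rules"),
        "IN_FILE": getattr(conf, "IN_FILE", "blacklist.txt"),
        "SID_LOG_FILE": getattr(conf, "SID_LOG_FILE", ".sid_log_file"),
        "SSH_DEPLOY": getattr(conf, "SSH_DEPLOY", False),
        # Tuples of (host, port, user, password, remote_dir).  password may be
        # None to authenticate with an ssh-agent / default key pair instead of
        # keeping a cleartext password in conf.py.
        "SSH_SERVERS": getattr(conf, "SSH_SERVERS", ()),
    }


#############################################
#       Blocklist parsing
def clean_entry(line):
    """Return the hostname held in one blocklist line, or '' if there is none.

    Everything after '#' is a comment.  Surrounding whitespace and a trailing
    root dot ('bad.example.') are dropped so the label splitter never sees an
    empty label.
    """
    pos = line.find("#")
    if pos != -1:
        line = line[:pos]
    return line.strip().rstrip(".")


def is_valid_hostname(fqdn):
    """True if *fqdn* is a plausible DNS name that is safe to embed in a rule."""
    return 0 < len(fqdn) <= 253 and HOSTNAME_RE.match(fqdn) is not None


#############################################
#       Rule construction
def dns_qname_content(fqdn):
    """Encode *fqdn* as the wire-format QNAME for a Snort content: match.

    Each label becomes a two-digit hex length byte followed by the label,
    e.g. 'www.example.com' -> '|03|www|07|example|03|com|00|'.  The length
    must be exactly two hex digits: Snort reads the bytes between '|' as hex,
    so a decimal '|10|' would match a 16-character label and a single digit
    '|3|' is not a valid byte at all.  The closing '|00|' is the root label,
    so 'bad.example' does not also fire on 'bad.example.other.net'.
    """
    labels = fqdn.split(".")
    return "".join("|%02x|%s" % (len(label), label) for label in labels) + "|00|"


def resolve(fqdn):
    """Return every IPv4 address *fqdn* currently resolves to ([] on failure).

    Resolution happens on the machine running this script, at generation
    time.  Addresses of fast-flux or CDN-hosted domains go stale quickly and
    may be shared with legitimate sites, so the IP rules are a best-effort
    complement to the DNS rule rather than a substitute for it.
    """
    try:
        return socket.gethostbyname_ex(fqdn)[2]
    except socket.error:
        return []


def rules_for_domain(fqdn, ip_addrs, sid):
    """Build the Snort rules for one blocklisted domain.

    Emits, per address in *ip_addrs*, one UDP and one TCP rule for traffic
    from $HOME_NET to that address, then one rule for a DNS query (UDP/53
    only) naming *fqdn*.  SIDs are assigned consecutively starting at *sid*.
    *fqdn* must already have passed is_valid_hostname().

    Returns (rules_text, next_free_sid).
    """
    parts = []
    for ip_addr in ip_addrs:
        for proto in ("udp", "tcp"):
            parts.append(
                'alert %s $HOME_NET any -> %s any (msg:"SPAM Campaign %s Communication FOR %s (%s)"; '
                % (proto, ip_addr, proto.upper(), ip_addr, fqdn)
                + RULE_TAIL % sid)
            sid += 1
    parts.append(
        'alert udp $HOME_NET any -> any 53 (msg:"SPAM Campaign DNS REQUEST FOR %s UDP"; '
        'content:"%s"; depth:20; offset: 2; content:"%s"; fast_pattern:only; nocase; '
        % (fqdn, DNS_QUERY_HEADER, dns_qname_content(fqdn))
        + RULE_TAIL % sid)
    sid += 1
    return "".join(parts), sid


def rules_from_lines(lines, first_sid, resolver=resolve):
    """Build rules for every valid entry in the iterable of blocklist *lines*.

    Invalid entries (see is_valid_hostname) are reported on stderr and
    skipped; entries that do not resolve still get their DNS rule.
    *resolver* maps a hostname to a list of addresses (injectable for tests).

    Returns (rules_text, next_free_sid).
    """
    parts = []
    sid = first_sid
    for raw_line in lines:
        fqdn = clean_entry(raw_line)
        if fqdn == "":
            continue
        if not is_valid_hostname(fqdn):
            sys.stderr.write("[-] %s :: not a valid hostname, skipped\n" % fqdn)
            continue
        ip_addrs = resolver(fqdn)
        if ip_addrs:
            for ip_addr in ip_addrs:
                print("[ ] " + fqdn + " :: " + ip_addr)
        else:
            sys.stderr.write("[-] %s :: ip address not resolved\n" % fqdn)
        rules, sid = rules_for_domain(fqdn, ip_addrs, sid)
        parts.append(rules)
    return "".join(parts), sid


def generate_rules(in_file, first_sid):
    """Read the blocklist at *in_file* and build its rules.

    Exits with status 1 when the file cannot be read.
    Returns (rules_text, next_free_sid).
    """
    try:
        with open(in_file, "r") as f_domains:
            lines = f_domains.readlines()
    except (IOError, OSError):
        sys.stderr.write("[!] Cannot read <%s>\n" % in_file)
        sys.exit(1)
    return rules_from_lines(lines, first_sid)


#############################################
#       SID bookkeeping
def read_last_sid(path):
    """Return the last SID recorded in *path*, or DEFAULT_SID if it is unusable."""
    try:
        with open(path, "r") as f_sid_log_file:
            return int(f_sid_log_file.readline())
    except (IOError, OSError, ValueError):
        sys.stderr.write("[-] <%s> not found, starting SID from %d\n" % (path, DEFAULT_SID))
        return DEFAULT_SID


def write_last_sid(path, last_sid):
    """Persist *last_sid* so the next run continues numbering after it."""
    with open(path, "w") as f_sid:
        f_sid.write("%d" % last_sid)


#############################################
#       Output
def append_rules(out_file, rules):
    """Append *rules* to *out_file*; exits with status 1 if it cannot be written."""
    try:
        with open(out_file, "a") as f_rules:
            f_rules.write(rules)
    except (IOError, OSError):
        print("[!] Cannot write <%s>" % out_file)
        sys.exit(1)
    print("[ ] File written")


def deploy_over_ssh(out_file, servers):
    """Upload *out_file* to each (host, port, user, password, remote_dir) in *servers*.

    Failures are reported per server and do not stop the remaining uploads.
    Requires paramiko; the caller checks its availability.
    """
    import paramiko

    for server in servers:
        ssh_server, ssh_port, ssh_user, ssh_password = server[0], server[1], server[2], server[3]
        # The remote side is a POSIX path whatever host this script runs on.
        ssh_remote_path = posixpath.join(server[4], os.path.basename(out_file))
        client = paramiko.SSHClient()
        try:
            client.load_system_host_keys()
            # Reject unknown host keys (paramiko's default).  AutoAddPolicy
            # would trust whatever key the peer presents, so a spoofed sensor
            # or an on-path attacker could collect the SSH password and the
            # rules file without any warning.  Each sensor's key must
            # therefore be present in ~/.ssh/known_hosts before deploying.
            client.set_missing_host_key_policy(paramiko.RejectPolicy())
            client.connect(ssh_server, ssh_port, ssh_user, ssh_password)
            sftp = client.open_sftp()
            try:
                sftp.put(out_file, ssh_remote_path)
            finally:
                sftp.close()
            print("[ ] Rules dispatched on <%s>" % ssh_server)
        except Exception as e:
            print("[!] Rule dispatching error on <%s>: %s" % (ssh_server, e))
        finally:
            # Always tear the connection down, even when connect() or put() failed.
            client.close()


#############################################
#       Entry point
def main():
    """Generate rules from the blocklist, append them to OUT_FILE, optionally deploy."""
    cfg = load_config()

    ssh_deploy = cfg["SSH_DEPLOY"]
    if ssh_deploy:
        try:
            import paramiko  # availability check only
        except ImportError:
            sys.stderr.write("[!] Error importing Paramiko library.\n")
            sys.stderr.write("[ ] Install it with <pip install paramiko>\n")
            sys.stderr.write("[-] Disabling SSH rules deployment\n")
            ssh_deploy = False

    print("[+] Getting SID")
    last_sid = read_last_sid(cfg["SID_LOG_FILE"])

    print("[+] Generating rules")
    rules, next_sid = generate_rules(cfg["IN_FILE"], last_sid + 1)

    print("[+] Writing file")
    append_rules(cfg["OUT_FILE"], rules)

    if ssh_deploy:
        print("[+] SSH deployment")
        deploy_over_ssh(cfg["OUT_FILE"], cfg["SSH_SERVERS"])

    print("[+] Writing Last SID")
    # next_sid is the first unused SID; the log stores the last one handed out.
    write_last_sid(cfg["SID_LOG_FILE"], next_sid - 1)

    print("[+] Finished!")


if __name__ == "__main__":
    main()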