gen_blocklist.py

1. #!/usr/bin/python
2. # Copyright 2013 Conix Security
3. # adrien.chevalier@conix.fr
4. # alexandre.deloup@conix.fr
5. #
6. # This program is free software: you can redistribute it and/or modify
7. # it under the terms of the GNU General Public License as published by
8. # the Free Software Foundation, either version 3 of the License, or
9. # (at your option) any later version.
10. #
11. # This program is distributed in the hope that it will be useful,
12. # but WITHOUT ANY WARRANTY; without even the implied warranty of
13. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14. # GNU General Public License for more details.
15. #
16. # You should have received a copy of the GNU General Public License
17. # along with this program.  If not, see <http://www.gnu.org/licenses/>.
18. import socket
19. import os
20. import sys
21. import os.path
22.  
23. #############################################
24. #       Load configuration
25. try:
26.     import conf
27. except ImportError:
28.     print >> sys.stderr, "[!] Error importing conf.py."
29.     print >> sys.stderr, "[ ] You can create your configuration file from the default one:"
30.     print >> sys.stderr, "[ ] $ cp conf.py.sample conf.py && vim conf.py"
31.     sys.exit(1)
32.  
33. try:
34.     OUT_FILE = conf.OUT_FILE
35. except:
36.     OUT_FILE = "blacklisted-domains.rules"
37. try:
38.     IN_FILE = conf.IN_FILE
39. except:
40.     IN_FILE = "blacklist.txt"
41. try:
42.     SID_LOG_FILE = conf.SID_LOG_FILE
43. except:
44.     SID_LOG_FILE = ".sid_log_file"
45. try:
46.     SSH_DEPLOY = conf.SSH_DEPLOY
47. except:
48.     SSH_DEPLOY = False
49. try:
50.     SSH_SERVERS = conf.SSH_SERVERS
51. except:
52.     SSH_SERVERS = ()
53.  
54. #############################################
55. #       SSH Deployement requirement
56. if SSH_DEPLOY:
57.     try:
58.         import paramiko
59.     except ImportError:
60.         print >> sys.stderr, "[!] Error importing Paramiko library."
61.         print >> sys.stderr, "[ ] Install it with <pip install paramiko>"
62.         print >> sys.stderr, "[-] Disabling SSH rules deployment"
63.         SSH_DEPLOY = False
64.  
65. #############################################
66. #       Latest SID
67. print "[+] Getting SID"
68. # get last SID    
69. try:
70.     with open(SID_LOG_FILE, "r") as f_sid_log_file:
71.         line = f_sid_log_file.readline()
72.         sid = int(line)
73. except:
74.     sid = 1510000
75.     print >> sys.stderr, "[-] <%s> not found, starting SID from 1510000"%SID_LOG_FILE
76.  
77. #############################################
78. #       Generating Rules
79. rules = ""
80. sid += 1
81. print "[+] Generating rules"
82. try:
83.     with open(IN_FILE, "r") as f_domains:
84.         rules = ""
85.         for fqdn in f_domains:
86.             pos = fqdn.find("#")
87.             if pos != -1:
88.                 fqdn = fqdn[:pos]
89.            
90.             fqdn = fqdn.strip()
91.            
92.             if fqdn == "":
93.                 continue
94.             try:
95.                 ip_addr = socket.gethostbyname(fqdn)
96.             except:
97.                 ip_addr = None
98.  
99.             if ip_addr != None:
100.                 print "[ ] "+fqdn+" :: "+ip_addr
101.                 rules += 'alert udp $HOME_NET any -> '+ip_addr+' any (msg:"SPAM Campaign UDP Communication FOR '+ip_addr+' ('+fqdn+')"; classtype:trojan-activity; sid:'+str(sid)+'; rev:1; metadata:impact_flag red;)\n'
102.                 sid += 1
103.                 rules += 'alert tcp $HOME_NET any -> '+ip_addr+' any (msg:"SPAM Campaign TCP Communication FOR '+ip_addr+' ('+fqdn+')"; classtype:trojan-activity; sid:'+str(sid)+'; rev:1; metadata:impact_flag red;)\n'
104.                 sid += 1
105.             else:
106.                 print >> sys.stderr, "[-] %s :: ip address not resolved"%fqdn
107.            
108.             members = fqdn.split(".")
109.             dns_request = ""
110.             for m in members:
111.                 dns_request = dns_request+"|"+str(len(m))+"|"+m
112.             rules += 'alert udp $HOME_NET any -> any 53 (msg:"SPAM Campaign DNS REQUEST FOR '+fqdn+' UDP"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:20; offset: 2; content:"'+dns_request+'"; fast_pattern:only; nocase; classtype:trojan-activity; sid:'+str(sid)+'; rev:1; metadata:impact_flag red;)"\n'
113.             sid += 1
114. except:
115.     print >> sys.stderr, "[!] Cannot read <%s>"%IN_FILE
116.     sys.exit(1)
117.  
118. #############################################
119. #       Writing Rules
120. print "[+] Writing file"
121. try:
122.     with open(OUT_FILE, "a") as f_rules:
123.         f_rules.write(rules)
124.     print "[ ] File written"
125. except:
126.     print "[!] Cannot write <%s>"%OUT_FILE
127.     sys.exit(1)
128.  
129. if SSH_DEPLOY:
130.     print "[+] SSH deployment"
131.     for server in SSH_SERVERS:
132.         ssh_server      = server[0]
133.         ssh_port        = server[1]
134.         ssh_user        = server[2]
135.         ssh_password    = server[3]
136.         ssh_remote_path = os.path.join(server[4], os.path.basename(OUT_FILE))
137.         try:
138.             client = paramiko.SSHClient()
139.             client.load_system_host_keys()
140.             client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
141.             client.connect(ssh_server, ssh_port, ssh_user, ssh_password)
142.             sftp = paramiko.SFTPClient.from_transport(client.get_transport())
143.             sftp.put(OUT_FILE, ssh_remote_path)
144.             sftp.close()
145.             client.close()
146.             print "[ ] Rules dispatched on <%s>"%ssh_server
147.         except Exception,e:
148.             print "[!] Rule dispatching error on <%s>: %s" %(ssh_server, e)
149.  
150. #############################################
151. #       Logging max sid
152. print "[+] Writing Last SID"
153. with open(SID_LOG_FILE, "w") as f_sid:
154.     f_sid.write("%d"%(sid-1))
155.  
156. print "[+] Finished!"