Skip to content
Permalink
Browse files

ioc2rpz is a place where threat intelligence meets DNS

  • Loading branch information...
Homas committed Sep 23, 2019
1 parent 5021391 commit 41c2f3321d99a531a1318e913f5a4ea7adf9c6e2
Showing with 41 additions and 5 deletions.
  1. +3 −0 ChangeLog.md
  2. +1 −0 TODO.md
  3. +1 −1 include/ioc2rpz.hrl
  4. +36 −4 src/ioc2rpz.erl
@@ -1,5 +1,8 @@
# ioc2rpz change log
[CB] - Changed Behaviour
## 2019-09-20 v1.0.0.4
-Filtering out indicators with illegal chars (ioc2rpz:clean_labels). Performance should be validated.

## 2019-09-20 v1.0.0.3
- Bug. Incremental update. Indicators w/o expiration date were not added to a zone.

@@ -2,6 +2,7 @@

## Core / DNS
- [ ] Enforce domain validation. Discard indicators with wrong chars
- [ ] (ioc2rpz:clean_labels). Performance should be validated.
- [ ] DoH https://tools.ietf.org/html/rfc8484
```
When using the GET method, the data payload for this media type MUST
@@ -47,7 +47,7 @@
%%%%%%
%%%%%% Do not modify any settings below the line
%%%%%%
-define(ioc2rpz_ver, "1.0.0.3-2019092101").
-define(ioc2rpz_ver, "1.0.0.3-2019092201").

-define(ZNameZip,16#c00c:16). %Zone name/original fqdn from a request is always at byte 10 in the response
-define(ZNameZipN,16#c00c). % Offset in bytes - Zone name/original fqdn from a request is always at byte 10 in the response
@@ -970,6 +970,7 @@ gen_rpzrule(Domain,RPZ,TTL,<<"true">>,Action, LocData,PktHLen,T_ZIP_L) -> %wildc
gen_rpzrule(Domain,RPZ,TTL,<<"false">>,<<"nxdomain">>,[],PktHLen,T_ZIP_L) -> %wildcard = false
case domstr_to_bin_zip(Domain,PktHLen,T_ZIP_L) of
{error, _} ->
?logDebugMSG("Zone ~p bad IOC ~p ~n",[RPZ#rpz.zone_str,Domain]),
{ok,0,[],[]};
{_,BDomain} -> %ok, zip
{ok,1,[list_to_binary([BDomain,<<?T_CNAME:16,?C_IN:16, TTL:32,1:16,0>>])],[<<?T_CNAME:16,?C_IN:16, TTL:32,1:16,0>>]}
@@ -1118,12 +1119,17 @@ domstr_to_bin([],_,Bin) ->


domstr_to_bin_zip(Str,Pos,T_ZIP_L) when byte_size(Str) > 2->
domstr_to_bin_zip(Str,1,Pos,T_ZIP_L);
domstr_to_bin_zip(clean_labels(Str),1,Pos,T_ZIP_L);

domstr_to_bin_zip(Str,_Pos,_T_ZIP_L) ->
domstr_to_bin(Str,0).

domstr_to_bin_zip(Str,Zero,Pos,T_ZIP_L) ->
Labels = ioc2rpz_fun:split_tail(Str, <<".">>),

domstr_to_bin_zip({error,Labels},_Zero,_Pos,_T_ZIP_L) ->
%?logDebugMSG("Bad IOC ~p ~n",[Labels]),
{error,[]};

domstr_to_bin_zip({ok,Labels},Zero,Pos,T_ZIP_L) ->
case ets:lookup(T_ZIP_L, Labels) of
[{_,Offset}] -> BOffset = (16#c000 bor Offset), {zip, <<BOffset:16>>};
[] when Pos =< 16#3FFF -> ets:insert(T_ZIP_L, {Labels, Pos}), %insert_new
@@ -1150,7 +1156,33 @@ domstr_to_bin_zip([],0,Bin,_Pos,_T_ZIP_L) ->
domstr_to_bin_zip([],_Zero,Bin,_Pos,_T_ZIP_L) ->
{ok,list_to_binary([Bin])}.


clean_labels(Str) ->
Labels = ioc2rpz_fun:split_tail(Str, <<".">>),
%?logDebugMSG("Labels ~p ~n",[Labels]),
case clean_labels([], Labels) of
{ok, LabelsFix} -> {ok, LabelsFix};
{error, _} -> {error, Str}
end.

clean_labels(GoodL, [Head|Tail]) when Head == <<>>, Tail =/= [] ->
%?logDebugMSG("GoodL ~p ~p ~n",[GoodL, Tail]),
%{error, []};
clean_labels(GoodL, Tail);

clean_labels(GoodL, [Head|Tail]) ->
%48 - "0", 57 - "9", 45 - "-", 95 - "_", 65 - "A", 90 - "Z", 97 - "a", 122 - "z"
case ([X || <<X>> <= Head, not((X >= 48) and (X =< 57)) and not((X >= 65) and (X =< 90)) and not((X >= 97) and (X =< 122)) and (X /= 45) and (X /= 95)]) of
[] -> clean_labels(GoodL ++ [Head], Tail);
_ -> % ?logDebugMSG("Bad label - ~p ~n",[Head]),
{error,[]}
end;


clean_labels(GoodL, []) when GoodL ==[] ->
{error, []};

clean_labels(GoodL, []) when GoodL /=[] ->
{ok, GoodL}.

dombin_to_str(Dom) ->
dombin_to_str(<<"">>,Dom).

0 comments on commit 41c2f33

Please sign in to comment.
You can’t perform that action at this time.