
ioc2rpz is a place where threat intelligence meets DNS

Homas committed Dec 28, 2019
1 parent 257fe61 commit 5700de004b0c20df233ce125c5531fbe0a80ba48
Showing with 18 additions and 12 deletions.
  1. +3 −0 ChangeLog.md
  2. +2 −2 TODO.md
  3. +1 −1 include/ioc2rpz.hrl
  4. +1 −8 src/ioc2rpz_conn.erl
  5. +10 −0 src/ioc2rpz_fun.erl
  6. +1 −1 src/ioc2rpz_rest.erl
@@ -1,5 +1,8 @@
# ioc2rpz change log
[CB] - Changed Behaviour
## 2019-12-11 v1.1.1.3
- [CB] IoC lookup REST API call. The submitted indicator converted to lowcase before the lookups.

## 2019-12-11 v1.1.1.2
- [CB] IoC lookup REST API call output was modified

@@ -1,8 +1,8 @@
## Bugs
- [ ] wildcard rule is generated
- [x] wildcard rule is generated

## Core / DNS
- [-] check IoC in the RPZs feeds "What's in your DNS?"
- [x] check IoC in the RPZs feeds "What's in your DNS?"
- [ ] simple permissions model
- [ ] REST API rate limiting
- [ ] DNS requests rate limiting
@@ -48,7 +48,7 @@
%%%%%%
%%%%%% Do not modify any settings below the line
%%%%%%
-define(ioc2rpz_ver, "1.1.1.2-2019122001").
-define(ioc2rpz_ver, "1.1.1.3-2019127001").

-define(ZNameZip,16#c00c:16). %Zone name/original fqdn from a request is always at byte 10 in the response
-define(ZNameZipN,16#c00c). % Offset in bytes - Zone name/original fqdn from a request is always at byte 10 in the response
@@ -22,14 +22,7 @@ get_ioc(URL,REGEX,Source) ->
case get_ioc(URL,?Src_Retry) of
{ok, Bin} ->
ioc2rpz_fun:logMessage("Source: ~p, size: ~s (~p), MD5: ~p ~n",[Source#source.name, ioc2rpz_fun:conv_to_Mb(byte_size(Bin)),byte_size(Bin), ioc2rpz_fun:bin_to_hexstr(crypto:hash(md5,Bin))]), %TODO debug
%Uncomment next 2 lines in case of limited memory. REGEX must be prepared for lowcase sources
%BinLow=ioc2rpz_fun:bin_to_lowcase(Bin),
%L=clean_feed(ioc2rpz_fun:split_tail(BinLow,<<"\n">>),REGEX),

%methods used below consume more memory. It is not possible to run ioc2rpz with 1M indicator on AWS free tier
%L=clean_feed_bin(ioc2rpz_fun:split_tail(Bin,<<"\n">>),REGEX),
%Comment next 1 line in case of limited memory. REGEX must be prepared for lowcase sources


%TODO spawn cleanup
CTime=ioc2rpz_fun:curr_serial_60(),
%L=[ {ioc2rpz_fun:bin_to_lowcase(X),Y} || {X,Y} <- clean_feed(ioc2rpz_fun:split_tail(Bin,<<"\n">>),REGEX) ],
@@ -297,3 +297,13 @@ base64url_decode_test() -> [
?assert(base64url_decode(<<"AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE">>) =:= {ok,<<0,0,1,0,0,1,0,0,0,0,0,0,7,101,120,97,109,112,108,101,3,99,111,109,0,0,1,0,1>>}),
?assert(base64url_decode(<<"AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE==">>) =:= {error,<<>>})
].

bin_to_lowcase_test() ->[
?assert(bin_to_lowcase(<<"fC00::01">>) =:= <<"fc00::01">>),
?assert(bin_to_lowcase(<<"Aaaaaa">>) =:= <<"aaaaaa">>),
?assert(bin_to_lowcase(<<"bBbBbB">>) =:= <<"bbbbbb">>),
?assert(bin_to_lowcase(<<"ccC">>) =:= <<"ccc">>),
?assert(bin_to_lowcase(<<"D">>) =:= <<"d">>),
?assert(bin_to_lowcase(<<"f">>) =:= <<"f">>),
?assert(bin_to_lowcase(<<"eeeeeeeeeeeeeeeeeeeeeee">>) =:= <<"eeeeeeeeeeeeeeeeeeeeeee">>)
].
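Review bot: The new `bin_to_lowcase_test` only exercises ASCII letters and one IPv6 string, so it would not catch an implementation that also shifts the bytes adjacent to the `A`–`Z` range (`@` at 16#40, `[` at 16#5B), alters non-ASCII bytes, or mishandles the empty binary — and since this helper now normalises the REST lookup key (see the `ioc2rpz_rest.erl` section of this commit), those bytes are attacker-controlled. Add boundary cases such as `?assertEqual(<<"@az[">>, bin_to_lowcase(<<"@AZ[">>))`, `?assertEqual(<<16#C3,16#84>>, bin_to_lowcase(<<16#C3,16#84>>))` and `?assertEqual(<<>>, bin_to_lowcase(<<>>))`. `?assertEqual(Expected, Actual)` also prints both values on failure, whereas `?assert(A =:= B)` reports only `false`; the neighbouring `base64url_decode_test` uses the same `?assert` form, so changing it is a file-wide style decision. The implementation of `bin_to_lowcase/1` is not in this hunk, so whether it already handles these inputs cannot be confirmed here.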
@@ -220,7 +220,7 @@ srv_mgmt(Req, State, Format) when State#state.op == get_rpz -> % Get RPZ
srv_mgmt(Req, State, Format) when State#state.op == get_ioc -> % check IoC
#{peer := {IP, Port}} = Req,
ioc2rpz_fun:logMessageCEF(ioc2rpz_fun:msg_CEF(230),[ioc2rpz:ip_to_str(IP), Port, cowboy_req:path(Req), ""]),
IOC = cowboy_req:binding(ioc, Req),
IOC = ioc2rpz_fun:bin_to_lowcase(cowboy_req:binding(ioc, Req)),
TKEY = try
maps:get(tkey,cowboy_req:match_qs([tkey],Req)) %%%%% parse_qs
catch _:_ ->
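Review bot: The new `IOC = ioc2rpz_fun:bin_to_lowcase(cowboy_req:binding(ioc, Req))` is applied to a path segment before the `tkey` parameter is read and before anything visible checks the indicator's shape; `cowboy_req:binding/2` returns `undefined` when the segment is not bound, which would presumably now fail inside `bin_to_lowcase/1` rather than at the lookup. If the route does not guarantee the `:ioc` segment, use `cowboy_req:binding(ioc, Req, <<>>)` or match on a binary, and consider bounding the indicator before it reaches the lookup, e.g. `true = byte_size(IOC) =< 253` (the maximum length of a DNS name), so an oversized path cannot drive the RPZ search. Lower-casing is the right normalisation for host names; whether IP literals or a trailing dot need further canonicalisation depends on the lookup code, which is not in this hunk. `srv_mgmt/3` continues past the hunk, so validation that may already exist after the `tkey` handling cannot be seen here.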
