ioc2rpz is a place where threat intelligence meets DNS

ChangeLog.md

@@ -1,5 +1,8 @@
 # ioc2rpz change log
 [CB] - Changed Behaviour
+## 2019-12-11 v1.1.1.3
+- [CB] IoC lookup REST API call. The submitted indicator converted to lowcase before the lookups.
+
 ## 2019-12-11 v1.1.1.2
 - [CB] IoC lookup REST API call output was modified
 

TODO.md

@@ -1,8 +1,8 @@
 ## Bugs
-- [ ] wildcard rule is generated
+- [x] wildcard rule is generated
 
 ## Core / DNS
-- [-] check IoC in the RPZs feeds "What's in your DNS?"
+- [x] check IoC in the RPZs feeds "What's in your DNS?"
 - [ ] simple permissions model
 - [ ] REST API rate limiting
 - [ ] DNS requests rate limiting

include/ioc2rpz.hrl

@@ -48,7 +48,7 @@
 %%%%%%
 %%%%%% Do not modify any settings below the line
 %%%%%%
--define(ioc2rpz_ver, "1.1.1.2-2019122001").
+-define(ioc2rpz_ver, "1.1.1.3-2019127001").
 
 -define(ZNameZip,16#c00c:16). %Zone name/original fqdn from a request is always at byte 10 in the response
 -define(ZNameZipN,16#c00c). % Offset in bytes - Zone name/original fqdn from a request is always at byte 10 in the response

src/ioc2rpz_conn.erl

@@ -22,14 +22,7 @@ get_ioc(URL,REGEX,Source) ->
   case get_ioc(URL,?Src_Retry) of
     {ok, Bin} ->
       ioc2rpz_fun:logMessage("Source: ~p, size: ~s (~p), MD5: ~p ~n",[Source#source.name, ioc2rpz_fun:conv_to_Mb(byte_size(Bin)),byte_size(Bin), ioc2rpz_fun:bin_to_hexstr(crypto:hash(md5,Bin))]), %TODO debug
-      %Uncomment next 2 lines in case of limited memory. REGEX must be prepared for lowcase sources
-      %BinLow=ioc2rpz_fun:bin_to_lowcase(Bin),
-      %L=clean_feed(ioc2rpz_fun:split_tail(BinLow,<<"\n">>),REGEX),
-
-      %methods used below consume more memory. It is not possible to run ioc2rpz with 1M indicator on AWS free tier
-      %L=clean_feed_bin(ioc2rpz_fun:split_tail(Bin,<<"\n">>),REGEX),
-      %Comment next 1 line in case of limited memory. REGEX must be prepared for lowcase sources
-
+
       %TODO spawn cleanup
       CTime=ioc2rpz_fun:curr_serial_60(),
       %L=[ {ioc2rpz_fun:bin_to_lowcase(X),Y} || {X,Y} <- clean_feed(ioc2rpz_fun:split_tail(Bin,<<"\n">>),REGEX) ],

src/ioc2rpz_fun.erl

@@ -297,3 +297,13 @@ base64url_decode_test() -> [
  ?assert(base64url_decode(<<"AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE">>) =:= {ok,<<0,0,1,0,0,1,0,0,0,0,0,0,7,101,120,97,109,112,108,101,3,99,111,109,0,0,1,0,1>>}),
  ?assert(base64url_decode(<<"AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE==">>) =:= {error,<<>>})
 ].
+
+bin_to_lowcase_test() ->[
+	?assert(bin_to_lowcase(<<"fC00::01">>) =:= <<"fc00::01">>),
+	?assert(bin_to_lowcase(<<"Aaaaaa">>) =:= <<"aaaaaa">>),
+	?assert(bin_to_lowcase(<<"bBbBbB">>) =:= <<"bbbbbb">>),
+	?assert(bin_to_lowcase(<<"ccC">>) =:= <<"ccc">>),
+	?assert(bin_to_lowcase(<<"D">>) =:= <<"d">>),
+	?assert(bin_to_lowcase(<<"f">>) =:= <<"f">>),
+	?assert(bin_to_lowcase(<<"eeeeeeeeeeeeeeeeeeeeeee">>) =:= <<"eeeeeeeeeeeeeeeeeeeeeee">>)
+].

src/ioc2rpz_rest.erl

@@ -220,7 +220,7 @@ srv_mgmt(Req, State, Format) when State#state.op == get_rpz -> % Get RPZ
 srv_mgmt(Req, State, Format) when State#state.op == get_ioc -> % check IoC
 	#{peer := {IP, Port}} = Req,
     ioc2rpz_fun:logMessageCEF(ioc2rpz_fun:msg_CEF(230),[ioc2rpz:ip_to_str(IP), Port, cowboy_req:path(Req), ""]),
-		IOC = cowboy_req:binding(ioc, Req),
+		IOC = ioc2rpz_fun:bin_to_lowcase(cowboy_req:binding(ioc, Req)),
 		TKEY = try
 				maps:get(tkey,cowboy_req:match_qs([tkey],Req)) %%%%% parse_qs
 			catch _:_ ->