
ioc2rpz is a place where threat intelligence meets DNS

Homas committed Aug 17, 2019
1 parent 1f962af commit 78dc95fe9b33c2b6b9f4a04306ddcefdae2e492d
Showing with 25 additions and 8 deletions.
  1. +4 −0 ChangeLog.md
  2. +3 −0 README.md
  3. +3 −1 TODO.md
  4. +1 −1 include/ioc2rpz.hrl
  5. +1 −1 src/ioc2rpz.app.src
  6. +13 −5 src/ioc2rpz.erl
@@ -1,5 +1,9 @@
# ioc2rpz change log
[CB] - Changed Behaviour
## 2019-07-21 v1.0.0.2
-IPv4/IPv6 networks detection in IOCs for mixed zones
-IPv6 localhost network detection in IOCs

## 2019-07-21 v1.0.0.1
- RPZ statistics collected: # rules and # indicators

@@ -388,6 +388,9 @@ You can find other IOC feeds on the wiki-page: https://github.com/Homas/ioc2rpz/
- [Cowboy Web Server](https://ninenines.eu)
- [Rebar3](https://www.rebar3.org)
# Contact us
You can contact us by email: feedback(at)ioc2rpz[.]net or in [Telegram](https://t.me/ioc2rpz).
# License
Copyright 2017 - 2019 Vadim Pavlov ioc2rpz[at]gmail[.]com
@@ -1,5 +1,5 @@
## Bugs
- [ ] Config reload kills RPZ statistics
- [x] Config reload kills RPZ statistics

## Core / DNS
- [ ] RPZ storage type: ets, mnesia
@@ -20,6 +20,7 @@
- [ ] DoD https://tools.ietf.org/html/draft-ietf-dprive-dnsodtls-06

- [ ] EUnit Tests for main funs.
- [ ] Handle RPZ update if one of a sources is not availble or a recent update returned significatnly low number of indicators

## Sources
- [ ] Add a script for RPZ via "shell:"
@@ -42,6 +43,7 @@


## RPZ
- [ ] Monitor significant drop in # of IoCs and if detected - postpone an update to 1 - 3 IXF cycles or specified time
- [ ] RPZ by source intersection
- [ ] Max # of IOCs
- [ ] Catalog zones
@@ -46,7 +46,7 @@
%%%%%%
%%%%%% Do not modify any settings below the line
%%%%%%
-define(ioc2rpz_ver, "1.0.0.1-2019072201").
-define(ioc2rpz_ver, "1.0.0.2-2019081601").

-define(ZNameZip,16#c00c:16). %Zone name/original fqdn from a request is always at byte 10 in the response
-define(ZNameZipN,16#c00c). % Offset in bytes - Zone name/original fqdn from a request is always at byte 10 in the response
@@ -16,7 +16,7 @@
{application, ioc2rpz,
[
{description, ""},
{vsn, "0.9.3.0"},
{vsn, "1.0.0.1"},
{modules, [
ioc2rpz_app,
ioc2rpz_sup,
@@ -21,7 +21,7 @@
-include_lib("ioc2rpz.hrl").

-export([init/1, handle_call/3, handle_cast/2, handle_info/2, terminate/2, code_change/3]).
-export([start_ioc2rpz/2,send_notify/1,send_packets/20,domstr_to_bin/2,send_zone_live/9,mrpz_from_ioc/2,parse_dns_request/3,ip_to_str/1,dombin_to_str/1]).
-export([start_ioc2rpz/2,send_notify/1,send_packets/20,domstr_to_bin/2,send_zone_live/9,mrpz_from_ioc/2,parse_dns_request/3,ip_to_str/1,dombin_to_str/1,reverse_IP/1]).


%-compile([export_all]).
@@ -692,7 +692,8 @@ send_zone_live(Socket,Op,Zone,PktH,Questions, SOAREC,NSRec,TSIG,Proto) ->
case {Op, Zone#rpz.ioc_md5} of
{cache, MD5} -> {updateSOA, MD5, Zone#rpz.rule_count, Zone#rpz.max_ioc};
_Else ->
{ok,MP} = re:compile("^([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})$"), %
% {ok,MP} = re:compile("^([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})$"), %
{ok,MP} = re:compile("^([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(\\/[0-9]{1,3})?)|(.*::.*)$"),
PktHLen = 12+byte_size(Questions),
ioc2rpz_db:write_db_record(Zone,IOC,axfr),
ioc2rpz_db:delete_old_db_record(Zone),
@@ -1064,8 +1065,8 @@ gen_rpzrule(Domain,_,_,_,Action,_,_,_) ->
{ok,0,[<<>>],[<<>>]}.


reverse_IP(OrigIP) when OrigIP == <<"::1">>;OrigIP == <<"::1/128">> ->
<<"128.1:zz">>;
%reverse_IP(OrigIP) when OrigIP == <<"::1">>;OrigIP == <<"::1/128">>;OrigIP == <<"::01">>;OrigIP == <<"::01/128">> ->
% <<"128.1.zz">>;

reverse_IP(OrigIP) ->
[IP|Mask] = ioc2rpz_fun:split_tail(OrigIP, <<"/">>),
@@ -1085,8 +1086,12 @@ reverse_IP6(<<>>,OrigIP,[Mask],_) ->
IPv6=reverse_IP6(<<>>,OrigIP,no),
<<Mask/binary, ".", IPv6/binary>>.

reverse_IP6(<<>>,[<<>>|TAIL],ZZ) when ZZ == no ->
reverse_IP6([<<"zz">>],TAIL,yes);
reverse_IP6(<<>>,[DIP|TAIL],ZZ) ->
reverse_IP6(DIP,TAIL,ZZ);
%reverse_IP6(RIP,[<<>>,<<>>|TAIL],ZZ) when ZZ == no ->
% reverse_IP6([<<"zz.">>,RIP],TAIL,yes);
reverse_IP6(RIP,[],_ZZ) ->
list_to_binary(RIP);
reverse_IP6(RIP,[<<>>|TAIL],ZZ) when ZZ == no ->
@@ -1201,5 +1206,8 @@ reverse_IP_test() ->[
?assert(reverse_IP(<<"10.20.30.40">>) =:= <<"32.40.30.20.10">>),
?assert(reverse_IP(<<"10.20.30.40/24">>) =:= <<"24.40.30.20.10">>),
?assert(reverse_IP(<<"fc00:01::01">>) =:= <<"128.01.zz.01.fc00">>),
?assert(reverse_IP(<<"fc00::01/64">>) =:= <<"64.01.zz.fc00">>)
?assert(reverse_IP(<<"fc00::01/64">>) =:= <<"64.01.zz.fc00">>),
?assert(reverse_IP(<<"fd00::/8">>) =:= <<"8.zz.fd00">>),
?assert(reverse_IP(<<"::1">>) =:= <<"128.1.zz">>),
?assert(reverse_IP(<<"::01/128">>) =:= <<"128.01.zz">>)
].
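Review bot: The new pattern passed to `re:compile` in the send_zone_live hunk loses its anchoring, because `|` binds looser than `^` and `$`: `^(ipv4…)|(.*::.*)$` is read as "starts with an IPv4-looking prefix" OR "ends with something containing `::`", so an IoC such as `1.2.3.4.example.com` or `10.20.30.40abc` is now classified as an address, whereas the replaced expression was anchored at both ends. Wrap both alternatives in one group: `{ok,MP} = re:compile("^(([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(\\/[0-9]{1,3})?)|(.*::.*))$"),`. The `.*::.*` branch only recognises compressed IPv6 literals, so an uncompressed address would presumably fall through to the domain path; if that is intended, a comment such as `% only '::'-compressed IPv6 literals are treated as addresses` would save the next reader from guessing, and the commented-out previous pattern on the line above should be removed rather than kept. Separately, the `::1` clause of reverse_IP returns `<<"128.1:zz">>` (colon) while the new test asserts `<<"128.1.zz">>`; if that clause is still active on the new side the test cannot pass, and if it is the removed side then the commented-out replacement beneath it is dead code. The body of send_zone_live and the use of MP lie outside the hunk.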
