New blacklist module. Fixes #48

[Zalgo2462]

The previous blacklist module possessed some issues which involved mixing up ips, urls, and hostnames. Additionally, it had a hard time distinguishing between blacklisted hosts which initiated connections and received them. These kludges lead to difficulty in expanding the blacklisted module.

This new blacklist module accompanies a new rita blacklist backend. The new backend is meant to handle various types of blacklists, enforce the database abstraction, and provide support for blacklists that are managed by outside software. This has allowed the removal of the google safebrowsing code from RITA and the addition of the code to rita-bl. (Fixes issue #48)

The manner in which user defined lists has changed, as has the RITA config file.
User defined blacklists are expected to be simple line separated lists. These simple files are then registered with RITA in the config file.
Here is an example of a new blacklisted configuration section.

BlackListed:
    Database: rita-blacklist
    # These are blacklists built into rita-blacklist. Set these to false
    # to disable checks against them.
    myIP.ms: true
    MalwareDomains.com: true
    MalwareDomainList.com: true

    # Google SafeBrowsing requires an api key and a file to cache the results in.
    # If either APIKey or Database is an empty string, Google SafeBrowsing will 
    # not be queried.
    SafeBrowsing:
        APIKey: "YOUR API KEY"
        Database: $HOME/.rita/safebrowsing

    # These are custom blacklists that you may define. They are lists of either
    # file paths or urls. These custom blacklists are expected to be simple,
    # line separated text documents containing a list of blacklisted entries.

    # Example: CustomIPBlacklists: ["$HOME/.rita/myIPBlacklist.txt"]
    # myIPBlacklist.txt would look like this:
    # 192.168.0.1
    # 10.10.174.1

    #Lists containing both IPv4 and IPv6 addresses are acceptable
    CustomIPBlacklists: []
    #Lists containing hostnames, domain names, and FQDNs are acceptable
    CustomHostnameBlacklists: ["$HOME/.rita/hostnamesBL.txt"]
    #URLs must each contain a protocol, a host, and a resource
    #Ex: http://google.com/
    #Ex: ftp://myftpserver.com/a/file/over/here.txt
    CustomURLBlacklists: ["$HOME/.rita/urlsBL.txt"]

    # Table names
    SourceIPsTable: blSourceIPs
    DestIPsTable: blDestIPs
    HostnamesTable: blHostnames
    UrlsTable: blUrls

The new blacklist module brings with it four new commands.

     show-bl-hostnames       Print blacklisted hostnames which recieved connections
     show-bl-source-ips        Print blacklisted IPs which initiated connections
     show-bl-dest-ips            Print blacklisted IPs which recieved connections
     show-bl-urls                   Print blacklisted URLs which were visited

The html output has been updated with a page for each of these commands.
Finally, crossref has been simplified to source and destination collections rather than internal/ external. The new blacklist information has been integrated into this new crossref configuration.

[Zalgo2462]

We chunk up the checks against RITA-BL. RITA-BL returns maps of (hosts or ip addresses or urls) to their results. The channel is used for communication.

[Zalgo2462]

cache time, could use a comment

[lisaSW]

comment would be very helpful :)

[Zalgo2462]

Rita-bl expects a function which returns (io.ReadCloser, error) to get the data from.

[Zalgo2462]

This line forces ritaBL to update its cache.

[Zalgo2462]

true is for source ip addresses, false if for destination ip addresses.

[Zalgo2462]

expand lists

[lisaSW]

At some point, we can probably just rename this rita-blacklist and get rid of the other one...

[lisaSW]

Is there a chance that the "src" and "dst" strings could ever change? Should they be variables?

[lisaSW]

Is this something that could or should be in the config file?

[lisaSW]

Could or should this be a config option?

[Zalgo2462]

This can be a config option, but I don't see any reason why it should be changed. It is the amount of entries to check against rita-bl at a time. The chunking is mainly for rita-bl RPC's such as google safebrowsing. Some RPC's can take advantage of this chunked behavior when querying the internet. The proper thing to do here is probably change it to a constant in the blacklist package.

[lisaSW]

Yep, please make this a constant

[lisaSW]

What happens in the case of a different url prefix?

[Zalgo2462]

So yeah. This is something I really struggled with. RITA-BL expects a prefix for its urls, and bro-ids does not, particularly since it places urls in files separated by protocol. Right now, we only pull urls from the http.log. The buildBlacklistedURLS function, however, is set up to take in a generic url iterator and protocol prefix. If we start reading the ftp log for instance, we can use buildBlacklistURLs(ftpIter, res, ritaBL, buffersize, "ftp://")

[lisaSW]

sounds good.

[lisaSW]

This structure is being treated as an array of strings, but if that ever changes, this will break. Will we ever need to add fields to this structure?

[Zalgo2462]

See comment above

[lisaSW]

This structure is being treated as an array of strings, but if that ever changes, this will break. Will we ever need to add fields to this structure?

[Zalgo2462]

I don't foresee having to change this structure. In this piece of the code we are only checking hostnames. Perhaps hostnames may need to be represented by their individual labels for some reason in the future, but this line can be altered to match that.
Overall since this piece of code deals specifically with hostnames, I felt comfortable going with this solution.
(Same answer for ip addresses since RITA-BL treats both ip v4 and v6 addresses as strings)

[lisaSW]

sounds good.

[lisaSW]

On this line, it looks like the url prefix is hardcoded to http... Will other prefixes still work and if so, how?

[Zalgo2462]

Currently, we will never pull an ftp url out of the bro logs. In the future, we may read the bro ftp.log. We would prepend ftp:// to the urls in that file so as to match these blacklist entries.

[lisaSW]

sounds good.

[lisaSW]

I've got a few inline comments up, @Zalgo2462 could you please take a look and reply to my questions?