DB/Active: add "Malware" tags based on <https://sslbl.abuse.ch/>

pirenga · Apr 6, 2022 · 987570d · 987570d
1 parent 41f42eb
commit 987570d
Show file tree

Hide file tree

Showing 6 changed files with 4,981 additions and 11 deletions.
diff --git a/ivre/active/data.py b/ivre/active/data.py
@@ -32,6 +32,7 @@
 from ivre.active.cpe import add_cpe_values
 from ivre.config import VIEW_SYNACK_HONEYPOT_COUNT
 from ivre.data.microsoft.exchange import EXCHANGE_BUILDS
+from ivre.data.abuse_ch.sslbl import SSLBL_CERTIFICATES
 from ivre.types import ParsedCertificate, Tag
 from ivre.types.active import HttpHeader, NmapAddress, NmapHost, NmapPort, NmapScript
 from ivre.utils import (
@@ -394,19 +395,13 @@ def gen_auto_tags(
         for script in port.get("scripts", []):
             if script["id"] == "ssl-cert":
                 for cert in script.get("ssl-cert", []):
-                    if (
-                        cert.get("md5") == "950098276a495286eb2a2556fbab6d83"
-                        or cert.get("sha1")
-                        == "6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c"
-                        or cert.get("sha256")
-                        == "87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c"
-                    ):
+                    if cert.get("sha1") in SSLBL_CERTIFICATES:
                         yield cast(
                             Tag,
                             dict(
                                 TAG_MALWARE,
                                 info=[
-                                    f"Cobalt Strike Team Server default certificate on port {port['protocol']}/{port['port']}"
+                                    f"{SSLBL_CERTIFICATES[cert['sha1']]} certificate on port {port['protocol']}/{port['port']} (SSL Blacklist by abuse.ch)"
                                 ],
                             ),
                         )

diff --git a/ivre/data/abuse_ch/__init__.py b/ivre/data/abuse_ch/__init__.py
@@ -0,0 +1,19 @@
+#! /usr/bin/env python
+
+# This file is part of IVRE.
+# Copyright 2011 - 2022 Pierre LALET <[email protected]>
+#
+# IVRE is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# IVRE is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
+# License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with IVRE. If not, see <http://www.gnu.org/licenses/>.
+
+"""This submodule contains data from abuse.ch."""