Spamhouse parser

Spamhouse often sends data like:

['111.111.111.183', 'AS11178', 'LV', '1471111139', 'iotmirai', '-', '?', '?', '?', '?']
['111.111.111.230', 'AS11178', 'LV', '1471111134', 'gootkit', '', '111.111.111.166', '1696', 'xxxxxxxxxxx.com', 'tcp']

..these are columns from [0] to [9]. Current parser fails because:

1. '?' is not a valid value;
2. field [8] is not a valid local_port (sometimes we see a domain);

Could you add the IP checking function inside class SpamhausCERTParserBot(Bot):

def is_valid_ip(self, ip):
        m = re.match(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$", ip)
        return bool(m) and all(map(lambda n: 0 <= int(n) <= 255, m.groups()))

and check if fields 6..9 are valid:

if self.is_valid_ip(row_splitted[6]):
    event.add('destination.ip', row_splitted[6])
if row_splitted[7].isdigit():
    event.add('destination.port', row_splitted[7])
if row_splitted[8].isdigit():
    event.add('extra', {'destination.local_port':
                         int(row_splitted[8])})
if row_splitted[9] != "?":
    event.add('protocol.transport', row_splitted[9])

[aaronkaplan]

Hey.

On 26.10.2016, at 16:17, CERT.LV notifications@github.com wrote:

Spamhouse often sends data like:

['111.111.111.183', 'AS11178', 'LV', '1471111139', 'iotmirai', '-', '?', '?', '?', '?']
['111.111.111.230', 'AS11178', 'LV', '1471111134', 'gootkit', '', '111.111.111.166', '1696', 'xxxxxxxxxxx.com', 'tcp']
..these are columns from [0] to [9]. Current parser fails because:

1. '?' is not a valid value;

Okay so how about making this column optional then (if indeed it is optional)?

2. field [8] is not a valid local_port (sometimes we see a domain);

Okay this is a problem. I recommend doing some pre processing so that a local port is a local port and that a domain is move to for example the local_hostname field.

In fact what would be the right architectural approach is to refactor the Shadowserver parser into a generic CSV parser. It contains a function for specifying which fields map to what other fields in the DHO.

Could you add the IP checking function inside class SpamhausCERTParserBot(Bot):

def is_valid_ip(self, ip):
m = re.match(r"^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$", ip)
return bool(m) and all(map(lambda n: 0 <= int(n) <= 255, m.groups()))

Why not use python3's built in ipaddr module?
Such as
Try:
ip_parsed = ipaddress.ipaddress(ip)
Except:
Handle...

In fact this is what's happening in harmonization.py.

I prefer that we keep the validation of IP addresses central in the code and only once. (In harmonization.py).

and check if fields 6..9 are valid:

if self.is_valid_ip(row_splitted[6]):
event.add('destination.ip', row_splitted[6])
if row_splitted[7].isdigit():
event.add('destination.port', row_splitted[7])
if row_splitted[8].isdigit():
event.add('extra', {'destination.local_port':

Yes that kind of code makes sense in a parser. Agreed with that :)

int(row_splitted[8])})
if row_splitted[9] != "?":
event.add('protocol.transport', row_splitted[9])

Hope my feedback was useful for you.

A.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

Hi,

Okay so how about making this column optional then (if indeed it is optional)?

But if someone will still want to store this field?

Okay this is a problem. I recommend doing some pre processing so that a local port is a local port and that a domain is move to for example the local_hostname field.

Even better.

Will you add changes to the Spamhouse parser or we should wait for a CSV general parser? Preprocessing of some fields (like local_port or local_hostname in Spamhouse case) will still be needed

A fix is in 87ff32f, depends on #841.