Skip to content

Commit

Permalink
IP Quality Score changes (smicallef#1105)
Browse files Browse the repository at this point in the history 
* IPQS improvements
  • Loading branch information
@krishnasism
krishnasism authored Oct 12, 2020
1 parent 9d7f457 commit 1cd66bd
Showing 1 changed file with 79 additions and 15 deletions.
94 changes: 79 additions & 15 deletions modules/sfp_ipqualityscore.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,12 +46,14 @@ class sfp_ipqualityscore(SpiderFootPlugin):

opts = {
"api_key": "",
"abuse_score_threshold": 85
"abuse_score_threshold": 85,
"strictness": 0
}

optdescs = {
"api_key": "IPQualityScore API Key",
"abuse_score_threshold": "Minimum abuse score for target to be considered malicious"
"abuse_score_threshold": "Minimum abuse score for target to be considered malicious (0 - 100)",
"strictness": "Depth of the reputation checks to be performed on the target (0 - 2)"
}

errorState = False
Expand All @@ -65,18 +67,22 @@ def setup(self, sfc, userOpts=None):

def watchedEvents(self):
return [
"PHONE_NUMBER",
"DOMAIN_NAME",
"EMAILADDR",
"IP_ADDRESS",
"DOMAIN_NAME"
"PHONE_NUMBER",
]

def producedEvents(self):
return [
"EMAILADDR_DISPOSABLE",
"EMAILADDR_COMPROMISED",
"GEOINFO",
"MALICIOUS_PHONE_NUMBER",
"MALICIOUS_EMAILADDR",
"MALICIOUS_IPADDR",
"MALICIOUS_INTERNET_NAME",
"PHONE_NUMBER_TYPE",
"RAW_RIR_DATA"
]

Expand All @@ -98,11 +104,11 @@ def handle_error_response(self, qry, res):
def query(self, qry, eventName):
queryString = ""
if eventName == "PHONE_NUMBER":
queryString = f"https://ipqualityscore.com/api/json/phone/{self.opts['api_key']}/{qry}"
queryString = f"https://ipqualityscore.com/api/json/phone/{self.opts['api_key']}/{qry}?strictness={self.opts['strictness']}"
elif eventName == "EMAILADDR":
queryString = f"https://ipqualityscore.com/api/json/email/{self.opts['api_key']}/{qry}"
queryString = f"https://ipqualityscore.com/api/json/email/{self.opts['api_key']}/{qry}?strictness={self.opts['strictness']}"
elif eventName == "IP_ADDRESS" or eventName == "DOMAIN_NAME":
queryString = f"https://ipqualityscore.com/api/json/ip/{self.opts['api_key']}/{qry}"
queryString = f"https://ipqualityscore.com/api/json/ip/{self.opts['api_key']}/{qry}?strictness={self.opts['strictness']}"

res = self.sf.fetchUrl(
queryString,
Expand All @@ -126,6 +132,27 @@ def query(self, qry, eventName):

return None

def getGeoInfo(self, data):
geoInfo = ""

city = data.get('city')
country = data.get('country')
if not country:
country = data.get('country_code')
zipcode = data.get('zip_code')
region = data.get('region')

if city:
geoInfo += city + ", "
if region:
geoInfo += region + ", "
if country:
geoInfo += country + " "
if zipcode:
geoInfo += zipcode

return geoInfo

def handleEvent(self, event):
eventName = event.eventType
srcModuleName = event.module
Expand Down Expand Up @@ -156,21 +183,58 @@ def handleEvent(self, event):
fraudScore = data.get('fraud_score')
recentAbuse = data.get('recent_abuse')
botStatus = data.get('bot_status')
malicious = False
maliciousDesc = ""

if fraudScore >= self.opts['abuse_score_threshold'] or recentAbuse or botStatus:
evt = SpiderFootEvent("RAW_RIR_DATA", str(data), self.__name__, event)
self.notifyListeners(evt)
malicious = True
maliciousDesc = f"IPQualityScore [{eventData}]\n"

if eventName == "PHONE_NUMBER":
if malicious:
maliciousDesc += f" - FRAUD SCORE : {fraudScore}\n - ACTIVE : {data.get('active')}\n - RISKY : {data.get('risky')}\n - RECENT ABUSE : {recentAbuse}"
evt = SpiderFootEvent("MALICIOUS_PHONE_NUMBER", maliciousDesc, self.__name__, event)
self.notifyListeners(evt)

phoneNumberType = data.get('line_type')
if phoneNumberType:
evt = SpiderFootEvent("PHONE_NUMBER_TYPE", phoneNumberType, self.__name__, event)
self.notifyListeners(evt)

geoInfo = self.getGeoInfo(data)
if geoInfo:
evt = SpiderFootEvent("GEOINFO", geoInfo, self.__name__, event)
self.notifyListeners(evt)

if eventName == "PHONE_NUMBER":
evt = SpiderFootEvent("MALICIOUS_PHONE_NUMBER", "IPQualityScore [" + eventData + "]", self.__name__, event)
elif eventName == "EMAILADDR":
if malicious:
maliciousDesc += f" - FRAUD SCORE : {fraudScore}\n - HONEYPOT : {data.get('honeypot')}\n - SPAM TRAP SCORE : {data.get('spam_trap_score')}\n - RECENT ABUSE : {recentAbuse}"
evt = SpiderFootEvent("MALICIOUS_EMAILADDR", maliciousDesc, self.__name__, event)
self.notifyListeners(evt)
elif eventName == "EMAILADDR":
evt = SpiderFootEvent("MALICIOUS_EMAILADDR", "IPQualityScore [" + eventData + "]", self.__name__, event)

if data.get('disposable'):
evt = SpiderFootEvent("EMAILADDR_DISPOSABLE", eventData, self.__name__, event)
self.notifyListeners(evt)
elif eventName == "IP_ADDRESS":
evt = SpiderFootEvent("MALICIOUS_IPADDR", "IPQualityScore [" + eventData + "]", self.__name__, event)

if data.get('leaked'):
evt = SpiderFootEvent("EMAILADDR_COMPROMISED", f"{eventData} [Unknown]", self.__name__, event)
self.notifyListeners(evt)
elif eventName == "DOMAIN_NAME":
evt = SpiderFootEvent("MALICIOUS_INTERNET_NAME", "IPQualityScore [" + eventData + "]", self.__name__, event)

elif eventName == "IP_ADDRESS" or eventName == "DOMAIN_NAME":
if malicious:
maliciousDesc += f" - FRAUD SCORE : {fraudScore}\n - BOT STATUS : {botStatus}\n - RECENT ABUSE : {recentAbuse}\n - ABUSE VELOCITY : {data.get('abuse_velocity')}\n - VPN : {data.get('vpn')}\n - ACTIVE VPN : {data.get('active_vpn')}\n - TOR : {data.get('tor')}\n - ACTIVE TOR : {data.get('active_tor')}"

if eventName == "IP_ADDRESS":
evt = SpiderFootEvent("MALICIOUS_IPADDR", maliciousDesc, self.__name__, event)
elif eventName == "DOMAIN_NAME":
evt = SpiderFootEvent("MALICIOUS_INTERNET_NAME", maliciousDesc, self.__name__, event)
self.notifyListeners(evt)

geoInfo = self.getGeoInfo(data)
if geoInfo:
evt = SpiderFootEvent("GEOINFO", geoInfo, self.__name__, event)
self.notifyListeners(evt)

# End of sfp_ipqualityscore class

0 comments on commit 1cd66bd

Please sign in to comment.