Source code for mentat.plugin.enricher.whois

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#-------------------------------------------------------------------------------
# This file is part of Mentat system (https://mentat.cesnet.cz/).
#
# Copyright (C) since 2011 CESNET, z.s.p.o (http://www.ces.net/)
# Use of this source is governed by the MIT license, see LICENSE file.
#-------------------------------------------------------------------------------

"""
`IDEA <https://idea.cesnet.cz/en/index>`__ message enrichment plugin for the
:ref:`section-bin-mentat-enricher` daemon module performing lookup of all
``Source/IPx`` addresses within configured **whois** service.

.. todo::

    Documentation is still work in progress, please refer to the source code for
    details.

"""


__author__ = "Jan Mach <jan.mach@cesnet.cz>"
__credits__ = "Pavel Kácha <pavel.kacha@cesnet.cz>, Andrea Kropáčová <andrea.kropacova@cesnet.cz>"


import collections
import pprint


#
# Custom libraries
#
import pynspect.jpath
import mentat.const
import mentat.services.whois


[docs]class WhoisEnricherPlugin: """ Enricher plugin performing lookup of all Source/IPx addresses within configured whois service. """ def __init__(self): self.whois_service = None
[docs] def setup(self, daemon, config_updates = None): """ Setup plugin. """ whois_manager = mentat.services.whois.WhoisServiceManager( daemon.config, config_updates ) self.whois_service = whois_manager.service() daemon.logger.info( "Initialized '%s' enricher plugin: %s", self.__class__.__name__, pprint.pformat(self.whois_service.status()) )
[docs] def process(self, daemon, message_id, message): """ Process and enrich given message. """ daemon.logger.debug( "WHOIS - processing message '%s'", message_id ) sources = [] sources += pynspect.jpath.jpath_values(message, 'Source.IP4') sources += pynspect.jpath.jpath_values(message, 'Source.IP6') resolved_abuses = collections.defaultdict(int) for src in sources: result = self.whois_service.lookup_abuse(src) if result is None: continue for res in result: resolved_abuses[res] += 1 changed = False resolved_abuses = sorted(resolved_abuses.keys()) if resolved_abuses: pynspect.jpath.jpath_set(message, '_CESNET.ResolvedAbuses', resolved_abuses) daemon.logger.debug( "WHOIS - Enriched message '%s' with attribute '_CESNET.ResolvedAbuses' and values %s", message_id, pprint.pformat(resolved_abuses) ) changed = True return (daemon.FLAG_CONTINUE, changed)