
''' askQuestions_phish :
Routines to get data from the user
0.01 - 08-2012 - pcain
'''
from datetime import datetime
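# Prompt text, keyed first by language code and then by question id. The
# entries keyed by an answer type ('address4', 'text', 'dns', 'struct') are
# the error messages shown when an answer of that type fails validate().
questions = {
    'en-US': {
        'mandatory': 'Questions marked with a * require answers.\n',
        'address4': 'Please enter a VALID IP Address!',
        'text': 'This is a text field.',
        'dns': 'Please enter a DNS name.',
        'struct': 'Please pick a member of the list provided.',
        'phishCmae': 'How did you receive this phishing lure?',
        'phishBrandName': 'The Name of the Organization Phished:',
        'phishFraudParam': 'What was the subject line of this lure?',
        'phishNumber': 'The number of these lures received:',
        'phishDate': 'The date and time you received this lure:',
        'phishSite': 'Where did the lure want you to go (i.e., URL, phone number, etc)?',
        'phishDNS': 'Do you have DNS or location data on that?',
        'phishURL': 'Please enter that URL here',
        # Prompt texts not yet attached to a question id:
        #   Please enter that IP Address here:
        #   Please enter that Email or SMS Address here:
        #   Please enter that DNS domain name here
        #   Please enter that IP Address here
        #   Please enter it here
        # The trailing comma below was missing, which made the module a
        # syntax error (two adjacent string literals followed by ':').
        'phishConfq': 'What is your confidence that this is a real phishing site?',
        'Description': 'Is there Other Information we should be aware of? ',
        'Comment': 'Feel free to enter an Optional Comment: '
    }  # lang
}

# Confidence levels for a phishing report, keyed by the value the user types.
# NOTE(review): neither phishConf nor phishType is referenced by
# askQuestions_phish() in this file (it uses detectionType and activity,
# which are not defined here); presumably these were meant to be the
# 'struct' choice lists for the phishing questions -- confirm.
phishConf = {
    '100': '100% - Independently verified by us',
    '85': '85% - Experienced person looked at it',
    '75': '75% - Generated or verified by an automatic tool',
    '65': '65% - Quickly looking, it seems like a phish',
    '50': '50% - It sure looks phishy',
    '7': '7% - This is a test submission. Do not include in lists.',
    '0': '0% - This is a false positive; it is not a phish'
}

# Delivery channel of the lure, keyed by the value the user types.
phishType = {
    'email': 'email message',
    'im': 'instant message',
    'sms': 'SMS or text message',
    'phone': 'telephone call',
    'unknown': "unknown, or I don't know"
}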
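def validate(type, value, struct):
    """Check one user answer against its declared answer type.

    Args:
        type: One of 'address4', 'dns', 'struct' or 'text'; any other value
            is rejected. (The name shadows the builtin, but is kept so the
            original call signature is unchanged.)
        value: The raw string the user typed.
        struct: For type 'struct', the mapping of allowed choices; ignored
            for the other types.

    Returns:
        True when the answer is acceptable, False otherwise. Malformed input
        never raises, so the caller can simply re-ask the question.
    """
    if type == 'address4':
        return _valid_ipv4(value)
    if type == 'dns':
        # No syntax check is applied to DNS names (the original left this
        # open with "I wonder what?"); the answer is accepted as typed.
        return True
    if type == 'struct':
        # The answer must be one of the keys of the choice mapping. With no
        # mapping nothing can match (the original raised TypeError here).
        return struct is not None and value in struct
    if type == 'text':
        return True
    return False


def _valid_ipv4(value):
    """Return True if *value* is four dot-separated decimal octets in 0..255."""
    parts = value.split(".")
    if len(parts) != 4:
        return False
    # Reject empty, signed or whitespace-padded octets before int(): the
    # original called int() unguarded, so '1.2.3.' or 'a.b.c.d' crashed
    # with ValueError instead of being reported as an invalid address.
    if not all(part.isdigit() for part in parts):
        return False
    try:
        octets = [int(part) for part in parts]
    except ValueError:
        return False
    return all(0 <= octet <= 255 for octet in octets)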
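def askQuestions_phish(_language, botStruct):
    ''' Interactively ask the report questions and store the answers.

    Each entry of ``asker`` describes one question:
    [0] - top-level key in botStruct that receives the answer
    [1] - second-level key under [0], or None to store at the top level
    [2] - key of the prompt text in the questions dictionary
    [3] - default answer, used when the user just presses Enter
    [4] - answer type, passed to validate() and also the key of the error
          message printed when validation fails
    [5] - if the type is 'struct', the mapping of allowed choices
    [6] - True when an answer is mandatory

    Args:
        _language: Language code used to select prompts from ``questions``.
        botStruct: Dictionary filled in place with the validated answers.
            A nested section (e.g. 'infectee') is created when missing.

    Returns:
        The answer to the last question asked (historical behaviour; the
        collected data lives in botStruct).

    NOTE(review): ``detectionType`` and ``activity`` are not defined in this
    file, and the prompt keys below ('infectee-address', 'botName', ...) do
    not exist in ``questions`` -- presumably leftovers from a bot-report
    variant of this module; confirm before relying on this function.
    '''
    # Detection time defaults to "now" in UTC, ISO 8601 with an explicit offset.
    now_utc = datetime.utcnow().replace(microsecond=0).isoformat() + '-00:00'
    asker = [
        ('infectee', 'address', 'infectee-address', '', 'address4', None, True),
        ('infectee', 'dnsName', 'infectee-dnsName', 'unknown', 'dns', None, False),
        ('botName', None, 'botName', '', 'text', None, False),
        ('botType', None, 'botType', '', 'text', None, False),
        ('botVersion', None, 'botVersion', '', 'text', None, False),
        ('detectedBy', None, 'detectedBy', '', 'struct', detectionType, True),
        ('controller', 'address', 'controller-address', '', 'address4', None, False),
        ('controller', 'dnsName', 'controller-dnsName', '', 'text', None, False),
        ('controller', 'port', 'controller-port', '', 'text', None, False),
        ('botNetName', None, 'botNetName', '', 'text', None, False),
        ('botActivity', None, 'botActivity', '', 'struct', activity, False),
        # Prompt key 'botType' here looks copied from the entry above -- TODO confirm.
        ('detectTime', None, 'botType', now_utc, 'text', None, True),
        ('infector', 'address', 'infector-address', '', 'address4', None, False),
        ('infector', 'dnsName', 'infector-dnsName', '', 'text', None, False),
        ('Description', None, 'Description', '', 'text', None, False),
        ('Comment', None, 'Comment', '', 'text', None, False)
    ]
    prompts = questions[_language]
    print(prompts['mandatory'])
    for section, field, prompt_key, default, kind, choices, mandatory in asker:
        rawch = _ask_one(prompts, prompt_key, default, kind, choices, mandatory)
        # For choice questions the stored value is the choice description,
        # not the key the user typed (an empty non-mandatory answer stores None).
        if choices:
            rawch = choices.get(rawch)
        if field:
            botStruct.setdefault(section, {})[field] = rawch
        else:
            botStruct[section] = rawch
    return rawch


def _ask_one(prompts, prompt_key, default, kind, choices, mandatory):
    """Prompt for one answer until it is acceptable; return the raw answer."""
    words = prompts[prompt_key]
    if choices:
        # List the allowed choices after the question text.
        words += ''.join(', %s-%s' % (key, desc) for key, desc in choices.items())
    marker = '*' if mandatory else ''
    while True:
        # raw_input is kept deliberately: on Python 2, input() would eval
        # whatever the user types.
        answer = raw_input("%s [ %s ]%s: " % (words, default, marker))
        if answer in ('', '\n'):
            answer = default
        if answer == '':
            if not mandatory:
                return answer
            # Mandatory question with no answer and no default: explain, re-ask.
            print(prompts[kind])
        elif validate(kind, answer, choices):
            return answer
        else:
            print(prompts[kind])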
