Diff of /phish/askquestions_phish.py [000000] .. [edbb89]


--- a
+++ b/phish/askquestions_phish.py
@@ -0,0 +1,155 @@
+''' askQuestions_phish :
+	Routines to get data from the user
+
+    0.01 - 08-2012 - pcain 
+
+'''
+
+from datetime import datetime
+
+questions = {
+# question, mandatory answer, where answer goes, answer choices, default answer 
+'en-US' : {
+'mandatory' : 'Questions marked with a * require answers.\n',
+'address4' : 'Please enter a VALID IP Address!',
+'text' : 'This is a text field.',
+'dns' : 'Please enter a DNS name.',
+'struct' : 'Please pick a member of the list provided.',
+'phishCmae' : 'How did you receive this phishing lure?',
+'phishBrandName' : 'The Name of the Organization Phished:',
+'phishFraudParam' : 'What was the subject line of this lure?',
+'phishNumber' : 'The number of these lures received:',
+'phishDate' : 'The date and time you received this lure:',
+'phishSite' : 'Where did the lure want you to go (i.e., URL, phone number, etc)?',
+'phishDNS' : 'Do you have DNS or location data on that?',
+'phishURL' : 'Please enter that URL here',
+#Please enter that IP Address here:
+#Please enter that Email or SMS Address here:
+#Please enter that DNS domain name here
+#Please enter that IP Address here
+#Please enter it here
+'phishConfq' : 'What is your confidence that this is a real phishing site?'
+
+
+'Description' : 'Is there Other Information we should be aware of? ', 
+'Comment' : 'Feel free to enter an Optional Comment: '
+} # lang
+#
+}
+
+
+phishConf = {
+	'100' :	'100% - Independently verified by us',
+	 '85' : '85% - Experienced person looked at it',
+         '75' : '75% - Generated or verified by an automatic tool',
+         '65' : '65% - Quickly looking, it seems like a phish',
+         '50' : '50% - It sure looks phishy',
+          '7' : '7% - This is a test submission. Do not include in lists.',
+          '0' : '0% - This is a false positive; it is not a phish'
+}
+
+phishType = {
+	'email' : 'email message',
+      	'im' 	: 'instant message',
+      	'sms'	: 'SMS or text message',
+    	'phone'	: 'telephone call',
+ 	'unknown' : "unknown, or I don't know"
+}
+  
+
+def validate(type, value, struct):
+    if type == 'address4':
+        parts = value.split(".")
+        if len(parts) != 4:
+          return False
+        for item in parts:
+          if not 0 <= int(item) <= 255:
+            return False
+        return True
+    if type == 'dns':
+	# We should do some checking, but I wonder what?
+        return True
+    if type == 'struct':
+	# See if the choice is a  member of the structure
+	if value in struct:
+	  value = struct.get(value)
+	  return True
+        return False
+    if type == 'text':
+        return True
+
+    return False
+
+
+def askQuestions_phish(_language, botStruct):
+
+
+  ''' This is the base questions and answer strucutre.
+      [0] - dictionary key to puit answer
+      [1] - second-level dictionary key for answer
+      [2] - question in question dictionary
+      [3] - default answer
+      [4] - type of answer
+      [5] - if type is struct, this is the struct
+      [6] - Is it mandatory to answer?
+  '''
+  asker = [
+  ('infectee','address', 'infectee-address', '', 'address4', None, True),
+  ('infectee','dnsName', 'infectee-dnsName','unknown', 'dns', None, False),
+  ('botName', None, 'botName', '', 'text', None, False),
+  ('botType', None, 'botType', '', 'text', None, False),
+  ('botVersion', None, 'botVersion', '', 'text', None, False),
+  ('detectedBy', None, 'detectedBy', '', 'struct', detectionType, True),
+  ('controller','address', 'controller-address', '', 'address4', None, False),
+  ('controller','dnsName', 'controller-dnsName', '', 'text', None, False),
+  ('controller','port', 'controller-port', '', 'text', None, False),
+  ('botNetName', None, 'botNetName', '', 'text', None, False),
+  ('botActivity', None, 'botActivity', '', 'struct', activity, False),
+  ('detectTime', None, 'botType', datetime.utcnow().replace(microsecond=0).isofo
+rmat()+'-00:00', 'text', None, True),
+  ('infector','address', 'infector-address', '', 'address4', None, False),
+  ('infector','dnsName', 'infector-dnsName', '', 'text', None, False),
+  ('Description', None, 'Description', '', 'text', None, False),
+  ('Comment', None, 'Comment', '', 'text', None, False)
+  ]
+
+  print questions[_language]['mandatory']
+  for i in iter(asker):
+    _invalid = True
+    while _invalid: 
+
+      words = questions[_language][i[2]]
+      if i[5]:
+        # Print out the possible answers
+        for (key1,value1) in i[5].items(): 
+	  words = words + ', %s-%s' % (key1, value1)
+      # Check the mandatory flag
+      if i[6]: char1='*'
+      else: char1=''
+      # Ask the user for some answers
+      rawch = raw_input( "%s [ %s ]%s: " % (words, i[3], char1) )
+      if rawch == '' or rawch == '\n':
+        rawch = i[3]  # default
+      
+      # See if the user paid attention
+      # a. Is it mandatory and no value  -> err
+      if (i[6] and rawch == ''):
+        print questions[_language][i[4]]
+      # b. Is the value good?
+      elif rawch != '':
+          if validate( i[4], rawch, i[5]):
+            _invalid = False
+          else:
+            print questions[_language][i[4]]
+      else:
+            _invalid = False
+    # End the while loop
+    if i[5]: rawch = i[5].get(rawch)
+    if i[1]:
+        botStruct[ i[0] ][i[1]] = rawch
+    else:
+        botStruct[ i[0]] = rawch
+  return rawch
+
+
+
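Review bot: The `'en-US'` table silently loses the `phishConfq` entry because there is no comma after its value on the `'phishConfq'` line; Python concatenates the two adjacent string literals, so the key actually stored is `'What is your confidence that this is a real phishing site?Description'` and any lookup of `'phishConfq'` raises KeyError. Adding the trailing comma, `'phishConfq' : 'What is your confidence that this is a real phishing site?',`, restores both keys. Separately, `asker` in `askQuestions_phish` references `detectionType` and `activity`, which this file never defines, and its question keys (`'infectee-address'`, `'botName'`, `'detectedBy'`, …) do not exist in `questions['en-US']`, so the function raises NameError before asking anything — the table appears carried over from a bot-reporting module rather than matched to the phish questions and the unused `phishConf`/`phishType` dicts above. In `validate`, the `address4` branch calls `int(item)` on unchecked user input, so a non-numeric octet raises ValueError instead of returning False; `if not (item.isdigit() and 0 <= int(item) <= 255): return False` keeps malformed input a validation failure rather than a crash.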