Nmap Development mailing list archives

Re: [NSE] New script dns-blacklist


From: Duarte Silva <duarte.silva () serializing me>
Date: Mon, 02 Jan 2012 19:08:17 +0000

On Monday 02 January 2012 16:11:34 Patrik Karlsson wrote:
On Mon, Jan 2, 2012 at 12:31 PM, Duarte Silva <duarte.silva () serializing me> wrote:
Hi Patrik,

I added two new DNSBL providers, one for TOR nodes [1] and another for malware attacks [2].

I ended up stumbling on http:BL [3], which I wanted to add since it has some nice functionality. The problem is that this provider needs the user to provide an API key. Currently the library doesn't support user-provided arguments. I already have some ideas on how to tackle the problem in a generic way (support for other providers), but I was wondering if you think the functionality the provider has makes up for the trouble of changing the dnsbl library?

[1] https://www.dan.me.uk/dnsbl
[2] http://www.blocklist.de/en/api.html#dns
[3] http://www.projecthoneypot.org/httpbl_api.php

Regards,
Duarte Silva

Hi Duarte,

Hi Patrik,
 
There was no patch for the first two services attached to your post?
I checked them out and they both seem interesting, the first one would
probably fit under the PROXY section, while the second one should probably
go into a category called ATTACK or similar?

No sorry, I didn't send the patch. I wanted to do it once I had added the three providers. Yes, the first one is in the PROXY category, and for the second one I created the ATTACK category. The output of "dns-blacklist.list" is the following:

Pre-scan script results:
| dns-blacklist: 
|   ATTACK
|     all.bl.blocklist.de
|     dnsbl.httpbl.org
|       dnsbl.httpbl.org.apikey - the http:BL API key
|   PROXY
|     dnsbl.ahbl.org
|     socks.dnsbl.sorbs.net
|     misc.dnsbl.sorbs.net
|     http.dnsbl.sorbs.net
|     tor.dan.me.uk
|     dnsbl.tornevall.org
|   SPAM
|     dnsbl.ahbl.org
|     dnsbl.inps.de
|     bl.nszones.com
|     l2.apews.org
|     list.quorum.to
|     all.spamrats.com
|     bl.spamcop.net
|     spam.dnsbl.sorbs.net
|_    sbl.spamhaus.org

You can see that it is listing the API key argument that must be specified for 
the "dnsbl.httpbl.org" provider.

In regards to the third one, I think it both looks interesting and is something to add. For the key part I don't think it's very difficult to do with the existing library. One way of doing it would be to get a script argument with the key in the fmt_query function of each service that needs one. Check out the first service in the list, it has a fmt_query function to show how it works. I guess it could look something like this:

fmt_query   = function(ip)
  -- dns.reverse gives the in-addr.arpa name; keep only the reversed octets
  local rev_ip = dns.reverse(ip):match("^(.*)%.in%-addr%.arpa$")
  -- the http:BL key comes from a script argument
  local key = stdnse.get_script_args("dnsbl.key.dnsbl.httpbl.org")
  if ( not(key) ) then
    return  -- no key given: return nil so the caller skips this provider
  end
  return ("%s.%s.dnsbl.httpbl.org"):format(key,rev_ip)
end

I guess the checkBL function would need to be patched to handle an empty
response from the fmt_query function.

I have a somewhat similar solution. You can check the patch, it isn't fully 
implemented though.

 
Cheers,
Patrik

Attachment: dnsbl.patch
Attachment: dns-blacklist.patch

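As an added example (not code from the thread's patches or from the nmap project), here is the two-sided version of the scheme Patrik sketches above: a keyed provider whose fmt_query returns nil when its script argument is missing, and a check_bl loop that reports such providers as skipped instead of failing. It runs on stock Lua; the provider table, the 192.0.2.10 test address, the reverse_ip helper (standing in for dns.reverse) and the no_args/fake_lookup stand-ins for stdnse.get_script_args and dns.query are all constructed for the example.

```lua
-- Reverse a dotted quad (stand-in for NSE's dns.reverse): 192.0.2.10 -> 10.2.0.192
local function reverse_ip(ip)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  assert(a, "not an IPv4 address: " .. tostring(ip))
  return ("%s.%s.%s.%s"):format(d, c, b, a)
end
-- Provider table in the style of the dnsbl library (constructed). Plain entries
-- need only a name; the keyed one declares its argument and supplies fmt_query.
local SERVICES = {
  ATTACK = {
    { name = "all.bl.blocklist.de" },
    { name = "dnsbl.httpbl.org",
      args = { apikey = "the http:BL API key" },
      fmt_query = function(ip, get_arg)
        local key = get_arg("dnsbl.httpbl.org.apikey")
        if not key then return nil end   -- no key, no query: caller must skip
        return ("%s.%s.dnsbl.httpbl.org"):format(key, reverse_ip(ip))
      end },
  },
}
-- Query every provider in a category. get_arg(name) fetches a script argument,
-- lookup(name) returns true when the name resolves (= listed). A provider whose
-- query cannot be built is reported as skipped instead of aborting the category.
local function check_bl(ip, category, get_arg, lookup)
  local results = {}
  for _, svc in ipairs(SERVICES[category]) do
    local q
    if svc.fmt_query then
      q = svc.fmt_query(ip, get_arg)
    else
      q = ("%s.%s"):format(reverse_ip(ip), svc.name)
    end
    if not q then
      local arg = svc.args and next(svc.args) or "?"
      results[svc.name] = "skipped: set script arg " .. svc.name .. "." .. arg
    elseif lookup(q) then
      results[svc.name] = "LISTED"
    else
      results[svc.name] = "not listed"
    end
  end
  return results
end
-- Constructed stand-ins: no script args given; only blocklist.de lists the host.
local function no_args(_) return nil end
local listed = { ["10.2.0.192.all.bl.blocklist.de"] = true }
local function fake_lookup(name) return listed[name] == true end
for name, verdict in pairs(check_bl("192.0.2.10", "ATTACK", no_args, fake_lookup)) do
  print(name, verdict)
end
```

Because the key is embedded as a DNS label, it leaves the scanning host in cleartext with every lookup; treat it like any other credential and supply it through --script-args rather than hard-coding it in the library.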

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/