Nmap Development mailing list archives
Re: [NSE] New script dns-blacklist
From: Duarte Silva <duarte.silva () serializing me>
Date: Mon, 02 Jan 2012 19:08:17 +0000
On Monday 02 January 2012 16:11:34 Patrik Karlsson wrote:
> On Mon, Jan 2, 2012 at 12:31 PM, Duarte Silva <duarte.silva () serializing me> wrote:
>
> > Hi Patrik,
> >
> > I added two new DNSBL providers, one for TOR nodes [1] and another for malware attacks [2]. I ended up stumbling on http:BL [3], which I wanted to add since it has some nice functionality. The problem is that this provider needs the user to provide an API key. Currently the library doesn't support user-provided arguments. I already have some ideas on how to tackle the problem in a generic way (support for other providers) but I was wondering if you think the functionality the provider has makes up for the trouble of changing the dnsbl library?
> >
> > [1] https://www.dan.me.uk/dnsbl
> > [2] http://www.blocklist.de/en/api.html#dns
> > [3] http://www.projecthoneypot.org/httpbl_api.php
> >
> > Regards,
> > Duarte Silva
>
> Hi Duarte,
Hi Patrik,
> There was no patch for the first two services attached to your post? I checked them out and they both seem interesting, the first one would probably fit under the PROXY section, while the second one should probably go into a category called ATTACK or similar?
No, sorry, I didn't send the patch. I wanted to do it once I had added the three providers. Yes, the first one is in the PROXY category and for the second one I created the ATTACK category. The output of "dns-blacklist.list" is the following:

Pre-scan script results:
| dns-blacklist:
|   ATTACK
|     all.bl.blocklist.de
|     dnsbl.httpbl.org
|       dnsbl.httpbl.org.apikey - the http:BL API key
|   PROXY
|     dnsbl.ahbl.org
|     socks.dnsbl.sorbs.net
|     misc.dnsbl.sorbs.net
|     http.dnsbl.sorbs.net
|     tor.dan.me.uk
|     dnsbl.tornevall.org
|   SPAM
|     dnsbl.ahbl.org
|     dnsbl.inps.de
|     bl.nszones.com
|     l2.apews.org
|     list.quorum.to
|     all.spamrats.com
|     bl.spamcop.net
|     spam.dnsbl.sorbs.net
|_    sbl.spamhaus.org

You can see that it is listing the API key argument that must be specified for the "dnsbl.httpbl.org" provider.
> In regards to the third one I think it both looks interesting and something to add. For the key part I don't think it's very difficult to do with the existing library. One way of doing it would be to get a script argument with the key in the fmt_query function of each service that needs one. Check out the first service in the list, it has a fmt_query function to show how it works. I guess it could look something like this:
>
>   fmt_query = function(ip)
>     -- strip the .in-addr.arpa suffix, leaving the reversed octets
>     local rev_ip = dns.reverse(ip):match("^(.*)%.in%-addr%.arpa$")
>     local key = stdnse.get_script_args("dnsbl.key.dnsbl.httpbl.org")
>     -- no key supplied: return nothing
>     if ( not(key) ) then
>       return
>     end
>     return ("%s.%s.dnsbl.httpbl.org"):format(key,rev_ip)
>   end
>
> I guess the checkBL function would need to be patched to handle an empty response from the fmt_query function.
I have a somewhat similar solution. You can check the patch, it isn't fully implemented though.
> Cheers,
> Patrik
Attachment: dnsbl.patch
Attachment: dns-blacklist.patch
Attachment: smime.p7s
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
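The behaviour discussed in this message, a provider whose `fmt_query` returns nothing when its API key is missing and a caller that skips it, sketched as an added example (not code from the dnsbl library or the attached patches). It runs under a plain Lua interpreter: `script_args`, `reverse_ipv4`, `valid_label` and `build_queries` are hypothetical stand-ins, the argument name is the one shown in the `dns-blacklist.list` output above, and the key value is a constructed placeholder.

```lua
-- Added example; script_args stands in for stdnse.get_script_args,
-- reverse_ipv4 for dns.reverse, build_queries for checkBL (assumptions).
local script_args = {}  -- constructed: would hold the user's --script-args

-- Reverse the octets of a dotted-quad IPv4 address; nil if it is not one.
local function reverse_ipv4(ip)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  for _, o in ipairs({a, b, c, d}) do
    if tonumber(o) > 255 then return nil end
  end
  return ("%s.%s.%s.%s"):format(d, c, b, a)
end

-- The key becomes one DNS label: accept only 1-63 letters or digits.
local function valid_label(s)
  return type(s) == "string" and #s <= 63 and s:match("^%w+$") ~= nil
end

-- Constructed provider table: one keyless provider, one that needs a key.
local providers = {
  ["tor.dan.me.uk"] = {
    fmt_query = function(ip)
      local rev = reverse_ipv4(ip)
      return rev and ("%s.tor.dan.me.uk"):format(rev)
    end,
  },
  ["dnsbl.httpbl.org"] = {
    fmt_query = function(ip)
      local rev = reverse_ipv4(ip)
      local key = script_args["dnsbl.httpbl.org.apikey"]
      if not (rev and valid_label(key)) then return nil end
      return ("%s.%s.dnsbl.httpbl.org"):format(key, rev)
    end,
  },
}

-- Collect one query per provider; a nil from fmt_query means "skip".
local function build_queries(ip)
  local queries, skipped = {}, {}
  for name, p in pairs(providers) do
    local q = p.fmt_query(ip)
    if q then queries[name] = q else skipped[#skipped + 1] = name end
  end
  return queries, skipped
end

local q, skipped = build_queries("192.0.2.10")      -- no key supplied
print(q["tor.dan.me.uk"], "skipped: " .. table.concat(skipped, ","))
script_args["dnsbl.httpbl.org.apikey"] = "examplekeyxx"  -- constructed key
print(build_queries("192.0.2.10")["dnsbl.httpbl.org"])
```

Because the key is the leftmost label of the query name, it is visible to every resolver that handles the lookup, so it should be treated as a low-value credential and kept out of shared scan logs.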