Re: [NSE] New script dns-blacklist

[Duarte Silva <duarte.silva () serializing me>]

On Friday 06 January 2012 16:08:31 Duarte Silva wrote:
> Hi all,
>
> finally, I feel comfortable with the solution developed in order to add the
> ability to configure providers using script arguments in the DNSBL library.
>
> I kept Patrik solution of adding the "new" function to each service and
> ended up also, implementing Patrik's idea on the "fmt_query" function
> (removed my "check" function, in this case I opted for a more complex logic
> instead of code increase).
>
> I added three new providers:
> - ATTACK
>   - all.bl.blocklist.de
>   - dnsbl.httpbl.org
> - PROXY
>   - tor.dan.me.uk
>
> As usual patch follows in the attachments (the patch also removes tabs some
> misplaced tabs).
>
> Two questions:
>
> - Shouldn't the Zeus tracker script (dns-zeustracker.nse) be merged into the
> DNSBL library? Maybe not, since it's to specific? Or maybe we can reuse
> some code in the library? What do you think?
>
> - I feel that the "ATTACK" category can be changed to a more generic
> category, like "THREAT"?
>
> Regards,
> Duarte Silva

New patch, forgot to add "short" and "long" mode support to the http:BL 
provider.

Regards,
Duarte Silva

> On Monday 02 January 2012 21:52:33 Patrik Karlsson wrote:
> > > Hi Patrik,
> > >
> > > > There was no patch for the first two services attached to your
> > > > post?
> > > > I checked them out and they both seem interesting, the first one
> > > > would
> > > > probably fit under the PROXY section, while the second one
> > > > should
> > >
> > > probably
> > >
> > > > go into a category called ATTACK or similar?
> > >
> > > No sory, I dind't send the patch. I wanted to do it once I had added
> > > the three
> > > providers. Yes, the first one is in the PROXY category and the
> > > second
> > > one I created the ATTACK category. The output of
> > > "dns-blacklist.list"
> > > is the following:
> > >
> > > Pre-scan script results:
> > > | dns-blacklist:
> > > |   ATTACK
> > > |   
> > > |     all.bl.blocklist.de
> > > |     dnsbl.httpbl.org
> > > |     
> > > |       dnsbl.httpbl.org.apikey - the http:BL API key
> > > |   
> > > |   PROXY
> > > |   
> > > |     dnsbl.ahbl.org
> > > |     socks.dnsbl.sorbs.net
> > > |     misc.dnsbl.sorbs.net
> > > |     http.dnsbl.sorbs.net
> > > |     tor.dan.me.uk
> > > |     dnsbl.tornevall.org
> > > |   
> > > |   SPAM
> > > |   
> > > |     dnsbl.ahbl.org
> > > |     dnsbl.inps.de
> > > |     bl.nszones.com
> > > |     l2.apews.org
> > > |     list.quorum.to
> > > |     all.spamrats.com
> > > |     bl.spamcop.net
> > > |     spam.dnsbl.sorbs.net
> > > |
> > > |_    sbl.spamhaus.org
> > >
> > > You can see that it is listing the API key argument that must be
> > > specified for
> > > the "dnsbl.httpbl.org" provider.
> > >
> > > > In regards to the third one I think it both looks interesting
> > > > and
> > >
> > > something
> > >
> > > > to add. For the key part I don't think it's very difficult to do
> > > > with the existing library. One way of doing it would be to get a
> > > > script argument with the key in the fmt_query function of each
> > > > services that needs one. Check out the first service in the
> > > > list,
> > > > it has a fmt_query function to show how it works. I guess it
> > > > could
> > > > look something like this:
> > > >
> > > > fmt_query   = function(ip)
> > > >
> > > >   local rev_ip =
> > > >   dns.reverse(ip):match("^(.*)%.in%-addr%.arpa$")
> > > >   local key =
> > > >   stdnse.get_script_args("dnsbl.key.dnsbl.httpbl.org")
> > > >   if ( not(key) ) then
> > > >   
> > > >     return
> > > >   
> > > >   end
> > > >   return ("%s.%s.dnsbl.httpbl.org"):format(key,rev_ip)
> > > >
> > > > end
> > > >
> > > > I guess the checkBL function would need to be patched to handle
> > > > an
> > > > empty response from the fmt_query function.
> > >
> > > I have a somewhat similar solution. You can check the patch, it
> > > isn't
> > > fully implemented though.
> > >
> > > > Cheers,
> > > > Patrik
> >
> > Hi Duarte,
> >
> > I changed so that each service now has a "new" function through which it
> > can be instantiated.
> > This way it can get the configuration there and it does no longer have
> > to
> > be passed to each and every function.
> > Maybe this is a bit too ambitious or just a bad idea, as most of the
> > services don't have any benefit of this?
> > I've attached a patch against SVN but haven't done any extensive testing
> > of the change.
> >
> > Cheers,
> > Patrik

Attachment: dnsbl.patch
Description:

Attachment: smime.p7s
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/