Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Analyzer] UltraDNS #1783 #2620

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

[Analyzer] UltraDNS #1783 #2620

wants to merge 1 commit into from

Conversation

pranjalg1331
Copy link

@pranjalg1331 pranjalg1331 commented Dec 26, 2024
edited
Loading

Description

I have added two analyzers for UltraDNS ( ultradns resolver and ultradns malicious detector). I have added the migration files for both of the analysers and have also added the migration files to add them both to the free_to_use playbook.

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue).
  • [ x] New feature (non-breaking change which adds functionality).
  • Breaking change (fix or feature that would cause existing functionality to not work as expected).

Checklist

  • [x ] I have read and understood the rules about how to Contribute to this project
  • [ x] The pull request is for the branch develop
  • [ x] A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
    • [x ] I strictly followed the documentation "How to create a Plugin"
    • Usage file was updated.
    • Advanced-Usage was updated (in case the plugin provides additional optional configuration).
    • [ x] I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
    • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
    • [ x] If you created a new analyzer and it is free (does not require any API key), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
    • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
    • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
    • If the plugin interacts with an external service, I have created an attribute called precisely url that contains this information. This is required for Health Checks.
    • [ x] If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
    • [ x] I have added that raw JSON sample to the MockUpResponse of the _monkeypatch() method. This serves us to provide a valid sample for testing.
  • If external libraries/packages with restrictive licenses were used, they were added in the Legal Notice section.
  • [ x] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
  • I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
  • If changes were made to an existing model/serializer/view, the docs were updated and regenerated (check CONTRIBUTE.md).
  • If the GUI has been modified:
    • I have a provided a screenshot of the result in the PR.
    • I have created new frontend tests for the new component or updated existing ones.
  • After you had submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

Important Rules

  • If you miss to compile the Checklist properly, your PR won't be reviewed by the maintainers.
  • Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review. After being reviewed and received a "change request", you should explicitly ask for a review again once you have made the requested changes.

@pranjalg1331
<Analyzers> UltraDns, Closes intelowlproject#1783
5b5bafd 
Signed-off-by: pranjalg1331 <pranjaloff13@gmail.com>
@pranjalg1331
Copy link
Author

@mlodic, Please review.

@mlodic mlodic linked an issue Jan 2, 2025 that may be closed by this pull request
[Analyzer] UltraDNS #1783
Open
mlodic
mlodic requested changes Jan 2, 2025
View reviewed changes
Copy link
Member

@mlodic mlodic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please review the checklist, some important steps are missing

...zers_manager/observable_analyzers/dns/dns_malicious_detectors/ultradns_malicious_detector.py
Comment on lines +63 to +64
except Exception as e:
raise AnalyzerRunException(f"An error occurred: {e}")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is not needed cause the framework already manages it in this way (the upper class)

...zers_manager/observable_analyzers/dns/dns_malicious_detectors/ultradns_malicious_detector.py
Comment on lines +38 to +57
try:
answers = resolver.resolve(observable, "A")
for rdata in answers:
resolution = rdata.to_text()
# Check if the resolution falls in the sinkhole range
if ipaddress.ip_address(resolution) in sinkhole_range:
is_malicious = True
break
except dns.exception.Timeout:
# If primary DNS times out, try backup DNS
resolver.nameservers = [backup_dns]
try:
answers = resolver.resolve(observable, "A")
for rdata in answers:
resolution = rdata.to_text()
if ipaddress.ip_address(resolution) in sinkhole_range:
is_malicious = True
break
except dns.exception.Timeout:
raise AnalyzerRunException("Connection to UltraDNS failed")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

optimize this code cause redundant. I think that you could list both the nameservers together in the list

api_app/playbooks_manager/migrations/0057_add_ultradns_to_free_to_use.py
@@ -0,0 +1,34 @@
# This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please merge these 2 migrations in a single one

api_app/analyzers_manager/migrations/0143_analyzer_config_ultradns_malicious_detector.py
@@ -0,0 +1,128 @@
from django.db import migrations
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

merge these 2 migrations in a single one and adjust the migration numbers (pull from develop to get the most recent changes)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mlodic Should I merge them manually or there is an option to auto-generate migration for two analyzers in the same file?
Currently I was using this command docker exec -ti intelowl_uwsgi python3 manage.py dumpplugin AnalyzerConfig <new_analyzer_name>

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok I don't want to overcomplicate things. I am more bothered about the 2 playbooks migrations. Try to merge them manually (it is easy), while leave these analyzers migrations separated for sake of simplicity

@pranjalg1331 pranjalg1331 mentioned this pull request Jan 3, 2025
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mlodic mlodic mlodic requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Analyzer] UltraDNS
2 participants
@pranjalg1331 @mlodic