Current File : //opt/imunify360/venv/lib64/python3.11/site-packages/defence360agent/model/infected_domain.py |
import itertools
import logging
import time
from peewee import (
CharField,
FloatField,
IntegerField,
TextField,
)
from defence360agent.model import instance, Model
logger = logging.getLogger(__name__)
class InfectedDomainList(Model):
"""Domains with bad reputation, used for Reputation Management feature."""
id = IntegerField(primary_key=True)
#: Username associated with the domain in hosting panel.
username = CharField(null=True)
#: Domain name.
name = CharField(null=False)
#: The kind of threat reported by reputation engine,
#: e.g. "SOCIAL_ENGINEERING".
threat_type = CharField(null=False)
#: The time when Imunify first detected that the domain has bad reputation.
timestamp = FloatField()
#: The name of the reputation engine, e.g. "google-safe-browsing".
vendor = TextField(null=True)
class Meta:
database = instance.db
db_table = "infected_domain_list"
@classmethod
def get_by_user(cls, existing_users, offset=0, limit=50):
# to be able to filter query results using existing_users,
# limit/offset os applied on python side
query = cls.select().order_by(
cls.username, cls.name, cls.timestamp.desc()
)
filtered_by_user = (
row for row in query.dicts() if row["username"] in existing_users
)
grouped = itertools.groupby(
filtered_by_user, key=lambda row: (row["username"], row["name"])
)
max_count = 0
result = []
for i, value in enumerate(grouped):
max_count += 1
if (len(result) < limit) and (i >= offset):
group, threats = value
username, name = group
result.append(
{
"username": username,
"domain": name,
"threats": [
{
"type": t["threat_type"],
"vendor": t["vendor"],
"timestamp": t["timestamp"],
}
for t in threats
],
}
)
return result, max_count
@classmethod
def refresh_domains(cls, domains, domains_to_users):
"""
Update domain reputatuion info. If threat info already exists, do not
update timestamp
:param domains: reputation data from server
:param domains_to_users: domain -> users mapping from hosting panel
:return:
"""
existing = {
(r["name"], r["threat_type"], r["vendor"]): r["timestamp"]
for r in cls.select().dicts()
}
with instance.db.atomic():
cls.delete().execute()
now = time.time()
for domain_info in domains:
domain = domain_info["query"]
if domain not in domains_to_users:
logger.warning("Users for domain %s not found.", domain)
continue
for user in domains_to_users[domain]:
vendor = domain_info["vendor"]
if vendor in (
"google-safe-browsing",
"yandex-safe-browsing",
):
threat_type = domain_info["details"]["threat_type"]
elif vendor == "spamhaus":
threat_type = domain_info["details"]
elif vendor in ("phishtank", "openphish"):
# https://cloudlinux.atlassian.net/wiki/spaces/IPT/pages/929759302/4.1+Multiple+vendors+in+Reputation+Management+ver.4.2 # noqa: E501
threat_type = "spam domain"
else:
threat_type = "THREAT_TYPE_UNSPECIFIED"
timestamp = existing.get(
(domain, threat_type, vendor), now
)
cls.create(
username=user,
name=domain,
threat_type=threat_type,
vendor=vendor,
timestamp=timestamp,
)