This documentation describes the Blacklist scanner that has been developed as part of SIWECOS.
Initially this scanner was developed for Initiative-S. When Initiative-S was discontinued, the scanner was rewritten for Siwecos.
The scanner regularly fetches known blacklists from the net.
Every checked domain is matched against the blacklists and a report will be generated about each blacklist mentioning the domain.
Depending on the kind of blacklist the score of the domain is reduced.
Current kinds of Blacklists are:
-
PHISHING
The domain was reported to be used in Phishing attempts.
-
MALWARE
The domain was reported to contain or spread Malware.
-
SPAM
The domain was advertised in Spam mails.
docker run -it --name siwecos-blacklist-scanner -p 2019:8080 -v /PATH/TO/STORAGE:/storage siwecos/ini-s-scanner
Send a POST-Request to http://localhost:2019/api/v1/check:
curl --data '{
"url":"https://05p.com",
"callbackurls":["http://host.docker.internal:9000"],
"dangerlevel": 10
}' -H 'Content-type: application/json' \
http://localhost:2019/api/v1/checkNote: You have to have something listening on port 9000 on your docker host for this example.
The parameter url is required:
urlmust be astring.
{
"name": "INI_S",
"version": "3.0.0",
"hasError": false,
"errorMessage": null,
"score": 66,
"tests": [
{
"name": "MALWARE",
"hasError": false,
"errorMessage": null,
"score": 0,
"scoreType": "critical",
"testDetails": [
{
"translationStringId": "DOMAIN_FOUND",
"placeholders": {
"DOMAIN": "05p.com",
"LISTNAME": "hpHosts-Hijacking",
"LISTURL": "https:\/\/hosts-file.net\/?s=Browse&f=HJK"
}
},
{
"translationStringId": "DOMAIN_FOUND",
"placeholders": {
"DOMAIN": "www.05p.com",
"LISTNAME": "hpHosts-Hijacking",
"LISTURL": "https:\/\/hosts-file.net\/?s=Browse&f=HJK"
}
}
]
},
{
"name": "PHISHING",
"hasError": false,
"errorMessage": null,
"score": 100,
"scoreType": "success",
"testDetails": []
},
{
"name": "SPAM",
"hasError": false,
"errorMessage": null,
"score": 100,
"scoreType": "success",
"testDetails": []
}
]
}Direct scanning via CLI is also possible:
docker run -it --rm -v /PATH/TO/STORAGE:/storage siwecos/ini-s-scanner blacklist get /check/05p.com
All tests and results are described in texts.en.md (english) and text.de.md (german).
The configuration file is /app/blacklist_checker/etc/blacklist_checker.conf. It has 3 main sections:
Blacklists are loaded from several sources. Please refer to the inline documentation given in the configuration file to see how to configure them.
The included webserver is Mojolicious' hypnotoad. Its configuration can be set as well.
Minion is the job queue used. It requires the location where to store its SQLite database for persisting its job data.
These environment variables are used:
-
MOJO_MODE
Defines in which mode to run the application
productionordevelopment(default). -
PHISHTANK_API
It is advised to register an API key for the Phishtank blacklist and to set the key using this variable. The variable is used in the default blacklist_checker.conf.
The startup is done by /app/blacklist_checker/script/start. It will
- download blacklists if they are missing
- start the webserver
- initialize a recurring job to update the blacklists
- start the job queue
Upon first startup, all blacklists will be downloaded. This will take some time. The downloaded lists will be persisted to the filesystem in /storage/blacklists/ (configurable) for faster startup.
For convenience the main script /app/blacklist_checker/script/blacklist_checker is available via a symbolic link in /usr/local/bin/blacklist.
Besides the standard commands available in every Mojolicious application, four commands are available to manage the update job:
-
blacklist list scheduleThis command is used during startup to initialize an update job. Please note that there shouldn't be more than one update job. This command will not start a new update job as long as there is already one present.
-
blacklist list statusThis will display information about the last update run.
-
blacklist list showThis will list the status of all the blacklists currently in use.
-
blacklist list updateThis will update all lists without waiting for the next scheduled run.
Currently 13 blacklists are configured. Please check /app/blacklist_checker/etc/blacklist_checker.conf for details.
The number of blacklists can be extended with (relative) ease. You just have to give the list a name and need to define from where to download and how to extract the domain names from the downloaded file. Check the documentation and examples in the default configuration file.
Please note that blacklists shouldn't be downloaded too frequently without contacting the blacklist owners.
Please also note that it is advised to register an API key for the Phishtank blacklist and to configure it via the environmant variable PHISHTANK_API.
-
Cannot createXXX:REASON -
Failed to renameXXX##toXXX:REASONThe blacklist couldn't be saved to filesystem. Check existance of the directories and permissions.
-
Cannot readXXX:REASONThe blacklist couldn't be read from filesystem. Check existance of the file and permissions.
-
Couldn't createpath_to_storage.$index -
Failed to save temporary index file -
Failed to save index fileThe scanner couldn't create its index file. Check existance of the directories and permissions.
-
Config error: Missing blacklistsThe config file or the blacklist sction in the config file is missing.
-
Config error: No storage defined for MinionYou need to define where to store minion's job database.
-
Missing blacklist idA blacklist needs to have an id, a unique name.
-
Missing blacklist config forNAMEEach blacklist needs to have a configuration.
-
XXX
not defined forNAMEXXX can be one of reader, kind, reference or url. You forgot to define one of these for the blacklist NAME.
-
no valid url defined forNAMEThe url for the blacklist NAME seems invalid.
-
startXXXforNAME*is neither a number nor a regexpThe
startproperty must be a number to denote the line where data starts, or a regular expression to find the line after which data starts. -
No separator regexp defined forNAMEIn order to split columns, you need to give a regular expression defining the column separartor.
-
headersometextforNAMEs neither a number nor a regexpThe header has to be set to either a number, denoting the line in which the header (of a csv) will be found, or a regular expression matching the header line.
-
header set but no column defined forNAMEIt's required to define in which column the domains will be found.
-
Column 0 forNAME `is not a valid column index. Columns are 1-based`` -
ColumnsomenumberforNAMEis not a valid column numberThe column must exist. Either a number has to be given or its name.
-
No column inNAMEis labeled $column.The column requested was not found in the blacklist file.
-
Could not parsesometextwith Text::CSVThe CSV parser had difficulties "understanding" a line found in the blacklist file. Check that you download the correct file and that the file looks as expected.
-
Could not create a Text::CSV readerIf this happens it seems as if the CPAN module Text::CSV had an issue.
-
###
response:sometextThis happens when the update process couldn't contact a blacklist server. It also can happen when the result callback couldn't contact the server.
-
Failed to downloadURLA blacklist couldn't be downloaded
-
Too many redirects forURLUsually this is an indicator for a misconfiguration at the blacklist server. The server answered with more than the allowed number of redirects. Double check with the blacklist owner or refrain from using that blacklist.
-
Could not updateNAMEThe update process couldn't download a blacklist.