Update network_cnc_generic.py

Excluded the verification of IP addresses belonging to the MICROSOFT-CORP-MSN-AS-BLOCK to prevent triggering the signature unnecessarily when the machine is connected to the internet.
CAPESandbox · May 9, 2024 · d0aaa66 · d0aaa66
1 parent 4ae2a64
commit d0aaa66
Showing 1 changed file with 31 additions and 4 deletions.
diff --git a/modules/signatures/all/network_cnc_generic.py b/modules/signatures/all/network_cnc_generic.py
@@ -1,5 +1,5 @@
 # Copyright (C) 2018 Kevin Ross
-#
+# Copyright (C) 2024 Wassime BATTA
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -14,6 +14,28 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from lib.cuckoo.common.abstracts import Signature
+import os
+from lib.cuckoo.common.constants import CUCKOO_ROOT
+import ipaddress
+import csv
+
+
+def load_ip_ranges_from_csv(csv_file):
+    ip_ranges = []
+    with open(csv_file, 'r') as file:
+        reader = csv.DictReader(file)
+        for row in reader:
+            ip_ranges.append(row['Prefix'])
+    return ip_ranges
+
+
+def check_ip_in_ranges(ip_address, ip_ranges):
+    ip = ipaddress.ip_address(ip_address)
+    for ip_range in ip_ranges:
+        network = ipaddress.ip_network(ip_range)
+        if ip in network:
+            return True
+    return False
 
 
 class NetworkCountryDistribution(Signature):
@@ -52,21 +74,26 @@ class NetworkMultipleDirectIPConnections(Signature):
     severity = 2
     confidence = 30
     categories = ["network", "c2"]
-    authors = ["Kevin Ross"]
+    authors = ["Kevin Ross","Wassime BATTA"]
     minimum = "1.3"
 
     filter_analysistypes = set(["file"])
 
     def run(self):
         count = 0
         ips = []
+        msf_ips_file = "extra/msft-public-ips.csv"
+        msf_public_ips_list = os.path.join(CUCKOO_ROOT, msf_ips_file)
         if "network" in self.results and "hosts" in self.results["network"]:
+            ip_ranges = load_ip_ranges_from_csv(msf_public_ips_list)
             for host in self.results["network"]["hosts"]:
                 ip = host["ip"]
                 hostname = host["hostname"]
                 if ip not in ips and not hostname and not ip.startswith(("10.", "172.16.", "192.168.")):
-                    ips.append(ip)
-                    count += 1
+                    # Verify whether they are not part of the MICROSOFT-CORP-MSN-AS-BLOCK.
+                    if not check_ip_in_ranges(ip, ip_ranges):
+                        ips.append(ip)
+                        count += 1
 
         if count > 5:
             self.data.append({"direct_ip_connections": "Made direct connections to %s unique IP addresses" % (count)})