matrix-webhook/matrix_webhook/formatters/crowdsec.py

37 lines
1.4 KiB
Python
Raw Permalink Normal View History

import requests
2022-12-08 20:29:01 -05:00
def get_abuse_confidence(ip):
2022-12-08 20:29:01 -05:00
"""get abuseipdb's confidence level on an ip passed in, and return that value"""
base_url = "https://api.abuseipdb.com/api/v2/check"
2022-12-08 20:29:01 -05:00
api_key = "YOUR API KEY"
headers = {"Key": api_key, "Accept": "application/json"}
data = {"ipAddress": ip, "maxAgeInDays": 90}
r = requests.get(base_url, headers=headers, json=data)
2022-12-08 20:29:01 -05:00
confidence = r.json()["data"]["abuseConfidenceScore"]
whitelist = r.json()["data"]["isWhitelisted"]
return [confidence, whitelist]
2022-11-29 22:12:42 -05:00
def formatter(data, headers):
2022-12-08 20:29:01 -05:00
"""format a message sent with crowdsec http endpoints"""
2022-11-29 22:12:42 -05:00
data_out = ""
for row in data["body"]:
2022-12-08 20:29:01 -05:00
ip = row["host"]
duration = row["duration"]
confidence, whitelisted = get_abuse_confidence(ip)
if "crowdsecurity" in row["scenario"]:
source, scenario, *_ = row["scenario"].split("/")
row[
"scenario"
] = f"[{scenario}](https://hub.crowdsec.net/author/crowdsecurity/configurations/{scenario})"
data_out += f"{ip} has been banned {duration} due to {row['scenario']}\n\n"
if whitelisted:
data_out += "**Note: AbuseIPDB has whitelisted this address\n\n"
data_out += (
f"[AbuseIPDB](https://www.abuseipdb.com/check/{row['host']})({confidence}%) | "
f"[Crowdsec](https://app.crowdsec.net/cti/{row['host']})\n\n"
)
2022-11-29 22:12:42 -05:00
data["body"] = data_out
return data