Added URL blacklist filter module

CESNET · Feb 25, 2025 · 3da9e9d · 3da9e9d
1 parent 84f6f1b
commit 3da9e9d
Show file tree

Hide file tree

Showing 6 changed files with 483 additions and 0 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -12,6 +12,7 @@ SUBDIRS=amplification_detection \
 	sip_bf_detector \
 	smtp_spam_detector \
 	tunnel_detection \
+        url_blacklist_filter \
 	voip_fraud_detection \
 	vportscan_detector \
 	waintrusion_detector

diff --git a/configure.ac b/configure.ac
@@ -139,6 +139,7 @@ AC_CONFIG_FILES([Makefile
                  smtp_spam_detector/smtp_spam_detector
                  smtp_spam_detector/smtp_spam_detector_files/Makefile
                  tunnel_detection/Makefile
+                 url_blacklist_filter/Makefile
                  voip_fraud_detection/Makefile
                  vportscan_detector/Makefile
                  waintrusion_detector/Makefile

diff --git a/nemea-detectors.spec.in b/nemea-detectors.spec.in
@@ -75,6 +75,7 @@ make -j5 DESTDIR=$RPM_BUILD_ROOT install
 %{_bindir}/nemea/haddrscan_aggregator.py
 %{_bindir}/nemea/hoststatsnemea
 %{_bindir}/nemea/miner_detector
+%{_bindir}/nemea/url_blacklist_filter
 %{_bindir}/nemea/voip_fraud_detection
 %{_bindir}/nemea/vportscan_detector
 %{_bindir}/nemea/waintrusion_detector.py

diff --git a/url_blacklist_filter/Makefile.am b/url_blacklist_filter/Makefile.am
@@ -0,0 +1,10 @@
+bin_PROGRAMS=url_blacklist_filter
+url_blacklist_filter_SOURCES=url_blacklist_filter.c fields.c fields.h
+url_blacklist_filter_CFLAGS=-std=gnu99
+url_blacklist_filter_LDADD=-lunirec -ltrap
+
+EXTRA_DIST=README.md
+pkgdocdir=${docdir}/url_blacklist_filter
+pkgdoc_DATA=README.md
+
+include ../aminclude.am
diff --git a/url_blacklist_filter/README.md b/url_blacklist_filter/README.md
@@ -0,0 +1,51 @@
+# URL blacklist filter - NEMEA module
+
+## Description
+
+This modul recieves UniRec, checks if URL is on blacklist, if it is on blacklist, then it sends this UniRec to output. It requires file with blacklist as parameter.
+The primary function of tthis module is to monitor incoming HTTP network traffic and detect any attempts to access addresses listed on a pre-established blacklist. This module acts as a filter. 
+When a malicious address is detected, the module forwards it to the output interface, which should be connected to input of the [urlblacklist2idea](https://github.com/CESNET/URL_Evaluator/tree/main/nemea_modules/urlblacklist2idea) reporting module (part of [URL Evaluator](https://github.com/CESNET/URL_Evaluator)).
+
+### Input
+
+Number of inputs: 1\
+Description of input: The module receives UniRec data related to HTTP traffic. Required UniRec fields for this module are HTTP_REQUEST_HOST and HTTP_REQUEST_URL
+
+### Output
+
+Number of outputs: 1\
+Description of output: Incoming UniRec data is sent to the output if the URL within the UniRec entry is found on a blacklist.
+
+## Installation
+
+1) Let Autotools process the configuration files.\
+``` autoreconf -i ```
+
+2) Configure the module directory.\
+``` ./configure ```
+
+3) Build the module.\
+``` make ```
+
+4) Install the module. The command should be performed as root (e.g. using sudo). \
+``` make install ```
+
+## Usage
+
+``` url_blacklist_filter -f FILE_PATH -i IFC_SPEC ```
+
+### Parameters of module [OPTIONS]
+
+|Parameter|Description|
+|---|---|
+|-f  --file <char*>|Path to blacklist file with list of malicious URL addresses. Each line in the provided text file should contain a single URL.|
+
+### Common TRAP parameters [COMMON]
+
+|Parameter|Description|
+|---|---|
+|-h [trap,1]|If no argument, print this message. If "trap" or 1 is given, print TRAP help.|
+|-i IFC_SPEC|Specification of interface types and their parameters, see "-h trap" (mandatory parameter).|
+|-v|Be verbose.|
+|-vv|Be more verbose.|
+|-vvv|Be even more verbose.|