Checking if domain is blocklisted during analysis

phishdetect · Nov 13, 2020 · 7bf8777 · 7bf8777
1 parent 11cbd36
commit 7bf8777
Showing 1 changed file with 49 additions and 0 deletions.
diff --git a/analysis.go b/analysis.go
@@ -27,6 +27,31 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
+func checkIfBlocklisted(target string) (phishdetect.Warning, error) {
+	link, err := phishdetect.NewLink(target)
+	toCheck := []string{
+		encodeSHA256(strings.ToLower(strings.TrimSpace(link.Domain))),
+		encodeSHA256(strings.ToLower(strings.TrimSpace(link.TopDomain))),
+	}
+
+	iocs, err := db.GetIndicators(IndicatorsLimitAll, IndicatorsStatusEnabled)
+	if err != nil {
+		return phishdetect.Warning{}, err
+	}
+	for _, ioc := range iocs {
+		if phishdetect.SliceContains(toCheck, ioc.Hashed) {
+			log.Debug("Target ", target, " is blocklisted by indicator with hash ", ioc.Hashed)
+			return phishdetect.Warning{
+				Score: 100,
+				Name: "blocklisted",
+				Description: fmt.Sprintf("The domain was blocklisted in PhishDetect Node by indicator with hash %s", ioc.Hashed),
+			}, nil
+		}
+	}
+
+	return phishdetect.Warning{}, nil
+}
+
 // analyzeDomain is used to statically analyze a domain name.
 func analyzeDomain(domain string) (*AnalysisResults, error) {
 	urlNormalized := phishdetect.NormalizeURL(domain)
@@ -56,6 +81,12 @@ func analyzeDomain(domain string) (*AnalysisResults, error) {
 		Warnings:   analysis.Warnings,
 	}
 
+	blocklisted, err := checkIfBlocklisted(domain)
+	if err == nil && blocklisted.Score > 0 {
+		results.Score += blocklisted.Score
+		results.Warnings = append(results.Warnings, blocklisted)
+	}
+
 	return &results, nil
 }
 
@@ -88,6 +119,12 @@ func analyzeURL(url string) (*AnalysisResults, error) {
 		Warnings:   analysis.Warnings,
 	}
 
+	blocklisted, err := checkIfBlocklisted(urlFinal)
+	if err == nil && blocklisted.Score > 0 {
+		results.Score += blocklisted.Score
+		results.Warnings = append(results.Warnings, blocklisted)
+	}
+
 	return &results, nil
 }
 
@@ -148,6 +185,12 @@ func analyzeLink(url string) (*AnalysisResults, error) {
 		HTML:       browser.HTML,
 	}
 
+	blocklisted, err := checkIfBlocklisted(urlFinal)
+	if err == nil && blocklisted.Score > 0 {
+		results.Score += blocklisted.Score
+		results.Warnings = append(results.Warnings, blocklisted)
+	}
+
 	return &results, nil
 }
 
@@ -195,5 +238,11 @@ func analyzeHTML(url, htmlEncoded string) (*AnalysisResults, error) {
 		HTML:       html,
 	}
 
+	blocklisted, err := checkIfBlocklisted(urlFinal)
+	if err == nil && blocklisted.Score > 0 {
+		results.Score += blocklisted.Score
+		results.Warnings = append(results.Warnings, blocklisted)
+	}
+
 	return &results, nil
 }