#!/usr/bin/php
<?php
	$starttime = explode(' ', microtime());
	$starttime =  $starttime[1] + $starttime[0];
	$rpckey = "<your key here>";
	$rpcurl = "http://www.dronebl.org/RPC2";
	$rpctypes = array(
			3	=>	"IRC spam drone (litmus/sdbot/fyle)",
			5	=>	"Bottler (experimental)",
			6	=>	"Unknown worm or spambot",
			7	=>	"DDoS drone",
			8	=>	"Open SOCKS proxy",
			9	=>	"Open HTTP proxy",
			10	=>	"Proxychain",
			13	=>	"Automated dictionary attacks",
			14	=>	"Open WINGATE proxy",
			15	=>	"Compromised router / gateway",
			255	=>	"Uncategorized threat class"
		    );

	function getArgs($args) {
		$out = array();
		$last_arg = null;
		for($i=1,$il=sizeof($args);$i<$il;$i++) {
			if((bool)preg_match("/^--(.+)/",$args[$i],$match)) {
				$parts = explode("=", $match[1]);
				$key = preg_replace("/[^a-z0-9]+/", "", $parts[0]);
				if(isset($parts[1]))
					$out[$key] = $parts[1];
				else
					$out[$key] = true;
				$last_arg = $key;
			} else if((bool)preg_match("/^-([a-zA-Z0-9]+)/",$args[$i],$match)) {
				for($j=0,$jl=strlen($match[1]);$j<$jl;$j++) {
					$key = $match[1]{$j};
					$out[$key] = true;
				}
				$last_arg = $key;
			} else if($last_arg !== null)
				$out[$last_arg] = $args[$i];
		}
		return $out;
	}

	function array_remove($array,$value) {
		$tmp = array();
		foreach ($array AS $data) {
			if ($data != $value)
				array_push($tmp,$data);
		}
		return $tmp;
	}

	$comms = getArgs($_SERVER['argv']);
	$errors = 0;

	if ($comms['help'] || empty($_SERVER['argv'][1])) {
		echo 	"-----------------------------------------------------------------\n".
			" Logfile to DroneBL reporter v1.5 <outsider@scarynet.org> \n".
			"-----------------------------------------------------------------\n".
			" Usage: ".$_SERVER['argv'][0]." <options>\n\n".
			" <options> are:\n\n".
			"   -i <file>	  : get data from specified file.\n".
			"                 : by default data is read from stdin.\n".
			"   -t <type>	  : report as certain type (default: 6).\n".
			"   		  : if no type specified after -t, show list.\n".
			"   -v            : also show statistics.\n".
			"   -q		  : turn quiet operation on.\n".
			"   --help        : show this help and exit.\n".
			"   --noreport	  : do not report result to dronebl.\n".
			"   --offset <n>  : ip is found at index <n> (default: autoscan).\n".
			"  		    (0 being the first index).\n";
		exit;
	}

	$reportas = 6;
	if (!empty($comms['t']) && $rpctypes[$comms['t']])
		$reportas = intval($comms['t']);
	elseif ($comms['t']) {
		if (!is_numeric($comms['t']) && !empty($comms['t']))
			echo "Type has to be numeric. ";
		echo "Possible types are:\n\n";
		echo "\tType:\tDescription:\n\t-----\t------------\n";
		foreach (array_keys($rpctypes) AS $types)
			echo "\t".$types."\t".$rpctypes[$types]."\n";
		exit;
	}

	if ($comms['q'])
		$quiet = TRUE;

	if ($comms['noreport'])
		$noreport = TRUE;

	if ($comms['v'])
		$verbose = TRUE;

	$offset = -1;
	if ($comms['offset'] != "") {
		if (is_numeric($comms['offset']))
			$offset = intval($comms['offset']);
		else {
			echo "--offset requires a number (0 = first word).\n";
			$errors++;
		}
	}

	if (!empty($comms['i']) && file_exists($comms['i']))
		$iplist = file_get_contents($comms['i']);
	else {
		if ($comms['i'] && empty($comms['i'])) {
			echo "-i requires an input file to be specified.\n";
			$errors++;
		} elseif ($comms['i']) {
			echo "No such file: ".$comms['i']."\n";
			$errors++;
		} else {
			$fd = fopen("php://stdin","rb"); 
			while(!feof($fd)) 
				$iplist .= fread($fd, 4096 );
			fclose($fd);
		}
	}
	$strips = array("\r","(",")","[","]");
	foreach ($strips as $tostrip)
		$iplist = str_replace($tostrip,"",$iplist);

	if ($errors > 0) {
		echo (!$quiet?"Errors detected in commandline. Please fix and try again.\n":"");
		exit;
	}

	if (!$iplist || empty($iplist)) {
		echo (!$quiet?"No ip's found to parse.\n":"");
		exit;
	}

	$buffer = array();
	$resolve = 0;
	if ($offset == -1) {
		if (preg_match_all("/([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s/",$iplist,$matches,PREG_SET_ORDER)) {
			foreach ($matches AS $match) {
				$ip = $match[0];
				$ip = trim(str_replace("\n","",$ip));
				if (!in_array($ip,$buffer))
					array_push($buffer,$ip);
			}
		}
		$iplist = preg_replace("/(.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}[\s\t].*\n)/i","",$iplist);
		if (preg_match_all("/([a-z0-9.-]{4,})/i",$iplist,$matches,PREG_SET_ORDER)) {
			foreach ($matches AS $match) {
				if (!preg_match("/[^@]/i",$match[1]) || 
				    !preg_match("/[a-z0-9.-]{4,}\.[a-z]{2,4}/i",$match[1]))
					continue;
				$ip = $match[1];
				$ip = trim(str_replace("\n","",$ip));
				if (!preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/",$ip)) {
					$ip = gethostbyname($ip);
					$resolve++;
				}
				if (!preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/",$ip)) {
					echo (!$quiet?"Unable to resolve $ip\n":"");
					continue;
				}
				if (!in_array($ip,$buffer))
					array_push($buffer,$ip);
			}
		}
		$iplist = $buffer;
	} else {			
		$lines = split("\n",$iplist);
		foreach ($lines AS $line) {
			$line = str_replace("\n","",$line);
			$line = trim($line);
			$words = split(" ",$line);
			list($dummy,$host) = split("@",$words[$offset],2);
			if (empty($host))
				$host = $dummy;
			if (!empty($host) && !in_array($host,$buffer))
				array_push($buffer,$host);
		}
		$ips = array();
		foreach ($buffer AS $ip) {
			if (!preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/",$ip)) {
				if (preg_match("/[a-z0-9.-]{4,}\.[a-z]{2,4}/i",$ip)) {
					$ip = gethostbyname($ip);
					$resolve++;
				} else
					continue;
			}
			if (!preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/",$ip)) {
				echo (!$quiet?"Unable to resolve $ip\n":"");
				continue;
			}
			if (!in_array($ip,$ips))
				array_push($ips,$ip);
		}
		$iplist = $ips;
	}

	$data = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n<request key='".$rpckey."'>\n";
	foreach ($iplist AS $ip)
		$data .= "\t<lookup ip='".$ip."' />\n";
	$data .= "</request>\n";

	$ch = curl_init($rpcurl);
	curl_setopt($ch,CURLOPT_POST,1);
	curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
	curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
	curl_setopt($ch,CURLOPT_HEADER,0);
	curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
	$result = curl_exec($ch);

	$xml_parser = xml_parser_create('');
	xml_parse_into_struct($xml_parser, $result, $vals, $index);
	xml_parser_free($xml_parser);
	$existing = array();
	foreach ($vals AS $val) {
		if ($val["tag"]=="RESULT" && $val["attributes"]["IP"]) {
			$ip = $val["attributes"]["IP"];
			if ($val["attributes"]["LISTED"] == 1) {
				if (!in_array($ip,$existing))
					array_push($existing,$ip);
				$iplist = array_remove($iplist,$ip);
			}
		}
	}

	echo ($verbose?"Results:\n-----------------------------\n":"");
	echo (!$quiet&&$verbose?
		"Host DNS Lookups       :".$resolve."\n".
		"Count of ips to report :".count($iplist)."\n".
		"Already known          :".count($existing)."\n":"");
	var_dump($iplist);
	if (empty($iplist)) {
		echo (!$quiet?"No entries found needing to report.\n":"");
	} elseif (!$noreport) {
		echo	(!$quiet&&$verbose?"Reporting Results...\n":"");
		$data = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n<request key='".$rpckey."'>\n";
		foreach ($iplist AS $ip)
			$data .= "\t<add ip='".$ip."' type='".$reportas."' />\n";
		$data .= "</request>";
		curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
		$dummy = curl_exec($ch);
		echo (!$quiet?"Reported ".count($iplist)." hosts to DroneBL.\n":"");
	}
	$mtime = explode(' ', microtime());
	$totaltime = sprintf('%.3f',$mtime[0]+$mtime[1]-$starttime);
	echo (!$quiet&&$verbose?"Total processing time: ".$totaltime." seconds.\n":"");
?>