AbuseIO is a toolkit to receive, process, correlate and notify about abuse reports received by network operators, typically hosting and access providers.

AbuseIO - Abusemanagement tools

AbuseIO is a toolkit to receive, process, correlate and notify end users about abuse reports received by network operators, typically hosting and access providers. The purpose is to consolidate efforts by various companies and individuals to automate and improve the abuse handling process.

Official Documentation

Documentation for AbuseIO can be found in its own repository.

An online version of the documentation can be found on https://docs.abuse.io/

Contributing

Thank you for considering contributing to AbuseIO! The contribution guide can be found on the AbuseIO website.

Security Vulnerabilities

If you discover a security vulnerability within AbuseIO, please send an e-mail to the AbuseIO CERT at [email protected] (GPG available on Key servers). All security vulnerabilities will be promptly addressed.

License

AbuseIO is open-sourced software licensed under the GNUv2 license.

Comments
  • Analytics screen does not work

    I have a new install of AbuseIO via Ansible and it seems that Analytics screen is not functioning. None of the options are clickable nor is there a way to enter a date range or do other filtering. I have tried in Chrome and Safari.

    opened by webtel 20
  • Migration from 4.0 to 4.1

    While doing the migration from 4.0 to 4.1, I followed the steps given in https://docs.abuse.io/en/latest/migration/.

    The 4.0 to 4.1 migration was successful.

    After the migration I found that an additional table "ticket_graph_points" was added in 4.1, which has missing analytics data.

    How can I make use of the "ticket_graph_points" table for existing 4.0 DB data?

    opened by aarakh 13
  • Problem parsing google abuse reports

    https://github.com/AbuseIO/parser-google

    Hi everyone,

    Just wondering if anyone else has the same problem as I do: Google abuse reports (SBR) constantly failing to be parsed.

    I'm doing some troubleshooting now but I think there may be a few possible sources:

    • DKIM parsing problems which cause the parsing to fail (in which case you may be able to make use of something such as https://github.com/angrychimp/php-dkim which can parse the DKIM, or build something to do so if this is the problem)
    • Multiple "Received:" Headers?

    If anyone's experienced this previously or has any ideas I'd love some input!

    Thank you 😄

    opened by CrazyLlama 12
  • New tickets are not getting created

    Installation done successfully with PHP 5.6.32.

    AbuseIO version 4.0.0. I found that framework.log was not created in /var/log/abuseio.

    I am also able to see tickets when I import sample mails; however, when I tried to create a ticket by sending an email to [email protected], no ticket was created.

    There is nothing in the postfix log of the AbuseIO server. The sender's logs show the message as delivered.

    Could you help with what goes wrong here?

    opened by aarakh 11
  • Tickets do not get created.

    Unable to get the ticket creation part to work. The server is able to receive emails however any email being sent to notifier@domain doesn't create a ticket in the system.

    None of the log files present in /var/log/abuseio show any information related to this. PostFix logs show the email was received.

    opened by iamgaurav 11
  • Support sending AdminAlert'ed attachments in zip format

    I've seen that some mail systems (Microsoft 365, for one) seem to truncate the attachments on emails that get bounced to admins. These are the emails which AbuseIO has not been able to parse, and so it sends them to be triaged manually.

    I've therefore added support for bundling attachments in a .zip file instead of attaching them as-is to the bounce email. From my testing, this stops the attachments from getting truncated.

    I've added the new config option app.attachment_format (APP_ATTACHMENT_FORMAT environment variable) to enable overriding the default (which I've named multifile) with the new option (zipfile).

    If no config changes are made, things carry on as-is. If attachment_format is changed to zipfile, it will create a .zip in /tmp, add all attachments into it, then send that to the admin instead.

    opened by miff2000 9
  •  Illegal offset type in isset or empty when sending out a notification

    This is with default notification configuration.

    Exception trace:
     () at /opt/abuseio/bootstrap/cache/compiled.php:14081
     Illuminate\Foundation\Bootstrap\HandleExceptions->handleError() at /opt/abuseio/bootstrap/cache/compiled.php:14081
     Illuminate\View\Factory->make() at /opt/abuseio/vendor/laravel/framework/src/Illuminate/Foundation/helpers.php:748
     view() at /opt/abuseio/vendor/abuseio/notification-mail/src/Mail.php:130
     AbuseIO\Notification\Mail->send() at /opt/abuseio/app/Jobs/Notification.php:44
     AbuseIO\Jobs\Notification->send() at /opt/abuseio/app/Jobs/Notification.php:111
     AbuseIO\Jobs\Notification->walkList() at /opt/abuseio/app/Console/Commands/Housekeeper/NotificationsCommand.php:141
     AbuseIO\Console\Commands\Housekeeper\NotificationsCommand->handle() at n/a:n/a
     call_user_func_array() at /opt/abuseio/bootstrap/cache/compiled.php:1187
     Illuminate\Container\Container->call() at /opt/abuseio/vendor/laravel/framework/src/Illuminate/Console/Command.php:150
     Illuminate\Console\Command->execute() at /opt/abuseio/vendor/symfony/console/Command/Command.php:256
     Symfony\Component\Console\Command\Command->run() at /opt/abuseio/vendor/laravel/framework/src/Illuminate/Console/Command.php:136
     Illuminate\Console\Command->run() at /opt/abuseio/vendor/symfony/console/Application.php:844
     Symfony\Component\Console\Application->doRunCommand() at /opt/abuseio/vendor/symfony/console/Application.php:189
     Symfony\Component\Console\Application->doRun() at /opt/abuseio/vendor/symfony/console/Application.php:120
     Symfony\Component\Console\Application->run() at /opt/abuseio/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php:107
     Illuminate\Foundation\Console\Kernel->handle() at /opt/abuseio/artisan:36

    Note that the line number for Mail.php is not the right one since I added some debug code to try and figure this out. The problematic line is:

    $htmlmail = view(['template' => $htmlmail], $replacements)->render();

    opened by dgagnon 9
  • Added whitelisting feature for IPv4/Subnets

    What does this PR do?

    I have added a feature that enables admins to ignore incidents for certain IPs/Subnets in a netblock.

    Aren't we able to do this anyway?

    It is currently possible but one would have to split a netblock in two, in order to ignore a single IPv4, a solution that is not convenient (especially for several, sparse IP addresses in a netblock).

    So can't they just mark the created tickets as ignored?

    That would suffice as well, but it becomes irritating for our customers' sysadmins.

    How do we test this?

    All you have to do is drop the config file (config/whitelist.json) under your config folder (development or production based on your APP_ENV in .env), add 'whitelist' to your 'interface/navigation' bar in main.php. Then you can test it under /admin/whitelist. You can update the list with the following values:

    • A single IPv4, e.g. 147.102.10.10
    • An IPv4 CIDR subnet, e.g. 147.102.10.0/24

    After you are done updating the whitelist press Update. At this point, you can feed the pipeline with emails in order to test that the right incidents are being ignored.

    Does this feature add any dependencies?

    No

    Motivation

    We (GRNET) are using AbuseIO as we are an ISP for several public entities (e.g. academic institutions, hospitals, etc.). Recently a research team from a lab under our constituency deployed several high-interaction honeypots for research purposes. That triggered our AbuseIO source (internal and external), and so several tickets opened. We were asked to stop sending tickets for specific IPv4 addresses. Unfortunately, there was no straightforward/scalable way to do that.

    Awaiting feedback! :grinning:

    opened by linosgian 8
  • "Report date" should contain the timezone

    Looking at reports that come out of coloclue's abuse.io server, I see the timezone is missing:

    Without timezone specification, the date is meaningless.

    I recommend ISO 8601, example: 2016-10-15T13:09:16Z is used.

    Ticket #305: Report for IP address XXX (Open Netbios Server)
    Category: Information message, we strongly advice this matter to be resolved
    Report date: 2016-08-28 01:37
    Report count: 1
    Source: Shadowserver
    Reply or help: https://ash.abuseio.coloclue.net/?id=305&token=XX
    Report information:
      - mac_address: 00-00-00-00-00-00
      - workgroup: WORKGROUP
      - machine_name: SERVER
      - username: SERVER
      - Address: XXX
    
    enhancement confirmed 
    opened by job 8
  • Indirect access to mailbox (according to documentation

    Hi

    I have a problem of understanding and hope that someone can help. According to the documentation it should be possible to receive mails instead of your own MTA by accessing a mailbox (IMAP or POP3?) and parse them.

    I just don't understand how I can make this happen. There are no instructions for this, I have overlooked or misunderstood this feature? I'm using AbuseIO 4.0.3.

    Can someone help me with that? How can I give AbuseIO access to an existing mailbox (which has been set up on the mail server for this purpose)? Which file (module) is responsible for this and how can I activate it?

    Thank you in advance.

    PS: What does this option/URL mean (as it is not available in my installation)?

    'ash' => [ 'url' => 'https://abuseio.isp.local/ash/', ],

    Best regards, Joh

    opened by JohWayne 7
  • validator error - multiple contact addresses with comma-and-whitespace separator

    If I have a comma and a whitespace as address separators in a contact, for example: "[email protected], [email protected]", the following error occurs when parsing a new email ticket:

    Jun 7 18:26:50 machine abuseio[30191]: production.INFO: AbuseIO\Parsers\Shadowserver: Parser run completed for module : Shadowserver
    Jun 7 18:26:50 machine abuseio[30191]: production.INFO: AbuseIO\Parsers\Shadowserver: : Parser completed with 0 warnings and collected 26 incidents to save
    Jun 7 18:26:51 machine abuseio[30191]: production.INFO: AbuseIO\Jobs\IncidentsValidate: Validator has ended without errors
    Jun 7 18:26:51 machine abuseio[30191]: production.ERROR: AbuseIO\Jobs\IncidentsSave: Saver has ended with errors ! : DevError: Internal validation failed when saving the Ticket object All ip contact email addresses should be valid.
    Jun 7 18:26:51 machine abuseio[30191]: production.ERROR: AbuseIO\Jobs\EmailProcess: Email processor ending with errors. The received e-mail will be deleted from archive and bounced to the admin for investigation

    It works when I don't have whitespaces in the list of addresses: "[email protected],[email protected]"

    This could be fixed in /opt/abuseio/app/Providers/ValidationsServiceProvider.php, by trimming whitespaces in the "validation for multiple comma separated e-mails" code.

    opened by andrege 6
  • Netcraft report changes

    Since a few months ago, Netcraft stopped sending a "report.txt" attachment, and instead now sends an "xarf.json" attachment (see anonymised examples).

    The parser-netcraft now bounces these messages, instead of parsing them. If you require any other samples to fix this, please let me know.

    xarf-spam.json.txt xarf-webshell.json.txt xarf-malware.json.txt

    opened by pkrul 3
  • Error during php artisan migrate

    Hey, I'm trying to install AbuseIO on my Ubuntu 22.04 Server. After filling the database credentials into the .env file I run into this error during php artisan migrate...

    https://paste.robin-it.group/fedakobeve.rb

    opened by RobinDev03 1
  • Add support for configuration options through environment variables

    It would be useful to allow setting some configuration options through environment variables, instead of requiring to change the respective values directly through the source code. All current changes simply allow setting the respective options through environment variables, but keep the default options intact for compatibility purposes.

    opened by gmetaxo 0
  • Shadowserver Report Changes

    For now just FYI: I haven't looked at the specifics of how this will affect the shadowserver parser:

    Dear Shadowserver Subscriber,

    This is an important update on the upcoming changes to the Shadowserver sinkhole and honeypot report types and formats. We have recently updated our free public benefit reports service by introducing changes to our sinkhole, honeypot and darknet report types. These changes include introducing new report names, types and more standardized formats. These changes will affect how you parse and process our data. The new report types and formats are currently simultaneously delivered to you with the old reports that they are meant to replace.

    Please make yourself (and all your mailing list contacts) familiar with the new report changes that are in effect and published on our website via URL, along with the rationale behind these changes:

    https://www.shadowserver.org/news/changes-in-sinkhole-and-honeypot-report-types-and-formats/

    Please note, as an existing subscriber, you will continue to receive the old reports that are being changed until 2021-06-01, as well as a copy of the new reports that we have introduced.

    If you have any questions or concerns please contact us. We hope that these changes introduce cleaner and more future proof formats, which will allow for a better understanding of our reports and for easier and more flexible processing of our data.

    Thanks

    The Shadowserver Foundation

    opened by yakatz 2
  • PackageManifest.php Undefined index: name

    Error upon install using composer (version 2.0.11):

    Creating a "abuseio/abuseio" project at "./abuseio"
    Installing abuseio/abuseio (v4.3.0)
      - Downloading abuseio/abuseio (v4.3.0)
      - Installing abuseio/abuseio (v4.3.0): Extracting archive
    Created project in /opt/abuseio
    Loading composer repositories with package information
    Updating dependencies
    ...
    ...
    Generating optimized autoload files
    Class tests\Api\Account\ApiVersionTest located in ./tests/Api/ApiVersionTest.php does not comply with psr-4 autoloading standard. Skipping.
    Class Wpb\String_Blade_Compiler\Facades\StringBlade located in ./vendor/wpb/string-blade-compiler/src/Facade/StringBlade.php does not comply with psr-4 autoloading standard. Skipping.
    > Illuminate\Foundation\ComposerScripts::postAutoloadDump
    > @php artisan package:discover
    
    In PackageManifest.php line 122:
    
      Undefined index: name
    
    Script @php artisan package:discover handling the post-autoload-dump event returned with error code 1
    
    opened by gstorme 1
  • ipechelon/copyrightnotice: filters broken

    @kruisdraad

    It appears that filters for both ipechelon and copyrightnotice parsers are broken.

    Let's look at ipechelon, as copyright notice appears to share a lot of code with it.

    Firstly, the following filters are set in the config:

    https://github.com/AbuseIO/parser-ipechelon/blob/4cfc1b9e1472e6c98d93df7556d4cedccbdb9fe3/config/Ipechelon.php#L28-L32

    Primo, all of these are outside of $report_raw['Source'] which we apply filters to

    https://github.com/AbuseIO/parser-ipechelon/blob/4cfc1b9e1472e6c98d93df7556d4cedccbdb9fe3/src/Ipechelon.php#L87

    And then we finally save the $report_raw, completely ignoring $report.

    https://github.com/AbuseIO/parser-ipechelon/blob/4cfc1b9e1472e6c98d93df7556d4cedccbdb9fe3/src/Ipechelon.php#L98

    I am happy to fix these but want to understand what we want to collect for the incident.

    Here is an example of what is currently saved, but the use of $report_raw['Source'] above is quite confusing, so I am not sure what was the intention here. Can you clarify what you've intended to capture and what should be ignored?

    Case ID: [redacted]
    Case Status: Open
    Case Severity: Normal
    Complainant Entity: Paramount Pictures Corporation
    Complainant Contact: IP-Echelon - Compliance
    Complainant Address: 6715 Hollywood Blvd Los Angeles CA 90028 United States of America
    Complainant Phone: +1 (310) 606 2747
    Complainant Email: p2p@[redacted]
    Service_Provider Entity: [redacted]
    Service_Provider Email: abuse@[redacted]
    Source TimeStamp: 2020-03-12T19:02:00Z
    Source IP_Address: [redacted]
    Source Port: 54599
    Source Type: BitTorrent
    Source SubType @attributes: This is filtered due to fourth layer nesting
    Source Number_Files: 1
    Content Item TimeStamp: 2020-03-12T19:02:00Z
    Content Item Title: Sonic the Hedgehog
    Content Item FileName: Sonic The Hedgehog (2020) [1080p] [WEBRip] [YTS.MX]
    Content Item FileSize: 1772912495
    Content Item Hash: f3acfd3979cc1a30cc7f312673ced688ce78ce77
    
    opened by mikenowak 0
Releases(v4.3.1)