diff --git a/extra/msft-public-ips.csv b/extra/msft-public-ips.csv
new file mode 100644
index 00000000..9019a3d1
--- /dev/null
+++ b/extra/msft-public-ips.csv
@@ -0,0 +1,473 @@
+Prefix,Type
+1.186.0.0/16, MSFT Public IP Address Block
+4.128.0.0/12, MSFT Public IP Address Block
+4.144.0.0/12, MSFT Public IP Address Block
+4.160.0.0/12, MSFT Public IP Address Block
+4.176.0.0/12, MSFT Public IP Address Block
+4.192.0.0/12, MSFT Public IP Address Block
+4.208.0.0/12, MSFT Public IP Address Block
+4.224.0.0/12, MSFT Public IP Address Block
+4.240.0.0/12, MSFT Public IP Address Block
+9.129.0.0/16, MSFT Public IP Address Block
+9.130.0.0/16, MSFT Public IP Address Block
+9.131.0.0/16, MSFT Public IP Address Block
+9.132.0.0/16, MSFT Public IP Address Block
+9.133.0.0/16, MSFT Public IP Address Block
+9.135.0.0/16, MSFT Public IP Address Block
+9.136.0.0/16, MSFT Public IP Address Block
+9.141.0.0/16, MSFT Public IP Address Block
+9.145.0.0/16, MSFT Public IP Address Block
+9.146.0.0/16, MSFT Public IP Address Block
+9.149.0.0/16, MSFT Public IP Address Block
+9.160.0.0/16, MSFT Public IP Address Block
+9.163.0.0/16, MSFT Public IP Address Block
+9.164.0.0/16, MSFT Public IP Address Block
+9.166.0.0/16, MSFT Public IP Address Block
+9.167.0.0/16, MSFT Public IP Address Block
+9.169.0.0/16, MSFT Public IP Address Block
+9.177.0.0/16, MSFT Public IP Address Block
+9.185.0.0/16, MSFT Public IP Address Block
+9.205.0.0/16, MSFT Public IP Address Block
+9.220.0.0/16, MSFT Public IP Address Block
+9.223.0.0/16, MSFT Public IP Address Block
+9.228.0.0/16, MSFT Public IP Address Block
+9.229.0.0/16, MSFT Public IP Address Block
+9.231.0.0/16, MSFT Public IP Address Block
+9.234.0.0/15, MSFT Public IP Address Block
+9.248.0.0/16, MSFT Public IP Address Block
+13.64.0.0/11, MSFT Public IP Address Block
+13.96.0.0/13, MSFT Public IP Address Block
+13.104.0.0/14, MSFT Public IP Address Block
+13.117.0.0/16, MSFT Public IP Address Block
+13.118.0.0/15, MSFT Public IP Address Block
+13.123.0.0/16, MSFT Public IP Address Block
+13.240.0.0/16, MSFT Public IP Address Block
+13.241.0.0/16, MSFT Public IP Address Block
+13.242.0.0/15, MSFT Public IP Address Block
+20.0.0.0/11, MSFT Public IP Address Block
+20.33.0.0/16, MSFT Public IP Address Block
+20.34.0.0/15, MSFT Public IP Address Block
+20.36.0.0/14, MSFT Public IP Address Block
+20.40.0.0/13, MSFT Public IP Address Block
+20.48.0.0/12, MSFT Public IP Address Block
+20.64.0.0/10, MSFT Public IP Address Block
+20.128.0.0/16, MSFT Public IP Address Block
+20.130.0.0/16, MSFT Public IP Address Block
+20.135.0.0/16, MSFT Public IP Address Block
+20.136.0.0/16, MSFT Public IP Address Block
+20.140.0.0/15, MSFT Public IP Address Block
+20.143.0.0/16, MSFT Public IP Address Block
+20.144.0.0/14, MSFT Public IP Address Block
+20.150.0.0/15, MSFT Public IP Address Block
+20.152.0.0/16, MSFT Public IP Address Block
+20.153.0.0/16, MSFT Public IP Address Block
+20.157.0.0/16, MSFT Public IP Address Block
+20.158.0.0/15, MSFT Public IP Address Block
+20.160.0.0/12, MSFT Public IP Address Block
+20.176.0.0/14, MSFT Public IP Address Block
+20.180.0.0/14, MSFT Public IP Address Block
+20.184.0.0/13, MSFT Public IP Address Block
+20.192.0.0/10, MSFT Public IP Address Block
+23.96.0.0/13, MSFT Public IP Address Block
+40.17.0.0/16, MSFT Public IP Address Block
+40.21.0.0/16, MSFT Public IP Address Block
+40.25.0.0/16, MSFT Public IP Address Block
+40.33.0.0/16, MSFT Public IP Address Block
+40.34.0.0/16, MSFT Public IP Address Block
+40.47.0.0/16, MSFT Public IP Address Block
+40.64.0.0/10, MSFT Public IP Address Block
+40.146.0.0/16, MSFT Public IP Address Block
+40.148.0.0/16, MSFT Public IP Address Block
+40.155.0.0/16, MSFT Public IP Address Block
+40.159.0.0/16, MSFT Public IP Address Block
+40.162.0.0/16, MSFT Public IP Address Block
+40.169.0.0/16, MSFT Public IP Address Block
+40.170.0.0/16, MSFT Public IP Address Block
+40.171.0.0/16, MSFT Public IP Address Block
+40.212.0.0/16, MSFT Public IP Address Block
+40.218.0.0/16, MSFT Public IP Address Block
+40.249.0.0/16, MSFT Public IP Address Block
+40.253.0.0/16, MSFT Public IP Address Block
+42.159.0.0/16, MSFT Public IP Address Block
+42.159.128.3/32, MSFT Public IP Address Block
+42.159.128.4/32, MSFT Public IP Address Block
+48.192.0.0/12, MSFT Public IP Address Block
+48.208.0.0/13, MSFT Public IP Address Block
+48.216.0.0/14, MSFT Public IP Address Block
+48.220.0.0/15, MSFT Public IP Address Block
+48.222.0.0/15, MSFT Public IP Address Block
+48.224.0.0/11, MSFT Public IP Address Block
+50.20.0.0/18, MSFT Public IP Address Block
+50.20.64.0/19, MSFT Public IP Address Block
+50.20.128.0/18, MSFT Public IP Address Block
+50.21.32.0/19, MSFT Public IP Address Block
+50.85.0.0/16, MSFT Public IP Address Block
+51.1.0.0/16, MSFT Public IP Address Block
+51.4.0.0/15, MSFT Public IP Address Block
+51.8.0.0/16, MSFT Public IP Address Block
+51.10.0.0/15, MSFT Public IP Address Block
+51.12.0.0/15, MSFT Public IP Address Block
+51.18.0.0/16, MSFT Public IP Address Block
+51.42.0.0/16, MSFT Public IP Address Block
+51.51.0.0/16, MSFT Public IP Address Block
+51.53.0.0/16, MSFT Public IP Address Block
+51.54.0.0/15, MSFT Public IP Address Block
+51.56.0.0/14, MSFT Public IP Address Block
+51.103.0.0/16, MSFT Public IP Address Block
+51.104.0.0/15, MSFT Public IP Address Block
+51.107.0.0/16, MSFT Public IP Address Block
+51.109.0.0/16, MSFT Public IP Address Block
+51.111.0.0/16, MSFT Public IP Address Block
+51.116.0.0/16, MSFT Public IP Address Block
+51.120.0.0/16, MSFT Public IP Address Block
+51.124.0.0/16, MSFT Public IP Address Block
+51.126.0.0/16, MSFT Public IP Address Block
+51.132.0.0/16, MSFT Public IP Address Block
+51.136.0.0/15, MSFT Public IP Address Block
+51.138.0.0/16, MSFT Public IP Address Block
+51.140.0.0/14, MSFT Public IP Address Block
+51.144.0.0/15, MSFT Public IP Address Block
+52.96.0.0/12, MSFT Public IP Address Block
+52.112.0.0/14, MSFT Public IP Address Block
+52.120.0.0/14, MSFT Public IP Address Block
+52.125.0.0/16, MSFT Public IP Address Block
+52.126.0.0/15, MSFT Public IP Address Block
+52.130.0.0/15, MSFT Public IP Address Block
+52.132.0.0/14, MSFT Public IP Address Block
+52.136.0.0/13, MSFT Public IP Address Block
+52.145.0.0/16, MSFT Public IP Address Block
+52.146.0.0/15, MSFT Public IP Address Block
+52.148.0.0/14, MSFT Public IP Address Block
+52.152.0.0/13, MSFT Public IP Address Block
+52.160.0.0/11, MSFT Public IP Address Block
+52.224.0.0/11, MSFT Public IP Address Block
+54.15.0.0/16, MSFT Public IP Address Block
+54.18.0.0/16, MSFT Public IP Address Block
+54.27.0.0/16, MSFT Public IP Address Block
+54.29.0.0/16, MSFT Public IP Address Block
+54.104.0.0/16, MSFT Public IP Address Block
+54.119.0.0/16, MSFT Public IP Address Block
+54.133.0.0/16, MSFT Public IP Address Block
+54.135.0.0/16, MSFT Public IP Address Block
+54.139.0.0/16, MSFT Public IP Address Block
+57.150.0.0/15, MSFT Public IP Address Block
+57.152.0.0/14, MSFT Public IP Address Block
+57.156.0.0/14, MSFT Public IP Address Block
+57.160.0.0/12, MSFT Public IP Address Block
+62.10.0.0/15, MSFT Public IP Address Block
+64.4.0.0/18, MSFT Public IP Address Block
+64.207.0.0/18, MSFT Public IP Address Block
+64.236.0.0/16, MSFT Public IP Address Block
+64.238.96.0/19, MSFT Public IP Address Block
+65.52.0.0/14, MSFT Public IP Address Block
+66.119.144.0/20, MSFT Public IP Address Block
+66.180.96.0/19, MSFT Public IP Address Block
+68.18.0.0/15, MSFT Public IP Address Block
+68.154.0.0/15, MSFT Public IP Address Block
+68.210.0.0/15, MSFT Public IP Address Block
+68.218.0.0/15, MSFT Public IP Address Block
+68.220.0.0/15, MSFT Public IP Address Block
+69.15.0.0/16, MSFT Public IP Address Block
+69.198.0.0/15, MSFT Public IP Address Block
+70.37.0.0/17, MSFT Public IP Address Block
+70.37.128.0/18, MSFT Public IP Address Block
+70.152.0.0/15, MSFT Public IP Address Block
+70.156.0.0/15, MSFT Public IP Address Block
+72.16.128.0/17, MSFT Public IP Address Block
+72.54.0.0/16, MSFT Public IP Address Block
+72.144.0.0/14, MSFT Public IP Address Block
+72.152.0.0/14, MSFT Public IP Address Block
+74.7.0.0/16, MSFT Public IP Address Block
+74.144.0.0/12, MSFT Public IP Address Block
+74.160.0.0/14, MSFT Public IP Address Block
+74.176.0.0/14, MSFT Public IP Address Block
+74.224.0.0/14, MSFT Public IP Address Block
+74.234.0.0/15, MSFT Public IP Address Block
+74.240.0.0/14, MSFT Public IP Address Block
+74.248.0.0/15, MSFT Public IP Address Block
+82.87.0.0/16, MSFT Public IP Address Block
+82.171.0.0/16, MSFT Public IP Address Block
+84.81.0.0/16, MSFT Public IP Address Block
+84.222.0.0/16, MSFT Public IP Address Block
+84.223.0.0/16, MSFT Public IP Address Block
+85.210.0.0/15, MSFT Public IP Address Block
+85.212.0.0/16, MSFT Public IP Address Block
+86.91.0.0/16, MSFT Public IP Address Block
+91.190.216.0/21, MSFT Public IP Address Block
+94.245.64.0/18, MSFT Public IP Address Block
+98.64.0.0/14, MSFT Public IP Address Block
+98.70.0.0/15, MSFT Public IP Address Block
+102.37.0.0/16, MSFT Public IP Address Block
+102.133.0.0/16, MSFT Public IP Address Block
+103.9.8.0/22, MSFT Public IP Address Block
+103.25.156.0/24, MSFT Public IP Address Block
+103.25.157.0/24, MSFT Public IP Address Block
+103.25.158.0/23, MSFT Public IP Address Block
+103.36.96.0/22, MSFT Public IP Address Block
+103.255.140.0/22, MSFT Public IP Address Block
+104.40.0.0/13, MSFT Public IP Address Block
+104.146.0.0/15, MSFT Public IP Address Block
+104.208.0.0/13, MSFT Public IP Address Block
+108.140.0.0/14, MSFT Public IP Address Block
+109.246.0.0/16, MSFT Public IP Address Block
+111.221.16.0/20, MSFT Public IP Address Block
+111.221.64.0/18, MSFT Public IP Address Block
+122.149.0.0/16, MSFT Public IP Address Block
+124.252.0.0/16, MSFT Public IP Address Block
+128.24.0.0/16, MSFT Public IP Address Block
+128.85.0.0/16, MSFT Public IP Address Block
+128.94.0.0/16, MSFT Public IP Address Block
+128.203.0.0/16, MSFT Public IP Address Block
+128.251.0.0/16, MSFT Public IP Address Block
+129.75.0.0/16, MSFT Public IP Address Block
+129.135.0.0/16, MSFT Public IP Address Block
+130.33.0.0/16, MSFT Public IP Address Block
+130.107.0.0/16, MSFT Public IP Address Block
+130.131.0.0/16, MSFT Public IP Address Block
+130.213.0.0/16, MSFT Public IP Address Block
+131.107.0.0/16, MSFT Public IP Address Block
+131.145.0.0/16, MSFT Public IP Address Block
+131.163.0.0/16, MSFT Public IP Address Block
+131.189.0.0/16, MSFT Public IP Address Block
+131.253.1.0/24, MSFT Public IP Address Block
+131.253.3.0/24, MSFT Public IP Address Block
+131.253.5.0/24, MSFT Public IP Address Block
+131.253.6.0/24, MSFT Public IP Address Block
+131.253.8.0/24, MSFT Public IP Address Block
+131.253.12.0/22, MSFT Public IP Address Block
+131.253.16.0/23, MSFT Public IP Address Block
+131.253.18.0/24, MSFT Public IP Address Block
+131.253.21.0/24, MSFT Public IP Address Block
+131.253.22.0/23, MSFT Public IP Address Block
+131.253.24.0/21, MSFT Public IP Address Block
+131.253.32.0/20, MSFT Public IP Address Block
+131.253.61.0/24, MSFT Public IP Address Block
+131.253.62.0/23, MSFT Public IP Address Block
+131.253.64.0/18, MSFT Public IP Address Block
+131.253.128.0/17, MSFT Public IP Address Block
+132.164.0.0/16, MSFT Public IP Address Block
+132.196.0.0/16, MSFT Public IP Address Block
+132.220.0.0/16, MSFT Public IP Address Block
+132.245.0.0/16, MSFT Public IP Address Block
+134.33.0.0/16, MSFT Public IP Address Block
+134.112.0.0/16, MSFT Public IP Address Block
+134.138.0.0/16, MSFT Public IP Address Block
+134.149.0.0/16, MSFT Public IP Address Block
+134.170.0.0/16, MSFT Public IP Address Block
+134.177.0.0/16, MSFT Public IP Address Block
+135.3.0.0/16, MSFT Public IP Address Block
+135.4.0.0/16, MSFT Public IP Address Block
+135.5.0.0/16, MSFT Public IP Address Block
+135.6.0.0/16, MSFT Public IP Address Block
+135.7.0.0/16, MSFT Public IP Address Block
+135.13.0.0/16, MSFT Public IP Address Block
+135.18.0.0/16, MSFT Public IP Address Block
+135.85.0.0/16, MSFT Public IP Address Block
+135.86.0.0/16, MSFT Public IP Address Block
+135.88.0.0/16, MSFT Public IP Address Block
+135.93.0.0/16, MSFT Public IP Address Block
+135.111.0.0/16, MSFT Public IP Address Block
+135.112.0.0/16, MSFT Public IP Address Block
+135.114.0.0/16, MSFT Public IP Address Block
+135.115.0.0/16, MSFT Public IP Address Block
+135.116.0.0/16, MSFT Public IP Address Block
+135.117.0.0/16, MSFT Public IP Address Block
+135.118.0.0/16, MSFT Public IP Address Block
+135.119.0.0/16, MSFT Public IP Address Block
+135.120.0.0/16, MSFT Public IP Address Block
+135.130.0.0/16, MSFT Public IP Address Block
+135.149.0.0/16, MSFT Public IP Address Block
+135.171.0.0/16, MSFT Public IP Address Block
+135.183.0.0/16, MSFT Public IP Address Block
+135.185.0.0/16, MSFT Public IP Address Block
+135.220.0.0/16, MSFT Public IP Address Block
+135.221.0.0/16, MSFT Public IP Address Block
+135.222.0.0/16, MSFT Public IP Address Block
+135.224.0.0/15, MSFT Public IP Address Block
+135.226.0.0/16, MSFT Public IP Address Block
+135.227.0.0/16, MSFT Public IP Address Block
+135.228.0.0/16, MSFT Public IP Address Block
+135.229.0.0/16, MSFT Public IP Address Block
+135.230.0.0/16, MSFT Public IP Address Block
+135.231.0.0/16, MSFT Public IP Address Block
+135.232.0.0/14, MSFT Public IP Address Block
+135.236.0.0/15, MSFT Public IP Address Block
+135.239.0.0/16, MSFT Public IP Address Block
+135.240.0.0/16, MSFT Public IP Address Block
+135.241.0.0/16, MSFT Public IP Address Block
+135.243.0.0/16, MSFT Public IP Address Block
+135.244.0.0/16, MSFT Public IP Address Block
+135.246.0.0/16, MSFT Public IP Address Block
+135.247.0.0/16, MSFT Public IP Address Block
+135.248.0.0/16, MSFT Public IP Address Block
+135.253.0.0/16, MSFT Public IP Address Block
+135.254.0.0/16, MSFT Public IP Address Block
+135.255.0.0/16, MSFT Public IP Address Block
+137.116.0.0/15, MSFT Public IP Address Block
+137.135.0.0/16, MSFT Public IP Address Block
+137.162.0.0/16, MSFT Public IP Address Block
+138.91.0.0/16, MSFT Public IP Address Block
+138.105.0.0/16, MSFT Public IP Address Block
+138.196.0.0/16, MSFT Public IP Address Block
+138.203.0.0/16, MSFT Public IP Address Block
+138.213.0.0/16, MSFT Public IP Address Block
+138.239.0.0/16, MSFT Public IP Address Block
+138.242.0.0/16, MSFT Public IP Address Block
+139.188.0.0/16, MSFT Public IP Address Block
+139.217.0.0/16, MSFT Public IP Address Block
+139.219.0.0/16, MSFT Public IP Address Block
+141.251.0.0/16, MSFT Public IP Address Block
+143.64.0.0/16, MSFT Public IP Address Block
+143.209.0.0/16, MSFT Public IP Address Block
+143.226.0.0/16, MSFT Public IP Address Block
+143.241.0.0/16, MSFT Public IP Address Block
+145.129.0.0/16, MSFT Public IP Address Block
+145.130.0.0/16, MSFT Public IP Address Block
+145.132.0.0/15, MSFT Public IP Address Block
+145.176.0.0/13, MSFT Public IP Address Block
+145.184.0.0/14, MSFT Public IP Address Block
+145.188.0.0/15, MSFT Public IP Address Block
+145.190.0.0/15, MSFT Public IP Address Block
+146.147.0.0/16, MSFT Public IP Address Block
+147.145.0.0/16, MSFT Public IP Address Block
+147.214.0.0/16, MSFT Public IP Address Block
+147.243.0.0/16, MSFT Public IP Address Block
+148.7.0.0/16, MSFT Public IP Address Block
+148.53.0.0/16, MSFT Public IP Address Block
+149.1.0.0/16, MSFT Public IP Address Block
+149.175.0.0/16, MSFT Public IP Address Block
+149.198.0.0/16, MSFT Public IP Address Block
+149.204.0.0/16, MSFT Public IP Address Block
+150.171.0.0/16, MSFT Public IP Address Block
+150.206.0.0/16, MSFT Public IP Address Block
+150.212.0.0/16, MSFT Public IP Address Block
+150.242.48.0/22, MSFT Public IP Address Block
+151.98.0.0/16, MSFT Public IP Address Block
+151.129.0.0/16, MSFT Public IP Address Block
+151.206.0.0/16, MSFT Public IP Address Block
+152.138.0.0/16, MSFT Public IP Address Block
+155.62.0.0/16, MSFT Public IP Address Block
+156.23.0.0/16, MSFT Public IP Address Block
+157.31.0.0/16, MSFT Public IP Address Block
+157.54.0.0/15, MSFT Public IP Address Block
+157.56.0.0/14, MSFT Public IP Address Block
+157.60.0.0/16, MSFT Public IP Address Block
+157.81.0.0/16, MSFT Public IP Address Block
+157.95.0.0/16, MSFT Public IP Address Block
+157.172.0.0/16, MSFT Public IP Address Block
+157.176.0.0/16, MSFT Public IP Address Block
+157.252.0.0/16, MSFT Public IP Address Block
+158.23.0.0/16, MSFT Public IP Address Block
+158.24.0.0/16, MSFT Public IP Address Block
+158.53.0.0/16, MSFT Public IP Address Block
+158.158.0.0/16, MSFT Public IP Address Block
+159.27.0.0/16, MSFT Public IP Address Block
+159.128.0.0/16, MSFT Public IP Address Block
+160.4.0.0/16, MSFT Public IP Address Block
+160.207.0.0/16, MSFT Public IP Address Block
+160.234.0.0/16, MSFT Public IP Address Block
+161.66.0.0/16, MSFT Public IP Address Block
+161.157.0.0/16, MSFT Public IP Address Block
+161.220.0.0/16, MSFT Public IP Address Block
+163.57.0.0/16, MSFT Public IP Address Block
+163.228.0.0/16, MSFT Public IP Address Block
+165.15.0.0/16, MSFT Public IP Address Block
+165.17.0.0/16, MSFT Public IP Address Block
+167.105.0.0/16, MSFT Public IP Address Block
+167.162.0.0/16, MSFT Public IP Address Block
+167.186.0.0/16, MSFT Public IP Address Block
+167.220.0.0/16, MSFT Public IP Address Block
+167.231.0.0/16, MSFT Public IP Address Block
+168.61.0.0/16, MSFT Public IP Address Block
+168.62.0.0/15, MSFT Public IP Address Block
+169.138.0.0/16, MSFT Public IP Address Block
+170.165.0.0/16, MSFT Public IP Address Block
+172.128.0.0/11, MSFT Public IP Address Block
+172.160.0.0/11, MSFT Public IP Address Block
+172.192.0.0/13, MSFT Public IP Address Block
+172.200.0.0/13, MSFT Public IP Address Block
+172.208.0.0/13, MSFT Public IP Address Block
+173.200.0.0/16, MSFT Public IP Address Block
+191.232.0.0/13, MSFT Public IP Address Block
+192.32.0.0/16, MSFT Public IP Address Block
+192.48.225.0/24, MSFT Public IP Address Block
+192.84.159.0/24, MSFT Public IP Address Block
+192.84.160.0/23, MSFT Public IP Address Block
+192.146.133.0/24, MSFT Public IP Address Block
+192.153.251.0/24, MSFT Public IP Address Block
+192.197.157.0/24, MSFT Public IP Address Block
+192.237.67.0/24, MSFT Public IP Address Block
+193.149.64.0/19, MSFT Public IP Address Block
+193.221.113.0/24, MSFT Public IP Address Block
+194.69.96.0/19, MSFT Public IP Address Block
+194.110.197.0/24, MSFT Public IP Address Block
+194.238.128.0/17, MSFT Public IP Address Block
+195.134.224.0/19, MSFT Public IP Address Block
+198.105.232.0/22, MSFT Public IP Address Block
+198.137.97.0/24, MSFT Public IP Address Block
+198.200.130.0/24, MSFT Public IP Address Block
+198.206.164.0/24, MSFT Public IP Address Block
+199.30.16.0/20, MSFT Public IP Address Block
+199.50.0.0/16, MSFT Public IP Address Block
+199.60.28.0/24, MSFT Public IP Address Block
+199.74.210.0/24, MSFT Public IP Address Block
+199.103.90.0/23, MSFT Public IP Address Block
+199.103.122.0/24, MSFT Public IP Address Block
+199.118.0.0/16, MSFT Public IP Address Block
+199.242.32.0/20, MSFT Public IP Address Block
+199.242.48.0/21, MSFT Public IP Address Block
+202.89.224.0/20, MSFT Public IP Address Block
+204.13.120.0/21, MSFT Public IP Address Block
+204.14.180.0/22, MSFT Public IP Address Block
+204.79.135.0/24, MSFT Public IP Address Block
+204.79.179.0/24, MSFT Public IP Address Block
+204.79.181.0/24, MSFT Public IP Address Block
+204.79.188.0/24, MSFT Public IP Address Block
+204.79.195.0/24, MSFT Public IP Address Block
+204.79.196.0/23, MSFT Public IP Address Block
+204.79.252.0/24, MSFT Public IP Address Block
+204.152.18.0/23, MSFT Public IP Address Block
+204.152.140.0/23, MSFT Public IP Address Block
+204.231.192.0/24, MSFT Public IP Address Block
+204.231.194.0/23, MSFT Public IP Address Block
+204.231.197.0/24, MSFT Public IP Address Block
+204.231.198.0/23, MSFT Public IP Address Block
+204.231.200.0/21, MSFT Public IP Address Block
+204.231.208.0/20, MSFT Public IP Address Block
+204.231.236.0/24, MSFT Public IP Address Block
+205.174.224.0/20, MSFT Public IP Address Block
+206.138.168.0/21, MSFT Public IP Address Block
+206.191.224.0/19, MSFT Public IP Address Block
+207.46.0.0/16, MSFT Public IP Address Block
+207.68.128.0/18, MSFT Public IP Address Block
+207.103.0.0/16, MSFT Public IP Address Block
+208.68.136.0/21, MSFT Public IP Address Block
+208.76.44.0/22, MSFT Public IP Address Block
+208.84.0.0/21, MSFT Public IP Address Block
+209.199.0.0/16, MSFT Public IP Address Block
+209.240.192.0/19, MSFT Public IP Address Block
+212.132.0.0/19, MSFT Public IP Address Block
+212.173.0.0/17, MSFT Public IP Address Block
+212.207.0.0/16, MSFT Public IP Address Block
+213.54.0.0/16, MSFT Public IP Address Block
+213.199.128.0/18, MSFT Public IP Address Block
+216.32.180.0/22, MSFT Public IP Address Block
+216.220.208.0/20, MSFT Public IP Address Block
+217.176.0.0/16, MSFT Public IP Address Block
+217.177.96.0/19, MSFT Public IP Address Block
+2001:67c:1020::/48, MSFT Public IP Address Block
+2001:df0:7::/48, MSFT Public IP Address Block
+2001:df0:d7::/48, MSFT Public IP Address Block
+2001:df0:d8::/48, MSFT Public IP Address Block
+2001:df0:d9::/48, MSFT Public IP Address Block
+2001:4898::/32, MSFT Public IP Address Block
+2001:489a:2000::/35, MSFT Public IP Address Block
+2404:f801::/32, MSFT Public IP Address Block
+2602:fd5e::/36, MSFT Public IP Address Block
+2603:1000::/24, MSFT Public IP Address Block
+2620:0:30::/45, MSFT Public IP Address Block
+2620:1ec::/36, MSFT Public IP Address Block
+2801:80:1d0::/48, MSFT Public IP Address Block
+2a01:110::/32, MSFT Public IP Address Block
+2a01:111::/32, MSFT Public IP Address Block
+2a01:4180::/32, MSFT Public IP Address Block
diff --git a/modules/signatures/all/network_cnc_generic.py b/modules/signatures/all/network_cnc_generic.py
index 71cd237e..841dacca 100644
--- a/modules/signatures/all/network_cnc_generic.py
+++ b/modules/signatures/all/network_cnc_generic.py
@@ -1,5 +1,5 @@
# Copyright (C) 2018 Kevin Ross
-#
+# Copyright (C) 2024 Wassime BATTA
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@@ -13,8 +13,38 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+
+import os
+import logging
+import ipaddress
+import csv
+
+from lib.cuckoo.common.constants import CUCKOO_ROOT
from lib.cuckoo.common.abstracts import Signature
+log = logging.getLogger()
+
+ip_ranges = []
+HAVE_MSFT_PUB_IPS = False
+msf_public_ips_list = os.path.join(CUCKOO_ROOT, "extra", "msft-public-ips.csv")
+if os.path.exists(msf_public_ips_list):
+ with open(msf_public_ips_list, 'r') as file:
+ reader = csv.DictReader(file)
+ for row in reader:
+ ip_ranges.append(row['Prefix'])
+ HAVE_MSFT_PUB_IPS = True
+else:
+ log.debug("Missed file extra/msft-public-ips.csv. Get a fresh copy from https://www.microsoft.com/en-us/download/details.aspx?id=53602")
+
+
+def check_ip_in_ranges(ip_address):
+ ip = ipaddress.ip_address(ip_address)
+ for ip_range in ip_ranges:
+ network = ipaddress.ip_network(ip_range)
+ if ip in network:
+ return True
+ return False
+
class NetworkCountryDistribution(Signature):
name = "network_country_distribution"
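Review bot: `check_ip_in_ranges` re-parses every CSV prefix with `ipaddress.ip_network` on each call, and a `ValueError` from a malformed address or prefix escapes into the calling signature. Parsing the prefixes once at load time and treating an unparseable address as not allow-listed avoids both problems. Stripping the `Prefix` field is cheap insurance, since the `Type` column in the shipped CSV already carries a leading space. `logging.getLogger()` returns the root logger, so `log = logging.getLogger(__name__)` would keep the missing-file message attributable to this module.

```python
ip_ranges = []
HAVE_MSFT_PUB_IPS = False
msf_public_ips_list = os.path.join(CUCKOO_ROOT, "extra", "msft-public-ips.csv")
if os.path.exists(msf_public_ips_list):
    with open(msf_public_ips_list, "r") as file:
        for row in csv.DictReader(file):
            try:
                # Parse once here so lookups do not rebuild network objects per host.
                ip_ranges.append(ipaddress.ip_network(row["Prefix"].strip()))
            except ValueError:
                log.warning("Skipping invalid prefix %r in %s", row["Prefix"], msf_public_ips_list)
    HAVE_MSFT_PUB_IPS = bool(ip_ranges)
# … unchanged: else branch logging the missing file …


def check_ip_in_ranges(ip_address):
    try:
        ip = ipaddress.ip_address(ip_address)
    except ValueError:
        # Not a parseable address: do not treat it as allow-listed.
        return False
    return any(ip in network for network in ip_ranges)
```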
@@ -30,11 +60,10 @@ class NetworkCountryDistribution(Signature):
def run(self):
countries = []
- if "network" in self.results and "hosts" in self.results["network"]:
- for host in self.results["network"]["hosts"]:
- country = host["country_name"]
- if country and country not in countries:
- countries.append(country)
+ for host in self.results.get("network", {}).get("hosts", []):
+ country = host["country_name"]
+ if country and country not in countries:
+ countries.append(country)
if len(countries) > 5:
for uniq in countries:
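Review bot: `host["country_name"]` is still indexed directly, so the `.get()` chain protects against a missing `network` or `hosts` key but not against a host entry without `country_name`. If such entries can occur (not visible from this hunk), `country = host.get("country_name")` keeps the hardening consistent. The body of `run` continues outside the hunk.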
@@ -48,24 +77,27 @@ def run(self):
class NetworkMultipleDirectIPConnections(Signature):
name = "network_multiple_direct_ip_connections"
- description = "Multiple direct IP connections"
+ description = "Muliple direct IP connections"
severity = 2
confidence = 30
categories = ["network", "c2"]
- authors = ["Kevin Ross"]
+ authors = ["Kevin Ross","Wassime BATTA"]
minimum = "1.3"
+ enabled = False
filter_analysistypes = set(["file"])
def run(self):
+ if not HAVE_MSFT_PUB_IPS or not ip_ranges:
+ return False
+
count = 0
ips = []
- if "network" in self.results and "hosts" in self.results["network"]:
- for host in self.results["network"]["hosts"]:
- ip = host["ip"]
- hostname = host["hostname"]
- if ip not in ips and not hostname and not ip.startswith(("10.", "172.16.", "192.168.")):
- ips.append(ip)
+ for host in self.results.ge("network", {}).get("hosts", []):
+ if host["ip"] not in ips and not host["hostname"] and not host["ip"].startswith(("10.", "172.16.", "192.168.")):
+ # Verify whether they are not part of the MICROSOFT-CORP-MSN-AS-BLOCK.
+ if not check_ip_in_ranges(host["ip"]):
+ ips.append(host["ip"])
count += 1
if count > 5:
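Review bot: `self.results.ge("network", {})` in the new loop is a typo for `.get` and raises `AttributeError` as soon as the signature runs; the line should read `for host in self.results.get("network", {}).get("hosts", []):`. The description string also changed from "Multiple" to "Muliple". The early `return False` when the CSV is absent or empty turns a missing optional data file into a signature that never fires, so falling back to the previous check without the allow-list would preserve detection. The allow-list covers Microsoft's public address space, which appears to include cloud-hosted ranges (confirm against the source download), so direct-IP traffic to hosts in those ranges is silently dropped from the count; recording such matches in `self.data` would keep them visible to an analyst. `run` continues past the end of the hunk.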
diff --git a/modules/signatures/all/pdf_annot_urls.py b/modules/signatures/all/pdf_annot_urls.py
index 716205dd..200862dc 100644
--- a/modules/signatures/all/pdf_annot_urls.py
+++ b/modules/signatures/all/pdf_annot_urls.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
+# Copyright (C) 2024 Wassime BATTA
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
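Review bot: The 2015 Optiv copyright line is replaced here rather than kept alongside the new one, unlike the `network_cnc_generic.py` header in this same diff, which adds a line and keeps the original. If any of the original code remains in the file, keep the existing notice and add `# Copyright (C) 2024 Wassime BATTA` below it.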
@@ -13,9 +13,28 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-import os.path
+import os
+from urllib.parse import urlparse, parse_qs
from lib.cuckoo.common.abstracts import Signature
+from lib.cuckoo.common.constants import CUCKOO_ROOT
+
+
+def extract_domains(url):
+ domains = set()
+ try:
+ parsed_url = urlparse(url)
+ if parsed_url.netloc:
+ domains.add(parsed_url.netloc)
+ query_params = parse_qs(parsed_url.query)
+ for param_values in query_params.values():
+ for value in param_values:
+ param_url = urlparse(value)
+ if param_url.netloc:
+ domains.add(param_url.netloc)
+ except Exception as e:
+ print("extract_domains, %s", str(e))
+ return domains
class PDF_Annot_URLs_Checker(Signature):
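Review bot: `extract_domains` collects `netloc`, which keeps any `user:pass@` prefix and `:port` suffix, so a link such as `https://a.example@b.example:8080/` (constructed sample) yields a string that is not a hostname and will not match in a later blacklist lookup. `parsed_url.hostname` and `param_url.hostname` return the bare lower-cased host instead. The call `print("extract_domains, %s", str(e))` prints the literal `%s` rather than formatting it; a module logger call such as `log.warning("extract_domains: %s", e)` would record the failure properly, which needs a logger added to this file. `except Exception` could be narrowed to `except ValueError` if that is the only failure expected from `urlparse`.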
@@ -25,72 +44,81 @@ class PDF_Annot_URLs_Checker(Signature):
categories = ["static"]
authors = ["Wassime BATTA"]
minimum = "0.5"
+ enaled = False
- filter_analysistypes = set(["file", "static"])
+ filter_analysistypes = set(["file","static"])
malicious_tlds_files = (
- "/opt/CAPEv2/custom/data/malicioustlds.txt",
- "/opt/CAPEv2/data/malicioustlds.txt",
+ "custom/data/malicioustlds.txt",
+ "data/malicioustlds.txt",
)
def __init__(self, *args, **kwargs):
super(PDF_Annot_URLs_Checker, self).__init__(*args, **kwargs)
- self.malicious_tlds = self.load_malicious_tlds()
+ self.malicious_tlds = set()
+ if os.path.exists(self.malicious_tlds_file):
+ self.malicious_tlds = self.load_malicious_tlds()
def load_malicious_tlds(self):
malicious_tlds = set()
+ malicious_tlds_file = False
for malicious_tlds_file in self.malicious_tlds_files:
- if os.path.exists(malicious_tlds_file):
+ path = os.path.join(CUCKOO_ROOT, malicious_tlds_file)
+ if os.path.exists(path):
+ malicious_tlds_file = path
break
- else:
- raise FileNotFoundError(malicious_tlds_file)
- with open(malicious_tlds_file, "r") as f:
- for line in f:
- line = line.strip()
- if line.startswith("."):
- malicious_tlds.add(line)
+ if not malicious_tlds_file:
+ with open(malicious_tlds_file, "r") as f:
+ for line in f:
+ line = line.strip()
+ if line.startswith("."):
+ malicious_tlds.add(line)
return malicious_tlds
def run(self):
found_malicious_extension = False
found_malicious_domain = False
found_domain_only = False
+ found_blacklist_ip = False
suspect = False
- if "PDF" in self.results["target"]["file"].get("type", ""):
- if "Annot_URLs" in self.results["target"]["file"]["pdf"]:
- for entry in self.results["target"]["file"]["pdf"]["Annot_URLs"]:
- entry_lower = entry.lower()
- self.data.append({"url": entry})
- if entry_lower.endswith(
- (".exe", ".php", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".psm1", ".sh")
- ) and not entry_lower.startswith("mailto:"):
- found_malicious_extension = True
-
- if entry_lower.startswith("http://") or entry_lower.startswith("https://"):
- domain_start = entry_lower.find("//") + 2
- domain_end = entry_lower.find("/", domain_start)
- if domain_end == -1:
- domain = entry_lower[domain_start:]
- else:
- domain = entry_lower[domain_start:domain_end]
-
- for malicious_tld in self.malicious_tlds:
- if domain.endswith(malicious_tld):
- found_malicious_domain = True
- break
- else:
- # If no malicious TLDs detected, set found_domain_only to True
- found_domain_only = True
-
- if found_malicious_domain or found_malicious_extension:
- self.severity = 6
- self.description = "The PDF contains a Malicious Link Annotation"
- suspect = True
- elif found_domain_only:
- self.severity = 2
- self.description = "The PDF contains a Link Annotation"
- suspect = True
-
+ if "PDF" in self.results.get("target", {}).get("file", {}).get("type"):
+ for entry in self.results.get("target").get("file", {}).get("pdf", {}).get("Annot_URLs", []):
+ entry_lower = entry.lower()
+ self.data.append({"url": entry})
+ if entry_lower.endswith((".exe", ".zip", ".rar", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".psm1", ".sh")) \
+ and not entry_lower.startswith("mailto:"):
+ found_malicious_extension = True
+ if entry_lower.startswith(("http://", "https://")):
+ domain_start = entry_lower.find("//") + 2
+ domain_end = entry_lower.find("/", domain_start)
+ if domain_end == -1:
+ domain = entry_lower[domain_start:]
+ else:
+ domain = entry_lower[domain_start:domain_end]
+ for malicious_tld in self.malicious_tlds:
+ if domain.endswith(malicious_tld):
+ found_malicious_domain = True
+ break
+ else:
+ # If no malicious TLDs detected, set found_domain_only to True
+ targets = extract_domains(entry_lower)
+ for target in targets:
+ blacklisted_server, server = self.check_dnsbbl(target)
+ if blacklisted_server:
+ found_blacklist_ip = True
+ self.data.append({"blacklisted": f"The domain or IP address {target} is blacklisted on the following server: {server} "})
+ #break # Stop checking once blacklisted IP is found
+ #print ( blacklisted_server)
+ #else:
+ # print(f"The domain or IP address {target} is not blacklisted.")
+ if found_malicious_domain or found_malicious_extension or found_blacklist_ip :
+ self.severity = 6
+ self.description = "The PDF contains a Malicious Link Annotation"
+ suspect = True
+ elif found_domain_only:
+ self.severity = 2
+ self.description = "The PDF contains a Link Annotation"
+ suspect = True
return suspect