Sources that always work (botvrij, disconnect, oisd, openphish, phishtank, quad9) drop their user-facing enable_* option; the rule's enabled/disabled state is now solely controlled by the SDK rule toggle. Sources that require credentials (criminalip, malwarebazaar, otx, pulsedive, safebrowsing, threatfox, urlhaus, virustotal) instead implement the new SourcePrecheck interface so the host UI can surface "not configured" before attempting a query.
Each registered Source now becomes its own CheckRule (name = source ID)
implementing CheckRuleWithOptions, so the host can toggle blacklists
individually and the per-source option fields show up under the rule
that owns them instead of one flat global option list.
Collect honours the host's per-rule enable map (via the SDK's
RuleEnabled context helper) and skips the network call for disabled
sources entirely, not just their evaluation.
Detects domains blocked by Quad9's threat intelligence by comparing
the secure resolver (9.9.9.9) against the unsecured peer (9.9.9.10).
No API key required; enabled by default via the enable_quad9 user option.
Implements the Criminal IP API (api.criminalip.io/v1/domain/report) as a
new blacklist source. Returns crit for High/Critical inbound or outbound
risk scores, warn for Moderate; Safe and Low scores are not flagged.
Downloads and caches the Disconnect.me services.json feed (24h TTL),
matching domains against the Advertising, Analytics, Social, Content,
and Disconnect categories. Severity is warn (privacy classification,
not malware). Reuses the shared feedCache infrastructure.
Downloads the Botvrij.eu public IOC domain list (no API key required),
caches it in-process with a 6h TTL, and flags any registered domain
that appears directly or as a parent of a feed entry.
Add two shared helpers to source.go and apply them across all sources:
- disabledResult(id, name) replaces the repeated inline SourceResult literal
- evidenceEval(r, severity) replaces the identical Evaluate body in 6 sources
ThreatFox queries the IOC database for domain indicators (C2 servers,
malware distribution, phishing); MalwareBazaar searches for malware
samples tagged with the domain. Both require a free abuse.ch Auth-Key.
Each source's Query() method previously set r.Listed and r.Severity,
embedding verdict logic inside the prober. Evaluation now lives in a
dedicated Evaluate(SourceResult) (bool, string) method per source,
keeping Query() as pure observation.
A package-level EvaluateResult() helper looks up the source by ID and
delegates to its Evaluate method; rules.go, report.go, types.go, and
provider.go all call this instead of reading pre-set r.Listed/r.Severity
values. An unknownSource sentinel handles results whose source is no
longer registered.
