2022-07-15 18:53:49 +02:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
|
|
|
|
import json
|
2022-07-18 13:08:26 +02:00
|
|
|
import logging
|
2022-07-15 18:53:49 +02:00
|
|
|
|
2022-07-18 13:08:26 +02:00
|
|
|
from datetime import date, datetime, timedelta
|
|
|
|
from typing import Any, Dict, Optional, Union
|
2022-07-15 18:53:49 +02:00
|
|
|
|
|
|
|
from har2tree import CrawledTree
|
2022-07-18 13:08:26 +02:00
|
|
|
from passivetotal import AccountClient, DnsRequest, WhoisRequest # type: ignore
|
|
|
|
from requests import Response
|
2022-07-15 18:53:49 +02:00
|
|
|
|
2022-07-18 13:08:26 +02:00
|
|
|
from ..default import ConfigError, get_homedir, get_config
|
|
|
|
from ..exceptions import ModuleError
|
2022-07-15 18:53:49 +02:00
|
|
|
from ..helpers import get_cache_directory
|
|
|
|
|
|
|
|
|
2022-07-18 13:08:26 +02:00
|
|
|
class RiskIQError(ModuleError):
|
|
|
|
|
|
|
|
def __init__(self, response: Response):
|
|
|
|
self.response = response
|
|
|
|
|
|
|
|
|
2022-07-15 18:53:49 +02:00
|
|
|
class RiskIQ():
|
|
|
|
|
|
|
|
def __init__(self, config: Dict[str, Any]):
|
|
|
|
if not (config.get('user') and config.get('apikey')):
|
|
|
|
self.available = False
|
|
|
|
return
|
|
|
|
|
2022-07-18 13:08:26 +02:00
|
|
|
self.logger = logging.getLogger(f'{self.__class__.__name__}')
|
|
|
|
self.logger.setLevel(get_config('generic', 'loglevel'))
|
|
|
|
|
2022-07-15 18:53:49 +02:00
|
|
|
self.available = True
|
|
|
|
self.allow_auto_trigger = False
|
2022-07-18 13:08:26 +02:00
|
|
|
|
|
|
|
try:
|
2022-07-22 14:29:19 +02:00
|
|
|
# Check if account is working
|
|
|
|
test_client = AccountClient(username=config.get('user'), api_key=config.get('apikey'), exception_class=RiskIQError)
|
2022-07-18 13:08:26 +02:00
|
|
|
details = test_client.get_account_details()
|
|
|
|
except RiskIQError as e:
|
2022-07-22 14:29:19 +02:00
|
|
|
self.available = False
|
|
|
|
if hasattr(e, 'response'):
|
|
|
|
details = e.response.json()
|
|
|
|
if 'message' in details:
|
|
|
|
self.logger.warning(f'RiskIQ not available, {details["message"]}')
|
|
|
|
self.logger.warning(f'RiskIQ not available: {e}')
|
|
|
|
return
|
2022-07-24 20:57:16 +02:00
|
|
|
except Exception as e:
|
|
|
|
self.available = False
|
|
|
|
self.logger.warning(f'RiskIQ not available: {e}')
|
|
|
|
return
|
2022-07-18 13:08:26 +02:00
|
|
|
|
|
|
|
self.client_dns = DnsRequest(username=config.get('user'), api_key=config.get('apikey'), exception_class=RiskIQError)
|
|
|
|
self.client_whois = WhoisRequest(username=config.get('user'), api_key=config.get('apikey'), exception_class=RiskIQError)
|
2022-07-15 18:53:49 +02:00
|
|
|
|
|
|
|
if config.get('allow_auto_trigger'):
|
|
|
|
self.allow_auto_trigger = True
|
|
|
|
|
2022-07-18 13:08:26 +02:00
|
|
|
self.default_first_seen = config.get('default_first_seen_in_days', 5)
|
|
|
|
|
2022-07-15 18:53:49 +02:00
|
|
|
self.storage_dir_riskiq = get_homedir() / 'riskiq'
|
|
|
|
self.storage_dir_riskiq.mkdir(parents=True, exist_ok=True)
|
|
|
|
|
2022-07-18 13:08:26 +02:00
|
|
|
def get_passivedns(self, query: str) -> Optional[Dict[str, Any]]:
|
2022-07-15 18:53:49 +02:00
|
|
|
# The query can be IP or Hostname. For now, we only do it on domains.
|
|
|
|
url_storage_dir = get_cache_directory(self.storage_dir_riskiq, query, 'pdns')
|
|
|
|
if not url_storage_dir.exists():
|
|
|
|
return None
|
|
|
|
cached_entries = sorted(url_storage_dir.glob('*'), reverse=True)
|
|
|
|
if not cached_entries:
|
|
|
|
return None
|
|
|
|
|
|
|
|
with cached_entries[0].open() as f:
|
|
|
|
return json.load(f)
|
|
|
|
|
|
|
|
def capture_default_trigger(self, crawled_tree: CrawledTree, /, *, force: bool=False, auto_trigger: bool=False) -> Dict:
|
|
|
|
'''Run the module on all the nodes up to the final redirect'''
|
|
|
|
if not self.available:
|
|
|
|
return {'error': 'Module not available'}
|
|
|
|
if auto_trigger and not self.allow_auto_trigger:
|
|
|
|
return {'error': 'Auto trigger not allowed on module'}
|
|
|
|
|
|
|
|
self.pdns_lookup(crawled_tree.root_hartree.rendered_node.hostname, force)
|
|
|
|
return {'success': 'Module triggered'}
|
|
|
|
|
2022-07-18 13:08:26 +02:00
|
|
|
def pdns_lookup(self, hostname: str, force: bool=False, first_seen: Optional[Union[date, datetime]]=None) -> None:
|
2022-07-15 18:53:49 +02:00
|
|
|
'''Lookup an hostname on RiskIQ Passive DNS
|
|
|
|
Note: force means re-fetch the entry RiskIQ even if we already did it today
|
|
|
|
'''
|
|
|
|
if not self.available:
|
|
|
|
raise ConfigError('RiskIQ not available, probably no API key')
|
|
|
|
|
2022-07-18 13:08:26 +02:00
|
|
|
if first_seen is None:
|
|
|
|
first_seen = date.today() - timedelta(days=self.default_first_seen)
|
|
|
|
if isinstance(first_seen, datetime):
|
|
|
|
first_seen = first_seen.date()
|
|
|
|
|
2022-07-15 18:53:49 +02:00
|
|
|
url_storage_dir = get_cache_directory(self.storage_dir_riskiq, hostname, 'pdns')
|
|
|
|
url_storage_dir.mkdir(parents=True, exist_ok=True)
|
|
|
|
riskiq_file = url_storage_dir / date.today().isoformat()
|
|
|
|
|
|
|
|
if not force and riskiq_file.exists():
|
|
|
|
return
|
|
|
|
|
2022-07-18 13:08:26 +02:00
|
|
|
pdns_info = self.client_dns.get_passive_dns(query=hostname, start=first_seen.isoformat())
|
2022-07-15 18:53:49 +02:00
|
|
|
if not pdns_info:
|
|
|
|
return
|
2022-07-18 13:08:26 +02:00
|
|
|
pdns_info['results'] = sorted(pdns_info['results'], key=lambda k: k['lastSeen'], reverse=True)
|
2022-07-15 18:53:49 +02:00
|
|
|
with riskiq_file.open('w') as _f:
|
|
|
|
json.dump(pdns_info, _f)
|