chg: [farsight_passivedns] More context added to the results
- References between the passive-dns objects and the initial attribute
- Comment on object attributes mentioning whether the results come from an rrset or an rdata lookup
composite_attributes_proposal
parent
f7b00deafc
commit
294ac9d01e
|
@ -35,6 +35,13 @@ class FarsightDnsdbParser():
|
||||||
'zone_time_first': {'type': 'datetime', 'object_relation': 'zone_time_first'},
|
'zone_time_first': {'type': 'datetime', 'object_relation': 'zone_time_first'},
|
||||||
'zone_time_last': {'type': 'datetime', 'object_relation': 'zone_time_last'}
|
'zone_time_last': {'type': 'datetime', 'object_relation': 'zone_time_last'}
|
||||||
}
|
}
|
||||||
|
self.type_to_feature = {
|
||||||
|
'domain': 'domain name',
|
||||||
|
'hostname': 'hostname',
|
||||||
|
'ip-src': 'IP address',
|
||||||
|
'ip-dst': 'IP address'
|
||||||
|
}
|
||||||
|
self.comment = 'Result from an %s lookup on DNSDB about the %s: %s'
|
||||||
|
|
||||||
def parse_passivedns_results(self, query_response):
|
def parse_passivedns_results(self, query_response):
|
||||||
default_fields = ('count', 'rrname', 'rrname')
|
default_fields = ('count', 'rrname', 'rrname')
|
||||||
|
@ -45,30 +52,30 @@ class FarsightDnsdbParser():
|
||||||
'zone_time_first',
|
'zone_time_first',
|
||||||
'zone_time_last'
|
'zone_time_last'
|
||||||
)
|
)
|
||||||
for result in query_response:
|
for query_type, results in query_response.items():
|
||||||
passivedns_object = MISPObject('passive-dns')
|
comment = self.comment % (query_type, self.type_to_feature[self.attribute['type']], self.attribute['value'])
|
||||||
for feature in default_fields:
|
for result in results:
|
||||||
passivedns_object.add_attribute(**self._parse_attribute(feature, result[feature]))
|
passivedns_object = MISPObject('passive-dns')
|
||||||
for feature in optional_fields:
|
for feature in default_fields:
|
||||||
if result.get(feature):
|
passivedns_object.add_attribute(**self._parse_attribute(comment, feature, result[feature]))
|
||||||
passivedns_object.add_attribute(**self._parse_attribute(
|
for feature in optional_fields:
|
||||||
feature,
|
if result.get(feature):
|
||||||
result[feature]
|
passivedns_object.add_attribute(**self._parse_attribute(comment, feature, result[feature]))
|
||||||
))
|
if isinstance(result['rdata'], list):
|
||||||
if isinstance(result['rdata'], list):
|
for rdata in result['rdata']:
|
||||||
for rdata in result['rdata']:
|
passivedns_object.add_attribute(**self._parse_attribute(comment, 'rdata', rdata))
|
||||||
passivedns_object.add_attribute(**self._parse_attribute('rdata', rdata))
|
else:
|
||||||
else:
|
passivedns_object.add_attribute(**self._parse_attribute(comment, 'rdata', result['rdata']))
|
||||||
passivedns_object.add_attribute(**self._parse_attribute('rdata', result['rdata']))
|
passivedns_object.add_reference(self.attribute['uuid'], 'related-to')
|
||||||
self.misp_event.add_object(passivedns_object)
|
self.misp_event.add_object(passivedns_object)
|
||||||
|
|
||||||
def get_results(self):
|
def get_results(self):
|
||||||
event = json.loads(self.misp_event.to_json())
|
event = json.loads(self.misp_event.to_json())
|
||||||
results = {key: event[key] for key in ('Attribute', 'Object')}
|
results = {key: event[key] for key in ('Attribute', 'Object')}
|
||||||
return {'results': results}
|
return {'results': results}
|
||||||
|
|
||||||
def _parse_attribute(self, feature, value):
|
def _parse_attribute(self, comment, feature, value):
|
||||||
attribute = {'value': value}
|
attribute = {'value': value, 'comment': comment}
|
||||||
attribute.update(self.passivedns_mapping[feature])
|
attribute.update(self.passivedns_mapping[feature])
|
||||||
return attribute
|
return attribute
|
||||||
|
|
||||||
|
@ -100,14 +107,15 @@ def handler(q=False):
|
||||||
|
|
||||||
|
|
||||||
def lookup_name(client, name):
|
def lookup_name(client, name):
|
||||||
|
response = {}
|
||||||
try:
|
try:
|
||||||
res = client.query_rrset(name) # RRSET = entries in the left-hand side of the domain name related labels
|
res = client.query_rrset(name) # RRSET = entries in the left-hand side of the domain name related labels
|
||||||
response = list(res)
|
response['rrset'] = list(res)
|
||||||
except QueryError:
|
except QueryError:
|
||||||
response = []
|
pass
|
||||||
try:
|
try:
|
||||||
res = client.query_rdata_name(name) # RDATA = entries on the right-hand side of the domain name related labels
|
res = client.query_rdata_name(name) # RDATA = entries on the right-hand side of the domain name related labels
|
||||||
response.extend(list(res))
|
response['rdata'] = list(res)
|
||||||
except QueryError:
|
except QueryError:
|
||||||
pass
|
pass
|
||||||
return response
|
return response
|
||||||
|
@ -116,9 +124,9 @@ def lookup_name(client, name):
|
||||||
def lookup_ip(client, ip):
|
def lookup_ip(client, ip):
|
||||||
try:
|
try:
|
||||||
res = client.query_rdata_ip(ip)
|
res = client.query_rdata_ip(ip)
|
||||||
response = list(res)
|
response = {'rdata': list(res)}
|
||||||
except QueryError:
|
except QueryError:
|
||||||
response = []
|
response = {}
|
||||||
return response
|
return response
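Review bot: In `parse_passivedns_results`, the new comment line `self.type_to_feature[self.attribute['type']]` raises `KeyError` for any attribute type outside the four keys added in the first hunk (`domain`, `hostname`, `ip-src`, `ip-dst`), so unless `handler` rejects other types before the parser runs — that check is outside these hunks — one unexpected attribute aborts the whole enrichment with a traceback rather than a module error. A lookup with a neutral fallback keeps the comment informative without depending on that guard: `feature = self.type_to_feature.get(self.attribute['type'], self.attribute['type'])` followed by `comment = self.comment % (query_type, feature, self.attribute['value'])`. The unchanged `default_fields = ('count', 'rrname', 'rrname')` also lists `rrname` twice, so every passive-dns object gets the same `rrname` attribute added twice per result; the second entry is presumably meant to be `rrtype` — confirm against `passivedns_mapping`, whose start is cut off above the first hunk. Note too that the `except QueryError: pass` branches in `lookup_name` and `lookup_ip` now make an API failure (bad key, quota) indistinguishable from an empty result, so an analyst sees "no passive DNS" when the query never ran; consider at least logging the exception there. `parse_passivedns_results` is defined at the end of the first hunk, so its signature lies outside the hunk that holds its body.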
|
||||||
|
|
||||||
|
|
||||||
|
|