add expand whois

2018-06-29 17:57:11 +02:00 · 2018-06-29 17:57:11 +02:00 · 34da5cdb76
parent f1c6095914
commit 34da5cdb76
1 changed files with 51 additions and 2 deletions
--- a/misp_modules/modules/expansion/dnstrails.py
+++ b/misp_modules/modules/expansion/dnstrails.py
@ -16,7 +16,10 @@ log.addHandler(ch)
 misperrors = {'error': 'Error'}
 mispattributes = {
    'input': ['hostname', 'domain', 'ip-src', 'ip-dst'],
-    'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'dns-soa-email']
+    'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'dns-soa-email',
+               'whois-registrant-email', 'whois-registrant-phone',
+               'whois-registrant-name',
+               'whois-registrar', 'whois-creation-date', 'domain']
 }

 moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven',
@ -77,6 +80,14 @@ def handle_domain(api, domain, misperrors):

    r, status_ok = expand_subdomains(api, domain)

+    if status_ok:
+        result_filtered['results'].extend(r)
+    else:
+        misperrors['error'] = 'Error dns result'
+        return misperrors
+
+    r, status_ok = expand_whois(api, domain)
+
    if status_ok:
        result_filtered['results'].extend(r)
    else:
@ -181,6 +192,7 @@ def expand_subdomains(api, domain):
    r = []
    status_ok = False

+
    try:
        results = api.subdomains(domain)

@ -200,10 +212,47 @@ def expand_subdomains(api, domain):
    return r, status_ok


+def expand_whois(api, domain):
+    r = []
+    status_ok = False
+
+    try:
+        results = api.whois(domain)
+
+        if results:
+            status_ok = True
+            item_registrant = __select_registrant_item(results)
+
+            r.append({
+                'types': ['whois-registrant-email', 'whois-registrant-phone',
+                          'whois-registrant-name', 'whois-registrar',
+                          'whois-creation-date'],
+                'values': [item_registrant['email'],
+                           item_registrant['telephone'],
+                           item_registrant['name'], results['registrarName'],
+                           results['creationDate']],
+                'categories': ['attribution'],
+                'comment': 'whois information of %s by securitytrails' % domain
+            }
+
+            )
+
+    except APIError as e:
+        misperrors['error'] = e
+
+    return r, status_ok
+
 def introspection():
    return mispattributes


 def version():
    moduleinfo['config'] = moduleconfig
-    return moduleinfo
+    return moduleinfo
+
+
+def __select_registrant_item(entry):
+    if 'contacts' in entry:
+        for c in entry['contacts']:
+            if c['type'] == 'registrant':
+                return entry