MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

add expand whois

pull/208/head
Sebdraven 2018-06-29 17:57:11 +02:00
parent f1c6095914
commit 34da5cdb76
1 changed files with 51 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
misp_modules/modules/expansion/dnstrails.py
View File

@ -16,7 +16,10 @@ log.addHandler(ch)
misperrors = {'error': 'Error'} misperrors = {'error': 'Error'}
mispattributes = { mispattributes = {
'input': ['hostname', 'domain', 'ip-src', 'ip-dst'], 'input': ['hostname', 'domain', 'ip-src', 'ip-dst'],
'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'dns-soa-email'] 'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'dns-soa-email',
'whois-registrant-email', 'whois-registrant-phone',
'whois-registrant-name',
'whois-registrar', 'whois-creation-date', 'domain']
} }
moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven', moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven',
@ -77,6 +80,14 @@ def handle_domain(api, domain, misperrors):
r, status_ok = expand_subdomains(api, domain) r, status_ok = expand_subdomains(api, domain)
if status_ok:
result_filtered['results'].extend(r)
else:
misperrors['error'] = 'Error dns result'
return misperrors
r, status_ok = expand_whois(api, domain)
if status_ok: if status_ok:
result_filtered['results'].extend(r) result_filtered['results'].extend(r)
else: else:
@ -181,6 +192,7 @@ def expand_subdomains(api, domain):
r = [] r = []
status_ok = False status_ok = False
try: try:
results = api.subdomains(domain) results = api.subdomains(domain)
@ -200,10 +212,47 @@ def expand_subdomains(api, domain):
return r, status_ok return r, status_ok
def expand_whois(api, domain):
r = []
status_ok = False
try:
results = api.whois(domain)
if results:
status_ok = True
item_registrant = __select_registrant_item(results)
r.append({
'types': ['whois-registrant-email', 'whois-registrant-phone',
'whois-registrant-name', 'whois-registrar',
'whois-creation-date'],
'values': [item_registrant['email'],
item_registrant['telephone'],
item_registrant['name'], results['registrarName'],
results['creationDate']],
'categories': ['attribution'],
'comment': 'whois information of %s by securitytrails' % domain
}
)
except APIError as e:
misperrors['error'] = e
return r, status_ok
def introspection(): def introspection():
return mispattributes return mispattributes
def version(): def version():
moduleinfo['config'] = moduleconfig moduleinfo['config'] = moduleconfig
return moduleinfo return moduleinfo
def __select_registrant_item(entry):
if 'contacts' in entry:
for c in entry['contacts']:
if c['type'] == 'registrant':
return entry