Add reverse lookup
parent
4a8ccb54fb
commit
467e50327d
|
@ -33,7 +33,7 @@ moduleconfig = ['username', 'api_key']
|
||||||
query_profiles = [
|
query_profiles = [
|
||||||
{'inputs': ['domain'], 'services': ['parsed_whois', 'domain_profile', 'reputation', 'reverse_ip']},
|
{'inputs': ['domain'], 'services': ['parsed_whois', 'domain_profile', 'reputation', 'reverse_ip']},
|
||||||
{'inputs': ['email-src', 'email-dst', 'target-email', 'whois-registrant-email', 'whois-registrant-name', 'whois-registrant-phone'], 'services': ['reverse_whois']},
|
{'inputs': ['email-src', 'email-dst', 'target-email', 'whois-registrant-email', 'whois-registrant-name', 'whois-registrant-phone'], 'services': ['reverse_whois']},
|
||||||
{'inputs': ['ip-src', 'ip-dst'], 'services': ['host_domains', 'reverse_ip_whois']}
|
{'inputs': ['ip-src', 'ip-dst'], 'services': ['host_domains']}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
@ -173,11 +173,9 @@ def domain_profile(domtools, to_query, values):
|
||||||
def reputation(domtools, to_query, values):
|
def reputation(domtools, to_query, values):
|
||||||
rep = domtools.reputation(to_query, include_reasons=True)
|
rep = domtools.reputation(to_query, include_reasons=True)
|
||||||
# NOTE: use that value in a tag when we will have attribute level tagging
|
# NOTE: use that value in a tag when we will have attribute level tagging
|
||||||
|
|
||||||
if rep and not rep.get('error'):
|
if rep and not rep.get('error'):
|
||||||
reasons = ', '.join(rep['reasons'])
|
reasons = ', '.join(rep['reasons'])
|
||||||
values.risk = [rep['risk_score'], 'Risk value of {} (via Domain Tools), Reasons: {}'.format(to_query, reasons)]
|
values.risk = [rep['risk_score'], 'Risk value of {} (via Domain Tools), Reasons: {}'.format(to_query, reasons)]
|
||||||
|
|
||||||
return values
|
return values
|
||||||
|
|
||||||
|
|
||||||
|
@ -191,6 +189,41 @@ def reverse_ip(domtools, to_query, values):
|
||||||
return values
|
return values
|
||||||
|
|
||||||
|
|
||||||
|
def reverse_whois(domtools, to_query, values):
|
||||||
|
rev_whois = domtools.reverse_whois(to_query, mode='purchase')
|
||||||
|
if rev_whois.get('error'):
|
||||||
|
misperrors['error'] = rev_whois['error']['message']
|
||||||
|
return misperrors
|
||||||
|
for d in rev_whois['domains']:
|
||||||
|
values.add_domain(d, 'Reverse domain related to {}.'.format(to_query))
|
||||||
|
return values
|
||||||
|
|
||||||
|
|
||||||
|
def host_domains(domtools, to_query, values):
|
||||||
|
hostdom = domtools.host_domains(to_query)
|
||||||
|
if hostdom.get('error'):
|
||||||
|
misperrors['error'] = hostdom['error']['message']
|
||||||
|
return misperrors
|
||||||
|
ip_addresses = hostdom['ip_addresses']
|
||||||
|
if to_query != ip_addresses['ip_address']:
|
||||||
|
values.add_ip(ip_addresses['ip_address'], 'IP of {} (via DomainTools). Has {} other domains.'.format(to_query, ip_addresses['domain_count']))
|
||||||
|
for d in ip_addresses['domain_names']:
|
||||||
|
values.add_domain(d, 'Other domain on {}.'.format(ip_addresses['ip_address']))
|
||||||
|
return values
|
||||||
|
|
||||||
|
|
||||||
|
def reverse_ip_whois(domtools, to_query, values):
|
||||||
|
# Disabled for now, dies with domaintools.exceptions.NotAuthorizedException
|
||||||
|
rev_whois = domtools.reverse_ip_whois(ip=to_query)
|
||||||
|
print(rev_whois)
|
||||||
|
if rev_whois.get('error'):
|
||||||
|
misperrors['error'] = rev_whois['error']['message']
|
||||||
|
return misperrors
|
||||||
|
# for d in rev_whois['domains']:
|
||||||
|
# values.add_domain(d, 'Reverse domain related to {}.'.format(to_query))
|
||||||
|
return values
|
||||||
|
|
||||||
|
|
||||||
def get_services(request):
|
def get_services(request):
|
||||||
for t in mispattributes['input']:
|
for t in mispattributes['input']:
|
||||||
to_query = request.get(t)
|
to_query = request.get(t)
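Review bot: `reverse_ip_whois` still carries the debug `print(rev_whois)` on the line after the API call, which writes the entire DomainTools response (or its error payload) to the module process's stdout on every invocation; given the comment above it says the service is disabled and hunk 1 appears to drop it from `query_profiles`, the print should be removed (or turned into a guarded logger call) before the path is ever re-enabled. In `reverse_whois`, `domtools.reverse_whois(to_query, mode='purchase')` buys a report for every attribute the expansion is triggered on, so spend on the account is driven by whoever can submit attributes to the MISP instance rather than by the account owner; consider exposing the purchase mode as an explicit module config option with the non-purchasing mode as the default. Both new functions index the response directly (`rev_whois['domains']`, `hostdom['ip_addresses']`) after checking only `'error'`, so a response without those keys raises KeyError instead of returning through the `misperrors` path; `for d in rev_whois.get('domains', []):` is the minimal guard. The nested shape assumed for `hostdom['ip_addresses']` (a dict with `ip_address`, `domain_count`, `domain_names`) is not verifiable from the hunk and is worth confirming against the client's documented response.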
|
||||||
|
|