add history ipv4

pull/208/head
Sebdraven 2018-07-10 16:31:39 +02:00
parent 21794249d0
commit 495c720d0f
1 changed files with 58 additions and 17 deletions


@ -9,7 +9,8 @@ log = logging.getLogger('dnstrails')
log.setLevel(logging.DEBUG) log.setLevel(logging.DEBUG)
ch = logging.StreamHandler(sys.stdout) ch = logging.StreamHandler(sys.stdout)
ch.setLevel(logging.DEBUG) ch.setLevel(logging.DEBUG)
formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') formatter = logging.Formatter(
'%(asctime)s - %(name)s - %(levelname)s - %(message)s')
ch.setFormatter(formatter) ch.setFormatter(formatter)
log.addHandler(ch) log.addHandler(ch)
@ -94,13 +95,22 @@ def handle_domain(api, domain, misperrors):
misperrors['error'] = 'Error whois result' misperrors['error'] = 'Error whois result'
return misperrors return misperrors
r, status_ok = expand_history_ipv4(api, domain)
if status_ok:
result_filtered['results'].extend(r)
else:
misperrors['error'] = 'Error history ipv4'
return misperrors
return result_filtered return result_filtered
def handle_ip(api, ip, misperrors): def handle_ip(api, ip, misperrors):
pass pass
def expand_domain_info(api, misperror,domain): def expand_domain_info(api, misperror, domain):
r = [] r = []
status_ok = False status_ok = False
ns_servers = [] ns_servers = []
@ -130,31 +140,33 @@ def expand_domain_info(api, misperror,domain):
if 'values' in results['current_dns']['mx']: if 'values' in results['current_dns']['mx']:
servers_mx = [mx_entry['hostname'] for mx_entry in servers_mx = [mx_entry['hostname'] for mx_entry in
results['current_dns']['mx']['values'] if results['current_dns']['mx']['values'] if
'hostname' in mx_entry] 'hostname' in mx_entry]
if 'values' in results['current_dns']['soa']: if 'values' in results['current_dns']['soa']:
soa_hostnames = [soa_entry['email'] for soa_entry in soa_hostnames = [soa_entry['email'] for soa_entry in
results['current_dns']['soa']['values'] if results['current_dns']['soa']['values'] if
'email' in soa_entry] 'email' in soa_entry]
if ns_servers: if ns_servers:
r.append({'types': ['domain'], r.append({'types': ['domain'],
'values': ns_servers, 'values': ns_servers,
'categories': ['Network activity'], 'categories': ['Network activity'],
'comment': 'List of name servers of %s first seen %s ' % 'comment': 'List of name servers of %s first seen %s ' %
(domain, results['current_dns']['ns']['first_seen']) (domain,
}) results['current_dns']['ns']['first_seen'])
})
if list_ipv4: if list_ipv4:
r.append({'types': ['domain|ip'], r.append({'types': ['domain|ip'],
'values': ['%s|%s' % (domain, ipv4) for ipv4 in list_ipv4], 'values': ['%s|%s' % (domain, ipv4) for ipv4 in
list_ipv4],
'categories': ['Network activity'], 'categories': ['Network activity'],
'comment': ' List ipv4 of %s first seen %s' % 'comment': ' List ipv4 of %s first seen %s' %
(domain, (domain,
results['current_dns']['a']['first_seen']) results['current_dns']['a']['first_seen'])
}) })
if list_ipv6: if list_ipv6:
r.append({'types': ['domain|ip'], r.append({'types': ['domain|ip'],
'values': ['%s|%s' % (domain, ipv6) for ipv6 in 'values': ['%s|%s' % (domain, ipv6) for ipv6 in
@ -188,11 +200,9 @@ def expand_domain_info(api, misperror,domain):
def expand_subdomains(api, domain): def expand_subdomains(api, domain):
r = [] r = []
status_ok = False status_ok = False
try: try:
results = api.subdomains(domain) results = api.subdomains(domain)
@ -201,7 +211,8 @@ def expand_subdomains(api, domain):
if 'subdomains' in results: if 'subdomains' in results:
r.append({ r.append({
'types': ['domain'], 'types': ['domain'],
'values': ['%s.%s' % (sub,domain) for sub in results['subdomains']], 'values': ['%s.%s' % (sub, domain)
for sub in results['subdomains']],
'categories': ['Network activity'], 'categories': ['Network activity'],
'comment': 'subdomains of %s' % domain 'comment': 'subdomains of %s' % domain
} }
@ -224,7 +235,7 @@ def expand_whois(api, domain):
status_ok = True status_ok = True
item_registrant = __select_registrant_item(results) item_registrant = __select_registrant_item(results)
types = ['whois-registrant-email', 'whois-registrant-phone', types = ['whois-registrant-email', 'whois-registrant-phone',
'whois-registrant-name', 'whois-registrar', 'whois-registrant-name', 'whois-registrar',
'whois-creation-date'] 'whois-creation-date']
values = [item_registrant['email'], values = [item_registrant['email'],
item_registrant['telephone'], item_registrant['telephone'],
@ -232,10 +243,10 @@ def expand_whois(api, domain):
results['createdDate']] results['createdDate']]
r = [{ r = [{
'types': t, 'types': t,
'values': v, 'values': v,
'categories': ['Attribution'], 'categories': ['Attribution'],
'comment': 'whois information of %s by securitytrails' % domain 'comment': 'whois information of %s by securitytrails' % domain
} for t, v in zip(types, values)] } for t, v in zip(types, values)]
# TODO File "modules/expansion/dnstrails.py", line 230, in expand_whois # TODO File "modules/expansion/dnstrails.py", line 230, in expand_whois
@ -248,6 +259,36 @@ def expand_whois(api, domain):
return r, status_ok return r, status_ok
def expand_history_ipv4(api, domain):
r = []
status_ok = False
try:
results = api.history_dns_ipv4(domain)
if results:
status_ok = True
if 'records' in results:
for record in results['records']:
if 'values' in record:
r.append(
{'type': ['domain|ip'],
'values': ['%s|%s' % (domain, record['ip'])],
'categories': ['Newtwork activity'],
'comment': 'last seen: %s first seen: %s' %
(record['last_seen'],
record['first_seen'])
}
)
except APIError as e:
misperrors['error'] = e
print(e)
return r, status_ok
def introspection(): def introspection():
return mispattributes return mispattributes
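Review bot: The attribute dict built inside expand_history_ipv4 uses the key `'type'` and the category `'Newtwork activity'`, while every other result in this file uses `'types'` and `'Network activity'` (the domain|ip entries in expand_domain_info, the subdomain entry in expand_subdomains), so these records will not match the declared attribute types and are likely to be dropped or rejected by the consumer; the two lines should read `{'types': ['domain|ip'],` and `'categories': ['Network activity'],`. The guard `if 'values' in record:` checks a key the body never reads — the body indexes `record['ip']`, `record['last_seen']` and `record['first_seen']`, so a record missing any of those still raises KeyError; since the response schema is not visible here, the guard should test the keys actually used, e.g. `if {'ip', 'last_seen', 'first_seen'} <= record.keys():`. The except branch assigns to `misperrors`, which is not a parameter of expand_history_ipv4 (its sibling expand_domain_info takes `misperror` explicitly); if no module-level `misperrors` exists this is a NameError raised only on the failure path, and storing the exception object rather than `str(e)` makes the returned error dict non-JSON-serializable. `print(e)` should also use the module logger configured at the top of the file, `log.error(e)`, consistent with the rest of the module.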