add history ipv4

2018-07-10 16:31:39 +02:00 · 2018-07-10 16:31:39 +02:00 · 495c720d0f
parent 21794249d0
commit 495c720d0f
1 changed files with 58 additions and 17 deletions
--- a/misp_modules/modules/expansion/dnstrails.py
+++ b/misp_modules/modules/expansion/dnstrails.py
@ -9,7 +9,8 @@ log = logging.getLogger('dnstrails')
 log.setLevel(logging.DEBUG)
 ch = logging.StreamHandler(sys.stdout)
 ch.setLevel(logging.DEBUG)
-formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+formatter = logging.Formatter(
+    '%(asctime)s - %(name)s - %(levelname)s - %(message)s')
 ch.setFormatter(formatter)
 log.addHandler(ch)

@ -94,13 +95,22 @@ def handle_domain(api, domain, misperrors):
        misperrors['error'] = 'Error whois result'
        return misperrors

+    r, status_ok = expand_history_ipv4(api, domain)
+
+    if status_ok:
+        result_filtered['results'].extend(r)
+    else:
+        misperrors['error'] = 'Error history ipv4'
+        return misperrors
+
    return result_filtered

+
 def handle_ip(api, ip, misperrors):
    pass


-def expand_domain_info(api, misperror,domain):
+def expand_domain_info(api, misperror, domain):
    r = []
    status_ok = False
    ns_servers = []
@ -142,12 +152,14 @@ def expand_domain_info(api, misperror,domain):
                      'values': ns_servers,
                      'categories': ['Network activity'],
                      'comment': 'List of name servers  of %s first seen %s ' %
-                                 (domain, results['current_dns']['ns']['first_seen'])
+                                 (domain,
+                                  results['current_dns']['ns']['first_seen'])
                      })

        if list_ipv4:
            r.append({'types': ['domain|ip'],
-                      'values': ['%s|%s' % (domain, ipv4) for ipv4 in list_ipv4],
+                      'values': ['%s|%s' % (domain, ipv4) for ipv4 in
+                                 list_ipv4],
                      'categories': ['Network activity'],

                      'comment': ' List ipv4 of %s first seen %s' %
@ -188,11 +200,9 @@ def expand_domain_info(api, misperror,domain):


 def expand_subdomains(api, domain):
-
    r = []
    status_ok = False

-
    try:
        results = api.subdomains(domain)

@ -201,7 +211,8 @@ def expand_subdomains(api, domain):
            if 'subdomains' in results:
                r.append({
                    'types': ['domain'],
-                    'values': ['%s.%s' % (sub,domain) for sub in results['subdomains']],
+                    'values': ['%s.%s' % (sub, domain)
+                               for sub in results['subdomains']],
                    'categories': ['Network activity'],
                    'comment': 'subdomains of %s' % domain
                }
@ -248,6 +259,36 @@ def expand_whois(api, domain):

    return r, status_ok

+
+def expand_history_ipv4(api, domain):
+    r = []
+    status_ok = False
+
+    try:
+        results = api.history_dns_ipv4(domain)
+
+        if results:
+            status_ok = True
+            if 'records' in results:
+                for record in results['records']:
+                    if 'values' in record:
+                        r.append(
+                            {'type': ['domain|ip'],
+                             'values': ['%s|%s' % (domain, record['ip'])],
+                             'categories': ['Newtwork activity'],
+                             'comment': 'last seen: %s first seen: %s' %
+                                        (record['last_seen'],
+                                         record['first_seen'])
+                             }
+                        )
+
+    except APIError as e:
+        misperrors['error'] = e
+        print(e)
+
+    return r, status_ok
+
+
 def introspection():
    return mispattributes