diff --git a/misp_modules/modules/expansion/whois.py b/misp_modules/modules/expansion/whois.py index 59b7e47a..58e96406 100755 --- a/misp_modules/modules/expansion/whois.py +++ b/misp_modules/modules/expansion/whois.py @@ -1,10 +1,7 @@ # -*- coding: utf-8 -*- import json -try: - from uwhois import Uwhois -except ImportError: - print("uwhois module not installed.") +import socket misperrors = {'error': 'Error'} mispattributes = {'input': ['domain', 'ip-src', 'ip-dst'], 'output': ['freetext']} @@ -17,7 +14,7 @@ moduleinfo = { 'logo': '', 'requirements': ['uwhois: A whois python library'], 'features': "This module takes a domain or IP address attribute as input and queries a 'Univseral Whois proxy server' to get the correct details of the Whois query on the input value (check the references for more details about this whois server).", - 'references': ['https://github.com/rafiot/uwhoisd'], + 'references': ['https://github.com/Lookyloo/uwhoisd'], 'input': 'A domain or IP address attribute.', 'output': 'Text describing the result of a whois request for the input value.', } @@ -43,14 +40,21 @@ def handler(q=False): misperrors['error'] = 'Whois local instance address is missing' return misperrors - uwhois = Uwhois(request['config']['server'], int(request['config']['port'])) - if 'event_id' in request: - return handle_expansion(uwhois, toquery) + return handle_expansion(request['config']['server'], int(request['config']['port']), toquery) -def handle_expansion(w, domain): - return {'results': [{'types': mispattributes['output'], 'values': w.query(domain)}]} +def handle_expansion(server, port, query): + bytes_whois = b'' + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: + sock.connect((server, port)) + sock.sendall(f'{query}\n'.encode()) + while True: + data = sock.recv(2048) + if not data: + break + bytes_whois += data + return {'results': [{'types': mispattributes['output'], 'values': bytes_whois.decode()}]} def introspection():
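Review bot: With the `uwhois` import replaced by `import socket` in the first hunk, the `'requirements': ['uwhois: A whois python library']` entry in `moduleinfo` (visible as context in the second hunk) is stale. The module no longer imports a client library and only needs the server configured in `request['config']`. I would update it in the same commit, for example `'requirements': ['A reachable uwhoisd instance (see references)'],`, so operators do not install or audit a package the module never loads.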
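Review bot: In the new `handle_expansion` the socket has no timeout and the `recv` loop has no size cap, so a whois proxy that stalls or keeps sending holds the module worker and grows `bytes_whois` without bound. `socket.AF_INET` also restricts the configured server to IPv4, and `bytes_whois.decode()` raises `UnicodeDecodeError` on any non-UTF-8 byte in registry output. Connection failures surface as exceptions rather than through the `misperrors` dict that `handler` uses on its other error paths; `handler` starts outside this hunk, so any outer handling is not visible here. The sketch below uses `socket.create_connection` with a timeout, caps the response, decodes with `errors='replace'`, and rejects a query containing a line break, because the request is newline-terminated.

```python
# Suggested limits; the values are constructed examples, tune per deployment.
WHOIS_TIMEOUT = 10            # seconds, applied to connect and to each recv
WHOIS_MAX_BYTES = 1024 * 1024


def handle_expansion(server, port, query):
    # The request is a single newline-terminated line: refuse embedded line breaks.
    if '\n' in query or '\r' in query:
        misperrors['error'] = 'Invalid whois query'
        return misperrors
    chunks = []
    received = 0
    try:
        # create_connection resolves IPv4 and IPv6 and sets the socket timeout.
        with socket.create_connection((server, port), timeout=WHOIS_TIMEOUT) as sock:
            sock.sendall(f'{query}\n'.encode())
            while received < WHOIS_MAX_BYTES:
                data = sock.recv(2048)
                if not data:
                    break
                chunks.append(data)
                received += len(data)
    except OSError as e:
        misperrors['error'] = f'Whois query failed: {e}'
        return misperrors
    text = b''.join(chunks).decode(errors='replace')
    return {'results': [{'types': mispattributes['output'], 'values': text}]}
```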