fixed spacing, addressed error handling for public api, added subdomains, and added context comment

misp_modules/modules/expansion/virustotal.py

@@ -7,7 +7,8 @@ import os
 
 misperrors = {'error': 'Error'}
 mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst", "md5", "sha1", "sha256", "sha512"],
-                  'output':['domain', "ip-src", "ip-dst", "text", "md5", "sha1", "sha256", "sha512", "ssdeep", "authentihash", "filename"]
+                  'output': ['domain', "ip-src", "ip-dst", "text", "md5", "sha1", "sha256", "sha512", "ssdeep",
+                             "authentihash", "filename"]
                   }
 
 # possible module-types: 'expansion', 'hover' or both
@@ -18,6 +19,8 @@ moduleinfo = {'version': '2', 'author': 'Hannah Ward',
 # config fields that your code expects from the site admin
 moduleconfig = ["apikey", "event_limit"]
 limit = 5  # Default
+comment = '%s: Enriched via VT'
+
 
 def handler(q=False):
     global limit
@@ -55,12 +58,17 @@ def handler(q=False):
     r["results"] = uniq
     return r
 
+
 def getHash(hash, key, do_not_recurse=False):
     global limit
     toReturn = []
+    try:
         req = requests.get("https://www.virustotal.com/vtapi/v2/file/report",
                            params={"allinfo": 1, "apikey": key, 'resource': hash}
                            ).json()
+    except:
+        return []
+
     if req["response_code"] == 0:
         # Nothing found
         return []
@@ -68,19 +76,24 @@ def getHash(hash, key, do_not_recurse = False):
     toReturn += getMoreInfo(req, key)
     return toReturn
 
+
 def getIP(ip, key, do_not_recurse=False):
     global limit
     toReturn = []
+    try:
         req = requests.get("https://www.virustotal.com/vtapi/v2/ip-address/report",
                            params={"ip": ip, "apikey": key}
                            ).json()
+    except:
+        return []
+
     if req["response_code"] == 0:
         # Nothing found
         return []
 
     if "resolutions" in req:
         for res in req["resolutions"][:limit]:
-        toReturn.append( {"types":["domain"], "values":[res["hostname"]]})
+            toReturn.append({"types": ["domain"], "values": [res["hostname"]], "comment":comment % ip})
             # Pivot from here to find all domain info
             if not do_not_recurse:
                 toReturn += getDomain(res["hostname"], key, True)
@@ -88,25 +101,34 @@ def getIP(ip, key, do_not_recurse = False):
     toReturn += getMoreInfo(req, key)
     return toReturn
 
+
 def getDomain(domain, key, do_not_recurse=False):
     global limit
     toReturn = []
+    try:
         req = requests.get("https://www.virustotal.com/vtapi/v2/domain/report",
                            params={"domain": domain, "apikey": key}
                            ).json()
+    except:
+        return []
+
     if req["response_code"] == 0:
         # Nothing found
         return []
 
     if "resolutions" in req:
         for res in req["resolutions"][:limit]:
-        toReturn.append( {"types":["ip-dst", "ip-src"], "values":[res["ip_address"]]})
+            toReturn.append({"types": ["ip-dst", "ip-src"], "values": [res["ip_address"]], "comment":comment % domain})
             # Pivot from here to find all info on IPs
             if not do_not_recurse:
                 toReturn += getIP(res["ip_address"], key, True)
+    if "subdomains" in req:
+        for subd in req["subdomains"]:
+            toReturn.append({"types": ["domain"], "values": [subd], "comment": comment % domain})
     toReturn += getMoreInfo(req, key)
     return toReturn
 
+
 def findAll(data, keys):
     a = []
     if isinstance(data, dict):
@@ -122,6 +144,7 @@ def findAll(data, keys):
 
     return a
 
+
 def getMoreInfo(req, key):
     global limit
     r = []
@@ -131,22 +154,25 @@ def getMoreInfo(req, key):
     r.append({"types": ["md5", "sha1", "sha256", "sha512"], "values": hashes})
     for hsh in hashes[:limit]:
         # Search VT for some juicy info
+        try:
             data = requests.get("http://www.virustotal.com/vtapi/v2/file/report",
                                 params={"allinfo": 1, "apikey": key, "resource": hsh}
                                 ).json()
+        except:
+            continue
 
         # Go through each key and check if it exists
         if "submission_names" in data:
-        r.append({'types':["filename"], "values":data["submission_names"]})
+            r.append({'types': ["filename"], "values": data["submission_names"], "comment":comment % hsh})
 
         if "ssdeep" in data:
-        r.append({'types':["ssdeep"], "values":[data["ssdeep"]]})
+            r.append({'types': ["ssdeep"], "values": [data["ssdeep"]], "comment":comment % hsh})
 
         if "authentihash" in data:
-        r.append({"types":["authentihash"], "values":[data["authentihash"]]})
+            r.append({"types": ["authentihash"], "values": [data["authentihash"]], "comment":comment % hsh})
 
         if "ITW_urls" in data:
-        r.append({"types":["url"], "values":data["ITW_urls"]})
+            r.append({"types": ["url"], "values": data["ITW_urls"], "comment":comment % hsh})
 
         # Get the malware sample
         sample = requests.get("https://www.virustotal.com/vtapi/v2/file/download",
@@ -165,10 +191,11 @@ def getMoreInfo(req, key):
 
     return r
 
+
 def introspection():
     return mispattributes
 
+
 def version():
     moduleinfo['config'] = moduleconfig
     return moduleinfo
-