From cfe971a27185a1f64fc2927f3ffbe9b74a98ffcc Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 29 Jun 2018 15:50:26 +0200
Subject: [PATCH] add expand domains
---
 misp_modules/modules/expansion/dnstrails.py | 140 ++++++++++++++++++++
 1 file changed, 140 insertions(+)
diff --git a/misp_modules/modules/expansion/dnstrails.py b/misp_modules/modules/expansion/dnstrails.py
index d77c8d1..3655269 100644
--- a/misp_modules/modules/expansion/dnstrails.py
+++ b/misp_modules/modules/expansion/dnstrails.py
@@ -1,5 +1,7 @@
+import json
 import logging
 import sys
+from dnstrails import DnsTrails
 
 log = logging.getLogger('dnstrails')
 log.setLevel(logging.DEBUG)
@@ -23,3 +25,141 @@ moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven', moduleconfig = ['apikey'] +def handler(q=False): + if q: + + request = json.loads(q) + + if not request.get('config') and not (request['config'].get('apikey')): + misperrors['error'] = 'DNS authentication is missing' + return misperrors + + api = DnsTrails(request['config'].get('apikey')) + + if not api: + misperrors['error'] = 'Onyphe Error instance api' + + ip = "" + dns_name = "" + + ip = '' + if request.get('ip-src'): + ip = request['ip-src'] + return handle_ip(api, ip, misperrors) + elif request.get('ip-dst'): + ip = request['ip-dst'] + return handle_ip(api, ip, misperrors) + elif request.get('domain'): + domain = request['domain'] + return handle_domain(api, domain, misperrors) + elif request.get('hostname'): + hostname = request['hostname'] + return handle_domain(api, hostname, misperrors) + else: + misperrors['error'] = "Unsupported attributes type" + return misperrors + else: + return False + + +def handle_domain(api, domain, misperrors): + result_filtered = {"results": []} + + r, status_ok = expand_domain_info(api, misperrors, domain) + + if status_ok: + result_filtered['results'].extend(r) + else: + misperrors['error'] = 'Error pastries result' + return misperrors + + return result_filtered + +def handle_ip(api, ip, misperrors): + pass + + +def expand_domain_info(api, misperror,domain): + r = [] + status_ok = False + ns_servers = [] + list_ipv4 = [] + list_ipv6 = [] + servers_mx = [] + soa_hostnames = [] + + results = api.domain(domain) + + if results: + if 'current_dns' in results: + if 'values' in results['current_dns']['ns']: + ns_servers = [ns_entry['nameserver'] for ns_entry in + results['current_dns']['ns']['values'] + if 'nameserver' in ns_entry] + if 'values' in results['current_dns']['a']: + list_ipv4 = [a_entry['ip'] for a_entry in + results['current_dns']['a']['values'] if + 'ip' in a_entry] + + if 'values' in results['current_dns']['aaaa']: + 
list_ipv6 = [ipv6_entry['ipv6'] for ipv6_entry in + results['current_ns']['aaaa']['values'] if + 'ipv6' in ipv6_entry] + + if 'values' in results['current_dns']['mx']: + servers_mx = [mx_entry['hostname'] for mx_entry in + results['current_dns']['mx']['values'] if + 'hostname' in mx_entry] + if 'values' in results['current_dns']['soa']: + soa_hostnames = [soa_entry['email'] for soa_entry in + results['current_dns']['soa']['values'] if + 'email' in soa_entry] + + if ns_servers: + r.append({'type': ['domain'], + 'values': ns_servers, + 'Category': ['Network Activity'], + 'comment': 'List of name servers of %s first seen %s ' % + (domain, results['current_dns']['ns']['first_seen']) + }) + + if list_ipv4: + r.append({'type': ['domain|ip'], + 'values': ['%s|%s' % (domain, ipv4) for ipv4 in list_ipv4], + 'Category': ['Network Activity'], + 'comment': ' List ipv4 of %s first seen %s' % + (domain, + results['current_dns']['a']['first_seen']) + + }) + if list_ipv6: + r.append({'type': ['domain|ip'], + 'values': ['%s|%s' % (domain, ipv6) for ipv6 in + list_ipv6], + 'Category': ['Network Activity'], + 'comment': ' List ipv6 of %s first seen %s' % + (domain, + results['current_dns']['aaaa']['first_seen']) + + }) + + if servers_mx: + r.append({'type': ['domain'], + 'values': servers_mx, + 'Category': ['Network Activity'], + 'comment': ' List mx of %s first seen %s' % + (domain, + results['current_dns']['mx']['first_seen']) + + }) + if soa_hostnames: + r.append({'type': ['domain'], + 'values': soa_hostnames, + 'Category': ['Network Activity'], + 'comment': ' List soa of %s first seen %s' % + (domain, + results['current_dns']['soa']['first_seen']) + }) + + + return r, status_ok
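Review bot: `expand_domain_info` initialises `status_ok = False` and never sets it to True, so `handle_domain` always takes its error branch and answers 'Error pastries result' even when `api.domain(domain)` returned data; set it once a result arrives, e.g. `status_ok = True` immediately under `if results:`. The config guard in `handler` uses the wrong connective: `if not request.get('config') and not (request['config'].get('apikey'))` evaluates `request['config']` exactly when the config is absent and raises KeyError instead of returning `misperrors`, so it should read `if not request.get('config') or not request['config'].get('apikey'):`, and the following `if not api:` branch sets an error but does not `return misperrors`. The AAAA branch indexes `results['current_ns']['aaaa']` while every sibling branch uses `current_dns`, and every `results['current_dns'][...]` access assumes that record-type key exists, so a domain with AAAA records or a missing record type ends in an unhandled KeyError rather than a `misperrors` entry. `handle_ip` is still a stub that returns None although `handler` already dispatches ip-src and ip-dst to it, so those attribute types yield an empty module reply. The `misperrors` dict referenced throughout is defined before this hunk.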