Browse Source

First version of a passivetotal MISP expansion module

pull/2/head
Alexandre Dulaunoy 6 years ago
parent
commit
d86b58165e
  1. 1
      REQUIREMENTS
  2. 61
      modules/expansion/passivetotal.py
  3. 1
      tests/bodypassivetotal.json.sample

1
REQUIREMENTS

@ -1,2 +1,3 @@
tornado
dnspython3
requests

61
modules/expansion/passivetotal.py

@ -0,0 +1,61 @@
import json
import requests
misperrors = {'error' : 'Error'}
mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst', 'module-username','module-password'], 'output': ['ip-src', 'ip-dst', 'hostname', 'domain']}
moduleinfo = "0.1"
passivetotal_url = 'https://api.passivetotal.org/v2/dns/passive?query='
def handler(q=False):
if q is False:
return False
request = json.loads(q)
if (request.get('module-username') is False) or (request.get('module-password') is False):
misperrors['error'] = 'Passivetotal authentication is missing'
return misperrors
if request.get('hostname'):
toquery = request['hostname']
queryhost = True
elif request.get('domain'):
toquery = request['domain']
queryhost = True
elif request.get('ip-src'):
toquery = request['ip-src']
queryhost = False
elif request.get('ip-dst'):
toquery = request['ip-dst']
queryhost = False
else:
return False
r = requests.get(passivetotal_url+toquery, auth=(request.get('module-username'),request.get('module-password')))
if r.status_code == 200:
x = json.loads(r.text)
a = []
if queryhost:
mispattributes['output'] = ['ip-src', 'ip-dst']
else:
mispattributes['output'] = ['hostname']
for y in x['results']:
if queryhost:
a.append(y['resolve'])
else:
a.append(y['resolve'])
elif r.status_code >= 400 and r.status_code < 404 :
misperrors['error'] = 'Passivetotal.org incorrect authentication'
return misperrors['error']
else:
misperrors['error'] = 'Passivetotal.org is not reachable'
return misperrors['error']
r = {'results': [{'types': mispattributes['output'], 'values': a}]}
return r
def introspection():
return mispattributes
def version():
return moduleinfo

1
tests/bodypassivetotal.json.sample

@ -0,0 +1 @@
{"module": "passivetotal", "hostname": "www.circl.lu", "module-username": "bar@foo", "module-password": "yourpassword" }
Loading…
Cancel
Save