From d86b58165e13e07432dee80c6dfce626a5218e65 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 2 Mar 2016 21:17:37 +0100
Subject: [PATCH] First version of a passivetotal MISP expansion module

---
 REQUIREMENTS | 1 +
 modules/expansion/passivetotal.py | 61 ++++++++++++++++++++++++++++++
 tests/bodypassivetotal.json.sample | 1 +
 3 files changed, 63 insertions(+)
 create mode 100755 modules/expansion/passivetotal.py
 create mode 100644 tests/bodypassivetotal.json.sample

diff --git a/REQUIREMENTS b/REQUIREMENTS
index 7c0bab1..f60bfe6 100644
--- a/REQUIREMENTS
+++ b/REQUIREMENTS
@@ -1,2 +1,3 @@
 tornado
 dnspython3
+requests
diff --git a/modules/expansion/passivetotal.py b/modules/expansion/passivetotal.py
new file mode 100755
index 0000000..cdabd00
--- /dev/null
+++ b/modules/expansion/passivetotal.py
@@ -0,0 +1,61 @@
+import json
+import requests
+
+misperrors = {'error' : 'Error'}
+mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst', 'module-username','module-password'], 'output': ['ip-src', 'ip-dst', 'hostname', 'domain']}
+moduleinfo = "0.1"
+passivetotal_url = 'https://api.passivetotal.org/v2/dns/passive?query='
+
+def handler(q=False):
+ if q is False:
+ return False
+ request = json.loads(q)
+ if (request.get('module-username') is False) or (request.get('module-password') is False):
+ misperrors['error'] = 'Passivetotal authentication is missing'
+ return misperrors
+ if request.get('hostname'):
+ toquery = request['hostname']
+ queryhost = True
+ elif request.get('domain'):
+ toquery = request['domain']
+ queryhost = True
+ elif request.get('ip-src'):
+ toquery = request['ip-src']
+ queryhost = False
+ elif request.get('ip-dst'):
+ toquery = request['ip-dst']
+ queryhost = False
+ else:
+ return False
+
+ r = requests.get(passivetotal_url+toquery, auth=(request.get('module-username'),request.get('module-password')))
+ if r.status_code == 200:
+ x = json.loads(r.text)
+ a = []
+ if queryhost:
+ mispattributes['output'] = ['ip-src', 'ip-dst']
+ else:
+ mispattributes['output'] = ['hostname']
+
+ for y in x['results']:
+ if queryhost:
+ a.append(y['resolve'])
+ else:
+ a.append(y['resolve'])
+ elif r.status_code >= 400 and r.status_code < 404 :
+ misperrors['error'] = 'Passivetotal.org incorrect authentication'
+ return misperrors['error']
+ else:
+ misperrors['error'] = 'Passivetotal.org is not reachable'
+ return misperrors['error']
+
+ r = {'results': [{'types': mispattributes['output'], 'values': a}]}
+ return r
+
+
+def introspection():
+ return mispattributes
+
+
+def version():
+ return moduleinfo
diff --git a/tests/bodypassivetotal.json.sample b/tests/bodypassivetotal.json.sample
new file mode 100644
index 0000000..826e624
--- /dev/null
+++ b/tests/bodypassivetotal.json.sample
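Review bot: The credential check in handler() can never fire — `dict.get()` returns `None` for a missing key, never `False`, so `request.get('module-username') is False` is always false and a request with no credentials still goes out with `auth=(None, None)`; it should read `if not request.get('module-username') or not request.get('module-password'):`. The query value is concatenated straight into the URL (`passivetotal_url+toquery`), so a value containing `&`, `#` or whitespace changes the request; passing it as `params={'query': toquery}` (with `?query=` dropped from `passivetotal_url`) lets requests encode it, and the call has no `timeout=`, so an unresponsive endpoint blocks the module indefinitely. The 4xx and fallback branches return the bare string `misperrors['error']` while the missing-credentials branch returns the `misperrors` dict, so callers see two different error shapes. The `if queryhost/else` inside the results loop appends `y['resolve']` on both sides and can collapse to one comprehension, and assigning `mispattributes['output']` mutates the module-level dict that `introspection()` later returns, so the advertised output types depend on the last query handled.

```python
passivetotal_url = 'https://api.passivetotal.org/v2/dns/passive'

def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    # dict.get() yields None (not False) when the key is absent
    if not request.get('module-username') or not request.get('module-password'):
        misperrors['error'] = 'Passivetotal authentication is missing'
        return misperrors
    # … unchanged: hostname/domain/ip-src/ip-dst selection into toquery/queryhost …
    r = requests.get(passivetotal_url, params={'query': toquery},
                     auth=(request['module-username'], request['module-password']),
                     timeout=30)  # timeout value illustrative
    if r.status_code == 200:
        x = json.loads(r.text)
        # keep the advertised output types local; do not mutate mispattributes
        output = ['ip-src', 'ip-dst'] if queryhost else ['hostname']
        a = [y['resolve'] for y in x['results']]
    elif 400 <= r.status_code < 404:
        misperrors['error'] = 'Passivetotal.org incorrect authentication'
        return misperrors
    else:
        misperrors['error'] = 'Passivetotal.org is not reachable'
        return misperrors
    return {'results': [{'types': output, 'values': a}]}
```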
@@ -0,0 +1 @@
+{"module": "passivetotal", "hostname": "www.circl.lu", "module-username": "bar@foo", "module-password": "yourpassword" }