mirror of https://github.com/MISP/misp-modules
82 lines
2.6 KiB
Python
Executable File
82 lines
2.6 KiB
Python
Executable File
import json
|
|
from ._dnsdb_query.dnsdb_query import DnsdbClient, QueryError
|
|
|
|
|
|
misperrors = {'error': 'Error'}
|
|
mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst'], 'output': ['freetext']}
|
|
moduleinfo = {'version': '0.1', 'author': 'Christophe Vandeplas', 'description': 'Module to access Farsight DNSDB Passive DNS', 'module-type': ['expansion', 'hover']}
|
|
moduleconfig = ['apikey']
|
|
|
|
server = 'https://api.dnsdb.info'
|
|
|
|
# TODO return a MISP object with the different attributes
|
|
|
|
|
|
def handler(q=False):
|
|
if q is False:
|
|
return False
|
|
request = json.loads(q)
|
|
if (request.get('config')):
|
|
if (request['config'].get('apikey') is None):
|
|
misperrors['error'] = 'Farsight DNSDB apikey is missing'
|
|
return misperrors
|
|
client = DnsdbClient(server, request['config']['apikey'])
|
|
if request.get('hostname'):
|
|
res = lookup_name(client, request['hostname'])
|
|
elif request.get('domain'):
|
|
res = lookup_name(client, request['domain'])
|
|
elif request.get('ip-src'):
|
|
res = lookup_ip(client, request['ip-src'])
|
|
elif request.get('ip-dst'):
|
|
res = lookup_ip(client, request['ip-dst'])
|
|
else:
|
|
misperrors['error'] = "Unsupported attributes type"
|
|
return misperrors
|
|
|
|
out = ''
|
|
for v in set(res): # uniquify entries
|
|
out = out + "{} ".format(v)
|
|
r = {'results': [{'types': mispattributes['output'], 'values': out}]}
|
|
return r
|
|
|
|
|
|
def lookup_name(client, name):
|
|
try:
|
|
res = client.query_rrset(name) # RRSET = entries in the left-hand side of the domain name related labels
|
|
for item in res:
|
|
if item.get('rrtype') in ['A', 'AAAA', 'CNAME']:
|
|
for i in item.get('rdata'):
|
|
yield(i.rstrip('.'))
|
|
if item.get('rrtype') in ['SOA']:
|
|
for i in item.get('rdata'):
|
|
# grab email field and replace first dot by @ to convert to an email address
|
|
yield(i.split(' ')[1].rstrip('.').replace('.', '@', 1))
|
|
except QueryError:
|
|
pass
|
|
|
|
try:
|
|
res = client.query_rdata_name(name) # RDATA = entries on the right-hand side of the domain name related labels
|
|
for item in res:
|
|
if item.get('rrtype') in ['A', 'AAAA', 'CNAME']:
|
|
yield(item.get('rrname').rstrip('.'))
|
|
except QueryError:
|
|
pass
|
|
|
|
|
|
def lookup_ip(client, ip):
|
|
try:
|
|
res = client.query_rdata_ip(ip)
|
|
for item in res:
|
|
yield(item['rrname'].rstrip('.'))
|
|
except QueryError:
|
|
pass
|
|
|
|
|
|
def introspection():
|
|
return mispattributes
|
|
|
|
|
|
def version():
|
|
moduleinfo['config'] = moduleconfig
|
|
return moduleinfo
|