misp-modules/misp_modules/modules/expansion/farsight_passivedns.py

82 lines
2.6 KiB
Python
Executable File

import json
from ._dnsdb_query.dnsdb_query import DnsdbClient, QueryError
misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst'], 'output': ['freetext']}
moduleinfo = {'version': '0.1', 'author': 'Christophe Vandeplas', 'description': 'Module to access Farsight DNSDB Passive DNS', 'module-type': ['expansion', 'hover']}
moduleconfig = ['apikey']
server = 'https://api.dnsdb.info'
# TODO return a MISP object with the different attributes
def handler(q=False):
if q is False:
return False
request = json.loads(q)
if (request.get('config')):
if (request['config'].get('apikey') is None):
misperrors['error'] = 'Farsight DNSDB apikey is missing'
return misperrors
client = DnsdbClient(server, request['config']['apikey'])
if request.get('hostname'):
res = lookup_name(client, request['hostname'])
elif request.get('domain'):
res = lookup_name(client, request['domain'])
elif request.get('ip-src'):
res = lookup_ip(client, request['ip-src'])
elif request.get('ip-dst'):
res = lookup_ip(client, request['ip-dst'])
else:
misperrors['error'] = "Unsupported attributes type"
return misperrors
out = ''
for v in set(res): # uniquify entries
out = out + "{} ".format(v)
r = {'results': [{'types': mispattributes['output'], 'values': out}]}
return r
def lookup_name(client, name):
try:
res = client.query_rrset(name) # RRSET = entries in the left-hand side of the domain name related labels
for item in res:
if item.get('rrtype') in ['A', 'AAAA', 'CNAME']:
for i in item.get('rdata'):
yield(i.rstrip('.'))
if item.get('rrtype') in ['SOA']:
for i in item.get('rdata'):
# grab email field and replace first dot by @ to convert to an email address
yield(i.split(' ')[1].rstrip('.').replace('.', '@', 1))
except QueryError as e:
pass
try:
res = client.query_rdata_name(name) # RDATA = entries on the right-hand side of the domain name related labels
for item in res:
if item.get('rrtype') in ['A', 'AAAA', 'CNAME']:
yield(item.get('rrname').rstrip('.'))
except QueryError as e:
pass
def lookup_ip(client, ip):
try:
res = client.query_rdata_ip(ip)
for item in res:
yield(item['rrname'].rstrip('.'))
except QueryError as e:
pass
def introspection():
return mispattributes
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo