mirror of https://github.com/MISP/misp-modules
70 lines
2.2 KiB
Python
Executable File
70 lines
2.2 KiB
Python
Executable File
import json
|
|
import requests
|
|
|
|
misperrors = {'error' : 'Error'}
|
|
mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst'], 'output': ['ip-src', 'ip-dst', 'hostname', 'domain']}
|
|
moduleinfo = {'version': '0.1', 'author': 'Alexandre Dulaunoy', 'description': 'PassiveTotal expansion service to expand values with multiple Passive DNS sources'}
|
|
moduleconfig = ['username', 'password']
|
|
passivetotal_url = 'https://api.passivetotal.org/v2/dns/passive?query='
|
|
|
|
|
|
def handler(q=False):
|
|
if q is False:
|
|
return False
|
|
request = json.loads(q)
|
|
|
|
if (request.get('config')):
|
|
if (request['config'].get('username') is None) or (request['config'].get('password') is None):
|
|
misperrors['error'] = 'Passivetotal authentication is missing'
|
|
return misperrors
|
|
else:
|
|
misperrors['error'] = 'config is missing'
|
|
return misperrors
|
|
if request.get('hostname'):
|
|
toquery = request['hostname']
|
|
queryhost = True
|
|
elif request.get('domain'):
|
|
toquery = request['domain']
|
|
queryhost = True
|
|
elif request.get('ip-src'):
|
|
toquery = request['ip-src']
|
|
queryhost = False
|
|
elif request.get('ip-dst'):
|
|
toquery = request['ip-dst']
|
|
queryhost = False
|
|
else:
|
|
return False
|
|
|
|
r = requests.get(passivetotal_url+toquery, auth=(request['config'].get('username'),request['config'].get('password')))
|
|
if r.status_code == 200:
|
|
x = json.loads(r.text)
|
|
a = []
|
|
if queryhost:
|
|
mispattributes['output'] = ['ip-src', 'ip-dst']
|
|
else:
|
|
mispattributes['output'] = ['hostname']
|
|
|
|
for y in x['results']:
|
|
if queryhost:
|
|
a.append(y['resolve'])
|
|
else:
|
|
a.append(y['resolve'])
|
|
elif r.status_code >= 400 and r.status_code < 404 :
|
|
misperrors['error'] = 'Passivetotal.org incorrect authentication'
|
|
return misperrors['error']
|
|
else:
|
|
misperrors['error'] = 'Passivetotal.org is not reachable'
|
|
return misperrors['error']
|
|
|
|
r = {'results': [{'types': mispattributes['output'], 'values': a}]}
|
|
return r
|
|
|
|
|
|
def introspection():
|
|
return mispattributes
|
|
|
|
|
|
def version():
|
|
moduleinfo['config'] = moduleconfig
|
|
return moduleinfo
|