passivetotal 0.2.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ba999440914765150f5879f7e1477360c8004395
-  data.tar.gz: 4c5af19bed80397c721e95908500993825d15675
+  metadata.gz: d1844555714450cff7c7fdf042d3bd9888e300eb
+  data.tar.gz: a1b743c9a386b12981e533cbbcdfcd60568bcede
 SHA512:
-  metadata.gz: 3ab4e9de47859d9a39ff2529701fdeb7bd71f625dfa62643a2ab043bca552c0e51a796401b008f7a1024a8f1f6acbe1aaec1e9c7c27e6f67338f5b6898130289
-  data.tar.gz: e7b9320ce2cd7638ee222220ed314de0c7044c5675273bc5be2b6e2fed643f568c36a324161a302cf3250b85f5d01207c95777275ba2095c57e79c18a4761a69
+  metadata.gz: b154abc61be44ad6be8b96afcdaff311022d18722f26192d6cb498a31f872be038c7ffec72a5a8b1255ca378d30271b32419ea89282a3c514e9dc47c89cb92ba
+  data.tar.gz: 51432b063381d9169e6694577ff42eec84b7f58ca5dddfebcb767fdb4958fa715663193e7e162cfd477f3cc31f7f53a9981c113b29ddee9fcb0b157c448b294d

data/.gitignore

@@ -7,3 +7,5 @@
 /pkg/
 /spec/reports/
 /tmp/
+.DS_Store
+rdoc

data/README.md

@@ -22,9 +22,10 @@ Or install it yourself as:
 
 Included in the gem is a command-line tool, passivetotal, with the following usage:
 
-	Usage: passivetotal [-h] [-v] [-k <apikey>] [[-m|-p|-c|-t|-e|-w] <ip or dom>] [[-s|-d] <dom>] [-x <ip>] [-l <ip or hash>] [-i <value>]
+	Usage: bin/passivetotal [-v] [-u <username>] [-k <apikey>] <action flag> <query> [-i <value>]
 	-h                Help
 	-v                Verbose output
+	-u <username>     Sets the Username, defaults to the environment variable PASSIVETOTAL_USERNAME
 	-k <apikey>       Sets the APIKEY, defaults to the environment variable PASSIVETOTAL_APIKEY
 	ACTIONS (You have to select one, last one wins)  -m <ip or dom>  Queries metadata for given IP or domain
 	  -p <ip or dom>  Queries passive DNS data for given IP or domain
@@ -36,35 +37,37 @@ Included in the gem is a command-line tool, passivetotal, with the following usa
 	  -s <dom>        Queries the subdomains for a given domain
 	  -d <dom>        Queries (or sets) if a domain is a dynamic DNS domain
 	  -x <ip>         Queries (or sets) if a given IP is a sinkhole
-	  -l <ip or hash> Queries for SSL Certificates/IP addresses associated with a given IP or SHA-1 hash
+	  -l <hash> Queries for SSL certificates/IP addresses associated with a given SHA-1 hash
+	  -H <ip or hash> Queries for SSL certificate history associated with a given IP or SHA-1 hash
+	  -T <ip or dom>  Queries for Tracker information associated with a given IP or domain
+	  -o <ip or dom>  Queries for OSINT on a given IP or domain
 	SETTING VALUES  -i <value>      Sets the value, used in conjuntion with -c, -t, -e, -w, -d, or -x
 	                  Valid values for -i depend on what it's used with:
-	                  -c : targeted, crime, multiple, benign
+	                  -c : malicious, non-malicious, suspicious, unknown
 	                  -t : <a tag name consisting of characters: [a-zA-Z_]>
 	                  -e, -w, -d, -x: true, false
-
 ## Usage
 
-    # Initialize the API wrapper with an apikey (using the default endpoint URL of https://www.passivetotal.org/api/v1/)
-    pt = PassiveTotal::API.new(apikey)
+    # Initialize the API wrapper with an apikey (using the default endpoint URL of https://api.passivetotal.org/v2/)
+    pt = PassiveTotal::API.new(user, apikey)
     # Create an array to shove results into
-    res = []
-    # query metadata for the domain, www.passivetotal.org
-    res << @pt.metadata('www.passivetotal.org')
-    # query metadata for the ipv4 address, 107.170.89.121
-    res << @pt.metadata('107.170.89.121')
+    res = Array.new
+    # query enrichment for the domain, www.passivetotal.org
+    res << @pt.enrichment('www.passivetotal.org')
+    # query enrichment for the ipv4 address, 107.170.89.121
+    res << @pt.enrichment('107.170.89.121')
     # query passive DNS results for the domain, www.passivetotal.org
     res << @pt.passive('www.passivetotal.org')
     # query passive DNS results for the ipv4 address, 107.170.89.121
     res << @pt.passive('107.170.89.121')
     # query for subdomains of passivetotal.org
-    res << @pt.subdomains('passivetotal.org')
+    #res << @pt.subdomains('passivetotal.org')
     # query for unique IPv4 resolutions of passivetotal.org
     res << @pt.unique('passivetotal.org')
     # query for the classification of www.passivetotal.org
     res << @pt.classification('www.passivetotal.org')
     # set the classification of www.passivetotal.org as benign
-    res << @pt.classification('www.passivetotal.org', 'benign')
+    res << @pt.classification('www.passivetotal.org', 'non-malicious')
     # query for the tags associated with www.chrisleephd.us
     res << @pt.tags('www.chrisleephd.us')
     # add the "cool" tag to www.chrisleephd.us
@@ -84,13 +87,17 @@ Included in the gem is a command-line tool, passivetotal, with the following usa
     # flag www.passivetotal.org as not a dynamic dns domain/host
     res << @pt.dynamic('www.passivetotal.org', false)
     # check if www.passivetotal.org is being watched
-    res << @pt.watching('www.passivetotal.org')
+    res << @pt.monitor('www.passivetotal.org')
     # unwatch www.passivetotal.org
-    res << @pt.watching('www.passivetotal.org', false)
-    # list SSL certificates associated with IPV4 address 104.131.121.205
-    res << @pt.ssl_certificate('104.131.121.205')
+    res << @pt.monitor('www.passivetotal.org', false)
     # list sites associated with SSL certificates with SHA-1 hash of e9a6647d6aba52dc47b3838c920c9ee59bad7034
     res << @pt.ssl_certificate('e9a6647d6aba52dc47b3838c920c9ee59bad7034')
+    # list sites associated with SSL certificates with SHA-1 hash of e9a6647d6aba52dc47b3838c920c9ee59bad7034
+    res << @pt.ssl_certificate('2317683628587350290823564500811277499', 'serialNumber')
+    # retrieve certificate history based on SHA-1 hash of e9a6647d6aba52dc47b3838c920c9ee59bad7034
+    res << @pt.ssl_certificate_history('e9a6647d6aba52dc47b3838c920c9ee59bad7034')
+    # retrieve certificate history from IPv4 address of 52.8.228.23
+    res << @pt.ssl_certificate_history('52.8.228.23')
     # dump all this glorious information to feast your eyes upon
     pp res
 

data/lib/passivetotal/api.rb

@@ -9,10 +9,12 @@ require 'passivetotal/version'
 module PassiveTotal # :nodoc:
   
   class InvalidAPIKeyError < ArgumentError; end
+  class APIUsageError < StandardError; end
+  class ExceededQuotaError < StandardError; end
   
   class Transaction < Struct.new(:query, :response, :response_time); end
   class Query < Struct.new(:api, :query, :set, :url, :parameters); end
-  class Response < Struct.new(:json, :success, :request_time, :raw_query, :error, :result_count, :results); end
+  class Response < Struct.new(:json, :success, :results); end
   
   # The API class wraps the PassiveTotal.org web API for all the verbs that it supports
   # See https://www.passivetotal.org/api/docs for the API documentation.
@@ -23,167 +25,309 @@ module PassiveTotal # :nodoc:
     TLDS = "abb,abbott,abogado,ac,academy,accenture,accountant,accountants,active,actor,ad,ads,adult,ae,aeg,aero,af,afl,ag,agency,ai,aig,airforce,al,allfinanz,alsace,am,amsterdam,an,android,ao,apartments,aq,aquarelle,ar,archi,army,arpa,as,asia,associates,at,attorney,au,auction,audio,auto,autos,aw,ax,axa,az,azure,ba,band,bank,bar,barclaycard,barclays,bargains,bauhaus,bayern,bb,bbc,bbva,bd,be,beer,berlin,best,bf,bg,bh,bharti,bi,bible,bid,bike,bing,bingo,bio,biz,bj,black,blackfriday,bloomberg,blue,bm,bmw,bn,bnl,bnpparibas,bo,boats,bond,boo,boutique,br,bradesco,bridgestone,broker,brother,brussels,bs,bt,budapest,build,builders,business,buzz,bv,bw,by,bz,bzh,ca,cab,cafe,cal,camera,camp,cancerresearch,canon,capetown,capital,caravan,cards,care,career,careers,cars,cartier,casa,cash,casino,cat,catering,cba,cbn,cc,cd,center,ceo,cern,cf,cfa,cfd,cg,ch,channel,chat,cheap,chloe,christmas,chrome,church,ci,cisco,citic,city,ck,cl,claims,cleaning,click,clinic,clothing,cloud,club,cm,cn,co,coach,codes,coffee,college,cologne,com,commbank,community,company,computer,condos,construction,consulting,contractors,cooking,cool,coop,corsica,country,coupons,courses,cr,credit,creditcard,cricket,crown,crs,cruises,cu,cuisinella,cv,cw,cx,cy,cymru,cyou,cz,dabur,dad,dance,date,dating,datsun,day,dclk,de,deals,degree,delivery,democrat,dental,dentist,desi,design,dev,diamonds,diet,digital,direct,directory,discount,dj,dk,dm,dnp,do,docs,dog,doha,domains,doosan,download,drive,durban,dvag,dz,earth,eat,ec,edu,education,ee,eg,email,emerck,energy,engineer,engineering,enterprises,epson,equipment,er,erni,es,esq,estate,et,eu,eurovision,eus,events,everbank,exchange,expert,exposed,express,fail,faith,fan,fans,farm,fashion,feedback,fi,film,finance,financial,firmdale,fish,fishing,fit,fitness,fj,fk,flights,florist,flowers,flsmidth,fly,fm,fo,foo,football,forex,forsale,foundation,fr,frl,frogans,fund,furniture,futbol,fyi,ga,gal,gallery,garden,gb,gbiz,gd,gdn,ge,gent,genting,gf,gg,ggee,gh,gi,gift,gifts,gives,gl,glass,gle,global,globo,gm,gmail,gmo,gmx,gn,gold,goldpoint,golf,goo,goog,google,gop,gov,gp,gq,gr,graphics,gratis,green,gripe,gs,gt,gu,guge,guide,guitars,guru,gw,gy,hamburg,hangout,haus,healthcare,help,here,hermes,hiphop,hitachi,hiv,hk,hm,hn,hockey,holdings,holiday,homedepot,homes,honda,horse,host,hosting,hoteles,hotmail,house,how,hr,ht,hu,ibm,icbc,icu,id,ie,ifm,il,im,immo,immobilien,in,industries,infiniti,info,ing,ink,institute,insure,int,international,investments,io,iq,ir,irish,is,it,iwc,java,jcb,je,jetzt,jewelry,jlc,jll,jm,jo,jobs,joburg,jp,juegos,kaufen,kddi,ke,kg,kh,ki,kim,kitchen,kiwi,km,kn,koeln,komatsu,kp,kr,krd,kred,kw,ky,kyoto,kz,la,lacaixa,land,lasalle,lat,latrobe,law,lawyer,lb,lc,lds,lease,leclerc,legal,lgbt,li,liaison,lidl,life,lighting,limited,limo,link,lk,loan,loans,lol,london,lotte,lotto,love,lr,ls,lt,ltda,lu,lupin,luxe,luxury,lv,ly,ma,madrid,maif,maison,management,mango,market,marketing,markets,marriott,mba,mc,md,me,media,meet,melbourne,meme,memorial,men,menu,mg,mh,miami,microsoft,mil,mini,mk,ml,mm,mma,mn,mo,mobi,moda,moe,monash,money,montblanc,mormon,mortgage,moscow,motorcycles,mov,movie,movistar,mp,mq,mr,ms,mt,mtn,mtpc,mu,museum,mv,mw,mx,my,mz,na,nadex,nagoya,name,navy,nc,ne,nec,net,netbank,network,neustar,new,news,nexus,nf,ng,ngo,nhk,ni,nico,ninja,nissan,nl,no,np,nr,nra,nrw,ntt,nu,nyc,nz,office,okinawa,om,omega,one,ong,onl,online,ooo,oracle,org,organic,osaka,otsuka,ovh,pa,page,panerai,paris,partners,parts,party,pe,pf,pg,ph,pharmacy,philips,photo,photography,photos,physio,piaget,pics,pictet,pictures,pink,pizza,pk,pl,place,play,plumbing,plus,pm,pn,pohl,poker,porn,post,pr,praxi,press,pro,prod,productions,prof,properties,property,ps,pt,pub,pw,py,qa,qpon,quebec,racing,re,realtor,recipes,red,redstone,rehab,reise,reisen,reit,ren,rent,rentals,repair,report,republican,rest,restaurant,review,reviews,rich,ricoh,rio,rip,ro,rocks,rodeo,rs,rsvp,ru,ruhr,run,rw,ryukyu,sa,saarland,sale,samsung,sandvik,sandvikcoromant,sap,sarl,saxo,sb,sc,sca,scb,schmidt,scholarships,school,schule,schwarz,science,scor,scot,sd,se,seat,sener,services,sew,sex,sexy,sg,sh,shiksha,shoes,show,shriram,si,singles,site,sj,sk,ski,sky,skype,sl,sm,sn,sncf,so,soccer,social,software,sohu,solar,solutions,sony,soy,space,spiegel,spreadbetting,sr,st,starhub,statoil,study,style,su,sucks,supplies,supply,support,surf,surgery,suzuki,sv,swatch,swiss,sx,sy,sydney,systems,sz,taipei,tatar,tattoo,tax,taxi,tc,td,team,tech,technology,tel,telefonica,temasek,tennis,tf,tg,th,thd,theater,tickets,tienda,tips,tires,tirol,tj,tk,tl,tm,tn,to,today,tokyo,tools,top,toray,toshiba,tours,town,toys,tr,trade,trading,training,travel,trust,tt,tui,tv,tw,tz,ua,ug,uk,university,uno,uol,us,uy,uz,va,vacations,vc,ve,vegas,ventures,versicherung,vet,vg,vi,viajes,video,villas,vision,vista,vistaprint,vlaanderen,vn,vodka,vote,voting,voto,voyage,vu,wales,walter,wang,watch,webcam,website,wed,wedding,weir,wf,whoswho,wien,wiki,williamhill,win,windows,wme,work,works,world,ws,wtc,wtf,xbox,xerox,xin,xn--1qqw23a,xn--30rr7y,xn--3bst00m,xn--3ds443g,xn--3e0b707e,xn--45brj9c,xn--45q11c,xn--4gbrim,xn--55qw42g,xn--55qx5d,xn--6frz82g,xn--6qq986b3xl,xn--80adxhks,xn--80ao21a,xn--80asehdb,xn--80aswg,xn--90a3ac,xn--90ais,xn--9et52u,xn--b4w605ferd,xn--c1avg,xn--cg4bki,xn--clchc0ea0b2g2a9gcd,xn--czr694b,xn--czrs0t,xn--czru2d,xn--d1acj3b,xn--d1alf,xn--estv75g,xn--fiq228c5hs,xn--fiq64b,xn--fiqs8s,xn--fiqz9s,xn--fjq720a,xn--flw351e,xn--fpcrj9c3d,xn--fzc2c9e2c,xn--gecrj9c,xn--h2brj9c,xn--hxt814e,xn--i1b6b1a6a2e,xn--imr513n,xn--io0a7i,xn--j1amh,xn--j6w193g,xn--kcrx77d1x4a,xn--kprw13d,xn--kpry57d,xn--kput3i,xn--l1acc,xn--lgbbat1ad8j,xn--mgb9awbf,xn--mgba3a4f16a,xn--mgbaam7a8h,xn--mgbab2bd,xn--mgbayh7gpa,xn--mgbbh1a71e,xn--mgbc0a9azcg,xn--mgberp4a5d4ar,xn--mgbpl2fh,xn--mgbx4cd0ab,xn--mxtq1m,xn--ngbc5azd,xn--node,xn--nqv7f,xn--nqv7fs00ema,xn--nyqy26a,xn--o3cw4h,xn--ogbpf8fl,xn--p1acf,xn--p1ai,xn--pgbs0dh,xn--q9jyb4c,xn--qcka1pmc,xn--rhqv96g,xn--s9brj9c,xn--ses554g,xn--unup4y,xn--vermgensberater-ctb,xn--vermgensberatung-pwb,xn--vhquv,xn--vuq861b,xn--wgbh1c,xn--wgbl6a,xn--xhq521b,xn--xkc2al3hye2a,xn--xkc2dl3a5ee0h,xn--y9a3aq,xn--yfro4i67o,xn--ygbi2ammx,xn--zfr164b,xxx,xyz,yachts,yandex,ye,yodobashi,yoga,yokohama,youtube,yt,za,zip,zm,zone,zuerich,zw".split(/,/)
     
     # initialize a new PassiveTotal::API object
+    # username: the email address associated with your PassiveTotal API key.
     # apikey: is 64-hexcharacter string
-    # endpoint: base URL for the web service, defaults to https://www.passivetotal.org/api/v1/
-    def initialize(apikey, endpoint = 'https://www.passivetotal.org/api/v1/')
+    # endpoint: base URL for the web service, defaults to https://api.passivetotal.org/v2/
+    def initialize(username, apikey, endpoint = 'https://api.passivetotal.org/v2/')
       unless apikey =~ /^[a-fA-F0-9]{64}$/
         raise ArgumentError.new("apikey must be a 64 character hex string")
       end
+      @username = username
       @apikey = apikey
       @endpoint = endpoint
     end
     
-    # Metadata describes the item being queried and includes many of the options available inside of the action API calls.
+    # Account : Get account details your account.
+    def account
+      get('account')
+    end
+    
+    # Account History : Get history associated with your account.
+    def account_history
+      get('account/history')
+    end
+    
+    # history is an alias for account_history
+    alias_method :history, :account_history
+    
+    # Account notifications : Get notifications that have been posted to your account.
+    def account_notifications
+      get('account/notifications')
+    end
+    
+    # notifications is an alias for account_notifications
+    alias_method :notifications, :account_notifications
+    
+    # Account organization : Get details about the organization your account is associated with.
+    def account_organization
+      get('account/organization')
+    end
+    
+    # organization is an alias for account_organization
+    alias_method :organization, :account_organization
+    
+    # Account organization teamstream : Get the teamstream for the organization your account is associated with.
+    def account_organization_teamstream
+      get('account/organization/teamstream')
+    end
+    
+    # teamstream is an alias for account_organization_teamstream
+    alias_method :teamstream, :account_organization_teamstream
+    
+    # Account sources : Get source details for a specific source.
+    def account_sources(source)
+      get('account/sources', {'source' => source})
+    end
+    
+    # sources is an alias for account_sources
+    alias_method :sources, :account_sources
+    
+
+    # Passive provides a complete passive DNS picture for a domain or IP address including first/last seen values, deconflicted values, sources used, unique counts and enrichment for all values.
     # query: A domain or IP address to query
-    def metadata(query)
+    def passive(query)
       is_valid_with_error(__method__, [:ipv4, :domain], query)
       if domain?(query)
         query = normalize_domain(query)
       end
-      get(__method__, query)
+      get('dns/passive', {'query' => query})
     end
-    
+
     # Passive provides a complete passive DNS picture for a domain or IP address including first/last seen values, deconflicted values, sources used, unique counts and enrichment for all values.
     # query: A domain or IP address to query
-    def passive(query)
+    def passive_unique(query)
       is_valid_with_error(__method__, [:ipv4, :domain], query)
       if domain?(query)
         query = normalize_domain(query)
       end
-      get(__method__, query)
-    end
-
-    # Subdomains provides a comprehensive view of all known subdomains for a registered domain with associated passive DNS information. This call is best used to understand the activity of a particular domain over a period of time. Passive DNS information is only deconflicted at the subdomain level, not across the entire domain.
-    # query: A domain to query
-    def subdomains(query)
-      is_valid_with_error(__method__, [:domain], query)
-      query = normalize_domain(query)
-      get(__method__, query)
+      get('dns/passive/unique', {'query' => query})
     end
-
-    # Each domain or IP address with results has a unique set of resolving items. This call provides those unique items and a frequency count of how often they show up in sorted order.
+    
+    # unique is an alias for passive_unique
+    alias_method :unique, :passive_unique
+    
+    # Enrichment : Enrich the given query with metadata
     # query: A domain or IP address to query
-    def unique(query)
+    def enrichment(query)
       is_valid_with_error(__method__, [:ipv4, :domain], query)
       if domain?(query)
         query = normalize_domain(query)
       end
-      get(__method__, query)
+      get('enrichment', {'query' => query})
     end
     
-    # PassiveTotal uses the notion of classifications to highlight table rows a certain color based on how they have been rated.
-    # PassiveTotal::API#classification() queries if only one argument is given, and sets if both are given
+    # metadata is an alias for enrichment
+    alias_method :metadata, :enrichment
+    
+    # osint: Get opensource intelligence data
     # query: A domain or IP address to query
-    # set: classification label, one of [targeted, crime, multiple, benign]
-    def classification(query, set=nil)
+    def osint(query)
       is_valid_with_error(__method__, [:ipv4, :domain], query)
       if domain?(query)
         query = normalize_domain(query)
       end
-      if set.nil?
-        get(__method__, query)
+      get('enrichment/osint', {'query' => query})
+    end
+    
+    # subdomains: Get subdomains using a wildcard query
+    # query: A domain with wildcard, e.g., *.passivetotal.org
+    def subdomains(query)
+      get('enrichment/subdomains', {'query' => query})
+    end
+      
+    # whois: Get WHOIS data for a domain or IP address
+    # query: ipv4, domain, or, if you specify a field, any value for that field
+    # field: field name to query if not the default ip/domain field
+    #   field names: domain, email, name, organization, address, phone, nameserver
+    def whois(query, field=nil)
+      if field
+        is_valid_with_error(__method__, [:whois_field], field)
+        get('whois/search', {'field' => field, 'query' => query})
       else
-        is_valid_with_error(__method__, [:classification], set)
-        post(__method__, query, set)
+        is_valid_with_error(__method__, [:ipv4, :domain], query)
+        if domain?(query)
+          query = normalize_domain(query)
+        end
+        get('whois', {'query' => query, 'compact_record' => 'false'})
       end
     end
+        
+    # Add a user-tag to an IP or domain
+    # query: A domain or IP address to tag
+    # tag: Value used to tag query value. Should only consist of alphanumeric, underscores and hyphen values
+    def add_tag(query, tag)
+      is_valid_with_error(__method__, [:ipv4, :domain], query)
+      is_valid_with_error(__method__, [:tag], tag)
+      post('actions/tags', { 'query' => query, 'tags' => [tag] })
+    end
     
-    # PassiveTotal allows users to notate if an IP address is a known sinkhole. These values are shared globally with everyone in the platform.
-    # PassiveTotal::API#sinkhole() queries if only one argument is given, and sets if both are given
-    # query: An IP address to set as a sinkhole or not
-    # set: String-boolean of "true" or "false"
-    def sinkhole(query, set=nil)
-      is_valid_with_error(__method__, [:ipv4], query)
+    # Remove a user-tag to an IP or domain
+    # query: A domain or IP address to remove a tag from
+    # tag: Value used to tag query value. Should only consist of alphanumeric, underscores and hyphen values
+    def remove_tag(query, tag)
+      is_valid_with_error(__method__, [:ipv4, :domain], query)
+      is_valid_with_error(__method__, [:tag], tag)
+      delete('actions/tags', { 'query' => query, 'tags' => [tag] })
+    end
+    
+    # PassiveTotal uses the notion of classifications to highlight table rows a certain color based on how they have been rated.
+    # PassiveTotal::API#classification() queries if only one argument is given, and sets if both are given
+    # query: A domain or IP address to query
+    def classification(query, set=nil)
+      is_valid_with_error(__method__, [:ipv4, :domain], query)
+      if domain?(query)
+        query = normalize_domain(query)
+      end
       if set.nil?
-        get(__method__, query)
+        get('actions/classification', {'query' => query})
       else
-        is_valid_with_error(__method__, [:bool], set)
-        post(__method__, query, set)
+        is_valid_with_error(__method__.to_s, [:classification], set)
+        post('actions/classification', { 'query' => query, 'classification' => set })
       end
     end
     
     # PassiveTotal allows users to notate if a domain or IP address have ever been compromised. These values aid in letting users know that a site may be benign, but it was used in an attack at some point in time.
     # PassiveTotal::API#ever_compromised() queries if only one argument is given, and sets if both are given
     # query: A domain or IP address to query
-    # set: String-boolean of "true" or "false"
+    # set: a boolean flag
     def ever_compromised(query, set=nil)
       is_valid_with_error(__method__, [:ipv4, :domain], query)
       if domain?(query)
         query = normalize_domain(query)
       end
       if set.nil?
-        get(__method__, query)
+        get('actions/ever-compromised', {'query' => query})
       else
         is_valid_with_error(__method__, [:bool], set)
-        post(__method__, query, set)
+        post('actions/ever-compromised', { 'query' => query, 'status' => set })
       end
     end
     
+    alias_method :compromised, :ever_compromised
+    
     # PassiveTotal allows users to notate if a domain is associated with a dynamic DNS provider.
     # PassiveTotal::API#dynamic() queries if only one argument is given, and sets if both are given
     # query: A domain to query
-    # set: String-boolean of "true" or "false"
+    # set: a boolean flag
     def dynamic(query, set=nil)
       is_valid_with_error(__method__, [:domain], query)
       query = normalize_domain(query)
       if set.nil?
-        get(__method__, query)
+        get('actions/dynamic-dns', {'query' => query})
       else
         is_valid_with_error(__method__, [:bool], set)
-        post(__method__, query, set)
+        post('actions/dynamic-dns', { 'query' => query, 'status' => set })
       end
     end
     
-    # PassiveTotal allows users to "watch" domains or IP addresses in order to get notified of any changes.
-    # PassiveTotal::API#watching() queries if only one argument is given, and sets if both are given
-    # query: A domain or IP address to query
-    # set: String-boolean of "true" or "false"
-    def watching(query, set=nil)
+    # PassiveTotal allows users to notate if an ip or domain is "monitored".
+    # PassiveTotal::API#monitor() queries if only one argument is given, and sets if both are given
+    # query: A domain to query
+    # set: a boolean flag
+    def monitor(query, set=nil)
       is_valid_with_error(__method__, [:ipv4, :domain], query)
       if domain?(query)
         query = normalize_domain(query)
       end
       if set.nil?
-        get(__method__, query)
+        get('actions/monitor', {'query' => query})
+      else
+        is_valid_with_error(__method__, [:bool], set)
+        post('actions/monitor', { 'query' => query, 'status' => set })
+      end
+    end
+    
+    # monitoring is an alias for monitor
+    alias_method :monitoring, :monitor
+    alias_method :watching, :monitor
+
+    # PassiveTotal allows users to notate if an IP address is a known sinkhole. These values are shared globally with everyone in the platform.
+    # PassiveTotal::API#sinkhole() queries if only one argument is given, and sets if both are given
+    # query: An IP address to set as a sinkhole or not
+    # set: a boolean flag
+    def sinkhole(query, set=nil)
+      is_valid_with_error(__method__, [:ipv4], query)
+      if set.nil?
+        get('actions/sinkhole', {'query' => query})
       else
         is_valid_with_error(__method__, [:bool], set)
-        post(__method__, query, set)
+        post('actions/sinkhole', { 'query' => query, 'status' => set })
+      end
+    end
+    
+
+    # PassiveTotal uses three types of tags (user, global, and temporal) in order to provide context back to the user.
+    # query: A domain or IP address to query
+    # set: if supplied, adds a tag to an entity
+    def tags(query, set=nil)
+      is_valid_with_error(__method__, [:ipv4, :domain], query)
+      if domain?(query)
+        query = normalize_domain(query)
+      end
+      if set.nil?
+        get('actions/tags', {'query' => query})
+      else
+        is_valid_with_error(__method__, [:tag], set)
+        post('actions/tag', { 'query' => query, 'tags' => [set] })
       end
     end
     
+    # Search Tags : Search for items based on tag value
     # PassiveTotal uses three types of tags (user, global, and temporal) in order to provide context back to the user.
     # query: A domain or IP address to query
-    def tags(query)
+    def tags_search(query)
       is_valid_with_error(__method__, [:ipv4, :domain], query)
-      get("user/tags", query)
+      if domain?(query)
+        query = normalize_domain(query)
+      end
+      get('actions/tags/search', {'query' => query})
     end
 
-    # Add a user-tag to an IP or domain
-    # query: A domain or IP address to tag
-    # tag: Value used to tag query value. Should only consist of alphanumeric, underscores and hyphen values
-    def add_tag(query, tag)
-      is_valid_with_error(__method__, [:ipv4, :domain], query)
-      is_valid_with_error(__method__, [:tag], tag)
-      post_tag("user/tag/add", query, tag)
+    # PassiveTotal collects and provides SSL certificates as an enrichment point when possible. Beyond the certificate data itself, PassiveTotal keeps a record of the IP address of where the certificate was found and the time in which it was collected.
+    # query: A SHA-1 hash to query
+    def ssl_certificate_history(query)
+      is_valid_with_error(__method__, [:ipv4, :hash], query)
+      get('ssl-certificate/history', {'query' => query})
+    end
+
+    # ssl_certificate: returns details about SSL certificates
+    # query: SHA-1 has to query, or, if field is set, a valid value for that field
+    # field: the certificate field to query upon
+    #  certificate fields: issuer_surname, subject_organizationName, issuer_country, issuer_organizationUnitName, fingerprint, subject_organizationUnitName, serialNumber, subject_emailAddress, subject_country, issuer_givenName, subject_commonName, issuer_commonName, issuer_stateOrProvinceName, issuer_province, subject_stateOrProvinceName, sha1, sslVersion, subject_streetAddress, subject_serialNumber, issuer_organizationName, subject_surname, subject_localityName, issuer_streetAddress, issuer_localityName, subject_givenName, subject_province, issuer_serialNumber, issuer_emailAddress
+    def ssl_certificate(query, field=nil)
+      if field.nil?
+        is_valid_with_error(__method__, [:hash], query)
+        get('ssl-certificate', {'query' => query})
+      else
+        is_valid_with_error(__method__, [:ssl_field], field)
+        get_params('ssl-certificate/search', { 'query' => query, 'field' => field })
+      end
     end
     
-    # Remove a user-tag to an IP or domain
-    # query: A domain or IP address to remove a tag from
-    # tag: Value used to tag query value. Should only consist of alphanumeric, underscores and hyphen values
-    def remove_tag(query, tag)
+    # PassiveTotal tracks some interesting metadata about a host
+    # query: a hostname or ip address
+    def components(query)
       is_valid_with_error(__method__, [:ipv4, :domain], query)
-      is_valid_with_error(__method__, [:tag], tag)
-      post_tag("user/tag/remove", query, tag)
+      if domain?(query)
+        query = normalize_domain(query)
+      end
+      get('host-attributes/components', {'query' => query})
     end
     
-    # PassiveTotal collects and provides SSL certificates as an enrichment point when possible. Beyond the certificate data itself, PassiveTotal keeps a record of the IP address of where the certificate was found and the time in which it was collected.
-    # query: An IP address or SHA-1 hash to query
-    def ssl_certificate(query)
-      is_valid_with_error(__method__, [:ipv4, :hash], query)
-      if ipv4?(query)
-        get("ssl_certificate/ip_address", query)
-      elsif hash?(query)
-        get("ssl_certificate/hash", query)
+    # trackers: Get all tracking codes for a domain or IP address.
+    # query: ip or domain, or, if type is supplied, a valid tracker ID
+    # type: A valid tracker type to search:
+    #   tracker types: YandexMetricaCounterId, ClickyId, GoogleAnalyticsAccountNumber, NewRelicId, MixpanelId, GoogleAnalyticsTrackingId
+    def trackers(query, type=nil)
+      if type.nil?
+        is_valid_with_error(__method__, [:ipv4, :domain], query)
+        if domain?(query)
+          query = normalize_domain(query)
+        end
+        get('host-attributes/trackers', {'query' => query})
+      else
+        is_valid_with_error(__method__, [:tracker_type], type)
+        get('trackers/search', {'query' => query, 'type' => type})
       end
     end
 
@@ -215,7 +359,7 @@ module PassiveTotal # :nodoc:
     
     # returns true if the given string matches a valid classification
     def classification?(c)
-      not ['targeted', 'crime', 'multiple', 'benign'].index(c).nil?
+      not ["malicious", "non-malicious", "suspicious", "unknown"].index(c).nil?
     end
     
     # returns true is the given object matches true or false
@@ -232,34 +376,56 @@ module PassiveTotal # :nodoc:
       false
     end
     
+    def ssl_field?(f)
+      return false if f.nil?
+      not ["issuerSurname", "subjectOrganizationName", "issuerCountry", "issuerOrganizationUnitName", 
+        "fingerprint", "subjectOrganizationUnitName", "serialNumber", "subjectEmailAddress", "subjectCountry", 
+        "issuerGivenName", "subjectCommonName", "issuerCommonName", "issuerStateOrProvinceName", "issuerProvince", 
+        "subjectStateOrProvinceName", "sha1", "sslVersion", "subjectStreetAddress", "subjectSerialNumber", 
+        "issuerOrganizationName", "subjectSurname", "subjectLocalityName", "issuerStreetAddress", 
+        "issuerLocalityName", "subjectGivenName", "subjectProvince", "issuerSerialNumber", "issuerEmailAddress"].index(f).nil?
+    end
+    
+    def whois_field?(f)
+      return false if f.nil?
+      not ["domain", "email", "name", "organization", "address", "phone", "nameserver"].index(f).nil?
+    end
+    
+    def tracker_type?(t)
+      return false if t.nil?
+      not ["YandexMetricaCounterId", "ClickyId", "GoogleAnalyticsAccountNumber", "NewRelicId", "MixpanelId", "GoogleAnalyticsTrackingId"].index(t).nil?
+    end
+    
     # lowercases and removes a trailing period (if one exists) from a domain name
     def normalize_domain(domain)
       return domain.downcase.gsub(/\.$/,'')
     end
 
     # helper function to perform an HTTP GET against the web API
-    def get(api, query)
-      params = { 'api_key' => @apikey, 'query' => query }
+    def get(api, params={})
+      url2json(:GET, "#{@endpoint}#{api}", params)
+    end
+ 
+    # helper function to perform an HTTP GET against the web API
+    def get_params(api, params)
       url2json(:GET, "#{@endpoint}#{api}", params)
     end
     
     # helper function to perform an HTTP POST against the web API
-    def post(api, query, set)
-      params = { 'api_key' => @apikey, 'query' => query, api => set }
+    def post(api, params)
       url2json(:POST, "#{@endpoint}#{api}", params)
     end
     
-    # helper function to perform an HTTP POST against the web API, but sets the parameter to 'tag' instead of the api name
-    def post_tag(api, query, set)
-      params = { 'api_key' => @apikey, 'query' => query, 'tag' => set }
-      url2json(:POST, "#{@endpoint}#{api}", params)
+    # helper function to perform an HTTP DELETE against the web API
+    def delete(api, params)
+      url2json(:DELETE, "#{@endpoint}#{api}", params)
     end
-
+    
     # main helper function to perform HTTP interactions with the web API.
     def url2json(method, url, params)
       if method == :GET
         url << "?" + params.map{|k,v| "#{k}=#{v}"}.join("&")
-      end      
+      end
 			url = URI.parse url
 			http = Net::HTTP.new(url.host, url.port)
 			http.use_ssl = (url.scheme == 'https')
@@ -268,10 +434,24 @@ module PassiveTotal # :nodoc:
       request = nil
       if method == :GET
         request = Net::HTTP::Get.new(url.request_uri)
-      else
+      elsif method == :POST
         request = Net::HTTP::Post.new(url.request_uri)
+        form_data = params.to_json
+        request.content_type = 'application/json'
+        request.body = form_data
+      elsif method == :DELETE
+        request = Net::HTTP::Delete.new(url.request_uri)
+        form_data = params.to_json
+        request.content_type = 'application/json'
+        request.body = form_data
+      elsif method == :HEAD
+        request = Net::HTTP::Head.new(url.request_uri)
+        request.set_form_data(params)
+      elsif method == :PUT
+        request = Net::HTTP::Put.new(url.request_uri)
         request.set_form_data(params)
       end
+      request.basic_auth(@username, @apikey)
       request.add_field("User-Agent", "Ruby/#{RUBY_VERSION} passivetotal rubygem v#{PassiveTotal::VERSION}")
 			t1 = Time.now
 			response = http.request(request)
@@ -280,9 +460,21 @@ module PassiveTotal # :nodoc:
       
       obj = Transaction.new(
         Query.new(method, params['query'], params[method] || params['tag'], url, params),
-        Response.new(response.body, data['success'], data['request_time'], data['raw_query'], data['error'], data['result_count'], data['results']),
+        Response.new(response.body, response.code == '200', data),
         delta
       )
+      
+      if data['error']
+        message = data['error']['message']
+        case message
+        when "API key provided does not match any user."
+          raise InvalidAPIKeyError.new(obj)
+        when "Quota has been exceeded!"
+          raise ExceededQuotaError.new(obj)
+        else
+          raise APIUsageError.new(obj)
+        end
+      end
 
       return obj
     end
@@ -302,6 +494,12 @@ module PassiveTotal # :nodoc:
           return true if tag?(item)
         elsif type == :bool
           return true if bool?(item)
+        elsif type == :ssl_field
+          return true if ssl_field?(item)
+        elsif type == :whois_field
+          return true if whois_field?(item)
+        elsif type == :tracker_type
+          return true if tracker_type?(item)
         end
       end
       return false

data/lib/passivetotal/cli.rb

@@ -20,6 +20,7 @@ module PassiveTotal # :nodoc:
       opts = GetoptLong.new(
       	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
       	[ '--debug', '-v', GetoptLong::NO_ARGUMENT ],
+        [ '--username', '-u', GetoptLong::REQUIRED_ARGUMENT ],
         [ '--apikey', '-k', GetoptLong::REQUIRED_ARGUMENT ],
       	[ '--metadata', '-m', GetoptLong::REQUIRED_ARGUMENT ],
       	[ '--passive', '-p', GetoptLong::REQUIRED_ARGUMENT ],
@@ -31,6 +32,9 @@ module PassiveTotal # :nodoc:
       	[ '--dynamic', '-d', GetoptLong::REQUIRED_ARGUMENT ],
       	[ '--watching', '-w', GetoptLong::REQUIRED_ARGUMENT ],
       	[ '--sslcertificate', '-l', GetoptLong::REQUIRED_ARGUMENT ],
+        [ '--ssl_history', '-H', GetoptLong::REQUIRED_ARGUMENT ],
+        [ '--trackers', '-T', GetoptLong::REQUIRED_ARGUMENT ],
+        [ '--osint', '-o', GetoptLong::REQUIRED_ARGUMENT ],
         [ '--set', '-i', GetoptLong::REQUIRED_ARGUMENT ]
       )
       
@@ -39,7 +43,8 @@ module PassiveTotal # :nodoc:
         :query => nil,
         :set => nil,
         :debug => false,
-        :apikey => ENV['PASSIVETOTAL_APIKEY']
+        :apikey => ENV['PASSIVETOTAL_APIKEY'],
+        :username => ENV['PASSIVETOTAL_USERNAME']
       }
 
       opts.each do |opt, arg|
@@ -48,6 +53,8 @@ module PassiveTotal # :nodoc:
           options[:method] = :usage
         when '--debug'
           options[:debug] = true
+        when '--username'
+          options[:username] = arg
         when '--apikey'
           options[:apikey] = arg
         when '--metadata'
@@ -80,6 +87,15 @@ module PassiveTotal # :nodoc:
         when '--sslcertificate'
           options[:method] = :ssl_certificate
           options[:query] = arg
+        when '--ssl_history'
+          options[:method] = :ssl_certificate_history
+          options[:query] = arg
+        when '--trackers'
+          options[:method] = :trackers
+          options[:query] = arg
+        when '--osint'
+          options[:method] = :osint
+          options[:query] = arg
         when '--set'
           options[:set] = arg.dup
         else
@@ -100,11 +116,12 @@ module PassiveTotal # :nodoc:
 
       if options[:debug]
         $stderr.puts "PassiveTotal CLI Options"
-        $stderr.puts "  apikey: #{options[:apikey]}"
-        $stderr.puts "  debug:  #{options[:debug]}"
-        $stderr.puts "  method: #{options[:method]}"
-        $stderr.puts "  query:  #{options[:query]}"
-        $stderr.puts "  set:    #{options[:set]}"
+        $stderr.puts "  username: #{options[:username]}"
+        $stderr.puts "    apikey: #{options[:apikey]}"
+        $stderr.puts "     debug: #{options[:debug]}"
+        $stderr.puts "    method: #{options[:method]}"
+        $stderr.puts "     query: #{options[:query]}"
+        $stderr.puts "       set: #{options[:set]}"
       end
       
       return options
@@ -112,9 +129,10 @@ module PassiveTotal # :nodoc:
     
     # returns a string containing the usage information
     def self.usage
-      help_text = "Usage: #{$0} [-h] [-v] [-k <apikey>] [[-m|-p|-c|-t|-e|-w] <ip or dom>] [[-s|-d] <dom>] [-x <ip>] [-l <ip or hash>] [-i <value>]\n"
+      help_text = "Usage: #{$0} [-v] [-u <username>] [-k <apikey>] <action flag> <query> [-i <value>]\n"
       help_text << "-h                Help\n"
       help_text << "-v                Verbose output\n"
+      help_text << "-u <username>     Sets the Username, defaults to the environment variable PASSIVETOTAL_USERNAME\n"
       help_text << "-k <apikey>       Sets the APIKEY, defaults to the environment variable PASSIVETOTAL_APIKEY\n"
       help_text << "ACTIONS (You have to select one, last one wins)"
       help_text << "  -m <ip or dom>  Queries metadata for given IP or domain\n"
@@ -127,11 +145,14 @@ module PassiveTotal # :nodoc:
       help_text << "  -s <dom>        Queries the subdomains for a given domain\n"
       help_text << "  -d <dom>        Queries (or sets) if a domain is a dynamic DNS domain\n"
       help_text << "  -x <ip>         Queries (or sets) if a given IP is a sinkhole\n"
-      help_text << "  -l <ip or hash> Queries for SSL Certificates/IP addresses associated with a given IP or SHA-1 hash\n"
+      help_text << "  -l <hash> Queries for SSL certificates/IP addresses associated with a given SHA-1 hash\n"
+      help_text << "  -H <ip or hash> Queries for SSL certificate history associated with a given IP or SHA-1 hash\n"
+      help_text << "  -T <ip or dom>  Queries for Tracker information associated with a given IP or domain\n"
+      help_text << "  -o <ip or dom>  Queries for OSINT on a given IP or domain\n"
       help_text << "SETTING VALUES"
       help_text << "  -i <value>      Sets the value, used in conjuntion with -c, -t, -e, -w, -d, or -x\n"
       help_text << "                  Valid values for -i depend on what it's used with:\n"
-      help_text << "                  -c : targeted, crime, multiple, benign\n"
+      help_text << "                  -c : malicious, non-malicious, suspicious, unknown\n"
       help_text << "                  -t : <a tag name consisting of characters: [a-zA-Z_]>\n"
       help_text << "                  -e, -w, -d, -x: true, false\n"
       help_text
@@ -141,14 +162,14 @@ module PassiveTotal # :nodoc:
     def self.run(args)
       options = parse_command_line(args)
       return usage() if options[:method] == :usage
-      pt = PassiveTotal::API.new(options[:apikey])
+      pt = PassiveTotal::API.new(options[:username], options[:apikey])
       if pt.respond_to?(options[:method])
         if options[:set]
           data = pt.send(options[:method], options[:query], options[:set])
         else
           data = pt.send(options[:method], options[:query])
         end
-        data.response.results['response_time'] = data.query.response_time
+        data.response.results['response_time'] = data.response_time
         return JSON.pretty_generate(data.response.results)
       end
       return ''

data/lib/passivetotal/version.rb

@@ -1,3 +1,3 @@
 module PassiveTotal
-  VERSION = "0.2.0"
+  VERSION = "1.0.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: passivetotal
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 1.0.0
 platform: ruby
 authors:
 - chrislee35
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-07-04 00:00:00.000000000 Z
+date: 2016-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json