misp-modules 2.4.196__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- misp_modules/__init__.py +379 -0
- misp_modules/helpers/__init__.py +1 -0
- misp_modules/helpers/cache.py +84 -0
- misp_modules/lib/__init__.py +4 -0
- misp_modules/lib/_vmray/__init__.py +0 -0
- misp_modules/lib/_vmray/parser.py +1417 -0
- misp_modules/lib/_vmray/rest_api.py +148 -0
- misp_modules/lib/cof2misp/LICENSE-2.0.txt +202 -0
- misp_modules/lib/cof2misp/__init__.py +0 -0
- misp_modules/lib/cof2misp/cof.py +165 -0
- misp_modules/lib/joe_mapping.py +114 -0
- misp_modules/lib/joe_parser.py +573 -0
- misp_modules/lib/lastline_api.py +841 -0
- misp_modules/lib/qintel_helper.py +263 -0
- misp_modules/lib/stix2misp.py +2080 -0
- misp_modules/lib/stix2misp_mapping.py +460 -0
- misp_modules/lib/synonymsToTagNames.json +1 -0
- misp_modules/lib/vt_graph_parser/__init__.py +8 -0
- misp_modules/lib/vt_graph_parser/errors.py +20 -0
- misp_modules/lib/vt_graph_parser/helpers/__init__.py +7 -0
- misp_modules/lib/vt_graph_parser/helpers/parsers.py +88 -0
- misp_modules/lib/vt_graph_parser/helpers/rules.py +304 -0
- misp_modules/lib/vt_graph_parser/helpers/wrappers.py +58 -0
- misp_modules/lib/vt_graph_parser/importers/__init__.py +7 -0
- misp_modules/lib/vt_graph_parser/importers/base.py +98 -0
- misp_modules/lib/vt_graph_parser/importers/pymisp_response.py +73 -0
- misp_modules/modules/__init__.py +4 -0
- misp_modules/modules/action_mod/__init__.py +1 -0
- misp_modules/modules/action_mod/_utils/__init__.py +1 -0
- misp_modules/modules/action_mod/_utils/utils.py +70 -0
- misp_modules/modules/action_mod/mattermost.py +113 -0
- misp_modules/modules/action_mod/slack.py +96 -0
- misp_modules/modules/action_mod/testaction.py +68 -0
- misp_modules/modules/expansion/__init__.py +36 -0
- misp_modules/modules/expansion/_dnsdb_query/COPYRIGHT +27 -0
- misp_modules/modules/expansion/_dnsdb_query/LICENSE +202 -0
- misp_modules/modules/expansion/_dnsdb_query/README.md +162 -0
- misp_modules/modules/expansion/_dnsdb_query/__init__.py +0 -0
- misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py +327 -0
- misp_modules/modules/expansion/_ransomcoindb/__init__.py +0 -0
- misp_modules/modules/expansion/_ransomcoindb/ransomcoindb.py +96 -0
- misp_modules/modules/expansion/_vulnerability_parser/__init__.py +0 -0
- misp_modules/modules/expansion/_vulnerability_parser/vulnerability_parser.py +118 -0
- misp_modules/modules/expansion/abuseipdb.py +146 -0
- misp_modules/modules/expansion/apiosintds.py +365 -0
- misp_modules/modules/expansion/apivoid.py +133 -0
- misp_modules/modules/expansion/assemblyline_query.py +179 -0
- misp_modules/modules/expansion/assemblyline_submit.py +100 -0
- misp_modules/modules/expansion/backscatter_io.py +84 -0
- misp_modules/modules/expansion/btc_scam_check.py +54 -0
- misp_modules/modules/expansion/btc_steroids.py +238 -0
- misp_modules/modules/expansion/censys_enrich.py +287 -0
- misp_modules/modules/expansion/circl_passivedns.py +85 -0
- misp_modules/modules/expansion/circl_passivessl.py +113 -0
- misp_modules/modules/expansion/clamav.py +129 -0
- misp_modules/modules/expansion/cluster25_expand.py +239 -0
- misp_modules/modules/expansion/countrycode.py +69 -0
- misp_modules/modules/expansion/cpe.py +140 -0
- misp_modules/modules/expansion/crowdsec.py +235 -0
- misp_modules/modules/expansion/crowdstrike_falcon.py +148 -0
- misp_modules/modules/expansion/cuckoo_submit.py +161 -0
- misp_modules/modules/expansion/cve.py +57 -0
- misp_modules/modules/expansion/cve_advanced.py +185 -0
- misp_modules/modules/expansion/cytomic_orion.py +196 -0
- misp_modules/modules/expansion/dbl_spamhaus.py +78 -0
- misp_modules/modules/expansion/dns.py +71 -0
- misp_modules/modules/expansion/docx_enrich.py +71 -0
- misp_modules/modules/expansion/domaintools.py +290 -0
- misp_modules/modules/expansion/eql.py +91 -0
- misp_modules/modules/expansion/eupi.py +86 -0
- misp_modules/modules/expansion/extract_url_components.py +83 -0
- misp_modules/modules/expansion/farsight_passivedns.py +243 -0
- misp_modules/modules/expansion/geoip_asn.py +75 -0
- misp_modules/modules/expansion/geoip_city.py +75 -0
- misp_modules/modules/expansion/geoip_country.py +73 -0
- misp_modules/modules/expansion/google_safe_browsing.py +86 -0
- misp_modules/modules/expansion/google_search.py +57 -0
- misp_modules/modules/expansion/google_threat_intelligence.py +453 -0
- misp_modules/modules/expansion/greynoise.py +346 -0
- misp_modules/modules/expansion/hashdd.py +53 -0
- misp_modules/modules/expansion/hashlookup.py +118 -0
- misp_modules/modules/expansion/hibp.py +62 -0
- misp_modules/modules/expansion/html_to_markdown.py +63 -0
- misp_modules/modules/expansion/hyasinsight.py +881 -0
- misp_modules/modules/expansion/intel471.py +73 -0
- misp_modules/modules/expansion/intelmq_eventdb.py.experimental +67 -0
- misp_modules/modules/expansion/ip2locationio.py +90 -0
- misp_modules/modules/expansion/ipasn.py +70 -0
- misp_modules/modules/expansion/ipinfo.py +112 -0
- misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py +633 -0
- misp_modules/modules/expansion/iprep.py +98 -0
- misp_modules/modules/expansion/jinja_template_rendering.py +54 -0
- misp_modules/modules/expansion/joesandbox_query.py +91 -0
- misp_modules/modules/expansion/joesandbox_submit.py +147 -0
- misp_modules/modules/expansion/lastline_query.py +148 -0
- misp_modules/modules/expansion/lastline_submit.py +180 -0
- misp_modules/modules/expansion/macaddress_io.py +130 -0
- misp_modules/modules/expansion/macvendors.py +55 -0
- misp_modules/modules/expansion/malshare_upload.py +107 -0
- misp_modules/modules/expansion/malwarebazaar.py +67 -0
- misp_modules/modules/expansion/mcafee_insights_enrich.py +249 -0
- misp_modules/modules/expansion/mmdb_lookup.py +138 -0
- misp_modules/modules/expansion/module.py.skeleton +44 -0
- misp_modules/modules/expansion/mwdb.py +152 -0
- misp_modules/modules/expansion/ocr_enrich.py +74 -0
- misp_modules/modules/expansion/ods_enrich.py +71 -0
- misp_modules/modules/expansion/odt_enrich.py +61 -0
- misp_modules/modules/expansion/onyphe.py +243 -0
- misp_modules/modules/expansion/onyphe_full.py +387 -0
- misp_modules/modules/expansion/otx.py +167 -0
- misp_modules/modules/expansion/passive_ssh.py +150 -0
- misp_modules/modules/expansion/passivetotal.py +358 -0
- misp_modules/modules/expansion/pdf_enrich.py +58 -0
- misp_modules/modules/expansion/pptx_enrich.py +65 -0
- misp_modules/modules/expansion/qintel_qsentry.py +229 -0
- misp_modules/modules/expansion/qrcode.py +99 -0
- misp_modules/modules/expansion/ransomcoindb.py +82 -0
- misp_modules/modules/expansion/rbl.py +126 -0
- misp_modules/modules/expansion/recordedfuture.py +544 -0
- misp_modules/modules/expansion/reversedns.py +77 -0
- misp_modules/modules/expansion/securitytrails.py +571 -0
- misp_modules/modules/expansion/shodan.py +244 -0
- misp_modules/modules/expansion/sigma_queries.py +61 -0
- misp_modules/modules/expansion/sigma_syntax_validator.py +49 -0
- misp_modules/modules/expansion/sigmf_expand.py +303 -0
- misp_modules/modules/expansion/socialscan.py +108 -0
- misp_modules/modules/expansion/sophoslabs_intelix.py +146 -0
- misp_modules/modules/expansion/sourcecache.py +57 -0
- misp_modules/modules/expansion/stairwell.py +156 -0
- misp_modules/modules/expansion/stix2_pattern_syntax_validator.py +56 -0
- misp_modules/modules/expansion/threatcrowd.py +170 -0
- misp_modules/modules/expansion/threatfox.py +75 -0
- misp_modules/modules/expansion/threatminer.py +152 -0
- misp_modules/modules/expansion/triage_submit.py +119 -0
- misp_modules/modules/expansion/trustar_enrich.py +235 -0
- misp_modules/modules/expansion/urlhaus.py +164 -0
- misp_modules/modules/expansion/urlscan.py +269 -0
- misp_modules/modules/expansion/variotdbs.py +133 -0
- misp_modules/modules/expansion/virustotal.py +311 -0
- misp_modules/modules/expansion/virustotal_public.py +272 -0
- misp_modules/modules/expansion/virustotal_upload.py +91 -0
- misp_modules/modules/expansion/vmray_submit.py +161 -0
- misp_modules/modules/expansion/vmware_nsx.py +628 -0
- misp_modules/modules/expansion/vulndb.py +292 -0
- misp_modules/modules/expansion/vulnerability_lookup.py +324 -0
- misp_modules/modules/expansion/vulners.py +81 -0
- misp_modules/modules/expansion/vysion.py +221 -0
- misp_modules/modules/expansion/whois.py +72 -0
- misp_modules/modules/expansion/whoisfreaks.py +232 -0
- misp_modules/modules/expansion/wiki.py +58 -0
- misp_modules/modules/expansion/xforceexchange.py +189 -0
- misp_modules/modules/expansion/xlsx_enrich.py +63 -0
- misp_modules/modules/expansion/yara_query.py +70 -0
- misp_modules/modules/expansion/yara_syntax_validator.py +49 -0
- misp_modules/modules/expansion/yeti.py +196 -0
- misp_modules/modules/export_mod/__init__.py +3 -0
- misp_modules/modules/export_mod/cef_export.py +93 -0
- misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py +150 -0
- misp_modules/modules/export_mod/defender_endpoint_export.py +141 -0
- misp_modules/modules/export_mod/goamlexport.py +255 -0
- misp_modules/modules/export_mod/liteexport.py +97 -0
- misp_modules/modules/export_mod/mass_eql_export.py +106 -0
- misp_modules/modules/export_mod/nexthinkexport.py +131 -0
- misp_modules/modules/export_mod/osqueryexport.py +125 -0
- misp_modules/modules/export_mod/pdfexport.py +107 -0
- misp_modules/modules/export_mod/testexport.py +73 -0
- misp_modules/modules/export_mod/threatStream_misp_export.py +114 -0
- misp_modules/modules/export_mod/threat_connect_export.py +125 -0
- misp_modules/modules/export_mod/virustotal_collections.py +141 -0
- misp_modules/modules/export_mod/vt_graph.py +120 -0
- misp_modules/modules/export_mod/yara_export.py +290 -0
- misp_modules/modules/import_mod/__init__.py +22 -0
- misp_modules/modules/import_mod/cof2misp.py +264 -0
- misp_modules/modules/import_mod/csvimport.py +319 -0
- misp_modules/modules/import_mod/cuckooimport.py +749 -0
- misp_modules/modules/import_mod/email_import.py +294 -0
- misp_modules/modules/import_mod/goamlimport.py +188 -0
- misp_modules/modules/import_mod/import_blueprint.py +93 -0
- misp_modules/modules/import_mod/joe_import.py +74 -0
- misp_modules/modules/import_mod/lastline_import.py +160 -0
- misp_modules/modules/import_mod/mispjson.py +73 -0
- misp_modules/modules/import_mod/ocr.py +122 -0
- misp_modules/modules/import_mod/openiocimport.py +99 -0
- misp_modules/modules/import_mod/taxii21.py +383 -0
- misp_modules/modules/import_mod/testimport.py +73 -0
- misp_modules/modules/import_mod/threatanalyzer_import.py +552 -0
- misp_modules/modules/import_mod/url_import.py +97 -0
- misp_modules/modules/import_mod/vmray_import.py +96 -0
- misp_modules/modules/import_mod/vmray_summary_json_import.py +87 -0
- misp_modules-2.4.196.dist-info/LICENSE +661 -0
- misp_modules-2.4.196.dist-info/METADATA +281 -0
- misp_modules-2.4.196.dist-info/RECORD +194 -0
- misp_modules-2.4.196.dist-info/WHEEL +4 -0
- misp_modules-2.4.196.dist-info/entry_points.txt +3 -0
|
@@ -0,0 +1,571 @@
|
|
|
1
|
+
import json
|
|
2
|
+
import logging
|
|
3
|
+
import sys
|
|
4
|
+
import time
|
|
5
|
+
|
|
6
|
+
from dnstrails import APIError
|
|
7
|
+
from dnstrails import DnsTrails
|
|
8
|
+
|
|
9
|
+
log = logging.getLogger('dnstrails')
|
|
10
|
+
log.setLevel(logging.DEBUG)
|
|
11
|
+
ch = logging.StreamHandler(sys.stdout)
|
|
12
|
+
ch.setLevel(logging.DEBUG)
|
|
13
|
+
formatter = logging.Formatter(
|
|
14
|
+
'%(asctime)s - %(name)s - %(levelname)s - %(message)s')
|
|
15
|
+
ch.setFormatter(formatter)
|
|
16
|
+
log.addHandler(ch)
|
|
17
|
+
|
|
18
|
+
misperrors = {'error': 'Error'}
|
|
19
|
+
mispattributes = {
|
|
20
|
+
'input': ['hostname', 'domain', 'ip-src', 'ip-dst'],
|
|
21
|
+
'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'dns-soa-email',
|
|
22
|
+
'whois-registrant-email', 'whois-registrant-phone',
|
|
23
|
+
'whois-registrant-name',
|
|
24
|
+
'whois-registrar', 'whois-creation-date', 'domain']
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
moduleinfo = {
|
|
28
|
+
'version': '1',
|
|
29
|
+
'author': 'Sebastien Larinier @sebdraven',
|
|
30
|
+
'description': 'An expansion modules for SecurityTrails.',
|
|
31
|
+
'module-type': ['expansion', 'hover'],
|
|
32
|
+
'name': 'SecurityTrails Lookup',
|
|
33
|
+
'logo': 'securitytrails.png',
|
|
34
|
+
'requirements': ['dnstrails python library', 'An access to the SecurityTrails API (apikey)'],
|
|
35
|
+
'features': 'The module takes a domain, hostname or IP address attribute as input and queries the SecurityTrails API with it.\n\nMultiple parsing operations are then processed on the result of the query to extract a much information as possible.\n\nFrom this data extracted are then mapped MISP attributes.',
|
|
36
|
+
'references': ['https://securitytrails.com/'],
|
|
37
|
+
'input': 'A domain, hostname or IP address attribute.',
|
|
38
|
+
'output': 'MISP attributes resulting from the query on SecurityTrails API, included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- dns-soa-email\n- whois-registrant-email\n- whois-registrant-phone\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- domain',
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
# config fields that your code expects from the site admin
|
|
42
|
+
moduleconfig = ['apikey']
|
|
43
|
+
|
|
44
|
+
|
|
45
|
+
def handler(q=False):
|
|
46
|
+
if q:
|
|
47
|
+
|
|
48
|
+
request = json.loads(q)
|
|
49
|
+
|
|
50
|
+
if not request.get('config') or not (request['config'].get('apikey')):
|
|
51
|
+
misperrors['error'] = 'SecurityTrails authentication is missing'
|
|
52
|
+
return misperrors
|
|
53
|
+
|
|
54
|
+
api = DnsTrails(request['config'].get('apikey'))
|
|
55
|
+
|
|
56
|
+
if not api:
|
|
57
|
+
misperrors['error'] = 'SecurityTrails Error instance api'
|
|
58
|
+
return misperrors
|
|
59
|
+
if request.get('ip-src'):
|
|
60
|
+
ip = request['ip-src']
|
|
61
|
+
return handle_ip(api, ip, misperrors)
|
|
62
|
+
elif request.get('ip-dst'):
|
|
63
|
+
ip = request['ip-dst']
|
|
64
|
+
return handle_ip(api, ip, misperrors)
|
|
65
|
+
elif request.get('domain'):
|
|
66
|
+
domain = request['domain']
|
|
67
|
+
return handle_domain(api, domain, misperrors)
|
|
68
|
+
elif request.get('hostname'):
|
|
69
|
+
hostname = request['hostname']
|
|
70
|
+
return handle_domain(api, hostname, misperrors)
|
|
71
|
+
else:
|
|
72
|
+
misperrors['error'] = "Unsupported attributes types"
|
|
73
|
+
return misperrors
|
|
74
|
+
else:
|
|
75
|
+
return False
|
|
76
|
+
|
|
77
|
+
|
|
78
|
+
def handle_domain(api, domain, misperrors):
|
|
79
|
+
result_filtered = {"results": []}
|
|
80
|
+
|
|
81
|
+
r, status_ok = expand_domain_info(api, misperrors, domain)
|
|
82
|
+
|
|
83
|
+
if status_ok:
|
|
84
|
+
if r:
|
|
85
|
+
result_filtered['results'].extend(r)
|
|
86
|
+
else:
|
|
87
|
+
misperrors['error'] = misperrors['error'] + ' Error DNS result'
|
|
88
|
+
return misperrors
|
|
89
|
+
|
|
90
|
+
time.sleep(1)
|
|
91
|
+
r, status_ok = expand_subdomains(api, domain)
|
|
92
|
+
|
|
93
|
+
if status_ok:
|
|
94
|
+
if r:
|
|
95
|
+
result_filtered['results'].extend(r)
|
|
96
|
+
else:
|
|
97
|
+
misperrors['error'] = misperrors['error'] + ' Error subdomains result'
|
|
98
|
+
return misperrors
|
|
99
|
+
|
|
100
|
+
time.sleep(1)
|
|
101
|
+
r, status_ok = expand_whois(api, domain)
|
|
102
|
+
|
|
103
|
+
if status_ok:
|
|
104
|
+
if r:
|
|
105
|
+
result_filtered['results'].extend(r)
|
|
106
|
+
|
|
107
|
+
time.sleep(1)
|
|
108
|
+
r, status_ok = expand_history_ipv4_ipv6(api, domain)
|
|
109
|
+
|
|
110
|
+
if status_ok:
|
|
111
|
+
if r:
|
|
112
|
+
result_filtered['results'].extend(r)
|
|
113
|
+
else:
|
|
114
|
+
misperrors['error'] = misperrors['error'] + ' Error history ipv4'
|
|
115
|
+
return misperrors
|
|
116
|
+
|
|
117
|
+
time.sleep(1)
|
|
118
|
+
|
|
119
|
+
r, status_ok = expand_history_dns(api, domain)
|
|
120
|
+
|
|
121
|
+
if status_ok:
|
|
122
|
+
if r:
|
|
123
|
+
result_filtered['results'].extend(r)
|
|
124
|
+
else:
|
|
125
|
+
misperrors['error'] = misperrors['error'] + ' Error in expand History DNS'
|
|
126
|
+
return misperrors
|
|
127
|
+
|
|
128
|
+
r, status_ok = expand_history_whois(api, domain)
|
|
129
|
+
|
|
130
|
+
if status_ok:
|
|
131
|
+
if r:
|
|
132
|
+
result_filtered['results'].extend(r)
|
|
133
|
+
else:
|
|
134
|
+
misperrors['error'] = misperrors['error'] + ' Error in expand History Whois'
|
|
135
|
+
return misperrors
|
|
136
|
+
|
|
137
|
+
return result_filtered
|
|
138
|
+
|
|
139
|
+
|
|
140
|
+
def handle_ip(api, ip, misperrors):
|
|
141
|
+
result_filtered = {"results": []}
|
|
142
|
+
|
|
143
|
+
r, status_ok = expand_searching_domain(api, ip)
|
|
144
|
+
|
|
145
|
+
if status_ok:
|
|
146
|
+
if r:
|
|
147
|
+
result_filtered['results'].extend(r)
|
|
148
|
+
else:
|
|
149
|
+
misperrors['error'] += ' Error in expand searching domain'
|
|
150
|
+
return misperrors
|
|
151
|
+
|
|
152
|
+
return result_filtered
|
|
153
|
+
|
|
154
|
+
|
|
155
|
+
def expand_domain_info(api, misperror, domain):
|
|
156
|
+
r = []
|
|
157
|
+
status_ok = False
|
|
158
|
+
ns_servers = []
|
|
159
|
+
list_ipv4 = []
|
|
160
|
+
list_ipv6 = []
|
|
161
|
+
servers_mx = []
|
|
162
|
+
soa_hostnames = []
|
|
163
|
+
|
|
164
|
+
try:
|
|
165
|
+
results = api.domain(domain)
|
|
166
|
+
except APIError as e:
|
|
167
|
+
misperrors['error'] = e.value
|
|
168
|
+
return [], False
|
|
169
|
+
|
|
170
|
+
if results:
|
|
171
|
+
status_ok = True
|
|
172
|
+
if 'current_dns' in results:
|
|
173
|
+
if 'values' in results['current_dns']['ns']:
|
|
174
|
+
ns_servers = [ns_entry['nameserver'] for ns_entry in
|
|
175
|
+
results['current_dns']['ns']['values']
|
|
176
|
+
if 'nameserver' in ns_entry]
|
|
177
|
+
if 'values' in results['current_dns']['a']:
|
|
178
|
+
list_ipv4 = [a_entry['ip'] for a_entry in
|
|
179
|
+
results['current_dns']['a']['values'] if
|
|
180
|
+
'ip' in a_entry]
|
|
181
|
+
|
|
182
|
+
if 'values' in results['current_dns']['aaaa']:
|
|
183
|
+
list_ipv6 = [ipv6_entry['ipv6'] for ipv6_entry in
|
|
184
|
+
results['current_dns']['aaaa']['values'] if
|
|
185
|
+
'ipv6' in ipv6_entry]
|
|
186
|
+
|
|
187
|
+
if 'values' in results['current_dns']['mx']:
|
|
188
|
+
servers_mx = [mx_entry['hostname'] for mx_entry in
|
|
189
|
+
results['current_dns']['mx']['values'] if
|
|
190
|
+
'hostname' in mx_entry]
|
|
191
|
+
if 'values' in results['current_dns']['soa']:
|
|
192
|
+
soa_hostnames = [soa_entry['email'] for soa_entry in
|
|
193
|
+
results['current_dns']['soa']['values'] if
|
|
194
|
+
'email' in soa_entry]
|
|
195
|
+
|
|
196
|
+
if ns_servers:
|
|
197
|
+
r.append({'types': ['domain'],
|
|
198
|
+
'values': ns_servers,
|
|
199
|
+
'categories': ['Network activity'],
|
|
200
|
+
'comment': 'List of name servers of %s first seen %s ' %
|
|
201
|
+
(domain,
|
|
202
|
+
results['current_dns']['ns']['first_seen'])
|
|
203
|
+
})
|
|
204
|
+
|
|
205
|
+
if list_ipv4:
|
|
206
|
+
r.append({'types': ['domain|ip'],
|
|
207
|
+
'values': ['%s|%s' % (domain, ipv4) for ipv4 in
|
|
208
|
+
list_ipv4],
|
|
209
|
+
'categories': ['Network activity'],
|
|
210
|
+
|
|
211
|
+
'comment': ' List ipv4 of %s first seen %s' %
|
|
212
|
+
(domain,
|
|
213
|
+
results['current_dns']['a']['first_seen'])
|
|
214
|
+
|
|
215
|
+
})
|
|
216
|
+
if list_ipv6:
|
|
217
|
+
r.append({'types': ['domain|ip'],
|
|
218
|
+
'values': ['%s|%s' % (domain, ipv6) for ipv6 in
|
|
219
|
+
list_ipv6],
|
|
220
|
+
'categories': ['Network activity'],
|
|
221
|
+
'comment': ' List ipv6 of %s first seen %s' %
|
|
222
|
+
(domain,
|
|
223
|
+
results['current_dns']['aaaa']['first_seen'])
|
|
224
|
+
|
|
225
|
+
})
|
|
226
|
+
|
|
227
|
+
if servers_mx:
|
|
228
|
+
r.append({'types': ['domain'],
|
|
229
|
+
'values': servers_mx,
|
|
230
|
+
'categories': ['Network activity'],
|
|
231
|
+
'comment': ' List mx of %s first seen %s' %
|
|
232
|
+
(domain,
|
|
233
|
+
results['current_dns']['mx']['first_seen'])
|
|
234
|
+
|
|
235
|
+
})
|
|
236
|
+
if soa_hostnames:
|
|
237
|
+
r.append({'types': ['domain'],
|
|
238
|
+
'values': soa_hostnames,
|
|
239
|
+
'categories': ['Network activity'],
|
|
240
|
+
'comment': ' List soa of %s first seen %s' %
|
|
241
|
+
(domain,
|
|
242
|
+
results['current_dns']['soa']['first_seen'])
|
|
243
|
+
})
|
|
244
|
+
|
|
245
|
+
return r, status_ok
|
|
246
|
+
|
|
247
|
+
|
|
248
|
+
def expand_subdomains(api, domain):
|
|
249
|
+
r = []
|
|
250
|
+
status_ok = False
|
|
251
|
+
|
|
252
|
+
try:
|
|
253
|
+
results = api.subdomains(domain)
|
|
254
|
+
|
|
255
|
+
if results:
|
|
256
|
+
status_ok = True
|
|
257
|
+
if 'subdomains' in results:
|
|
258
|
+
r.append({
|
|
259
|
+
'types': ['domain'],
|
|
260
|
+
'values': ['%s.%s' % (sub, domain)
|
|
261
|
+
for sub in results['subdomains']],
|
|
262
|
+
'categories': ['Network activity'],
|
|
263
|
+
'comment': 'subdomains of %s' % domain
|
|
264
|
+
}
|
|
265
|
+
|
|
266
|
+
)
|
|
267
|
+
except APIError as e:
|
|
268
|
+
misperrors['error'] = e.value
|
|
269
|
+
return [], False
|
|
270
|
+
|
|
271
|
+
return r, status_ok
|
|
272
|
+
|
|
273
|
+
|
|
274
|
+
def expand_whois(api, domain):
|
|
275
|
+
r = []
|
|
276
|
+
status_ok = False
|
|
277
|
+
|
|
278
|
+
try:
|
|
279
|
+
results = api.whois(domain)
|
|
280
|
+
|
|
281
|
+
if results:
|
|
282
|
+
status_ok = True
|
|
283
|
+
item_registrant = __select_registrant_item(results)
|
|
284
|
+
if item_registrant:
|
|
285
|
+
|
|
286
|
+
if 'email' in item_registrant[0]:
|
|
287
|
+
r.append(
|
|
288
|
+
{
|
|
289
|
+
'types': ['whois-registrant-email'],
|
|
290
|
+
'values': [item_registrant[0]['email']],
|
|
291
|
+
'categories': ['Attribution'],
|
|
292
|
+
'comment': 'Whois information of %s by securitytrails'
|
|
293
|
+
% domain
|
|
294
|
+
}
|
|
295
|
+
)
|
|
296
|
+
|
|
297
|
+
if 'telephone' in item_registrant[0]:
|
|
298
|
+
r.append(
|
|
299
|
+
{
|
|
300
|
+
'types': ['whois-registrant-phone'],
|
|
301
|
+
'values': [item_registrant[0]['telephone']],
|
|
302
|
+
'categories': ['Attribution'],
|
|
303
|
+
'comment': 'Whois information of %s by securitytrails'
|
|
304
|
+
% domain
|
|
305
|
+
}
|
|
306
|
+
)
|
|
307
|
+
|
|
308
|
+
if 'name' in item_registrant[0]:
|
|
309
|
+
r.append(
|
|
310
|
+
{
|
|
311
|
+
'types': ['whois-registrant-name'],
|
|
312
|
+
'values': [item_registrant[0]['name']],
|
|
313
|
+
'categories': ['Attribution'],
|
|
314
|
+
'comment': 'Whois information of %s by securitytrails'
|
|
315
|
+
% domain
|
|
316
|
+
}
|
|
317
|
+
)
|
|
318
|
+
|
|
319
|
+
if 'registrarName' in item_registrant[0]:
|
|
320
|
+
r.append(
|
|
321
|
+
{
|
|
322
|
+
'types': ['whois-registrar'],
|
|
323
|
+
'values': [item_registrant[0]['registrarName']],
|
|
324
|
+
'categories': ['Attribution'],
|
|
325
|
+
'comment': 'Whois information of %s by securitytrails'
|
|
326
|
+
% domain
|
|
327
|
+
}
|
|
328
|
+
)
|
|
329
|
+
|
|
330
|
+
if 'createdDate' in item_registrant[0]:
|
|
331
|
+
r.append(
|
|
332
|
+
{
|
|
333
|
+
'types': ['whois-creation-date'],
|
|
334
|
+
'values': [item_registrant[0]['createdDate']],
|
|
335
|
+
'categories': ['Attribution'],
|
|
336
|
+
'comment': 'Whois information of %s by securitytrails'
|
|
337
|
+
% domain
|
|
338
|
+
}
|
|
339
|
+
)
|
|
340
|
+
|
|
341
|
+
except APIError as e:
|
|
342
|
+
misperrors['error'] = e.value
|
|
343
|
+
return [], False
|
|
344
|
+
|
|
345
|
+
return r, status_ok
|
|
346
|
+
|
|
347
|
+
|
|
348
|
+
def expand_history_ipv4_ipv6(api, domain):
|
|
349
|
+
r = []
|
|
350
|
+
status_ok = False
|
|
351
|
+
|
|
352
|
+
try:
|
|
353
|
+
results = api.history_dns_ipv4(domain)
|
|
354
|
+
|
|
355
|
+
if results:
|
|
356
|
+
status_ok = True
|
|
357
|
+
r.extend(__history_ip(results, domain))
|
|
358
|
+
|
|
359
|
+
time.sleep(1)
|
|
360
|
+
results = api.history_dns_aaaa(domain)
|
|
361
|
+
|
|
362
|
+
if results:
|
|
363
|
+
status_ok = True
|
|
364
|
+
r.extend(__history_ip(results, domain, type_ip='ipv6'))
|
|
365
|
+
|
|
366
|
+
except APIError as e:
|
|
367
|
+
misperrors['error'] = e.value
|
|
368
|
+
return [], False
|
|
369
|
+
|
|
370
|
+
return r, status_ok
|
|
371
|
+
|
|
372
|
+
|
|
373
|
+
def expand_history_dns(api, domain):
|
|
374
|
+
r = []
|
|
375
|
+
status_ok = False
|
|
376
|
+
|
|
377
|
+
try:
|
|
378
|
+
|
|
379
|
+
results = api.history_dns_ns(domain)
|
|
380
|
+
if results:
|
|
381
|
+
r.extend(__history_dns(results, domain, 'nameserver', 'ns'))
|
|
382
|
+
|
|
383
|
+
time.sleep(1)
|
|
384
|
+
|
|
385
|
+
results = api.history_dns_soa(domain)
|
|
386
|
+
|
|
387
|
+
if results:
|
|
388
|
+
r.extend(__history_dns(results, domain, 'email', 'soa'))
|
|
389
|
+
|
|
390
|
+
time.sleep(1)
|
|
391
|
+
|
|
392
|
+
results = api.history_dns_mx(domain)
|
|
393
|
+
|
|
394
|
+
if results:
|
|
395
|
+
status_ok = True
|
|
396
|
+
r.extend(__history_dns(results, domain, 'host', 'mx'))
|
|
397
|
+
|
|
398
|
+
except APIError as e:
|
|
399
|
+
misperrors['error'] = e.value
|
|
400
|
+
return [], False
|
|
401
|
+
|
|
402
|
+
status_ok = True
|
|
403
|
+
|
|
404
|
+
return r, status_ok
|
|
405
|
+
|
|
406
|
+
|
|
407
|
+
def expand_history_whois(api, domain):
|
|
408
|
+
r = []
|
|
409
|
+
status_ok = False
|
|
410
|
+
try:
|
|
411
|
+
results = api.history_whois(domain)
|
|
412
|
+
|
|
413
|
+
if results:
|
|
414
|
+
|
|
415
|
+
if 'items' in results['result']:
|
|
416
|
+
for item in results['result']['items']:
|
|
417
|
+
item_registrant = __select_registrant_item(item)
|
|
418
|
+
|
|
419
|
+
r.append(
|
|
420
|
+
{
|
|
421
|
+
'types': ['domain'],
|
|
422
|
+
'values': item['nameServers'],
|
|
423
|
+
'categories': ['Network activity'],
|
|
424
|
+
'comment': 'Whois history Name Servers of %s '
|
|
425
|
+
'Status: %s ' % (
|
|
426
|
+
domain, ' '.join(item['status']))
|
|
427
|
+
|
|
428
|
+
}
|
|
429
|
+
)
|
|
430
|
+
if item_registrant:
|
|
431
|
+
|
|
432
|
+
if 'email' in item_registrant[0]:
|
|
433
|
+
r.append(
|
|
434
|
+
{
|
|
435
|
+
'types': ['whois-registrant-email'],
|
|
436
|
+
'values': [item_registrant[0]['email']],
|
|
437
|
+
'categories': ['Attribution'],
|
|
438
|
+
'comment': 'Whois history registrant email of %s'
|
|
439
|
+
'Status: %s' % (
|
|
440
|
+
domain,
|
|
441
|
+
' '.join(item['status']))
|
|
442
|
+
}
|
|
443
|
+
)
|
|
444
|
+
|
|
445
|
+
if 'telephone' in item_registrant[0]:
|
|
446
|
+
r.append(
|
|
447
|
+
{
|
|
448
|
+
'types': ['whois-registrant-phone'],
|
|
449
|
+
'values': [item_registrant[0]['telephone']],
|
|
450
|
+
'categories': ['Attribution'],
|
|
451
|
+
'comment': 'Whois history registrant phone of %s'
|
|
452
|
+
'Status: %s' % (
|
|
453
|
+
domain,
|
|
454
|
+
' '.join(item['status']))
|
|
455
|
+
}
|
|
456
|
+
)
|
|
457
|
+
|
|
458
|
+
except APIError as e:
|
|
459
|
+
misperrors['error'] = e.value
|
|
460
|
+
return [], False
|
|
461
|
+
status_ok = True
|
|
462
|
+
|
|
463
|
+
return r, status_ok
|
|
464
|
+
|
|
465
|
+
|
|
466
|
+
def __history_ip(results, domain, type_ip='ip'):
|
|
467
|
+
r = []
|
|
468
|
+
if 'records' in results:
|
|
469
|
+
for record in results['records']:
|
|
470
|
+
if 'values' in record:
|
|
471
|
+
for item in record['values']:
|
|
472
|
+
r.append(
|
|
473
|
+
{'types': ['domain|ip'],
|
|
474
|
+
'values': ['%s|%s' % (domain, item[type_ip])],
|
|
475
|
+
'categories': ['Network activity'],
|
|
476
|
+
'comment': 'History IP on securitytrails %s '
|
|
477
|
+
'last seen: %s first seen: %s' %
|
|
478
|
+
(domain, record['last_seen'],
|
|
479
|
+
record['first_seen'])
|
|
480
|
+
}
|
|
481
|
+
)
|
|
482
|
+
|
|
483
|
+
return r
|
|
484
|
+
|
|
485
|
+
|
|
486
|
+
def __history_dns(results, domain, type_serv, service):
|
|
487
|
+
r = []
|
|
488
|
+
|
|
489
|
+
if 'records' in results:
|
|
490
|
+
for record in results['records']:
|
|
491
|
+
if 'values' in record:
|
|
492
|
+
values = record['values']
|
|
493
|
+
if type(values) is list:
|
|
494
|
+
|
|
495
|
+
for item in record['values']:
|
|
496
|
+
r.append(
|
|
497
|
+
{'types': ['domain|ip'],
|
|
498
|
+
'values': [item[type_serv]],
|
|
499
|
+
'categories': ['Network activity'],
|
|
500
|
+
'comment': 'history %s of %s last seen: %s first seen: %s' %
|
|
501
|
+
(service, domain, record['last_seen'],
|
|
502
|
+
record['first_seen'])
|
|
503
|
+
}
|
|
504
|
+
)
|
|
505
|
+
else:
|
|
506
|
+
r.append(
|
|
507
|
+
{'types': ['domain|ip'],
|
|
508
|
+
'values': [values[type_serv]],
|
|
509
|
+
'categories': ['Network activity'],
|
|
510
|
+
'comment': 'history %s of %s last seen: %s first seen: %s' %
|
|
511
|
+
(service, domain, record['last_seen'],
|
|
512
|
+
record['first_seen'])
|
|
513
|
+
}
|
|
514
|
+
)
|
|
515
|
+
return r
|
|
516
|
+
|
|
517
|
+
|
|
518
|
+
def expand_searching_domain(api, ip):
|
|
519
|
+
r = []
|
|
520
|
+
status_ok = False
|
|
521
|
+
|
|
522
|
+
try:
|
|
523
|
+
results = api.searching_domains(ipv4=ip)
|
|
524
|
+
|
|
525
|
+
if results:
|
|
526
|
+
if 'records' in results:
|
|
527
|
+
res = [(r['host_provider'], r['hostname'], r['whois'])
|
|
528
|
+
for r in results['records']]
|
|
529
|
+
|
|
530
|
+
for host_provider, hostname, whois in res:
|
|
531
|
+
comment = 'domain for %s by %s' % (ip, host_provider[0])
|
|
532
|
+
if whois['registrar']:
|
|
533
|
+
comment = comment + ' registrar %s' % whois['registrar']
|
|
534
|
+
|
|
535
|
+
r.append(
|
|
536
|
+
{
|
|
537
|
+
'types': ['domain'],
|
|
538
|
+
'category': ['Network activity'],
|
|
539
|
+
'values': [hostname],
|
|
540
|
+
'comment': comment
|
|
541
|
+
|
|
542
|
+
}
|
|
543
|
+
)
|
|
544
|
+
status_ok = True
|
|
545
|
+
except APIError as e:
|
|
546
|
+
misperrors['error'] = e.value
|
|
547
|
+
return [], False
|
|
548
|
+
|
|
549
|
+
return r, status_ok
|
|
550
|
+
|
|
551
|
+
|
|
552
|
+
def introspection():
|
|
553
|
+
return mispattributes
|
|
554
|
+
|
|
555
|
+
|
|
556
|
+
def version():
|
|
557
|
+
moduleinfo['config'] = moduleconfig
|
|
558
|
+
return moduleinfo
|
|
559
|
+
|
|
560
|
+
|
|
561
|
+
def __select_registrant_item(entry):
|
|
562
|
+
res = None
|
|
563
|
+
if 'contacts' in entry:
|
|
564
|
+
res = list(filter(lambda x: x['type'] == 'registrant',
|
|
565
|
+
entry['contacts']))
|
|
566
|
+
|
|
567
|
+
if 'contact' in entry:
|
|
568
|
+
res = list(filter(lambda x: x['type'] == 'registrant',
|
|
569
|
+
entry['contact']))
|
|
570
|
+
|
|
571
|
+
return res
|