misp-modules 2.4.196__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (194) hide show
  1. misp_modules/__init__.py +379 -0
  2. misp_modules/helpers/__init__.py +1 -0
  3. misp_modules/helpers/cache.py +84 -0
  4. misp_modules/lib/__init__.py +4 -0
  5. misp_modules/lib/_vmray/__init__.py +0 -0
  6. misp_modules/lib/_vmray/parser.py +1417 -0
  7. misp_modules/lib/_vmray/rest_api.py +148 -0
  8. misp_modules/lib/cof2misp/LICENSE-2.0.txt +202 -0
  9. misp_modules/lib/cof2misp/__init__.py +0 -0
  10. misp_modules/lib/cof2misp/cof.py +165 -0
  11. misp_modules/lib/joe_mapping.py +114 -0
  12. misp_modules/lib/joe_parser.py +573 -0
  13. misp_modules/lib/lastline_api.py +841 -0
  14. misp_modules/lib/qintel_helper.py +263 -0
  15. misp_modules/lib/stix2misp.py +2080 -0
  16. misp_modules/lib/stix2misp_mapping.py +460 -0
  17. misp_modules/lib/synonymsToTagNames.json +1 -0
  18. misp_modules/lib/vt_graph_parser/__init__.py +8 -0
  19. misp_modules/lib/vt_graph_parser/errors.py +20 -0
  20. misp_modules/lib/vt_graph_parser/helpers/__init__.py +7 -0
  21. misp_modules/lib/vt_graph_parser/helpers/parsers.py +88 -0
  22. misp_modules/lib/vt_graph_parser/helpers/rules.py +304 -0
  23. misp_modules/lib/vt_graph_parser/helpers/wrappers.py +58 -0
  24. misp_modules/lib/vt_graph_parser/importers/__init__.py +7 -0
  25. misp_modules/lib/vt_graph_parser/importers/base.py +98 -0
  26. misp_modules/lib/vt_graph_parser/importers/pymisp_response.py +73 -0
  27. misp_modules/modules/__init__.py +4 -0
  28. misp_modules/modules/action_mod/__init__.py +1 -0
  29. misp_modules/modules/action_mod/_utils/__init__.py +1 -0
  30. misp_modules/modules/action_mod/_utils/utils.py +70 -0
  31. misp_modules/modules/action_mod/mattermost.py +113 -0
  32. misp_modules/modules/action_mod/slack.py +96 -0
  33. misp_modules/modules/action_mod/testaction.py +68 -0
  34. misp_modules/modules/expansion/__init__.py +36 -0
  35. misp_modules/modules/expansion/_dnsdb_query/COPYRIGHT +27 -0
  36. misp_modules/modules/expansion/_dnsdb_query/LICENSE +202 -0
  37. misp_modules/modules/expansion/_dnsdb_query/README.md +162 -0
  38. misp_modules/modules/expansion/_dnsdb_query/__init__.py +0 -0
  39. misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py +327 -0
  40. misp_modules/modules/expansion/_ransomcoindb/__init__.py +0 -0
  41. misp_modules/modules/expansion/_ransomcoindb/ransomcoindb.py +96 -0
  42. misp_modules/modules/expansion/_vulnerability_parser/__init__.py +0 -0
  43. misp_modules/modules/expansion/_vulnerability_parser/vulnerability_parser.py +118 -0
  44. misp_modules/modules/expansion/abuseipdb.py +146 -0
  45. misp_modules/modules/expansion/apiosintds.py +365 -0
  46. misp_modules/modules/expansion/apivoid.py +133 -0
  47. misp_modules/modules/expansion/assemblyline_query.py +179 -0
  48. misp_modules/modules/expansion/assemblyline_submit.py +100 -0
  49. misp_modules/modules/expansion/backscatter_io.py +84 -0
  50. misp_modules/modules/expansion/btc_scam_check.py +54 -0
  51. misp_modules/modules/expansion/btc_steroids.py +238 -0
  52. misp_modules/modules/expansion/censys_enrich.py +287 -0
  53. misp_modules/modules/expansion/circl_passivedns.py +85 -0
  54. misp_modules/modules/expansion/circl_passivessl.py +113 -0
  55. misp_modules/modules/expansion/clamav.py +129 -0
  56. misp_modules/modules/expansion/cluster25_expand.py +239 -0
  57. misp_modules/modules/expansion/countrycode.py +69 -0
  58. misp_modules/modules/expansion/cpe.py +140 -0
  59. misp_modules/modules/expansion/crowdsec.py +235 -0
  60. misp_modules/modules/expansion/crowdstrike_falcon.py +148 -0
  61. misp_modules/modules/expansion/cuckoo_submit.py +161 -0
  62. misp_modules/modules/expansion/cve.py +57 -0
  63. misp_modules/modules/expansion/cve_advanced.py +185 -0
  64. misp_modules/modules/expansion/cytomic_orion.py +196 -0
  65. misp_modules/modules/expansion/dbl_spamhaus.py +78 -0
  66. misp_modules/modules/expansion/dns.py +71 -0
  67. misp_modules/modules/expansion/docx_enrich.py +71 -0
  68. misp_modules/modules/expansion/domaintools.py +290 -0
  69. misp_modules/modules/expansion/eql.py +91 -0
  70. misp_modules/modules/expansion/eupi.py +86 -0
  71. misp_modules/modules/expansion/extract_url_components.py +83 -0
  72. misp_modules/modules/expansion/farsight_passivedns.py +243 -0
  73. misp_modules/modules/expansion/geoip_asn.py +75 -0
  74. misp_modules/modules/expansion/geoip_city.py +75 -0
  75. misp_modules/modules/expansion/geoip_country.py +73 -0
  76. misp_modules/modules/expansion/google_safe_browsing.py +86 -0
  77. misp_modules/modules/expansion/google_search.py +57 -0
  78. misp_modules/modules/expansion/google_threat_intelligence.py +453 -0
  79. misp_modules/modules/expansion/greynoise.py +346 -0
  80. misp_modules/modules/expansion/hashdd.py +53 -0
  81. misp_modules/modules/expansion/hashlookup.py +118 -0
  82. misp_modules/modules/expansion/hibp.py +62 -0
  83. misp_modules/modules/expansion/html_to_markdown.py +63 -0
  84. misp_modules/modules/expansion/hyasinsight.py +881 -0
  85. misp_modules/modules/expansion/intel471.py +73 -0
  86. misp_modules/modules/expansion/intelmq_eventdb.py.experimental +67 -0
  87. misp_modules/modules/expansion/ip2locationio.py +90 -0
  88. misp_modules/modules/expansion/ipasn.py +70 -0
  89. misp_modules/modules/expansion/ipinfo.py +112 -0
  90. misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py +633 -0
  91. misp_modules/modules/expansion/iprep.py +98 -0
  92. misp_modules/modules/expansion/jinja_template_rendering.py +54 -0
  93. misp_modules/modules/expansion/joesandbox_query.py +91 -0
  94. misp_modules/modules/expansion/joesandbox_submit.py +147 -0
  95. misp_modules/modules/expansion/lastline_query.py +148 -0
  96. misp_modules/modules/expansion/lastline_submit.py +180 -0
  97. misp_modules/modules/expansion/macaddress_io.py +130 -0
  98. misp_modules/modules/expansion/macvendors.py +55 -0
  99. misp_modules/modules/expansion/malshare_upload.py +107 -0
  100. misp_modules/modules/expansion/malwarebazaar.py +67 -0
  101. misp_modules/modules/expansion/mcafee_insights_enrich.py +249 -0
  102. misp_modules/modules/expansion/mmdb_lookup.py +138 -0
  103. misp_modules/modules/expansion/module.py.skeleton +44 -0
  104. misp_modules/modules/expansion/mwdb.py +152 -0
  105. misp_modules/modules/expansion/ocr_enrich.py +74 -0
  106. misp_modules/modules/expansion/ods_enrich.py +71 -0
  107. misp_modules/modules/expansion/odt_enrich.py +61 -0
  108. misp_modules/modules/expansion/onyphe.py +243 -0
  109. misp_modules/modules/expansion/onyphe_full.py +387 -0
  110. misp_modules/modules/expansion/otx.py +167 -0
  111. misp_modules/modules/expansion/passive_ssh.py +150 -0
  112. misp_modules/modules/expansion/passivetotal.py +358 -0
  113. misp_modules/modules/expansion/pdf_enrich.py +58 -0
  114. misp_modules/modules/expansion/pptx_enrich.py +65 -0
  115. misp_modules/modules/expansion/qintel_qsentry.py +229 -0
  116. misp_modules/modules/expansion/qrcode.py +99 -0
  117. misp_modules/modules/expansion/ransomcoindb.py +82 -0
  118. misp_modules/modules/expansion/rbl.py +126 -0
  119. misp_modules/modules/expansion/recordedfuture.py +544 -0
  120. misp_modules/modules/expansion/reversedns.py +77 -0
  121. misp_modules/modules/expansion/securitytrails.py +571 -0
  122. misp_modules/modules/expansion/shodan.py +244 -0
  123. misp_modules/modules/expansion/sigma_queries.py +61 -0
  124. misp_modules/modules/expansion/sigma_syntax_validator.py +49 -0
  125. misp_modules/modules/expansion/sigmf_expand.py +303 -0
  126. misp_modules/modules/expansion/socialscan.py +108 -0
  127. misp_modules/modules/expansion/sophoslabs_intelix.py +146 -0
  128. misp_modules/modules/expansion/sourcecache.py +57 -0
  129. misp_modules/modules/expansion/stairwell.py +156 -0
  130. misp_modules/modules/expansion/stix2_pattern_syntax_validator.py +56 -0
  131. misp_modules/modules/expansion/threatcrowd.py +170 -0
  132. misp_modules/modules/expansion/threatfox.py +75 -0
  133. misp_modules/modules/expansion/threatminer.py +152 -0
  134. misp_modules/modules/expansion/triage_submit.py +119 -0
  135. misp_modules/modules/expansion/trustar_enrich.py +235 -0
  136. misp_modules/modules/expansion/urlhaus.py +164 -0
  137. misp_modules/modules/expansion/urlscan.py +269 -0
  138. misp_modules/modules/expansion/variotdbs.py +133 -0
  139. misp_modules/modules/expansion/virustotal.py +311 -0
  140. misp_modules/modules/expansion/virustotal_public.py +272 -0
  141. misp_modules/modules/expansion/virustotal_upload.py +91 -0
  142. misp_modules/modules/expansion/vmray_submit.py +161 -0
  143. misp_modules/modules/expansion/vmware_nsx.py +628 -0
  144. misp_modules/modules/expansion/vulndb.py +292 -0
  145. misp_modules/modules/expansion/vulnerability_lookup.py +324 -0
  146. misp_modules/modules/expansion/vulners.py +81 -0
  147. misp_modules/modules/expansion/vysion.py +221 -0
  148. misp_modules/modules/expansion/whois.py +72 -0
  149. misp_modules/modules/expansion/whoisfreaks.py +232 -0
  150. misp_modules/modules/expansion/wiki.py +58 -0
  151. misp_modules/modules/expansion/xforceexchange.py +189 -0
  152. misp_modules/modules/expansion/xlsx_enrich.py +63 -0
  153. misp_modules/modules/expansion/yara_query.py +70 -0
  154. misp_modules/modules/expansion/yara_syntax_validator.py +49 -0
  155. misp_modules/modules/expansion/yeti.py +196 -0
  156. misp_modules/modules/export_mod/__init__.py +3 -0
  157. misp_modules/modules/export_mod/cef_export.py +93 -0
  158. misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py +150 -0
  159. misp_modules/modules/export_mod/defender_endpoint_export.py +141 -0
  160. misp_modules/modules/export_mod/goamlexport.py +255 -0
  161. misp_modules/modules/export_mod/liteexport.py +97 -0
  162. misp_modules/modules/export_mod/mass_eql_export.py +106 -0
  163. misp_modules/modules/export_mod/nexthinkexport.py +131 -0
  164. misp_modules/modules/export_mod/osqueryexport.py +125 -0
  165. misp_modules/modules/export_mod/pdfexport.py +107 -0
  166. misp_modules/modules/export_mod/testexport.py +73 -0
  167. misp_modules/modules/export_mod/threatStream_misp_export.py +114 -0
  168. misp_modules/modules/export_mod/threat_connect_export.py +125 -0
  169. misp_modules/modules/export_mod/virustotal_collections.py +141 -0
  170. misp_modules/modules/export_mod/vt_graph.py +120 -0
  171. misp_modules/modules/export_mod/yara_export.py +290 -0
  172. misp_modules/modules/import_mod/__init__.py +22 -0
  173. misp_modules/modules/import_mod/cof2misp.py +264 -0
  174. misp_modules/modules/import_mod/csvimport.py +319 -0
  175. misp_modules/modules/import_mod/cuckooimport.py +749 -0
  176. misp_modules/modules/import_mod/email_import.py +294 -0
  177. misp_modules/modules/import_mod/goamlimport.py +188 -0
  178. misp_modules/modules/import_mod/import_blueprint.py +93 -0
  179. misp_modules/modules/import_mod/joe_import.py +74 -0
  180. misp_modules/modules/import_mod/lastline_import.py +160 -0
  181. misp_modules/modules/import_mod/mispjson.py +73 -0
  182. misp_modules/modules/import_mod/ocr.py +122 -0
  183. misp_modules/modules/import_mod/openiocimport.py +99 -0
  184. misp_modules/modules/import_mod/taxii21.py +383 -0
  185. misp_modules/modules/import_mod/testimport.py +73 -0
  186. misp_modules/modules/import_mod/threatanalyzer_import.py +552 -0
  187. misp_modules/modules/import_mod/url_import.py +97 -0
  188. misp_modules/modules/import_mod/vmray_import.py +96 -0
  189. misp_modules/modules/import_mod/vmray_summary_json_import.py +87 -0
  190. misp_modules-2.4.196.dist-info/LICENSE +661 -0
  191. misp_modules-2.4.196.dist-info/METADATA +281 -0
  192. misp_modules-2.4.196.dist-info/RECORD +194 -0
  193. misp_modules-2.4.196.dist-info/WHEEL +4 -0
  194. misp_modules-2.4.196.dist-info/entry_points.txt +3 -0
@@ -0,0 +1,571 @@
1
+ import json
2
+ import logging
3
+ import sys
4
+ import time
5
+
6
+ from dnstrails import APIError
7
+ from dnstrails import DnsTrails
8
+
9
+ log = logging.getLogger('dnstrails')
10
+ log.setLevel(logging.DEBUG)
11
+ ch = logging.StreamHandler(sys.stdout)
12
+ ch.setLevel(logging.DEBUG)
13
+ formatter = logging.Formatter(
14
+ '%(asctime)s - %(name)s - %(levelname)s - %(message)s')
15
+ ch.setFormatter(formatter)
16
+ log.addHandler(ch)
17
+
18
+ misperrors = {'error': 'Error'}
19
+ mispattributes = {
20
+ 'input': ['hostname', 'domain', 'ip-src', 'ip-dst'],
21
+ 'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'dns-soa-email',
22
+ 'whois-registrant-email', 'whois-registrant-phone',
23
+ 'whois-registrant-name',
24
+ 'whois-registrar', 'whois-creation-date', 'domain']
25
+ }
26
+
27
+ moduleinfo = {
28
+ 'version': '1',
29
+ 'author': 'Sebastien Larinier @sebdraven',
30
+ 'description': 'An expansion modules for SecurityTrails.',
31
+ 'module-type': ['expansion', 'hover'],
32
+ 'name': 'SecurityTrails Lookup',
33
+ 'logo': 'securitytrails.png',
34
+ 'requirements': ['dnstrails python library', 'An access to the SecurityTrails API (apikey)'],
35
+ 'features': 'The module takes a domain, hostname or IP address attribute as input and queries the SecurityTrails API with it.\n\nMultiple parsing operations are then processed on the result of the query to extract a much information as possible.\n\nFrom this data extracted are then mapped MISP attributes.',
36
+ 'references': ['https://securitytrails.com/'],
37
+ 'input': 'A domain, hostname or IP address attribute.',
38
+ 'output': 'MISP attributes resulting from the query on SecurityTrails API, included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- dns-soa-email\n- whois-registrant-email\n- whois-registrant-phone\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- domain',
39
+ }
40
+
41
+ # config fields that your code expects from the site admin
42
+ moduleconfig = ['apikey']
43
+
44
+
45
+ def handler(q=False):
46
+ if q:
47
+
48
+ request = json.loads(q)
49
+
50
+ if not request.get('config') or not (request['config'].get('apikey')):
51
+ misperrors['error'] = 'SecurityTrails authentication is missing'
52
+ return misperrors
53
+
54
+ api = DnsTrails(request['config'].get('apikey'))
55
+
56
+ if not api:
57
+ misperrors['error'] = 'SecurityTrails Error instance api'
58
+ return misperrors
59
+ if request.get('ip-src'):
60
+ ip = request['ip-src']
61
+ return handle_ip(api, ip, misperrors)
62
+ elif request.get('ip-dst'):
63
+ ip = request['ip-dst']
64
+ return handle_ip(api, ip, misperrors)
65
+ elif request.get('domain'):
66
+ domain = request['domain']
67
+ return handle_domain(api, domain, misperrors)
68
+ elif request.get('hostname'):
69
+ hostname = request['hostname']
70
+ return handle_domain(api, hostname, misperrors)
71
+ else:
72
+ misperrors['error'] = "Unsupported attributes types"
73
+ return misperrors
74
+ else:
75
+ return False
76
+
77
+
78
+ def handle_domain(api, domain, misperrors):
79
+ result_filtered = {"results": []}
80
+
81
+ r, status_ok = expand_domain_info(api, misperrors, domain)
82
+
83
+ if status_ok:
84
+ if r:
85
+ result_filtered['results'].extend(r)
86
+ else:
87
+ misperrors['error'] = misperrors['error'] + ' Error DNS result'
88
+ return misperrors
89
+
90
+ time.sleep(1)
91
+ r, status_ok = expand_subdomains(api, domain)
92
+
93
+ if status_ok:
94
+ if r:
95
+ result_filtered['results'].extend(r)
96
+ else:
97
+ misperrors['error'] = misperrors['error'] + ' Error subdomains result'
98
+ return misperrors
99
+
100
+ time.sleep(1)
101
+ r, status_ok = expand_whois(api, domain)
102
+
103
+ if status_ok:
104
+ if r:
105
+ result_filtered['results'].extend(r)
106
+
107
+ time.sleep(1)
108
+ r, status_ok = expand_history_ipv4_ipv6(api, domain)
109
+
110
+ if status_ok:
111
+ if r:
112
+ result_filtered['results'].extend(r)
113
+ else:
114
+ misperrors['error'] = misperrors['error'] + ' Error history ipv4'
115
+ return misperrors
116
+
117
+ time.sleep(1)
118
+
119
+ r, status_ok = expand_history_dns(api, domain)
120
+
121
+ if status_ok:
122
+ if r:
123
+ result_filtered['results'].extend(r)
124
+ else:
125
+ misperrors['error'] = misperrors['error'] + ' Error in expand History DNS'
126
+ return misperrors
127
+
128
+ r, status_ok = expand_history_whois(api, domain)
129
+
130
+ if status_ok:
131
+ if r:
132
+ result_filtered['results'].extend(r)
133
+ else:
134
+ misperrors['error'] = misperrors['error'] + ' Error in expand History Whois'
135
+ return misperrors
136
+
137
+ return result_filtered
138
+
139
+
140
+ def handle_ip(api, ip, misperrors):
141
+ result_filtered = {"results": []}
142
+
143
+ r, status_ok = expand_searching_domain(api, ip)
144
+
145
+ if status_ok:
146
+ if r:
147
+ result_filtered['results'].extend(r)
148
+ else:
149
+ misperrors['error'] += ' Error in expand searching domain'
150
+ return misperrors
151
+
152
+ return result_filtered
153
+
154
+
155
+ def expand_domain_info(api, misperror, domain):
156
+ r = []
157
+ status_ok = False
158
+ ns_servers = []
159
+ list_ipv4 = []
160
+ list_ipv6 = []
161
+ servers_mx = []
162
+ soa_hostnames = []
163
+
164
+ try:
165
+ results = api.domain(domain)
166
+ except APIError as e:
167
+ misperrors['error'] = e.value
168
+ return [], False
169
+
170
+ if results:
171
+ status_ok = True
172
+ if 'current_dns' in results:
173
+ if 'values' in results['current_dns']['ns']:
174
+ ns_servers = [ns_entry['nameserver'] for ns_entry in
175
+ results['current_dns']['ns']['values']
176
+ if 'nameserver' in ns_entry]
177
+ if 'values' in results['current_dns']['a']:
178
+ list_ipv4 = [a_entry['ip'] for a_entry in
179
+ results['current_dns']['a']['values'] if
180
+ 'ip' in a_entry]
181
+
182
+ if 'values' in results['current_dns']['aaaa']:
183
+ list_ipv6 = [ipv6_entry['ipv6'] for ipv6_entry in
184
+ results['current_dns']['aaaa']['values'] if
185
+ 'ipv6' in ipv6_entry]
186
+
187
+ if 'values' in results['current_dns']['mx']:
188
+ servers_mx = [mx_entry['hostname'] for mx_entry in
189
+ results['current_dns']['mx']['values'] if
190
+ 'hostname' in mx_entry]
191
+ if 'values' in results['current_dns']['soa']:
192
+ soa_hostnames = [soa_entry['email'] for soa_entry in
193
+ results['current_dns']['soa']['values'] if
194
+ 'email' in soa_entry]
195
+
196
+ if ns_servers:
197
+ r.append({'types': ['domain'],
198
+ 'values': ns_servers,
199
+ 'categories': ['Network activity'],
200
+ 'comment': 'List of name servers of %s first seen %s ' %
201
+ (domain,
202
+ results['current_dns']['ns']['first_seen'])
203
+ })
204
+
205
+ if list_ipv4:
206
+ r.append({'types': ['domain|ip'],
207
+ 'values': ['%s|%s' % (domain, ipv4) for ipv4 in
208
+ list_ipv4],
209
+ 'categories': ['Network activity'],
210
+
211
+ 'comment': ' List ipv4 of %s first seen %s' %
212
+ (domain,
213
+ results['current_dns']['a']['first_seen'])
214
+
215
+ })
216
+ if list_ipv6:
217
+ r.append({'types': ['domain|ip'],
218
+ 'values': ['%s|%s' % (domain, ipv6) for ipv6 in
219
+ list_ipv6],
220
+ 'categories': ['Network activity'],
221
+ 'comment': ' List ipv6 of %s first seen %s' %
222
+ (domain,
223
+ results['current_dns']['aaaa']['first_seen'])
224
+
225
+ })
226
+
227
+ if servers_mx:
228
+ r.append({'types': ['domain'],
229
+ 'values': servers_mx,
230
+ 'categories': ['Network activity'],
231
+ 'comment': ' List mx of %s first seen %s' %
232
+ (domain,
233
+ results['current_dns']['mx']['first_seen'])
234
+
235
+ })
236
+ if soa_hostnames:
237
+ r.append({'types': ['domain'],
238
+ 'values': soa_hostnames,
239
+ 'categories': ['Network activity'],
240
+ 'comment': ' List soa of %s first seen %s' %
241
+ (domain,
242
+ results['current_dns']['soa']['first_seen'])
243
+ })
244
+
245
+ return r, status_ok
246
+
247
+
248
+ def expand_subdomains(api, domain):
249
+ r = []
250
+ status_ok = False
251
+
252
+ try:
253
+ results = api.subdomains(domain)
254
+
255
+ if results:
256
+ status_ok = True
257
+ if 'subdomains' in results:
258
+ r.append({
259
+ 'types': ['domain'],
260
+ 'values': ['%s.%s' % (sub, domain)
261
+ for sub in results['subdomains']],
262
+ 'categories': ['Network activity'],
263
+ 'comment': 'subdomains of %s' % domain
264
+ }
265
+
266
+ )
267
+ except APIError as e:
268
+ misperrors['error'] = e.value
269
+ return [], False
270
+
271
+ return r, status_ok
272
+
273
+
274
+ def expand_whois(api, domain):
275
+ r = []
276
+ status_ok = False
277
+
278
+ try:
279
+ results = api.whois(domain)
280
+
281
+ if results:
282
+ status_ok = True
283
+ item_registrant = __select_registrant_item(results)
284
+ if item_registrant:
285
+
286
+ if 'email' in item_registrant[0]:
287
+ r.append(
288
+ {
289
+ 'types': ['whois-registrant-email'],
290
+ 'values': [item_registrant[0]['email']],
291
+ 'categories': ['Attribution'],
292
+ 'comment': 'Whois information of %s by securitytrails'
293
+ % domain
294
+ }
295
+ )
296
+
297
+ if 'telephone' in item_registrant[0]:
298
+ r.append(
299
+ {
300
+ 'types': ['whois-registrant-phone'],
301
+ 'values': [item_registrant[0]['telephone']],
302
+ 'categories': ['Attribution'],
303
+ 'comment': 'Whois information of %s by securitytrails'
304
+ % domain
305
+ }
306
+ )
307
+
308
+ if 'name' in item_registrant[0]:
309
+ r.append(
310
+ {
311
+ 'types': ['whois-registrant-name'],
312
+ 'values': [item_registrant[0]['name']],
313
+ 'categories': ['Attribution'],
314
+ 'comment': 'Whois information of %s by securitytrails'
315
+ % domain
316
+ }
317
+ )
318
+
319
+ if 'registrarName' in item_registrant[0]:
320
+ r.append(
321
+ {
322
+ 'types': ['whois-registrar'],
323
+ 'values': [item_registrant[0]['registrarName']],
324
+ 'categories': ['Attribution'],
325
+ 'comment': 'Whois information of %s by securitytrails'
326
+ % domain
327
+ }
328
+ )
329
+
330
+ if 'createdDate' in item_registrant[0]:
331
+ r.append(
332
+ {
333
+ 'types': ['whois-creation-date'],
334
+ 'values': [item_registrant[0]['createdDate']],
335
+ 'categories': ['Attribution'],
336
+ 'comment': 'Whois information of %s by securitytrails'
337
+ % domain
338
+ }
339
+ )
340
+
341
+ except APIError as e:
342
+ misperrors['error'] = e.value
343
+ return [], False
344
+
345
+ return r, status_ok
346
+
347
+
348
+ def expand_history_ipv4_ipv6(api, domain):
349
+ r = []
350
+ status_ok = False
351
+
352
+ try:
353
+ results = api.history_dns_ipv4(domain)
354
+
355
+ if results:
356
+ status_ok = True
357
+ r.extend(__history_ip(results, domain))
358
+
359
+ time.sleep(1)
360
+ results = api.history_dns_aaaa(domain)
361
+
362
+ if results:
363
+ status_ok = True
364
+ r.extend(__history_ip(results, domain, type_ip='ipv6'))
365
+
366
+ except APIError as e:
367
+ misperrors['error'] = e.value
368
+ return [], False
369
+
370
+ return r, status_ok
371
+
372
+
373
+ def expand_history_dns(api, domain):
374
+ r = []
375
+ status_ok = False
376
+
377
+ try:
378
+
379
+ results = api.history_dns_ns(domain)
380
+ if results:
381
+ r.extend(__history_dns(results, domain, 'nameserver', 'ns'))
382
+
383
+ time.sleep(1)
384
+
385
+ results = api.history_dns_soa(domain)
386
+
387
+ if results:
388
+ r.extend(__history_dns(results, domain, 'email', 'soa'))
389
+
390
+ time.sleep(1)
391
+
392
+ results = api.history_dns_mx(domain)
393
+
394
+ if results:
395
+ status_ok = True
396
+ r.extend(__history_dns(results, domain, 'host', 'mx'))
397
+
398
+ except APIError as e:
399
+ misperrors['error'] = e.value
400
+ return [], False
401
+
402
+ status_ok = True
403
+
404
+ return r, status_ok
405
+
406
+
407
+ def expand_history_whois(api, domain):
408
+ r = []
409
+ status_ok = False
410
+ try:
411
+ results = api.history_whois(domain)
412
+
413
+ if results:
414
+
415
+ if 'items' in results['result']:
416
+ for item in results['result']['items']:
417
+ item_registrant = __select_registrant_item(item)
418
+
419
+ r.append(
420
+ {
421
+ 'types': ['domain'],
422
+ 'values': item['nameServers'],
423
+ 'categories': ['Network activity'],
424
+ 'comment': 'Whois history Name Servers of %s '
425
+ 'Status: %s ' % (
426
+ domain, ' '.join(item['status']))
427
+
428
+ }
429
+ )
430
+ if item_registrant:
431
+
432
+ if 'email' in item_registrant[0]:
433
+ r.append(
434
+ {
435
+ 'types': ['whois-registrant-email'],
436
+ 'values': [item_registrant[0]['email']],
437
+ 'categories': ['Attribution'],
438
+ 'comment': 'Whois history registrant email of %s'
439
+ 'Status: %s' % (
440
+ domain,
441
+ ' '.join(item['status']))
442
+ }
443
+ )
444
+
445
+ if 'telephone' in item_registrant[0]:
446
+ r.append(
447
+ {
448
+ 'types': ['whois-registrant-phone'],
449
+ 'values': [item_registrant[0]['telephone']],
450
+ 'categories': ['Attribution'],
451
+ 'comment': 'Whois history registrant phone of %s'
452
+ 'Status: %s' % (
453
+ domain,
454
+ ' '.join(item['status']))
455
+ }
456
+ )
457
+
458
+ except APIError as e:
459
+ misperrors['error'] = e.value
460
+ return [], False
461
+ status_ok = True
462
+
463
+ return r, status_ok
464
+
465
+
466
+ def __history_ip(results, domain, type_ip='ip'):
467
+ r = []
468
+ if 'records' in results:
469
+ for record in results['records']:
470
+ if 'values' in record:
471
+ for item in record['values']:
472
+ r.append(
473
+ {'types': ['domain|ip'],
474
+ 'values': ['%s|%s' % (domain, item[type_ip])],
475
+ 'categories': ['Network activity'],
476
+ 'comment': 'History IP on securitytrails %s '
477
+ 'last seen: %s first seen: %s' %
478
+ (domain, record['last_seen'],
479
+ record['first_seen'])
480
+ }
481
+ )
482
+
483
+ return r
484
+
485
+
486
+ def __history_dns(results, domain, type_serv, service):
487
+ r = []
488
+
489
+ if 'records' in results:
490
+ for record in results['records']:
491
+ if 'values' in record:
492
+ values = record['values']
493
+ if type(values) is list:
494
+
495
+ for item in record['values']:
496
+ r.append(
497
+ {'types': ['domain|ip'],
498
+ 'values': [item[type_serv]],
499
+ 'categories': ['Network activity'],
500
+ 'comment': 'history %s of %s last seen: %s first seen: %s' %
501
+ (service, domain, record['last_seen'],
502
+ record['first_seen'])
503
+ }
504
+ )
505
+ else:
506
+ r.append(
507
+ {'types': ['domain|ip'],
508
+ 'values': [values[type_serv]],
509
+ 'categories': ['Network activity'],
510
+ 'comment': 'history %s of %s last seen: %s first seen: %s' %
511
+ (service, domain, record['last_seen'],
512
+ record['first_seen'])
513
+ }
514
+ )
515
+ return r
516
+
517
+
518
+ def expand_searching_domain(api, ip):
519
+ r = []
520
+ status_ok = False
521
+
522
+ try:
523
+ results = api.searching_domains(ipv4=ip)
524
+
525
+ if results:
526
+ if 'records' in results:
527
+ res = [(r['host_provider'], r['hostname'], r['whois'])
528
+ for r in results['records']]
529
+
530
+ for host_provider, hostname, whois in res:
531
+ comment = 'domain for %s by %s' % (ip, host_provider[0])
532
+ if whois['registrar']:
533
+ comment = comment + ' registrar %s' % whois['registrar']
534
+
535
+ r.append(
536
+ {
537
+ 'types': ['domain'],
538
+ 'category': ['Network activity'],
539
+ 'values': [hostname],
540
+ 'comment': comment
541
+
542
+ }
543
+ )
544
+ status_ok = True
545
+ except APIError as e:
546
+ misperrors['error'] = e.value
547
+ return [], False
548
+
549
+ return r, status_ok
550
+
551
+
552
+ def introspection():
553
+ return mispattributes
554
+
555
+
556
+ def version():
557
+ moduleinfo['config'] = moduleconfig
558
+ return moduleinfo
559
+
560
+
561
+ def __select_registrant_item(entry):
562
+ res = None
563
+ if 'contacts' in entry:
564
+ res = list(filter(lambda x: x['type'] == 'registrant',
565
+ entry['contacts']))
566
+
567
+ if 'contact' in entry:
568
+ res = list(filter(lambda x: x['type'] == 'registrant',
569
+ entry['contact']))
570
+
571
+ return res