def load_client(context):
"""Get an instance of a loaded client."""
username = context.getTransformSetting('username')
api_key = context.getTransformSetting('aKey')
test_status = context.getTransformSetting('test_local')
if test_status and test_status == 'True':
server = context.getTransformSetting('server')
version = context.getTransformSetting('version')
return SslRequest(username, api_key, server, version)
else:
return SslRequest(username, api_key, headers=gen_debug(request))
def get_ssl(self, **kwargs):
client = SslRequest(self.username, self.apikey)
keys = ['query', 'compact', 'field', 'type']
params = self._cleanup_params(keys, **kwargs)
if not params.get('type'):
return client.get_ssl_certificate_details(**params)
elif params.get('type') == 'history':
return client.get_ssl_certificate_history(**params)
elif params.get('type') == 'search' and params.get('field'):
return client.search_ssl_certificate_by_field(**params)
else:
self.stoq.log.error("No SSL field provided.")
return None
def call_ssl(args):
"""Abstract call to SSL-based queries."""
client = SslRequest.from_config()
pruned = prune_args(
query=args.query,
compact_record=args.compact,
field=args.field,
)
valid_types = ['search', 'history']
if args.type and args.type not in valid_types:
raise ValueError("Invalid type specified.")
if not args.type:
data = SSLResponse.process(
{'results': [client.get_ssl_certificate_details(**pruned)]})
elif args.type == 'history':
data = SSLHistoryResponse.process(
client.get_ssl_certificate_history(**pruned))
elif args.type == 'search' and args.field:
data = SSLResponse.process(
client.search_ssl_certificate_by_field(**pruned))
else:
raise ValueError("Field argument was missing from the call.")
return data
def get_ssl(self, **kwargs):
client = SslRequest(self.username, self.apikey)
keys = ['query', 'compact', 'field', 'type']
params = self._cleanup_params(keys, **kwargs)
if not params.get('type'):
return client.get_ssl_certificate_details(**params)
elif params.get('type') == 'history':
return client.get_ssl_certificate_history(**params)
elif params.get('type') == 'search' and params.get('field'):
return client.search_ssl_certificate_by_field(**params)
else:
self.log.error("No SSL field provided.")
return None
def __init__(self):
try:
self.clients = {
'ssl': SslRequest.from_config(),
'dns': DnsRequest.from_config(),
'enrichment': EnrichmentRequest.from_config(),
'whois': WhoisRequest.from_config(),
'attribute': AttributeRequest.from_config(),
}
except Exception:
self.clients = None
def run(self):
Analyzer.run(self)
data = self.getData()
try:
# enrichment service
if self.service == 'enrichment':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_enrichment(query=data)
self.report(result)
# malware service
elif self.service == 'malware':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_malware(query=data)
self.report(result)
# osint service
elif self.service == 'osint':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_osint(query=data)
self.report(result)
# passive dns service
elif self.service == 'passive_dns':
dns_request = DnsRequest(username=self.username, api_key=self.api_key)
result = dns_request.get_passive_dns(query=data)
self.report(result)
# ssl certificate details service
elif self.service == 'ssl_certificate_details':
ssl_request = SslRequest(username=self.username, api_key=self.api_key)
result = ssl_request.get_ssl_certificate_details(query=data)
self.report(result)
# ssl certificate history service
elif self.service == 'ssl_certificate_history':
ssl_request = SslRequest(username=self.username, api_key=self.api_key)
result = ssl_request.get_ssl_certificate_history(query=data)
self.report(result)
# unique resolutions service
elif self.service == 'unique_resolutions':
dns_request = DnsRequest(username=self.username, api_key=self.api_key)
result = dns_request.get_unique_resolutions(query=data)
self.report(result)
# whois details service
elif self.service == 'whois_details':
whois_request = WhoisRequest(username=self.username, api_key=self.api_key)
result = whois_request.get_whois_details(query=data)
self.report(result)
else:
self.error('Unknown PassiveTotal service')
except Exception as e:
self.unexpectedError(e)
def call_ssl(args):
"""Abstract call to SSL-based queries."""
client = SslRequest.from_config()
pruned = prune_args(
query=args.query,
compact_record=args.compact,
field=args.field,
type=args.type
)
valid_types = ['search', 'history']
if args.type and args.type not in valid_types:
raise ValueError("Invalid type specified.")
if not args.type:
data = client.get_ssl_certificate_details(**pruned)
elif args.type == 'history':
data = client.get_ssl_certificate_history(**pruned)
elif args.type == 'search' and args.field:
data = client.search_ssl_certificate_by_field(**pruned)
else:
raise ValueError("Field argument was missing from the call.")
return data
def setup_class(self):
self.patcher = patch('passivetotal.api.Client._get', fake_request)
self.patcher.start()
self.client = SslRequest('--No-User--', '--No-Key--')
class SslTestCase(unittest.TestCase):
"""Test case for SSL certificate methods."""
formats = ['json']
def setup_class(self):
self.patcher = patch('passivetotal.api.Client._get', fake_request)
self.patcher.start()
self.client = SslRequest('--No-User--', '--No-Key--')
def teardown_class(self):
self.patcher.stop()
def test_ssl_certificate_details(self):
"""Test getting SSL certificate details."""
payload = {'query': 'e9a6647d6aba52dc47b3838c920c9ee59bad7034'}
response = self.client.get_ssl_certificate_details(**payload)
assert (response.get('serialNumber')
) == '2317683628587350290823564500811277499'
def test_process_ssl_certificate_details(self):
"""Test processing SSL certificate details."""
payload = {'query': 'e9a6647d6aba52dc47b3838c920c9ee59bad7034'}
response = self.client.get_ssl_certificate_details(**payload)
wrapped = Response(response)
for item in self.formats:
assert (getattr(wrapped, item))
def test_property_load(self):
"""Test loading properties on a result."""
payload = {'query': 'e9a6647d6aba52dc47b3838c920c9ee59bad7034'}
response = self.client.get_ssl_certificate_details(**payload)
wrapped = Response(response)
for key, value in iteritems(response):
assert (getattr(wrapped, key)) == value
def test_ssl_certificate_search(self):
"""Test getting a SSL certificate search."""
payload = {
'query': 'www.passivetotal.org',
'field': 'subjectCommonName'
}
response = self.client.search_ssl_certificate_by_field(**payload)
assert (response['results'][0]['serialNumber']
) == '2317683628587350290823564500811277499'
def test_ssl_certificate_search_bad_field(self):
"""Test sending a bad field in a search."""
with pytest.raises(INVALID_FIELD_TYPE) as excinfo:
def invalid_field():
payload = {'query': 'www.passivetotal.org', 'field': '_'}
self.client.search_ssl_certificate_by_field(**payload)
invalid_field()
assert 'must be one of the following' in str(excinfo.value)
def test_ssl_certificate_search_missing_field(self):
"""Test missing a field in a search."""
with pytest.raises(MISSING_FIELD) as excinfo:
def missing_field():
payload = {'query': 'www.passivetotal.org', 'no-field': '_'}
self.client.search_ssl_certificate_by_field(**payload)
missing_field()
assert 'value is required' in str(excinfo.value)
def test_process_ssl_certificate_search(self):
"""Test processing search results."""
payload = {
'query': 'www.passivetotal.org',
'field': 'subjectCommonName'
}
response = self.client.search_ssl_certificate_by_field(**payload)
results = Response(response)
assert (Response(results.results[0]).serialNumber
) == '2317683628587350290823564500811277499'
def test_process_ssl_certificate_history(self):
"""Test processing search results."""
payload = {'query': '52.8.228.23'}
response = self.client.get_ssl_certificate_history(**payload)
wrapped = Response(response)
record = Response(wrapped.results.pop(0))
assert (record.sha1) == 'e9a6647d6aba52dc47b3838c920c9ee59bad7034'
def setup_class(self):
self.patcher = patch('passivetotal.api.Client._get', fake_request)
self.patcher.start()
self.client = SslRequest('--No-User--', '--No-Key--')
class SslTestCase(unittest.TestCase):
"""Test case for SSL certificate methods."""
formats = ['json', 'xml', 'csv', 'text', 'table']
def setup_class(self):
self.patcher = patch('passivetotal.api.Client._get', fake_request)
self.patcher.start()
self.client = SslRequest('--No-User--', '--No-Key--')
def teardown_class(self):
self.patcher.stop()
def test_ssl_certificate_details(self):
"""Test getting SSL certificate details."""
payload = {'query': 'e9a6647d6aba52dc47b3838c920c9ee59bad7034'}
response = self.client.get_ssl_certificate_details(**payload)
assert (response.get('serialNumber')) == '2317683628587350290823564500811277499'
def test_process_ssl_certificate_details(self):
"""Test processing SSL certificate details."""
payload = {'query': 'e9a6647d6aba52dc47b3838c920c9ee59bad7034'}
response = self.client.get_ssl_certificate_details(**payload)
wrapped = SslResponse(response)
for item in self.formats:
assert (getattr(wrapped, item))
def test_property_load(self):
"""Test loading properties on a result."""
payload = {'query': 'e9a6647d6aba52dc47b3838c920c9ee59bad7034'}
response = self.client.get_ssl_certificate_details(**payload)
wrapped = SslResponse(response)
for key, value in iteritems(response):
assert (getattr(wrapped, key)) == value
def test_ssl_certificate_search(self):
"""Test getting a SSL certificate search."""
payload = {'query': 'www.passivetotal.org', 'field': 'subjectCommonName'}
response = self.client.search_ssl_certificate_by_field(**payload)
assert (response['results'][0]['serialNumber']) == '2317683628587350290823564500811277499'
def test_ssl_certificate_search_bad_field(self):
"""Test sending a bad field in a search."""
with pytest.raises(INVALID_FIELD_TYPE) as excinfo:
def invalid_field():
payload = {'query': 'www.passivetotal.org', 'field': '_'}
self.client.search_ssl_certificate_by_field(**payload)
invalid_field()
assert 'must be one of the following' in str(excinfo.value)
def test_ssl_certificate_search_missing_field(self):
"""Test missing a field in a search."""
with pytest.raises(MISSING_FIELD) as excinfo:
def missing_field():
payload = {'query': 'www.passivetotal.org', 'no-field': '_'}
self.client.search_ssl_certificate_by_field(**payload)
missing_field()
assert 'value is required' in str(excinfo.value)
def test_process_ssl_certificate_search(self):
"""Test processing search results."""
payload = {'query': 'www.passivetotal.org', 'field': 'subjectCommonName'}
response = self.client.search_ssl_certificate_by_field(**payload)
results = SslSearchResponse(response)
assert (results.get_records()[0].serialNumber) == '2317683628587350290823564500811277499'
def test_process_ssl_certificate_history(self):
"""Test processing search results."""
payload = {'query': '52.8.228.23'}
response = self.client.get_ssl_certificate_history(**payload)
wrapped = SslHistoryResponse(response)
record = wrapped.get_records().pop(0)
assert (record.sha1) == 'e9a6647d6aba52dc47b3838c920c9ee59bad7034'
logger.info("Starting command processing")
input_events, dummyresults, settings = splunk.Intersplunk.getOrganizedResults(
)
keywords, options = splunk.Intersplunk.getKeywordsAndOptions()
query_value = options.get("query", "")
logger.info("Query target: %s" % query_value)
logger.debug("Raw options: %s" % str(options))
configuration = get_config("passivetotal", "api-setup")
username = configuration.get('username', None)
api_key = configuration.get('apikey', None)
output_events = list()
ssl = SslRequest(
username, api_key,
headers=build_headers()).get_ssl_certificate_history(query=query_value)
if 'error' in ssl:
raise Exception(
"Whoa there, looks like you reached your quota for today! Please come back tomorrow to resume your investigation or contact support for details on enterprise plans."
)
for result in ssl.get("results", []):
ip_addresses = result.get('ipAddresses', [])
result.pop('ipAddresses', None)
for ip in ip_addresses:
result['resolve'] = ip
output_events.append(result)
output_events.append(result)
splunk.Intersplunk.outputResults(output_events)
except Exception, e:
def run(self):
data = self.get_data()
try:
# enrichment service
if self.service == 'enrichment':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_enrichment(query=data)
self.report(result)
# malware service
elif self.service == 'malware':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_malware(query=data)
self.report(result)
# osint service
elif self.service == 'osint':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_osint(query=data)
self.report(result)
# passive dns service
elif self.service == 'passive_dns':
dns_request = DnsRequest(username=self.username,
api_key=self.api_key)
result = dns_request.get_passive_dns(query=data)
self.report(result)
# ssl certificate details service
elif self.service == 'ssl_certificate_details':
ssl_request = SslRequest(username=self.username,
api_key=self.api_key)
result = ssl_request.get_ssl_certificate_details(query=data)
self.report(result)
# ssl certificate history service
elif self.service == 'ssl_certificate_history':
ssl_request = SslRequest(username=self.username,
api_key=self.api_key)
result = ssl_request.get_ssl_certificate_history(query=data)
print(len(result['results']))
if len(result['results']
) == 1 and result['results'][0]['ipAddresses'] == 'N/A':
print("ok")
self.report({'results': []})
else:
self.report(result)
# unique resolutions service
elif self.service == 'unique_resolutions':
dns_request = DnsRequest(username=self.username,
api_key=self.api_key)
result = dns_request.get_unique_resolutions(query=data)
self.report(result)
# whois details service
elif self.service == 'whois_details':
whois_request = WhoisRequest(username=self.username,
api_key=self.api_key)
result = whois_request.get_whois_details(query=data)
self.report(result)
# components service
elif self.service == 'components':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_components(query=data)
self.report(result)
# trackers service
elif self.service == 'trackers':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_trackers(query=data)
self.report(result)
# host pairs service
elif self.service == 'host_pairs':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_host_pairs(query=data,
direction='parents')
children = host_attr_request.get_host_pairs(
query=data, direction='children')
result['totalRecords'] += children['totalRecords']
result['results'] = result['results'] + children['results']
self.report(result)
else:
self.error('Unknown PassiveTotal service')
except Exception as e:
self.unexpectedError(e)
