def load_client(context): """Get an instance of a loaded client.""" username = context.getTransformSetting('username') api_key = context.getTransformSetting('aKey') test_status = context.getTransformSetting('test_local') if test_status and test_status == 'True': server = context.getTransformSetting('server') version = context.getTransformSetting('version') return WhoisRequest(username, api_key, server, version) else: return WhoisRequest(username, api_key, headers=gen_debug(request))
def run(self): Analyzer.run(self) data = self.getData() try: # enrichment service if self.service == 'enrichment': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_enrichment(query=data) self.report(result) # malware service elif self.service == 'malware': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_malware(query=data) self.report(result) # osint service elif self.service == 'osint': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_osint(query=data) self.report(result) # passive dns service elif self.service == 'passive_dns': dns_request = DnsRequest(username=self.username, api_key=self.api_key) result = dns_request.get_passive_dns(query=data) self.report(result) # ssl certificate details service elif self.service == 'ssl_certificate_details': ssl_request = SslRequest(username=self.username, api_key=self.api_key) result = ssl_request.get_ssl_certificate_details(query=data) self.report(result) # ssl certificate history service elif self.service == 'ssl_certificate_history': ssl_request = SslRequest(username=self.username, api_key=self.api_key) result = ssl_request.get_ssl_certificate_history(query=data) self.report(result) # unique resolutions service elif self.service == 'unique_resolutions': dns_request = DnsRequest(username=self.username, api_key=self.api_key) result = dns_request.get_unique_resolutions(query=data) self.report(result) # whois details service elif self.service == 'whois_details': whois_request = WhoisRequest(username=self.username, api_key=self.api_key) result = whois_request.get_whois_details(query=data) self.report(result) else: self.error('Unknown PassiveTotal service') except Exception as e: self.unexpectedError(e)
def get_whois(self, **kwargs): client = WhoisRequest(self.username, self.apikey) keys = ['query', 'compact', 'field'] params = self._cleanup_params(keys, **kwargs) if not params.get('field'): return client.get_whois_details(**params) else: return client.search_whois_by_field(**params)
def run(self, conf, args, plugins): if 'subcommand' in args: if args.subcommand == 'whois': client = WhoisRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key']) if args.domain: raw_results = client.search_whois_by_field(query=unbracket( args.domain.strip()), field="domain") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) elif args.file: with open(args.file, 'r') as infile: data = infile.read().split() print( "Domain|Date|Registrar|name|email|Phone|organization|Street|City|Postal Code|State|Country" ) for d in data: do = unbracket(d.strip()) # FIXME: bulk request here raw_results = client.search_whois_by_field( query=do, field="domain") if "results" not in raw_results: print("%s|||||||||||" % bracket(do)) else: if len(raw_results["results"]) == 0: print("%s|||||||||||" % bracket(do)) else: r = raw_results["results"][0] if "registered" in r: dd = datetime.datetime.strptime( r["registered"], "%Y-%m-%dT%H:%M:%S.%f%z") ddo = dd.strftime("%m/%d/%Y %H:%M:%S") else: ddo = "" print( "%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s" % (bracket(do), ddo, r["registrar"] if "registrar" in r else "", r["registrant"]["name"] if "name" in r["registrant"] else "", r["registrant"]["email"] if "email" in r["registrant"] else "", r["registrant"]["telephone"] if "telephone" in r["registrant"] else "", r["registrant"]["organization"] if "organization" in r["registrant"] else "", r["registrant"]["street"] if "street" in r["registrant"] else "", r["registrant"]["city"] if "city" in r["registrant"] else "", r["registrant"]["postalCode"] if "postalCode" in r["registrant"] else "", r["registrant"]["state"] if "state" in r["registrant"] else "", r["registrant"]["country"] if "country" in r["registrant"] else "")) elif args.email: raw_results = client.search_whois_by_field( query=args.email.strip(), field="email") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) else: self.parser.print_help() elif args.subcommand == "dns": client = DnsRequest(conf['PassiveTotal']['username'], conf['PassiveTotal']['key']) raw_results = client.get_passive_dns(query=unbracket( args.DOMAIN), ) print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) elif args.subcommand == "malware": client = EnrichmentRequest(conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key']) if args.domain: raw_results = client.get_malware(query=args.domain) print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) elif args.file: with open(args.file, 'r') as infile: data = infile.read().split() domain_list = list(set([a.strip() for a in data])) if len(domain_list) < 51: raw_results = client.get_bulk_malware( query=domain_list) if "results" not in raw_results or not raw_results[ "success"]: print("Request failed") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) sys.exit(1) else: results = raw_results["results"] else: results = {} bulk_size = 50 i = 0 while i * bulk_size < len(domain_list): raw_results = client.get_bulk_malware( query=domain_list[i * bulk_size:(i + 1) * bulk_size]) if "results" not in raw_results or not raw_results[ "success"]: print("Request failed") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) sys.exit(1) else: results.update(raw_results["results"]) i += 1 if args.raw: print( json.dumps(results, sort_keys=True, indent=4, separators=(',', ': '))) else: print("Domain|Date|Sample|Source|Source URL") for domain in results: if "results" in results[domain]: for sample in results[domain]["results"]: print("%s|%s|%s|%s|%s" % (domain, sample["collectionDate"], sample["sample"], sample["source"], sample["sourceUrl"])) else: self.parser.print_help() elif args.subcommand == "osint": # FIXME: add research of projects client = EnrichmentRequest(conf["PassiveTotal"]["username"], conf["PassiveTotal"]['key']) if args.domain: raw_results = client.get_osint(query=args.domain) print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) elif args.file: with open(args.file, 'r') as infile: data = infile.read().split() domain_list = list(set([a.strip() for a in data])) if len(domain_list) < 51: raw_results = client.get_bulk_osint(query=domain_list) if "results" not in raw_results or not raw_results[ "success"]: print("Request failed") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) sys.exit(1) else: results = raw_results["results"] else: results = {} bulk_size = 50 i = 0 while i * bulk_size < len(domain_list): raw_results = client.get_bulk_osint( query=domain_list[i * bulk_size:(i + 1) * bulk_size]) if "results" not in raw_results or not raw_results[ "success"]: print("Request failed") print( json.dumps(raw_results, sort_keys=True, indent=4, separators=(',', ': '))) sys.exit(1) else: results.update(raw_results["results"]) i += 1 if args.raw: print( json.dumps(results, sort_keys=True, indent=4, separators=(',', ': '))) else: print("Domain|Source|URL|Tags") for domain in results: if "results" in results[domain]: for report in results[domain]["results"]: print("%s|%s|%s|%s" % (domain, report["source"], report["source_url"], " / ".join( report["tags"]))) else: self.parser.print_help() else: self.parser.print_help() else: self.parser.print_help()
logger.info("Starting command processing") input_events, dummyresults, settings = splunk.Intersplunk.getOrganizedResults( ) keywords, options = splunk.Intersplunk.getKeywordsAndOptions() query_value = options.get("query", "") logger.info("Query target: %s" % query_value) logger.debug("Raw options: %s" % str(options)) configuration = get_config("passivetotal", "api-setup") username = configuration.get('username', None) api_key = configuration.get('apikey', None) output_events = list() whois = WhoisRequest(username, api_key, headers=build_headers()).get_whois_details( query=query_value, compact_record=True) if 'error' in whois: raise Exception( "Whoa there, looks like you reached your quota for today! Please come back tomorrow to resume your investigation or contact support for details on enterprise plans." ) fields = [ 'contactEmail', 'nameServers', 'registered', 'registryUpdatedAt', 'expiresAt', 'registrar' ] for field in fields: tmp = {'key': gen_label(field), 'value': whois.get(field, '')} output_events.append(tmp) for key, value in whois.get('compact', {}).iteritems(): formatted = list() for item in value.get('values', []):
def setup_class(self): self.patcher = patch('passivetotal.api.Client._get', fake_request) self.patcher.start() self.client = WhoisRequest('--No-User--', '--No-Key--')
def run(self): data = self.get_data() try: # enrichment service if self.service == 'enrichment': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_enrichment(query=data) self.report(result) # malware service elif self.service == 'malware': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_malware(query=data) self.report(result) # osint service elif self.service == 'osint': enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key) result = enrichment_request.get_osint(query=data) self.report(result) # passive dns service elif self.service == 'passive_dns': dns_request = DnsRequest(username=self.username, api_key=self.api_key) result = dns_request.get_passive_dns(query=data) self.report(result) # ssl certificate details service elif self.service == 'ssl_certificate_details': ssl_request = SslRequest(username=self.username, api_key=self.api_key) result = ssl_request.get_ssl_certificate_details(query=data) self.report(result) # ssl certificate history service elif self.service == 'ssl_certificate_history': ssl_request = SslRequest(username=self.username, api_key=self.api_key) result = ssl_request.get_ssl_certificate_history(query=data) print(len(result['results'])) if len(result['results'] ) == 1 and result['results'][0]['ipAddresses'] == 'N/A': print("ok") self.report({'results': []}) else: self.report(result) # unique resolutions service elif self.service == 'unique_resolutions': dns_request = DnsRequest(username=self.username, api_key=self.api_key) result = dns_request.get_unique_resolutions(query=data) self.report(result) # whois details service elif self.service == 'whois_details': whois_request = WhoisRequest(username=self.username, api_key=self.api_key) result = whois_request.get_whois_details(query=data) self.report(result) # components service elif self.service == 'components': host_attr_request = HostAttributeRequest( username=self.username, api_key=self.api_key) result = host_attr_request.get_components(query=data) self.report(result) # trackers service elif self.service == 'trackers': host_attr_request = HostAttributeRequest( username=self.username, api_key=self.api_key) result = host_attr_request.get_trackers(query=data) self.report(result) # host pairs service elif self.service == 'host_pairs': host_attr_request = HostAttributeRequest( username=self.username, api_key=self.api_key) result = host_attr_request.get_host_pairs(query=data, direction='parents') children = host_attr_request.get_host_pairs( query=data, direction='children') result['totalRecords'] += children['totalRecords'] result['results'] = result['results'] + children['results'] self.report(result) else: self.error('Unknown PassiveTotal service') except Exception as e: self.unexpectedError(e)