def load_client(context):
"""Get an instance of a loaded client."""
username = context.getTransformSetting('username')
api_key = context.getTransformSetting('aKey')
test_status = context.getTransformSetting('test_local')
if test_status and test_status == 'True':
server = context.getTransformSetting('server')
version = context.getTransformSetting('version')
return WhoisRequest(username, api_key, server, version)
else:
return WhoisRequest(username, api_key, headers=gen_debug(request))
def run(self):
Analyzer.run(self)
data = self.getData()
try:
# enrichment service
if self.service == 'enrichment':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_enrichment(query=data)
self.report(result)
# malware service
elif self.service == 'malware':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_malware(query=data)
self.report(result)
# osint service
elif self.service == 'osint':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_osint(query=data)
self.report(result)
# passive dns service
elif self.service == 'passive_dns':
dns_request = DnsRequest(username=self.username, api_key=self.api_key)
result = dns_request.get_passive_dns(query=data)
self.report(result)
# ssl certificate details service
elif self.service == 'ssl_certificate_details':
ssl_request = SslRequest(username=self.username, api_key=self.api_key)
result = ssl_request.get_ssl_certificate_details(query=data)
self.report(result)
# ssl certificate history service
elif self.service == 'ssl_certificate_history':
ssl_request = SslRequest(username=self.username, api_key=self.api_key)
result = ssl_request.get_ssl_certificate_history(query=data)
self.report(result)
# unique resolutions service
elif self.service == 'unique_resolutions':
dns_request = DnsRequest(username=self.username, api_key=self.api_key)
result = dns_request.get_unique_resolutions(query=data)
self.report(result)
# whois details service
elif self.service == 'whois_details':
whois_request = WhoisRequest(username=self.username, api_key=self.api_key)
result = whois_request.get_whois_details(query=data)
self.report(result)
else:
self.error('Unknown PassiveTotal service')
except Exception as e:
self.unexpectedError(e)
def get_whois(self, **kwargs):
client = WhoisRequest(self.username, self.apikey)
keys = ['query', 'compact', 'field']
params = self._cleanup_params(keys, **kwargs)
if not params.get('field'):
return client.get_whois_details(**params)
else:
return client.search_whois_by_field(**params)
def run(self, conf, args, plugins):
if 'subcommand' in args:
if args.subcommand == 'whois':
client = WhoisRequest(conf['PassiveTotal']['username'],
conf['PassiveTotal']['key'])
if args.domain:
raw_results = client.search_whois_by_field(query=unbracket(
args.domain.strip()),
field="domain")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
elif args.file:
with open(args.file, 'r') as infile:
data = infile.read().split()
print(
"Domain|Date|Registrar|name|email|Phone|organization|Street|City|Postal Code|State|Country"
)
for d in data:
do = unbracket(d.strip())
# FIXME: bulk request here
raw_results = client.search_whois_by_field(
query=do, field="domain")
if "results" not in raw_results:
print("%s|||||||||||" % bracket(do))
else:
if len(raw_results["results"]) == 0:
print("%s|||||||||||" % bracket(do))
else:
r = raw_results["results"][0]
if "registered" in r:
dd = datetime.datetime.strptime(
r["registered"],
"%Y-%m-%dT%H:%M:%S.%f%z")
ddo = dd.strftime("%m/%d/%Y %H:%M:%S")
else:
ddo = ""
print(
"%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s" %
(bracket(do), ddo, r["registrar"]
if "registrar" in r else "",
r["registrant"]["name"]
if "name" in r["registrant"] else "",
r["registrant"]["email"]
if "email" in r["registrant"] else "",
r["registrant"]["telephone"]
if "telephone" in r["registrant"] else "",
r["registrant"]["organization"] if
"organization" in r["registrant"] else "",
r["registrant"]["street"]
if "street" in r["registrant"] else "",
r["registrant"]["city"]
if "city" in r["registrant"] else "",
r["registrant"]["postalCode"] if
"postalCode" in r["registrant"] else "",
r["registrant"]["state"]
if "state" in r["registrant"] else "",
r["registrant"]["country"]
if "country" in r["registrant"] else ""))
elif args.email:
raw_results = client.search_whois_by_field(
query=args.email.strip(), field="email")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
else:
self.parser.print_help()
elif args.subcommand == "dns":
client = DnsRequest(conf['PassiveTotal']['username'],
conf['PassiveTotal']['key'])
raw_results = client.get_passive_dns(query=unbracket(
args.DOMAIN), )
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
elif args.subcommand == "malware":
client = EnrichmentRequest(conf["PassiveTotal"]["username"],
conf["PassiveTotal"]['key'])
if args.domain:
raw_results = client.get_malware(query=args.domain)
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
elif args.file:
with open(args.file, 'r') as infile:
data = infile.read().split()
domain_list = list(set([a.strip() for a in data]))
if len(domain_list) < 51:
raw_results = client.get_bulk_malware(
query=domain_list)
if "results" not in raw_results or not raw_results[
"success"]:
print("Request failed")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
sys.exit(1)
else:
results = raw_results["results"]
else:
results = {}
bulk_size = 50
i = 0
while i * bulk_size < len(domain_list):
raw_results = client.get_bulk_malware(
query=domain_list[i * bulk_size:(i + 1) *
bulk_size])
if "results" not in raw_results or not raw_results[
"success"]:
print("Request failed")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
sys.exit(1)
else:
results.update(raw_results["results"])
i += 1
if args.raw:
print(
json.dumps(results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
else:
print("Domain|Date|Sample|Source|Source URL")
for domain in results:
if "results" in results[domain]:
for sample in results[domain]["results"]:
print("%s|%s|%s|%s|%s" %
(domain, sample["collectionDate"],
sample["sample"], sample["source"],
sample["sourceUrl"]))
else:
self.parser.print_help()
elif args.subcommand == "osint":
# FIXME: add research of projects
client = EnrichmentRequest(conf["PassiveTotal"]["username"],
conf["PassiveTotal"]['key'])
if args.domain:
raw_results = client.get_osint(query=args.domain)
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
elif args.file:
with open(args.file, 'r') as infile:
data = infile.read().split()
domain_list = list(set([a.strip() for a in data]))
if len(domain_list) < 51:
raw_results = client.get_bulk_osint(query=domain_list)
if "results" not in raw_results or not raw_results[
"success"]:
print("Request failed")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
sys.exit(1)
else:
results = raw_results["results"]
else:
results = {}
bulk_size = 50
i = 0
while i * bulk_size < len(domain_list):
raw_results = client.get_bulk_osint(
query=domain_list[i * bulk_size:(i + 1) *
bulk_size])
if "results" not in raw_results or not raw_results[
"success"]:
print("Request failed")
print(
json.dumps(raw_results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
sys.exit(1)
else:
results.update(raw_results["results"])
i += 1
if args.raw:
print(
json.dumps(results,
sort_keys=True,
indent=4,
separators=(',', ': ')))
else:
print("Domain|Source|URL|Tags")
for domain in results:
if "results" in results[domain]:
for report in results[domain]["results"]:
print("%s|%s|%s|%s" %
(domain, report["source"],
report["source_url"], " / ".join(
report["tags"])))
else:
self.parser.print_help()
else:
self.parser.print_help()
else:
self.parser.print_help()
logger.info("Starting command processing")
input_events, dummyresults, settings = splunk.Intersplunk.getOrganizedResults(
)
keywords, options = splunk.Intersplunk.getKeywordsAndOptions()
query_value = options.get("query", "")
logger.info("Query target: %s" % query_value)
logger.debug("Raw options: %s" % str(options))
configuration = get_config("passivetotal", "api-setup")
username = configuration.get('username', None)
api_key = configuration.get('apikey', None)
output_events = list()
whois = WhoisRequest(username, api_key,
headers=build_headers()).get_whois_details(
query=query_value, compact_record=True)
if 'error' in whois:
raise Exception(
"Whoa there, looks like you reached your quota for today! Please come back tomorrow to resume your investigation or contact support for details on enterprise plans."
)
fields = [
'contactEmail', 'nameServers', 'registered', 'registryUpdatedAt',
'expiresAt', 'registrar'
]
for field in fields:
tmp = {'key': gen_label(field), 'value': whois.get(field, '')}
output_events.append(tmp)
for key, value in whois.get('compact', {}).iteritems():
formatted = list()
for item in value.get('values', []):
def setup_class(self):
self.patcher = patch('passivetotal.api.Client._get', fake_request)
self.patcher.start()
self.client = WhoisRequest('--No-User--', '--No-Key--')
def run(self):
data = self.get_data()
try:
# enrichment service
if self.service == 'enrichment':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_enrichment(query=data)
self.report(result)
# malware service
elif self.service == 'malware':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_malware(query=data)
self.report(result)
# osint service
elif self.service == 'osint':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_osint(query=data)
self.report(result)
# passive dns service
elif self.service == 'passive_dns':
dns_request = DnsRequest(username=self.username,
api_key=self.api_key)
result = dns_request.get_passive_dns(query=data)
self.report(result)
# ssl certificate details service
elif self.service == 'ssl_certificate_details':
ssl_request = SslRequest(username=self.username,
api_key=self.api_key)
result = ssl_request.get_ssl_certificate_details(query=data)
self.report(result)
# ssl certificate history service
elif self.service == 'ssl_certificate_history':
ssl_request = SslRequest(username=self.username,
api_key=self.api_key)
result = ssl_request.get_ssl_certificate_history(query=data)
print(len(result['results']))
if len(result['results']
) == 1 and result['results'][0]['ipAddresses'] == 'N/A':
print("ok")
self.report({'results': []})
else:
self.report(result)
# unique resolutions service
elif self.service == 'unique_resolutions':
dns_request = DnsRequest(username=self.username,
api_key=self.api_key)
result = dns_request.get_unique_resolutions(query=data)
self.report(result)
# whois details service
elif self.service == 'whois_details':
whois_request = WhoisRequest(username=self.username,
api_key=self.api_key)
result = whois_request.get_whois_details(query=data)
self.report(result)
# components service
elif self.service == 'components':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_components(query=data)
self.report(result)
# trackers service
elif self.service == 'trackers':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_trackers(query=data)
self.report(result)
# host pairs service
elif self.service == 'host_pairs':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_host_pairs(query=data,
direction='parents')
children = host_attr_request.get_host_pairs(
query=data, direction='children')
result['totalRecords'] += children['totalRecords']
result['results'] = result['results'] + children['results']
self.report(result)
else:
self.error('Unknown PassiveTotal service')
except Exception as e:
self.unexpectedError(e)
