def dotransform(request, response, config):
error, found = lookup_whois(request.value)
if not error and found:
if dict == type(found):
for result, value in found.iteritems():
if set == type(value):
if "whois_domains" == result:
for d in value:
if d:
e = Domain(d)
e.fqdn = d
response += e
if "whois_emails" == result:
for em in value:
if em:
e = EmailAddress(em)
response += e
if "whois_nameservers" == result:
for w in value:
if w:
e = NSRecord(w)
response += e
#Display error message in Transform Output
response += UIMessage(error)
return response
def dotransform(request, response, config):
error, found = lookup_whois(request.value)
if not error and found:
if dict == type(found):
for result, value in found.iteritems():
if set == type(value):
if "whois_domains" == result:
for d in value:
if d:
e = Domain(d)
e.fqdn = d
response += e
if "whois_emails" == result:
for em in value:
if em:
e = EmailAddress(em)
response += e
if "whois_nameservers" == result:
for w in value:
if w:
e = NSRecord(w)
response += e
#Display error message in Transform Output
response += UIMessage(error)
return response
def dotransform(request, response, config):
tr_details = [
'Reference', 'Source', 'KillChain', 'Firstseen', 'Lastseen',
'Attribution', 'ProcessType', 'Rrname', 'Rdata', 'Country', 'Tags',
'Comment', 'RootNode', 'Confidence'
]
#Default link color is black
linkcolor = "0x000000"
cache, found = search(request.value)
if found:
if list == type(found):
for indicator in found:
debug(indicator)
e = ''
indtype = indicator['Type'].lower().strip()
if "whois email" == indtype:
e = EmailAddress(indicator['Indicator'])
#response += e
if "name server" == indtype:
e = NSRecord(indicator['Indicator'])
#response += e
if "domain" == indtype:
e = Domain(indicator['Indicator'])
e.fqdn = indicator['Indicator']
#response += e
#IF Type is not domain, check if Rrname is not empty
elif indicator['Rrname'] and indicator['Rrname'] != 'NA':
d = Domain(indicator['Rrname'])
d.fqdn = indicator['Rrname']
response += d
if "ip" == indtype:
e = IPv4Address(indicator['Indicator'])
#response += e
#IF Type is not IP, check if Rdata is not empty
elif indicator['Rdata']:
i = IPv4Address(indicator['Rdata'])
response += i
if "phone or fax no." == indtype:
e = PhoneNumber(indicator['Indicator'])
#response += e
if "whois address component" == indtype:
e = Phrase(indicator['Indicator'])
#response += e
if "email" == indtype:
e = EmailAddress(indicator['Indicator'])
#response += e
if "netname" == indtype:
e = NetNameThreatRecon(indicator['Indicator'])
#response += e
if "cidr" == indtype:
e = IPv4Address(indicator['Indicator'])
#response += e
if "netrange" == indtype:
e = Netblock(indicator['Indicator'])
#response += e
if indicator['Country']:
l = Location(indicator['Country'])
response += l
#Add Comments and details to own Entity
entity = e #request.entity
#Set comments
if indicator['Comment']:
entity.notes = string_filter(indicator['Comment'])
#Set Details
for detail in tr_details:
if detail in indicator:
if indicator[detail]:
entity += Label(name=detail,
value=string_filter(
indicator[detail]))
#Set link color
if "Confidence" in indicator:
if indicator['Confidence'] >= 70:
linkcolor = "0xff0000"
entity.linkcolor = linkcolor
response += entity
return response
