def __get_top_level_domain__(self): try: if is_ip(self.domain) or not self.domain or self.domain == '': return None d = get_tld('http://www.'+self.domain) if d.find('www.') >= 0: return d.split('www.')[1] else: return d except: return None
def stix(self): """Output data as STIX. STIX is highly subjective and difficult to format without getting more data from the user. Passive DNS results are formtted into a STIX watchlist with descriptions and other details about the record. :return: STIX formatted watchlist """ if python3: raise RuntimeError("STIX is not supported when using Python 3 due to dependency libraries.") stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "Passive DNS resolutions associated" \ " with %s during the time periods of " \ " %s - %s" % (self.queryValue, self.firstSeen, self.lastSeen) stix_package.stix_header = stix_header for record in self._records: indicator = Indicator( title="Observed from %s - %s" % ( record.firstSeen, record.lastSeen ), short_description="Resolution observed by %s." % ( ','.join(record.source) ), description="Passive DNS data collected and aggregated from" \ " PassiveTotal services." ) if is_ip(record.resolve): indicator.add_indicator_type('IP Watchlist') ioc = Address( address_value=record.resolve, category=Address.CAT_IPV4 ) else: indicator.add_indicator_type('Domain Watchlist') ioc = DomainName(value=record.resolve) ioc.condition = "Equals" indicator.add_observable(ioc) stix_package.add_indicator(indicator) output = stix_package.to_xml() return output
def process_passive_dns(instance, query): """Process passive DNS data.""" log.debug("Passive DNS: starting") tmp = list() _ = instance.get_unique_resolutions(query=query) err = _has_error(_) if err: raise Exception("We hit an error, time to bail!") if is_ip(query): tmp = [{'types': ['domain', 'hostname'], 'values': _.get('results', [])}] else: tmp = [{'types': ['ip-src', 'ip-dst'], 'values': _.get('results', [])}] log.debug("Passive DNS: ending") return tmp
def process_passive_dns(instance, query): """Process passive DNS data.""" log.debug("Passive DNS: starting") tmp = list() _ = instance.get_unique_resolutions(query=query) err = _has_error(_) if err: raise Exception("We hit an error, time to bail!") if is_ip(query): tmp = [{ 'types': ['domain', 'hostname'], 'values': _.get('results', []) }] else: tmp = [{'types': ['ip-src', 'ip-dst'], 'values': _.get('results', [])}] log.debug("Passive DNS: ending") return tmp
import sys from passivetotal.libs.dns import DnsRequest from passivetotal.libs.dns import DnsUniqueResponse from passivetotal.libs.whois import WhoisRequest from passivetotal.libs.whois import WhoisResponse from passivetotal.common.utilities import is_ip query = sys.argv[1] if not is_ip(query): raise Exception("This script only accepts valid IP addresses!") sys.exit(1) # look up the unique resolutions client = DnsRequest.from_config() raw_results = client.get_unique_resolutions(query=query) loaded = DnsUniqueResponse(raw_results) whois_client = WhoisRequest.from_config() for record in loaded.get_records()[:3]: raw_whois = whois_client.get_whois_details(query=record.resolve) whois = WhoisResponse(raw_whois) print record.resolve, whois.contactEmail