def __get_top_level_domain__(self):
try:
if is_ip(self.domain) or not self.domain or self.domain == '':
return None
d = get_tld('http://www.'+self.domain)
if d.find('www.') >= 0:
return d.split('www.')[1]
else:
return d
except:
return None
def stix(self):
"""Output data as STIX.
STIX is highly subjective and difficult to format without getting more
data from the user. Passive DNS results are formtted into a STIX
watchlist with descriptions and other details about the record.
:return: STIX formatted watchlist
"""
if python3:
raise RuntimeError("STIX is not supported when using Python 3 due to dependency libraries.")
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Passive DNS resolutions associated" \
" with %s during the time periods of " \
" %s - %s" % (self.queryValue,
self.firstSeen,
self.lastSeen)
stix_package.stix_header = stix_header
for record in self._records:
indicator = Indicator(
title="Observed from %s - %s" % (
record.firstSeen,
record.lastSeen
),
short_description="Resolution observed by %s." % (
','.join(record.source)
),
description="Passive DNS data collected and aggregated from" \
" PassiveTotal services."
)
if is_ip(record.resolve):
indicator.add_indicator_type('IP Watchlist')
ioc = Address(
address_value=record.resolve,
category=Address.CAT_IPV4
)
else:
indicator.add_indicator_type('Domain Watchlist')
ioc = DomainName(value=record.resolve)
ioc.condition = "Equals"
indicator.add_observable(ioc)
stix_package.add_indicator(indicator)
output = stix_package.to_xml()
return output
def process_passive_dns(instance, query):
"""Process passive DNS data."""
log.debug("Passive DNS: starting")
tmp = list()
_ = instance.get_unique_resolutions(query=query)
err = _has_error(_)
if err:
raise Exception("We hit an error, time to bail!")
if is_ip(query):
tmp = [{'types': ['domain', 'hostname'], 'values': _.get('results', [])}]
else:
tmp = [{'types': ['ip-src', 'ip-dst'], 'values': _.get('results', [])}]
log.debug("Passive DNS: ending")
return tmp
def process_passive_dns(instance, query):
"""Process passive DNS data."""
log.debug("Passive DNS: starting")
tmp = list()
_ = instance.get_unique_resolutions(query=query)
err = _has_error(_)
if err:
raise Exception("We hit an error, time to bail!")
if is_ip(query):
tmp = [{
'types': ['domain', 'hostname'],
'values': _.get('results', [])
}]
else:
tmp = [{'types': ['ip-src', 'ip-dst'], 'values': _.get('results', [])}]
log.debug("Passive DNS: ending")
return tmp
import sys
from passivetotal.libs.dns import DnsRequest
from passivetotal.libs.dns import DnsUniqueResponse
from passivetotal.libs.whois import WhoisRequest
from passivetotal.libs.whois import WhoisResponse
from passivetotal.common.utilities import is_ip
query = sys.argv[1]
if not is_ip(query):
raise Exception("This script only accepts valid IP addresses!")
sys.exit(1)
# look up the unique resolutions
client = DnsRequest.from_config()
raw_results = client.get_unique_resolutions(query=query)
loaded = DnsUniqueResponse(raw_results)
whois_client = WhoisRequest.from_config()
for record in loaded.get_records()[:3]:
raw_whois = whois_client.get_whois_details(query=record.resolve)
whois = WhoisResponse(raw_whois)
print record.resolve, whois.contactEmail
