def run(self):
Analyzer.run(self)
data = self.getData()
try:
# enrichment service
if self.service == 'enrichment':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_enrichment(query=data)
self.report(result)
# malware service
elif self.service == 'malware':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_malware(query=data)
self.report(result)
# osint service
elif self.service == 'osint':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_osint(query=data)
self.report(result)
# passive dns service
elif self.service == 'passive_dns':
dns_request = DnsRequest(username=self.username, api_key=self.api_key)
result = dns_request.get_passive_dns(query=data)
self.report(result)
# ssl certificate details service
elif self.service == 'ssl_certificate_details':
ssl_request = SslRequest(username=self.username, api_key=self.api_key)
result = ssl_request.get_ssl_certificate_details(query=data)
self.report(result)
# ssl certificate history service
elif self.service == 'ssl_certificate_history':
ssl_request = SslRequest(username=self.username, api_key=self.api_key)
result = ssl_request.get_ssl_certificate_history(query=data)
self.report(result)
# unique resolutions service
elif self.service == 'unique_resolutions':
dns_request = DnsRequest(username=self.username, api_key=self.api_key)
result = dns_request.get_unique_resolutions(query=data)
self.report(result)
# whois details service
elif self.service == 'whois_details':
whois_request = WhoisRequest(username=self.username, api_key=self.api_key)
result = whois_request.get_whois_details(query=data)
self.report(result)
else:
self.error('Unknown PassiveTotal service')
except Exception as e:
self.unexpectedError(e)
def load_client(context):
"""Get an instance of a loaded client."""
username = context.getTransformSetting('username')
api_key = context.getTransformSetting('aKey')
test_status = context.getTransformSetting('test_local')
if test_status and test_status == 'True':
server = context.getTransformSetting('server')
version = context.getTransformSetting('version')
return SslRequest(username, api_key, server, version)
else:
return SslRequest(username, api_key, headers=gen_debug(request))
def get_ssl(self, **kwargs):
client = SslRequest(self.username, self.apikey)
keys = ['query', 'compact', 'field', 'type']
params = self._cleanup_params(keys, **kwargs)
if not params.get('type'):
return client.get_ssl_certificate_details(**params)
elif params.get('type') == 'history':
return client.get_ssl_certificate_history(**params)
elif params.get('type') == 'search' and params.get('field'):
return client.search_ssl_certificate_by_field(**params)
else:
self.log.error("No SSL field provided.")
return None
def setup_class(self):
self.patcher = patch('passivetotal.api.Client._get', fake_request)
self.patcher.start()
self.client = SslRequest('--No-User--', '--No-Key--')
logger.info("Starting command processing")
input_events, dummyresults, settings = splunk.Intersplunk.getOrganizedResults(
)
keywords, options = splunk.Intersplunk.getKeywordsAndOptions()
query_value = options.get("query", "")
logger.info("Query target: %s" % query_value)
logger.debug("Raw options: %s" % str(options))
configuration = get_config("passivetotal", "api-setup")
username = configuration.get('username', None)
api_key = configuration.get('apikey', None)
output_events = list()
ssl = SslRequest(
username, api_key,
headers=build_headers()).get_ssl_certificate_history(query=query_value)
if 'error' in ssl:
raise Exception(
"Whoa there, looks like you reached your quota for today! Please come back tomorrow to resume your investigation or contact support for details on enterprise plans."
)
for result in ssl.get("results", []):
ip_addresses = result.get('ipAddresses', [])
result.pop('ipAddresses', None)
for ip in ip_addresses:
result['resolve'] = ip
output_events.append(result)
output_events.append(result)
splunk.Intersplunk.outputResults(output_events)
except Exception, e:
def run(self):
data = self.get_data()
try:
# enrichment service
if self.service == 'enrichment':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_enrichment(query=data)
self.report(result)
# malware service
elif self.service == 'malware':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_malware(query=data)
self.report(result)
# osint service
elif self.service == 'osint':
enrichment_request = EnrichmentRequest(username=self.username,
api_key=self.api_key)
result = enrichment_request.get_osint(query=data)
self.report(result)
# passive dns service
elif self.service == 'passive_dns':
dns_request = DnsRequest(username=self.username,
api_key=self.api_key)
result = dns_request.get_passive_dns(query=data)
self.report(result)
# ssl certificate details service
elif self.service == 'ssl_certificate_details':
ssl_request = SslRequest(username=self.username,
api_key=self.api_key)
result = ssl_request.get_ssl_certificate_details(query=data)
self.report(result)
# ssl certificate history service
elif self.service == 'ssl_certificate_history':
ssl_request = SslRequest(username=self.username,
api_key=self.api_key)
result = ssl_request.get_ssl_certificate_history(query=data)
print(len(result['results']))
if len(result['results']
) == 1 and result['results'][0]['ipAddresses'] == 'N/A':
print("ok")
self.report({'results': []})
else:
self.report(result)
# unique resolutions service
elif self.service == 'unique_resolutions':
dns_request = DnsRequest(username=self.username,
api_key=self.api_key)
result = dns_request.get_unique_resolutions(query=data)
self.report(result)
# whois details service
elif self.service == 'whois_details':
whois_request = WhoisRequest(username=self.username,
api_key=self.api_key)
result = whois_request.get_whois_details(query=data)
self.report(result)
# components service
elif self.service == 'components':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_components(query=data)
self.report(result)
# trackers service
elif self.service == 'trackers':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_trackers(query=data)
self.report(result)
# host pairs service
elif self.service == 'host_pairs':
host_attr_request = HostAttributeRequest(
username=self.username, api_key=self.api_key)
result = host_attr_request.get_host_pairs(query=data,
direction='parents')
children = host_attr_request.get_host_pairs(
query=data, direction='children')
result['totalRecords'] += children['totalRecords']
result['results'] = result['results'] + children['results']
self.report(result)
else:
self.error('Unknown PassiveTotal service')
except Exception as e:
self.unexpectedError(e)