def analyze(observable, results):
    """Pull DomainTools WHOIS history for a registered domain and link the named parties.

    Only runs when *observable* carries no subdomain label (i.e. it is the
    registered domain itself); for anything else the result is an empty list.
    Every history record produces a "Registrar" link (Company node) and a
    "Registrant" link (Text node), both bounded by the record's registration
    created/expires dates, plus a "Registrant Email" link when the parsed raw
    WHOIS record exposes one.

    Args:
        observable: Observable whose ``value`` is the domain to query.
        results: Analysis results holder; ``results.settings`` supplies the
            API credentials and ``results.update(raw=...)`` stores the raw
            JSON response.

    Returns:
        list of the link objects created (deduplicated through a set).

    Raises:
        KeyError / TypeError / ValueError: when the response lacks an expected
            key or a registration date is not in ``%Y-%m-%d`` form -- nothing
            is caught here, so one malformed record aborts the whole run.
    """
    created_links = set()
    domain_parts = extract(observable.value)
    if domain_parts.subdomain != '':
        return list(created_links)
    # NOTE(review): the observable value is placed into the request path
    # without URL quoting -- assumes it has already been validated as a
    # hostname upstream; confirm against the observable type's validation.
    endpoint = "/{}/whois/history".format(observable.value)
    data = DomainToolsApi.get(endpoint, results.settings)
    results.update(raw=json.dumps(data, indent=2))
    for record in data['response']['history']:
        whois = record['whois']
        registration = whois['registration']
        created = datetime.strptime(registration['created'], "%Y-%m-%d")
        expires = datetime.strptime(registration['expires'], "%Y-%m-%d")
        registrar = Company.get_or_create(name=registration['registrar'])
        registrant = Text.get_or_create(value=whois['registrant'])
        # Registrar first, then registrant -- same order as the links are created.
        for node, description in ((registrar, 'Registrar'), (registrant, 'Registrant')):
            created_links.update(
                observable.link_to(node, description, 'DomainTools', created, expires)
            )
        parsed = parse_raw_whois([whois['record']], normalized=True)
        email_value = get_value_at(parsed, 'contacts.registrant.email')
        if email_value:
            email_node = Email.get_or_create(value=email_value)
            created_links.update(
                observable.link_to(email_node, 'Registrant Email', 'DomainTools', created, expires)
            )
    return list(created_links)
def link_from_data(observable, data, path, klass, description):
    """Link *observable* to one *klass* node per value found at *path* in *data*.

    Args:
        observable: Observable to link from.
        data: Nested mapping (an API response) to search.
        path: Dotted path handed to ``get_value_at``.
        klass: Node class to resolve each value into. It is created with
            ``value=`` first; when the class has no ``value`` field
            (``FieldDoesNotExist``) the lookup is retried with ``name=``,
            which is how Company nodes are created elsewhere in this file.
        description: Link description stored on every created link; the
            source is always "DomainTools".

    Returns:
        list of the links created; empty when *path* resolves to ``None``.
    """
    found = get_value_at(data, path)
    if found is None:
        return []
    new_links = set()
    for item in iterify(found):
        try:
            node = klass.get_or_create(value=item)
        except FieldDoesNotExist:
            # Fall back for node classes keyed on ``name`` rather than ``value``.
            node = klass.get_or_create(name=item)
        new_links.update(observable.active_link_to(node, description, 'DomainTools'))
    return list(new_links)
def analyze(observable, results):
    """Link a registered domain to the parties in its DomainTools WHOIS history.

    Runs only when ``tldextract_parser`` reports no subdomain label for the
    observable; otherwise an empty list is returned. For each history record
    the registrar (Company) and registrant (Text) are linked with the record's
    registration created/expires dates, and the raw WHOIS record is parsed
    for a registrant email, which is linked the same way when present.

    Args:
        observable: Observable whose ``value`` is the domain to query.
        results: Results holder; ``results.settings`` supplies the API
            credentials and the raw JSON response is stored via
            ``results.update(raw=...)``.

    Returns:
        list of the links created.

    Raises:
        KeyError / TypeError / ValueError: on a response missing the expected
            keys or carrying a date not in ``%Y-%m-%d`` form; not caught here.
    """

    def _links_for_record(record):
        """Return the links one WHOIS history record contributes."""
        whois = record["whois"]
        registration = whois["registration"]
        created = datetime.strptime(registration["created"], "%Y-%m-%d")
        expires = datetime.strptime(registration["expires"], "%Y-%m-%d")
        registrar = Company.get_or_create(name=registration["registrar"])
        registrant = Text.get_or_create(value=whois["registrant"])
        record_links = set()
        record_links.update(
            observable.link_to(registrar, "Registrar", "DomainTools", created, expires)
        )
        record_links.update(
            observable.link_to(registrant, "Registrant", "DomainTools", created, expires)
        )
        parsed = parse_raw_whois([whois["record"]], normalized=True)
        email_value = get_value_at(parsed, "contacts.registrant.email")
        if email_value:
            email_node = Email.get_or_create(value=email_value)
            record_links.update(
                observable.link_to(
                    email_node, "Registrant Email", "DomainTools", created, expires
                )
            )
        return record_links

    all_links = set()
    if tldextract_parser(observable.value).subdomain != "":
        return list(all_links)
    # NOTE(review): observable.value goes into the request path unquoted --
    # assumes it was validated as a hostname upstream; confirm.
    data = DomainToolsApi.get(
        "/{}/whois/history".format(observable.value), results.settings
    )
    results.update(raw=json.dumps(data, indent=2))
    for record in data["response"]["history"]:
        all_links.update(_links_for_record(record))
    return list(all_links)
def analyze(observable, results):
    """Find domains whose WHOIS nameserver field matches *observable* via PassiveTotal.

    Every domain returned by ``/whois/search`` is linked to the observable as
    an "NS record"; when the result also carries ``registrant.email``, the
    domain is linked to that email as "Registrant Email".

    Args:
        observable: Observable whose ``value`` is searched in the
            ``nameserver`` field.
        results: Results holder; ``results.settings`` supplies the API
            credentials.

    Returns:
        list of the links created.

    Raises:
        KeyError: if the response lacks ``results`` or an entry lacks
            ``domain``; nothing is caught here.
    """
    query = {'query': observable.value, 'field': 'nameserver'}
    response = PassiveTotalApi.get('/whois/search', results.settings, query)
    found_links = set()
    for entry in response['results']:
        domain = Hostname.get_or_create(value=entry['domain'])
        found_links.update(domain.active_link_to(observable, "NS record", 'PassiveTotal'))
        email_value = get_value_at(entry, 'registrant.email')
        if not email_value:
            continue
        email_node = Email.get_or_create(value=email_value)
        found_links.update(
            domain.active_link_to(email_node, "Registrant Email", 'PassiveTotal')
        )
    return list(found_links)