forked from MISP/misp-modules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ipinfo.py
105 lines (89 loc) · 3.57 KB
/
ipinfo.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
import json
import requests
from . import check_input_attribute, standard_error_message
from pymisp import MISPAttribute, MISPEvent, MISPObject
mispattributes = {
'input': ['ip-src', 'ip-dst'],
'format': 'misp_standard'
}
moduleinfo = {
'version': 1,
'author': 'Christian Studer',
'description': 'An expansion module to query ipinfo.io for additional information on an IP address',
'module-type': ['expansion', 'hover']
}
moduleconfig = ['token']
_GEOLOCATION_OBJECT_MAPPING = {
'city': 'city',
'postal': 'zipcode',
'region': 'region',
'country': 'countrycode'
}
def handler(q=False):
# Input checks
if q is False:
return False
request = json.loads(q)
if not request.get('attribute') or not check_input_attribute(request['attribute']):
return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
attribute = request['attribute']
if attribute.get('type') not in mispattributes['input']:
return {'error': 'Wrong input attribute type.'}
if not request.get('config'):
return {'error': 'Missing ipinfo config.'}
if not request['config'].get('token'):
return {'error': 'Missing ipinfo token.'}
# Query ipinfo.io
query = requests.get(
f"https://ipinfo.io/{attribute['value']}/json?token={request['config']['token']}"
)
if query.status_code != 200:
return {'error': f'Error while querying ipinfo.io - {query.status_code}: {query.reason}'}
ipinfo = query.json()
# Check if the IP address is not reserved for special use
if ipinfo.get('bogon', False):
return {'error': 'The IP address is reserved for special use'}
# Initiate the MISP data structures
misp_event = MISPEvent()
input_attribute = MISPAttribute()
input_attribute.from_dict(**attribute)
misp_event.add_attribute(**input_attribute)
# Parse the geolocation information related to the IP address
geolocation = MISPObject('geolocation')
for field, relation in _GEOLOCATION_OBJECT_MAPPING.items():
geolocation.add_attribute(relation, ipinfo[field])
for relation, value in zip(('latitude', 'longitude'), ipinfo['loc'].split(',')):
geolocation.add_attribute(relation, value)
geolocation.add_reference(input_attribute.uuid, 'locates')
misp_event.add_object(geolocation)
# Parse the domain information
domain_ip = misp_event.add_object(name='domain-ip')
for feature in ('hostname', 'ip'):
domain_ip.add_attribute(feature, ipinfo[feature])
domain_ip.add_reference(input_attribute.uuid, 'resolves')
if ipinfo.get('domain') is not None:
for domain in ipinfo['domain']['domains']:
domain_ip.add_attribute('domain', domain)
# Parse the AS information
asn = MISPObject('asn')
asn.add_reference(input_attribute.uuid, 'includes')
if ipinfo.get('asn') is not None:
asn_info = ipinfo['asn']
asn.add_attribute('asn', asn_info['asn'])
asn.add_attribute('description', asn_info['name'])
misp_event.add_object(asn)
elif ipinfo.get('org'):
as_value, *description = ipinfo['org'].split(' ')
asn.add_attribute('asn', as_value)
asn.add_attribute('description', ' '.join(description))
misp_event.add_object(asn)
# Return the results in MISP format
event = json.loads(misp_event.to_json())
return {
'results': {key: event[key] for key in ('Attribute', 'Object')}
}
def introspection():
return mispattributes
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo