Created Mnemonic PDNS public and closed analyzers
michael committed May 28, 2018
1 parent b48ede8 commit 360c004
Showing 8 changed files with 281 additions and 0 deletions.
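--- a/analyzers/Mnemonic_pdns/mnemonic_pdns_closed.json
+++ b/analyzers/Mnemonic_pdns/mnemonic_pdns_closed.json
@@ -0,0 +1,24 @@
+{
+"name": "Mnemonic_PDNS_closed",
+"version": "3.0",
+"author": "Michael Stensrud, Nordic Financial CERT",
+"url": "https://passivedns.mnemonic.no/search",
+"license" : "AGPL-V3",
+"description": "Query against Mnemonic pDNS",
+"dataTypeList": ["ip", "domain"],
+"command": "Mnemonic_pdns/pdns.py",
+"baseConfig": "Mnemonic_pDNS",
+"config": {
+"check_tlp": true,
+"service" : "closed"
+},
+"configurationItems": [
+{
+"name": "key",
+"description": "Define the API Key",
+"type": "string",
+"multi": false,
+"required": true
+}
+]
+}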
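Review bot: `"check_tlp": true` is set but no `max_tlp` accompanies it, so the TLP ceiling above which an observable will not be sent to Mnemonic's portal is whatever cortexutils defaults to rather than a value visible in this file; add an explicit `"max_tlp": 2` (or whatever level the CERT's agreement with Mnemonic permits) next to `"check_tlp": true`. Every query in the closed service discloses the observable to a third party under an API key, which is exactly the case the TLP guard exists for, so the limit should be a deliberate choice here rather than an inherited default.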
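--- a/analyzers/Mnemonic_pdns/mnemonic_pdns_public.json
+++ b/analyzers/Mnemonic_pdns/mnemonic_pdns_public.json
@@ -0,0 +1,17 @@
+{
+"name": "Mnemonic_pDNS_public",
+"version": "3.0",
+"author": "Michael Stensrud, Nordic Financial CERT",
+"url": "https://passivedns.mnemonic.no/search",
+"license" : "AGPL-V3",
+"description": "Query against Mnemonic pDNS",
+"dataTypeList": ["ip", "domain"],
+"command": "Mnemonic_pdns/pdns.py",
+"baseConfig": "Mnemonic_pDNS",
+"config": {
+"check_tlp": true,
+"service": "public"
+},
+"configurationItems": [
+]
+}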
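Review bot: The analyzer name `"Mnemonic_pDNS_public"` uses a different casing from its sibling `"Mnemonic_PDNS_closed"`, and because Cortex/TheHive derive the report template directory from `<name>_<version>`, that is why this commit ships two template folders that differ only in case (`Mnemonic_PDNS_closed_3_0` vs `Mnemonic_pDNS_public_3_0`); pick one spelling, e.g. `"name": "Mnemonic_PDNS_public"`, and rename the template folder to match. Both analyzers share `"baseConfig": "Mnemonic_pDNS"`, so the API key configured for the closed variant is also delivered to the public one's process; the script only attaches it for `service == "closed"`, which is fine, but a one-line `description` noting that the key is ignored here would stop an operator from wondering whether the public lookups are being authenticated.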
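--- a/analyzers/Mnemonic_pdns/pdns.py
+++ b/analyzers/Mnemonic_pdns/pdns.py
@@ -0,0 +1,90 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+import requests
+from cortexutils.analyzer import Analyzer
+
+class pdns_v3(Analyzer):
+
+def __init__(self):
+Analyzer.__init__(self)
+
+self.base_url = "https://portal.mnemonic.no/web/api/pdns/v3"
+self.apikey = self.get_param("config.key", None)
+self.service = self.get_param('config.service', None, 'Service parameter is missing')
+
+self.headers = {
+"User-Agent": "Cortex 2",
+"Accept" : "application/json"
+}
+self.params = {
+"aggregate": "true",
+"limit" : "0"
+}
+
+
+def get_pdns(self, content):
+
+url = '{0}/{1}'.format(self.base_url, content)
+r = requests.get(url, params=self.params, headers=self.headers)
+
+content = r.json()
+
+return content
+
+
+def run(self):
+
+result = {}
+content = self.getData()
+
+if self.service == "closed":
+# Fetch InHouse PDNS data.
+self.predicate = "InHouse"
+self.level = "suspicious"
+self.params["includeAnonymous"] = "false"
+
+if not self.apikey:
+self.error("Missing API key")
+
+self.headers["Argus-API-Key"] = self.apikey
+
+
+elif self.service == "public":
+# Fetch Public PDNS data
+self.predicate = "Public"
+self.level = "info"
+self.params["includeAnonymous"] = "true"
+
+else:
+# Did not match any services
+self.error("Invalid service")
+
+
+response = self.get_pdns(content)
+self.response = response
+
+result["findings"] = response
+
+return self.report(result)
+
+
+def summary(self, raw_report):
+
+return {
+"count": self.response["count"],
+"size": self.response["size"],
+"metaData" : self.response["metaData"],
+"messages" : self.response["messages"],
+"responseCode" : self.response["responseCode"],
+"taxonomies":[{
+"namespace": "MN_PDNS",
+"predicate": self.predicate,
+"value": self.response['count'],
+"level": self.level
+}]
+}
+
+
+if __name__ == '__main__':
+pdns_v3().run()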
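Review bot: In `get_pdns` the observable is dropped into the URL path unescaped, `url = '{0}/{1}'.format(self.base_url, content)`, so a crafted "domain" observable containing `/`, `?`, `#` or `..` can change which portal endpoint is hit or smuggle extra query parameters alongside the analyzer's own; percent-encode it with `requests.utils.quote(content, safe='')`, which needs no new import. The same `requests.get` call has no `timeout`, so a stalled portal hangs the Cortex job indefinitely, and nothing checks the HTTP status before `r.json()`: a 401/429/5xx page that is not JSON surfaces as an uncaught ValueError, while a JSON error body is reported as findings and then makes `summary()` fail on the missing `count` key. Routing those failures through `self.error()` (which, as far as I recall of cortexutils, writes an error report and exits) gives the analyst a readable failure instead of a traceback; the rewritten method is below. Separately, `self.level = "suspicious"` is fixed for the closed service before the query runs, so even a zero-hit lookup is labelled suspicious in the taxonomy; consider deriving the level from the returned count.
```python
def get_pdns(self, content):
    # Percent-encode the observable: a domain containing '/', '?', '#' or '..'
    # must not be able to alter the path or query of the request we send.
    url = '{0}/{1}'.format(self.base_url, requests.utils.quote(content, safe=''))
    try:
        r = requests.get(url, params=self.params, headers=self.headers, timeout=30)
        r.raise_for_status()
        return r.json()
    except (requests.RequestException, ValueError) as e:
        # Covers network errors, non-2xx replies and non-JSON bodies alike.
        self.error('Mnemonic pDNS query failed: {0}'.format(e))
```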
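--- a/analyzers/Mnemonic_pdns/requirements.txt
+++ b/analyzers/Mnemonic_pdns/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests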
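Review bot: Both `cortexutils` and `requests` are listed without any version constraint, so each fresh install of this analyzer resolves to whatever is newest on PyPI at that moment and a future incompatible or compromised release lands silently. If the repository's convention allows it, pin at least a floor and ceiling such as `requests>=2.18,<3` and the `cortexutils` version the analyzer was actually tested against.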
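--- a/thehive-templates/Mnemonic_PDNS_closed_3_0/long.html
+++ b/thehive-templates/Mnemonic_PDNS_closed_3_0/long.html
@@ -0,0 +1,71 @@
+<div class="panel panel-info">
+<style>
+table {
+table-layout:fixed;
+width:100%;
+word-break: break-all;
+}
+</style>
+
+
+<div class="panel-heading">
+<strong>Summary</strong>
+</div>
+
+<div class="panel-body">
+<dl class="dl-horizontal">
+<dt>PDNS - Public</dt>
+<dd>
+<span>
+<i class="fa fa-search"></i>
+<a ng-href="https://passivedns.mnemonic.no/search/{{artifact.data}}/" target="_blank">
+View Full Report
+</a>
+</span>
+</dd>
+<dt>Count</dt>
+<dd>
+<span>
+{{content.findings.count}}
+</span>
+</dd>
+</dl>
+</div>
+
+<div class="panel panel-info" ng-if="content.findings.count !== 0">
+<div class="panel-heading">
+<strong>Mnemonic PDNS - Public</strong>
+</div>
+<div class="panel-body">
+
+<table class="table table-hover">
+
+<tr>
+<th>Times</th>
+<th>TLP</th>
+<th>Answer</th>
+<th>LastSeen</th>
+<th>FirstSeen</th>
+<th ng-style="max-width:80%;">Query</th>
+<th>RRType</th>
+<th>max TTL</th>
+</tr>
+<tr ng-repeat="res in content.findings.data">
+<td>{{res.times}}</td>
+<td>
+<span class="label" ng-class="{'white': 'label-info', 'green': 'label-success', 'amber': 'label-warning', 'red':'label-danger'}[res.tlp]">
+{{res.tlp}}
+</span>
+</td>
+<td>{{res.answer}}</td>
+<td>{{res.lastSeenTimestamp | amDateFormat:'MM.DD.YYYY HH:mm:ss'}}</td>
+<td>{{res.firstSeenTimestamp | amDateFormat:'MM.DD.YYYY HH:mm:ss'}}</td>
+<td ng-style="max-width:80%;">{{res.query}}</td>
+<td>{{res.rrtype}}</td>
+<td>{{res.maxTtl}}</td>
+</tr>
+</table>
+</div>
+</div>
+
+</div>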
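Review bot: This is the template for the closed (InHouse) analyzer, yet both captions read "Public" — `<dt>PDNS - Public</dt>` and `<strong>Mnemonic PDNS - Public</strong>` — so an analyst looking at the case page cannot tell which data set the hits came from; change them to `PDNS - Closed` and `Mnemonic PDNS - Closed` (or "InHouse", matching the taxonomy predicate the analyzer emits). The two `ng-style="max-width:80%;"` attributes are not valid AngularJS expressions (ng-style evaluates an object such as `{'max-width':'80%'}`), so the width rule is silently dropped; a plain `style="max-width:80%;"` does what was intended. The cell bindings (`res.times`, `res.tlp`, `res.answer`, `res.lastSeenTimestamp`, …) encode a response schema of the portal API that this commit does not show, so a one-line comment at the top naming the API version they were written against would help whoever has to update them.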
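--- a/thehive-templates/Mnemonic_PDNS_closed_3_0/short.html
+++ b/thehive-templates/Mnemonic_PDNS_closed_3_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+{{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>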
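--- a/thehive-templates/Mnemonic_pDNS_public_3_0/long.html
+++ b/thehive-templates/Mnemonic_pDNS_public_3_0/long.html
@@ -0,0 +1,71 @@
+<div class="panel panel-info">
+<style>
+table {
+table-layout:fixed;
+width:100%;
+word-break: break-all;
+}
+</style>
+
+
+<div class="panel-heading">
+<strong>Summary</strong>
+</div>
+
+<div class="panel-body">
+<dl class="dl-horizontal">
+<dt>PDNS - Public</dt>
+<dd>
+<span>
+<i class="fa fa-search"></i>
+<a ng-href="https://passivedns.mnemonic.no/search/{{artifact.data}}/" target="_blank">
+View Full Report
+</a>
+</span>
+</dd>
+<dt>Count</dt>
+<dd>
+<span>
+{{content.findings.count}}
+</span>
+</dd>
+</dl>
+</div>
+
+<div class="panel panel-info" ng-if="content.findings.count !== 0">
+<div class="panel-heading">
+<strong>Mnemonic PDNS - Public</strong>
+</div>
+<div class="panel-body">
+
+<table class="table table-hover">
+
+<tr>
+<th ng-style="width:10%;">Times</th>
+<th>TLP</th>
+<th>Answer</th>
+<th>LastSeen</th>
+<th>FirstSeen</th>
+<th ng-style="max-width:80%;">Query</th>
+<th>RRType</th>
+<th>max TTL</th>
+</tr>
+<tr ng-repeat="res in content.findings.data">
+<td>{{res.times}}</td>
+<td>
+<span class="label" ng-class="{'white': 'label-info', 'green': 'label-success', 'amber': 'label-warning', 'red':'label-danger'}[res.tlp]">
+{{res.tlp}}
+</span>
+</td>
+<td>{{res.answer}}</td>
+<td>{{res.lastSeenTimestamp | amDateFormat:'MM.DD.YYYY HH:mm:ss'}}</td>
+<td>{{res.firstSeenTimestamp | amDateFormat:'MM.DD.YYYY HH:mm:ss'}}</td>
+<td ng-style="max-width:80%;">{{res.query}}</td>
+<td>{{res.rrtype}}</td>
+<td>{{res.maxTtl}}</td>
+</tr>
+</table>
+</div>
+</div>
+
+</div>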
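Review bot: `ng-style="width:10%;"` on the Times header and the two `ng-style="max-width:80%;"` attributes are not AngularJS expressions — ng-style evaluates an object literal such as `{'width':'10%'}` — so all three rules are discarded and the Query column gets no width constraint at all; use `style="width:10%;"` and `style="max-width:80%;"` instead. Apart from that one header cell this file is identical to the closed template, which Cortex's one-template-directory-per-analyzer layout forces, but a short comment at the top saying so would make sure a later fix to one template is also applied to the other.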
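--- a/thehive-templates/Mnemonic_pDNS_public_3_0/short.html
+++ b/thehive-templates/Mnemonic_pDNS_public_3_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+{{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>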
