diff --git a/analyzers/DomainTools/DomainTools_HostingHistory.json b/analyzers/DomainTools/DomainTools_HostingHistory.json
new file mode 100644
index 000000000..75030bb47
--- /dev/null
+++ b/analyzers/DomainTools/DomainTools_HostingHistory.json
@@ -0,0 +1,30 @@
+{
+ "name": "DomainTools_HostingHistory",
+ "version": "2.0",
+ "author": "CERT-BDF",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Use DomainTools to get a list of historical registrant, name servers and IP addresses for a domain name.",
+ "dataTypeList": ["domain"],
+ "command": "DomainTools/domaintools_analyzer.py",
+ "baseConfig": "DomainTools",
+ "config": {
+ "service": "hosting-history"
+ },
+ "configurationItems": [
+ {
+ "name": "username",
+ "description": "DomainTools API credentials",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "key",
+ "description": "DomainTools API credentials",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ]
+}
diff --git a/analyzers/DomainTools/DomainTools_Reputation.json b/analyzers/DomainTools/DomainTools_Reputation.json
index 681236fa6..242ce2f03 100644
--- a/analyzers/DomainTools/DomainTools_Reputation.json
+++ b/analyzers/DomainTools/DomainTools_Reputation.json
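Review bot: The `description` of the new HostingHistory descriptor says the service returns historical *registrant* data, but the summary keys this commit adds in domaintools_analyzer.py (`registrar_history`, `ip_history`, `nameserver_history`) and the headings of the new long.html template describe registrar, IP and name-server history, so the text should read `"Use DomainTools to get the registrar, name server and IP address history of a domain name."`. The two `configurationItems` also carry the identical description `"DomainTools API credentials"`; `"DomainTools API username"` and `"DomainTools API key"` would tell an operator which value belongs in which field. The same duplicated description appears in the new DomainTools_ReverseIPWhois.json.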
@@ -1,17 +1,17 @@
 {
- "name": "DomainTools_Reputation",
- "version": "2.0",
- "author": "CERT-BDF",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Use DomainTools to get a reputation score on a domain or fqdn",
- "dataTypeList": ["domain","fqdn"],
- "command": "DomainTools/domaintools_analyzer.py",
- "baseConfig": "DomainTools",
- "config": {
- "service": "reputation"
- },
- "configurationItems": [
+ "name": "DomainTools_Reputation",
+ "version": "2.0",
+ "author": "CERT-BDF",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Use DomainTools to get a reputation score on a domain or fqdn",
+ "dataTypeList": ["domain","fqdn"],
+ "command": "DomainTools/domaintools_analyzer.py",
+ "baseConfig": "DomainTools",
+ "config": {
+ "service": "reputation"
+ },
+ "configurationItems": [
 {
 "name": "username",
 "description": "DomainTools API credentials",
diff --git a/analyzers/DomainTools/DomainTools_ReverseIP.json b/analyzers/DomainTools/DomainTools_ReverseIP.json
index 5769054e5..22adf72f3 100644
--- a/analyzers/DomainTools/DomainTools_ReverseIP.json
+++ b/analyzers/DomainTools/DomainTools_ReverseIP.json
@@ -1,17 +1,17 @@
 {
- "name": "DomainTools_ReverseIP",
- "version": "2.0",
- "author": "CERT-BDF",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Use DomainTools to get a list of domain names sharing the same IP address.",
- "dataTypeList": ["ip", "domain","fqdn"],
- "command": "DomainTools/domaintools_analyzer.py",
- "baseConfig": "DomainTools",
- "config": {
- "service": "reverse-ip"
- },
- "configurationItems": [
+ "name": "DomainTools_ReverseIP",
+ "version": "2.0",
+ "author": "CERT-BDF",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Use DomainTools to get a list of domain names sharing the same IP address.",
+ "dataTypeList": ["ip", "domain","fqdn"],
+ "command": "DomainTools/domaintools_analyzer.py",
+ "baseConfig": "DomainTools",
+ "config": {
+ "service": "reverse-ip"
+ },
+ "configurationItems": [
 {
 "name": "username",
 "description": "DomainTools API credentials",
diff --git a/analyzers/DomainTools/DomainTools_ReverseIPWhois.json b/analyzers/DomainTools/DomainTools_ReverseIPWhois.json
new file mode 100644
index 000000000..1e5422aa6
--- /dev/null
+++ b/analyzers/DomainTools/DomainTools_ReverseIPWhois.json
@@ -0,0 +1,30 @@
+{
+ "name": "DomainTools_ReverseIPWhois",
+ "version": "2.0",
+ "author": "CERT-BDF",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Use DomainTools to get a list of IP addresses which share the same registrant information.",
+ "dataTypeList": ["mail", "ip", "domain", "other"],
+ "command": "DomainTools/domaintools_analyzer.py",
+ "baseConfig": "DomainTools",
+ "config": {
+ "service": "reverse-ip-whois"
+ },
+ "configurationItems": [
+ {
+ "name": "username",
+ "description": "DomainTools API credentials",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "key",
+ "description": "DomainTools API credentials",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ]
+}
diff --git a/analyzers/DomainTools/DomainTools_Risk.json b/analyzers/DomainTools/DomainTools_Risk.json
index ed1a1a94b..48d6a2a14 100644
--- a/analyzers/DomainTools/DomainTools_Risk.json
+++ b/analyzers/DomainTools/DomainTools_Risk.json
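Review bot: `dataTypeList` for the new ReverseIPWhois descriptor includes `other`, and the matching `elif self.service == 'reverse-ip-whois':` branch added to domaintools_analyzer.py (hunk `@@ -52,20 +55,25 @@`) is the only branch in the chain without a `self.data_type` guard, so any free-form observable content is forwarded verbatim to the vendor API under the configured credentials. Either drop `other` from the list or guard the branch as `elif self.service == 'reverse-ip-whois' and self.data_type in ['mail', 'ip', 'domain']:` so unsupported types are treated like every other unmatched service/type combination. What happens when no branch matches is decided before this hunk and is not visible here.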
@@ -1,17 +1,17 @@
 {
- "name": "DomainTools_Risk",
- "version": "2.0",
- "author": "CERT-BDF",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Use DomainTools to get a risk score and evidence details on a domain or fqdn",
- "dataTypeList": ["domain","fqdn"],
- "command": "DomainTools/domaintools_analyzer.py",
- "baseConfig": "DomainTools",
- "config": {
- "service": "risk_evidence"
- },
- "configurationItems": [
+ "name": "DomainTools_Risk",
+ "version": "2.0",
+ "author": "CERT-BDF",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Use DomainTools to get a risk score and evidence details on a domain or fqdn",
+ "dataTypeList": ["domain","fqdn"],
+ "command": "DomainTools/domaintools_analyzer.py",
+ "baseConfig": "DomainTools",
+ "config": {
+ "service": "risk_evidence"
+ },
+ "configurationItems": [
 {
 "name": "username",
 "description": "DomainTools API credentials",
diff --git a/analyzers/DomainTools/DomainTools_WhoisLookup.json b/analyzers/DomainTools/DomainTools_WhoisLookup.json
index cfbf34097..d53bbdfea 100644
--- a/analyzers/DomainTools/DomainTools_WhoisLookup.json
+++ b/analyzers/DomainTools/DomainTools_WhoisLookup.json
@@ -4,8 +4,8 @@
 "author": "CERT-BDF",
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
- "description": "Use DomainTools to get the ownership record for a domain with basic registration details.",
- "dataTypeList": ["domain"],
+ "description": "Use DomainTools to get the ownership record for a domain or an IP address with basic registration details parsed.",
+ "dataTypeList": ["domain", "ip"],
 "command": "DomainTools/domaintools_analyzer.py",
 "baseConfig": "DomainTools",
 "config": {
diff --git a/analyzers/DomainTools/DomainTools_WhoisLookupIP.json b/analyzers/DomainTools/DomainTools_WhoisLookupUnparsed.json
similarity index 83%
rename from analyzers/DomainTools/DomainTools_WhoisLookupIP.json
rename to analyzers/DomainTools/DomainTools_WhoisLookupUnparsed.json
index 0a79184e0..2760bd6a0 100644
--- a/analyzers/DomainTools/DomainTools_WhoisLookupIP.json
+++ b/analyzers/DomainTools/DomainTools_WhoisLookupUnparsed.json
@@ -1,11 +1,11 @@
 {
- "name": "DomainTools_WhoisLookup_IP",
+ "name": "DomainTools_WhoisLookupUnparsed",
 "version": "2.0",
 "author": "CERT-BDF",
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
- "description": "Use DomainTools to get the ownership record for an IP address with basic registration details.",
- "dataTypeList": ["ip"],
+ "description": "Use DomainTools to get the ownership record for an IP address or a domain without parsing.",
+ "dataTypeList": ["ip", "domain"],
 "command": "DomainTools/domaintools_analyzer.py",
 "baseConfig": "DomainTools",
 "config": {
diff --git a/analyzers/DomainTools/domaintools_analyzer.py b/analyzers/DomainTools/domaintools_analyzer.py
index 635e0647c..dd2362d5d 100755
--- a/analyzers/DomainTools/domaintools_analyzer.py
+++ b/analyzers/DomainTools/domaintools_analyzer.py
@@ -42,9 +42,12 @@ def domaintools(self, data): elif self.service == 'whois/history' and self.data_type == 'domain': response = api.whois_history(data).response() - elif self.service == 'whois/parsed' and self.data_type == 'domain': + elif self.service == 'whois/parsed' and self.data_type in ['domain','ip']: response = api.parsed_whois(data).response() + elif self.service == 'hosting-history' and self.data_type == 'domain': + response = api.hosting_history(data).response() + elif self.service == 'risk_evidence' and self.data_type in ['domain', 'fqdn']: response = api.risk_evidence(data).response() 
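Review bot: The accepted-type list in the changed `whois/parsed` branch, `['domain','ip']`, is written without the space that the neighbouring `['domain', 'fqdn']` condition uses, and both duplicate the `dataTypeList` arrays of the JSON descriptors (WhoisLookup.json now lists `["domain", "ip"]`), so the two places must be kept in sync by hand. Suggest writing it as `elif self.service == 'whois/parsed' and self.data_type in ('domain', 'ip'):` for consistency and adding a comment above the chain such as `# data types accepted here must match dataTypeList in the matching analyzers/DomainTools/*.json descriptor`. `domaintools()` starts before this hunk, so whether `response` has a default for an unmatched service/type pair is not visible here.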
@@ -52,20 +55,25 @@ def domaintools(self, data): response = api.reputation(data, include_reasons=True).response() elif self.service == 'reverse-whois': - response = api.reverse_whois(data, mode='purchase').response() + scope = self.getParam('parameters.scope', 'current', None) + response = api.reverse_whois(data, mode='purchase', scope=scope).response() - elif self.service == 'whois' and self.data_type == 'ip': + elif self.service == 'reverse-ip-whois': + response = api.reverse_ip_whois(data).response() + + elif self.service == 'whois' and self.data_type in ['domain', 'ip']: response = api.whois(data).response() return response def summary(self, raw): + r = { "service": self.service, "dataType": self.data_type } - + if "ip_addresses" in raw: if type(raw["ip_addresses"]) == dict: r["ip"] = { @@ -87,6 +95,16 @@ def summary(self, raw): "historic": raw["domain_count"]["historic"] } + if "registrar_history" in raw: + r["registrar_history"] = len(raw["registrar_history"]) + if "ip_history" in raw: + r["ip_history"] = len(raw["ip_history"]) + if "nameserver_history" in raw: + r["ns_history"] = len(raw["nameserver_history"]) + + if "record_count" in raw: + r["record_count"] = raw["record_count"] + if "registrant" in raw: r["registrant"] = raw["registrant"] elif "response" in raw and "registrant" in raw["response"]: @@ -94,7 +112,6 @@ def summary(self, raw): if "parsed_whois" in raw: r["registrar"] = raw["parsed_whois"]["registrar"]["name"] - # if "name_server" in raw: r["name_server"] = raw["name_server"]["hostname"] 
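Review bot: `scope` is read from the job parameters with `self.getParam('parameters.scope', 'current', None)` and passed straight to `api.reverse_whois(data, mode='purchase', scope=scope)` without validation; as far as I know the DomainTools reverse-whois endpoint accepts only `current` and `historic`, and since the call is made in purchase mode an unexpected value surfaces as a vendor-side error rather than a clear analyzer error. Suggest checking it first, `if scope not in ('current', 'historic'): self.error('Unsupported scope: {}'.format(scope))`, assuming the class is the cortexutils Analyzer whose `error()` the rest of the file relies on. The new `reverse-ip-whois` branch further down is the only one in the chain without a `self.data_type` check, which matters because its descriptor lists `other`. `domaintools()` and `summary()` both start before this hunk.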
@@ -123,6 +140,16 @@ def summary(self, raw): r["domain_count"][ "historic"]))) + if r["service"] == "reverse-ip-whois": + taxonomies.append(self.build_taxonomy("info", "DT", "Reverse_IP_Whois", + "records:{}".format(r["record_count"]))) + + if r["service"] == "hosting-history": + taxonomies.append(self.build_taxonomy("info", "DT", "Hosting_History", + "registrars:{} / ips:{} / ns:{}".format(r["registrar_history"], + r["ip_history"], + r["ns_history"]))) + if r["service"] == "whois/history": taxonomies.append(self.build_taxonomy("info", "DT", "Whois_History", "{} {}".format(r["record_count"], "records" if r["record_count"] > 1 else "record"))) diff --git a/thehive-templates/DomainTools_HostingHistory_2_0/long.html b/thehive-templates/DomainTools_HostingHistory_2_0/long.html new file mode 100644 index 000000000..02da99209 --- /dev/null +++ b/thehive-templates/DomainTools_HostingHistory_2_0/long.html @@ -0,0 +1,83 @@ +
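Review bot: The new `hosting-history` taxonomy reads `r["registrar_history"]`, `r["ip_history"]` and `r["ns_history"]`, but the earlier summary hunk sets each of those keys only when the corresponding array is present in `raw`, so a response missing any of them raises `KeyError` and the whole summary fails instead of degrading; the `reverse-ip-whois` taxonomy has the same dependency on `r["record_count"]`. Use `r.get("registrar_history", 0)`, `r.get("ip_history", 0)`, `r.get("ns_history", 0)` and `r.get("record_count", 0)` in the `format()` calls, or initialise the counters to 0 where `r` is built. `summary()` starts before this hunk, and whether the API always returns all three arrays is not visible here.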
+
+ {{artifact.data | fang}} +
+
+ {{content.errorMessage}} +
+
+ +
+
+ {{artifact.data | fang}} +
+
+

+ Registrar History +

+ + + + + + + + + + + + + + + + + +
domainregistrardate_createddate_updateddate_expires
{{row.domain}}{{row.registrar}}{{row.date_created | shortDate}}{{row.date_updated | shortDate}}{{row.date_expires | shortDate}}
+
+
+

+ IP History +

+ + + + + + + + + + + + + + + + + +
domainactiondateactionpre_ippost_ip
{{row.domain}}{{row.actiondate | shortDate}}{{row.action_in_words}}{{row.pre_ip}}{{row.post_ip}}
+
+
+

+ IP History +

+ + + + + + + + + + + + + + + + + +
domainactiondateactionpre_mnspost_mns
{{row.domain}}{{row.actiondate | shortDate}}{{row.action_in_words}}{{row.pre_mns}}{{row.post_mns}}
+
+
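Review bot: The third table in the new HostingHistory long.html template is headed `IP History` although its columns are `pre_mns`/`post_mns`, i.e. name-server changes, so it duplicates the heading of the second table and an analyst cannot tell the two apart; the third heading should read `Name Server History`. The markup around the headings is not visible in this rendering, so only the heading text is being flagged.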
diff --git a/thehive-templates/DomainTools_WhoisLookup_IP_2_0/short.html b/thehive-templates/DomainTools_HostingHistory_2_0/short.html similarity index 100% rename from thehive-templates/DomainTools_WhoisLookup_IP_2_0/short.html rename to thehive-templates/DomainTools_HostingHistory_2_0/short.html diff --git a/thehive-templates/DomainTools_ReverseIPWhois_2_0/long.html b/thehive-templates/DomainTools_ReverseIPWhois_2_0/long.html new file mode 100644 index 000000000..e1f0bde83 --- /dev/null +++ b/thehive-templates/DomainTools_ReverseIPWhois_2_0/long.html @@ -0,0 +1,40 @@ +
+
+ {{artifact.data | fang}} +
- +
+
+
Number of records
+
{{content.record_count}}
+
+
+
+ + + + + + + + + + + + + + + + + +
rangeorganizationcountryserverrecord_date
{{row.range}}{{row.organization}}{{row.country}}{{row.server}}{{row.record_date | shortDate}}
+
+
+ +
+
+ {{artifact.data | fang}} +
+
+ {{content.errorMessage}} +
+
diff --git a/thehive-templates/DomainTools_ReverseIPWhois_2_0/short.html b/thehive-templates/DomainTools_ReverseIPWhois_2_0/short.html new file mode 100644 index 000000000..5fc0dabfb --- /dev/null +++ b/thehive-templates/DomainTools_ReverseIPWhois_2_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}="{{t.value}}" + diff --git a/thehive-templates/DomainTools_WhoisLookup_IP_2_0/long.html b/thehive-templates/DomainTools_WhoisLookupUnparsed_2_0/long.html similarity index 100% rename from thehive-templates/DomainTools_WhoisLookup_IP_2_0/long.html rename to thehive-templates/DomainTools_WhoisLookupUnparsed_2_0/long.html diff --git a/thehive-templates/DomainTools_WhoisLookupUnparsed_2_0/short.html b/thehive-templates/DomainTools_WhoisLookupUnparsed_2_0/short.html new file mode 100644 index 000000000..5fc0dabfb --- /dev/null +++ b/thehive-templates/DomainTools_WhoisLookupUnparsed_2_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}="{{t.value}}" +