From 4eae01756b079e2035c154ef6411249f83b902e4 Mon Sep 17 00:00:00 2001
From: Alicia Sykes
Date: Wed, 18 Dec 2024 21:24:43 +0000
Subject: [PATCH 1/2] feat: Remove need for external API for whois lookups
---
 .../ransomwarelive/src/lib/ransom_conn.py | 38 +++++++------------
 .../hygiene/src/requirements.txt | 1 +
 2 files changed, 14 insertions(+), 25 deletions(-)
diff --git a/external-import/ransomwarelive/src/lib/ransom_conn.py b/external-import/ransomwarelive/src/lib/ransom_conn.py
index 7f0df01b19..4e37f35396 100644
--- a/external-import/ransomwarelive/src/lib/ransom_conn.py
+++ b/external-import/ransomwarelive/src/lib/ransom_conn.py
@@ -24,6 +24,7 @@
 ThreatActor,
 )
+import whois
 class RansomwareAPIConnector:
 """Specific external-import connector
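Review bot: `+import whois` is added to external-import/ransomwarelive/src/lib/ransom_conn.py, but the only requirements change in this patch is `+python-whois` in internal-enrichment/hygiene/src/requirements.txt, so the ransomwarelive connector has no declared dependency for the module it now imports and will fail at import time unless the package happens to be present transitively. The entry belongs in the ransomwarelive connector's own requirements file (not shown in this diff), and pinned like its neighbours `tldextract==5.1.3` and `pycti==6.4.5`, e.g. `python-whois==<PINNED_VERSION>`, so the resolved distribution is reproducible — several PyPI projects install a top-level module named `whois`, and an unpinned name does not fix which one a rebuild gets. Patch 2's two hunks relocate this import into the main import block but leave the dependency declaration as it is here.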
@@ -174,38 +175,25 @@ def ip_fetcher(self, domain): # Fetches the whois information of a domain def fetch_country_domain(self, domain): - url = f"https://who-dat.as93.net/{domain}" - headers = {"user-agent": "OpenCTI"} try: - response = requests.get(url, headers=headers, timeout=(20000, 20000)) - if response.status_code == 200: - response_json = response.json() - if response_json.get("whoisparser") == "domain is not found": - self.helper.log_info(f"Domain {domain} is not found") - return None - - else: - return None + w = whois.whois(domain) except Exception as e: self.helper.log_error(f"Error fetching WHOIS for domain {domain}") self.helper.log_error(str(e)) return None + try: description = f"Domain:{domain} \n" - if ( - response_json.get("domain") is not None - and response_json.get("administrative") is not None - ): - if response_json.get("administrative").get("country") is not None: - description += f" is registered in {response_json.get('administrative').get('country')} \n" - if response_json.get("registrar") is not None: - description += ( - f"registered with {response_json.get('registrar').get('name')} \n" - ) - if response_json.get("domain").get("created_date") is not None: - description += f" creation_date {response_json.get('domain').get('created_date')} \n" - if response_json.get("domain").get("expiration_date") is not None: - description += f" expiration_date {response_json.get('domain').get('expiration_date')} \n" + # Using whois data from w instead of response_json + if w is not None: + if w.get("country") is not None: + description += f" is registered in {w.get('country')} \n" + if w.get("registrar") is not None: + description += f"registered with {w.get('registrar')} \n" + if w.get("creation_date") is not None: + description += f" creation_date {w.get('creation_date')} \n" + if w.get("expiration_date") is not None: + description += f" expiration_date {w.get('expiration_date')} \n" except Exception as e: self.helper.log_error(f"Error fetching whois 
for domain {domain}")
diff --git a/internal-enrichment/hygiene/src/requirements.txt b/internal-enrichment/hygiene/src/requirements.txt
index 20d5e895dd..361611f9d2 100644
--- a/internal-enrichment/hygiene/src/requirements.txt
+++ b/internal-enrichment/hygiene/src/requirements.txt
@@ -1,3 +1,4 @@
 tldextract==5.1.3
 pycti==6.4.5
+python-whois
 git+http://github.com/MISP/PyMISPWarningLists.git@main#egg=pymispwarninglists
From 5322463960066b41b79519b81bdadeb7056f2065 Mon Sep 17 00:00:00 2001
From: Alicia Sykes
Date: Wed, 18 Dec 2024 21:42:17 +0000
Subject: [PATCH 2/2] ref/Update imports to fix CircleCI lint
---
 external-import/ransomwarelive/src/lib/ransom_conn.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/external-import/ransomwarelive/src/lib/ransom_conn.py b/external-import/ransomwarelive/src/lib/ransom_conn.py
index 4e37f35396..85a0d48000 100644
--- a/external-import/ransomwarelive/src/lib/ransom_conn.py
+++ b/external-import/ransomwarelive/src/lib/ransom_conn.py
@@ -8,6 +8,7 @@
 import requests
 import tldextract
 import validators
+import whois
 from pycti import OpenCTIConnectorHelper
 from stix2 import (
 TLP_WHITE,
@@ -24,7 +25,6 @@
 ThreatActor,
 )
-import whois
 class RansomwareAPIConnector:
 """Specific external-import connector
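Review bot: `w = whois.whois(domain)` drops the request timeout the removed `requests.get` call carried, so a WHOIS server that accepts the port-43 connection but never answers can stall the connector's whole run; unless python-whois bounds the socket itself (confirm against the version you pin), run the lookup under an explicit bounded timeout. The library returns `creation_date`/`expiration_date` as a datetime or, for some registries, a list of datetimes, so `description += f" creation_date {w.get('creation_date')} \n"` can write a Python list repr into the STIX description — normalise to a single ISO date before formatting. The removed branch that logged `Domain {domain} is not found` at info level has no replacement: presumably the library raises on no-match responses, and that now falls into the generic `except Exception` at error level, which will be noisy for the many unregistered victim domains in this feed. Note also that the connector now needs direct TCP/43 egress to registry WHOIS servers instead of HTTPS to one host, which the deployment docs and egress rules should reflect. fetch_country_domain continues past the end of the hunk.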