DomainTools Expert Bot (initial version) #1004
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| # Domaintools expert | ||
|
|
||
| This expert bot is an example on how to query domaintools. | ||
|
|
||
| It does require an API from domaintools. | ||
|
|
||
| Documentation on domaintools: https://www.domaintools.com/resources/api-documentation/ | ||
| Specifically, this bot can query a domain for the reputation score in domaintools: https://www.domaintools.com/resources/api-documentation/reputation/ | ||
|
|
||
| It will add the score in the extra field: ``extra.domaintools_score``. | ||
|
|
||
|
|
||
| Authors: Juan Ortega Valiente, Aaron Kaplan |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| domaintools_api==0.1.7 |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| # -*- coding: utf-8 -*- | ||
| """ | ||
| domaintools expert: query domtaintools.com to get a reputation score for a domain name | ||
|
|
||
| """ | ||
| from intelmq.lib.bot import Bot | ||
| try: | ||
| from domaintools import API, exceptions | ||
| except ImportError: | ||
| API = None | ||
|
|
||
|
|
||
| class DomaintoolsExpertBot(Bot): | ||
|
|
||
| def init(self): | ||
| self.logger.info("Loading Domaintools expert.") | ||
| if (not API): | ||
| self.logger.exception("need to have the domaintools API installed. See https://github.com/domaintools/python_api") | ||
| self.stop() | ||
| if (not self.parameters.user): | ||
| self.logger.exception("need to specify user for domaintools expert in runtime.conf. Exiting") | ||
|
There was a problem hiding this comment. Missing dot at end of line. And you can remove the "Exiting", that's done by the bot class. |
||
| self.stop() | ||
| if (not self.parameters.password): | ||
| self.logger.exception("need to specify password for the user for domaintools expert in runtime.conf. Exiting") | ||
| self.stop() | ||
| self.api = API(self.parameters.user, self.parameters.password) | ||
|
|
||
| def domaintools_get_score(self, fqdn): | ||
| score = None | ||
| if fqdn: | ||
|
There was a problem hiding this comment. That's already checked in the |
||
| resp = self.api.reputation(fqdn, include_reasons=False) # don't include a reason in the JSON response | ||
|
|
||
| try: | ||
| score = resp['risk_score'] | ||
| except exceptions.NotFoundException: | ||
|
There was a problem hiding this comment. you can use |
||
| score = None | ||
| except exceptions.BadRequestException: | ||
|
There was a problem hiding this comment. Is a bad request really the same as no result? Just raise the error, so the bot can retry. |
||
| score = None | ||
|
There was a problem hiding this comment. If nothing is returned explicitly, the return value is |
||
| return score | ||
|
|
||
| def process(self): | ||
| event = self.receive_message() | ||
| extra = {} | ||
|
|
||
| for key in ["source.", "destination."]: | ||
| key_fqdn = key + "fqdn" | ||
| if key_fqdn not in event: | ||
| continue # can't query if we don't have a domain name | ||
| score = self.domaintools_get_score(event.get(key_fqdn)) | ||
| if score is not None: | ||
| extra["domaintools_score"] = score | ||
| event.add("extra", extra) | ||
|
There was a problem hiding this comment. This fails if extra is already present, with force it would overwrite existing data |
||
|
|
||
| self.send_message(event) | ||
| self.acknowledge_message() | ||
|
|
||
|
|
||
| BOT = DomaintoolsExpertBot | ||
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # -*- coding: utf-8 -*- | ||
| """ | ||
| Testing GethostbynameExpertBot. | ||
| """ | ||
|
|
||
| import unittest | ||
|
|
||
| import intelmq.lib.test as test | ||
| from intelmq.bots.experts.domaintools.expert import DomaintoolsExpertBot | ||
|
|
||
| EXAMPLE_INPUT = {"__type": "Event", | ||
| "source.fqdn": "google.com", | ||
| "time.observation": "2015-01-01T00:00:00+00:00" | ||
| } | ||
| EXAMPLE_OUTPUT = {"__type": "Event", | ||
| "source.fqdn": "google.com", | ||
| "extra": '{"domaintools_score": 0}', | ||
| "time.observation": "2015-01-01T00:00:00+00:00" | ||
| } | ||
| NONEXISTING_INPUT = {"__type": "Event", | ||
|
There was a problem hiding this comment. Actually the lib raises the |
||
| "source.fqdn": "example.invalid", | ||
| "destination.fqdn": "example.invalid", | ||
| "time.observation": "2015-01-01T00:00:00+00:00" | ||
| } | ||
|
|
||
|
|
||
| @test.skip_internet() | ||
| class TestDomaintoolsExpertBot(test.BotTestCase, unittest.TestCase): | ||
| """ | ||
| A TestCase for DomaintoolsExpertBot. | ||
| """ | ||
|
|
||
| @classmethod | ||
| def set_bot(self): | ||
| self.bot_reference = DomaintoolsExpertBot | ||
| self.sysconfig = {'user': 'mkendrick_first2017', 'password': 'c0e4e-e2527-dc6af-824a4-229d5'} | ||
|
|
||
|
|
||
| def test_existing(self): | ||
| self.input_message = EXAMPLE_INPUT | ||
| self.run_bot() | ||
| self.assertMessageEqual(0, EXAMPLE_OUTPUT) | ||
|
|
||
| def test_non_existing(self): | ||
| self.input_message = NONEXISTING_INPUT | ||
| self.run_bot() | ||
| self.assertMessageEqual(0, NONEXISTING_INPUT) | ||
|
|
||
| if __name__ == '__main__': # pragma: no cover | ||
| unittest.main() | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wrong usage of
logger.exception. It prints the traceback of a fromerly catched exception.Replace both lines with
raise ValueError("your error message"). The bot class performs the stop itself.