diff --git a/intelmq/bots/BOTS b/intelmq/bots/BOTS
index b73fd7910..0b2f23246 100644
--- a/intelmq/bots/BOTS
+++ b/intelmq/bots/BOTS
@@ -476,6 +476,14 @@
 "redis_cache_ttl": "86400"
 }
 },
+ "Domaintools": {
+ "description": "Domaintools expert is a bot which queries domaintools.com for a scoring of a domain name",
+ "module": "intelmq.bots.experts.domaintools.expert",
+ "parameters": {
+ "user": "",
+ "password": ""
+ }
+ },
 "Field Reducer": {
 "description": "The field reducer bot is capable of removing fields from events.",
 "module": "intelmq.bots.experts.field_reducer.expert",
diff --git a/intelmq/bots/experts/domaintools/expert.py b/intelmq/bots/experts/domaintools/expert.py
index 687e20aac..52741b542 100644
--- a/intelmq/bots/experts/domaintools/expert.py
+++ b/intelmq/bots/experts/domaintools/expert.py
@@ -26,27 +26,30 @@ def init(self):
 self.api = API(self.parameters.user, self.parameters.password)
 def domaintools_get_score(self, fqdn):
-
+ score = None
 if fqdn:
- resp = self.api.reputation(fqdn, include_reason=False) # don't include a reason in the JSON response
+ resp = self.api.reputation(fqdn, include_reasons=False) # don't include a reason in the JSON response
+
 try:
 score = resp['risk_score']
 except exceptions.NotFoundException:
- score = None
+ score = None
 except exceptions.BadRequestException:
- score = None
+ score = None
 return score
 def process(self):
 event = self.receive_message()
+ extra = {}
 for key in ["source.", "destination."]:
 key_fqdn = key + "fqdn"
 if key_fqdn not in event:
 continue # can't query if we don't have a domain name
- score = self.domaintools_get_score(key_fqdn)
- if score:
- event.add("extra.domaintools_score", score, raise_failure=False)
+ score = self.domaintools_get_score(event.get(key_fqdn))
+ if score is not None:
+ extra["domaintools_score"] = score
+ event.add("extra", extra)
 self.send_message(event)
 self.acknowledge_message()
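Review bot: In domaintools_get_score the `self.api.reputation(...)` call sits outside the `try`, so a `NotFoundException` or `BadRequestException` raised by the request itself propagates uncaught, while the handlers only guard the `resp['risk_score']` lookup, which would raise `KeyError` rather than either of those; moving the call inside the block (`try:` / `resp = self.api.reputation(fqdn, include_reasons=False)` / `score = resp['risk_score']`) makes the handlers meaningful, and a missing `risk_score` key deserves its own handler. In process, `extra["domaintools_score"]` is written for both `source.fqdn` and `destination.fqdn`, so an event carrying both keeps only the last score with no indication which host it describes. `event.add("extra", extra)` then runs unconditionally, storing an empty dict when nothing was scored and — given that the removed line needed `raise_failure=False` to tolerate an existing key — presumably failing on events that already have `extra`; guard it with `if extra:` and merge into any existing value instead of replacing it. The enclosing class and `init` start before this hunk.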
diff --git a/intelmq/tests/bots/experts/domaintools/__init__.py b/intelmq/tests/bots/experts/domaintools/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/intelmq/tests/bots/experts/domaintools/test_expert.py b/intelmq/tests/bots/experts/domaintools/test_expert.py
index 08a8f7c5c..9d214d142 100644
--- a/intelmq/tests/bots/experts/domaintools/test_expert.py
+++ b/intelmq/tests/bots/experts/domaintools/test_expert.py
@@ -6,15 +6,15 @@
 import unittest
 import intelmq.lib.test as test
-from intelmq.bots.experts.gethostbyname.expert import DomaintoolsExpertBot
+from intelmq.bots.experts.domaintools.expert import DomaintoolsExpertBot
 EXAMPLE_INPUT = {"__type": "Event",
 "source.fqdn": "google.com",
 "time.observation": "2015-01-01T00:00:00+00:00"
 }
 EXAMPLE_OUTPUT = {"__type": "Event",
- "source.fqdn": "example.com",
- "extra.domaintools_score": 0,
+ "source.fqdn": "google.com",
+ "extra": '{"domaintools_score": 0}',
 "time.observation": "2015-01-01T00:00:00+00:00"
 }
 NONEXISTING_INPUT = {"__type": "Event",
@@ -33,6 +33,7 @@ class TestDomaintoolsExpertBot(test.BotTestCase, unittest.TestCase):
 @classmethod
 def set_bot(self):
 self.bot_reference = DomaintoolsExpertBot
+ self.sysconfig = {'user': 'mkendrick_first2017', 'password': 'c0e4e-e2527-dc6af-824a4-229d5'}
 def test_existing(self):
 self.input_message = EXAMPLE_INPUT
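Review bot: EXAMPLE_OUTPUT pins `"extra": '{"domaintools_score": 0}'` for google.com, a value that — as far as this hunk shows — comes from a live DomainTools lookup rather than a fixture, so the assertion depends on network access and on the remote score never changing. If the suite is meant to call the real service, the test should be skipped when the service is unreachable and check only that `extra` decodes to a dict with an integer `domaintools_score` rather than the literal `0`; otherwise replace `API.reputation` with a stub returning a fixed `{'risk_score': 0}` so the expectation is deterministic. A one-line comment above EXAMPLE_OUTPUT noting that `extra` is expected as a JSON-encoded string would also help, since that is not obvious from the field name.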
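Review bot: `self.sysconfig` in set_bot embeds what look like live DomainTools account credentials as `user` and `password` literals in a committed test file; anything that reaches version control has to be treated as disclosed, so the account should be rotated and the literals must not ship. Read them from the environment instead, e.g. `self.sysconfig = {'user': os.environ.get('DOMAINTOOLS_USER', ''), 'password': os.environ.get('DOMAINTOOLS_PASSWORD', '')}` (the variable names are a suggestion; this needs `import os`), and skip the tests when they are unset so a checkout without an account still passes CI. The `set_bot` method is also a `@classmethod` whose first parameter is named `self`; `cls` would match the decorator.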