mentat.plugin.enricher.passivedns module

Enricher plugin performing a passive DNS lookup of all Source/IPx addresses using the CESNET PassiveDNS service.

The implementation consists of a PassiveDNS connector and its Enricher plugin. The connector provides information about domains linked to a user-defined IP address. Each domain record carries at least the timestamps of when the domain name, in combination with the IP address, was seen for the first and for the last time from the point of view of a DNS sniffer.

Warning

This module is still a work in progress and should be treated as alpha code.

class mentat.plugin.enricher.passivedns.PassiveDNSCESNETEnricherPlugin

Bases: EnricherPlugin

Enricher plugin performing a PassiveDNS lookup of all Source/IPx addresses using the CESNET PassiveDNS service.

SOURCE_ID = 'https://passivedns.cesnet.cz/'
process(daemon, message_id, message)

Process and enrich the given message.

setup(daemon, config_updates=None)

Process configuration parameters and prepare the PassiveDNS connector.

class mentat.plugin.enricher.passivedns.PassiveDNSConnectorBase(api_timeout=0.5, rec_validity=168)

Bases: object

The abstract base class for PassiveDNS connectors.

The class provides common interface and basic record caching.

query(ip_addr, timeout=None)

Get the domains of an IP address based on PassiveDNS.

A new query is sent to the remote server; the results are parsed into internal records and returned.

Parameters
  • ip_addr (str) – IP address to query

  • timeout (int) – Query timeout in seconds (if None, default timeout is used)

Returns

Parsed domains as a list of internal records (can be empty)

Return type

list of dict

query_multi(ip_addrs, timeout=None)

Get the domains of multiple IP addresses based on PassiveDNS.

Similar to the single-address query(), but the results for multiple IP addresses are returned as a dictionary whose keys are IP addresses and whose values are lists of parsed domain records. IP addresses without known domain records are not present in the result.

Parameters
  • ip_addrs (list of str) – List of IP addresses to query

  • timeout (int) – Single query timeout in seconds (if None, default timeout is used)

Returns

IP addresses and their domains (can be empty)

Return type

dict [str, list of dict]

status()

Determine and return the status of the configuration.

Returns

Dictionary containing various subkeys

Return type

dict

class mentat.plugin.enricher.passivedns.PassiveDNSConnectorCESNET(api_limit=100, **kwargs)

Bases: PassiveDNSConnectorBase

PassiveDNS connector for the CESNET PassiveDNS API.

API_SERVER = 'https://passivedns.cesnet.cz'
API_URL = '/pdns/ip/{ip_address}?from={start}&to={end}'
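As an added example (not Mentat's own code), the following sketch shows how a connector of this shape behaves when exercised offline: the request URL it builds from API_URL for a rec_validity window, per-address record caching, and query_multi omitting addresses that have no records. It assumes rec_validity is a number of hours and that the API accepts YYYY-MM-DD dates; DemoPassiveDNSConnector, fake_fetch and the record layout are constructed for the example and do not reflect the real API's response format.

```python
import datetime

API_SERVER = 'https://passivedns.cesnet.cz'
API_URL = '/pdns/ip/{ip_address}?from={start}&to={end}'

# Constructed sample data, not real PassiveDNS output. TEST-NET addresses only.
SAMPLE = {
    '192.0.2.10': [{'domain': 'example.org',
                    'first_seen': '2024-01-02', 'last_seen': '2024-01-20'}],
    '192.0.2.11': [],   # address with no known domain records
}


def fake_fetch(url):
    """Stand-in for the HTTP call: look the address up in SAMPLE instead."""
    ip_addr = url.split('/pdns/ip/')[1].split('?')[0]
    return SAMPLE.get(ip_addr, [])


class DemoPassiveDNSConnector:
    """Hypothetical connector with the same query/query_multi shape as the page's."""

    def __init__(self, fetch, rec_validity=168):
        self.fetch = fetch                 # injected so the example runs offline
        self.rec_validity = rec_validity   # assumed to be a window in hours
        self.cache = {}                    # ip_addr -> list of parsed records

    def build_url(self, ip_addr, now):
        start = now - datetime.timedelta(hours=self.rec_validity)
        return API_SERVER + API_URL.format(ip_address=ip_addr,
                                           start=start.strftime('%Y-%m-%d'),
                                           end=now.strftime('%Y-%m-%d'))

    def query(self, ip_addr, now):
        if ip_addr not in self.cache:      # one remote round trip per address
            self.cache[ip_addr] = self.fetch(self.build_url(ip_addr, now))
        return self.cache[ip_addr]

    def query_multi(self, ip_addrs, now):
        # Addresses without records are dropped, matching the documented contract.
        return {ip: recs for ip in ip_addrs if (recs := self.query(ip, now))}


def run_demo():
    """Query both sample addresses twice; return URL, both results and fetch count."""
    calls = []
    conn = DemoPassiveDNSConnector(lambda url: (calls.append(url), fake_fetch(url))[1])
    now = datetime.datetime(2024, 1, 21, tzinfo=datetime.timezone.utc)
    first = conn.query_multi(list(SAMPLE), now)
    second = conn.query_multi(list(SAMPLE), now)   # served entirely from cache
    return conn.build_url('192.0.2.10', now), first, second, len(calls)
```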
exception mentat.plugin.enricher.passivedns.PassiveDNSConnectorError

Bases: RuntimeError

Custom exception raised by the PassiveDNS connector.