mnemonic-no/act-workers

Whois Worker

Closed this issue · 3 comments

Hello,

To begin, thank you very much for this enormous work.
I wanted to know why there is no feature to do an automated "whois" when handling the IOCs on the graph and thus benefit from the correlations on the whois-registrant-email and whois-registrant-phone.
I looked at the workers' code, and in fact it is only possible to retrieve this kind of information from the MISP worker. Do you assume that the whois will be done by a worker on the MISP side? I think it would be interesting to be able to investigate dynamically with this kind of feature.

Best regards,

frbor commented

Hi Wes,

We appreciate your interest in the ACT platform. We have been discussing a whois worker, which definitely would be nice to have in the platform. To develop a worker like this we would need access to an API that supports structured responses so they can be mapped to the correct types in the platform. We know there are some commercial offerings for this, but if you know of any that are free to use, with good quality data (preferably free, at least with low data volumes), please let us know and we can look into it.

best regards,

Fredrik

Hello Fredrik,

Thank you for this quick response!
Truth be told, I have a bunch of APIs in mind that retrieve WHOIS data.
Workers for IoT mapping services such as Shodan / Censys / ZoomEye provide this information for a number of IPs.

RIPE provides a free API with few limitations; however, RIPE will not cover all domain names, and other Internet registries do not provide such an API.

You have a list of APIs here: https://github.com/jivoi/awesome-osint

With a Google search, I found this site: https://hexillion.com/whois

Although this one has no limitation (2400 queries per minute, no more than 10 concurrent queries), they consider APIs such as SecurityTrails, DNSDumpster, domaintools to be more reliable over time (less likely that API support stops) and richer in data.

Tools such as TheHarvester or recon-ng can give you ideas for future workers.

Have a good day,

frbor commented

Closing this issue.
We know that there are APIs available here, which are rate limited, where you can also pay for a higher rate. If someone else wants to look into this we will be happy to review a PR.