
      1 #!/usr/bin/env python
      2 # Elasticsearch Recon Ingestion Scripts (ERIS) - Developed by Acidvegas (https://git.acid.vegas/eris)
      3 # ingest_massdns.py
      4 
import ipaddress
import time
      6 
# Default name of the target Elasticsearch index; not referenced anywhere in this file,
# presumably picked up by the ERIS ingest driver — confirm against the caller
default_index = 'ptr-records'
      8 
def construct_map() -> dict:
    '''
    Build the Elasticsearch index mapping for MassDNS PTR documents.

    :return: A dict of the form {'mappings': {'properties': {...}}}
    '''

    # 'record' is analysed text plus a 256-char keyword sub-field for exact-match lookups
    text_with_keyword = {
        'type':   'text',
        'fields': { 'keyword': { 'type': 'keyword', 'ignore_above': 256 } }
    }

    properties = {}
    properties['ip']     = { 'type': 'ip' }
    properties['name']   = { 'type': 'keyword' }   # declared in the mapping but not emitted by process_file() in this file
    properties['record'] = text_with_keyword
    properties['seen']   = { 'type': 'date' }

    return { 'mappings': { 'properties': properties } }
     26 
     27 
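def _reverse_name_to_ip(name: str):
    '''
    Translate a reverse-DNS owner name (in-addr.arpa or ip6.arpa) into the IP address it points at.

    :param name: Owner name with the trailing dot already removed
    :return: The normalised address as a string, or None when the name is not a well-formed host pointer
    '''

    if name.endswith('.in-addr.arpa'):
        octets = name[:-len('.in-addr.arpa')].split('.')
        if len(octets) != 4:
            return None  # zone apex or partial delegation (e.g. a /24 name), not a host pointer
        candidate = '.'.join(reversed(octets))
    elif name.endswith('.ip6.arpa'):
        nibbles = name[:-len('.ip6.arpa')].split('.')
        if len(nibbles) != 32:
            return None
        hexdigits = ''.join(reversed(nibbles))
        candidate = ':'.join(hexdigits[i:i + 4] for i in range(0, 32, 4))
    else:
        return None

    try:
        # ipaddress rejects non-numeric labels, out-of-range octets and bad hex nibbles; the input is
        # untrusted resolver output, and an unvalidated value would otherwise only fail later when the
        # 'ip' field of the mapping refuses the document at bulk-index time
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def process_file(file_path: str):
    '''
    Read and process Massdns records from the log file.

    Yields one document per PTR line (keys: ip, record, seen). Lines that are blank, are not PTR records,
    point back at their own owner name, or whose owner name is not a valid in-addr.arpa / ip6.arpa host
    pointer are skipped.

    :param file_path: Path to the Massdns log file
    :raises ValueError: If a non-blank line has fewer than three whitespace-separated fields
    '''

    with open(file_path, 'r', encoding='utf-8') as file:
        for line in file:
            line = line.strip()

            if not line:
                continue

            parts = line.split()

            if len(parts) < 3:
                raise ValueError(f'Invalid PTR record: {line}')

            # Trailing dots are dropped so the owner name and the PTR target are stored in relative form
            name, record_type, data = parts[0].rstrip('.'), parts[1], ' '.join(parts[2:]).rstrip('.')

            if record_type != 'PTR':
                continue

            # Let's not index the PTR record if it's the same as the in-addr.arpa domain
            if data == name:
                continue

            ip = _reverse_name_to_ip(name)

            if ip is None:
                continue

            yield {
                'ip':     ip,
                'record': data,
                'seen':   time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())
            }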
     71 
     72 
# NOTE(review): process_file() strips the trailing dot from the PTR target before yielding it, so the
# indexed 'record' value has no trailing dot; the sample output below predates that behaviour.
'''
Example PTR record:
0.6.229.47.in-addr.arpa. PTR 047-229-006-000.res.spectrum.com.
0.6.228.75.in-addr.arpa. PTR 0.sub-75-228-6.myvzw.com.
0.6.207.73.in-addr.arpa. PTR c-73-207-6-0.hsd1.ga.comcast.net.
0.6.212.173.in-addr.arpa. PTR 173-212-6-0.cpe.surry.net.
0.6.201.133.in-addr.arpa. PTR flh2-133-201-6-0.tky.mesh.ad.jp.

Will be indexed as:
{
    "ip": "47.229.6.0",
    "record": "047-229-006-000.res.spectrum.com.",
    "seen": "2021-06-30T18:31:00Z"
}
'''