Add RDAP expansion module #785
Merged
Adds an expansion module that queries the public RDAP bootstrap (rdap.org) for the registration data of a domain, hostname, IP address or URL. RDAP (RFC 9082/9083) is the free, unauthenticated, structured successor to WHOIS; misp-modules has whois and passive-DNS modules but no RDAP one. The registrar, registration/expiration/modification dates, name servers, status and registrant details are parsed into a MISP whois object. No configuration or API key is required.
Member:
Thank you for the contribution!
Contributor (Author):
O captain my captain 🫡
Summary

Adds an RDAP expansion module. RDAP (Registration Data Access Protocol, RFC 9082/9083) is the IETF-standard, free and unauthenticated successor to WHOIS, returning structured JSON. misp-modules has `whois`, `whoisfreaks` and passive-DNS modules, but no RDAP one, so this fills that gap with a no-config, no-API-key enrichment source.

What it does

- `domain`, `hostname`, `ip-src`, `ip-dst`, `url` (a URL is resolved to its host).
- `rdap.org` bootstrap, which redirects to the authoritative RDAP server for the object, using the correct `domain/` or `ip/` endpoint.
- `events`), name servers, status, and registrant name/org/email (from the entity `vcardArray`).
- `misp_standard`. No configuration required.

Testing

- `tests/test_rdap.py`: 6 tests covering the domain whois-object mapping, the IP endpoint + `ip-address` relation, URL-to-host resolution, the not-found and wrong-input paths, and introspection/version. Uses mocked responses, no network needed.
- `rdap.org`:
  - `domain python.org` -> registrar `Gandi SAS`, expiration `2033-03-28`, four AWS name servers, status.
  - `ip-src 1.1.1.1` -> registrant `APNIC Research and Development`, dates, status.
  - `ip-src 8.8.8.8` -> registrant `Google LLC`.
- `black`, `isort` and `flake8` are clean.
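As an added illustration (not the PR's code), the snippet below shows how an RFC 9083 domain response of the kind the summary describes can be flattened into whois-object attributes: dates from `events`, name servers from `ldhName`, registrar and registrant from the entity `vcardArray`. The sample response is constructed and the MISP attribute names (`creation-date`, `registrant-org`, ...) are an assumption about the module's mapping.

```python
"""Flatten an RDAP (RFC 9083) domain object into whois-object attributes (added example)."""
# Constructed RDAP domain response in the RFC 9083 JSON shape; not a live rdap.org answer.
SAMPLE_RDAP = {
    "objectClassName": "domain", "ldhName": "EXAMPLE.ORG", "status": ["client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2033-03-28T04:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2024-01-01T00:00:00Z"},
        # Registry housekeeping, not a change to the registration: must not become a date attribute.
        {"eventAction": "last update of RDAP database", "eventDate": "2025-06-01T00:00:00Z"},
    ],
    "nameservers": [{"ldhName": "NS1.EXAMPLE-DNS.NET"}, {"ldhName": "ns2.example-dns.net"}],
    "entities": [
        {"roles": ["registrar"], "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"], ["fn", {}, "text", "Example Registrar Inc"]]]},
        {"roles": ["registrant"], "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"], ["fn", {}, "text", "Jane Doe"],
            ["org", {}, "text", "Example Org"], ["email", {}, "text", "hostmaster@example.org"]]]},
        {"roles": ["abuse"]},  # entity without a vcardArray: must be tolerated, not crash
    ],
}
# RFC 9083 eventAction -> whois-object date attribute (MISP attribute names are assumed here).
EVENT_MAP = {"registration": "creation-date", "expiration": "expiration-date",
             "last changed": "modification-date"}
# jCard property -> registrant attribute (assumed names).
REGISTRANT_MAP = {"fn": "registrant-name", "org": "registrant-org", "email": "registrant-email"}


def vcard_field(entity, name):
    """Text value of a jCard property; vcardArray[1] is the property list, prop[3] the value."""
    for prop in entity.get("vcardArray", [None, []])[1]:
        if prop[0] == name and len(prop) > 3:
            return prop[3]
    return None


def rdap_to_whois(rdap):
    """Return (attribute, value) pairs for a whois object; unknown events and roles are skipped."""
    attrs = [("domain", rdap["ldhName"].lower())]
    attrs += [(EVENT_MAP[e["eventAction"]], e["eventDate"]) for e in rdap.get("events", [])
              if e.get("eventAction") in EVENT_MAP and e.get("eventDate")]
    attrs += [("nameserver", ns["ldhName"].lower()) for ns in rdap.get("nameservers", []) if ns.get("ldhName")]
    attrs += [("status", s) for s in rdap.get("status", [])]
    for entity in rdap.get("entities", []):
        roles = entity.get("roles", [])
        if "registrar" in roles and vcard_field(entity, "fn"):
            attrs.append(("registrar", vcard_field(entity, "fn")))
        if "registrant" in roles:
            attrs += [(attr, vcard_field(entity, f)) for f, attr in REGISTRANT_MAP.items() if vcard_field(entity, f)]
    return attrs
```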