Add RDAP expansion module #785

Merged: adulau merged 1 commit into MISP:main from thunderstornX:rdap-expansion-module on Jun 26, 2026

@thunderstornX

Contributor

Summary

Adds an RDAP expansion module. RDAP (Registration Data Access Protocol, RFC 9082/9083) is the IETF-standard, free and unauthenticated successor to WHOIS, returning structured JSON. misp-modules has whois, whoisfreaks and passive-DNS modules, but no RDAP one, so this fills that gap with a no-config, no-API-key enrichment source.

What it does

  • Input: domain, hostname, ip-src, ip-dst, url (a URL is resolved to its host).
  • Queries the rdap.org bootstrap, which redirects to the authoritative RDAP server for the object, using the correct domain/ or ip/ endpoint.
  • Parses the RDAP response into a MISP whois object: registrar, creation/expiration/modification dates (from RDAP events), name servers, status, and registrant name/org/email (from the entity vcardArray).
  • Output format: misp_standard. No configuration required.

Testing

  • tests/test_rdap.py: 6 tests covering the domain whois-object mapping, the IP endpoint + ip-address relation, URL-to-host resolution, the not-found and wrong-input paths, and introspection/version. Uses mocked responses, no network needed.
  • Verified live against rdap.org:
    • domain python.org -> registrar Gandi SAS, expiration 2033-03-28, four AWS name servers, status.
    • ip-src 1.1.1.1 -> registrant APNIC Research and Development, dates, status.
    • ip-src 8.8.8.8 -> registrant Google LLC.
  • black, isort and flake8 are clean.

Adds an expansion module that queries the public RDAP bootstrap (rdap.org) for the registration data of a domain, hostname, IP address or URL. RDAP (RFC 9082/9083) is the free, unauthenticated, structured successor to WHOIS; misp-modules has whois and passive-DNS modules but no RDAP one. The registrar, registration/expiration/modification dates, name servers, status and registrant details are parsed into a MISP whois object. No configuration or API key is required.
@adulau adulau merged commit 01ac8c6 into MISP:main Jun 26, 2026
7 checks passed
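
The mapping described in the pull request above, as an added example that is not the module's code and not part of the original conversation: it parses a constructed RFC 9083 domain response into whois-style fields while treating the server's JSON as untrusted. The sample data, the function names and the output key names are assumptions.

```python
# Added example: SAMPLE is constructed; output key names are hypothetical, not MISP's.
EVENTS = {"registration": "creation_date", "expiration": "expiration_date",
          "last changed": "modification_date"}
REGISTRANT = (("fn", "name"), ("org", "org"), ("email", "email"))
SAMPLE = {  # constructed RDAP domain object in the RFC 9083 shape
    "ldhName": "example.test", "status": ["client transfer prohibited"],
    "events": [{"eventAction": "registration", "eventDate": "2020-01-02T03:04:05Z"},
               {"eventAction": "expiration", "eventDate": "2030-01-02T03:04:05Z"},
               {"eventAction": "last changed", "eventDate": "2024-05-06T07:08:09Z"},
               {"eventAction": ["expiration"]}],  # malformed on purpose
    "nameservers": [{"ldhName": "NS1.EXAMPLE.TEST"}, {"ldhName": 42}],
    "entities": [
        {"roles": ["registrar"], "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"], ["fn", {}, "text", "Constructed Registrar Ltd"]]]},
        {"roles": ["registrant"], "vcardArray": ["vcard", [
            ["fn", {}, "text", "Jane Doe"], ["org", {}, "text", "Example Org"],
            ["email", {}, "text", "jane@example.test"], ["tel"]]]},  # "tel" row malformed
        "not-an-entity"],
}

def items(value, kind):
    """Members of `value` that are instances of `kind`; a non-list yields nothing."""
    return [x for x in value if isinstance(x, kind)] if isinstance(value, list) else []

def vcard_props(entity):
    """Return {property: first string value} from an entity's jCard, skipping bad rows."""
    card = entity.get("vcardArray")
    rows = items(card[1], list) if isinstance(card, list) and len(card) == 2 else []
    props = {}
    for row in rows:
        if len(row) >= 4 and isinstance(row[0], str) and isinstance(row[3], str):
            props.setdefault(row[0].lower(), row[3])
    return props

def parse_rdap(resp):
    """Map an untrusted RDAP object (a dict) to a flat dict of whois-style fields."""
    out = {"status": items(resp.get("status"), str),
           "nameservers": [n["ldhName"].lower() for n in items(resp.get("nameservers"), dict)
                           if isinstance(n.get("ldhName"), str)]}
    for ev in items(resp.get("events"), dict):
        action, date = ev.get("eventAction"), ev.get("eventDate")
        if isinstance(action, str) and isinstance(date, str) and action in EVENTS:
            out.setdefault(EVENTS[action], date)
    for ent in items(resp.get("entities"), dict):
        props, roles = vcard_props(ent), items(ent.get("roles"), str)
        if "registrar" in roles and "fn" in props:
            out.setdefault("registrar", props["fn"])
        if "registrant" in roles:
            out.update({"registrant_" + dst: props[src] for src, dst in REGISTRANT if src in props})
    return out
```

Every value in the result originates from a remote server reached through a redirect, so rows of the wrong type are dropped rather than coerced before anything is stored as an attribute.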
@adulau

adulau commented Jun 26, 2026

Member

Thank you for the contribution!

@thunderstornX

Contributor Author

O captain my captain 🫡
