ipinfo.io to add
I looked at the API responses and noticed there are some fields we cannot really parse.
Here are fields we could integrate, when it makes sense, with additions to MISP object templates or contextual data:
- the `abuse` field -> provides information about the point of contact to report abuse on the given IP address
- the `privacy` field -> gives information on the methods used to mask a user's true IP address
The full response for the highest paid plan looks like the following:
```json
{
  "ip": "8.8.8.8",
  "hostname": "dns.google",
  "city": "Mountain View",
  "region": "California",
  "country": "US",
  "loc": "37.4056,-122.0775",
  "postal": "94043",
  "timezone": "America/Los_Angeles",
  "asn": {
    "asn": "AS15169",
    "name": "Google LLC",
    "domain": "google.com",
    "route": "8.8.8.0/24",
    "type": "business"
  },
  "company": {
    "name": "Google LLC",
    "domain": "google.com",
    "type": "business"
  },
  "privacy": {
    "vpn": false,
    "proxy": false,
    "tor": false,
    "relay": false,
    "hosting": false,
    "service": ""
  },
  "abuse": {
    "address": "US, CA, Mountain View, 1600 Amphitheatre Parkway, 94043",
    "country": "US",
    "email": "[email protected]",
    "name": "Abuse",
    "network": "8.8.8.0/24",
    "phone": "+1-650-253-0000"
  },
  "domains": {
    "ip": "8.8.8.8",
    "total": 10524,
    "domains": [
      "41.cn",
      "mcqs.az",
      "etempurl.com",
      "ftempurl.com",
      "proxyie.cn"
    ]
  }
}
```
There are also additional API endpoints that could be used to extend even further the enrichment information on the given initial IP address, like:
- the Whois API
- the Hosted Domains API
Ultimately, there are 2 additional API endpoints that could be interesting (?):
- the IP ranges API
- the ASN API
Besides the domain-ip, asn and geolocation objects, which we can already extract from the standard API response in a pretty straightforward way, let me know what you think of the additional points mentioned above, and if you see something else we could add that I did not mention, or if there are already things we can use with existing templates or contextual data that I missed here.
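As an added example (not code from the issue or from the MISP module), here is the mapping of the response above into MISP-object-style dicts in plain Python: the asn, geolocation and domain-ip relation names follow the misp-objects templates as I recall them and should be checked against the templates, while the `abuse` object and the `ipinfo-privacy` taxonomy namespace are hypothetical, standing in for the new template or taxonomy discussed here.

```python
# Added example, not the module's code. Relation names for asn/geolocation/domain-ip
# follow misp-objects as recalled; 'abuse' object and tag namespace are hypothetical.

# Response quoted in the issue (the abuse e-mail is redacted there as well).
IPINFO_RESPONSE = {
    "ip": "8.8.8.8", "hostname": "dns.google", "city": "Mountain View",
    "region": "California", "country": "US", "loc": "37.4056,-122.0775",
    "postal": "94043", "timezone": "America/Los_Angeles",
    "asn": {"asn": "AS15169", "name": "Google LLC", "domain": "google.com",
            "route": "8.8.8.0/24", "type": "business"},
    "privacy": {"vpn": False, "proxy": False, "tor": False, "relay": False,
                "hosting": False, "service": ""},
    "abuse": {"address": "US, CA, Mountain View, 1600 Amphitheatre Parkway, 94043",
              "country": "US", "email": "[email protected]", "name": "Abuse",
              "network": "8.8.8.0/24", "phone": "+1-650-253-0000"},
    "domains": {"ip": "8.8.8.8", "total": 10524,
                "domains": ["41.cn", "mcqs.az", "etempurl.com", "ftempurl.com", "proxyie.cn"]},
}

def _obj(name, pairs):
    """MISP-object-like dict; pairs are (object_relation, type, value), empty values dropped."""
    return {"name": name, "Attribute": [{"object_relation": r, "type": t, "value": v}
                                        for r, t, v in pairs if v not in (None, "")]}

def ipinfo_to_misp(resp):
    """Objects we can already build from the standard response: asn, geolocation, domain-ip."""
    lat, lon = resp["loc"].split(",")
    a = resp["asn"]
    objects = [
        _obj("asn", [("asn", "AS", a["asn"]), ("description", "text", a["name"]),
                     ("subnet-announced", "ip-src", a["route"]), ("country", "text", resp["country"])]),
        _obj("geolocation", [("city", "text", resp["city"]), ("region", "text", resp["region"]),
                             ("countrycode", "text", resp["country"]), ("zipcode", "text", resp["postal"]),
                             ("latitude", "float", lat), ("longitude", "float", lon)]),
    ]
    # 'domains' is only a sample of the hosted domains ('total' is far larger): one domain-ip object each.
    for d in resp.get("domains", {}).get("domains", []):
        objects.append(_obj("domain-ip", [("domain", "domain", d), ("ip", "ip-dst", resp["ip"])]))
    return objects

def privacy_tags(privacy, namespace="ipinfo-privacy"):
    """Privacy flags as taxonomy-style tags; the namespace is a placeholder, no such taxonomy exists."""
    tags = [f"{namespace}:{f}" for f in ("vpn", "proxy", "tor", "relay", "hosting") if privacy.get(f)]
    if privacy.get("service"):
        tags.append(f'{namespace}:service="{privacy["service"]}"')
    return tags

def abuse_object(abuse):
    """Proposed 'abuse' object: hypothetical relation names, no such template exists yet."""
    return _obj("abuse", [("name", "text", abuse.get("name")), ("email", "email", abuse.get("email")),
                          ("phone", "phone-number", abuse.get("phone")), ("address", "text", abuse.get("address")),
                          ("network", "ip-src", abuse.get("network")), ("country", "text", abuse.get("country"))])
```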
Oh cool! The `domains` key is interesting, it seems like a weak passive DNS.
So we could create a new abuse object template (we could review it with @rommelfs). Maybe we could also add the company information, with ftm-company https://www.misp-project.org/objects.html#_ftm_company? The privacy one is also interesting. Should we go for a new object template or a taxonomy?