Python Whois class

After too long away from the project I have been trying to implement some additional functionality to my submissions2stats script for parsing Nepenthes log files. Something that I’ve had in mind for a while is utilising Whois data to better analyse the source of the malware submissions.

I had assumed that this would be relatively simple; after all, the ability to port any required functionality is an integral part of geek humour. This wasn’t to be the case, as I was unable to find anything this time around (although I didn’t discover giskismet until after I’d written my kistmet2gmapstatic scripts). To cover the functionality I have written a short Python class that queries a third-party whois service for a provided IP address and provides methods to access the returned data.

The script can be accessed here. Hopefully others will find this of some use. Example output from the script’s .out() method targeting www.bcc.co.uk:

Whois information for 212.58.253.67
Origin:           AS2818
Inetnum:       212.58.224.0 – 212.58.255.255
Netname:      UK-BBC-991005
descr:              BBC
Country:        GB

N.B. Text is tab delimited in actual usage.
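A sketch of how a class like this can parse a whois reply and build the tab-delimited report, as an added example that is not the script linked above. The class name WhoisRecord, the get() and covers_ip() methods and the sample reply are assumptions constructed for illustration, and only IPv4 inetnum ranges are handled.

```python
import ipaddress

# Constructed RIPE-style reply; a real one is untrusted remote text.
SAMPLE_REPLY = """\
% constructed sample, not captured output
inetnum:        212.58.224.0 - 212.58.255.255
netname:        UK-BBC-991005
descr:          BBC
country:        GB

route:          212.58.224.0/19
descr:          BBC
origin:         AS2818
"""

class WhoisRecord:
    """Hypothetical parser; keeps the first value seen for each key."""
    FIELDS = ("origin", "inetnum", "netname", "descr", "country")

    def __init__(self, ip, reply):
        self.ip = str(ipaddress.ip_address(ip))  # reject malformed input early
        self.data = {}
        for line in reply.splitlines():
            key, sep, value = line.partition(":")
            if not sep or line[0] in "%#":  # skip blanks, comments, non-fields
                continue
            # Strip control characters: the reply is untrusted and feeds a report.
            value = "".join(c for c in value.strip() if c.isprintable())
            self.data.setdefault(key.strip().lower(), value)

    def get(self, field):
        return self.data.get(field, "unknown")

    def covers_ip(self):
        """True only if the queried address lies inside the inetnum range."""
        try:
            lo, hi = (ipaddress.ip_address(p.strip())
                      for p in self.get("inetnum").split("-"))
            return lo <= ipaddress.ip_address(self.ip) <= hi
        except (ValueError, TypeError):
            return False

    def out(self):
        rows = ["Whois information for " + self.ip]
        rows += [f"{f.capitalize()}:\t{self.get(f)}" for f in self.FIELDS]
        return "\n".join(rows)

if __name__ == "__main__":
    print(WhoisRecord("212.58.253.67", SAMPLE_REPLY).out())
```

The covers_ip() check is worth running before a record is attributed to a submission source, since a lookup service can return a record for a different range than the one queried.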

I’ve started adding the class’ functionality into my submissions2stats script. So far things are progressing well and hopefully I should be able to have an updated script available shortly.

Andrew Waite
