Basic Domain Report Example

This sample invokes and displays the results of a VirusTotal "domain report" via DXL.

For more information see:

https://www.virustotal.com/en/documentation/public-api/#getting-domain-reports

Prerequisites

• The samples configuration step has been completed (see Samples Configuration)
• The VirusTotal API DXL service is running and available on the DXL fabric (see VirusTotal API DXL Service)

Running

To run this sample execute the sample/basic/basic_domain_report_example.py script as follows:

python sample/basic/basic_domain_report_example.py

The output should appear similar to the following:

{
    "BitDefender category": "parked",
    "Dr.Web category": "known infection source",
    "Websense ThreatSeeker category": "uncategorized",
    "Webutation domain info": {
        "Adult content": "yes",
        "Safety score": 40,
        "Verdict": "malicious"
    },
    "categories": [
        "parked",
        "uncategorized"
    ],
    "detected_downloaded_samples": [
        {
            "date": "2013-06-20 18:51:30",
            "positives": 2,
            "sha256": "cd8553d9b24574467f381d13c7e0e1eb1e58d677b9484bd05b9c690377813e54",
            "total": 46
        }
    ],
    "detected_urls": [
        {
            "positives": 1,
            "scan_date": "2017-03-31 00:16:29",
            "total": 64,
            "url": "http://027.ru/"
        },

        ...

        {
            "positives": 2,
            "scan_date": "2015-02-18 08:54:52",
            "total": 62,
            "url": "http://027.ru/index.html"
        }
    ],
    "domain_siblings": [],
    "resolutions": [
        {
            "ip_address": "185.53.177.31",
            "last_resolved": "2017-02-02 00:00:00"
        },

        ...

        {
            "ip_address": "90.156.201.97",
            "last_resolved": "2013-06-20 00:00:00"
        }
    ],
    "response_code": 1,
    "subdomains": [
        "www.027.ru"
    ],
    "undetected_referrer_samples": [
        {
            "positives": 0,
            "sha256": "b8f5db667431d02291eeec61cf9f0c3d7af00798d0c2d676fde0efb0cedb7741",
            "total": 53
        }
    ],

    ...
}

The received results are displayed.

Details

The majority of the sample code is shown below:

# Create the client
with DxlClient(config) as dxl_client:

    # Connect to the fabric
    dxl_client.connect()

    logger.info("Connected to DXL fabric.")

    # Create client wrapper
    client = VirusTotalApiClient(dxl_client)

    # Invoke 'domain report' method on service
    resp_dict = client.domain_report("027.ru")

    # Print out the response (convert dictionary to JSON for pretty printing)
    print("Response:\n{0}".format(
        MessageUtils.dict_to_json(resp_dict, pretty_print=True)))

Once a connection is established to the DXL fabric, a dxlvtapiclient.client.VirusTotalApiClient instance is created which will be used to invoke remote commands on the VirusTotal API DXL service.

Next, the dxlvtapiclient.client.VirusTotalApiClient.domain_report() method is invoked with the domain to report on.

The final step is to display the contents of the returned dictionary (dict) which contains the results of the domain report.