MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #1779 from RichieB2B/nscs-nl/fuzzyhash 

Use Fuzzy_Hash_Value for ssdeep
pull/1784/head
Andras Iklody 2016-12-21 23:06:16 +01:00 committed by GitHub
parent c14869a35b afd88f3b38
commit 6a3ae15f13
1 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
app/files/scripts/misp2cybox.py
View File

@ -85,21 +85,27 @@ def generateObservable(indicator, attribute):
def resolveFileObservable(indicator, attribute):
hashValue = ""
filenameValue = ""
fuzzy = False
if (attribute["type"] in hash_type_attributes["composite"]):
values = attribute["value"].split('|')
filenameValue = values[0]
hashValue = values[1]
indicator.add_indicator_type("File Hash Watchlist")
composite = attribute["type"].split('|')
if (composite[1] == "ssdeep"):
fuzzy = True
else:
if (attribute["type"] in ("filename", "attachment")):
filenameValue = attribute["value"]
else:
hashValue = attribute["value"]
indicator.add_indicator_type("File Hash Watchlist")
observable = generateFileObservable(filenameValue, hashValue)
if (attribute["type"] == "ssdeep"):
fuzzy = True
observable = generateFileObservable(filenameValue, hashValue, fuzzy)
return observable
def generateFileObservable(filenameValue, hashValue):
def generateFileObservable(filenameValue, hashValue, fuzzy):
file_object = File()
if (filenameValue != ""):
if (("/" in filenameValue) or ("\\" in filenameValue)):
@ -112,6 +118,12 @@ def generateFileObservable(filenameValue, hashValue):
file_object.file_name.condition = "Equals"
if (hashValue != ""):
file_object.add_hash(Hash(hash_value=hashValue, exact=True))
if (fuzzy):
file_object._fields["Hashes"]._inner[0].simple_hash_value = None
file_object._fields["Hashes"]._inner[0].fuzzy_hash_value = hashValue
file_object._fields["Hashes"]._inner[0].fuzzy_hash_value.condition = "Equals"
file_object._fields["Hashes"]._inner[0].type_ = Hash.TYPE_SSDEEP
file_object._fields["Hashes"]._inner[0].type_.condition = "Equals"
return file_object
def resolveIPType(attribute_value, attribute_type):