From afd88f3b386577dcce1b6c270f39db4c4e4bcd91 Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Wed, 21 Dec 2016 21:32:52 +0100
Subject: [PATCH] Use Fuzzy_Hash_Value for ssdeep

---
 app/files/scripts/misp2cybox.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/app/files/scripts/misp2cybox.py b/app/files/scripts/misp2cybox.py
index 2ff6637bd..9ec5eb70d 100644
--- a/app/files/scripts/misp2cybox.py
+++ b/app/files/scripts/misp2cybox.py
@@ -85,21 +85,27 @@ def generateObservable(indicator, attribute):
 def resolveFileObservable(indicator, attribute):
     hashValue = ""
     filenameValue = ""
+    fuzzy = False
     if (attribute["type"] in hash_type_attributes["composite"]):
         values = attribute["value"].split('|')
         filenameValue = values[0]
         hashValue = values[1]
         indicator.add_indicator_type("File Hash Watchlist")
+        composite = attribute["type"].split('|')
+        if (composite[1] == "ssdeep"):
+            fuzzy = True
     else:
         if (attribute["type"] in ("filename", "attachment")):
             filenameValue = attribute["value"]
         else:
             hashValue = attribute["value"]
             indicator.add_indicator_type("File Hash Watchlist")
-    observable = generateFileObservable(filenameValue, hashValue)
+    if (attribute["type"] == "ssdeep"):
+        fuzzy = True
+    observable = generateFileObservable(filenameValue, hashValue, fuzzy)
     return observable
 
-def generateFileObservable(filenameValue, hashValue):
+def generateFileObservable(filenameValue, hashValue, fuzzy):
     file_object = File()
     if (filenameValue != ""):
         if (("/" in filenameValue) or ("\\" in filenameValue)):
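Review bot: The ssdeep detection is split across two places in resolveFileObservable — `composite[1] == "ssdeep"` inside the composite branch and `attribute["type"] == "ssdeep"` after the if/else — when one expression covers both: replace the three added lines in the composite branch and the two after the else with `fuzzy = attribute["type"].split('|')[-1] == "ssdeep"` right after `fuzzy = False` (or in place of it). That also removes the `composite[1]` index, which would raise IndexError if `hash_type_attributes["composite"]` ever listed a type without a `|`; I cannot see that table here, so this is a robustness point rather than a visible bug. Note too that `hashValue = values[1]` on the composite path is pre-existing and still passes whatever follows the first `|` of the attribute value straight through, so a composite ssdeep attribute with a malformed value reaches generateFileObservable with fuzzy set and no check that the value looks like a ssdeep digest; a short `if not hashValue: fuzzy = False` guard before the call would avoid emitting an empty fuzzy hash. generateFileObservable continues past the end of this hunk.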
@@ -112,6 +118,12 @@ def generateFileObservable(filenameValue, hashValue):
         file_object.file_name.condition = "Equals"
     if (hashValue != ""):
         file_object.add_hash(Hash(hash_value=hashValue, exact=True))
+        if (fuzzy):
+            file_object._fields["Hashes"]._inner[0].simple_hash_value = None
+            file_object._fields["Hashes"]._inner[0].fuzzy_hash_value = hashValue
+            file_object._fields["Hashes"]._inner[0].fuzzy_hash_value.condition = "Equals"
+            file_object._fields["Hashes"]._inner[0].type_ = Hash.TYPE_SSDEEP
+            file_object._fields["Hashes"]._inner[0].type_.condition = "Equals"
     return file_object
 
 def resolveIPType(attribute_value, attribute_type):
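Review bot: The five added lines reach into the cybox object's private internals (`_fields["Hashes"]._inner[0]`) to patch the hash after it has already been added, which couples this script to an implementation detail of python-cybox that can change without notice and silently rewrites the first entry of the hash list rather than the hash just created. The same fix-ups can be applied to a local `Hash` object before `add_hash`, using only public attributes the hunk already relies on (`simple_hash_value`, `fuzzy_hash_value`, `type_`, `Hash.TYPE_SSDEEP`). It is possible that `Hash(hash_value=..., type_=Hash.TYPE_SSDEEP)` already populates the fuzzy value itself — I cannot confirm that from here, so the fence keeps the explicit assignments. generateFileObservable starts before this hunk.
```python
    if (hashValue != ""):
        hash_object = Hash(hash_value=hashValue, exact=True)
        if (fuzzy):
            # ssdeep is a fuzzy hash: move the value out of the simple slot
            hash_object.simple_hash_value = None
            hash_object.fuzzy_hash_value = hashValue
            hash_object.fuzzy_hash_value.condition = "Equals"
            hash_object.type_ = Hash.TYPE_SSDEEP
            hash_object.type_.condition = "Equals"
        file_object.add_hash(hash_object)
    return file_object
```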