add: [stix2 import] Parsing 'valid_until' in indicators as expiration date in Sightings

pull/3609/head
chrisr3d 2018-09-04 11:18:41 +02:00
parent f378e521f1
commit b290713634
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 4 additions and 0 deletions


@ -250,6 +250,10 @@ class StixParser():
else:
if stix_type == 'indicator':
o_date = o.get('valid_from')
if hasattr(o, 'valid_until'):
org_uuid = o['created_by_ref'].split('--')[1]
attribute['Sighting'] = {'type': '2', 'date_sighting': str(self.getTimestampfromDate(o['valid_until'])),
'Organisation': {'uuid': org_uuid, 'name': self.event['identity'][org_uuid]['name']}}
pattern = o.get('pattern').replace('\\\\', '\\')
value = self.parse_pattern_with_data(pattern) if attribute_type in ('malware-sample', 'attachment') else self.parse_pattern(pattern)
attribute['to_ids'] = True
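Review bot: The added `valid_until` branch indexes three things an imported STIX bundle is not guaranteed to carry: `o['created_by_ref']` (an optional property in STIX 2), element `[1]` of `split('--')`, and `self.event['identity'][org_uuid]['name']`. An indicator that has `valid_until` but no `created_by_ref`, or whose creator identity is not part of the bundle, would raise KeyError or IndexError here and presumably abort the import, since no handler is visible in the hunk. Guarding with `if 'valid_until' in o and o.get('created_by_ref'):` and resolving the organisation with `.get(org_uuid)` (assuming `self.event['identity']` is a dict), skipping the Sighting when it is missing, would let the import continue on incomplete input; the membership test also matches the `o.get(...)` style of the neighbouring lines better than `hasattr`. The enclosing method starts and ends outside this hunk, so any handling further up is not visible from here.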