Merge pull request #2536 from RichieB2B/stix-mispobjects
Add MISP objects to STIX export
commit
bdb7afa06f
@ -25,6 +25,7 @@ hash_type_attributes = {"single":["md5", "sha1", "sha224", "sha256", "sha384", "
|
|||
simple_type_to_method = {}
|
||||
simple_type_to_method.update(dict.fromkeys(hash_type_attributes["single"] + hash_type_attributes["composite"] + ["attachment"], "resolveFileObservable"))
|
||||
simple_type_to_method.update(dict.fromkeys(["ip-src", "ip-dst", "ip-src|port", "ip-dst|port"], "generateIPObservable"))
|
||||
simple_type_to_method.update(dict.fromkeys(["port"], "generatePortObservable"))
|
||||
simple_type_to_method.update(dict.fromkeys(["domain|ip"], "generateDomainIPObservable"))
|
||||
simple_type_to_method.update(dict.fromkeys(["regkey", "regkey|value"], "generateRegkeyObservable"))
|
||||
simple_type_to_method.update(dict.fromkeys(["hostname", "domain", "url", "AS", "mutex", "named pipe", "link"], "generateSimpleObservable"))
|
||||
|
@ -202,6 +203,13 @@ def generateIPObservable(indicator, attribute):
|
|||
else:
|
||||
return address_object
|
||||
|
||||
def generatePortObservable(indicator, attribute):
|
||||
port_object = Port()
|
||||
port_object.port_value = attribute["value"]
|
||||
port_object.port_value.condition = "Equals"
|
||||
port_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":PortObject-" + attribute["uuid"]
|
||||
return port_object
|
||||
|
||||
def generateRegkeyObservable(indicator, attribute):
|
||||
indicator.add_indicator_type("Host Characteristics")
|
||||
regkey = ""
|
||||
|
|
|
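Review bot: generatePortObservable derives the observable id from `cybox.utils.idgen.__generator.namespace.prefix`, a double-underscore module global of python-cybox that is not part of its public interface and can be renamed or restructured between releases, whereas the resolveObjects code added by this same commit takes the prefix from a module-level `namespace[1]`. The id should come from one shared source, or from the library's public accessor if the installed cybox provides it, e.g. `port_object.parent.id_ = cybox.utils.idgen.get_id_namespace_alias() + ":PortObject-" + attribute["uuid"]`. `attribute["value"]` is also assigned straight into `port_value` with no check that it is an integer in 0–65535, so a malformed port attribute yields an invalid Port observable instead of being skipped; a `try: port = int(attribute["value"]) except ValueError: return None`-style guard (matching whatever the callers of the other generate*Observable helpers do with a None result) would be safer. The enclosing generateRegkeyObservable continues past the end of the hunk.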
@ -99,6 +99,7 @@ def generateSTIXObjects(event):
|
|||
setOrg(incident, event["Org"]["name"])
|
||||
setTag(incident, event["Tag"])
|
||||
resolveAttributes(incident, ttps, event["Attribute"])
|
||||
resolveObjects(incident, ttps, event["Object"])
|
||||
return [incident, ttps]
|
||||
|
||||
|
||||
|
@ -111,6 +112,26 @@ def setDates(incident, date, published):
|
|||
incident_time.incident_reported = timestamp
|
||||
incident.time = incident_time
|
||||
|
||||
# decide what to do with the objects, as not all of them will become indicators
|
||||
def resolveObjects(incident, ttps, objects):
|
||||
for obj in objects:
|
||||
tmp_incident = Incident()
|
||||
resolveAttributes(tmp_incident, ttps, obj["Attribute"])
|
||||
indicator = Indicator(timestamp=getDateFromTimestamp(int(obj["timestamp"])))
|
||||
indicator.id_= namespace[1] + ":MispObject-" + obj["uuid"]
|
||||
if obj["comment"] != "":
|
||||
indicator.description = obj["comment"]
|
||||
setTLP(indicator, obj["distribution"])
|
||||
indicator.title = obj["name"] + " (MISP Object #" + obj["id"] + ")"
|
||||
indicator.description = indicator.title
|
||||
indicator.add_indicator_type("Malware Artifacts")
|
||||
indicator.add_valid_time_position(ValidTime())
|
||||
indicator.observable_composition_operator = "AND"
|
||||
for rindicator in tmp_incident.related_indicators:
|
||||
indicator.add_observable(rindicator.item.observable)
|
||||
relatedIndicator = RelatedIndicator(indicator, relationship=obj["meta-category"])
|
||||
incident.related_indicators.append(relatedIndicator)
|
||||
|
||||
# decide what to do with the attribute, as not all of them will become indicators
|
||||
def resolveAttributes(incident, ttps, attributes):
|
||||
for attribute in attributes:
|
||||
|
|
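Review bot: In resolveObjects the object's comment never reaches the export: `indicator.description = obj["comment"]` is set under the `if obj["comment"] != ""` guard and then unconditionally overwritten by `indicator.description = indicator.title` after the title is built, so the conditional assignment is dead. Replace the two assignments with a single fallback after the title line, `indicator.description = obj["comment"] if obj["comment"] != "" else indicator.title`. When none of the object's attributes produced an indicator, `tmp_incident.related_indicators` is empty and an AND-composition Indicator with no observables is still appended to the incident; a `if not tmp_incident.related_indicators: continue` guard right after the resolveAttributes call would avoid emitting hollow indicators. The direct lookups of `obj["comment"]`, `obj["id"]` and `obj["meta-category"]`, and the string concatenation of `obj["id"]` into the title, assume every object dict carries those keys with string values — worth confirming against the event JSON the exporter receives. resolveAttributes starts inside the hunk but its body continues outside it.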