From b654a9743b19075a6f121aaf27cf1fcf94e03ad9 Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Thu, 11 Aug 2016 16:33:02 +0100
Subject: [PATCH 01/14] Added stix import -- works for IPs/Domains

---
 misp_modules/modules/expansion/stiximport.py | 89 ++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100755 misp_modules/modules/expansion/stiximport.py

diff --git a/misp_modules/modules/expansion/stiximport.py b/misp_modules/modules/expansion/stiximport.py
new file mode 100755
index 0000000..4304cef
--- /dev/null
+++ b/misp_modules/modules/expansion/stiximport.py
@@ -0,0 +1,89 @@
+import json
+import stix
+import csv
+from stix.core import STIXPackage
+import re
+import base64
+
+misperrors = {'error': 'Error'}
+userConfig = {}
+inputSource = ['file']
+
+moduleinfo = {'version': '0.1', 'author': 'Hannah Ward',
+              'description': 'Import some stix stuff',
+              'module-type': ['import']}
+
+moduleconfig = []
+
+
+def handler(q=False):
+    if q is False:
+        return False
+    r = {'results': []}
+    q = json.loads(q)
+    #Load the package up
+    package = str(base64.b64decode(q.get("data", None)), 'utf-8')
+    if not package:
+      return json.dumps({"success":0})
+
+    package = loadPackage(package)
+    if package.observables:
+      for obs in package.observables:
+        r["results"].append(buildObservable(obs))
+      
+    return r
+
+ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
+def buildObservable(o):
+  #Life is easier with json
+  o = json.loads(o.to_json())
+  print(o)
+  r = {"values":[]}
+  props = o["object"]["properties"]
+  if props["address_value"]:
+    #We've got ourselves a nice little address
+    value = props["address_value"]
+    #Is it an IP?
+    if ipre.match(value):
+      #Yes!
+      r["values"].append(value)
+      r["types"] = ["ip-src", "ip-dst"]
+    else:
+      #Probably a domain yo
+      r["values"].append(value)
+      r["types"] = ["domain", "hostname"]
+
+  return r
+
+def loadPackage(data):
+  #Write the stix package to a tmp file
+  with open("/tmp/stixdump", "w") as f:
+    f.write(data)
+  try:
+    try:
+      package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
+    except:  
+      package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
+  except:
+    print("Failed to load package")
+    raise ValueError("COULD NOT LOAD STIX PACKAGE!")
+  return package
+
+def introspection():
+    modulesetup = {}
+    try:
+        userConfig
+        modulesetup['userConfig'] = userConfig
+    except NameError:
+        pass
+    try:
+        inputSource
+        modulesetup['inputSource'] = inputSource
+    except NameError:
+        pass
+    return modulesetup
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo

From c106aa662b378b81db83a25b45be2e1db0da6bf3 Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Thu, 11 Aug 2016 16:37:29 +0100
Subject: [PATCH 02/14] Added docs to stiximport

---
 misp_modules/modules/expansion/stiximport.py | 36 ++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/misp_modules/modules/expansion/stiximport.py b/misp_modules/modules/expansion/stiximport.py
index 4304cef..ce4ff8f 100755
--- a/misp_modules/modules/expansion/stiximport.py
+++ b/misp_modules/modules/expansion/stiximport.py
@@ -17,38 +17,69 @@ moduleconfig = []
 
 
 def handler(q=False):
+    #Just in case we have no data
     if q is False:
         return False
+
+    #The return value 
     r = {'results': []}
+
+    #Load up that JSON
     q = json.loads(q)
-    #Load the package up
+
+    #It's b64 encoded, so decode that stuff
     package = str(base64.b64decode(q.get("data", None)), 'utf-8')
+     
+    #If something really weird happened
     if not package:
       return json.dumps({"success":0})
 
+    #Load up the package into STIX
     package = loadPackage(package)
+
+    #Build all the observables
     if package.observables:
       for obs in package.observables:
         r["results"].append(buildObservable(obs))
       
     return r
 
+#Quick and dirty regex for IP addresses
 ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
+
 def buildObservable(o):
+  """
+    Take a STIX observable
+    and extract the value
+    and category
+  """
+
   #Life is easier with json
   o = json.loads(o.to_json())
-  print(o)
+   
+  #Make a new record to store values in
   r = {"values":[]}
+
+  #Get the object properties. This contains all the
+  #fun stuff like values
   props = o["object"]["properties"]
+
+  #If it has an address_value field, it's gonna be an address
+
+  #Kinda obvious really
   if props["address_value"]:
+
     #We've got ourselves a nice little address
     value = props["address_value"]
+
     #Is it an IP?
     if ipre.match(value):
+
       #Yes!
       r["values"].append(value)
       r["types"] = ["ip-src", "ip-dst"]
     else:
+
       #Probably a domain yo
       r["values"].append(value)
       r["types"] = ["domain", "hostname"]
@@ -60,6 +91,7 @@ def loadPackage(data):
   with open("/tmp/stixdump", "w") as f:
     f.write(data)
   try:
+    #Try loading it into every format we know of
     try:
       package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
     except:  

From 3f7cdad0c31067988acfd5f3b875a92166735246 Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Fri, 12 Aug 2016 10:06:53 +0100
Subject: [PATCH 03/14] Threat actors now get imported by stix

---
 misp_modules/modules/expansion/stiximport.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/misp_modules/modules/expansion/stiximport.py b/misp_modules/modules/expansion/stiximport.py
index ce4ff8f..09be362 100755
--- a/misp_modules/modules/expansion/stiximport.py
+++ b/misp_modules/modules/expansion/stiximport.py
@@ -41,12 +41,26 @@ def handler(q=False):
     if package.observables:
       for obs in package.observables:
         r["results"].append(buildObservable(obs))
-      
+
+    if package.threat_actors:
+      for ta in package.threat_actors:
+        r["results"].append(buildActor(ta))      
     return r
 
 #Quick and dirty regex for IP addresses
 ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
 
+def buildActor(ta):
+  """
+    Extract the name
+    and comment of a 
+    threat actor
+  """
+  
+  r = {"values":[ta.title], "types":["threat-actor"]}
+ 
+  return r
+
 def buildObservable(o):
   """
     Take a STIX observable

From 46f8141071cd370033cbd7ed20a29ff8e5cc6314 Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Fri, 12 Aug 2016 10:10:19 +0100
Subject: [PATCH 04/14] Added STIXImport to readme

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index deaeec2..d042635 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 * [IPASN](misp_modules/modules/expansion/ipasn.py) - a hover and expansion to get the BGP ASN of an IP address.
 * [passivetotal](misp_modules/modules/expansion/passivetotal.py) - a [passivetotal](https://www.passivetotal.org/) module that queries a number of different PassiveTotal datasets.
 * [sourcecache](misp_modules/modules/expansion/sourcecache.py) - a module to cache a specific link from a MISP instance.
-
+* [stiximport](misp_modules/moduls/expansion/stiximport.py) - An import module to process STIX xml/json
 ## How to install and start MISP modules?
 
 ~~~~bash

From 29b57258abc19942c18ed188909680271afc540f Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Fri, 12 Aug 2016 10:11:13 +0100
Subject: [PATCH 05/14] I can't spell

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index d042635..927766a 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 * [IPASN](misp_modules/modules/expansion/ipasn.py) - a hover and expansion to get the BGP ASN of an IP address.
 * [passivetotal](misp_modules/modules/expansion/passivetotal.py) - a [passivetotal](https://www.passivetotal.org/) module that queries a number of different PassiveTotal datasets.
 * [sourcecache](misp_modules/modules/expansion/sourcecache.py) - a module to cache a specific link from a MISP instance.
-* [stiximport](misp_modules/moduls/expansion/stiximport.py) - An import module to process STIX xml/json
+* [stiximport](misp_modules/modules/expansion/stiximport.py) - An import module to process STIX xml/json
 ## How to install and start MISP modules?
 
 ~~~~bash

From 598a030962135005136cb226e4b2b4d3e25b781f Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Fri, 12 Aug 2016 11:22:42 +0100
Subject: [PATCH 06/14] stiximport will now identify file hashes

---
 misp_modules/modules/expansion/stiximport.py | 41 +++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/misp_modules/modules/expansion/stiximport.py b/misp_modules/modules/expansion/stiximport.py
index 09be362..04d0c07 100755
--- a/misp_modules/modules/expansion/stiximport.py
+++ b/misp_modules/modules/expansion/stiximport.py
@@ -4,6 +4,7 @@ import csv
 from stix.core import STIXPackage
 import re
 import base64
+import hashlib
 
 misperrors = {'error': 'Error'}
 userConfig = {}
@@ -45,11 +46,49 @@ def handler(q=False):
     if package.threat_actors:
       for ta in package.threat_actors:
         r["results"].append(buildActor(ta))      
+    
+    if package.indicators:
+      for ind in package.indicators:
+        r["results"].append(buildIndicator(ind))
     return r
 
 #Quick and dirty regex for IP addresses
 ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
 
+def identifyHash(hsh):
+  """
+    What's that hash!?
+  """
+
+  possible_hashes = []
+
+  hashes = [x for x in hashlib.algorithms_guaranteed]
+
+  for h in hashes:
+    if len(str(hsh.value)) == len(hashlib.new(h).hexdigest()):
+      possible_hashes.append(h)
+      possible_hashes.append("filename|{}".format(h))
+ 
+  return possible_hashes
+
+def buildIndicator(ind):
+  """
+    Extract hashes
+    and other fun things
+    like that
+   """
+  r = {"values":[], "types":[]}
+
+  #Try to get hashes. I hate stix
+  if ind.observable:
+    if ind.observable.object_:
+      #Get some hashes
+      hashes = ind.observable.object_.properties.hashes
+      for hsh in hashes:
+        r["values"].append(hsh.simple_hash_value.value)
+        r["types"] = identifyHash(hsh.simple_hash_value)
+  return r
+    
 def buildActor(ta):
   """
     Extract the name
@@ -110,7 +149,7 @@ def loadPackage(data):
       package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
     except:  
       package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
-  except:
+  except Exception as ex:
     print("Failed to load package")
     raise ValueError("COULD NOT LOAD STIX PACKAGE!")
   return package

From faddf8378eabc3903abdf5302ddc2b49200a78f8 Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Fri, 12 Aug 2016 11:34:43 +0100
Subject: [PATCH 07/14] Stiximport will now consume campaigns

---
 misp_modules/modules/expansion/stiximport.py | 32 ++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/misp_modules/modules/expansion/stiximport.py b/misp_modules/modules/expansion/stiximport.py
index 04d0c07..909981f 100755
--- a/misp_modules/modules/expansion/stiximport.py
+++ b/misp_modules/modules/expansion/stiximport.py
@@ -50,11 +50,43 @@ def handler(q=False):
     if package.indicators:
       for ind in package.indicators:
         r["results"].append(buildIndicator(ind))
+
+    if package.exploit_targets:
+      for et in package.exploit_targets:
+        r["results"].append(buildExploitTarget(et))
+
+    if package.campaigns:
+      for cpn in package.campaigns:
+        r["results"].append(buildCampaign(cpn))
+    #Clean up results
+    #Don't send on anything that didn't have a value
+    r["results"] = [x for x in r["results"] if len(x["values"]) != 0]
     return r
 
 #Quick and dirty regex for IP addresses
 ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
 
+def buildCampaign(cpn):
+  """
+    Extract a campaign name
+  """
+  
+  return {"values":[cpn.title], "types":["campaign-name"]}
+
+def buildExploitTarget(et):
+  """
+    Extract CVEs from exploit targets
+  """
+
+  r = {"values":[], "types":["vulnerability"]}
+
+  if et.vulnerabilities:
+    for v in et.vulnerabilities:
+      if v.cve_id:
+        r["values"].append(v.cve_id)
+
+  return r
+
 def identifyHash(hsh):
   """
     What's that hash!?

From a34014e245c064505a439c46f3f8cae4813e10ab Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Fri, 12 Aug 2016 11:56:48 +0100
Subject: [PATCH 08/14] Fixed observables within an indicator not being added

---
 misp_modules/modules/expansion/stiximport.py | 25 +++++++++++---------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/misp_modules/modules/expansion/stiximport.py b/misp_modules/modules/expansion/stiximport.py
index 909981f..e3e9f20 100755
--- a/misp_modules/modules/expansion/stiximport.py
+++ b/misp_modules/modules/expansion/stiximport.py
@@ -97,7 +97,7 @@ def identifyHash(hsh):
   hashes = [x for x in hashlib.algorithms_guaranteed]
 
   for h in hashes:
-    if len(str(hsh.value)) == len(hashlib.new(h).hexdigest()):
+    if len(str(hsh)) == len(hashlib.new(h).hexdigest()):
       possible_hashes.append(h)
       possible_hashes.append("filename|{}".format(h))
  
@@ -113,12 +113,7 @@ def buildIndicator(ind):
 
   #Try to get hashes. I hate stix
   if ind.observable:
-    if ind.observable.object_:
-      #Get some hashes
-      hashes = ind.observable.object_.properties.hashes
-      for hsh in hashes:
-        r["values"].append(hsh.simple_hash_value.value)
-        r["types"] = identifyHash(hsh.simple_hash_value)
+    return buildObservable(ind.observable)
   return r
     
 def buildActor(ta):
@@ -150,15 +145,19 @@ def buildObservable(o):
   props = o["object"]["properties"]
 
   #If it has an address_value field, it's gonna be an address
-
+  print(props)
   #Kinda obvious really
-  if props["address_value"]:
-
+  if "address_value" in props:
+    
     #We've got ourselves a nice little address
     value = props["address_value"]
 
+    if isinstance(value, dict):
+      #Sometimes it's embedded in a dictionary
+      value = value["value"]
+
     #Is it an IP?
-    if ipre.match(value):
+    if ipre.match(str(value)):
 
       #Yes!
       r["values"].append(value)
@@ -169,6 +168,10 @@ def buildObservable(o):
       r["values"].append(value)
       r["types"] = ["domain", "hostname"]
 
+  if "hashes" in props:
+    for hsh in props["hashes"]:
+      r["values"].append(hsh["simple_hash_value"]["value"])
+      r["types"] = identifyHash(hsh["simple_hash_value"]["value"])
   return r
 
 def loadPackage(data):

From c02a452c05f17219ad19b42f069e79d1c54083f4 Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Fri, 12 Aug 2016 12:16:49 +0100
Subject: [PATCH 09/14] added tests, also disregards related_observables.
 Because they're useless

---
 misp_modules/modules/expansion/stiximport.py |   8 +-
 tests/stix.xml                               | 331 +++++++++++++++++++
 tests/test.py                                |  21 +-
 3 files changed, 354 insertions(+), 6 deletions(-)
 create mode 100644 tests/stix.xml

diff --git a/misp_modules/modules/expansion/stiximport.py b/misp_modules/modules/expansion/stiximport.py
index e3e9f20..5ea0010 100755
--- a/misp_modules/modules/expansion/stiximport.py
+++ b/misp_modules/modules/expansion/stiximport.py
@@ -135,13 +135,17 @@ def buildObservable(o):
   """
 
   #Life is easier with json
-  o = json.loads(o.to_json())
-   
+  if not isinstance(o, dict):
+    o = json.loads(o.to_json())
   #Make a new record to store values in
   r = {"values":[]}
 
   #Get the object properties. This contains all the
   #fun stuff like values
+  if "observable_composition" in o:
+    #May as well be useless
+    return r 
+ 
   props = o["object"]["properties"]
 
   #If it has an address_value field, it's gonna be an address
diff --git a/tests/stix.xml b/tests/stix.xml
new file mode 100644
index 0000000..a4a60d8
--- /dev/null
+++ b/tests/stix.xml
@@ -0,0 +1,331 @@
+<stix:STIX_Package 
+	xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
+	xmlns:campaign="http://stix.mitre.org/Campaign-1"
+	xmlns:ciqIdentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
+	xmlns:cybox="http://cybox.mitre.org/cybox-2"
+	xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
+	xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
+	xmlns:et="http://stix.mitre.org/ExploitTarget-1"
+	xmlns:bae="http://bae.com"
+	xmlns:indicator="http://stix.mitre.org/Indicator-2"
+	xmlns:stix="http://stix.mitre.org/stix-1"
+	xmlns:stixCommon="http://stix.mitre.org/common-1"
+	xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
+	xmlns:ta="http://stix.mitre.org/ThreatActor-1"
+	xmlns:ttp="http://stix.mitre.org/TTP-1"
+	xmlns:xal="urn:oasis:names:tc:ciq:xal:3"
+	xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3"
+	xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="bae:Package-f0b927dd-9356-49ba-8f56-6d9f3d42fe25" version="1.1.1">
+    <stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
+        <cybox:Observable id="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
+            <cybox:Title>CNC Server 1</cybox:Title>
+            <cybox:Object id="bae:Address-6e6990d8-20b6-4482-97a2-55732c993982">
+                <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
+                    <AddressObj:Address_Value>82.146.166.56</AddressObj:Address_Value>
+                </cybox:Properties>
+            </cybox:Object>
+        </cybox:Observable>
+        <cybox:Observable id="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
+            <cybox:Title>CNC Server 2</cybox:Title>
+            <cybox:Object id="bae:Address-00dc7361-ca55-48ef-8529-72a3ac9c58d7">
+                <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
+                    <AddressObj:Address_Value>209.239.79.47</AddressObj:Address_Value>
+                </cybox:Properties>
+            </cybox:Object>
+        </cybox:Observable>
+        <cybox:Observable id="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
+            <cybox:Title>CNC Server 3</cybox:Title>
+            <cybox:Object id="bae:Address-bbbbdcad-e8f5-449d-99d3-264de0ed512e">
+                <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
+                    <AddressObj:Address_Value>41.213.121.180</AddressObj:Address_Value>
+                </cybox:Properties>
+            </cybox:Object>
+        </cybox:Observable>
+        <cybox:Observable id="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
+            <cybox:Title>Watering Hole Wordpress</cybox:Title>
+            <cybox:Object id="bae:Address-c0e85056-de10-44f7-a600-73144514e7a1">
+                <cybox:Properties xsi:type="AddressObj:AddressObjectType">
+                    <AddressObj:Address_Value>eu-society.com</AddressObj:Address_Value>
+                </cybox:Properties>
+            </cybox:Object>
+        </cybox:Observable>
+        <cybox:Observable id="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
+            <cybox:Title>Watering Hole Wordpress</cybox:Title>
+            <cybox:Object id="bae:Address-ae972731-3b33-4fb1-bab6-053b0056deb5">
+                <cybox:Properties xsi:type="AddressObj:AddressObjectType">
+                    <AddressObj:Address_Value>aromatravel.org</AddressObj:Address_Value>
+                </cybox:Properties>
+            </cybox:Object>
+        </cybox:Observable>
+        <cybox:Observable id="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
+            <cybox:Title>Watering Hole Wordpress</cybox:Title>
+            <cybox:Object id="bae:Address-f0d9ef90-af2d-462d-aa69-bfd55da9e65c">
+                <cybox:Properties xsi:type="AddressObj:AddressObjectType">
+                    <AddressObj:Address_Value>bss.servebbs.com</AddressObj:Address_Value>
+                </cybox:Properties>
+            </cybox:Object>
+        </cybox:Observable>
+    </stix:Observables>
+    <stix:Indicators>
+        <stix:Indicator id="bae:indicator-1c3fc03e-86dc-4440-9e95-8b9964f03b92" timestamp="2016-07-04T15:17:14.479542+00:00" xsi:type='indicator:IndicatorType'>
+            <indicator:Title>Watering Hole Detected</indicator:Title>
+            <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
+            <indicator:Observable id="bae:Observable-4e173154-e739-4917-86e8-8b30e4cf39e5">
+                <cybox:Observable_Composition operator="OR">
+                    <cybox:Observable idref="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
+                        <cybox:Title>C2 List</cybox:Title>
+                    </cybox:Observable>
+                    <cybox:Observable idref="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
+                        <cybox:Title>C2 List</cybox:Title>
+                    </cybox:Observable>
+                    <cybox:Observable idref="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
+                        <cybox:Title>C2 List</cybox:Title>
+                    </cybox:Observable>
+                </cybox:Observable_Composition>
+            </indicator:Observable>
+        </stix:Indicator>
+        <stix:Indicator id="bae:indicator-e5ff413f-074e-41fe-ab20-6d0e0bf10f9c" timestamp="2016-07-04T15:17:14.480747+00:00" xsi:type='indicator:IndicatorType'>
+            <indicator:Title>CnC Beaconing Detected</indicator:Title>
+            <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">C2</indicator:Type>
+            <indicator:Observable id="bae:Observable-f4695e3e-5a27-4889-ba48-456b14146911">
+                <cybox:Observable_Composition operator="OR">
+                    <cybox:Observable idref="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
+                    </cybox:Observable>
+                    <cybox:Observable idref="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
+                    </cybox:Observable>
+                    <cybox:Observable idref="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
+                    </cybox:Observable>
+                </cybox:Observable_Composition>
+            </indicator:Observable>
+        </stix:Indicator>
+    </stix:Indicators>
+    <stix:TTPs>
+        <stix:TTP id="bae:ttp-801d59e9-28c2-4016-976e-011dcab22cfd" timestamp="2016-07-04T15:17:14.479244+00:00" xsi:type='ttp:TTPType'>
+            <ttp:Title>Malware CnC Channels</ttp:Title>
+            <ttp:Intended_Effect timestamp="2016-07-04T15:17:14.479332+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
+            </ttp:Intended_Effect>
+            <ttp:Resources>
+                <ttp:Infrastructure>
+                    <ttp:Type xsi:type="stixVocabs:AttackerInfrastructureTypeVocab-1.0">Hosting</ttp:Type>
+                    <ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
+                        <cybox:Observable idref="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
+                        </cybox:Observable>
+                        <cybox:Observable idref="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
+                        </cybox:Observable>
+                        <cybox:Observable idref="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
+                        </cybox:Observable>
+                    </ttp:Observable_Characterization>
+                </ttp:Infrastructure>
+            </ttp:Resources>
+        </stix:TTP>
+        <stix:TTP id="bae:ttp-62c59e28-9480-4080-ad20-6b4092cb118d" timestamp="2016-07-04T15:17:14.476428+00:00" xsi:type='ttp:TTPType'>
+            <ttp:Title>Fingerprinting and whitelisting during watering-hole operations</ttp:Title>
+            <ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477552+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value>
+            </ttp:Intended_Effect>
+            <ttp:Resources>
+                <ttp:Infrastructure>
+                    <ttp:Type xsi:type="stixVocabs:AttackerInfrastructureTypeVocab-1.0">Domain Registration</ttp:Type>
+                    <ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
+                        <cybox:Observable idref="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
+                            <cybox:Title>C2 List</cybox:Title>
+                        </cybox:Observable>
+                        <cybox:Observable idref="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
+                            <cybox:Title>C2 List</cybox:Title>
+                        </cybox:Observable>
+                        <cybox:Observable idref="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
+                            <cybox:Title>C2 List</cybox:Title>
+                        </cybox:Observable>
+                    </ttp:Observable_Characterization>
+                </ttp:Infrastructure>
+            </ttp:Resources>
+            <ttp:Kill_Chain_Phases>
+                <stixCommon:Kill_Chain_Phase phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
+            </ttp:Kill_Chain_Phases>
+        </stix:TTP>
+        <stix:TTP id="bae:ttp-7ffb9e3d-688a-4ec4-8919-f8ccb91d4b59" timestamp="2016-07-04T15:17:14.476589+00:00" xsi:type='ttp:TTPType'>
+            <ttp:Title>Spear-phishing in tandem with 0-day exploits</ttp:Title>
+            <ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477592+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value>
+            </ttp:Intended_Effect>
+            <ttp:Kill_Chain_Phases>
+                <stixCommon:Kill_Chain_Phase phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
+            </ttp:Kill_Chain_Phases>
+        </stix:TTP>
+        <stix:TTP id="bae:ttp-f13297d6-0963-4a74-89dc-12745db39845" timestamp="2016-07-04T15:17:14.476707+00:00" xsi:type='ttp:TTPType'>
+            <ttp:Title>Infiltration of organisations via third party supplier/partner</ttp:Title>
+            <ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477629+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value>
+            </ttp:Intended_Effect>
+            <ttp:Kill_Chain_Phases>
+                <stixCommon:Kill_Chain_Phase phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
+            </ttp:Kill_Chain_Phases>
+        </stix:TTP>
+        <stix:TTP id="bae:ttp-78aef1ee-8c7d-4a6e-87cc-a4471b29ac45" timestamp="2016-07-04T15:17:14.476822+00:00" xsi:type='ttp:TTPType'>
+            <ttp:Title>Custom recon tool to compromise and identify credentials of the network</ttp:Title>
+            <ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477665+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value>
+            </ttp:Intended_Effect>
+            <ttp:Kill_Chain_Phases>
+                <stixCommon:Kill_Chain_Phase phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
+            </ttp:Kill_Chain_Phases>
+        </stix:TTP>
+        <stix:TTP id="bae:ttp-3a5f9a19-fa56-4b7d-ad7f-df64b7efdf98" timestamp="2016-07-04T15:17:14.476932+00:00" xsi:type='ttp:TTPType'>
+            <ttp:Title>Multiple means of C2 communications given the diversity of the attacker toolset</ttp:Title>
+            <ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477708+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
+            </ttp:Intended_Effect>
+            <ttp:Kill_Chain_Phases>
+                <stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
+            </ttp:Kill_Chain_Phases>
+        </stix:TTP>
+        <stix:TTP id="bae:ttp-e08d9d94-0294-4fa7-9e1d-8f1e087e3dc0" timestamp="2016-07-04T15:17:14.477046+00:00" xsi:type='ttp:TTPType'>
+            <ttp:Title>rootkit communicates during the same time as network activity, encoded with an XOR key</ttp:Title>
+            <ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477744+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
+            </ttp:Intended_Effect>
+            <ttp:Kill_Chain_Phases>
+                <stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
+            </ttp:Kill_Chain_Phases>
+        </stix:TTP>
+        <stix:TTP id="bae:ttp-898d58cd-369c-4b76-892b-2f5ced35cf0e" timestamp="2016-07-04T15:17:14.477159+00:00" xsi:type='ttp:TTPType'>
+            <ttp:Title>Kernel-centric rootkit waits for network trigger before launching</ttp:Title>
+            <ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477779+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
+            </ttp:Intended_Effect>
+            <ttp:Kill_Chain_Phases>
+                <stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
+            </ttp:Kill_Chain_Phases>
+        </stix:TTP>
+        <stix:TTP id="bae:ttp-fb1ac371-8e28-48d9-8905-03f54bd546ee" timestamp="2016-07-04T15:17:14.477269+00:00" xsi:type='ttp:TTPType'>
+            <ttp:Title>Kernel centric exfiltration over TCP/UDP/DNS/ICMP/HTTP</ttp:Title>
+            <ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477814+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft</stixCommon:Value>
+            </ttp:Intended_Effect>
+            <ttp:Kill_Chain_Phases>
+                <stixCommon:Kill_Chain_Phase phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
+            </ttp:Kill_Chain_Phases>
+        </stix:TTP>
+        <stix:TTP id="bae:ttp-27872de0-c3ce-425d-9348-8f1439645398" timestamp="2016-07-04T15:17:14.477382+00:00" xsi:type='ttp:TTPType'>
+            <ttp:Title>Exfiltration over HTTP/HTTPS</ttp:Title>
+            <ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477849+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft</stixCommon:Value>
+            </ttp:Intended_Effect>
+            <ttp:Kill_Chain_Phases>
+                <stixCommon:Kill_Chain_Phase phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
+            </ttp:Kill_Chain_Phases>
+        </stix:TTP>
+        <stix:TTP id="bae:ttp-c3a4fec7-00b7-4efb-adf9-a38feee005fe" timestamp="2016-07-04T15:17:14.477499+00:00" xsi:type='ttp:TTPType'>
+            <ttp:Title>Use of previously undocumented functions in their Kernel centric attacks</ttp:Title>
+            <ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477888+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
+            </ttp:Intended_Effect>
+        </stix:TTP>
+        <stix:Kill_Chains>
+            <stixCommon:Kill_Chain id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" definer="LMCO" name="LM Cyber Kill Chain">
+                <stixCommon:Kill_Chain_Phase ordinality="1" name="Reconnaissance" phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a"/>
+                <stixCommon:Kill_Chain_Phase ordinality="2" name="Weaponization" phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16"/>
+                <stixCommon:Kill_Chain_Phase ordinality="3" name="Delivery" phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d"/>
+                <stixCommon:Kill_Chain_Phase ordinality="4" name="Exploitation" phase_id="stix:TTP-f706e4e7-53d8-44ef-967f-81535c9db7d0"/>
+                <stixCommon:Kill_Chain_Phase ordinality="5" name="Installation" phase_id="stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f"/>
+                <stixCommon:Kill_Chain_Phase ordinality="6" name="Command and Control" phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2"/>
+                <stixCommon:Kill_Chain_Phase ordinality="7" name="Actions on Objectives" phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6"/>
+            </stixCommon:Kill_Chain>
+        </stix:Kill_Chains>
+    </stix:TTPs>
+    <stix:Exploit_Targets>
+        <stixCommon:Exploit_Target id="bae:et-ca916690-1221-46b3-8e69-dabd46018892" timestamp="2016-07-04T15:17:14.480615+00:00" xsi:type='et:ExploitTargetType'>
+            <et:Title>Privilage Escalation Vulnerability</et:Title>
+            <et:Vulnerability>
+                <et:CVE_ID>CVE-2013-5065</et:CVE_ID>
+            </et:Vulnerability>
+        </stixCommon:Exploit_Target>
+    </stix:Exploit_Targets>
+    <stix:Campaigns>
+        <stix:Campaign id="bae:campaign-2b81268f-c0f0-4bd4-aa63-a880dc05ed82" timestamp="2016-07-04T15:17:14.478248+00:00" xsi:type='campaign:CampaignType'>
+            <campaign:Title>The Epic Turla Campaign</campaign:Title>
+            <campaign:Description>The Epic Turla Campaign</campaign:Description>
+            <campaign:Intended_Effect timestamp="2016-07-04T15:17:14.478460+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
+            </campaign:Intended_Effect>
+            <campaign:Attribution>
+                <campaign:Attributed_Threat_Actor>
+                    <stixCommon:Threat_Actor idref="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" xsi:type='ta:ThreatActorType'>
+                    </stixCommon:Threat_Actor>
+                </campaign:Attributed_Threat_Actor>
+            </campaign:Attribution>
+        </stix:Campaign>
+        <stix:Campaign id="bae:campaign-53a0ca81-b065-431a-b043-0457b0bcfffa" timestamp="2016-07-04T15:17:14.478394+00:00" xsi:type='campaign:CampaignType'>
+            <campaign:Title>SNAKE Campaign</campaign:Title>
+            <campaign:Description>The SNAKE Campaign</campaign:Description>
+            <campaign:Intended_Effect timestamp="2016-07-04T15:17:14.478500+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
+            </campaign:Intended_Effect>
+            <campaign:Attribution>
+                <campaign:Attributed_Threat_Actor>
+                    <stixCommon:Threat_Actor idref="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" xsi:type='ta:ThreatActorType'>
+                    </stixCommon:Threat_Actor>
+                </campaign:Attributed_Threat_Actor>
+            </campaign:Attribution>
+        </stix:Campaign>
+    </stix:Campaigns>
+    <stix:Threat_Actors>
+        <stix:Threat_Actor id="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" timestamp="2016-07-04T15:17:14.454074+00:00" xsi:type='ta:ThreatActorType'>
+            <ta:Title>SNAKE</ta:Title>
+            <ta:Description>
+The group behind the SNAKE campaign are a top tier nation-state threat. Their capabilities extend from subtle watering-hole attacks to sophisticated server rootkits – virtually undetectable by conventional security products.
+This threat actor group has been operating continuously for over a decade, infiltrating governments and strategic private sector networks in that time. The most notorious of their early campaigns led to a breach of classified US military systems, an extensive clean-up called ‘Operation Buckshot Yankee’, and led to the creation of the US Cyber Command.
+Whilst the sophisticated rootkit is used for persistent access to networks, the group also leverage more straight-forward capabilities for gaining an initial toe-hold on targets. This includes the use of watering-hole attacks and basic remote access tools.
+</ta:Description>
+            <ta:Short_Description>
+The group behind the SNAKE campaign are a top tier nation-state threat. Their capabilities extend from subtle watering-hole attacks to sophisticated server rootkits – virtually undetectable by conventional security products.
+</ta:Short_Description>
+            <ta:Identity xsi:type="ciqIdentity:CIQIdentity3.0InstanceType">
+                <ExtSch:Specification xmlns:ExtSch="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1">
+  <xpil:PartyName xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
+    <xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="OfficialName">
+      <xnl:NameElement>SNAKE</xnl:NameElement>
+    </xnl:OrganisationName>
+    <xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="OfficialName">
+      <xnl:NameElement>Turla</xnl:NameElement>
+    </xnl:OrganisationName>
+    <xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="UnofficialName">
+      <xnl:NameElement>WRAITH</xnl:NameElement>
+    </xnl:OrganisationName>
+  </xpil:PartyName>
+  <xpil:Addresses xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
+    <xpil:Address>
+      <xal:Country xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
+        <xal:NameElement>Russia</xal:NameElement>
+      </xal:Country>
+      <xal:AdministrativeArea xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
+        <xal:NameElement>Moscow</xal:NameElement>
+      </xal:AdministrativeArea>
+    </xpil:Address>
+  </xpil:Addresses>
+  <xpil:ElectronicAddressIdentifiers xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
+    <xpil:ElectronicAddressIdentifier>snake@gmail.com</xpil:ElectronicAddressIdentifier>
+    <xpil:ElectronicAddressIdentifier>twitter.com/snake</xpil:ElectronicAddressIdentifier>
+  </xpil:ElectronicAddressIdentifiers>
+  <xpil:Languages xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
+    <xpil:Language>Russian</xpil:Language>
+  </xpil:Languages>
+</ExtSch:Specification>
+            </ta:Identity>
+            <ta:Motivation timestamp="2016-07-04T15:17:14.475968+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:MotivationVocab-1.1">Political</stixCommon:Value>
+            </ta:Motivation>
+            <ta:Sophistication timestamp="2016-07-04T15:17:14.454350+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:ThreatActorSophisticationVocab-1.0">Expert</stixCommon:Value>
+            </ta:Sophistication>
+            <ta:Intended_Effect timestamp="2016-07-04T15:17:14.476056+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
+            </ta:Intended_Effect>
+            <ta:Intended_Effect timestamp="2016-07-04T15:17:14.476095+00:00">
+                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Intellectual Property</stixCommon:Value>
+            </ta:Intended_Effect>
+        </stix:Threat_Actor>
+    </stix:Threat_Actors>
+</stix:STIX_Package>
diff --git a/tests/test.py b/tests/test.py
index 4732358..c2f2fb0 100755
--- a/tests/test.py
+++ b/tests/test.py
@@ -3,24 +3,37 @@
 
 import unittest
 import requests
-
+import base64
+import json
 
 class TestModules(unittest.TestCase):
 
     def setUp(self):
         self.maxDiff = None
         self.headers = {'Content-Type': 'application/json'}
+        self.url = "http://127.0.0.1:6666/"
 
     def test_introspection(self):
-        response = requests.get('http://127.0.0.1:6666/modules')
+        response = requests.get(self.url + "modules")
         print(response.json())
 
     def test_cve(self):
         with open('tests/bodycve.json', 'r') as f:
-            response = requests.post('http://127.0.0.1:6666/query', data=f.read())
+            response = requests.post(self.url + "query", data=f.read())
             print(response.json())
 
     def test_dns(self):
         with open('tests/body.json', 'r') as f:
-            response = requests.post('http://127.0.0.1:6666/query', data=f.read())
+            response = requests.post(self.url + "query", data=f.read())
             print(response.json())
+
+    def test_stix(self):
+        with open("tests/stix.xml", "r") as f:
+            data = json.dumps({"module":"stiximport",
+                    "data":str(base64.b64encode(bytes(f.read(), 'utf-8')), 'utf-8')
+                   })
+            response = requests.post(self.url + "query", data=data)
+            print(response.json())
+
+if __name__ == '__main__':
+  unittest.main()

From 4a4c4ab9a7c9d15e978355f3d2e8a49913d13fca Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Fri, 12 Aug 2016 12:26:52 +0100
Subject: [PATCH 10/14] Added STIX to reqs

---
 REQUIREMENTS | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/REQUIREMENTS b/REQUIREMENTS
index 7656078..063978b 100644
--- a/REQUIREMENTS
+++ b/REQUIREMENTS
@@ -1,3 +1,5 @@
+stix
+cybox
 tornado
 dnspython3
 requests

From 38205910df6b9ecad54176483751be483d6ca8aa Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Fri, 12 Aug 2016 12:33:08 +0100
Subject: [PATCH 11/14] Added STIX to setup.py

---
 setup.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/setup.py b/setup.py
index 1628cba..241f689 100644
--- a/setup.py
+++ b/setup.py
@@ -33,5 +33,7 @@ setup(
         'pyeupi',
         'ipasn-redis',
         'asnhistory',
+        'stix',
+        'cybox'
     ]
 )

From af8fc70883b1d663def22dc10b65648d14958fcc Mon Sep 17 00:00:00 2001
From: Hannah Ward <Hannah.ward9001@gmail.com>
Date: Fri, 12 Aug 2016 12:37:16 +0100
Subject: [PATCH 12/14] There was a missing comma

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index ec30f92..d48e13e 100644
--- a/setup.py
+++ b/setup.py
@@ -34,7 +34,7 @@ setup(
         'ipasn-redis',
         'asnhistory',
         'stix',
-        'cybox'
+        'cybox',
         'pillow',
         'pytesseract',
     ]

From 91675a635c73264eb1e1ad81ebd292c2dbf440b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= <raphael@vinot.info>
Date: Fri, 12 Aug 2016 14:08:47 +0200
Subject: [PATCH 13/14] Move stiximport.py to misp_modules/modules/import_mod/

---
 misp_modules/modules/import_mod/__init__.py                  | 2 +-
 misp_modules/modules/{expansion => import_mod}/stiximport.py | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename misp_modules/modules/{expansion => import_mod}/stiximport.py (100%)

diff --git a/misp_modules/modules/import_mod/__init__.py b/misp_modules/modules/import_mod/__init__.py
index 5716751..b53259e 100644
--- a/misp_modules/modules/import_mod/__init__.py
+++ b/misp_modules/modules/import_mod/__init__.py
@@ -1 +1 @@
-__all__ = ['testimport', 'ocr']
+__all__ = ['testimport', 'ocr', 'stiximport']
diff --git a/misp_modules/modules/expansion/stiximport.py b/misp_modules/modules/import_mod/stiximport.py
similarity index 100%
rename from misp_modules/modules/expansion/stiximport.py
rename to misp_modules/modules/import_mod/stiximport.py

From c6fccf1b7e2808e6f6c39155473f004c737eb0f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= <raphael@vinot.info>
Date: Fri, 12 Aug 2016 14:09:59 +0200
Subject: [PATCH 14/14] Make PEP8 happy \o/

---
 misp_modules/modules/import_mod/stiximport.py | 249 +++++++++---------
 1 file changed, 125 insertions(+), 124 deletions(-)

diff --git a/misp_modules/modules/import_mod/stiximport.py b/misp_modules/modules/import_mod/stiximport.py
index 5ea0010..a701ba5 100755
--- a/misp_modules/modules/import_mod/stiximport.py
+++ b/misp_modules/modules/import_mod/stiximport.py
@@ -1,6 +1,4 @@
 import json
-import stix
-import csv
 from stix.core import STIXPackage
 import re
 import base64
@@ -18,180 +16,183 @@ moduleconfig = []
 
 
 def handler(q=False):
-    #Just in case we have no data
+    # Just in case we have no data
     if q is False:
         return False
 
-    #The return value 
+    # The return value
     r = {'results': []}
 
-    #Load up that JSON
+    # Load up that JSON
     q = json.loads(q)
 
-    #It's b64 encoded, so decode that stuff
+    # It's b64 encoded, so decode that stuff
     package = str(base64.b64decode(q.get("data", None)), 'utf-8')
-     
-    #If something really weird happened
-    if not package:
-      return json.dumps({"success":0})
 
-    #Load up the package into STIX
+    # If something really weird happened
+    if not package:
+        return json.dumps({"success": 0})
+
+    # Load up the package into STIX
     package = loadPackage(package)
 
-    #Build all the observables
+    # Build all the observables
     if package.observables:
-      for obs in package.observables:
-        r["results"].append(buildObservable(obs))
+        for obs in package.observables:
+            r["results"].append(buildObservable(obs))
 
     if package.threat_actors:
-      for ta in package.threat_actors:
-        r["results"].append(buildActor(ta))      
-    
+        for ta in package.threat_actors:
+            r["results"].append(buildActor(ta))
+
     if package.indicators:
-      for ind in package.indicators:
-        r["results"].append(buildIndicator(ind))
+        for ind in package.indicators:
+            r["results"].append(buildIndicator(ind))
 
     if package.exploit_targets:
-      for et in package.exploit_targets:
-        r["results"].append(buildExploitTarget(et))
+        for et in package.exploit_targets:
+            r["results"].append(buildExploitTarget(et))
 
     if package.campaigns:
-      for cpn in package.campaigns:
-        r["results"].append(buildCampaign(cpn))
-    #Clean up results
-    #Don't send on anything that didn't have a value
+        for cpn in package.campaigns:
+            r["results"].append(buildCampaign(cpn))
+    # Clean up results
+    # Don't send on anything that didn't have a value
     r["results"] = [x for x in r["results"] if len(x["values"]) != 0]
     return r
 
-#Quick and dirty regex for IP addresses
+# Quick and dirty regex for IP addresses
 ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
 
+
 def buildCampaign(cpn):
-  """
-    Extract a campaign name
-  """
-  
-  return {"values":[cpn.title], "types":["campaign-name"]}
+    """
+        Extract a campaign name
+    """
+    return {"values": [cpn.title], "types": ["campaign-name"]}
+
 
 def buildExploitTarget(et):
-  """
-    Extract CVEs from exploit targets
-  """
+    """
+        Extract CVEs from exploit targets
+    """
 
-  r = {"values":[], "types":["vulnerability"]}
+    r = {"values": [], "types": ["vulnerability"]}
 
-  if et.vulnerabilities:
-    for v in et.vulnerabilities:
-      if v.cve_id:
-        r["values"].append(v.cve_id)
+    if et.vulnerabilities:
+        for v in et.vulnerabilities:
+            if v.cve_id:
+                r["values"].append(v.cve_id)
+    return r
 
-  return r
 
 def identifyHash(hsh):
-  """
-    What's that hash!?
-  """
+    """
+        What's that hash!?
+    """
 
-  possible_hashes = []
+    possible_hashes = []
 
-  hashes = [x for x in hashlib.algorithms_guaranteed]
+    hashes = [x for x in hashlib.algorithms_guaranteed]
+
+    for h in hashes:
+        if len(str(hsh)) == len(hashlib.new(h).hexdigest()):
+            possible_hashes.append(h)
+            possible_hashes.append("filename|{}".format(h))
+    return possible_hashes
 
-  for h in hashes:
-    if len(str(hsh)) == len(hashlib.new(h).hexdigest()):
-      possible_hashes.append(h)
-      possible_hashes.append("filename|{}".format(h))
- 
-  return possible_hashes
 
 def buildIndicator(ind):
-  """
-    Extract hashes
-    and other fun things
-    like that
-   """
-  r = {"values":[], "types":[]}
+    """
+        Extract hashes
+        and other fun things
+        like that
+    """
+    r = {"values": [], "types": []}
+
+    # Try to get hashes. I hate stix
+    if ind.observable:
+        return buildObservable(ind.observable)
+    return r
+
 
-  #Try to get hashes. I hate stix
-  if ind.observable:
-    return buildObservable(ind.observable)
-  return r
-    
 def buildActor(ta):
-  """
-    Extract the name
-    and comment of a 
-    threat actor
-  """
-  
-  r = {"values":[ta.title], "types":["threat-actor"]}
- 
-  return r
+    """
+        Extract the name
+        and comment of a
+        threat actor
+    """
+
+    r = {"values": [ta.title], "types": ["threat-actor"]}
+
+    return r
+
 
 def buildObservable(o):
-  """
-    Take a STIX observable
-    and extract the value
-    and category
-  """
+    """
+        Take a STIX observable
+        and extract the value
+        and category
+    """
 
-  #Life is easier with json
-  if not isinstance(o, dict):
-    o = json.loads(o.to_json())
-  #Make a new record to store values in
-  r = {"values":[]}
+    # Life is easier with json
+    if not isinstance(o, dict):
+        o = json.loads(o.to_json())
+    # Make a new record to store values in
+    r = {"values": []}
 
-  #Get the object properties. This contains all the
-  #fun stuff like values
-  if "observable_composition" in o:
-    #May as well be useless
-    return r 
- 
-  props = o["object"]["properties"]
+    # Get the object properties. This contains all the
+    # fun stuff like values
+    if "observable_composition" in o:
+        # May as well be useless
+        return r
 
-  #If it has an address_value field, it's gonna be an address
-  print(props)
-  #Kinda obvious really
-  if "address_value" in props:
-    
-    #We've got ourselves a nice little address
-    value = props["address_value"]
+    props = o["object"]["properties"]
 
-    if isinstance(value, dict):
-      #Sometimes it's embedded in a dictionary
-      value = value["value"]
+    # If it has an address_value field, it's gonna be an address
+    # print(props)
+    # Kinda obvious really
+    if "address_value" in props:
 
-    #Is it an IP?
-    if ipre.match(str(value)):
+        # We've got ourselves a nice little address
+        value = props["address_value"]
 
-      #Yes!
-      r["values"].append(value)
-      r["types"] = ["ip-src", "ip-dst"]
-    else:
+        if isinstance(value, dict):
+            # Sometimes it's embedded in a dictionary
+            value = value["value"]
 
-      #Probably a domain yo
-      r["values"].append(value)
-      r["types"] = ["domain", "hostname"]
+        # Is it an IP?
+        if ipre.match(str(value)):
+            # Yes!
+            r["values"].append(value)
+            r["types"] = ["ip-src", "ip-dst"]
+        else:
+            # Probably a domain yo
+            r["values"].append(value)
+            r["types"] = ["domain", "hostname"]
+
+        if "hashes" in props:
+            for hsh in props["hashes"]:
+                r["values"].append(hsh["simple_hash_value"]["value"])
+                r["types"] = identifyHash(hsh["simple_hash_value"]["value"])
+        return r
 
-  if "hashes" in props:
-    for hsh in props["hashes"]:
-      r["values"].append(hsh["simple_hash_value"]["value"])
-      r["types"] = identifyHash(hsh["simple_hash_value"]["value"])
-  return r
 
 def loadPackage(data):
-  #Write the stix package to a tmp file
-  with open("/tmp/stixdump", "w") as f:
-    f.write(data)
-  try:
-    #Try loading it into every format we know of
+    # Write the stix package to a tmp file
+    with open("/tmp/stixdump", "w") as f:
+        f.write(data)
     try:
-      package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
-    except:  
-      package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
-  except Exception as ex:
-    print("Failed to load package")
-    raise ValueError("COULD NOT LOAD STIX PACKAGE!")
-  return package
+        # Try loading it into every format we know of
+        try:
+            package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
+        except:
+            package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
+    except Exception:
+        print("Failed to load package")
+        raise ValueError("COULD NOT LOAD STIX PACKAGE!")
+    return package
+
 
 def introspection():
     modulesetup = {}