add: STIX2 pattern syntax validator

README.md

@@ -40,6 +40,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 * [shodan](misp_modules/modules/expansion/shodan.py) - a minimal [shodan](https://www.shodan.io/) expansion module.
 * [Sigma syntax validator](misp_modules/modules/expansion/sigma_syntax_validator.py) - Sigma syntax validator.
 * [sourcecache](misp_modules/modules/expansion/sourcecache.py) - a module to cache a specific link from a MISP instance.
+* [STIX2 pattern syntax validator](misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - a module to check a STIX2 pattern syntax.
 * [ThreatCrowd](misp_modules/modules/expansion/threatcrowd.py) - an expansion module for [ThreatCrowd](https://www.threatcrowd.org/).
 * [threatminer](misp_modules/modules/expansion/threatminer.py) - an expansion module to expand from [ThreatMiner](https://www.threatminer.org/).
 * [virustotal](misp_modules/modules/expansion/virustotal.py) - an expansion module to pull known resolutions and malware samples related with an IP/Domain from virusTotal (this modules require a VirusTotal private API key)
@@ -380,7 +381,7 @@ Recommended     Plugin.Import_ocr_enabled       true   Enable or disable the ocr
 In this same menu set any other plugin settings that are required for testing.
 
 ## Install misp-module on an offline instance.
-First, you need to grab all necessery packages for example like this : 
+First, you need to grab all necessary packages for example like this :
 
 Use pip wheel to create an archive
 ~~~

misp_modules/modules/expansion/__init__.py

@@ -1,3 +1,3 @@
 from . import _vmray
 
-__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator']
+__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator']

misp_modules/modules/expansion/stix2_pattern_syntax_validator.py

@@ -0,0 +1,39 @@
+import json
+from stix2patterns.validator import run_validator
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['stix2-pattern'], 'output': ['text']}
+moduleinfo = {'version': '0.1', 'author': 'Christian Studer', 'module-type': ['expansion', 'hover'],
+              'description': 'An expansion hover module to perform a syntax check on stix2 patterns.'}
+moduleconfig = []
+
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+    if not request.get('stix2-pattern'):
+        misperrors['error'] = 'STIX2 pattern missing'
+        return misperrors
+    pattern = request.get('stix2-pattern')
+    syntax_errors = []
+    for p in pattern[2:-2].split(' AND '):
+        syntax_validator = run_validator("[{}]".format(p))
+        if syntax_validator:
+            for error in syntax_validator:
+                syntax_errors.append(error)
+    if syntax_errors:
+        s = 's' if len(syntax_errors) > 1 else ''
+        s_errors = ""
+        for error in  syntax_errors:
+            s_errors += "{}\n".format(error[6:])
+        result = "Syntax error{}: \n{}".format(s, s_errors[:-1])
+    else:
+        result = "Syntax valid"
+    return {'results': [{'types': mispattributes['output'], 'values': result}]}
+
+def introspection():
+    return mispattributes
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo