stiximport will now identify file hashes

misp_modules/modules/expansion/stiximport.py

@@ -4,6 +4,7 @@ import csv
 from stix.core import STIXPackage
 import re
 import base64
+import hashlib
 
 misperrors = {'error': 'Error'}
 userConfig = {}
@@ -45,11 +46,49 @@ def handler(q=False):
     if package.threat_actors:
       for ta in package.threat_actors:
         r["results"].append(buildActor(ta))      
+    
+    if package.indicators:
+      for ind in package.indicators:
+        r["results"].append(buildIndicator(ind))
     return r
 
 #Quick and dirty regex for IP addresses
 ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
 
+def identifyHash(hsh):
+  """
+    What's that hash!?
+  """
+
+  possible_hashes = []
+
+  hashes = [x for x in hashlib.algorithms_guaranteed]
+
+  for h in hashes:
+    if len(str(hsh.value)) == len(hashlib.new(h).hexdigest()):
+      possible_hashes.append(h)
+      possible_hashes.append("filename|{}".format(h))
+ 
+  return possible_hashes
+
+def buildIndicator(ind):
+  """
+    Extract hashes
+    and other fun things
+    like that
+   """
+  r = {"values":[], "types":[]}
+
+  #Try to get hashes. I hate stix
+  if ind.observable:
+    if ind.observable.object_:
+      #Get some hashes
+      hashes = ind.observable.object_.properties.hashes
+      for hsh in hashes:
+        r["values"].append(hsh.simple_hash_value.value)
+        r["types"] = identifyHash(hsh.simple_hash_value)
+  return r
+    
 def buildActor(ta):
   """
     Extract the name
@@ -110,7 +149,7 @@ def loadPackage(data):
       package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
     except:  
       package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
-  except:
+  except Exception as ex:
     print("Failed to load package")
     raise ValueError("COULD NOT LOAD STIX PACKAGE!")
   return package