stiximport will now identify file hashes

pull/41/head
Hannah Ward 2016-08-12 11:22:42 +01:00
parent 29b57258ab
commit 598a030962
No known key found for this signature in database
GPG Key ID: BA89E572EE1B4C5F
1 changed files with 40 additions and 1 deletions

View File

@ -4,6 +4,7 @@ import csv
from stix.core import STIXPackage from stix.core import STIXPackage
import re import re
import base64 import base64
import hashlib
misperrors = {'error': 'Error'} misperrors = {'error': 'Error'}
userConfig = {} userConfig = {}
@ -45,11 +46,49 @@ def handler(q=False):
if package.threat_actors: if package.threat_actors:
for ta in package.threat_actors: for ta in package.threat_actors:
r["results"].append(buildActor(ta)) r["results"].append(buildActor(ta))
if package.indicators:
for ind in package.indicators:
r["results"].append(buildIndicator(ind))
return r return r
#Quick and dirty regex for IP addresses #Quick and dirty regex for IP addresses
ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}") ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
def identifyHash(hsh):
"""
What's that hash!?
"""
possible_hashes = []
hashes = [x for x in hashlib.algorithms_guaranteed]
for h in hashes:
if len(str(hsh.value)) == len(hashlib.new(h).hexdigest()):
possible_hashes.append(h)
possible_hashes.append("filename|{}".format(h))
return possible_hashes
def buildIndicator(ind):
"""
Extract hashes
and other fun things
like that
"""
r = {"values":[], "types":[]}
#Try to get hashes. I hate stix
if ind.observable:
if ind.observable.object_:
#Get some hashes
hashes = ind.observable.object_.properties.hashes
for hsh in hashes:
r["values"].append(hsh.simple_hash_value.value)
r["types"] = identifyHash(hsh.simple_hash_value)
return r
def buildActor(ta): def buildActor(ta):
""" """
Extract the name Extract the name
@ -110,7 +149,7 @@ def loadPackage(data):
package = STIXPackage().from_xml(open("/tmp/stixdump", "r")) package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
except: except:
package = STIXPackage().from_json(open("/tmp/stixdump", "r")) package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
except: except Exception as ex:
print("Failed to load package") print("Failed to load package")
raise ValueError("COULD NOT LOAD STIX PACKAGE!") raise ValueError("COULD NOT LOAD STIX PACKAGE!")
return package return package