mirror of https://github.com/MISP/misp-modules
stiximport will now identify file hashes
parent
29b57258ab
commit
598a030962
|
@ -4,6 +4,7 @@ import csv
|
||||||
from stix.core import STIXPackage
|
from stix.core import STIXPackage
|
||||||
import re
|
import re
|
||||||
import base64
|
import base64
|
||||||
|
import hashlib
|
||||||
|
|
||||||
misperrors = {'error': 'Error'}
|
misperrors = {'error': 'Error'}
|
||||||
userConfig = {}
|
userConfig = {}
|
||||||
|
@ -45,11 +46,49 @@ def handler(q=False):
|
||||||
if package.threat_actors:
|
if package.threat_actors:
|
||||||
for ta in package.threat_actors:
|
for ta in package.threat_actors:
|
||||||
r["results"].append(buildActor(ta))
|
r["results"].append(buildActor(ta))
|
||||||
|
|
||||||
|
if package.indicators:
|
||||||
|
for ind in package.indicators:
|
||||||
|
r["results"].append(buildIndicator(ind))
|
||||||
return r
|
return r
|
||||||
|
|
||||||
#Quick and dirty regex for IP addresses
|
#Quick and dirty regex for IP addresses
|
||||||
ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
|
ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
|
||||||
|
|
||||||
|
def identifyHash(hsh):
|
||||||
|
"""
|
||||||
|
What's that hash!?
|
||||||
|
"""
|
||||||
|
|
||||||
|
possible_hashes = []
|
||||||
|
|
||||||
|
hashes = [x for x in hashlib.algorithms_guaranteed]
|
||||||
|
|
||||||
|
for h in hashes:
|
||||||
|
if len(str(hsh.value)) == len(hashlib.new(h).hexdigest()):
|
||||||
|
possible_hashes.append(h)
|
||||||
|
possible_hashes.append("filename|{}".format(h))
|
||||||
|
|
||||||
|
return possible_hashes
|
||||||
|
|
||||||
|
def buildIndicator(ind):
|
||||||
|
"""
|
||||||
|
Extract hashes
|
||||||
|
and other fun things
|
||||||
|
like that
|
||||||
|
"""
|
||||||
|
r = {"values":[], "types":[]}
|
||||||
|
|
||||||
|
#Try to get hashes. I hate stix
|
||||||
|
if ind.observable:
|
||||||
|
if ind.observable.object_:
|
||||||
|
#Get some hashes
|
||||||
|
hashes = ind.observable.object_.properties.hashes
|
||||||
|
for hsh in hashes:
|
||||||
|
r["values"].append(hsh.simple_hash_value.value)
|
||||||
|
r["types"] = identifyHash(hsh.simple_hash_value)
|
||||||
|
return r
|
||||||
|
|
||||||
def buildActor(ta):
|
def buildActor(ta):
|
||||||
"""
|
"""
|
||||||
Extract the name
|
Extract the name
|
||||||
|
@ -110,7 +149,7 @@ def loadPackage(data):
|
||||||
package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
|
package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
|
||||||
except:
|
except:
|
||||||
package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
|
package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
|
||||||
except:
|
except Exception as ex:
|
||||||
print("Failed to load package")
|
print("Failed to load package")
|
||||||
raise ValueError("COULD NOT LOAD STIX PACKAGE!")
|
raise ValueError("COULD NOT LOAD STIX PACKAGE!")
|
||||||
return package
|
return package
|
||||||
|
|
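Review bot: In buildIndicator, `r["types"] = identifyHash(hsh.simple_hash_value)` sits inside the `for hsh in hashes` loop and replaces the whole list each iteration, so after the loop `types` describes only the last hash while `values` holds every hash, and since identifyHash returns two entries (`h` and `filename|h`) per length match the two lists are not parallel even for a single hash. identifyHash itself is fragile: on Python 3.6+ `hashlib.algorithms_guaranteed` contains `shake_128`/`shake_256`, whose `hexdigest()` needs a length argument, so `hashlib.new(h).hexdigest()` raises TypeError before any match is made, and the remaining names (`sha3_*`, `blake2*`) are not MISP attribute types even though they share digest lengths with sha256/sha512. Nothing verifies the value is hexadecimal, so any 32-character string becomes an md5 candidate, and `filename|` types are emitted although no filename is available at this point. I would map hex-digest lengths to the MISP types explicitly, validate the value with a regex, and append one (value, type) pair per candidate so the lists stay aligned; `properties.hashes` may also be absent or None for non-file observables, which the loop should guard (presumably — confirm against the STIX object model). handler's enclosing body starts before the hunk.
```python
# Hex-digest length -> MISP hash attribute type. hashlib.algorithms_guaranteed
# also lists sha3_*/blake2*/shake_* names MISP does not accept, and shake_*
# cannot be hexdigest()ed without a length argument.
_HASH_TYPES_BY_LEN = {32: "md5", 40: "sha1", 56: "sha224",
                      64: "sha256", 96: "sha384", 128: "sha512"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def identifyHash(hsh):
    """Return the MISP hash types a hex digest could be, by length ([] if none)."""
    value = str(hsh.value)
    if not _HEX_RE.match(value):
        return []
    t = _HASH_TYPES_BY_LEN.get(len(value))
    return [t] if t else []


def buildIndicator(ind):
    # … unchanged: docstring and r initialisation …
    if ind.observable and ind.observable.object_:
        props = ind.observable.object_.properties
        # hashes may be missing/None on non-file objects — TODO confirm against STIX model
        for hsh in getattr(props, "hashes", None) or []:
            value = hsh.simple_hash_value.value
            # one (value, type) pair per candidate keeps the two lists parallel
            for t in identifyHash(hsh.simple_hash_value):
                r["values"].append(value)
                r["types"].append(t)
    return r
```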