From b654a9743b19075a6f121aaf27cf1fcf94e03ad9 Mon Sep 17 00:00:00 2001
From: Hannah Ward
Date: Thu, 11 Aug 2016 16:33:02 +0100
Subject: [PATCH] Added stix import -- works for IPs/Domains

---
 misp_modules/modules/expansion/stiximport.py | 89 ++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100755 misp_modules/modules/expansion/stiximport.py

diff --git a/misp_modules/modules/expansion/stiximport.py b/misp_modules/modules/expansion/stiximport.py
new file mode 100755
index 0000000..4304cef
--- /dev/null
+++ b/misp_modules/modules/expansion/stiximport.py
@@ -0,0 +1,89 @@
+import json
+import stix
+import csv
+from stix.core import STIXPackage
+import re
+import base64
+
+misperrors = {'error': 'Error'}
+userConfig = {}
+inputSource = ['file']
+
+moduleinfo = {'version': '0.1', 'author': 'Hannah Ward',
+ 'description': 'Import some stix stuff',
+ 'module-type': ['import']}
+
+moduleconfig = []
+
+
+def handler(q=False):
+ if q is False:
+ return False
+ r = {'results': []}
+ q = json.loads(q)
+ #Load the package up
+ package = str(base64.b64decode(q.get("data", None)), 'utf-8')
+ if not package:
+ return json.dumps({"success":0})
+
+ package = loadPackage(package)
+ if package.observables:
+ for obs in package.observables:
+ r["results"].append(buildObservable(obs))
+
+ return r
+
+ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
+def buildObservable(o):
+ #Life is easier with json
+ o = json.loads(o.to_json())
+ print(o)
+ r = {"values":[]}
+ props = o["object"]["properties"]
+ if props["address_value"]:
+ #We've got ourselves a nice little address
+ value = props["address_value"]
+ #Is it an IP?
+ if ipre.match(value):
+ #Yes!
+ r["values"].append(value)
+ r["types"] = ["ip-src", "ip-dst"]
+ else:
+ #Probably a domain yo
+ r["values"].append(value)
+ r["types"] = ["domain", "hostname"]
+
+ return r
+
+def loadPackage(data):
+ #Write the stix package to a tmp file
+ with open("/tmp/stixdump", "w") as f:
+ f.write(data)
+ try:
+ try:
+ package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
+ except:
+ package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
+ except:
+ print("Failed to load package")
+ raise ValueError("COULD NOT LOAD STIX PACKAGE!")
+ return package
+
+def introspection():
+ modulesetup = {}
+ try:
+ userConfig
+ modulesetup['userConfig'] = userConfig
+ except NameError:
+ pass
+ try:
+ inputSource
+ modulesetup['inputSource'] = inputSource
+ except NameError:
+ pass
+ return modulesetup
+
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
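Review bot: loadPackage writes the caller-supplied package to the fixed, predictable path `/tmp/stixdump` and reads it back, so two concurrent imports overwrite each other's data and, on a shared host, the path is exposed to pre-creation or symlink tricks by any other local user; the two `open(...)` handles passed to from_xml/from_json are also never closed, and the bare `except:` discards the real parse error. python-stix's from_xml and from_json accept file-like objects, so the package can be parsed straight from memory (needs `import io` at the top of the file) as sketched below, which removes the temp file entirely. In buildObservable, `props["address_value"]` raises KeyError for any observable without that property (file, hash or URI objects), so `value = props.get("address_value")` with an early return is needed before the branch. The `ipre` pattern leaves `.` unescaped and is unanchored at the end, so `ipre.match` accepts strings such as `1a2b3c4` and never recognises IPv6; `ipaddress.ip_address(value)` inside a `try/except ValueError` is a more reliable classifier. The `print(o)` on every observable looks like leftover debugging output and should be dropped or routed through logging.

```python
def loadPackage(data):
    # Parse from memory: no shared, predictable temp path, no leaked handles
    try:
        return STIXPackage.from_xml(io.StringIO(data))
    except Exception:
        pass
    try:
        return STIXPackage.from_json(io.StringIO(data))
    except Exception as err:
        raise ValueError("COULD NOT LOAD STIX PACKAGE!") from err
```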