Added docs to stiximport

misp_modules/modules/expansion/stiximport.py

@@ -17,38 +17,69 @@ moduleconfig = []
 
 
 def handler(q=False):
+    #Just in case we have no data
     if q is False:
         return False
+
+    #The return value 
     r = {'results': []}
+
+    #Load up that JSON
     q = json.loads(q)
-    #Load the package up
+
+    #It's b64 encoded, so decode that stuff
     package = str(base64.b64decode(q.get("data", None)), 'utf-8')
+     
+    #If something really weird happened
     if not package:
       return json.dumps({"success":0})
 
+    #Load up the package into STIX
     package = loadPackage(package)
+
+    #Build all the observables
     if package.observables:
       for obs in package.observables:
         r["results"].append(buildObservable(obs))
       
     return r
 
+#Quick and dirty regex for IP addresses
 ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
+
 def buildObservable(o):
+  """
+    Take a STIX observable
+    and extract the value
+    and category
+  """
+
   #Life is easier with json
   o = json.loads(o.to_json())
-  print(o)
+   
+  #Make a new record to store values in
   r = {"values":[]}
+
+  #Get the object properties. This contains all the
+  #fun stuff like values
   props = o["object"]["properties"]
+
+  #If it has an address_value field, it's gonna be an address
+
+  #Kinda obvious really
   if props["address_value"]:
+
     #We've got ourselves a nice little address
     value = props["address_value"]
+
     #Is it an IP?
     if ipre.match(value):
+
       #Yes!
       r["values"].append(value)
       r["types"] = ["ip-src", "ip-dst"]
     else:
+
       #Probably a domain yo
       r["values"].append(value)
       r["types"] = ["domain", "hostname"]
@@ -60,6 +91,7 @@ def loadPackage(data):
   with open("/tmp/stixdump", "w") as f:
     f.write(data)
   try:
+    #Try loading it into every format we know of
     try:
       package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
     except: