Browse Source

Added docs to stiximport

pull/41/head
Hannah Ward 6 years ago
parent
commit
c106aa662b
No known key found for this signature in database
GPG Key ID: BA89E572EE1B4C5F
  1. 36
      misp_modules/modules/expansion/stiximport.py

36
misp_modules/modules/expansion/stiximport.py

@ -17,38 +17,69 @@ moduleconfig = [] @@ -17,38 +17,69 @@ moduleconfig = []
def handler(q=False):
#Just in case we have no data
if q is False:
return False
#The return value
r = {'results': []}
#Load up that JSON
q = json.loads(q)
#Load the package up
#It's b64 encoded, so decode that stuff
package = str(base64.b64decode(q.get("data", None)), 'utf-8')
#If something really weird happened
if not package:
return json.dumps({"success":0})
#Load up the package into STIX
package = loadPackage(package)
#Build all the observables
if package.observables:
for obs in package.observables:
r["results"].append(buildObservable(obs))
return r
#Quick and dirty regex for IP addresses
ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
def buildObservable(o):
"""
Take a STIX observable
and extract the value
and category
"""
#Life is easier with json
o = json.loads(o.to_json())
print(o)
#Make a new record to store values in
r = {"values":[]}
#Get the object properties. This contains all the
#fun stuff like values
props = o["object"]["properties"]
#If it has an address_value field, it's gonna be an address
#Kinda obvious really
if props["address_value"]:
#We've got ourselves a nice little address
value = props["address_value"]
#Is it an IP?
if ipre.match(value):
#Yes!
r["values"].append(value)
r["types"] = ["ip-src", "ip-dst"]
else:
#Probably a domain yo
r["values"].append(value)
r["types"] = ["domain", "hostname"]
@ -60,6 +91,7 @@ def loadPackage(data): @@ -60,6 +91,7 @@ def loadPackage(data):
with open("/tmp/stixdump", "w") as f:
f.write(data)
try:
#Try loading it into every format we know of
try:
package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
except:

Loading…
Cancel
Save