diff --git a/misp_modules/modules/expansion/stiximport.py b/misp_modules/modules/expansion/stiximport.py
index 4304cef..ce4ff8f 100755
--- a/misp_modules/modules/expansion/stiximport.py
+++ b/misp_modules/modules/expansion/stiximport.py
@@ -17,38 +17,69 @@ moduleconfig = []
 def handler(q=False):
+ #Just in case we have no data
 if q is False:
 return False
+
+ #The return value
 r = {'results': []}
+
+ #Load up that JSON
 q = json.loads(q)
- #Load the package up
+
+ #It's b64 encoded, so decode that stuff
 package = str(base64.b64decode(q.get("data", None)), 'utf-8')
+
+ #If something really weird happened
 if not package:
 return json.dumps({"success":0})
+#Load up the package into STIX
 package = loadPackage(package)
+
+ #Build all the observables
 if package.observables:
 for obs in package.observables:
 r["results"].append(buildObservable(obs))
 return r
+#Quick and dirty regex for IP addresses
 ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
+
 def buildObservable(o):
+ """
+ Take a STIX observable
+ and extract the value
+ and category
+ """
+ #Life is easier with json
 o = json.loads(o.to_json())
- print(o)
+
+ #Make a new record to store values in
 r = {"values":[]}
+
+ #Get the object properties. This contains all the
+ #fun stuff like values
 props = o["object"]["properties"]
+
+ #If it has an address_value field, it's gonna be an address
+
+ #Kinda obvious really
 if props["address_value"]:
+ #We've got ourselves a nice little address
 value = props["address_value"]
+ #Is it an IP?
 if ipre.match(value):
+ #Yes!
 r["values"].append(value)
 r["types"] = ["ip-src", "ip-dst"]
 else:
+ #Probably a domain yo
 r["values"].append(value)
 r["types"] = ["domain", "hostname"]
@@ -60,6 +91,7 @@ def loadPackage(data):
 with open("/tmp/stixdump", "w") as f:
 f.write(data)
 try:
+ #Try loading it into every format we know of
 try:
 package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
 except:
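Review bot: The comment added above `if props["address_value"]:` says "if it has an address_value field", but a plain subscript raises KeyError when the key is absent, so any non-address observable aborts the whole handler instead of being skipped; `if props.get("address_value"):` matches the documented intent. The same mismatch appears in handler: `q.get("data", None)` feeds None into `base64.b64decode`, which raises TypeError (and malformed input raises `binascii.Error`) before the "really weird" `if not package:` check can run, so that branch is only reached for an empty payload — either guard the key first or reword the comment to say the check only covers an empty string. The new "quick and dirty" comment on `ipre` is accurate but understated: the `.` is unescaped and there is no end anchor, so `match` classifies hostnames such as `1a2b3c4.example.com` and strings like `192.168.1.1foo` as IPs and tags them ip-src/ip-dst; `ipre = re.compile(r"^([0-9]{1,3}\.){3}[0-9]{1,3}$")` or `ipaddress.ip_address(value)` inside a try/except is the cheap fix. buildObservable continues past the end of the hunk.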
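Review bot: The comment added above the inner `try:` documents the fallback chain, but the real problem in this block is the line above it: `open("/tmp/stixdump", "w")` writes untrusted input to a fixed, world-shared path, so concurrent requests overwrite each other's package and any local user who pre-creates that name (including as a symlink) controls where the module writes. A per-call `tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False)` (needs `import tempfile`; the later opens use `f.name` and the file is removed in a `finally`) closes both issues, and if the STIX loaders accept a file object, `io.StringIO(data)` would avoid the disk round-trip entirely, though I cannot confirm that from the hunk. The bare `except:` below the new comment also swallows KeyboardInterrupt and SystemExit; `except Exception:` is the narrowest change that keeps the fallback behaviour. The `open("/tmp/stixdump", "r")` handle passed to `from_xml` is never closed. loadPackage starts and ends outside the hunk.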