Added docs to stiximport
parent
b654a9743b
commit
c106aa662b
|
@ -17,38 +17,69 @@ moduleconfig = []
|
||||||
|
|
||||||
|
|
||||||
def handler(q=False):
|
def handler(q=False):
|
||||||
|
#Just in case we have no data
|
||||||
if q is False:
|
if q is False:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
#The return value
|
||||||
r = {'results': []}
|
r = {'results': []}
|
||||||
|
|
||||||
|
#Load up that JSON
|
||||||
q = json.loads(q)
|
q = json.loads(q)
|
||||||
#Load the package up
|
|
||||||
|
#It's b64 encoded, so decode that stuff
|
||||||
package = str(base64.b64decode(q.get("data", None)), 'utf-8')
|
package = str(base64.b64decode(q.get("data", None)), 'utf-8')
|
||||||
|
|
||||||
|
#If something really weird happened
|
||||||
if not package:
|
if not package:
|
||||||
return json.dumps({"success":0})
|
return json.dumps({"success":0})
|
||||||
|
|
||||||
|
#Load up the package into STIX
|
||||||
package = loadPackage(package)
|
package = loadPackage(package)
|
||||||
|
|
||||||
|
#Build all the observables
|
||||||
if package.observables:
|
if package.observables:
|
||||||
for obs in package.observables:
|
for obs in package.observables:
|
||||||
r["results"].append(buildObservable(obs))
|
r["results"].append(buildObservable(obs))
|
||||||
|
|
||||||
return r
|
return r
|
||||||
|
|
||||||
|
#Quick and dirty regex for IP addresses
|
||||||
ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
|
ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
|
||||||
|
|
||||||
def buildObservable(o):
|
def buildObservable(o):
|
||||||
|
"""
|
||||||
|
Take a STIX observable
|
||||||
|
and extract the value
|
||||||
|
and category
|
||||||
|
"""
|
||||||
|
|
||||||
#Life is easier with json
|
#Life is easier with json
|
||||||
o = json.loads(o.to_json())
|
o = json.loads(o.to_json())
|
||||||
print(o)
|
|
||||||
|
#Make a new record to store values in
|
||||||
r = {"values":[]}
|
r = {"values":[]}
|
||||||
|
|
||||||
|
#Get the object properties. This contains all the
|
||||||
|
#fun stuff like values
|
||||||
props = o["object"]["properties"]
|
props = o["object"]["properties"]
|
||||||
|
|
||||||
|
#If it has an address_value field, it's gonna be an address
|
||||||
|
|
||||||
|
#Kinda obvious really
|
||||||
if props["address_value"]:
|
if props["address_value"]:
|
||||||
|
|
||||||
#We've got ourselves a nice little address
|
#We've got ourselves a nice little address
|
||||||
value = props["address_value"]
|
value = props["address_value"]
|
||||||
|
|
||||||
#Is it an IP?
|
#Is it an IP?
|
||||||
if ipre.match(value):
|
if ipre.match(value):
|
||||||
|
|
||||||
#Yes!
|
#Yes!
|
||||||
r["values"].append(value)
|
r["values"].append(value)
|
||||||
r["types"] = ["ip-src", "ip-dst"]
|
r["types"] = ["ip-src", "ip-dst"]
|
||||||
else:
|
else:
|
||||||
|
|
||||||
#Probably a domain yo
|
#Probably a domain yo
|
||||||
r["values"].append(value)
|
r["values"].append(value)
|
||||||
r["types"] = ["domain", "hostname"]
|
r["types"] = ["domain", "hostname"]
|
||||||
|
@ -60,6 +91,7 @@ def loadPackage(data):
|
||||||
with open("/tmp/stixdump", "w") as f:
|
with open("/tmp/stixdump", "w") as f:
|
||||||
f.write(data)
|
f.write(data)
|
||||||
try:
|
try:
|
||||||
|
#Try loading it into every format we know of
|
||||||
try:
|
try:
|
||||||
package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
|
package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
|
||||||
except:
|
except:
|
||||||
|
|
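Review bot: The new comment `#If it has an address_value field, it's gonna be an address` describes a conditional that the code beneath it does not implement: `props["address_value"]` raises KeyError for any observable whose properties lack that key, so a package carrying a file or hash observable aborts the whole handler instead of having that observable skipped, and `value = props.get("address_value")` followed by `if value:` is what the comment promises. The `print(o)` in buildObservable, if it survives this commit (its side is not recoverable from the rendering), dumps every decoded observable to stdout and should go. In the loadPackage hunk the decoded, caller-supplied package is written to the fixed path `/tmp/stixdump` and re-read through an `open()` that is never closed, so the handle leaks and concurrent requests clobber each other's file in a shared directory; parsing from memory would avoid the temp file altogether (python-stix's `from_xml` appears to accept a file-like object such as `io.StringIO(data)`, confirm against its docs). The bare `except:` there also hides the reason a parse failed and should be at least `except Exception:`. loadPackage's body continues outside the hunk.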