From 98ae2237aa10861e8e6f672d51bf7aa8fb468c43 Mon Sep 17 00:00:00 2001
From: renini
Date: Tue, 20 Feb 2024 21:34:15 +0100
Subject: [PATCH] Add prelimary ipv4-addr ioc matching support under collection domains
---
 mvt/common/indicators.py | 24 ++++++++++++++++++++++++
 tests/artifacts/generate_stix.py | 10 ++++++++++
 2 files changed, 34 insertions(+)
diff --git a/mvt/common/indicators.py b/mvt/common/indicators.py
index 19dc6a2..67bff69 100644
--- a/mvt/common/indicators.py
+++ b/mvt/common/indicators.py
@@ -13,6 +13,7 @@ import ahocorasick
 from appdirs import user_data_dir
 from .url import URL
+import ipaddress
 MVT_DATA_FOLDER = user_data_dir("mvt")
 MVT_INDICATORS_FOLDER = os.path.join(MVT_DATA_FOLDER, "indicators")
@@ -97,6 +98,29 @@ class Indicators:
 ioc_coll=collection,
 ioc_coll_list=collection["domains"],
 )
+ if key == "ipv4-addr:value":
+ # Check for cidr notation, and add each ip to the domains collection
+ if "/" in value:
+ try:
+ network = ipaddress.ip_network(value.strip("'"), strict=False)
+ for ip in network.hosts():
+ self._add_indicator(
+ ioc="'" + str(ip) + "'",
+ ioc_coll=collection,
+ ioc_coll_list=collection["domains"],
+ )
+ except ValueError:
+ self.log.critical(
+ "Invalid CIDR notation ipv4-addr:value %s in STIX2 indicator file!", value
+ )
+ return
+ else:
+ # Single IP address, add to domains collection
+ self._add_indicator(
+ ioc=value,
+ ioc_coll=collection,
+ ioc_coll_list=collection["domains"],
+ )
 elif key == "process:name":
 self._add_indicator(
 ioc=value, ioc_coll=collection, ioc_coll_list=collection["processes"]
diff --git a/tests/artifacts/generate_stix.py b/tests/artifacts/generate_stix.py
index 5801025..410110c 100644
--- a/tests/artifacts/generate_stix.py
+++ b/tests/artifacts/generate_stix.py
@@ -13,6 +13,7 @@ def generate_test_stix_file(file_path):
 os.remove(file_path)
 domains = ["example.org"]
+ ip_addresses = ["198.51.100.1"]
 processes = ["Launch"]
 emails = ["foobar@example.org"]
 filenames = ["/var/foobar/txt"]
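Review bot: `import ipaddress` is added after the package-relative `from .url import URL`, which splits the file's import grouping: the module already has standard-library imports (`os` is used by `MVT_INDICATORS_FOLDER` just below) sitting above the third-party `ahocorasick`/`appdirs` lines, outside this hunk. Moving the line into that standard-library group keeps the stdlib / third-party / local ordering an import sorter would enforce and avoids churn on the next formatting pass.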
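Review bot: `network.hosts()` is expanded with no bound on the prefix length, so a single `ipv4-addr:value` such as a `/8` in an indicator file materialises millions of entries into the domains collection (and whatever structure is later built from it); STIX files are external input, so cap the expansion before the `for ip in network.hosts():` loop, e.g. `if network.num_addresses > MAX_CIDR_HOSTS:` (constant name is a placeholder to be chosen) followed by a `self.log.warning(...)` and skipping that indicator. The `return` in the `except ValueError` branch appears to abort the enclosing parser on one malformed value — the enclosing function starts and ends outside the hunk — so every indicator after it would be silently lost; logging and skipping would be the safer failure mode. The new branch opens with `if key == "ipv4-addr:value":` while the surrounding code is an `elif` chain, which detaches the following `elif key == "process:name":` from the earlier branches; `elif key == "ipv4-addr:value":` keeps the chain intact. The CIDR branch stores `"'" + str(ip) + "'"` while the single-address branch stores `value` untouched, so the two agree only if `value` arrives with its quotes — worth confirming against the caller and noting in the comment, e.g. `# value keeps the pattern's surrounding quotes; expanded hosts are re-quoted to match`.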
@@ -30,6 +31,15 @@ def generate_test_stix_file(file_path):
 res.append(i)
 res.append(Relationship(i, "indicates", malware))
+ for a in ip_addresses:
+ i = Indicator(
+ indicator_types=["malicious-activity"],
+ pattern="[ipv4-addr:value='{}']".format(d),
+ pattern_type="stix",
+ )
+ res.append(i)
+ res.append(Relationship(i, "indicates", malware))
+
 for p in processes:
 i = Indicator(
 indicator_types=["malicious-activity"],
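Review bot: The new loop binds `a` but the pattern is built with `.format(d)`, so each ipv4-addr indicator carries whatever `d` last held in the preceding domain loop (inferred from the `domains` list in the earlier hunk; that loop is outside this hunk) rather than the address, and the fixture never actually exercises the IP matching this commit adds; the line should read `pattern="[ipv4-addr:value='{}']".format(a),`. A check that the generated file contains `198.51.100.1` would catch this.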