mirror of
https://github.com/mvt-project/mvt.git
synced 2024-07-01 00:19:02 +00:00
Added ability to import multiple STIX2 indicators files
This commit is contained in:
parent
07cf14a921
commit
6a63256b5c
|
@ -17,32 +17,30 @@ class Indicators:
|
||||||
functions to compare extracted artifacts to the indicators.
|
functions to compare extracted artifacts to the indicators.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def __init__(self, file_path, log=None):
|
def __init__(self, log=None):
|
||||||
self.file_path = file_path
|
|
||||||
with open(self.file_path, "r") as handle:
|
|
||||||
try:
|
|
||||||
self.data = json.load(handle)
|
|
||||||
except json.decoder.JSONDecodeError:
|
|
||||||
raise IndicatorsFileBadFormat("Unable to parse STIX2 indicators file, the file seems malformed or in the wrong format")
|
|
||||||
|
|
||||||
self.log = log
|
self.log = log
|
||||||
self.ioc_domains = []
|
self.ioc_domains = []
|
||||||
self.ioc_processes = []
|
self.ioc_processes = []
|
||||||
self.ioc_emails = []
|
self.ioc_emails = []
|
||||||
self.ioc_files = []
|
self.ioc_files = []
|
||||||
self._parse_stix_file()
|
|
||||||
|
|
||||||
def _parse_stix_file(self):
|
def parse_stix2(self, file_path):
|
||||||
"""Extract IOCs of given type from STIX2 definitions.
|
"""Extract indicators from a STIX2 file.
|
||||||
"""
|
"""
|
||||||
for entry in self.data["objects"]:
|
self.log.info("Parsing STIX2 indicators file at path %s",
|
||||||
|
file_path)
|
||||||
|
|
||||||
|
with open(file_path, "r") as handle:
|
||||||
try:
|
try:
|
||||||
if entry["type"] != "indicator":
|
data = json.load(handle)
|
||||||
continue
|
except json.decoder.JSONDecodeError:
|
||||||
except KeyError:
|
raise IndicatorsFileBadFormat("Unable to parse STIX2 indicators file, the file seems malformed or in the wrong format")
|
||||||
|
|
||||||
|
for entry in data.get("objects", []):
|
||||||
|
if entry.get("type", "") != "indicator":
|
||||||
continue
|
continue
|
||||||
|
|
||||||
key, value = entry["pattern"].strip("[]").split("=")
|
key, value = entry.get("pattern", "").strip("[]").split("=")
|
||||||
value = value.strip("'")
|
value = value.strip("'")
|
||||||
|
|
||||||
if key == "domain-name:value":
|
if key == "domain-name:value":
|
||||||
|
|
|
@ -121,7 +121,8 @@ def extract_key(password, backup_path, key_file):
|
||||||
# Command: check-backup
|
# Command: check-backup
|
||||||
#==============================================================================
|
#==============================================================================
|
||||||
@cli.command("check-backup", help="Extract artifacts from an iTunes backup")
|
@cli.command("check-backup", help="Extract artifacts from an iTunes backup")
|
||||||
@click.option("--iocs", "-i", type=click.Path(exists=True), help="Path to indicators file")
|
@click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
|
||||||
|
default=[], help="Path to indicators file")
|
||||||
@click.option("--output", "-o", type=click.Path(exists=False), help=OUTPUT_HELP_MESSAGE)
|
@click.option("--output", "-o", type=click.Path(exists=False), help=OUTPUT_HELP_MESSAGE)
|
||||||
@click.option("--fast", "-f", is_flag=True, help="Avoid running time/resource consuming features")
|
@click.option("--fast", "-f", is_flag=True, help="Avoid running time/resource consuming features")
|
||||||
@click.option("--list-modules", "-l", is_flag=True, help="Print list of available modules and exit")
|
@click.option("--list-modules", "-l", is_flag=True, help="Print list of available modules and exit")
|
||||||
|
@ -145,11 +146,11 @@ def check_backup(ctx, iocs, output, fast, backup_path, list_modules, module):
|
||||||
log.critical("Unable to create output folder %s: %s", output, e)
|
log.critical("Unable to create output folder %s: %s", output, e)
|
||||||
ctx.exit(1)
|
ctx.exit(1)
|
||||||
|
|
||||||
if iocs:
|
for ioc_path in iocs:
|
||||||
# Pre-load indicators for performance reasons.
|
|
||||||
log.info("Loading indicators from provided file at: %s", iocs)
|
|
||||||
try:
|
try:
|
||||||
indicators = Indicators(iocs)
|
indicators = Indicators()
|
||||||
|
indicators.log = log
|
||||||
|
indicators.parse_stix2(ioc_path)
|
||||||
except IndicatorsFileBadFormat as e:
|
except IndicatorsFileBadFormat as e:
|
||||||
log.critical(e)
|
log.critical(e)
|
||||||
ctx.exit(1)
|
ctx.exit(1)
|
||||||
|
@ -183,7 +184,8 @@ def check_backup(ctx, iocs, output, fast, backup_path, list_modules, module):
|
||||||
# Command: check-fs
|
# Command: check-fs
|
||||||
#==============================================================================
|
#==============================================================================
|
||||||
@cli.command("check-fs", help="Extract artifacts from a full filesystem dump")
|
@cli.command("check-fs", help="Extract artifacts from a full filesystem dump")
|
||||||
@click.option("--iocs", "-i", type=click.Path(exists=True), help="Path to indicators file")
|
@click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
|
||||||
|
default=[], help="Path to indicators file")
|
||||||
@click.option("--output", "-o", type=click.Path(exists=False), help=OUTPUT_HELP_MESSAGE)
|
@click.option("--output", "-o", type=click.Path(exists=False), help=OUTPUT_HELP_MESSAGE)
|
||||||
@click.option("--fast", "-f", is_flag=True, help="Avoid running time/resource consuming features")
|
@click.option("--fast", "-f", is_flag=True, help="Avoid running time/resource consuming features")
|
||||||
@click.option("--list-modules", "-l", is_flag=True, help="Print list of available modules and exit")
|
@click.option("--list-modules", "-l", is_flag=True, help="Print list of available modules and exit")
|
||||||
|
@ -207,11 +209,11 @@ def check_fs(ctx, iocs, output, fast, dump_path, list_modules, module):
|
||||||
log.critical("Unable to create output folder %s: %s", output, e)
|
log.critical("Unable to create output folder %s: %s", output, e)
|
||||||
ctx.exit(1)
|
ctx.exit(1)
|
||||||
|
|
||||||
if iocs:
|
for ioc_path in iocs:
|
||||||
# Pre-load indicators for performance reasons.
|
|
||||||
log.info("Loading indicators from provided file at: %s", iocs)
|
|
||||||
try:
|
try:
|
||||||
indicators = Indicators(iocs)
|
indicators = Indicators()
|
||||||
|
indicators.log = log
|
||||||
|
indicators.parse_stix2(ioc_path)
|
||||||
except IndicatorsFileBadFormat as e:
|
except IndicatorsFileBadFormat as e:
|
||||||
log.critical(e)
|
log.critical(e)
|
||||||
ctx.exit(1)
|
ctx.exit(1)
|
||||||
|
@ -246,8 +248,8 @@ def check_fs(ctx, iocs, output, fast, dump_path, list_modules, module):
|
||||||
# Command: check-iocs
|
# Command: check-iocs
|
||||||
#==============================================================================
|
#==============================================================================
|
||||||
@cli.command("check-iocs", help="Compare stored JSON results to provided indicators")
|
@cli.command("check-iocs", help="Compare stored JSON results to provided indicators")
|
||||||
@click.option("--iocs", "-i", required=True, type=click.Path(exists=True),
|
@click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
|
||||||
help="Path to indicators file")
|
default=[], required=True, help="Path to indicators file")
|
||||||
@click.option("--list-modules", "-l", is_flag=True, help="Print list of available modules and exit")
|
@click.option("--list-modules", "-l", is_flag=True, help="Print list of available modules and exit")
|
||||||
@click.option("--module", "-m", help="Name of a single module you would like to run instead of all")
|
@click.option("--module", "-m", help="Name of a single module you would like to run instead of all")
|
||||||
@click.argument("FOLDER", type=click.Path(exists=True))
|
@click.argument("FOLDER", type=click.Path(exists=True))
|
||||||
|
@ -267,14 +269,14 @@ def check_iocs(ctx, iocs, list_modules, module, folder):
|
||||||
|
|
||||||
log.info("Checking stored results against provided indicators...")
|
log.info("Checking stored results against provided indicators...")
|
||||||
|
|
||||||
# Pre-load indicators for performance reasons.
|
for ioc_path in iocs:
|
||||||
log.info("Loading indicators from provided file at: %s", iocs)
|
try:
|
||||||
|
indicators = Indicators()
|
||||||
try:
|
indicators.log = log
|
||||||
indicators = Indicators(iocs)
|
indicators.parse_stix2(ioc_path)
|
||||||
except IndicatorsFileBadFormat as e:
|
except IndicatorsFileBadFormat as e:
|
||||||
log.critical(e)
|
log.critical(e)
|
||||||
ctx.exit(1)
|
ctx.exit(1)
|
||||||
|
|
||||||
for file_name in os.listdir(folder):
|
for file_name in os.listdir(folder):
|
||||||
name_only, ext = os.path.splitext(file_name)
|
name_only, ext = os.path.splitext(file_name)
|
||||||
|
|
Loading…
Reference in New Issue
Block a user