mirror of https://github.com/mvt-project/mvt.git
Merge 98ae2237aa
into 7a4946e2c6
This commit is contained in:
commit
94fdb59ac7
|
@ -13,6 +13,7 @@ import ahocorasick
|
|||
from appdirs import user_data_dir
|
||||
|
||||
from .url import URL
|
||||
import ipaddress
|
||||
|
||||
MVT_DATA_FOLDER = user_data_dir("mvt")
|
||||
MVT_INDICATORS_FOLDER = os.path.join(MVT_DATA_FOLDER, "indicators")
|
||||
|
@ -97,6 +98,29 @@ class Indicators:
|
|||
ioc_coll=collection,
|
||||
ioc_coll_list=collection["domains"],
|
||||
)
|
||||
if key == "ipv4-addr:value":
|
||||
# Check for cidr notation, and add each ip to the domains collection
|
||||
if "/" in value:
|
||||
try:
|
||||
network = ipaddress.ip_network(value.strip("'"), strict=False)
|
||||
for ip in network.hosts():
|
||||
self._add_indicator(
|
||||
ioc="'" + str(ip) + "'",
|
||||
ioc_coll=collection,
|
||||
ioc_coll_list=collection["domains"],
|
||||
)
|
||||
except ValueError:
|
||||
self.log.critical(
|
||||
"Invalid CIDR notation ipv4-addr:value %s in STIX2 indicator file!", value
|
||||
)
|
||||
return
|
||||
else:
|
||||
# Single IP address, add to domains collection
|
||||
self._add_indicator(
|
||||
ioc=value,
|
||||
ioc_coll=collection,
|
||||
ioc_coll_list=collection["domains"],
|
||||
)
|
||||
elif key == "process:name":
|
||||
self._add_indicator(
|
||||
ioc=value, ioc_coll=collection, ioc_coll_list=collection["processes"]
|
||||
|
|
|
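Review bot: The CIDR branch's `for ip in network.hosts()` expands every address in the range into the domains collection, so one broad prefix in an indicator file (a /8 yields roughly 16 million addresses) inflates memory and load time with a single line of input; consider bounding the prefix length that is expanded, or keeping the `ip_network` object and testing candidates with `ipaddress.ip_address(x) in network` at match time. The `return` in the `except ValueError` handler also abandons the remainder of the indicator file after one malformed value, where `continue` would skip only that indicator — the enclosing method starts before the hunk, so confirm its loop shape. Note too that `hosts()` omits the network and broadcast addresses for prefixes shorter than /31, so those two addresses in a listed range would never match; if that is intended, a comment such as `# hosts() skips network/broadcast addresses on purpose` would document it.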
@ -13,6 +13,7 @@ def generate_test_stix_file(file_path):
|
|||
os.remove(file_path)
|
||||
|
||||
domains = ["example.org"]
|
||||
ip_addresses = ["198.51.100.1"]
|
||||
processes = ["Launch"]
|
||||
emails = ["foobar@example.org"]
|
||||
filenames = ["/var/foobar/txt"]
|
||||
|
@ -30,6 +31,15 @@ def generate_test_stix_file(file_path):
|
|||
res.append(i)
|
||||
res.append(Relationship(i, "indicates", malware))
|
||||
|
||||
for a in ip_addresses:
|
||||
i = Indicator(
|
||||
indicator_types=["malicious-activity"],
|
||||
pattern="[ipv4-addr:value='{}']".format(d),
|
||||
pattern_type="stix",
|
||||
)
|
||||
res.append(i)
|
||||
res.append(Relationship(i, "indicates", malware))
|
||||
|
||||
for p in processes:
|
||||
i = Indicator(
|
||||
indicator_types=["malicious-activity"],
|
||||
|
|
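Review bot: The new `for a in ip_addresses` loop formats its pattern with `d`, the loop variable left over from the preceding domains loop, so every generated ipv4-addr indicator carries the last domain rather than the address; the line should read `pattern="[ipv4-addr:value='{}']".format(a),`. As written the fixture never emits an ipv4-addr:value pattern containing an IP, so any test of the new IP/CIDR handling in Indicators would be exercising the wrong value. generate_test_stix_file begins before the hunk.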