Add prelimary ipv4-addr ioc matching support under collection domains
This commit is contained in:
parent
4ea53d707b
commit
98ae2237aa
|
@ -13,6 +13,7 @@ import ahocorasick
|
||||||
from appdirs import user_data_dir
|
from appdirs import user_data_dir
|
||||||
|
|
||||||
from .url import URL
|
from .url import URL
|
||||||
|
import ipaddress
|
||||||
|
|
||||||
MVT_DATA_FOLDER = user_data_dir("mvt")
|
MVT_DATA_FOLDER = user_data_dir("mvt")
|
||||||
MVT_INDICATORS_FOLDER = os.path.join(MVT_DATA_FOLDER, "indicators")
|
MVT_INDICATORS_FOLDER = os.path.join(MVT_DATA_FOLDER, "indicators")
|
||||||
|
@ -97,6 +98,29 @@ class Indicators:
|
||||||
ioc_coll=collection,
|
ioc_coll=collection,
|
||||||
ioc_coll_list=collection["domains"],
|
ioc_coll_list=collection["domains"],
|
||||||
)
|
)
|
||||||
|
if key == "ipv4-addr:value":
|
||||||
|
# Check for cidr notation, and add each ip to the domains collection
|
||||||
|
if "/" in value:
|
||||||
|
try:
|
||||||
|
network = ipaddress.ip_network(value.strip("'"), strict=False)
|
||||||
|
for ip in network.hosts():
|
||||||
|
self._add_indicator(
|
||||||
|
ioc="'" + str(ip) + "'",
|
||||||
|
ioc_coll=collection,
|
||||||
|
ioc_coll_list=collection["domains"],
|
||||||
|
)
|
||||||
|
except ValueError:
|
||||||
|
self.log.critical(
|
||||||
|
"Invalid CIDR notation ipv4-addr:value %s in STIX2 indicator file!", value
|
||||||
|
)
|
||||||
|
return
|
||||||
|
else:
|
||||||
|
# Single IP address, add to domains collection
|
||||||
|
self._add_indicator(
|
||||||
|
ioc=value,
|
||||||
|
ioc_coll=collection,
|
||||||
|
ioc_coll_list=collection["domains"],
|
||||||
|
)
|
||||||
elif key == "process:name":
|
elif key == "process:name":
|
||||||
self._add_indicator(
|
self._add_indicator(
|
||||||
ioc=value, ioc_coll=collection, ioc_coll_list=collection["processes"]
|
ioc=value, ioc_coll=collection, ioc_coll_list=collection["processes"]
|
||||||
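Review bot: Expanding a CIDR into individual addresses at `for ip in network.hosts():` makes indicator loading cost proportional to the prefix size — a single `/8` in an indicator file means roughly 16 million `_add_indicator` calls and as many entries in the domains collection — and `hosts()` also silently drops the network and broadcast addresses, which are valid matches for an IoC. Prefer keeping the network object in a dedicated list and testing `ipaddress.ip_address(candidate) in network` at match time, or at least iterate `network` itself and refuse oversized prefixes, e.g. `if network.num_addresses > 65536: self.log.warning("Skipping oversized CIDR %s", value); continue`. The `return` in the `except ValueError` branch also looks wrong if this runs inside the per-indicator loop (the enclosing method starts outside the hunk): one malformed CIDR would abandon every indicator after it, whereas `continue` would skip only that one. Note as well that the CIDR branch stores `"'" + str(ip) + "'"` while the single-address branch stores `value` unchanged, so the two paths yield differently quoted entries unless `value` still carries its STIX quotes — worth a test covering both forms.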
|
|
|
@ -13,6 +13,7 @@ def generate_test_stix_file(file_path):
|
||||||
os.remove(file_path)
|
os.remove(file_path)
|
||||||
|
|
||||||
domains = ["example.org"]
|
domains = ["example.org"]
|
||||||
|
ip_addresses = ["198.51.100.1"]
|
||||||
processes = ["Launch"]
|
processes = ["Launch"]
|
||||||
emails = ["foobar@example.org"]
|
emails = ["foobar@example.org"]
|
||||||
filenames = ["/var/foobar/txt"]
|
filenames = ["/var/foobar/txt"]
|
||||||
|
@ -30,6 +31,15 @@ def generate_test_stix_file(file_path):
|
||||||
res.append(i)
|
res.append(i)
|
||||||
res.append(Relationship(i, "indicates", malware))
|
res.append(Relationship(i, "indicates", malware))
|
||||||
|
|
||||||
|
for a in ip_addresses:
|
||||||
|
i = Indicator(
|
||||||
|
indicator_types=["malicious-activity"],
|
||||||
|
pattern="[ipv4-addr:value='{}']".format(d),
|
||||||
|
pattern_type="stix",
|
||||||
|
)
|
||||||
|
res.append(i)
|
||||||
|
res.append(Relationship(i, "indicates", malware))
|
||||||
|
|
||||||
for p in processes:
|
for p in processes:
|
||||||
i = Indicator(
|
i = Indicator(
|
||||||
indicator_types=["malicious-activity"],
|
indicator_types=["malicious-activity"],
|
||||||
|
|