Implements loading STIX files from env variable MVT_STIX2

2021-12-10 16:11:59 +01:00 · 2021-12-10 16:11:59 +01:00 · a653cb3cfc
parent b25cc48be0
commit a653cb3cfc
2 changed files with 19 additions and 0 deletions
--- a/docs/iocs.md
+++ b/docs/iocs.md
@ -28,6 +28,12 @@ The `--iocs` option can be invoked multiple times to let MVT import multiple STI
 mvt-ios check-backup --iocs ~/iocs/malware1.stix --iocs ~/iocs/malware2.stix2 /path/to/backup
 ```

+It is also possible to load STIX2 files automatically from the environment variable `MVT_STIX2`:
+
+```bash
+export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"
+```
+
 ## Known repositories of STIX2 IOCs

 - The [Amnesty International investigations repository](https://github.com/AmnestyTech/investigations) contains STIX-formatted IOCs for:
--- a/mvt/common/indicators.py
+++ b/mvt/common/indicators.py
@ -29,12 +29,25 @@ class Indicators:
        self.ioc_files_sha256 = []
        self.ioc_app_ids = []
        self.ioc_count = 0
+        self._check_env_variable()

    def _add_indicator(self, ioc, iocs_list):
        if ioc not in iocs_list:
            iocs_list.append(ioc)
            self.ioc_count += 1

+    def _check_env_variable(self):
+        """
+        Checks if a variable MVT_STIX2 contains path to STIX Files
+        """
+        if "MVT_STIX2" in os.environ:
+            paths = os.environ["MVT_STIX2"].split(":")
+            for path in paths:
+                if os.path.isfile(path):
+                    self.parse_stix2(path)
+                else:
+                    self.log.info("Invalid STIX2 path %s in MVT_STIX2 environment variable", path)
+
    def parse_stix2(self, file_path):
        """Extract indicators from a STIX2 file.