From a653cb3cfc6441364d5915c47abc253b99309c1f Mon Sep 17 00:00:00 2001
From: tek
Date: Fri, 10 Dec 2021 16:11:59 +0100
Subject: [PATCH] Implements loading STIX files from env variable MVT_STIX2

---
 docs/iocs.md | 6 ++++++
 mvt/common/indicators.py | 13 +++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/docs/iocs.md b/docs/iocs.md
index b297b98..523c287 100644
--- a/docs/iocs.md
+++ b/docs/iocs.md
@@ -28,6 +28,12 @@ The `--iocs` option can be invoked multiple times to let MVT import multiple STI
 mvt-ios check-backup --iocs ~/iocs/malware1.stix --iocs ~/iocs/malware2.stix2 /path/to/backup
 ```
 
+It is also possible to load STIX2 files automatically from the environment variable `MVT_STIX2`:
+
+```bash
+export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"
+```
+
 ## Known repositories of STIX2 IOCs
 
 - The [Amnesty International investigations repository](https://github.com/AmnestyTech/investigations) contains STIX-formatted IOCs for:
diff --git a/mvt/common/indicators.py b/mvt/common/indicators.py
index 6e8b458..e88f317 100644
--- a/mvt/common/indicators.py
+++ b/mvt/common/indicators.py
@@ -29,12 +29,25 @@ class Indicators:
         self.ioc_files_sha256 = []
         self.ioc_app_ids = []
         self.ioc_count = 0
+        self._check_env_variable()
 
     def _add_indicator(self, ioc, iocs_list):
         if ioc not in iocs_list:
             iocs_list.append(ioc)
             self.ioc_count += 1
 
+    def _check_env_variable(self):
+        """
+        Checks if a variable MVT_STIX2 contains path to STIX Files
+        """
+        if "MVT_STIX2" in os.environ:
+            paths = os.environ["MVT_STIX2"].split(":")
+            for path in paths:
+                if os.path.isfile(path):
+                    self.parse_stix2(path)
+                else:
+                    self.log.info("Invalid STIX2 path %s in MVT_STIX2 environment variable", path)
+
     def parse_stix2(self, file_path):
         """Extract indicators from a STIX2 file.
 
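Review bot: `_check_env_variable` splits `MVT_STIX2` on a literal `:`, which breaks Windows drive paths (`C:\iocs\x.stix2` becomes two invalid entries) and turns a trailing separator into an empty path that is then reported as invalid; using the platform separator and skipping blanks fixes both while keeping the documented `:` form on POSIX: `for path in filter(None, os.environ["MVT_STIX2"].split(os.pathsep)):`. A mistyped or unreadable path silently drops that whole IOC set, which means missed detections for the analyst, so the `else` branch should log at `self.log.warning(...)` rather than `info`, and the docstring should say so, e.g. `"""Load STIX2 files listed in MVT_STIX2 (os.pathsep-separated); entries that are not files are skipped with a warning."""`. The new call is made from `__init__`, whose header and any `self.log` assignment are outside the hunk; if `log` can be `None` there, the logging call would raise `AttributeError` on the first bad path, so that is worth confirming before relying on the fallback.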