Merge 98ae2237aa into b738603911

Usbmuxd debug option changed from -d to -v (#464 )
Co-authored-by: renini <renini@local>
2024-04-08 18:42:58 +02:00 · 2024-04-08 18:34:34 +02:00 · 2024-02-20 21:34:15 +01:00
3 changed files with 35 additions and 1 deletions
--- a/docs/ios/install.md
+++ b/docs/ios/install.md
@ -48,7 +48,7 @@ ideviceinfo
 This should show many details on the connected iOS device. If you are connecting the device to your laptop for the first time, it will require to unlock and enter the PIN code on the mobile device. If it complains that no device is connected and the mobile device is indeed plugged in through the USB cable, you might need to do this first, although typically the pairing is automatically done when connecting the device:

 ```bash
-sudo usbmuxd -f -d
+sudo usbmuxd -f -v
 idevicepair pair
 ```

--- a/mvt/common/indicators.py
+++ b/mvt/common/indicators.py
@ -13,6 +13,7 @@ import ahocorasick
 from appdirs import user_data_dir

 from .url import URL
+import ipaddress

 MVT_DATA_FOLDER = user_data_dir("mvt")
 MVT_INDICATORS_FOLDER = os.path.join(MVT_DATA_FOLDER, "indicators")
@ -97,6 +98,29 @@ class Indicators:
                ioc_coll=collection,
                ioc_coll_list=collection["domains"],
            )
+        if key == "ipv4-addr:value":
+            # Check for cidr notation, and add each ip to the domains collection
+            if "/" in value:
+                try:
+                    network = ipaddress.ip_network(value.strip("'"), strict=False)
+                    for ip in network.hosts():
+                        self._add_indicator(
+                            ioc="'" + str(ip) + "'",
+                            ioc_coll=collection,
+                            ioc_coll_list=collection["domains"],
+                        )
+                except ValueError:
+                    self.log.critical(
+                        "Invalid CIDR notation ipv4-addr:value %s in STIX2 indicator file!", value
+                    )
+                    return
+            else:
+                # Single IP address, add to domains collection
+                self._add_indicator(
+                    ioc=value,
+                    ioc_coll=collection,
+                    ioc_coll_list=collection["domains"],
+                )
        elif key == "process:name":
            self._add_indicator(
                ioc=value, ioc_coll=collection, ioc_coll_list=collection["processes"]
--- a/tests/artifacts/generate_stix.py
+++ b/tests/artifacts/generate_stix.py
@ -13,6 +13,7 @@ def generate_test_stix_file(file_path):
        os.remove(file_path)

    domains = ["example.org"]
+    ip_addresses = ["198.51.100.1"]
    processes = ["Launch"]
    emails = ["foobar@example.org"]
    filenames = ["/var/foobar/txt"]
@ -30,6 +31,15 @@ def generate_test_stix_file(file_path):
        res.append(i)
        res.append(Relationship(i, "indicates", malware))

+    for a in ip_addresses:
+        i = Indicator(
+            indicator_types=["malicious-activity"],
+            pattern="[ipv4-addr:value='{}']".format(d),
+            pattern_type="stix",
+        )
+        res.append(i)
+        res.append(Relationship(i, "indicates", malware))
+
    for p in processes:
        i = Indicator(
            indicator_types=["malicious-activity"],
Author	SHA1	Message	Date
renini	4c9c0b8820	Merge `98ae2237aa` into `b738603911`	2024-04-08 18:42:58 +02:00
renini	b738603911	Usbmuxd debug option changed from -d to -v (#464 ) Co-authored-by: renini <renini@local>	2024-04-08 18:34:34 +02:00
renini	98ae2237aa	Add prelimary ipv4-addr ioc matching support under collection domains	2024-02-20 21:34:15 +01:00