mirror of https://github.com/mvt-project/mvt.git
Compare commits
3 Commits
55bd9d2a2b
...
4c9c0b8820
Author | SHA1 | Date |
---|---|---|
renini | 4c9c0b8820 | |
renini | b738603911 | |
renini | 98ae2237aa |
|
@ -48,7 +48,7 @@ ideviceinfo
|
|||
This should show many details on the connected iOS device. If you are connecting the device to your laptop for the first time, it will require to unlock and enter the PIN code on the mobile device. If it complains that no device is connected and the mobile device is indeed plugged in through the USB cable, you might need to do this first, although typically the pairing is automatically done when connecting the device:
|
||||
|
||||
```bash
|
||||
sudo usbmuxd -f -d
|
||||
sudo usbmuxd -f -v
|
||||
idevicepair pair
|
||||
```
|
||||
|
||||
|
|
|
@ -13,6 +13,7 @@ import ahocorasick
|
|||
from appdirs import user_data_dir
|
||||
|
||||
from .url import URL
|
||||
import ipaddress
|
||||
|
||||
MVT_DATA_FOLDER = user_data_dir("mvt")
|
||||
MVT_INDICATORS_FOLDER = os.path.join(MVT_DATA_FOLDER, "indicators")
|
||||
|
@ -97,6 +98,29 @@ class Indicators:
|
|||
ioc_coll=collection,
|
||||
ioc_coll_list=collection["domains"],
|
||||
)
|
||||
if key == "ipv4-addr:value":
|
||||
# Check for cidr notation, and add each ip to the domains collection
|
||||
if "/" in value:
|
||||
try:
|
||||
network = ipaddress.ip_network(value.strip("'"), strict=False)
|
||||
for ip in network.hosts():
|
||||
self._add_indicator(
|
||||
ioc="'" + str(ip) + "'",
|
||||
ioc_coll=collection,
|
||||
ioc_coll_list=collection["domains"],
|
||||
)
|
||||
except ValueError:
|
||||
self.log.critical(
|
||||
"Invalid CIDR notation ipv4-addr:value %s in STIX2 indicator file!", value
|
||||
)
|
||||
return
|
||||
else:
|
||||
# Single IP address, add to domains collection
|
||||
self._add_indicator(
|
||||
ioc=value,
|
||||
ioc_coll=collection,
|
||||
ioc_coll_list=collection["domains"],
|
||||
)
|
||||
elif key == "process:name":
|
||||
self._add_indicator(
|
||||
ioc=value, ioc_coll=collection, ioc_coll_list=collection["processes"]
|
||||
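Review bot: `network.hosts()` is iterated with no bound on the prefix length, so one `ipv4-addr:value` entry written as a wide range (a /8, for instance) expands into millions of `_add_indicator` calls and quoted strings retained in `collection["domains"]`; since STIX2 files are third-party input, cap the expansion before the loop, e.g. `if network.num_addresses > 65536:  # threshold is an example, pick per project` followed by a `self.log.warning(...)` and skip, or keep the `ip_network` object and test membership with `ip in network` at lookup time instead of materialising every host. The `return` in the `except ValueError` branch also abandons the whole file on a single malformed entry, whereas the single-IP path and the other keys let parsing carry on; if this sits inside the per-pattern loop (the enclosing function starts and ends outside the hunk), `continue` appears to be the intent. Note as well that `ipaddress.ip_network` accepts IPv6 networks although the key is `ipv4-addr:value`; `ipaddress.IPv4Network(value.strip("'"), strict=False)` would match the key and reject the rest with the same `ValueError`.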
|
|
|
@ -13,6 +13,7 @@ def generate_test_stix_file(file_path):
|
|||
os.remove(file_path)
|
||||
|
||||
domains = ["example.org"]
|
||||
ip_addresses = ["198.51.100.1"]
|
||||
processes = ["Launch"]
|
||||
emails = ["foobar@example.org"]
|
||||
filenames = ["/var/foobar/txt"]
|
||||
|
@ -30,6 +31,15 @@ def generate_test_stix_file(file_path):
|
|||
res.append(i)
|
||||
res.append(Relationship(i, "indicates", malware))
|
||||
|
||||
for a in ip_addresses:
|
||||
i = Indicator(
|
||||
indicator_types=["malicious-activity"],
|
||||
pattern="[ipv4-addr:value='{}']".format(d),
|
||||
pattern_type="stix",
|
||||
)
|
||||
res.append(i)
|
||||
res.append(Relationship(i, "indicates", malware))
|
||||
|
||||
for p in processes:
|
||||
i = Indicator(
|
||||
indicator_types=["malicious-activity"],
|
||||
|
|