3 Commits
55bd9d2a2b
...
4c9c0b8820
Author | SHA1 | Date | |
---|---|---|---|
|
4c9c0b8820 | ||
|
b738603911 | ||
|
98ae2237aa |
|
@ -48,7 +48,7 @@ ideviceinfo
|
||||||
This should show many details on the connected iOS device. If you are connecting the device to your laptop for the first time, it will require to unlock and enter the PIN code on the mobile device. If it complains that no device is connected and the mobile device is indeed plugged in through the USB cable, you might need to do this first, although typically the pairing is automatically done when connecting the device:
|
This should show many details on the connected iOS device. If you are connecting the device to your laptop for the first time, it will require to unlock and enter the PIN code on the mobile device. If it complains that no device is connected and the mobile device is indeed plugged in through the USB cable, you might need to do this first, although typically the pairing is automatically done when connecting the device:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo usbmuxd -f -d
|
sudo usbmuxd -f -v
|
||||||
idevicepair pair
|
idevicepair pair
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,7 @@ import ahocorasick
|
||||||
from appdirs import user_data_dir
|
from appdirs import user_data_dir
|
||||||
|
|
||||||
from .url import URL
|
from .url import URL
|
||||||
|
import ipaddress
|
||||||
|
|
||||||
MVT_DATA_FOLDER = user_data_dir("mvt")
|
MVT_DATA_FOLDER = user_data_dir("mvt")
|
||||||
MVT_INDICATORS_FOLDER = os.path.join(MVT_DATA_FOLDER, "indicators")
|
MVT_INDICATORS_FOLDER = os.path.join(MVT_DATA_FOLDER, "indicators")
|
||||||
|
@ -97,6 +98,29 @@ class Indicators:
|
||||||
ioc_coll=collection,
|
ioc_coll=collection,
|
||||||
ioc_coll_list=collection["domains"],
|
ioc_coll_list=collection["domains"],
|
||||||
)
|
)
|
||||||
|
if key == "ipv4-addr:value":
|
||||||
|
# Check for cidr notation, and add each ip to the domains collection
|
||||||
|
if "/" in value:
|
||||||
|
try:
|
||||||
|
network = ipaddress.ip_network(value.strip("'"), strict=False)
|
||||||
|
for ip in network.hosts():
|
||||||
|
self._add_indicator(
|
||||||
|
ioc="'" + str(ip) + "'",
|
||||||
|
ioc_coll=collection,
|
||||||
|
ioc_coll_list=collection["domains"],
|
||||||
|
)
|
||||||
|
except ValueError:
|
||||||
|
self.log.critical(
|
||||||
|
"Invalid CIDR notation ipv4-addr:value %s in STIX2 indicator file!", value
|
||||||
|
)
|
||||||
|
return
|
||||||
|
else:
|
||||||
|
# Single IP address, add to domains collection
|
||||||
|
self._add_indicator(
|
||||||
|
ioc=value,
|
||||||
|
ioc_coll=collection,
|
||||||
|
ioc_coll_list=collection["domains"],
|
||||||
|
)
|
||||||
elif key == "process:name":
|
elif key == "process:name":
|
||||||
self._add_indicator(
|
self._add_indicator(
|
||||||
ioc=value, ioc_coll=collection, ioc_coll_list=collection["processes"]
|
ioc=value, ioc_coll=collection, ioc_coll_list=collection["processes"]
|
||||||
|
|
|
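Review bot: `network.hosts()` expands the CIDR eagerly, so a broad prefix in an indicator file (a /8 is over 16 million addresses, and `strict=False` accepts anything down to /0) adds every address as a separate entry to `collection["domains"]`, which can exhaust memory or stall indicator loading on the analyst's machine; indicator files are commonly fetched from third parties, so this deserves a bound. A cheap guard before the `for ip in network.hosts():` loop is `if network.num_addresses > MAX_CIDR_HOSTS:` followed by a warning and skipping the indicator, with `MAX_CIDR_HOSTS` a module constant whose value is still to be chosen; checking `ip_address(candidate) in network` at lookup time would avoid the expansion entirely but is a larger change. The `return` in the `except ValueError` branch appears to leave the enclosing method on the first malformed CIDR, dropping every indicator after it in the same file — if this sits inside the per-indicator loop, `continue` is presumably what is intended. `strict=False` also silently masks host bits (for instance a value like `192.0.2.5/24` would be widened to `192.0.2.0/24` without any log line), which may deserve a debug message so the analyst can see what was actually loaded. The enclosing method starts and ends outside the hunk.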
@ -13,6 +13,7 @@ def generate_test_stix_file(file_path):
|
||||||
os.remove(file_path)
|
os.remove(file_path)
|
||||||
|
|
||||||
domains = ["example.org"]
|
domains = ["example.org"]
|
||||||
|
ip_addresses = ["198.51.100.1"]
|
||||||
processes = ["Launch"]
|
processes = ["Launch"]
|
||||||
emails = ["foobar@example.org"]
|
emails = ["foobar@example.org"]
|
||||||
filenames = ["/var/foobar/txt"]
|
filenames = ["/var/foobar/txt"]
|
||||||
|
@ -30,6 +31,15 @@ def generate_test_stix_file(file_path):
|
||||||
res.append(i)
|
res.append(i)
|
||||||
res.append(Relationship(i, "indicates", malware))
|
res.append(Relationship(i, "indicates", malware))
|
||||||
|
|
||||||
|
for a in ip_addresses:
|
||||||
|
i = Indicator(
|
||||||
|
indicator_types=["malicious-activity"],
|
||||||
|
pattern="[ipv4-addr:value='{}']".format(d),
|
||||||
|
pattern_type="stix",
|
||||||
|
)
|
||||||
|
res.append(i)
|
||||||
|
res.append(Relationship(i, "indicates", malware))
|
||||||
|
|
||||||
for p in processes:
|
for p in processes:
|
||||||
i = Indicator(
|
i = Indicator(
|
||||||
indicator_types=["malicious-activity"],
|
indicator_types=["malicious-activity"],
|
||||||
|
|
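Review bot: The new `ip_addresses` loop builds its pattern with `.format(d)`, presumably the loop variable left over from the preceding `domains` loop (outside the hunk), instead of the current `a`, so the generated indicator reads `[ipv4-addr:value='example.org']` rather than the IP address the test intends to exercise; the line should be `pattern="[ipv4-addr:value='{}']".format(a),`. Because `d` still holds the last domain this fails silently rather than raising, so any test relying on this fixture would not actually check IP matching. Adding a CIDR entry to `ip_addresses` (for example `"198.51.100.0/30"`) would also exercise the new expansion path in `Indicators`, which this fixture currently leaves uncovered. `generate_test_stix_file` starts and ends outside the hunk.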