def print_match(self, fpath, page, name, match):
# Resolve all hashes to single HASH reference to avoid repetition
if name == 'MD5' or name == 'SHA1' or name == 'SHA256':
name = 'HASH'
if name in ind_dict:
indicator = ind_dict[name]
add_ind_list.append(name)
indicator.title = fpath
#===========
# Add new object handlers here:
if name == 'IP':
new_obj = Address(address_value=match,
category=Address.CAT_IPV4)
elif name == 'HASH':
new_obj = File()
new_obj.add_hash(Hash(match))
elif name == 'URL':
new_obj = URI(type_=URI.TYPE_URL, value=match)
elif name == 'Host':
new_obj = URI(type_=URI.TYPE_DOMAIN, value=match)
elif name == 'Email':
new_obj = Address(
address_value=match, category=Address.CAT_EMAIL
) ## Not sure if this is right - should this be using the email_message_object?
elif name == 'Registry':
new_obj = WinRegistryKey(values=match)
#===========
new_obs = Observable(new_obj)
new_obs.title = "Page Ref: " + str(page)
indicator.add_observable(new_obs)
def add_raw_indicator(self , orig_indicator, ts=None):
indicator_value = orig_indicator
if not self._is_ascii(indicator_value):
return False
indicator_type, _ = guess_type(indicator_value)
# Create a CyboX File Object
if indicator_type == StixItemType.IPADDR:
title = "Malicious IPv4 - %s" % indicator_value
descr = "Malicious IPv4 involved with %s" % self._pkg.stix_header.title
cybox = Address(indicator_value , Address.CAT_IPV4)
elif indicator_type == StixItemType.DOMAIN:
title = "Malicious domain - %s" % indicator_value
descr = "Malicious domain involved with %s" % self._pkg.stix_header.title
cybox = DomainName()
cybox.value = indicator_value
elif indicator_type == StixItemType.MD5:
title = "Malicious MD5 - %s" % indicator_value
descr = "Malicious MD5 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.SHA256:
title = "Malicious SHA256 - %s" % indicator_value
descr = "Malicious SHA256 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.SHA1:
title = "Malicious SHA1 - %s" % indicator_value
descr = "Malicious SHA1 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.URL:
title = "Malicious URL - %s" % indicator_value
descr = "Malicious URL involved with %s" % self._pkg.stix_header.title
cybox = URI()
cybox.value = indicator_value
cybox.type_ = URI.TYPE_URL
if indicator_type == StixItemType.UNKNOWN:
return False
indicator = Indicator()
indicator.title = title
indicator.description = descr
indicator.add_object(cybox)
indicator.set_producer_identity(self.__author)
if ts:
indicator.set_produced_time(ts)
else:
indicator.set_produced_time(utils.dates.now())
self._add(indicator)
return True
