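def print_match(self, fpath, page, name, match):
    """Attach one parsed IoC match to the Indicator tracked for its type.

    Args:
        fpath: source file the match was found in; written to the Indicator's
            title.
        page: locator within that file; recorded on the Observable as
            ``"Page Ref: <page>"``.
        name: IoC type label from the parser ('IP', 'MD5', 'SHA1', 'SHA256',
            'URL', 'Host', 'Email', 'Registry', ...). MD5/SHA1/SHA256 are
            folded into the single 'HASH' indicator.
        match: the matched value itself.

    Only types present in the module-level ``ind_dict`` are recorded. A type
    that is in ``ind_dict`` but has no CybOX builder below is skipped instead
    of raising UnboundLocalError on an unassigned ``new_obj``, and it is not
    appended to ``add_ind_list`` in that case.
    """
    # Resolve all hashes to single HASH reference to avoid repetition
    if name in ('MD5', 'SHA1', 'SHA256'):
        name = 'HASH'
    if name not in ind_dict:
        return

    def _hashed_file(value):
        # A File object carrying a single hash; Hash() infers the algorithm.
        file_obj = File()
        file_obj.add_hash(Hash(value))
        return file_obj

    #===========
    # Add new object handlers here: parser label -> CybOX object builder
    builders = {
        'IP': lambda value: Address(address_value=value, category=Address.CAT_IPV4),
        'HASH': _hashed_file,
        'URL': lambda value: URI(type_=URI.TYPE_URL, value=value),
        'Host': lambda value: URI(type_=URI.TYPE_DOMAIN, value=value),
        # TODO: not sure if this is right - should this be using the
        # email_message_object instead of an Address?
        'Email': lambda value: Address(address_value=value, category=Address.CAT_EMAIL),
        # NOTE(review): `values` is passed the raw matched string here; confirm
        # this is what WinRegistryKey expects (it may want a list of values).
        'Registry': lambda value: WinRegistryKey(values=value),
    }
    #===========
    build = builders.get(name)
    if build is None:
        # Known indicator type with no CybOX handler yet: nothing to attach.
        return

    indicator = ind_dict[name]
    add_ind_list.append(name)
    indicator.title = fpath

    new_obs = Observable(build(match))
    new_obs.title = "Page Ref: " + str(page)
    indicator.add_observable(new_obs)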
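def add_raw_indicator(self, orig_indicator, ts=None):
    """Wrap a raw indicator string in a STIX Indicator and add it to the package.

    Args:
        orig_indicator: the raw indicator text (IPv4 address, domain, MD5/SHA1/
            SHA256 hash or URL, as classified by ``guess_type``).
        ts: optional produced-time for the Indicator; when falsy the current
            time from ``utils.dates.now()`` is used.

    Returns:
        True when an Indicator was built and added via ``self._add``; False
        when the value is not plain ASCII or its guessed type has no CybOX
        mapping here (including ``StixItemType.UNKNOWN``).
    """
    indicator_value = orig_indicator
    # Non-ASCII values are rejected up front rather than carried into the
    # generated package.
    if not self._is_ascii(indicator_value):
        return False

    indicator_type, _ = guess_type(indicator_value)

    # Human-readable label per supported type. Any other type (UNKNOWN or a
    # StixItemType this method does not map) is skipped here, so title/descr/
    # cybox below are always bound.
    labels = {
        StixItemType.IPADDR: "IPv4",
        StixItemType.DOMAIN: "domain",
        StixItemType.MD5: "MD5",
        StixItemType.SHA1: "SHA1",
        StixItemType.SHA256: "SHA256",
        StixItemType.URL: "URL",
    }
    label = labels.get(indicator_type)
    if label is None:
        return False

    # Create the CybOX object matching the indicator type.
    if indicator_type == StixItemType.IPADDR:
        cybox = Address(indicator_value, Address.CAT_IPV4)
    elif indicator_type == StixItemType.DOMAIN:
        cybox = DomainName()
        cybox.value = indicator_value
    elif indicator_type == StixItemType.URL:
        cybox = URI()
        cybox.value = indicator_value
        cybox.type_ = URI.TYPE_URL
    else:
        # MD5 / SHA1 / SHA256: add_hash infers the algorithm from the value.
        cybox = File()
        cybox.add_hash(indicator_value)

    title = "Malicious %s - %s" % (label, indicator_value)
    descr = "Malicious %s involved with %s" % (label, self._pkg.stix_header.title)

    indicator = Indicator()
    indicator.title = title
    indicator.description = descr
    indicator.add_object(cybox)
    indicator.set_producer_identity(self.__author)
    # A falsy ts (the None default) falls back to the current time, as before.
    indicator.set_produced_time(ts if ts else utils.dates.now())
    self._add(indicator)
    return True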