
bdf6ec47c8744839acd0cd47315f2be7761a07cb — terceranexus6 9 months ago 2038360
adding sha256 and identity
1 files changed, 88 insertions(+), 20 deletions(-)

M bulk_conversion/bundle_creator.py
M bulk_conversion/bundle_creator.py => bulk_conversion/bundle_creator.py +88 -20
@@ 8,14 8,17 @@ import copy

# creating identity for the bundle

#myname = input("Name of author: ")
#i_class = input("Type of identity (individual, team, etc): ")
#department = input("Department (default is Threat Hunting): ")
myname = input("Name of author: ")
i_class = input("Team (f.e. Threat Hunting): ")

#Identity(name=myname,
#         identity_class=i_class,
#         departament=department)
# this is custom and will onl be available with the latest version of stix :( : 
#dep = input("Department (default is Threat Hunting): ")

# Creating the identity object default


my_identity = Identity(name = myname, 
                        identity_class = i_class)
# reading malware from user prompt

mal_name = input("Malware name: ")


@@ 53,7 56,7 @@ for line in content:

    count = count + 1

    locals()["indicator_" + str(count)] = copy.deepcopy(tmp_indicator)
    locals()["indicator_SHA1_" + str(count)] = copy.deepcopy(tmp_indicator)





@@ 62,32 65,98 @@ print("no more lines to read")

num_lines = sum(1 for _ in open(myfile))

# This prints all the indicators for the SHA1
# This prints all the indicators for the SHA1 (commented) and creates
# a relationship for each one of them with the malware

for i in range(num_lines):
    print("The indicator is:\n")
    print(locals()["indicator_" + str(i+1)].serialize(pretty=True))
    #print("The indicator SHA1 is:\n")
    #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))

    # creating the relationship with the malware
    locals()["relationship_" + str(i+1)] = Relationship(relationship_type='indicates',
                            source_ref=locals()["indicator_" + str(i+1)].id,
    locals()["relationship_SHA1_" + str(i+1)] = Relationship(relationship_type='indicates',
                            source_ref=locals()["indicator_SHA1_" + str(i+1)].id,
                            target_ref=malware.id)
    print("The relationship is:\n")
    print(locals()["relationship_" + str(i+1)].serialize(pretty=True))
    #print("The relationship is:\n")
    #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))

print("DONE\n")

# cleaning
num_lines=0
j=0

# getting the file with SHA256 hashes
myfile2 = input("file with SHA256: ")
file2 = open(myfile2, 'r')
content2 = file2.readlines()
 
count = 0



in_name="file hash SHA256 for " + mal_name

print("Reading hashes for SHA256...")

print("SHA256: ")

# iterating the whole file, for each line it creates a temporary 
# stix object with the sha1 hash and the malware family
# and saves an indicator object with the content. No need to create a
# list because the object is already stored as a permanent identifier during the session
# although a trash-temp-indicator is also stored.

for line2 in content2:

    tmp_indicator = Indicator(name=in_name, 
                          pattern="[file:hashes.sha256 = '"+ line2.strip()+"']",
                          pattern_type="stix")
   # print("TEMPORARY, DEBUG:")
   # print(tmp_indicator.serialize(pretty=True))

    count = count + 1

    locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator)



print("no more lines to read")


num_lines = sum(1 for _ in open(myfile))

# This prints all the indicators for the SHA1 (commented) and creates
# a relationship for each one of them with the malware

for i in range(num_lines):
    #print("The indicator SHA1 is:\n")
    #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))

    # creating the relationship with the malware
    locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type='indicates',
                            source_ref=locals()["indicator_SHA256_" + str(i+1)].id,
                            target_ref=malware.id)
    #print("The relationship is:\n")
    #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))

print("DONE\n")

print("creating the bundle...")

# create lists for the objects above
my_indicators = []
my_relationships = []
my_indicators_SHA1 = []
my_relationships_SHA1 = []
my_indicators_SHA256 = []
my_relationships_SHA256 = []

for j in range(num_lines):
    my_indicators.append(locals()["indicator_" + str(j+1)])
    my_relationships.append(locals()["relationship_" + str(j+1)])
    my_indicators_SHA1.append(locals()["indicator_SHA1_" + str(j+1)])
    my_relationships_SHA1.append(locals()["relationship_SHA1_" + str(j+1)])
    my_indicators_SHA1.append(locals()["indicator_SHA256_" + str(j+1)])
    my_relationships_SHA1.append(locals()["relationship_SHA256_" + str(j+1)])

# creating a bundle of objects: indicators, relationships, malware
my_bundle = Bundle(my_indicators[:], malware, my_relationships[:])
my_bundle = Bundle(my_indicators_SHA1[:], my_relationships_SHA1[:], my_indicators_SHA256[:], my_relationships_SHA256[:], malware, my_identity)

#print("Bundle:")
print("\nDone!")


@@ 101,4 170,3 @@ print("\nWriting the contents into " + output_f + " ...")
f_o.write(my_bundle.serialize(pretty=True))

print("\nDone! enjoy")
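Review bot: In the `for j in range(num_lines)` loop that fills the bundle lists, the last two `append` calls push the SHA256 indicator and relationship onto `my_indicators_SHA1`/`my_relationships_SHA1`, so `my_indicators_SHA256` and `my_relationships_SHA256` are still empty when they are handed to `Bundle(...)`; they should read `my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)])` and `my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)])`. The SHA256 section also recomputes `num_lines` from `myfile` rather than `myfile2`, so a SHA256 file of a different length either raises `KeyError` on a missing `indicator_SHA256_N` or silently drops trailing hashes; `num_lines = sum(1 for _ in open(myfile2))` fixes the count, though the single list-building loop afterwards still assumes both files are the same length, and neither `open()` result is ever closed. Each hash line is spliced into the pattern string with only `strip()`, so a blank line or a stray quote in the input file yields an empty or malformed pattern; rejecting lines that are not 64 hex characters before building the `Indicator` would surface bad input early, and the property name `file:hashes.sha256` is worth checking against the hash-algorithm vocabulary key of the STIX version in use (`'SHA-256'`). Because this page has lost its +/- markers, the lines that still reference `indicator_`/`relationship_` and the first `Bundle(my_indicators[:], ...)` call may be the removed side; the enclosing script continues outside the shown hunks.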