
e0750ded895690db78b3b4a8fb5a333b31e0588c — terceranexus6 8 months ago 152b73c
added a bundle creator based on the basic script
1 files changed, 97 insertions(+), 0 deletions(-)

A bulk_conversion/bundle_creator.py
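--- a/bulk_conversion/bundle_creator.py
+++ b/bulk_conversion/bundle_creator.py
@@ -0,0 +1,97 @@
+from stix2 import Indicator
+from stix2 import Malware
+from stix2 import Relationship
+from stix2 import Bundle
+from stix2 import Identity
+import copy
+
+
+# creating identity for the bundle
+
+#myname = input("Name of author: ")
+#i_class = input("Type of identity (individual, team, etc): ")
+#department = input("Department (default is Threat Hunting): ")
+
+#Identity(name=myname,
+#         identity_class=i_class,
+#         departament=department)
+
+# reading malware from user prompt
+
+mal_name = input("Malware name: ")
+malware = Malware(name=mal_name,
+                  is_family=True)
+
+# getting the file with SHA1 hashes
+myfile = input("file with SHA1: ")
+file1 = open(myfile, 'r')
+content = file1.readlines()
+ 
+count = 0
+
+
+
+in_name="file hash for " + mal_name
+
+print("Reading hashes for SHA1...")
+
+print("SHA1: ")
+
+# iterating the whole file, for each line it creates a temporary 
+# stix object with the sha1 hash and the malware family
+# and saves an indicator object with the content. No need to create a
+# list because the object is already stored as a permanent identifier during the session
+# although a trash-temp-indicator is also stored.
+
+for line in content:
+
+    tmp_indicator = Indicator(name=in_name, 
+                          pattern="[file:hashes.sha1 = '"+ line.strip()+"']",
+                          pattern_type="stix")
+   # print("TEMPORARY, DEBUG:")
+   # print(tmp_indicator.serialize(pretty=True))
+
+    count = count + 1
+
+    locals()["indicator_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+print("no more lines to read")
+
+
+num_lines = sum(1 for _ in open(myfile))
+
+# This prints all the indicators for the SHA1
+for i in range(num_lines):
+    print("The indicator is:\n")
+    print(locals()["indicator_" + str(i+1)].serialize(pretty=True))
+
+    # creating the relationship with the malware
+    locals()["relationship_" + str(i+1)] = Relationship(relationship_type='indicates',
+                            source_ref=locals()["indicator_" + str(i+1)].id,
+                            target_ref=malware.id)
+    print("The relationship is:\n")
+    print(locals()["relationship_" + str(i+1)].serialize(pretty=True))
+
+print("DONE\n")
+
+print("creating the bundle...")
+
+# create lists for the objects above
+my_indicators = []
+my_relationships = []
+
+for j in range(num_lines):
+    my_indicators.append(locals()["indicator_" + str(j+1)])
+    my_relationships.append(locals()["relationship_" + str(j+1)])
+
+# creating a bundle of objects: indicators, relationships, malware
+my_bundle = Bundle(my_indicators[:], malware, my_relationships[:])
+
+#print("Bundle:")
+print("\nDone!")
+print(my_bundle.serialize(pretty=True))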
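Review bot: Every line of the user-supplied hash file is spliced into the STIX pattern at `pattern="[file:hashes.sha1 = '"+ line.strip()+"']"` without checking that it is a 40-hex-digit SHA-1, so a blank line, a comment, or a stray `'` either yields a bogus indicator (plus a matching `indicates` relationship) in the bundle you hand to consumers, or — if the stix2 pattern validator catches it — aborts the whole run instead of skipping the line. Validate first, e.g. `h = line.strip()` then `if not re.fullmatch(r"[0-9a-fA-F]{40}", h): continue` (with `import re` at the top), and use `h` in the pattern. Skipping lines, however, breaks the second pass, because `num_lines = sum(1 for _ in open(myfile))` re-reads the file to size the loop and the `locals()["indicator_" + str(i+1)]` names are then out of step (the same happens if the file changes between the two reads); collecting the indicators into a list in the first loop and iterating that list removes the re-read and the `locals()` indirection. `file1 = open(myfile, 'r')` is also never closed; a `with` block covers it.

```python
# … unchanged: Malware object, filename prompt, in_name …
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")

my_indicators = []
with open(myfile, 'r') as file1:
    for line in file1:
        h = line.strip()
        if not SHA1_RE.fullmatch(h):
            print("skipping non-SHA1 line: " + repr(h))
            continue
        my_indicators.append(Indicator(name=in_name,
                                       pattern="[file:hashes.sha1 = '" + h + "']",
                                       pattern_type="stix"))

my_relationships = [Relationship(relationship_type='indicates',
                                 source_ref=ind.id,
                                 target_ref=malware.id)
                    for ind in my_indicators]
# … unchanged: bundle creation and printing …
```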