Improves STIX2 support and testing (#523)

* Improves STIX2 support and testing * Adds documentation on STIX2 support in MVT --------- Co-authored-by: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
2026-06-06 23:13:55 +02:00 · 2024-10-16 16:47:10 +02:00
parent 821943a859
commit 052c4e207b
26 changed files with 9648 additions and 66 deletions
@@ -17,6 +17,9 @@ def generate_test_stix_file(file_path):
    emails = ["foobar@example.org"]
    filenames = ["/var/foobar/txt"]
    android_property = ["sys.foobar"]
+    sha256 = ["570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6"]
+    sha1 = ["da0611a300a9ce9aa7a09d1212f203fca5856794"]
+    urls = ["http://example.com/thisisbad"]

    res = []
    malware = Malware(name="TestMalware", is_family=False, description="")
@@ -66,6 +69,33 @@ def generate_test_stix_file(file_path):
        res.append(i)
        res.append(Relationship(i, "indicates", malware))

+    for h in sha256:
+        i = Indicator(
+            indicator_types=["malicious-activity"],
+            pattern="[file:hashes.sha256='{}']".format(h),
+            pattern_type="stix",
+        )
+        res.append(i)
+        res.append(Relationship(i, "indicates", malware))
+
+    for h in sha1:
+        i = Indicator(
+            indicator_types=["malicious-activity"],
+            pattern="[file:hashes.sha1='{}']".format(h),
+            pattern_type="stix",
+        )
+        res.append(i)
+        res.append(Relationship(i, "indicates", malware))
+
+    for u in urls:
+        i = Indicator(
+            indicator_types=["malicious-activity"],
+            pattern="[url:value='{}']".format(u),
+            pattern_type="stix",
+        )
+        res.append(i)
+        res.append(Relationship(i, "indicates", malware))
+
    bundle = Bundle(objects=res)
    with open(file_path, "w+", encoding="utf-8") as f:
        f.write(bundle.serialize(pretty=True))