From 81b647beac4ec56e4462d504b48a6aa06c09d4b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Donncha=20=C3=93=20Cearbhaill?=
Date: Thu, 17 Oct 2024 18:20:17 +0200
Subject: [PATCH] Add basic support for IP indicators in MVT (#556)

* Add prelimary ipv4-addr ioc matching support under collection domains
* Add IP addresses as a valid IOC type
This currently just supports IPv4 addresses which are treated as domains internally in MVT.
---------
Co-authored-by: renini
---
 src/mvt/common/indicators.py | 7 +++++++
 tests/artifacts/generate_stix.py | 10 ++++++++++
 tests/common/test_indicators.py | 10 +++++++---
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/mvt/common/indicators.py b/src/mvt/common/indicators.py
index dd05aab..c3c3f28 100644
--- a/src/mvt/common/indicators.py
+++ b/src/mvt/common/indicators.py
@@ -107,6 +107,13 @@ class Indicators:
 ioc_coll=collection,
 ioc_coll_list=collection["domains"],
 )
+ if key == "ipv4-addr:value":
+ # We treat IP addresses as simple domains here to ease checks.
+ self._add_indicator(
+ ioc=value.strip(),
+ ioc_coll=collection,
+ ioc_coll_list=collection["domains"],
+ )
 elif key == "process:name":
 self._add_indicator(
 ioc=value, ioc_coll=collection, ioc_coll_list=collection["processes"]
diff --git a/tests/artifacts/generate_stix.py b/tests/artifacts/generate_stix.py
index dbbfc64..174f0dd 100644
--- a/tests/artifacts/generate_stix.py
+++ b/tests/artifacts/generate_stix.py
@@ -13,6 +13,7 @@ def generate_test_stix_file(file_path):
 os.remove(file_path)
 
 domains = ["example.org"]
+ ip_addresses = ["198.51.100.1"]
 processes = ["Launch"]
 emails = ["foobar@example.org"]
 filenames = ["/var/foobar/txt"]
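Review bot: The new branch `if key == "ipv4-addr:value":` splits the existing `if`/`elif` chain: the `)` context line above closes a sibling branch, and the following `elif key == "process:name":` now chains onto the new `if` rather than onto the earlier branches, so it should read `elif key == "ipv4-addr:value":` like its neighbours. Behaviour is unchanged only as long as the branches above carry no trailing `else` and the keys stay mutually exclusive, which cannot be confirmed from the hunk. The added `ioc=value.strip()` also differs from the `ioc=value` used by the `process:name` branch just below; either the strip is warranted for every STIX value or it should be dropped here for consistency. Since these values land in `collection["domains"]`, whatever matching rule is applied to domain IOCs now applies to IPv4 strings as well, which the comment should state explicitly, e.g. `# Stored under "domains" so host-based checks such as check_url() also match IPv4 hosts.`. The enclosing method begins and ends outside the hunk.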
@@ -33,6 +34,15 @@ def generate_test_stix_file(file_path):
 res.append(i)
 res.append(Relationship(i, "indicates", malware))
 
+ for a in ip_addresses:
+ i = Indicator(
+ indicator_types=["malicious-activity"],
+ pattern="[ipv4-addr:value='{}']".format(a),
+ pattern_type="stix",
+ )
+ res.append(i)
+ res.append(Relationship(i, "indicates", malware))
+
 for p in processes:
 i = Indicator(
 indicator_types=["malicious-activity"],
diff --git a/tests/common/test_indicators.py b/tests/common/test_indicators.py
index 7f386de..9a687c0 100644
--- a/tests/common/test_indicators.py
+++ b/tests/common/test_indicators.py
@@ -15,8 +15,8 @@ class TestIndicators:
 ind = Indicators(log=logging)
 ind.load_indicators_files([indicator_file], load_default=False)
 assert len(ind.ioc_collections) == 1
- assert ind.ioc_collections[0]["count"] == 8
- assert len(ind.ioc_collections[0]["domains"]) == 1
+ assert ind.ioc_collections[0]["count"] == 9
+ assert len(ind.ioc_collections[0]["domains"]) == 2
 assert len(ind.ioc_collections[0]["emails"]) == 1
 assert len(ind.ioc_collections[0]["file_names"]) == 1
 assert len(ind.ioc_collections[0]["processes"]) == 1
@@ -74,6 +74,10 @@ class TestIndicators:
 assert ind.check_url("https://github.com") is None
 assert ind.check_url("https://example.com/") is None
 
+ # Test detecting IP address indicators from STIX.
+ assert ind.check_url("https://198.51.100.1:8080/")
+ assert ind.check_url("https://1.1.1.1/") is None
+
 def test_check_file_hash(self, indicator_file):
 ind = Indicators(log=logging)
 ind.load_indicators_files([indicator_file], load_default=False)
@@ -98,4 +102,4 @@ class TestIndicators:
 os.environ["MVT_STIX2"] = indicator_file
 ind = Indicators(log=logging)
 ind.load_indicators_files([], load_default=False)
- assert ind.total_ioc_count == 8
+ assert ind.total_ioc_count == 9
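Review bot: The added `for a in ip_addresses:` loop repeats, line for line, the indicator construction used by the loops before and after it, with only the STIX object path in the pattern changing; a small helper such as `def _indicator(path, value): return Indicator(indicator_types=["malicious-activity"], pattern=f"[{path}='{value}']", pattern_type="stix")` would reduce each of these blocks to one call. The pattern is built with `str.format` and no escaping of the value, which is fine for the fixed fixture values but would yield an invalid STIX pattern for a value containing a single quote, so a comment like `# Fixture values are plain literals; no STIX escaping is applied.` is worth adding. generate_test_stix_file begins and ends outside the hunk.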
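Review bot: The positive case `assert ind.check_url("https://198.51.100.1:8080/")` asserts only truthiness, while the neighbouring cases compare against `is None`; if `check_url` returns the matched IOC record, asserting that its value equals `"198.51.100.1"` would catch a regression where the URL matches a different indicator. The negative case `1.1.1.1` cannot distinguish exact matching from prefix or suffix matching because the indicator is stored in the `domains` list; adding `assert ind.check_url("https://198.51.100.10/") is None` and `assert ind.check_url("https://10.198.51.100.1/") is None` would pin that. A plain `https://198.51.100.1/` case is also missing, so only the port-bearing form of the IP host is exercised. The enclosing test method begins outside the hunk.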