gis-9379 fix

nazargesyk · nazargesyk · commit 16138fee0dc4 · 2025-01-20T18:51:44.000+02:00
diff --git a/uncoder-core/app/translator/core/parser_cti.py b/uncoder-core/app/translator/core/parser_cti.py
@@ -52,13 +52,20 @@ def get_iocs_from_string(
         include_source_ip: Optional[bool] = False,
     ) -> dict:
         iocs = Iocs()
-        string = self.replace_dots_hxxp(string, ioc_parsing_rules)
         if not include_ioc_types or "ip" in include_ioc_types:
             iocs.ip.extend(self._find_all_str_by_regex(string, IP_IOC_REGEXP_PATTERN))
         if not include_ioc_types or "domain" in include_ioc_types:
-            iocs.domain.extend(self._find_all_str_by_regex(string, DOMAIN_IOC_REGEXP_PATTERN))
+            for domain in self._find_all_str_by_regex(string, DOMAIN_IOC_REGEXP_PATTERN):
+                for domain_val in domain:
+                    if domain_val:
+                        iocs.domain.extend(self.replace_dots_hxxp(domain_val))
         if not include_ioc_types or "url" in include_ioc_types:
-            iocs.url.extend([url.rstrip(".") for url in self._find_all_str_by_regex(string, URL_IOC_REGEXP_PATTERN)])
+            iocs.url.extend(
+                [
+                    self.replace_dots_hxxp(url).rstrip(".")
+                    for url in self._find_all_str_by_regex(string, URL_IOC_REGEXP_PATTERN)
+                ]
+            )
         if not include_ioc_types or "hash" in include_ioc_types:
             if not include_hash_types:
                 include_hash_types = list(hash_regexes.keys())
@@ -74,7 +81,7 @@ def get_iocs_from_string(
                 raise IocsLimitExceededException(f"IOCs count {total_count} exceeds limit {limit}.")
         return iocs.return_iocs(include_source_ip)
 
-    def replace_dots_hxxp(self, string: str, ioc_parsing_rules: Optional[list[IocParsingRule]]) -> str:
+    def replace_dots_hxxp(self, string: str, ioc_parsing_rules: Optional[list[IocParsingRule]] = None) -> str:
         if ioc_parsing_rules is None or "replace_dots" in ioc_parsing_rules:
             string = self._replace_dots(string)
         if ioc_parsing_rules is None or "replace_hxxp" in ioc_parsing_rules:
diff --git a/uncoder-core/app/translator/tools/const.py b/uncoder-core/app/translator/tools/const.py
@@ -6,11 +6,11 @@
 
 IOCType = Literal["ip", "domain", "url", "hash"]
 HashType = Literal["md5", "sha1", "sha256", "sha512"]
-IocParsingRule = Literal["replace_dots", "remove_private_and_reserved_ips", "replace_hxxp"]
+IocParsingRule = Literal["remove_private_and_reserved_ips"]
 
 DefaultIOCType = list(get_args(IOCType))
 DefaultHashType = list(get_args(HashType))
-DefaultIocParsingRule = list(get_args(Literal["remove_private_and_reserved_ips"]))
+DefaultIocParsingRule = list(get_args(IocParsingRule))
 
 HASH_MAP = {"md5": "HashMd5", "sha1": "HashSha1", "sha256": "HashSha256", "sha512": "HashSha512"}
 
@@ -22,10 +22,10 @@
 }
 
 LOGSOURCE_MAP = {
-    "hash": {"category": "process_creation"},
+    "hash": {"category": "file_event"},
     "domain": {"category": "proxy"},
     "url": {"category": "proxy"},
-    "ip": {"category": "proxy"},
+    "ip": {"category": "firewall"},
     "emails": {"category": "mail"},
     "files": {"category": "file_event"},
 }
