
Commit c51dfe7

Merge pull request #30 from UncoderIO/iocs_source_ip_support
Added source_ip support for Ioc`s
2 parents c940ca4 + 190db02 commit c51dfe7

3 files changed

+31
-24
lines changed


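--- a/translator/app/translator/const.py
+++ b/translator/app/translator/const.py
@@ -5,4 +5,6 @@
 
 CTI_MIN_LIMIT_QUERY = 10000
 
+CTI_IOCS_PER_QUERY_LIMIT = 25
+
 DEFAULT_VALUE_TYPE = Union[Union[int, str, List[int], List[str]]]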

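--- a/translator/app/translator/core/parser_cti.py
+++ b/translator/app/translator/core/parser_cti.py
@@ -21,10 +21,12 @@ def get_total_count(self) -> int:
 hash_len += len(value)
 return len(self.ip) + len(self.url) + len(self.domain) + hash_len
 
-def return_iocs(self) -> dict:
+def return_iocs(self, include_source_ip: bool = False) -> dict:
 if all(not value for value in [self.ip, self.url, self.domain, self.hash_dict]):
 raise EmptyIOCSException()
 result = {"DestinationIP": self.ip, "URL": self.url, "Domain": self.domain}
+if include_source_ip:
+result["SourceIP"] = self.ip
 for key, value in self.hash_dict.items():
 result[HASH_MAP[key]] = value
 return result
@@ -33,14 +35,15 @@ def return_iocs(self) -> dict:
 class CTIParser:
 
 def get_iocs_from_string(
-self,
-string: str,
-include_ioc_types: Optional[List[IOCType]] = None,
-include_hash_types: Optional[List[HashType]] = None,
-exceptions: Optional[List[str]] = None,
-ioc_parsing_rules: Optional[List[IocParsingRule]] = None,
-limit: Optional[int] = None
-) -> Iocs:
+self,
+string: str,
+include_ioc_types: Optional[List[IOCType]] = None,
+include_hash_types: Optional[List[HashType]] = None,
+exceptions: Optional[List[str]] = None,
+ioc_parsing_rules: Optional[List[IocParsingRule]] = None,
+limit: Optional[int] = None,
+include_source_ip: bool = False
+) -> dict:
 iocs = Iocs()
 string = self.replace_dots_hxxp(string, ioc_parsing_rules)
 if not include_ioc_types or "ip" in include_ioc_types:
@@ -62,7 +65,7 @@ def get_iocs_from_string(
 total_count = iocs.get_total_count()
 if total_count > limit:
 raise IocsLimitExceededException(f"IOCs count {total_count} exceeds limit {limit}.")
-return iocs.return_iocs()
+return iocs.return_iocs(include_source_ip)
 
 def replace_dots_hxxp(self, string, ioc_parsing_rules):
 if ioc_parsing_rules is None or "replace_dots" in ioc_parsing_rules: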
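Review bot: `result["SourceIP"] = self.ip` in the first hunk stores the same list object under both `DestinationIP` and `SourceIP`, so any later in-place change to one of them (by the renderer or the chunking code, which is not visible here) silently shows up in the other; `result["SourceIP"] = list(self.ip)` keeps the two fields independent. Separately, the limit check in the third hunk (`if total_count > limit`) relies on `get_total_count`, which counts each IP once, so with `include_source_ip=True` the emitted query can carry roughly twice the number of IP indicators the limit was meant to bound — either document that deliberately or fold the duplicate into the count before the comparison. `return_iocs` has no docstring; a one-liner such as `"""Map the parsed IOCs to output field names; with include_source_ip the IP list is also emitted as 'SourceIP'."""` would record the new flag's effect. The body of `get_iocs_from_string` continues outside the second hunk.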

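--- a/translator/app/translator/cti_translator.py
+++ b/translator/app/translator/cti_translator.py
@@ -1,7 +1,7 @@
 import logging
 from typing import Dict, List
 
-from app.translator.const import CTI_MIN_LIMIT_QUERY
+from app.translator.const import CTI_MIN_LIMIT_QUERY, CTI_IOCS_PER_QUERY_LIMIT
 from app.translator.core.models.iocs import IocsChunkValue
 from app.translator.core.parser_cti import CTIParser, Iocs
 from app.translator.core.render_cti import RenderCTI
@@ -17,44 +17,46 @@ def __init__(self):
 self.logger = logging.getLogger("cti_converter")
 self.parser = CTIParser()
 
-def _get_render_mapping(self, platform: CTIPlatform, include_source_ip: bool = False) -> Dict[str, str]:
-return self.renders.get(platform.name).default_mapping
-
 @handle_translation_exceptions
-def __parse_iocs_from_string(self, text: str, include_ioc_types: list = None, include_hash_types: list = None,
-exceptions: list = None, ioc_parsing_rules: list = None) -> Iocs:
+def __parse_iocs_from_string(self, text: str,
+include_ioc_types: list = None,
+include_hash_types: list = None,
+exceptions: list = None,
+ioc_parsing_rules: list = None,
+include_source_ip: bool = False) -> dict:
 return self.parser.get_iocs_from_string(string=text,
 include_ioc_types=include_ioc_types,
 include_hash_types=include_hash_types,
 exceptions=exceptions,
 ioc_parsing_rules=ioc_parsing_rules,
-limit=CTI_MIN_LIMIT_QUERY)
+limit=CTI_MIN_LIMIT_QUERY,
+include_source_ip=include_source_ip)
 
 @handle_translation_exceptions
-def __render_translation(self, parsed_data: dict, platform_data: CTIPlatform, iocs_per_query: int,
-include_source_ip: bool = False) -> List[str]:
-mapping = self._get_render_mapping(platform=platform_data, include_source_ip=include_source_ip)
+def __render_translation(self, parsed_data: dict, platform_data: CTIPlatform, iocs_per_query: int) -> List[str]:
 platform = self.renders.get(platform_data.name)
 platform_generation = self.generate(data=parsed_data, platform=platform, iocs_per_query=iocs_per_query,
-mapping=mapping)
+mapping=platform.default_mapping)
 return platform_generation
 
 def convert(self, text: str,
 platform_data: CTIPlatform,
-iocs_per_query: int = 25,
+iocs_per_query: int = None,
 include_ioc_types: list = None,
 include_hash_types: list = None,
 exceptions: list = None,
 ioc_parsing_rules: list = None,
 include_source_ip: bool = False) -> (bool, List[str]):
+if not iocs_per_query:
+iocs_per_query = CTI_IOCS_PER_QUERY_LIMIT
 status, parsed_data = self.__parse_iocs_from_string(text=text,
 include_ioc_types=include_ioc_types,
 include_hash_types=include_hash_types,
 exceptions=exceptions,
-ioc_parsing_rules=ioc_parsing_rules)
+ioc_parsing_rules=ioc_parsing_rules,
+include_source_ip=include_source_ip)
 if status:
 return self.__render_translation(parsed_data=parsed_data,
-include_source_ip=include_source_ip,
 platform_data=platform_data,
 iocs_per_query=iocs_per_query
 )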
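Review bot: The new guard `if not iocs_per_query:` in `convert` substitutes the default for `None` and `0` but passes a negative value straight through to `self.generate`, whose handling of it is not visible here; `if iocs_per_query is None or iocs_per_query <= 0:` would make the fallback cover every non-positive input, or raise a `ValueError` if a caller-supplied nonsense value should be rejected instead of silently corrected. The annotation `iocs_per_query: int = None` now contradicts its own default; `Optional[int]` would be accurate (the file imports only `Dict, List` from `typing`, so `Optional` must be added to that import). The new `-> dict` on `__parse_iocs_from_string` is presumably the undecorated return — `convert` unpacks `status, parsed_data` from it, which suggests `handle_translation_exceptions` wraps the result in a tuple — so a short comment on the decorated method noting that the visible annotation describes the inner function would save the next reader the same detour. The body of `convert` ends outside the hunk.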
