Add stix-extract tool #48
Conversation
felddy
added
documentation
felddy
force-pushed
the
improvement/stix-extract
branch
3 times, most recently
from
205b2a0 to
65f6c34
Compare
felddy
force-pushed
the
improvement/stix-extract
branch
from
65f6c34 to
62afafc
Compare
felddy
force-pushed
the
improvement/stix-extract
branch
from
62afafc to
5320414
Compare
jsf9k
added
the
test
|
I think adding this script may warrant a bump of the patch portion of the version as well. |
Bumped in: 1654c50 |
|
Also please note for the future that we generally add a co-author for commits created in response to reviewer suggestion by appending a line like this to the commit comment: |
| #!/usr/bin/env python3 | ||
|
|
||
| """ |
There was a problem hiding this comment.
This should not be included in a file that is part of a package. The ioc_scanner.py file is an unpleasant hacky thing that does not conform to our general Python package guidelines and I see no rationale for this module to be configured similarly.
| #!/usr/bin/env python3 | |
| """ | |
| """ |
There was a problem hiding this comment.
Hi @mcdonnnj , Is the suggested change being made? I still notice in the file stix_extract.py the first line reads as #!/usr/bin/env python3.
|
|
||
| if __name__ == "__main__": | ||
| sys.exit(main()) |
There was a problem hiding this comment.
Same rationale as the shebang comment.
| if __name__ == "__main__": | |
| sys.exit(main()) |
| print(f"\n{'#' * 20}\n# IP Addresses\n{'#' * 20}\n") | ||
| for ip in ip_addresses: | ||
| print(ip) |
There was a problem hiding this comment.
If we're going to have four instances of the same logic I think we should DRY this out into a function. All four data sources are iterables and we're printing the headers with identical formatting.
| best_priority = hash_priority[h.type_.value] | ||
| if best_hash is not None: | ||
| hashes.append(best_hash) | ||
| elif object_type == "DomainNameObjectType": |
There was a problem hiding this comment.
Minor but would you adjust this elif so that the elif checks are alphabetical? I think that would improve maintainability since we're just checking a bunch of strings.
There was a problem hiding this comment.
Not sure if you'd want to make those lists alphabetical or not considering we've done this before. LGTM tho
There was a problem hiding this comment.
It would be nice if this file had typehints.
There was a problem hiding this comment.
With all of the mocking and patching there is no true end-to-end test of this module's functionality. I would almost prefer crafted STIX documents that would naturally be parsed to provide the expected results instead. Using so much intentionally crafted data runs the risk of missing breaking changes in the dependency package (especially since there is no version pin around the package). Additionally there is nothing to test providing the STIX document through stdin that I see.
There was a problem hiding this comment.
Code looks good, most of the "errors" relate to long lines.
|
@felddy Are you planning to return to this PR any time soon? |
Add stix-extract tool
🗣 Description
This PR introduces a new tool,
stix-extract, to theioc-scannerproject. This tool extracts indicators of compromise (IoCs) from STIX files and outputs them in a format that can be used by the existingioc-scantool. Additionally the tool can extract IPs, FQDNs, and URLs for use in other parts of the IoC scanning process.💭 Motivation and Context
The motivation for adding this tool is to allow for the use of STIX files as a source of IoCs. STIX files are a widely-adopted standard for threat intelligence sharing, and by adding the ability to directly process these files, we increase the utility and flexibility of the
ioc-scannerproject.🧪 Testing
Testing for this change included manual usage of the tool to verify its functionality. The tool was used with different STIX files and combined with
ioc-scanin various ways to ensure compatibility and functionality. Further automated testing can be added in the future to verify the robustness of this addition.✅ Pre-approval Checklist