// tie-threatbus-bridge
// Copyright (c) 2021, DCSO GmbH
package main
import (
"crypto/sha256"
"encoding/json"
"fmt"
"time"
)
// ThreatBus intel type codes, copied from the ThreatBus code base.
//
// The numbering starts at 1 (0 is deliberately left unused) and the order
// below is significant: each name's value is its one-based position in
// the list, so entries must never be inserted, removed or reordered
// without checking the ThreatBus side. The names keep the ThreatBus
// spelling on purpose so they can be grepped against it.
const (
	IPSRC = iota + 1
	IPDST
	IPSRC_PORT
	IPDST_PORT
	EMAILSRC
	EMAILDST
	TARGETEMAIL
	EMAILATTACHMENT
	FILENAME
	HOSTNAME
	DOMAIN
	DOMAIN_IP
	URL
	URI
	USERAGENT
	MD5
	MALWARESAMPLE
	FILENAME_MD5
	SHA1
	FILENAME_SHA1
	SHA256
	FILENAME_SHA256
	X509FINGERPRINTSHA1
	PDB
	AUTHENTIHASH
	SSDEEP
	IMPHASH
	PEHASH
	IMPFUZZY
	SHA224
	SHA384
	SHA512
	SHA512_224
	SHA512_256
	TLSH
	CDHASH
	FILENAME_AUTHENTIHASH
	FILENAME_SSDEEP
	FILENAME_IMPHASH
	FILENAME_PEHASH
	FILENAME_IMPFUZZY
	FILENAME_SHA224
	FILENAME_SHA384
	FILENAME_SHA512
	FILENAME_SHA512_224
	FILENAME_SHA512_256
	FILENAME_TLSH
)
// mapTIEtoThreatBus translates a TIE IOC data type name into the matching
// ThreatBus intel type code. It returns -1 for every data type that has
// no mapping; callers treat a negative result as "unsupported".
func mapTIEtoThreatBus(iocType string) int {
	switch iocType {
	case "IPv4", "IPv6":
		// TIE addresses carry no direction; they are reported as IPSRC.
		// The original TODO left open whether IPDST would be more appropriate.
		return IPSRC
	case "EMail":
		// Same open question as for addresses: EMAILSRC is used, EMAILDST
		// was the alternative noted in the original TODO.
		return EMAILSRC
	case "DomainName":
		return DOMAIN
	case "URLVerbatim":
		return URL
	case "FileName":
		return FILENAME
	case "PEHash":
		return PEHASH
	case "IMPHash":
		return IMPHASH
	case "SSDEEP":
		return SSDEEP
	}
	return -1
}
// IOCConverterLegacy renders TIE IOCs in the legacy ThreatBus intel JSON
// format. It holds no state, so the zero value is as usable as the
// pointer returned by MakeIOCConverterLegacy.
type IOCConverterLegacy struct{}

// MakeIOCConverterLegacy returns a ready-to-use legacy converter.
func MakeIOCConverterLegacy() *IOCConverterLegacy {
	conv := new(IOCConverterLegacy)
	return conv
}

// Topic returns the topic name associated with this converter's output
// (presumably the ThreatBus subject the intel is published to — the
// publishing side is not visible in this file).
func (c *IOCConverterLegacy) Topic() string {
	const legacyTopic = "threatbus/intel"
	return legacyTopic
}
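// FromIOC converts one TIE IOC into a JSON-encoded legacy ThreatBus intel
// message with operation ADD.
//
// The message ID is derived from SHA-256 of the IOC value alone, so the
// same value always yields the same ID regardless of its data type. TS is
// the time of conversion, not a timestamp carried by the IOC.
//
// It returns an error when ioc is nil, when the IOC's data type has no
// ThreatBus intel type (see mapTIEtoThreatBus), or when JSON encoding
// fails; in all error cases the returned slice is nil.
func (c *IOCConverterLegacy) FromIOC(ioc *IOC) ([]byte, error) {
	// Guard explicitly rather than let the field access below panic.
	if ioc == nil {
		return nil, fmt.Errorf("ioc must not be nil")
	}
	tbIOCType := mapTIEtoThreatBus(ioc.DataType)
	if tbIOCType < 0 {
		return nil, fmt.Errorf("unsupported data type: %s", ioc.DataType)
	}
	iocJSON := IOCJSON{
		TS: time.Now(),
		// Deterministic, content-derived ID: identical values map to the same ID.
		ID: fmt.Sprintf("intel_%x", sha256.Sum256([]byte(ioc.Value))),
		Data: struct {
			Indicator []string `json:"indicator"`
			IntelType int      `json:"intel_type"`
		}{
			Indicator: []string{ioc.Value},
			IntelType: tbIOCType,
		},
		Operation: "ADD",
	}
	data, err := json.Marshal(iocJSON)
	if err != nil {
		// Wrap so the caller sees which conversion failed, not just the encoder error.
		return nil, fmt.Errorf("encoding threatbus intel for data type %s: %w", ioc.DataType, err)
	}
	return data, nil
}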