import json
from StixObjects import StixGenerator
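def generate_sighting_message(data, category):
    """Build the STIX objects that describe a sighting of *category* in *data*.

    The identity, observed-data, alert and sighting objects are created in
    that order because each later object references the ``id`` of an
    earlier one; every object is also printed, as before.

    Args:
        data: Parsed IDEA message (a dict). ``Node`` and ``Ref`` are optional
            and read with ``.get``; ``ConnCount`` is required.
        category: Sighting category name derived from the IDEA category.

    Returns:
        The sighting object returned by ``StixGenerator.sighting_object``,
        so callers can use the result instead of relying on stdout.

    Raises:
        KeyError: if *data* has no ``ConnCount`` entry.
    """
    stix_gen = StixGenerator()
    print("sighting message")
    identity = stix_gen.identity_object(data.get('Node'))
    print(identity)
    observed_data = stix_gen.observed_data_object(identity['id'], data)
    print(observed_data)
    alert_object = stix_gen.alert_object(category, data.get('Ref'))
    print(alert_object)
    # The sighting ties the other three objects together by id.
    sighting_object = stix_gen.sighting_object(
        identity['id'], data['ConnCount'], observed_data['id'], alert_object['id']
    )
    print(sighting_object)
    return sighting_object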
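def generate_observable_message(data):
    """Build the STIX objects that describe *data* as a plain observable.

    Creates an identity object for the IDEA ``Node`` and an observed-data
    object referencing it (the third argument ``True`` is passed to
    ``observed_data_object`` as in the original call; its meaning is
    defined by ``StixGenerator``). Both objects are also printed.

    Args:
        data: Parsed IDEA message (a dict); ``Node`` is read with ``.get``.

    Returns:
        The observed-data object, so callers can use the result instead of
        relying on stdout.
    """
    stix_gen = StixGenerator()
    print("observable message")
    identity = stix_gen.identity_object(data.get('Node'))
    print(identity)
    observed_data = stix_gen.observed_data_object(identity['id'], data, True)
    print(observed_data)
    return observed_data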
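def main():
    """Convert the IDEA message stored in ``IdeaLog.txt`` into STIX objects.

    A message that has a ``Source`` or ``Target`` and whose first category
    names one of the known sighting types becomes a sighting message; any
    other such message becomes an observable message. A message without
    ``Source``/``Target`` is reported as lacking enough information.
    """
    # JSON is UTF-8 by specification; do not depend on the platform default.
    with open("IdeaLog.txt", encoding="utf-8") as f:
        data = json.load(f)

    if not (data.get('Source') or data.get('Target')):
        print("Cannot generate STIX message, because IDEA message does not contain enough information.")
        return

    # A missing or empty Category list yields no sighting type instead of
    # a KeyError/IndexError, and the message falls through to an observable.
    sighting_message = _sighting_type(data.get('Category') or [])
    if sighting_message:
        generate_sighting_message(data, sighting_message)
    else:
        generate_observable_message(data)


def _sighting_type(categories):
    """Return the first known sighting type found in the first IDEA category.

    Matching is a substring test against ``categories[0]``, so list order
    matters and the search stops at the first hit: "DDoS" is tried before
    "DoS", so a "DDoS" category is reported as "DDoS" rather than being
    overwritten by the later "DoS" match. Returns None when *categories* is
    empty or no type matches.
    """
    sighting_types = [
        "Virus", "Worm", "Trojan", "Spyware", "Rootkit", "Exploit", "Bot",
        "DDoS", "Vulnerability", "DoS",
    ]
    if not categories:
        return None
    first_category = categories[0]
    return next((t for t in sighting_types if t in first_category), None)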
if __name__ == "__main__":
main()