def _make_information_source(self):
# Tool情報作成
tool = ToolInformation()
tool.name = const.SNS_TOOL_NAME
tool.vendor = const.SNS_TOOL_VENDOR
tools = ToolInformationList()
tools.append(tool)
# Identity 作成
identity = Identity(name=SNSConfig.get_sns_identity_name())
# Information Source 作成
information_source = InformationSource()
information_source.tools = tools
information_source.identity = identity
return information_source
def from_obj(av_classification_obj):
if not av_classification_obj:
return None
av_classification_ = ToolInformation.from_obj(av_classification_obj, AVClassification())
av_classification_.engine_version = av_classification_obj.get_Engine_Version()
av_classification_.definition_version = av_classification_obj.get_Definition_Version()
av_classification_.classification_name = av_classification_obj.get_Classification_Name()
return av_classification_
def from_dict(av_classification_dict):
if not av_classification_dict:
return None
av_classification_ = ToolInformation.from_dict(av_classification_dict, AVClassification())
av_classification_.engine_version = av_classification_dict.get('engine_version')
av_classification_.definition_version = av_classification_dict.get('definition_version')
av_classification_.classification_name = av_classification_dict.get('classification_name')
return av_classification_
def generate_analysis(self, static_bundle):
analysis = Analysis()
analysis.type = 'triage'
analysis.method = 'static'
analysis.add_tool(ToolInformation.from_dict({'id': maec.utils.idgen.create_id(prefix="tool"),
'vendor': 'Ero Carrera',
'name': 'pefile'}))
findings_bundle_reference = []
if self.bundle_has_content(static_bundle):
findings_bundle_reference.append(BundleReference.from_dict({'bundle_idref':static_bundle.id_}))
analysis.findings_bundle_reference = findings_bundle_reference
return analysis
def generate_analysis(self, static_bundle):
analysis = Analysis()
analysis.type = 'triage'
analysis.method = 'static'
analysis.add_tool(ToolInformation.from_dict({'id': maec.utils.idgen.create_id(prefix="tool"),
'vendor': 'Ero Carrera',
'name': 'pefile'}))
findings_bundle_reference = []
if self.bundle_has_content(static_bundle):
findings_bundle_reference.append(BundleReference.from_dict({'bundle_idref':static_bundle.id_}))
analysis.findings_bundle_reference = findings_bundle_reference
return analysis
def add_information_source_items(reference_item, source_id_item, schema_version_item, incident):
insrc = InformationSource()
if reference_item:
for item in reference_item.split(';'):
insrc.add_reference(item.strip())
if source_id_item or schema_version_item:
insrc.tools = ToolInformationList()
if source_id_item:
insrc.identity = Identity()
insrc.identity.name = source_id_item
tool = ToolInformation()
tool.name = "veris2stix"
tool.vendor = "MITRE"
tool.version = __version__
insrc.tools.append(tool)
if schema_version_item:
tool = ToolInformation()
tool.name = "VERIS schema"
tool.vendor = "Verizon"
tool.version = schema_version_item
insrc.tools.append(tool)
incident.information_source = insrc
def create_discovery_method_tool(self,name=None,type=None,description=None,vendor=None,version=None,service_pack=None,hashes=None):
tool = ToolInformation()
tool.name=name
if type is not None:
for typename in type :
tool.type_.append(String(value=typename))
if description is not None:
tool.description = StructuredText()
tool.description.value=description
tool.vendor =vendor
tool.version =version
tool.service_pack =service_pack
if hashes is not None:
for hashob in hashes:
tool.tool_hashes._set_hash(hashob[0],hashob[1])
return tool
obfuscation = ms.createconfigurationdetailsobfuscation(is_encoded=True,is_encrypted=True,algorithm_details=[alg1,alg2])
malware_binary = ms.createconfigurationdetailsstoragemalwarebinary(section_offset=hex(12345),section_name='Test section name',file_offset=hex(1111111))
from cybox.objects.file_object import File
from cybox.objects.uri_object import URI
file = File()
file.file_name ='Test filename'
url = URI()
url.value ='http://testurl'
storage = ms.createconfigurationdetailsstorage(malware_binary=malware_binary,url=url,file=file)
conf_details =ms.createconfigurationdetails(configuration_parameter=[conf_par1,conf_par2],obfuscation=obfuscation,storage=storage)
ms.addconfigurationdeatails(conf_details)
####################################################################################################################
#Add development environment
from cybox.common.tools import ToolInformation
from cybox.common import String
tool2 = ToolInformation()
tool2.name='test tool name'
tool2.type_.append(String('compiler'))
debug_file =File()
debug_file.file_name="test debug file"
development_env = ms.createdevelopmentenvironment(debugging_file=debug_file,tools=tool2)
ms.adddevelopmentenvironment(development_environment=development_env)
####################################################################################################################
#Add minor variants
mv1 = CyboxObject()
mv1.objecttype.file_name='Test minor variant 1'
mv2 = CyboxObject()
mv2.objecttype.file_name='Test minor variant 2'
ms.addminorvariant(mv1.objecttype)
ms.addminorvariant(mv2.objecttype)
####################################################################################################################
def vt_report_to_maec_package(vt_report_input, options = None):
"""Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object."""
NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC")
maec.utils.set_id_namespace(NS)
package = Package()
# if only one result, make it a list of one result
if type(vt_report_input) != list:
vt_report_list = [vt_report_input]
else:
vt_report_list = vt_report_input
for idx, vt_report in enumerate(vt_report_list):
# if VirusTotal has never seen this MD5
if vt_report["response_code"] == 0:
sys.stderr.write("WARNING: Skipping file #" + str(idx+1) + " (" + vt_report["resource"] + "); this MD5 is unknown to VirusTotal\n")
sys.stderr.flush();
continue
if vt_report["response_code"] == -1:
sys.stderr.write("WARNING: VirusTotal had an unexpected error on file #" + str(idx+1) + " (" + vt_report["resource"] + "): " +
vt_report.get("verbose_message", "no message provided") + "\n")
sys.stderr.flush();
continue
malware_subject = MalwareSubject()
# create the file object and add hashes
file_dict = {}
file_dict['xsi:type'] = 'WindowsExecutableFileObjectType'
file_dict['hashes'] = [
{'type' : 'MD5', 'simple_hash_value': vt_report["md5"] },
{'type' : 'SHA1', 'simple_hash_value': vt_report["sha1"] },
{'type' : 'SHA256', 'simple_hash_value': vt_report["sha256"] }
]
# set the object as the defined object
object_dict = {}
object_dict['id'] = maec.utils.idgen.create_id(prefix="object")
object_dict['properties'] = file_dict
# bind the object to the malware subject object
malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict))
# create the analysis and add it to the subject
analysis = Analysis()
analysis.type_ = 'triage'
analysis.method = 'static'
analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T")
analysis.add_tool(ToolInformation.from_dict({'id' : maec.utils.idgen.create_id(prefix="tool"),
'vendor' : 'VirusTotal',
'name' : 'VirusTotal' }))
malware_subject.add_analysis(analysis)
bundle_obj = Bundle()
for vendor, scan in vt_report["scans"].items():
if scan["result"] is not None:
bundle_obj.add_av_classification(AVClassification.from_dict({ 'classification_name' : scan["result"], 'vendor' : vendor }))
# add bundle to subject, bundle to analysis, and subject to package
malware_subject.add_findings_bundle(bundle_obj)
analysis.set_findings_bundle(bundle_obj.id_)
package.add_malware_subject(malware_subject)
package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC"
if options:
if options.normalize_bundles:
malware_subject.normalize_bundles()
if options.deduplicate_bundles:
malware_subject.deduplicate_bundles()
if options.dereference_bundles:
malware_subject.dereference_bundles()
return package
