Beispiel #1
0
def stix_pkg(config, src, endpoint, payload, title='random test data',
             description='random test data',
             package_intents='Indicators - Watchlist',
             tlp_color='WHITE', dest=None):
    '''package observables'''
    # setup the xmlns...
    xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
    xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
    set_stix_id_namespace({xmlns_url: xmlns_name})
    set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
    # construct a stix package...
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = title
    stix_header.description = description
    stix_header.package_intents = package_intents
    marking = MarkingSpecification()
    marking.controlled_structure = '../../../../descendant-or-self::node()'
    tlp_marking = TLPMarkingStructure()
    tlp_marking.color = tlp_color
    marking.marking_structures.append(tlp_marking)
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking)
    if isinstance(payload, Observable):
        stix_package.add_observable(payload)
    elif isinstance(payload, Indicator):
        stix_package.add_indicator(payload)
    elif isinstance(payload, Incident):
        stix_package.add_incident(payload)
    return(stix_package)
def main():
    alpha_package = STIXPackage()
    alpha_package.stix_header = STIXHeader()
    alpha_package.stix_header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    alpha_package.stix_header.package_intents = "Campaign Characterization"
    alpha_package.stix_header.handling = Marking()

    alpha_marking = MarkingSpecification()
    alpha_marking.controlled_structure = "../../../../node()"
    alpha_tlp_marking = TLPMarkingStructure()
    alpha_tlp_marking.color = "AMBER"
    alpha_marking.marking_structures.append(alpha_tlp_marking)
    alpha_package.stix_header.handling.add_marking(alpha_marking)

    rat_package = STIXPackage()
    rat_package.stix_header = STIXHeader()
    rat_package.stix_header.title = "Indicators for Malware DrownedRat"
    rat_package.stix_header.package_intents = "Indicators - Malware Artifacts"
    rat_package.stix_header.handling = Marking()

    rat_marking = MarkingSpecification()
    rat_marking.controlled_structure = "../../../../node()"
    rat_tlp_marking = TLPMarkingStructure()
    rat_tlp_marking.color = "RED"
    alpha_marking.marking_structures.append(rat_tlp_marking)
    rat_package.stix_header.handling.add_marking(rat_marking)

    stix_package = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    stix_package.stix_header = STIXHeader(information_source=info_src)
    stix_package.related_packages.append(alpha_package)
    stix_package.related_packages.append(rat_package)

    print stix_package.to_xml()
Beispiel #3
0
def setTLP(target, distribution):
    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "../../../descendant-or-self::node()"
    tlp = TLPMarkingStructure()
    colour = TLP_mapping.get(distribution, None)
    if colour is None:
        return target
    tlp.color = colour
    marking_specification.marking_structures.append(tlp)
    handling = Marking()
    handling.add_marking(marking_specification)
    target.handling = handling
Beispiel #4
0
def _marking():
    """Define the TLP marking and the inheritance."""
    marking_specification = MarkingSpecification()
    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = (
        "../../../../descendant" "-or-self::node() | ../../../../descendant-or-self::node()/@*"
    )
    simple = SimpleMarkingStructure()
    simple.statement = HNDL_ST
    marking_specification.marking_structures.append(simple)
    handling = Marking()
    handling.add_marking(marking_specification)
    return handling
Beispiel #5
0
def gen_stix_indicator_sample(
    config,
    target=None,
    datatype=None,
    title="random test data",
    description="random test data",
    package_intents="Indicators - Watchlist",
    tlp_color="WHITE",
    observables_list=None,
):
    """generate sample stix data comprised of indicator_count
    indicators of type datatype"""
    # setup the xmlns...
    xmlns_url = config["edge"]["sites"][target]["stix"]["xmlns_url"]
    xmlns_name = config["edge"]["sites"][target]["stix"]["xmlns_name"]
    set_stix_id_namespace({xmlns_url: xmlns_name})
    set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
    # construct a stix package...
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = title
    stix_header.description = description
    stix_header.package_intents = package_intents
    marking = MarkingSpecification()
    marking.controlled_structure = "../../../../descendant-or-self::node()"
    tlp_marking = TLPMarkingStructure()
    tlp_marking.color = tlp_color
    marking.marking_structures.append(tlp_marking)
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking)
    indicator_ = Indicator()
    indicator_.title = str(uuid.uuid4()) + "_sample_indicator"
    indicator_.confidence = "Unknown"
    indicator_.add_indicator_type("Malware Artifacts")
    observable_composition_ = ObservableComposition()
    observable_composition_.operator = indicator_.observable_composition_operator
    for observable_id in observables_list:
        observable_ = Observable()
        observable_.idref = observable_id
        observable_composition_.add(observable_)
    indicator_.observable = Observable()
    indicator_.observable.observable_composition = observable_composition_
    stix_package.add_indicator(indicator_)
    return stix_package
Beispiel #6
0
def stix_pkg(
    config,
    src,
    endpoint,
    payload,
    title="random test data",
    description="random test data",
    package_intents="Indicators - Watchlist",
    tlp_color="WHITE",
    dest=None,
):
    """package observables"""
    # setup the xmlns...
    xmlns_url = config["edge"]["sites"][dest]["stix"]["xmlns_url"]
    xmlns_name = config["edge"]["sites"][dest]["stix"]["xmlns_name"]
    set_stix_id_namespace({xmlns_url: xmlns_name})
    set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
    # construct a stix package...
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = title
    stix_header.description = description
    stix_header.package_intents = package_intents
    marking = MarkingSpecification()
    marking.controlled_structure = "../../../../descendant-or-self::node()"
    tlp_marking = TLPMarkingStructure()
    tlp_marking.color = tlp_color
    marking.marking_structures.append(tlp_marking)
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking)
    if isinstance(payload, Observable):
        stix_package.add_observable(payload)
    elif isinstance(payload, Indicator):
        stix_package.add_indicator(payload)
    elif isinstance(payload, Incident):
        stix_package.add_incident(payload)
    return stix_package
Beispiel #7
0
    def create_cybox_object(self, jdict, whitelist, config):
        listObservables = []
        NS = cybox.utils.Namespace("cert.siemens.com", "siemens_cert")
        cybox.utils.set_id_namespace(NS)

        """ store information about malware binary that was analyzed """
        if "target" in jdict and "category" in jdict["target"] and jdict["target"]["category"] == "file":
            log.debug("handling File information ...")
            main_file_object = self.__create_cybox_main_file(jdict["target"]["file"])
            file_md5 = jdict["target"]["file"]["md5"]
        elif "target" in jdict and "category" in jdict["target"] and jdict["target"]["category"] == "url":
            log.warning("Not a file analysis report! URL reports not handled")
            return
        else:
            log.error("No target information in report ... skipping")
            return

        """ try to find email that dropped this attachment """
        if config["attachemail"] or config["referenceemail"]:
            log.info("handling email attack vector information ...")
            email_object_properties, email_observables_list, email_stix_path_tuple_list = self.__check_malware_mailing_list(
                file_md5, log, config
            )
            if email_object_properties and len(email_object_properties) > 0:
                for email_object in email_object_properties:
                    main_file_object.add_related(email_object, "Contained_Within", inline=False)
            else:
                log.warning("failed linking mail object (no objects to link)")
                email_stix_path_tuple_list = []
        else:
            email_object = None
            email_observables = []
            email_stix_path_tuple_list = []

        """ store extended information about malware file """
        if "static" in jdict:
            log.debug("handling extended File information ...")
            win_executable_extension = self.__create_cybox_win_executable(jdict["target"]["file"], jdict["static"])
            if win_executable_extension:
                main_file_object.add_related(win_executable_extension, "Characterized_By", inline=False)
            win_executable_extension = [win_executable_extension]
        else:
            log.warning("No extended File information found")
            win_executable_extension = []

        """ store domains connected to """
        if "network" in jdict and "domains" in jdict["network"]:
            log.debug("handling Domain information ...")
            domains, addresses = self.__create_cybox_domains(jdict["network"]["domains"], whitelist)
            for dom in domains:
                main_file_object.add_related(dom, "Connected_To", inline=False)
        else:
            domains = []
            addresses = []

        """ store http session information """
        if "network" in jdict and "http" in jdict["network"]:
            log.debug("handling HTTP information ...")
            http_requests = self.__create_cybox_https(jdict["network"]["http"], whitelist)
            for session in http_requests:
                main_file_object.add_related(session, "Connected_To", inline=False)
        else:
            http_requests = []

        """ store dns queries information about the malware """
        if "network" in jdict and "dns" in jdict["network"]:
            log.debug("handling DNS information ...")
            queries = self.__create_cybox_dns_queries(jdict["network"]["dns"], whitelist)
            for query in queries:
                main_file_object.add_related(query, "Connected_To", inline=False)
        else:
            queries = []

        """ store information about dropped files """
        if "dropped" in jdict:
            log.debug("handling dropped files ...")
            dropped = self.__create_cybox_dropped_files(jdict["dropped"], jdict["target"]["file"]["sha256"])
            for drop in dropped:
                main_file_object.add_related(drop, "Dropped", inline=False)
        else:
            dropped = []

        """ store virustotal information """
        if "virustotal" in jdict and "positives" in jdict["virustotal"]:
            log.debug("handling virustotal information ...")
            vtInformationTools = self.__create_stix_virustotal(jdict["virustotal"], log, config)
            vtFound = True
        else:
            vtInformationTools = []
            vtFound = False

        """ create observables """
        if config["attachemail"] and len(email_observables) > 0:
            obs = Observables(
                [main_file_object]
                + email_observables
                + win_executable_extension
                + domains
                + addresses
                + http_requests
                + dropped
                + queries
            )
        else:
            obs = Observables(
                [main_file_object] + win_executable_extension + domains + addresses + http_requests + dropped + queries
            )
        """ generate stix id with siemens namespace """
        if config:
            stix_id_generator = stix.utils.IDGenerator(namespace={config["xmlns"]: config["namespace"]})
        else:
            stix_id_generator = stix.utils.IDGenerator(namespace={"cert.siemens.com": "siemens_cert"})
        """ create stix package """
        stix_id = stix_id_generator.create_id()
        stix_package = STIXPackage(observables=obs, id_=stix_id)
        stix_header = STIXHeader()
        stix_header.title = "Analysis report: %s" % (
            str(main_file_object.file_name).decode("utf8", errors="xmlcharrefreplace")
        )
        if "info" in jdict and "started" in jdict["info"]:
            sandbox_report_date = dateparser.parse(jdict["info"]["started"] + " CET").isoformat()
        else:
            sandbox_report_date = datetime.datetime.now(pytz.timezone("Europe/Berlin")).isoformat()
        stix_header.description = 'Summarized analysis results for file "%s" with MD5 hash "%s" created on %s.' % (
            str(main_file_object.file_name).decode("utf8", errors="xmlcharrefreplace"),
            main_file_object.hashes.md5,
            sandbox_report_date,
        )
        stix_header.add_package_intent("Malware Characterization")
        """ create markings """
        spec = MarkingSpecification()
        spec.idref = stix_id
        spec.controlled_structure = "//node()"
        tlpmark = TLPMarkingStructure()
        if config:
            if not vtFound:
                tlpmark.color = config["color"]
            else:
                tlpmark.color = "GREEN"
        elif vtFound:
            tlpmark.color = "GREEN"
        else:
            tlpmark.color = "AMBER"
        spec.marking_structure = [tlpmark]
        """ attach to header """
        stix_header.handling = Marking([spec])
        stix_information_source = InformationSource()
        stix_information_source.time = Time(produced_time=sandbox_report_date)
        stix_information_source.tools = ToolInformationList(
            [
                ToolInformation(
                    tool_name="SIEMENS-ANALYSIS-TOOL-ID-12", tool_vendor="ANALYSIS-ID: %s" % (jdict["info"]["id"])
                )
            ]
            + vtInformationTools
        )
        stix_header.information_source = stix_information_source
        stix_package.stix_header = stix_header
        """ write result xml file """
        xml_file_name = "stix-%s-malware-report.xml" % (file_md5)
        xml_report_file_path = os.path.join(self.reports_path, xml_file_name)
        fp = open(xml_report_file_path, "w")
        if config:
            fp.write(stix_package.to_xml(ns_dict={config["xmlns"]: config["namespace"]}))
        else:
            fp.write(stix_package.to_xml(ns_dict={"cert.siemens.com": "siemens_cert"}))
        fp.close()
        if config["copytoshare"]:
            self.__copy_xml_to_ti_share(xml_report_file_path, xml_file_name, config)
            for item in email_stix_path_tuple_list:
                self.__copy_xml_to_ti_share(item[0], item[1], config, "email")
        else:
            log.warning("copy to TI share is disabled: %s" % (config["copytoshare"]))
        return
Beispiel #8
0
def csv2stix(outFormat, inFile):

    # =============
    # Build package metadata
    # =============

    stix_package = STIXPackage()
    stix_package.stix_header = STIXHeader()
    stix_package.stix_header.title = "TG3390"
    stix_package.stix_header.description = "Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390) - http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"

    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "../../../../descendant-or-self::node()"

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    stix_package.stix_header.handling = handling

    # =============
    # Build package structure
    # =============

    ta_tg3390 = ThreatActor(title="TG3390")
    ta_tg3390.identity = Identity(name="TG3390")

    attack_pattern = AttackPattern()
    attack_pattern.description = "Infrastructure Building"
    ttp_infrastructure = TTP(title="Infrastructure Building")
    ttp_infrastructure.behavior = Behavior()
    ttp_infrastructure.behavior.add_attack_pattern(attack_pattern)
    ttp_infrastructure.add_intended_effect("Unauthorized Access")
    infra_domainInd = Indicator(title="Domains associated with TG3390 Infrastructure")
    infra_domainInd.add_indicator_type("Domain Watchlist")
    infra_domainInd.confidence = "High"
    infra_domainInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))

    infra_IPInd = Indicator(title="[H] IP Addresses associated with TG3390 Infrastructure")
    infra_IPInd.add_indicator_type("IP Watchlist")
    infra_IPInd.confidence = "High"
    infra_IPInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))

    infra_IPInd_M = Indicator(title="[M] IP Addresses associated with TG3390 Infrastructure")
    infra_IPInd_M.add_indicator_type("IP Watchlist")
    infra_IPInd_M.confidence = "Medium"
    infra_IPInd_M.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))

    httpBrowserObj = MalwareInstance()
    httpBrowserObj.add_name("HTTP Browser")
    ttp_httpB = TTP(title="HTTP Browser")
    ttp_httpB.behavior = Behavior()
    ttp_httpB.behavior.add_malware_instance(httpBrowserObj)
    ttp_httpB.add_intended_effect("Theft - Intellectual Property")
    httpB_hashInd = Indicator(title="File hashes for HTTP Browser")
    httpB_hashInd.add_indicator_type("File Hash Watchlist")
    httpB_hashInd.confidence = "High"
    httpB_hashInd.add_indicated_ttp(TTP(idref=ttp_httpB.id_))

    httpBrowserDropperObj = MalwareInstance()
    httpBrowserDropperObj.add_name("HTTP Browser Dropper")
    ttp_httpBDpr = TTP(title="HTTP Browser Dropper")
    ttp_httpBDpr.behavior = Behavior()
    ttp_httpBDpr.behavior.add_malware_instance(httpBrowserDropperObj)
    ttp_httpBDpr.add_intended_effect("Theft - Intellectual Property")
    httpBDpr_hashInd = Indicator(title="File hashes for HTTP Browser Dropper")
    httpBDpr_hashInd.add_indicator_type("File Hash Watchlist")
    httpBDpr_hashInd.confidence = "High"
    httpBDpr_hashInd.add_indicated_ttp(TTP(idref=ttp_httpBDpr.id_))

    plugXObj = MalwareInstance()
    plugXObj.add_name("PlugX Dropper")
    ttp_plugX = TTP(title="PlugX Dropper")
    ttp_plugX.behavior = Behavior()
    ttp_plugX.behavior.add_malware_instance(plugXObj)
    ttp_plugX.add_intended_effect("Theft - Intellectual Property")
    plugX_hashInd = Indicator(title="File hashes for PlugX Dropper")
    plugX_hashInd.add_indicator_type("File Hash Watchlist")
    plugX_hashInd.confidence = "High"
    plugX_hashInd.add_indicated_ttp(TTP(idref=ttp_plugX.id_))

    # =============
    # Process content in to structure
    # =============
    ip_rules = []
    ip_rules_M = []
    domain_rules = []
    with open(inFile, "rb") as f:
        reader = csv.reader(f)
        for row in reader:
            obs = row[0]
            obsType = row[1]
            description = row[2]
            confidence = row[3]
            # print obs,obsType,description,confidence
            if description == "TG-3390 infrastructure":
                if obsType == "Domain name":
                    domain_obj = DomainName()
                    domain_obj.value = obs
                    # domain_obj.title = description
                    infra_domainInd.add_object(domain_obj)
                    domain_rule = generate_snort(
                        [obs], "DomainName", str(infra_domainInd.id_).split(":", 1)[1].split("-", 1)[1]
                    )
                    domain_rules.append(domain_rule)
                elif obsType == "IP address":
                    ipv4_obj = Address()
                    ipv4_obj.category = "ipv4-addr"
                    ipv4_obj.address_value = obs
                    ipv4_obj.title = description
                    ind_ref = str(infra_IPInd.id_).split(":", 1)[1].split("-", 1)[1]
                    if confidence == "High":
                        infra_IPInd.add_object(ipv4_obj)
                        ip_rules.append(obs)
                    else:
                        infra_IPInd_M.add_object(ipv4_obj)
                        ip_rules_M.append(obs)
                else:
                    print "TTP Infra: obsType is wrong"
            elif description == "HttpBrowser RAT dropper":
                file_obj = File()
                file_obj.add_hash(Hash(obs))
                file_obj.title = description
                httpBDpr_hashInd.add_observable(file_obj)
            elif description == "HttpBrowser RAT":
                file_obj = File()
                file_obj.add_hash(Hash(obs))
                file_obj.title = description
                httpB_hashInd.add_observable(file_obj)
            elif description == "PlugX RAT dropper":
                file_obj = File()
                file_obj.add_hash(Hash(obs))
                file_obj.title = description
                plugX_hashInd.add_observable(file_obj)
            else:
                print "TTP not found"
                # print ip_rules
    ip_rule = generate_snort(ip_rules, "Address", str(infra_IPInd.id_).split(":", 1)[1].split("-", 1)[1])
    ip_rule_M = generate_snort(ip_rules_M, "Address", str(infra_IPInd_M.id_).split(":", 1)[1].split("-", 1)[1])

    ip_tm = SnortTestMechanism()
    ip_tm.rules = [ip_rule]
    ip_tm.efficacy = "High"
    ip_tm.producer = InformationSource(identity=Identity(name="Auto"))
    infra_IPInd.test_mechanisms = [ip_tm]

    ip_M_tm = SnortTestMechanism()
    ip_M_tm.rules = [ip_rule_M]
    ip_M_tm.efficacy = "Medium"
    ip_M_tm.producer = InformationSource(identity=Identity(name="Auto"))
    infra_IPInd_M.test_mechanisms = [ip_M_tm]

    domain_tm = SnortTestMechanism()
    domain_tm.rules = domain_rules
    domain_tm.efficacy = "High"
    domain_tm.producer = InformationSource(identity=Identity(name="Auto"))
    infra_domainInd.test_mechanisms = [domain_tm]

    # =============
    # Add the composed content to the structure
    # =============

    stix_package.add_indicator(infra_domainInd)
    stix_package.add_indicator(infra_IPInd)
    stix_package.add_indicator(infra_IPInd_M)
    stix_package.add_indicator(httpBDpr_hashInd)
    stix_package.add_indicator(httpB_hashInd)
    stix_package.add_indicator(plugX_hashInd)

    stix_package.add_ttp(ttp_infrastructure)
    stix_package.add_ttp(ttp_httpB)
    stix_package.add_ttp(ttp_httpBDpr)
    stix_package.add_ttp(ttp_plugX)

    """
	if outFormat =='dict':
		print stix_package.to_dict()
	if outFormat =='json':
		parsed = stix_package.to_json()
		jsonpkg = json.loads(parsed)
		pprint.pprint(jsonpkg)
	if outFormat =='stix':
		print stix_package.to_xml()
	"""
    # if verbose:
    # print stix_package.to_xml()
    # pprint(stix_package.to_json())
    return stix_package
Beispiel #9
0
def index2stix(local_index, orig_stix):
    # =============
    # Build package metadata
    # =============

    new_stix = STIXPackage()
    new_stix.stix_header = STIXHeader()
    new_stix.stix_header.title = "TG3390 - Enrichment"
    new_stix.stix_header.description = "Enrichment stix file to the Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390) - http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"

    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "../../../../descendant-or-self::node()"

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    new_stix.stix_header.handling = handling

    enrich_IPs = Indicator(title="Suspected TG3390 IP Addresses obtained through automated enrichment")
    enrich_IPs.add_indicator_type("IP Watchlist")
    enrich_IPs.confidence = "Low"

    related_IPs = Indicator(title="Related indicator wrapper for source of enrichment")
    related_IPs.add_indicator_type("IP Watchlist")
    related_IPs.confidence = "Medium"

    enrich_Domains = Indicator(title="Suspected TG3390 Domains obtained through automated enrichment")
    enrich_Domains.add_indicator_type("Domain Watchlist")
    enrich_Domains.confidence = "Low"

    related_Domains = Indicator(title="Related indicator wrapper for source of enrichment")
    related_Domains.add_indicator_type("Domain Watchlist")
    related_Domains.confidence = "Medium"

    # START with the ones that already have ids:
    # if verbose:
    # print_chain(local_index)
    new_ref_created = True
    while new_ref_created:
        new_ref_created = False
        for ind_type in local_index:
            for obs in local_index[ind_type]:
                id_tobe_referenced = local_index[ind_type][obs][0]
                # print id_tobe_referenced[:10]
                if id_tobe_referenced[:10] != "{{no_ref}}":
                    ref_obs = Observable()
                    ref_obs.id_ = id_tobe_referenced.replace("{{no_ref}}", "")
                    ref_obs.description = "Source of enrichment for: "
                    create_ref_obs = False
                    for entry in local_index[ind_type][obs]:
                        if type(entry) is list:
                            if len(entry) > 0:
                                for item in entry:
                                    ref, child_ind_type = get_ref_from_obs(item, local_index)
                                    # print item

                                    if ref == "{{no_ref}}" or ref == "":
                                        create_ref_obs = True
                                        new_ref_created = True
                                        # print 'Create new, complete, observable for ' + item
                                        # print child_ind_type
                                        # Create the new observable for item and add as object to appropriate Indicator
                                        if child_ind_type == "DomainName":
                                            append_ind = enrich_Domains
                                            related_ind = related_Domains
                                            new_obj = DomainName()
                                            new_obj.value = item
                                            # enrich_Domains.add_object(domain_obj)
                                        elif child_ind_type == "Address":
                                            append_ind = enrich_IPs
                                            related_ind = related_IPs
                                            new_obj = Address()
                                            new_obj.category = "ipv4-addr"
                                            new_obj.address_value = item
                                            # enrich_IPs.add_object(ipv4_obj)
                                        else:
                                            print "Unsupported indicator type: " + child_ind_type
                                        new_obs = Observable(new_obj)
                                        new_obs_ref = new_obs.id_
                                        append_ind.add_observable(new_obs)
                                        ref = new_obs_ref
                                        # local_index[item][0] = ref
                                        set_obs_ref(item, new_obs_ref, local_index)
                                        # print 'Adding ref to: ' + ref_obs.id_ + ' of ' + ref
                                    ref_obs.description = (
                                        str(ref_obs.description) + ref.replace("{{no_ref}}", "") + ", "
                                    )
                    if create_ref_obs:
                        # Add the new ref obs to Related Indicators
                        related_ind.add_observable(ref_obs)
                        # print related_ind.to_xml()
                        create_ref_obs = False

    related_ind1 = RelatedIndicator(related_IPs, relationship="Source of enrichment for IPs")
    related_ind2 = RelatedIndicator(related_Domains, relationship="Source of enrichment for Domains")
    enrich_IPs.related_indicators.append(related_ind1)
    enrich_Domains.related_indicators.append(related_ind2)

    new_stix.add_indicator(enrich_IPs)
    new_stix.add_indicator(enrich_Domains)

    # new_stix_json = json.loads(new_stix.to_json())
    # new_stix_xml = new_stix.to_xml()
    # if verbose:
    # print new_stix.to_xml()

    return new_stix
Beispiel #10
0
def gen_stix_observable_sample(
    config,
    target=None,
    datatype=None,
    title="random test data",
    description="random test data",
    package_intents="Indicators - Watchlist",
    tlp_color="WHITE",
):
    """generate sample stix data comprised of indicator_count
    indicators of type datatype"""
    # setup the xmlns...
    xmlns_url = config["edge"]["sites"][target]["stix"]["xmlns_url"]
    xmlns_name = config["edge"]["sites"][target]["stix"]["xmlns_name"]
    set_stix_id_namespace({xmlns_url: xmlns_name})
    set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
    # construct a stix package...
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = title
    stix_header.description = description
    stix_header.package_intents = package_intents
    marking = MarkingSpecification()
    marking.controlled_structure = "../../../../descendant-or-self::node()"
    tlp_marking = TLPMarkingStructure()
    tlp_marking.color = tlp_color
    marking.marking_structures.append(tlp_marking)
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking)
    # ...and stuff it full of random sample data :-)
    if datatype == "ip":
        addr = Address(address_value=datagen_.generate_random_ip_address(), category="ipv4-addr")
        addr.condition = "Equals"
        stix_package.add_observable(Observable(addr))
    elif datatype == "domain":
        domain = DomainName()
        domain.type_ = "FQDN"
        domain.value = datagen_.generate_random_domain(config)
        domain.condition = "Equals"
        stix_package.add_observable(Observable(domain))
    elif datatype == "filehash":
        file_object = File()
        file_object.file_name = str(uuid.uuid4()) + ".exe"
        hashes = datagen_.generate_random_hashes()
        for hash in hashes.keys():
            file_object.add_hash(Hash(hashes[hash], type_=hash.upper()))
            for i in file_object.hashes:
                i.simple_hash_value.condition = "Equals"
        stix_package.add_observable(Observable(file_object))
    elif datatype == "email":
        try:
            msg = datagen_.get_random_spam_msg(config)
            email = EmailMessage()
            email.header = EmailHeader()
            header_map = {
                "Subject": "subject",
                "To": "to",
                "Cc": "cc",
                "Bcc": "bcc",
                "From": "from_",
                "Sender": "sender",
                "Date": "date",
                "Message-ID": "message_id",
                "Reply-To": "reply_to",
                "In-Reply-To": "in_reply_to",
                "Content-Type": "content_type",
                "Errors-To": "errors_to",
                "Precedence": "precedence",
                "Boundary": "boundary",
                "MIME-Version": "mime_version",
                "X-Mailer": "x_mailer",
                "User-Agent": "user_agent",
                "X-Originating-IP": "x_originating_ip",
                "X-Priority": "x_priority",
            }
            # TODO handle received_lines
            for key in header_map.keys():
                val = msg.get(key, None)
                if val:
                    email.header.__setattr__(header_map[key], val)
                    email.header.__getattribute__(header_map[key]).condition = "Equals"
            # TODO handle email bodies (it's mostly all there except for
            #      handling weird text encoding problems that were making
            #      libcybox stacktrace)
            # body = get_email_payload(random_spam_msg)
            # if body:
            #     email.raw_body = body
            stix_package.add_observable(Observable(email))
        except:
            return None
    observable_id = stix_package.observables.observables[0].id_
    return (observable_id, stix_package)