Beispiel #1
0
def genObject_MarkingSpecification(data=None):

    from stix.extensions.marking.terms_of_use_marking import TermsOfUseMarkingStructure
    objTOU = TermsOfUseMarkingStructure()
    try:
        objTOU.terms_of_use = open('tou.txt').read()
    except:
        objTOU.terms_of_use = None

    from stix.extensions.marking.simple_marking import SimpleMarkingStructure
    objSimpleMarkingStructure = SimpleMarkingStructure()
    objSimpleMarkingStructure.statement = data['source'][
        "stix.extensions.marking.simple_marking.SimpleMarkingStructure.statement"]

    from stix.extensions.marking.tlp import TLPMarkingStructure
    objTLP = TLPMarkingStructure()
    objTLP.color = data['source'][
        'stix.extensions.marking.tlp.TLPMarkingStructure.color']

    from stix.data_marking import MarkingSpecification
    objMarkingSpecification = MarkingSpecification()
    objMarkingSpecification.idref = None
    objMarkingSpecification.version = None
    objMarkingSpecification.marking_structures = []

    objMarkingSpecification.marking_structures.append(
        objSimpleMarkingStructure)
    objMarkingSpecification.marking_structures.append(objTLP)
    objMarkingSpecification.marking_structures.append(objTOU)

    ### Externally Modified
    # objMarkingSpecification.controlled_structure = None

    return (objMarkingSpecification)
Beispiel #2
0
    def create_cybox_object(self, jdict, whitelist, config):
        listObservables = []
        NS = cybox.utils.Namespace("cert.siemens.com", "siemens_cert")
        cybox.utils.set_id_namespace(NS)

        """ store information about malware binary that was analyzed """
        if 'target' in jdict and 'category' in jdict['target'] and jdict['target']['category'] == 'file':
            log.debug("handling File information ...")
            main_file_object = self.__create_cybox_main_file(jdict['target']['file'])
            file_md5 = jdict['target']['file']['md5']
        elif 'target' in jdict and 'category' in jdict['target'] and jdict['target']['category'] == 'url':
            log.warning("Not a file analysis report! URL reports not handled")
            return
        else:
            log.error("No target information in report ... skipping")
            return

        """ try to find email that dropped this attachment """
        if config["attachemail"] or config["referenceemail"]:
            log.info("handling email attack vector information ...")
            email_object_properties, email_observables_list, email_stix_path_tuple_list = self.__check_malware_mailing_list(file_md5, log, config)
            if email_object_properties and len(email_object_properties)>0:
                for email_object in email_object_properties:
                    main_file_object.add_related(email_object, "Contained_Within", inline=False)
            else:
                log.warning("failed linking mail object (no objects to link)")
                email_stix_path_tuple_list = []
        else:
            email_object = None
            email_observables = []
            email_stix_path_tuple_list = []

        """ store extended information about malware file """
        if 'static' in jdict:
            log.debug("handling extended File information ...")
            win_executable_extension = self.__create_cybox_win_executable(jdict['target']['file'], jdict['static'])
            if win_executable_extension:
                main_file_object.add_related(win_executable_extension, "Characterized_By", inline=False)
            win_executable_extension = [win_executable_extension]
        else:
            log.warning("No extended File information found")
            win_executable_extension = []

        """ store domains connected to """
        if 'network' in jdict and 'domains' in jdict['network']:
            log.debug("handling Domain information ...")
            domains, addresses = self.__create_cybox_domains(jdict['network']['domains'], whitelist)
            for dom in domains:
                main_file_object.add_related(dom, 'Connected_To', inline=False)
        else:
            domains = []
            addresses = []

        """ store http session information """
        if 'network' in jdict and 'http' in jdict['network']:
            log.debug("handling HTTP information ...")
            http_requests = self.__create_cybox_https(jdict['network']['http'], whitelist)
            for session in http_requests:
                main_file_object.add_related(session, 'Connected_To', inline=False)
        else:
            http_requests = []

        """ store dns queries information about the malware """
        if 'network' in jdict and 'dns' in jdict['network']:
            log.debug("handling DNS information ...")
            queries = self.__create_cybox_dns_queries(jdict['network']['dns'], whitelist)
            for query in queries:
                main_file_object.add_related(query, 'Connected_To', inline=False)
        else:
            queries = []

        """ store information about dropped files """
        if 'dropped' in jdict:
            log.debug('handling dropped files ...')
            dropped = self.__create_cybox_dropped_files(jdict['dropped'], jdict['target']['file']['sha256'])
            for drop in dropped:
                main_file_object.add_related(drop, 'Dropped', inline=False)
        else:
            dropped = []

        """ store virustotal information """
        if 'virustotal' in jdict and 'positives' in jdict['virustotal']:
            log.debug('handling virustotal information ...')
            vtInformationTools = self.__create_stix_virustotal(jdict['virustotal'], log, config)
            vtFound = True
        else:
            vtInformationTools = []
            vtFound = False

        """ create observables """
        if config["attachemail"] and len(email_observables)>0:
            obs = Observables([main_file_object]+email_observables+win_executable_extension+domains+addresses+http_requests+dropped+queries)
        else:
            obs = Observables([main_file_object]+win_executable_extension+domains+addresses+http_requests+dropped+queries)
        """ generate stix id with siemens namespace """
        if config:
            stix_id_generator = stix.utils.IDGenerator(namespace={config["xmlns"]: config["namespace"]})
        else:
            stix_id_generator = stix.utils.IDGenerator(namespace={"cert.siemens.com": "siemens_cert"})
        """ create stix package """
        stix_id = stix_id_generator.create_id()
        stix_package = STIXPackage(observables=obs, id_=stix_id)
        stix_header = STIXHeader()
        stix_header.title = "Analysis report: %s" % (str(main_file_object.file_name).decode('utf8', errors='xmlcharrefreplace'))
        if 'info' in jdict and 'started' in jdict['info']:
            sandbox_report_date = dateparser.parse(jdict['info']['started']+' CET').isoformat()
        else:
            sandbox_report_date = datetime.datetime.now(pytz.timezone('Europe/Berlin')).isoformat()
        stix_header.description = 'Summarized analysis results for file "%s" with MD5 hash "%s" created on %s.' % (str(main_file_object.file_name).decode('utf8', errors='xmlcharrefreplace'), main_file_object.hashes.md5, sandbox_report_date)
        stix_header.add_package_intent("Malware Characterization")
        """ create markings """
        spec = MarkingSpecification()
        spec.idref = stix_id
        spec.controlled_structure = "//node()"
        tlpmark = TLPMarkingStructure()
        if config:
            if not vtFound:
                tlpmark.color = config["color"]
            else:
                tlpmark.color = "GREEN"
        elif vtFound:
            tlpmark.color = "GREEN"
        else:
            tlpmark.color = "AMBER"
        spec.marking_structure = [tlpmark]
        """ attach to header """
        stix_header.handling = Marking([spec])
        stix_information_source = InformationSource()
        stix_information_source.time = Time(produced_time=sandbox_report_date)
        stix_information_source.tools = ToolInformationList([ToolInformation(tool_name="SIEMENS-ANALYSIS-TOOL-ID-12", tool_vendor="ANALYSIS-ID: %s" % (jdict['info']['id']))]+vtInformationTools)
        stix_header.information_source = stix_information_source
        stix_package.stix_header = stix_header
        """ write result xml file """
        xml_file_name = "stix-%s-malware-report.xml" % (file_md5)
        xml_report_file_path = os.path.join(self.reports_path, xml_file_name)
        fp = open(xml_report_file_path, 'w')
        if config:
            fp.write(stix_package.to_xml(ns_dict={config["xmlns"]: config["namespace"]}))
        else:
            fp.write(stix_package.to_xml(ns_dict={'cert.siemens.com': 'siemens_cert'}))
        fp.close()
        if config["copytoshare"]:
            self.__copy_xml_to_ti_share(xml_report_file_path, xml_file_name, config)
            for item in email_stix_path_tuple_list:
                self.__copy_xml_to_ti_share(item[0], item[1], config, "email")
        else:
            log.warning("copy to TI share is disabled: %s" % (config["copytoshare"]))
        return