def validatefile(self, filename):
"""
Validate a STIX 2 file ensuring its authenticity
:param filename:
"""
results = validate_file(filename)
print_results(results)
args = parser.parse_args()
if args.input:
filenames = (f'test_json_{args.input}.json',
f'test_stix2_{args.input}.json.stix2')
query_import(f'test_stix2_{args.input}.json', args.externalise)
else:
if not args.output:
sys.exit('Please provide an output name for the test files.')
output = args.output
filenames = []
for return_type in ('json', 'stix2'):
args.output = f"test_{return_type}_{output}.json"
args.returnFormat = return_type
query_misp(args)
filenames.append(args.output)
to_delete = [filename for filename in filenames]
stix_analyse = validate_file(filenames[1])
print_results(stix_analyse)
query_import(filenames[1], args.externalise)
filenames[1] = f'{filenames[1]}.stix2'
to_delete.append(filenames[1])
comparer = Comparer(*filenames)
comparer.compare_attributes()
comparer.compare_objects()
comparer.compare_tags()
comparer.compare_galaxies()
comparer.compare_references()
if args.delete and not args.input:
for filename in to_delete:
os.remove(filename)
def check_stix_file(path):
#check the integrity of a stix file
results = validate_file(path)
print_results(results)
def validate_stix(self, pathlist):
for path in pathlist:
results = validate_file(str(path), self.validation_options)
with self.subTest(str(path)):
print_results([results])
self.assertTrue(results.is_valid)
def main():
gs_cam = Campaign(
name='GRIZZLY STEPPE',
created_by_ref=default_creator.id,
object_marking_refs=[default_tlp.id],
first_seen=datetime.datetime(2015, 6, 1, 0, 0, 0).isoformat('T') + 'Z',
description=
'Cyber-enabled operations alleged by US Government to originate from Russian activity against US Political targets'
)
# Attribution Objects and linkages (pivoting off Campaign)
ris_ta = ThreatActor(
name='RIS',
description='Russian civilian and military intelligence Services (RIS)',
created_by_ref=default_creator.id,
object_marking_refs=[default_tlp.id],
labels=['nation-state'])
apt28_is = IntrusionSet(name='APT28',
created_by_ref=default_creator.id,
object_marking_refs=[default_tlp.id])
apt29_is = IntrusionSet(name='APT29',
created_by_ref=default_creator.id,
object_marking_refs=[default_tlp.id])
apt28_ris_rel = Relationship(relationship_type='attributed-to',
source_ref=apt28_is.id,
target_ref=ris_ta.id)
apt29_ris_rel = Relationship(relationship_type='attributed-to',
source_ref=apt29_is.id,
target_ref=ris_ta.id)
gs_apt28_rel = Relationship(relationship_type='attributed-to',
source_ref=gs_cam.id,
target_ref=apt28_is.id)
gs_apt29_rel = Relationship(relationship_type='attributed-to',
source_ref=gs_cam.id,
target_ref=apt29_is.id)
attribution = [
gs_cam, ris_ta, apt28_is, apt29_is, apt28_ris_rel, apt29_ris_rel,
gs_apt28_rel, gs_apt29_rel
]
data = []
with open('test.csv', 'rb') as csvfile:
reader = csv.reader(csvfile)
for row in reader:
if row[0] is not '' and row[1] is not '':
data.append([row[0], row[1]])
list_length = len(data)
uri_inds = [[] for j in range(list_length)]
ip_inds = [[] for j in range(list_length)]
mal_inds = [[] for j in range(list_length)]
for i in range(list_length):
is_file = False
pattern_type = None
pattern_value = data[i][0]
desc = 'Suspected GRIZZLY STEPPE comms'
if data[i][1] == 'IPV4ADDR':
pattern_type = "ipv4-addr:value"
elif data[i][1] == 'FQDN':
pattern_type = "domain-name:value"
elif data[i][1] == 'URL':
pattern_type = "url:value"
elif data[i][1] == 'MD5':
is_file = True
pattern_type = "file:hashes.MD5"
if ENRICH:
vt_results = get_behavior_VT(pattern_value)
if vt_results:
for netloc in vt_results['netlocs']:
uri_ind = Indicator(
name='GRIZZLY STEPPE URI',
created_by_ref=vt_ident.id,
object_marking_refs=[default_tlp.id],
labels=['malicious-activity'],
pattern="[domain-name:value = '%s']" % str(netloc))
uri_inds[i].append(uri_ind)
for ip in vt_results['ips']:
ip_ind = Indicator(
name='GRIZZLY STEPPE IP',
created_by_ref=vt_ident.id,
object_marking_refs=[default_tlp.id],
labels=['malicious-activity'],
pattern="[ipv4-addr:value = '%s']" % str(ip))
ip_inds[i].append(ip_ind)
if pattern_type is not None:
ind = Indicator(name='GRIZZLY STEPPE',
created_by_ref=default_creator.id,
object_marking_refs=[default_tlp.id],
description=desc,
labels=['malicious-activity'],
pattern="[%s = '%s']" %
(pattern_type, pattern_value))
data[i].append(ind)
if uri_inds[i] or ip_inds[i]:
gs_mal = Malware(
name='OnionDuke',
created_by_ref=default_creator.id,
object_marking_refs=[default_tlp.id],
description='Malware identified as OnionDuke C2 software',
labels=['remote-access-trojan'])
data[i].append(gs_mal)
cam_mal_rel = Relationship(relationship_type='uses',
source_ref=gs_cam.id,
target_ref=gs_mal.id)
data[i].append(cam_mal_rel)
ind_mal_rel = Relationship(relationship_type='indicates',
source_ref=ind.id,
target_ref=gs_mal.id)
data[i].append(ind_mal_rel)
if uri_inds[i]:
for uri in uri_inds[i]:
uri_malind_rel = Relationship(
relationship_type='indicates',
source_ref=uri.id,
target_ref=gs_mal.id)
data[i].append(uri_malind_rel)
if ip_inds[i]:
for ip in ip_inds[i]:
ip_malind_rel = Relationship(
relationship_type='indicates',
source_ref=ip.id,
target_ref=gs_mal.id)
data[i].append(ip_malind_rel)
else:
ind_cam_rel = Relationship(relationship_type='indicates',
source_ref=ind.id,
target_ref=gs_cam.id)
data[i].append(ind_cam_rel)
all_sdo = get_all_SDO()
orig_report = []
enrich_inds = []
ind_cam_rels = []
relationships = []
malwarez = []
for sdo in all_sdo:
if sdo.type == 'indicator':
# Just the report
if sdo.name == 'GRIZZLY STEPPE':
orig_report.append(sdo)
else:
# Extra stuff from enrichment (if any)
enrich_inds.append(sdo)
# All of the other stuff I added!
if sdo.type == 'relationship':
relationships.append(sdo)
if sdo.target_ref == gs_cam.id:
ind_cam_rels.append(sdo)
if sdo.type == 'malware':
malwarez.append(sdo)
bun_ind = Bundle(objects=orig_report)
attr_context = orig_report + attribution + ind_cam_rels
bun_attr = Bundle(objects=attr_context)
full_context = attr_context + malwarez + enrich_inds + relationships
bun_full = Bundle(objects=full_context)
trusted = attribution + malwarez + enrich_inds + relationships
bun_trust = Bundle(objects=trusted)
with open('./out/1_orig_report.json', 'wb') as f:
f.write(str(bun_ind))
with open('./out/2_with_attribution.json', 'wb') as f:
f.write(str(bun_attr))
with open('./out/3_all_enriched.json', 'wb') as f:
f.write(str(bun_full))
with open('./out/4_trusted.json', 'wb') as f:
f.write(str(bun_trust))
results = validate_file('./out/1_orig_report.json')
print_results(results)
results = validate_file('./out/2_with_attribution.json')
print_results(results)
results = validate_file('./out/3_all_enriched.json')
print_results(results)
results = validate_file('./out/4_trusted.json')
print_results(results)
results = put_elk(*trusted)