def test_autotype(self):
h = Hash()
h.simple_hash_value = "0123456789abcdef0123456789abcdef"
self.assertEqual(h.type_, Hash.TYPE_MD5)
h.type_ = Hash.TYPE_OTHER
self.assertEqual(h.type_, Hash.TYPE_OTHER)
h.simple_hash_value = "0123456789abcdef0123456789abcdef"
self.assertEqual(h.type_, Hash.TYPE_OTHER)
h2 = Hash()
h2.type_ = Hash.TYPE_OTHER
h2.simple_hash_value = "0123456789abcdef0123456789abcdef"
self.assertEqual(h2.type_, Hash.TYPE_OTHER)
def test_autotype(self):
h = Hash()
h.simple_hash_value = "0123456789abcdef0123456789abcdef"
self.assertEqual(h.type_, Hash.TYPE_MD5)
h.type_ = Hash.TYPE_OTHER
self.assertEqual(h.type_, Hash.TYPE_OTHER)
h.simple_hash_value = "0123456789abcdef0123456789abcdef"
self.assertEqual(h.type_, Hash.TYPE_OTHER)
h2 = Hash()
h2.type_ = Hash.TYPE_OTHER
h2.simple_hash_value = "0123456789abcdef0123456789abcdef"
self.assertEqual(h2.type_, Hash.TYPE_OTHER)
def main():
# Create our CybOX Simple Hash Value
shv = Hash()
shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
# Create a CybOX File Object and add the Hash we created above.
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
# Create the STIX Package
stix_package = STIXPackage()
# Create the STIX Header and add a description.
stix_header = STIXHeader()
stix_header.description = "Simple File Hash Observable Example"
stix_package.stix_header = stix_header
# Add the File Hash Observable to the STIX Package. The add() method will
# inspect the input and add it to the top-level stix_package.observables
# collection.
stix_package.add(f)
# Print the XML!
print(stix_package.to_xml())
def _sha256(keypair):
shv = Hash()
shv.simple_hash_value = keypair.get('indicator')
f = File()
h = Hash(shv, Hash.TYPE_SHA256)
f.add_hash(h)
return f
def _md5(keypair):
shv = Hash()
shv.simple_hash_value = keypair.get('indicator')
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
return f
def _sha256(self, keypair):
shv = Hash()
shv.simple_hash_value = keypair.get('observable')
f = File()
h = Hash(shv, Hash.TYPE_SHA256)
f.add_hash(h)
return f
def _sha256(keypair):
shv = Hash()
shv.simple_hash_value = keypair.get('observable')
f = File()
h = Hash(shv, Hash.TYPE_SHA256)
f.add_hash(h)
return f
def _md5(keypair):
shv = Hash()
shv.simple_hash_value = keypair.get('observable')
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
return f
def _sha1(keypair):
shv = Hash()
shv.simple_hash_value = keypair.get('indicator')
f = File()
h = Hash(shv, Hash.TYPE_SHA1)
f.add_hash(h)
return f
def main():
shv = Hash()
shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Example 03"
stix_package.stix_header = stix_header
stix_package.add_observable(f)
print(stix_package.to_xml())
def main():
shv = Hash()
shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Example 03"
stix_package.stix_header = stix_header
stix_package.add_observable(f)
print(stix_package.to_xml())
def main():
shv = Hash()
shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
indicator = Indicator()
indicator.title = "File Hash Example"
indicator.description = "An indicator containing a File observable with an associated hash"
indicator.set_producer_identity("The MITRE Corporation")
indicator.set_produced_time(datetime.now())
indicator.add_object(f)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Example 02"
stix_package.stix_header = stix_header
stix_package.add_indicator(indicator)
print(stix_package.to_xml())
def main():
shv = Hash()
shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
indicator = Indicator()
indicator.title = "File Hash Example"
indicator.description = "An indicator containing a File observable with an associated hash"
indicator.set_producer_identity("The MITRE Corporation")
indicator.set_produced_time(datetime.now())
indicator.add_object(f)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Example 02"
stix_package.stix_header = stix_header
stix_package.add_indicator(indicator)
print(stix_package.to_xml())
def stix(json):
"""
Created a stix file based on a json file that is being handed over
"""
# Create a new STIXPackage
stix_package = STIXPackage()
# Create a new STIXHeader
stix_header = STIXHeader()
# Add Information Source. This is where we will add the tool information.
stix_header.information_source = InformationSource()
# Create a ToolInformation object. Use the initialization parameters
# to set the tool and vendor names.
#
# Note: This is an instance of cybox.common.ToolInformation and NOT
# stix.common.ToolInformation.
tool = ToolInformation(
tool_name="viper2stix",
tool_vendor="The Viper group http://viper.li - developed by Alexander Jaeger https://github.com/deralexxx/viper2stix"
)
#Adding your identity to the header
identity = Identity()
identity.name = Config.get('stix', 'producer_name')
stix_header.information_source.identity=identity
# Set the Information Source "tools" section to a
# cybox.common.ToolInformationList which contains our tool that we
# created above.
stix_header.information_source.tools = ToolInformationList(tool)
stix_header.title = Config.get('stix', 'title')
# Set the produced time to now
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
tlp.color = Config.get('stix', 'TLP')
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
# Set the header description
stix_header.description = Config.get('stix', 'description')
# Set the STIXPackage header
stix_package.stix_header = stix_header
stix_package.stix_header.handling = handling
try:
pp = pprint.PrettyPrinter(indent=5)
pp.pprint(json['default'])
#for key, value in json['default'].iteritems():
# print key, value
for item in json['default']:
#logger.debug("item %s", item)
indicator = Indicator()
indicator.title = "File Hash"
indicator.description = (
"An indicator containing a File observable with an associated hash"
)
# Create a CyboX File Object
f = File()
sha_value = item['sha256']
if sha_value is not None:
sha256 = Hash()
sha256.simple_hash_value = sha_value
h = Hash(sha256, Hash.TYPE_SHA256)
f.add_hash(h)
sha1_value = item['sha1']
if sha_value is not None:
sha1 = Hash()
sha1.simple_hash_value = sha1_value
h = Hash(sha1, Hash.TYPE_SHA1)
f.add_hash(h)
sha512_value = item['sha512']
if sha_value is not None:
sha512 = Hash()
sha512.simple_hash_value = sha512_value
h = Hash(sha512, Hash.TYPE_SHA512)
f.add_hash(h)
f.add_hash(item['md5'])
#adding the md5 hash to the title as well
stix_header.title+=' '+item['md5']
#print(item['type'])
f.size_in_bytes=item['size']
f.file_format=item['type']
f.file_name = item['name']
indicator.description = "File hash served by a Viper instance"
indicator.add_object(f)
stix_package.add_indicator(indicator)
except Exception, e:
logger.error('Error: %s',format(e))
return False
def createMetaData(stix_package, metadata, strings):
indicator = Indicator()
fl = WinExecutableFile()
if metadata["malfilename"] != "":
fl.file_name = metadata["malfilename"]
if metadata["malmd5"] != "":
fl.md5 = metadata["malmd5"]
if metadata["malsha1"] != "":
fl.sha1 = metadata["malsha1"]
if metadata["malsha256"] != "":
fl.sha256 = metadata["malsha256"]
if metadata["malsha512"] != "":
fl.sha512 = metadata["malsha512"]
if metadata["malmd54k"] != "":
md54k = Hash()
md54k.simple_hash_value = metadata["malmd54k"]
h = Hash(md54k, Hash.TYPE_OTHER)
fl.add_hash(h)
if metadata["malssdeep"] != "":
ssdeep = Hash()
ssdeep.simple_hash_value = metadata["malssdeep"]
h = Hash(ssdeep, Hash.TYPE_SSDEEP)
fl.add_hash(h)
if metadata["malfilesize"] != "":
fl.size_in_bytes = metadata["malfilesize"]
if metadata["malfiletype"] != "":
fl.file_format = metadata["malfiletype"]
# peindicator = Indicator()
peimportlist = PEImportList()
peimport = PEImport()
peimportedfunctions = PEImportedFunctions()
if len(metadata['iocimports']) > 0:
for importfunc in metadata['iocimports']:
peif = PEImportedFunction()
peif.function_name = importfunc
peimportedfunctions.append(peif)
peimport.imported_functions = peimportedfunctions
peimportlist.append(peimport)
peexports = PEExports()
peexportedfunctions = PEExportedFunctions()
if len(metadata['iocexports']) > 0:
for exportfunc in metadata['iocexports']:
peef = PEExportedFunction()
peef.function_name = exportfunc
peexportedfunctions.append(peef)
peexports.exported_functions = peexportedfunctions
pesectionlist = PESectionList()
if len(metadata['badpesections']) > 0:
for section in metadata['badpesections']:
pesection = PESection()
pesectionheader = PESectionHeaderStruct()
entropy = Entropy()
pesectionheader.name = section[0]
if len(section[1]) > 0:
data_size = section[1].replace("0x", "")
if len(data_size) % 2 != 0:
data_size = "0" + data_size
pesectionheader.size_of_raw_data = data_size
entropy.value = float(section[2])
pesection.entropy = entropy
pesection.section_header = pesectionheader
pesectionlist.append(pesection)
peresourcelist = PEResourceList()
peversioninforesource = PEVersionInfoResource()
if len(metadata['versioninfo']) > 0:
peversioninforesource.comments = str(
metadata['versioninfo']['Comments']) if (
metadata['versioninfo']['Comments'] is not None) else ""
peversioninforesource.companyname = str(
metadata['versioninfo']['CompanyName']) if (
metadata['versioninfo']['CompanyName'] is not None) else ""
peversioninforesource.filedescription = str(
metadata['versioninfo']['FileDescription']) if (
metadata['versioninfo']['FileDescription'] is not None) else ""
peversioninforesource.fileversion = str(
metadata['versioninfo']['FileVersion']).replace(", ", ".") if (
metadata['versioninfo']['FileVersion'] is not None) else ""
peversioninforesource.internalname = str(
metadata['versioninfo']['InternalName']) if (
metadata['versioninfo']['InternalName'] is not None) else ""
peversioninforesource.langid = ""
peversioninforesource.legalcopyright = str(
metadata['versioninfo']['LegalCopyright']) if (
metadata['versioninfo']['LegalCopyright'] is not None) else ""
peversioninforesource.originalfilename = str(
metadata['versioninfo']['OriginalFilename']) if (
metadata['versioninfo']['OriginalFilename']
is not None) else ""
peversioninforesource.privatebuild = str(
metadata['versioninfo']['PrivateBuild']) if (
metadata['versioninfo']['PrivateBuild'] is not None) else ""
peversioninforesource.productname = str(
metadata['versioninfo']['ProductName']) if (
metadata['versioninfo']['ProductName'] is not None) else ""
peversioninforesource.productversion = str(
metadata['versioninfo']['ProductVersion']).replace(", ", ".") if (
metadata['versioninfo']['ProductVersion'] is not None) else ""
peversioninforesource.specialbuild = str(
metadata['versioninfo']['SpecialBuild']) if (
metadata['versioninfo']['SpecialBuild'] is not None) else ""
peresourcelist.append(peversioninforesource)
fl.imports = peimportlist
fl.exports = peexports
fl.sections = pesectionlist
fl.resources = peresourcelist
addStrings(fl, strings)
indicator.add_observable(Observable(fl))
stix_package.add_indicator(indicator)
return fl
def main():
# get args
parser = argparse.ArgumentParser ( description = "Parse a given CSV and output STIX XML"
, formatter_class=argparse.ArgumentDefaultsHelpFormatter )
parser.add_argument("--infile","-f", help="input CSV", default = "in.csv")
args = parser.parse_args()
# setup header
contain_pkg = STIXPackage()
stix_header = STIXHeader()
stix_header.title = "Indicators"
stix_header.add_package_intent ("Indicators")
# XXX add Information_Source and Handling
contain_pkg.stix_header = stix_header
# create kill chain with three options (pre, post, unknown), relate as needed
pre = KillChainPhase(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee", name="Pre-infection indicator", ordinality=1)
post = KillChainPhase(phase_id="stix:KillChainPhase-d5459305-1a27-4f50-9875-23793d75e4fe", name="Post-infection indicator", ordinality=2)
chain = KillChain(id_="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d", name="Degenerate Cyber Kill Chain" )
chain.definer = "U5"
chain.kill_chain_phases = [pre, post]
contain_pkg.ttps.kill_chains.append(chain)
# read input data
fd = open (args.infile, "rb")
infile = csv.DictReader(fd)
for row in infile:
# create indicator for each row
error = False
ind = Indicator()
ind.add_alternative_id(row['ControlGroupID'])
ind.title = "Indicator with ID " + row['IndicatorID']
ind.description = row['Notes']
ind.producer = InformationSource()
ind.producer.description = row['Reference']
# XXX unknown purpose for 'Malware' field - omitted
# if the field denotes a specific malware family, we might relate as 'Malware TTP' to the indicator
# set chain phase
if 'Pre' in row['Infection Type']:
ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d"))
elif 'Post' in row['Infection Type']:
ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d"))
ind_type = row['Indicator Type']
if 'IP' in ind_type:
ind.add_indicator_type( "IP Watchlist")
ind_obj = SocketAddress()
ind_obj.ip_address = row['Indicator']
ind_obj.ip_address.condition= "Equals"
if row['indValue']:
port = Port()
# pull port out, since it's in form "TCP Port 42"
port.port_value = row['indValue'].split()[-1]
port.layer4_protocol = row['indValue'].split()[0]
port.port_value.condition= "Equals"
ind_obj.port = port
elif 'Domain' in ind_type:
ind.add_indicator_type ("Domain Watchlist")
ind_obj = DomainName()
ind_obj.value = row['Indicator']
ind_obj.value.condition= "Equals"
elif 'Email' in ind_type:
# parse out which part of the email is being
# i.e. "Sender: attach | Subject: whatever"
tag = row['Indicator'].split(':')[0]
val = row['Indicator'].split(':')[1]
ind.add_indicator_type ("Malicious E-mail")
ind_obj = EmailMessage()
if "Subject" in tag:
ind_obj.subject = val
ind_obj.subject.condition= "Equals"
elif "Sender" in tag:
ind_obj.sender = val
ind_obj.sender.condition= "Equals"
elif "Attachment" in tag:
# make inline File to store filename
file_obj = File()
file_obj.id_ = cybox.utils.create_id(prefix="File")
file_obj.file_name = val
file_obj.file_name.condition = "Equals"
ind_obj.add_related(file_obj, "Contains")
attach = Attachments()
attach.append(file_obj.id_)
ind_obj.attachments = attach
elif 'User Agent' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
fields = HTTPRequestHeaderFields()
fields.user_agent = row['Indicator']
fields.user_agent.condition = "Equals"
header = HTTPRequestHeader()
header.parsed_header = fields
thing = HTTPRequestResponse()
thing.http_client_request = HTTPClientRequest()
thing.http_client_request.http_request_header = header
ind_obj = HTTPSession()
ind_obj.http_request_response = [thing]
elif 'URI' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
thing = HTTPRequestResponse()
thing.http_client_request = HTTPClientRequest()
thing.http_client_request.http_request_line = HTTPRequestLine()
thing.http_client_request.http_request_line.http_method = row['Indicator'].split()[0]
thing.http_client_request.http_request_line.http_method.condition = "Equals"
thing.http_client_request.http_request_line.value = row['Indicator'].split()[1]
thing.http_client_request.http_request_line.value.condition = "Equals"
ind_obj = HTTPSession()
ind_obj.http_request_response = [thing]
elif 'File' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
ind_obj = File()
ind_obj.file_name = row['Indicator']
ind_obj.file_name.condition = "Equals"
digest = Hash()
# XXX assumes that hash digests are stored in this field in real data
digest.simple_hash_value = row['indValue'].strip()
digest.simple_hash_value.condition = "Equals"
digest.type_.condition = "Equals"
ind_obj.add_hash(digest)
elif 'Registry' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
ind_obj = WinRegistryKey()
keys = RegistryValues()
key = RegistryValue()
key.name = row['Indicator']
key.name.condition = "Equals"
key.data = row['indValue']
key.data.condition = "Equals"
keys.append(key)
ind_obj.values = keys
elif 'Mutex' in ind_type:
ind.add_indicator_type (VocabString(row['Indicator Type']))
ind_obj = Mutex()
ind_obj.name = row['Indicator']
ind_obj.name.condition= "Equals"
else:
print "ERR type not supported: " + ind_type + " <- will be omitted from output"
error = True
# finalize indicator
if not error:
ind.add_object(ind_obj)
contain_pkg.add_indicator(ind)
# DONE looping
print contain_pkg.to_xml()
