def test_autotype(self):
    """Hash type is inferred from the value only while no explicit type_ is set.

    A 32-hex-digit value on a fresh Hash is reported as MD5; once type_ has
    been assigned explicitly (before or after the value), it must survive a
    later value assignment unchanged.
    """
    md5_sized_digest = "0123456789abcdef0123456789abcdef"

    # Fresh object: the 32-hex-char value auto-selects MD5.
    inferred = Hash()
    inferred.simple_hash_value = md5_sized_digest
    self.assertEqual(inferred.type_, Hash.TYPE_MD5)

    # An explicit type wins and is kept across a later value assignment.
    inferred.type_ = Hash.TYPE_OTHER
    self.assertEqual(inferred.type_, Hash.TYPE_OTHER)
    inferred.simple_hash_value = md5_sized_digest
    self.assertEqual(inferred.type_, Hash.TYPE_OTHER)

    # A type chosen before the value is assigned is preserved as well.
    explicit = Hash()
    explicit.type_ = Hash.TYPE_OTHER
    explicit.simple_hash_value = md5_sized_digest
    self.assertEqual(explicit.type_, Hash.TYPE_OTHER)
def test_autotype(self):
    """An explicitly assigned type_ is never replaced by value-based inference."""
    digest = "0123456789abcdef0123456789abcdef"

    subject = Hash()
    subject.simple_hash_value = digest
    # Without an explicit type, a 32-hex-digit value is reported as MD5.
    self.assertEqual(Hash.TYPE_MD5, subject.type_)

    subject.type_ = Hash.TYPE_OTHER
    self.assertEqual(Hash.TYPE_OTHER, subject.type_)
    # Re-assigning the value must not re-run inference over the explicit type.
    subject.simple_hash_value = digest
    self.assertEqual(Hash.TYPE_OTHER, subject.type_)

    # Same expectation when type_ is chosen before the value is assigned.
    preset = Hash()
    preset.type_ = Hash.TYPE_OTHER
    preset.simple_hash_value = digest
    self.assertEqual(Hash.TYPE_OTHER, preset.type_)
def main():
    """Build a STIX package holding one File observable with an MD5 hash and print it as XML."""
    # The bare hash value is wrapped in a typed Hash before it is attached to the File.
    digest = Hash()
    digest.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    file_obj = File()
    file_obj.add_hash(Hash(digest, Hash.TYPE_MD5))

    header = STIXHeader()
    header.description = "Simple File Hash Observable Example"

    package = STIXPackage()
    package.stix_header = header
    # add() inspects its argument; a CybOX object lands in the top-level
    # package.observables collection.
    package.add(file_obj)

    print(package.to_xml())
def _sha256(keypair):
    """Wrap the 'indicator' value of *keypair* as a CybOX File carrying a SHA-256 hash.

    Args:
        keypair: mapping whose 'indicator' entry holds the digest string; a
            missing key passes None through to the hash value.

    Returns:
        A ``File`` with a single ``Hash`` of type ``Hash.TYPE_SHA256``.
    """
    # The value is emitted as given -- no length or hex-format check here.
    digest = Hash()
    digest.simple_hash_value = keypair.get('indicator')
    file_obj = File()
    file_obj.add_hash(Hash(digest, Hash.TYPE_SHA256))
    return file_obj
def _md5(keypair):
    """Wrap the 'indicator' value of *keypair* as a CybOX File carrying an MD5 hash.

    Args:
        keypair: mapping whose 'indicator' entry holds the digest string; a
            missing key passes None through to the hash value.

    Returns:
        A ``File`` with a single ``Hash`` of type ``Hash.TYPE_MD5``.
    """
    file_obj = File()
    digest = Hash()
    # No validation of the digest format is performed.
    digest.simple_hash_value = keypair.get('indicator')
    typed = Hash(digest, Hash.TYPE_MD5)
    file_obj.add_hash(typed)
    return file_obj
def _sha256(self, keypair):
    """Wrap the 'observable' value of *keypair* as a CybOX File carrying a SHA-256 hash.

    Args:
        keypair: mapping whose 'observable' entry holds the digest string; a
            missing key passes None through to the hash value.

    Returns:
        A ``File`` with a single ``Hash`` of type ``Hash.TYPE_SHA256``.
    """
    # self is not used; the method only builds a value object.
    file_obj = File()
    digest = Hash()
    digest.simple_hash_value = keypair.get('observable')
    file_obj.add_hash(Hash(digest, Hash.TYPE_SHA256))
    return file_obj
def _sha256(keypair):
    """Return a CybOX File whose only hash is the SHA-256 digest in keypair['observable'].

    Args:
        keypair: mapping read via ``.get('observable')``, so a missing key
            yields a None hash value rather than an error.
    """
    digest = Hash()
    digest.simple_hash_value = keypair.get('observable')
    typed = Hash(digest, Hash.TYPE_SHA256)
    file_obj = File()
    file_obj.add_hash(typed)
    return file_obj
def _md5(keypair):
    """Return a CybOX File whose only hash is the MD5 digest in keypair['observable'].

    Args:
        keypair: mapping read via ``.get('observable')``, so a missing key
            yields a None hash value rather than an error.
    """
    file_obj = File()
    digest = Hash()
    # The digest string is passed through untouched (no case or length check).
    digest.simple_hash_value = keypair.get('observable')
    file_obj.add_hash(Hash(digest, Hash.TYPE_MD5))
    return file_obj
def _sha1(keypair):
    """Return a CybOX File whose only hash is the SHA-1 digest in keypair['indicator'].

    Args:
        keypair: mapping read via ``.get('indicator')``, so a missing key
            yields a None hash value rather than an error.
    """
    digest = Hash()
    digest.simple_hash_value = keypair.get('indicator')
    file_obj = File()
    # Explicit type: the value is not left to the library's autodetection.
    file_obj.add_hash(Hash(digest, Hash.TYPE_SHA1))
    return file_obj
def main():
    """Print a STIX package ("Example 03") containing one MD5-hashed File observable."""
    digest = Hash()
    digest.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    file_obj = File()
    file_obj.add_hash(Hash(digest, Hash.TYPE_MD5))

    header = STIXHeader()
    header.description = "Example 03"

    package = STIXPackage()
    package.stix_header = header
    # Added as a plain observable, not wrapped in an Indicator.
    package.add_observable(file_obj)
    print(package.to_xml())
def main():
    """Emit a STIX package with a single File observable carrying an MD5 hash."""
    file_obj = File()
    digest = Hash()
    digest.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    typed_digest = Hash(digest, Hash.TYPE_MD5)
    file_obj.add_hash(typed_digest)

    package = STIXPackage()
    package.stix_header = STIXHeader()
    package.stix_header.description = "Example 03"
    package.add_observable(file_obj)

    # XML goes to stdout.
    print(package.to_xml())
def main():
    """Print a STIX package ("Example 02") with one Indicator wrapping an MD5-hashed File."""
    digest = Hash()
    digest.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    file_obj = File()
    file_obj.add_hash(Hash(digest, Hash.TYPE_MD5))

    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = "An indicator containing a File observable with an associated hash"
    indicator.set_producer_identity("The MITRE Corporation")
    # NOTE(review): naive local time, no timezone attached -- confirm this is intended.
    indicator.set_produced_time(datetime.now())
    indicator.add_object(file_obj)

    header = STIXHeader()
    header.description = "Example 02"
    package = STIXPackage()
    package.stix_header = header
    package.add_indicator(indicator)
    print(package.to_xml())
def main():
    """Emit a STIX package whose single Indicator carries a File with an MD5 hash."""
    file_obj = File()
    digest = Hash()
    digest.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    file_obj.add_hash(Hash(digest, Hash.TYPE_MD5))

    ind = Indicator()
    ind.title = "File Hash Example"
    ind.description = "An indicator containing a File observable with an associated hash"
    ind.set_producer_identity("The MITRE Corporation")
    # Produced time is the naive local clock, as in the sibling examples.
    ind.set_produced_time(datetime.now())
    ind.add_object(file_obj)

    package = STIXPackage()
    package.stix_header = STIXHeader()
    package.stix_header.description = "Example 02"
    package.add_indicator(ind)
    print(package.to_xml())
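def _add_hash_if_present(file_obj, value, hash_type):
    """Attach *value* to *file_obj* as a Hash of *hash_type*; a None value is skipped."""
    if value is None:
        return
    digest = Hash()
    digest.simple_hash_value = value
    file_obj.add_hash(Hash(digest, hash_type))


def stix(json):
    """Create a STIX package from the JSON document handed over by Viper.

    Args:
        json: mapping whose 'default' entry iterates over file records with
            'sha256', 'sha1', 'sha512', 'md5', 'size', 'type' and 'name'
            keys. The parameter name shadows the stdlib module; it is kept
            so existing callers that pass it by name keep working.

    Returns:
        False when any step inside the try block fails (the error is
        logged). On success nothing is returned, so the assembled
        ``stix_package`` is not handed back to the caller.
        NOTE(review): confirm with callers whether a return value is expected.
    """
    stix_package = STIXPackage()
    stix_header = STIXHeader()

    # Information source: the producing tool plus the configured identity.
    # Note: this is cybox.common.ToolInformation, NOT stix.common.ToolInformation.
    stix_header.information_source = InformationSource()
    tool = ToolInformation(
        tool_name="viper2stix",
        tool_vendor="The Viper group http://viper.li - developed by Alexander Jaeger https://github.com/deralexxx/viper2stix"
    )
    identity = Identity()
    identity.name = Config.get('stix', 'producer_name')
    stix_header.information_source.identity = identity
    stix_header.information_source.tools = ToolInformationList(tool)
    stix_header.title = Config.get('stix', 'title')
    # Produced time is a naive local datetime (unchanged from the original).
    stix_header.information_source.time = Time()
    stix_header.information_source.time.produced_time = datetime.now()

    # TLP marking from config; the XPath applies it to every node of the package.
    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "../../../descendant-or-self::node()"
    tlp = TLPMarkingStructure()
    tlp.color = Config.get('stix', 'TLP')
    marking_specification.marking_structures.append(tlp)
    handling = Marking()
    handling.add_marking(marking_specification)

    stix_header.description = Config.get('stix', 'description')
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = handling

    try:
        pp = pprint.PrettyPrinter(indent=5)
        pp.pprint(json['default'])
        for item in json['default']:
            indicator = Indicator()
            indicator.title = "File Hash"
            f = File()
            # Each digest is guarded by its own value. The original tested
            # the sha256 value for all three, so sha1/sha512 were dropped
            # whenever sha256 was absent and a None sha1/sha512 was attached
            # whenever it was present.
            _add_hash_if_present(f, item['sha256'], Hash.TYPE_SHA256)
            _add_hash_if_present(f, item['sha1'], Hash.TYPE_SHA1)
            _add_hash_if_present(f, item['sha512'], Hash.TYPE_SHA512)
            # md5 is handed to add_hash as a bare value, presumably wrapped
            # and auto-typed by the library -- kept as in the original.
            f.add_hash(item['md5'])
            # The md5 is also appended to the package title.
            stix_header.title += ' ' + item['md5']
            f.size_in_bytes = item['size']
            f.file_format = item['type']
            f.file_name = item['name']
            # The original assigned a generic description first and then
            # overwrote it; only the effective value is set here.
            indicator.description = "File hash served by a Viper instance"
            indicator.add_object(f)
            stix_package.add_indicator(indicator)
    except Exception as e:
        logger.error('Error: %s', format(e))
        return False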
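def _attach_hash(file_obj, value, hash_type):
    """Wrap *value* in a Hash of *hash_type* and add it to *file_obj*."""
    digest = Hash()
    digest.simple_hash_value = value
    file_obj.add_hash(Hash(digest, hash_type))


def _version_info_field(versioninfo, key, normalize_version=False):
    """Return ``str(versioninfo[key])``, or "" when the stored value is None.

    With *normalize_version*, ", " separators are replaced by "." (applied
    to FileVersion / ProductVersion, which presumably arrive comma-separated).
    A missing *key* raises KeyError, as the original indexing did.
    """
    raw = versioninfo[key]
    if raw is None:
        return ""
    text = str(raw)
    return text.replace(", ", ".") if normalize_version else text


def _build_pe_section(section):
    """Convert one (name, raw_size, entropy) record into a PESection.

    section[1] is treated as a hex-looking size string: the "0x" prefix is
    dropped and it is left-padded to an even number of digits; an empty
    string leaves size_of_raw_data unset.
    """
    header = PESectionHeaderStruct()
    header.name = section[0]
    if len(section[1]) > 0:
        data_size = section[1].replace("0x", "")
        if len(data_size) % 2 != 0:
            data_size = "0" + data_size
        header.size_of_raw_data = data_size
    entropy = Entropy()
    entropy.value = float(section[2])
    pe_section = PESection()
    pe_section.entropy = entropy
    pe_section.section_header = header
    return pe_section


def createMetaData(stix_package, metadata, strings):
    """Build a WinExecutableFile from *metadata*, wrap it in an Indicator and add it to *stix_package*.

    Args:
        stix_package: the STIXPackage receiving the new indicator.
        metadata: dict with the keys read below (the mal* file attributes,
            'iocimports', 'iocexports', 'badpesections', 'versioninfo').
            An empty string means "not available"; a missing key raises
            KeyError, as before.
        strings: passed through to addStrings() unchanged.

    Returns:
        The populated WinExecutableFile (also attached to the package).
    """
    indicator = Indicator()
    fl = WinExecutableFile()

    # Plain attributes with a dedicated field on the file object.
    for key, attr in (
        ("malfilename", "file_name"),
        ("malmd5", "md5"),
        ("malsha1", "sha1"),
        ("malsha256", "sha256"),
        ("malsha512", "sha512"),
        ("malfilesize", "size_in_bytes"),
        ("malfiletype", "file_format"),
    ):
        value = metadata[key]
        if value != "":
            setattr(fl, attr, value)

    # Hashes without a dedicated field: the "md54k" digest (presumably the
    # MD5 of the first 4 KiB) is typed as OTHER, ssdeep as SSDEEP.
    if metadata["malmd54k"] != "":
        _attach_hash(fl, metadata["malmd54k"], Hash.TYPE_OTHER)
    if metadata["malssdeep"] != "":
        _attach_hash(fl, metadata["malssdeep"], Hash.TYPE_SSDEEP)

    # Imports: one PEImport holding every imported function name.
    peimportedfunctions = PEImportedFunctions()
    for importfunc in metadata['iocimports']:
        peif = PEImportedFunction()
        peif.function_name = importfunc
        peimportedfunctions.append(peif)
    peimport = PEImport()
    peimport.imported_functions = peimportedfunctions
    peimportlist = PEImportList()
    peimportlist.append(peimport)

    # Exports.
    peexportedfunctions = PEExportedFunctions()
    for exportfunc in metadata['iocexports']:
        peef = PEExportedFunction()
        peef.function_name = exportfunc
        peexportedfunctions.append(peef)
    peexports = PEExports()
    peexports.exported_functions = peexportedfunctions

    # Sections flagged as suspicious by the producer.
    pesectionlist = PESectionList()
    for section in metadata['badpesections']:
        pesectionlist.append(_build_pe_section(section))

    # Version-info resource. The resource is appended even when no
    # versioninfo is present, matching the original's unconditional append.
    peversioninforesource = PEVersionInfoResource()
    versioninfo = metadata['versioninfo']
    if len(versioninfo) > 0:
        for attr, key, normalize in (
            ("comments", "Comments", False),
            ("companyname", "CompanyName", False),
            ("filedescription", "FileDescription", False),
            ("fileversion", "FileVersion", True),
            ("internalname", "InternalName", False),
            ("legalcopyright", "LegalCopyright", False),
            ("originalfilename", "OriginalFilename", False),
            ("privatebuild", "PrivateBuild", False),
            ("productname", "ProductName", False),
            ("productversion", "ProductVersion", True),
            ("specialbuild", "SpecialBuild", False),
        ):
            setattr(peversioninforesource, attr, _version_info_field(versioninfo, key, normalize))
        # langid is not carried in the metadata; always emitted empty.
        peversioninforesource.langid = ""
    peresourcelist = PEResourceList()
    peresourcelist.append(peversioninforesource)

    fl.imports = peimportlist
    fl.exports = peexports
    fl.sections = pesectionlist
    fl.resources = peresourcelist
    addStrings(fl, strings)

    indicator.add_observable(Observable(fl))
    stix_package.add_indicator(indicator)
    return fl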
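# Fixed ids so that the kill-chain definition and every phase reference agree.
_PRE_PHASE_ID = "stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee"
_POST_PHASE_ID = "stix:KillChainPhase-d5459305-1a27-4f50-9875-23793d75e4fe"
_CHAIN_ID = "stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d"


def _indicator_object(ind, row):
    """Build the CybOX object for one CSV *row* and tag *ind* with its indicator type.

    Returns None when the 'Indicator Type' column matches none of the
    supported families; the caller then omits the row from the output.
    Every matched value is given the "Equals" condition.
    """
    ind_type = row['Indicator Type']
    if 'IP' in ind_type:
        ind.add_indicator_type("IP Watchlist")
        ind_obj = SocketAddress()
        ind_obj.ip_address = row['Indicator']
        ind_obj.ip_address.condition = "Equals"
        if row['indValue']:
            # indValue looks like "TCP Port 42": protocol first, port number last.
            parts = row['indValue'].split()
            port = Port()
            port.port_value = parts[-1]
            port.layer4_protocol = parts[0]
            port.port_value.condition = "Equals"
            ind_obj.port = port
        return ind_obj
    if 'Domain' in ind_type:
        ind.add_indicator_type("Domain Watchlist")
        ind_obj = DomainName()
        ind_obj.value = row['Indicator']
        ind_obj.value.condition = "Equals"
        return ind_obj
    if 'Email' in ind_type:
        # Indicator is "<part>: <value>", i.e. "Sender: attach | Subject: whatever";
        # only the segment right after the first ':' is used, as before.
        parts = row['Indicator'].split(':')
        tag = parts[0]
        val = parts[1]
        ind.add_indicator_type("Malicious E-mail")
        ind_obj = EmailMessage()
        if "Subject" in tag:
            ind_obj.subject = val
            ind_obj.subject.condition = "Equals"
        elif "Sender" in tag:
            ind_obj.sender = val
            ind_obj.sender.condition = "Equals"
        elif "Attachment" in tag:
            # Inline File object holding the attachment name, referenced by id.
            file_obj = File()
            file_obj.id_ = cybox.utils.create_id(prefix="File")
            file_obj.file_name = val
            file_obj.file_name.condition = "Equals"
            ind_obj.add_related(file_obj, "Contains")
            attach = Attachments()
            attach.append(file_obj.id_)
            ind_obj.attachments = attach
        return ind_obj
    if 'User Agent' in ind_type:
        ind.add_indicator_type(VocabString(row['Indicator Type']))
        fields = HTTPRequestHeaderFields()
        fields.user_agent = row['Indicator']
        fields.user_agent.condition = "Equals"
        header = HTTPRequestHeader()
        header.parsed_header = fields
        exchange = HTTPRequestResponse()
        exchange.http_client_request = HTTPClientRequest()
        exchange.http_client_request.http_request_header = header
        ind_obj = HTTPSession()
        ind_obj.http_request_response = [exchange]
        return ind_obj
    if 'URI' in ind_type:
        ind.add_indicator_type(VocabString(row['Indicator Type']))
        # Indicator is "<METHOD> <uri>"; a missing second token raises IndexError as before.
        parts = row['Indicator'].split()
        request_line = HTTPRequestLine()
        request_line.http_method = parts[0]
        request_line.http_method.condition = "Equals"
        request_line.value = parts[1]
        request_line.value.condition = "Equals"
        exchange = HTTPRequestResponse()
        exchange.http_client_request = HTTPClientRequest()
        exchange.http_client_request.http_request_line = request_line
        ind_obj = HTTPSession()
        ind_obj.http_request_response = [exchange]
        return ind_obj
    if 'File' in ind_type:
        ind.add_indicator_type(VocabString(row['Indicator Type']))
        ind_obj = File()
        ind_obj.file_name = row['Indicator']
        ind_obj.file_name.condition = "Equals"
        digest = Hash()
        # XXX assumes that hash digests are stored in this field in real data
        digest.simple_hash_value = row['indValue'].strip()
        digest.simple_hash_value.condition = "Equals"
        digest.type_.condition = "Equals"
        ind_obj.add_hash(digest)
        return ind_obj
    if 'Registry' in ind_type:
        ind.add_indicator_type(VocabString(row['Indicator Type']))
        ind_obj = WinRegistryKey()
        key = RegistryValue()
        key.name = row['Indicator']
        key.name.condition = "Equals"
        key.data = row['indValue']
        key.data.condition = "Equals"
        keys = RegistryValues()
        keys.append(key)
        ind_obj.values = keys
        return ind_obj
    if 'Mutex' in ind_type:
        ind.add_indicator_type(VocabString(row['Indicator Type']))
        ind_obj = Mutex()
        ind_obj.name = row['Indicator']
        ind_obj.name.condition = "Equals"
        return ind_obj
    return None


def main():
    """Parse the CSV named by --infile and print one STIX package of indicators as XML.

    Rows whose 'Indicator Type' is unsupported are reported on stderr and
    omitted; everything else becomes one Indicator referencing the pre- or
    post-infection kill-chain phase named in 'Infection Type'.
    """
    import sys

    parser = argparse.ArgumentParser(
        description="Parse a given CSV and output STIX XML",
        formatter_class=argparse.ArgumentDefaultsHelpFormatter,
    )
    parser.add_argument("--infile", "-f", help="input CSV", default="in.csv")
    args = parser.parse_args()

    contain_pkg = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Indicators"
    stix_header.add_package_intent("Indicators")
    # XXX add Information_Source and Handling
    contain_pkg.stix_header = stix_header

    # Kill chain with two phases (pre, post); each row references one by id.
    pre = KillChainPhase(phase_id=_PRE_PHASE_ID, name="Pre-infection indicator", ordinality=1)
    post = KillChainPhase(phase_id=_POST_PHASE_ID, name="Post-infection indicator", ordinality=2)
    chain = KillChain(id_=_CHAIN_ID, name="Degenerate Cyber Kill Chain")
    chain.definer = "U5"
    chain.kill_chain_phases = [pre, post]
    contain_pkg.ttps.kill_chains.append(chain)

    # "rb" is kept from the original (Python 2 csv); the handle is now
    # closed when the loop finishes instead of being leaked.
    with open(args.infile, "rb") as fd:
        for row in csv.DictReader(fd):
            ind = Indicator()
            ind.add_alternative_id(row['ControlGroupID'])
            ind.title = "Indicator with ID " + row['IndicatorID']
            ind.description = row['Notes']
            ind.producer = InformationSource()
            ind.producer.description = row['Reference']
            # XXX unknown purpose for 'Malware' field - omitted
            # if the field denotes a specific malware family, we might relate
            # as 'Malware TTP' to the indicator

            infection = row['Infection Type']
            if 'Pre' in infection:
                phase_id = _PRE_PHASE_ID
            elif 'Post' in infection:
                # Fixed: the original referenced the Pre phase id here as well,
                # so post-infection rows were mislabelled.
                phase_id = _POST_PHASE_ID
            else:
                phase_id = None
            if phase_id is not None:
                ind.kill_chain_phases.append(
                    KillChainPhaseReference(phase_id=phase_id, kill_chain_id=_CHAIN_ID)
                )

            ind_obj = _indicator_object(ind, row)
            if ind_obj is None:
                # Diagnostics go to stderr so the XML document on stdout stays well-formed.
                sys.stderr.write(
                    "ERR type not supported: " + row['Indicator Type'] + " <- will be omitted from output\n"
                )
                continue
            ind.add_object(ind_obj)
            contain_pkg.add_indicator(ind)

    print(contain_pkg.to_xml())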