def from_dict(header_dict):
header = EmailHeader()
header.to = EmailRecipients.from_dict(header_dict.get('to'))
header.cc = EmailRecipients.from_dict(header_dict.get('cc'))
header.bcc = EmailRecipients.from_dict(header_dict.get('bcc'))
header.from_ = Address.from_dict(header_dict.get('from'), Address.CAT_EMAIL)
header.subject = String.from_dict(header_dict.get('subject'))
header.in_reply_to = String.from_dict(header_dict.get('in_reply_to'))
header.date = DateTime.from_dict(header_dict.get('date'))
header.message_id = String.from_dict(header_dict.get('message_id'))
header.sender = Address.from_dict(header_dict.get('sender'), Address.CAT_EMAIL)
header.reply_to = Address.from_dict(header_dict.get('reply_to'), Address.CAT_EMAIL)
header.errors_to = String.from_dict(header_dict.get('errors_to'))
return header
def create_ipv4_observable(ipv4_address):
'''Create a CybOX Observable representing an IPv4 address'''
ipv4_object = Address.from_dict({
'address_value': ipv4_address,
'category': Address.CAT_IPV4
})
return Observable(ipv4_object)
def create_ipv4_observable(ipv4_address):
ipv4_object = Address.from_dict({"address_value": ipv4_address, "category": Address.CAT_IPV4})
ipv4_observable = Observable(ipv4_object)
ipv4_observable.title = "Malware Artifact - IP"
ipv4_observable.description = "IP derived from sandboxed malware sample."
ipv4_observable.short_description = "IP from malware."
return ipv4_observable
def create_email_address_observable(email_address):
'''Create a CybOX Observable representing an IPv4 address'''
email_address_object = Address.from_dict({
'address_value': email_address,
'category': Address.CAT_EMAIL
})
return Observable(email_address_object)
def from_dict(socket_address_dict):
if not socket_address_dict:
return None
socket_address_ = SocketAddress()
socket_address_.ip_address = Address.from_dict(socket_address_dict.get('ip_address'))
socket_address_.port = Port.from_dict(socket_address_dict.get('port'))
return socket_address_
def add_ipv4_observable(self, ipv4_address):
if ipv4_address in self.__ipv4:
return
self.__ipv4.add(ipv4_address)
ipv4_object = Address.from_dict({'address_value': ipv4_address, 'category': Address.CAT_IPV4})
ipv4_observable = Observable(ipv4_object)
ipv4_observable.title = "Malware Artifact - IP"
ipv4_observable.description = "IP derived from sandboxed malware sample."
ipv4_observable.short_description = "IP from malware."
self.ip_indicator.add_observable(ipv4_observable)
def create_ipv4_observable(ipv4_address):
ipv4_object = Address.from_dict({
'address_value': ipv4_address,
'category': Address.CAT_IPV4
})
ipv4_observable = Observable(ipv4_object)
ipv4_observable.title = "Malware Artifact - IP"
ipv4_observable.description = "IP derived from sandboxed malware sample."
ipv4_observable.short_description = "IP from malware."
return ipv4_observable
def from_dict(recipients_dict):
if not recipients_dict:
return None
# recipients_dict should really be a list, not a dict
r = EmailRecipients()
if recipients_dict is not None:
r.recipients = [Address.from_dict(a, Address.CAT_EMAIL)
for a in recipients_dict]
return r
def from_dict(contact_dict, contact=None):
if not contact_dict:
return None
if contact is None:
contact = WhoisContact()
contact.contact_type = contact_dict.get('contact_type')
contact.contact_id = String.from_dict(contact_dict.get('contact_id'))
contact.name = String.from_dict(contact_dict.get('name'))
contact.email_address = Address.from_dict(contact_dict.get('email_address'), Address.CAT_EMAIL)
contact.phone_number = String.from_dict(contact_dict.get('phone_number'))
contact.address = String.from_dict(contact_dict.get('address'))
return contact
def from_dict(opt_header_dict):
if not opt_header_dict:
return None
opt_header = OptionalHeader()
opt_header.boundary = String.from_dict(opt_header_dict.get('boundary'))
opt_header.content_type = String.from_dict(opt_header_dict.get('content_type'))
opt_header.mime_version = String.from_dict(opt_header_dict.get('mime_version'))
opt_header.precedence = String.from_dict(opt_header_dict.get('precedence'))
opt_header.x_mailer = String.from_dict(opt_header_dict.get('x_mailer'))
opt_header.x_originating_ip = Address.from_dict(opt_header_dict.get('x_originating_ip'), Address.CAT_IPV4)
opt_header.x_priority = PositiveInteger.from_dict(opt_header_dict.get('x_priority'))
return opt_header
def from_dict(registrar_dict):
if not registrar_dict:
return None
registrar = WhoisRegistrar()
registrar.registrar_id = String.from_dict(registrar_dict.get('registrar_id'))
registrar.registrar_guid = String.from_dict(registrar_dict.get('registrar_guid'))
registrar.name = String.from_dict(registrar_dict.get('name'))
registrar.address = String.from_dict(registrar_dict.get('address'))
registrar.email_address = Address.from_dict(registrar_dict.get('email_address'), Address.CAT_EMAIL)
registrar.phone_number = String.from_dict(registrar_dict.get('phone_number'))
registrar.whois_server = URI.from_dict(registrar_dict.get('whois_server'))
registrar.referral_url = URI.from_dict(registrar_dict.get('referral_url'))
registrar.contacts = WhoisContacts.from_list(registrar_dict.get('contacts'))
return registrar
def from_dict(dns_record_dict):
if not dns_record_dict:
return None
dns_record_ = DNSRecord()
dns_record_.description = StructuredText.from_dict(dns_record_dict.get('description'))
dns_record_.domain_name = URI.from_dict(dns_record_dict.get('domain_name'))
dns_record_.ip_address = Address.from_dict(dns_record_dict.get('ip_address'))
dns_record_.address_class = String.from_dict(dns_record_dict.get('address_class'))
dns_record_.entry_type = String.from_dict(dns_record_dict.get('entry_type'))
dns_record_.record_name = String.from_dict(dns_record_dict.get('record_name'))
dns_record_.record_type = String.from_dict(dns_record_dict.get('record_type'))
dns_record_.ttl = Integer.from_dict(dns_record_dict.get('record_type'))
dns_record_.flags = HexBinary.from_dict(dns_record_dict.get('flags'))
dns_record_.data_length = Integer.from_dict(dns_record_dict.get('data_length'))
dns_record_.record_data = dns_record_dict.get('record_data')
return dns_record_
def from_dict(whois_dict):
if not whois_dict:
return None
whois = WhoisEntry()
ObjectProperties.from_dict(whois_dict, whois)
whois.domain_name = URI.from_dict(whois_dict.get('domain_name'))
whois.domain_id = String.from_dict(whois_dict.get('domain_id'))
whois.server_name = URI.from_dict(whois_dict.get('server_name'))
whois.ip_address = Address.from_dict(whois_dict.get('ip_address'), Address.CAT_IPV4)
whois.dnssec = whois_dict.get('dnssec')
whois.nameservers = WhoisNameservers.from_list(whois_dict.get('nameservers'))
whois.status = WhoisStatuses.from_list(whois_dict.get('status'))
whois.updated_date = DateTime.from_dict(whois_dict.get('updated_date'))
whois.creation_date = DateTime.from_dict(whois_dict.get('creation_date'))
whois.expiration_date = DateTime.from_dict(whois_dict.get('expiration_date'))
whois.regional_internet_registry = String.from_dict(whois_dict.get('regional_internet_registry'))
whois.sponsoring_registrar = String.from_dict(whois_dict.get('sponsoring_registrar'))
whois.registrar_info = WhoisRegistrar.from_dict(whois_dict.get('registrar_info'))
whois.registrants = WhoisRegistrants.from_list(whois_dict.get('registrants'))
whois.contact_info = WhoisContact.from_dict(whois_dict.get('contact_info'))
return whois
def create_ipv4_observable(ipv4_address):
'''Create a CybOX Observable representing an IPv4 address'''
ipv4_object = Address.from_dict({'address_value': ipv4_address,
'category': Address.CAT_IPV4})
return Observable(ipv4_object)
def create_ipv4_observable(ipv4_address):
"""Create a CybOX Observable representing an IPv4 address"""
ipv4_object = Address.from_dict({"address_value": ipv4_address, "category": Address.CAT_IPV4})
return Observable(ipv4_object)
def create_email_address_observable(email_address):
"""Create a CybOX Observable representing an IPv4 address"""
email_address_object = Address.from_dict({"address_value": email_address, "category": Address.CAT_EMAIL})
return Observable(email_address_object)
def build(self):
self.stix_header.title = self.pulse["name"]
self.stix_header.description = self.pulse["description"]
self.stix_header.short_description = "%spulse/%s" % (PULSE_SERVER_BASE, str(self.pulse["id"]))
self.stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)
self.stix_header.information_source = InformationSource()
self.stix_header.information_source.time = Time()
self.stix_header.information_source.description = "Alienvault OTX - https://otx.alienvault.com/"
self.stix_header.information_source.time.produced_time = self.pulse["modified"]
self.stix_header.information_source.identity = Identity()
self.stix_header.information_source.identity.name = "Alienvault OTX"
self.stix_package.stix_header = self.stix_header
hashes = []
addresses = []
domains = []
urls = []
mails = []
for p_indicator in self.pulse["indicators"]:
if p_indicator["type"] in self.hash_translation:
new_ind = Indicator()
new_ind.description = p_indicator["description"]
new_ind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"]))
file_ = File()
hash_ = Hash(p_indicator["indicator"], self.hash_translation[p_indicator["type"]])
file_.add_hash(hash_)
observable_ = Observable(file_)
elif p_indicator["type"] in self.address_translation:
new_ind = Indicator()
new_ind.description = p_indicator["description"]
new_ind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"]))
ipv4_ = Address.from_dict({'address_value': p_indicator["indicator"],
'category': self.address_translation[p_indicator["type"]]})
observable_ = Observable(ipv4_)
elif p_indicator["type"] in self.name_translation:
new_ind = Indicator()
new_ind.description = p_indicator["description"]
new_ind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"]))
domain_ = DomainName.from_dict({'value': p_indicator["indicator"], 'type':'FQDN'})
observable_ = Observable(domain_)
elif p_indicator["type"] == "URL":
new_ind = Indicator()
new_ind.description = p_indicator["description"]
new_ind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"]))
url_ = URI.from_dict({'value': p_indicator["indicator"], 'type': URI.TYPE_URL})
observable_ = Observable(url_)
elif p_indicator["type"] == "email":
email_ = Address.from_dict({'address_value': p_indicator["indicator"], 'category': Address.CAT_EMAIL})
observable_ = Observable(email_)
#elif p_indicator["type"] == "CVE":
# vuln_ = Vulnerability()
# vuln_.cveid = p_indicator["indicator"].upper()
# observable_ = Observable(vuln_)
elif p_indicator["type"] == "Mutex":
mutex_ = Mutex.from_dict({'named': True, 'name': p_indicator["indicator"]})
observable_ = Observable(mutex_)
elif p_indicator["type"] == "CIDR":
nrange = IP(p_indicator["indicator"])
nrange_values = nrange.strNormal(3).replace("-", ",")
ipv4_ = Address.from_dict({'address_value': nrange_values, 'category': Address.CAT_IPV4})
ipv4_.address_value.condition = "InclusiveBetween"
observable_ = Observable(ipv4_)
else:
continue
mind = Indicator()
mind.description = p_indicator["description"]
mind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"]))
observable_.title = "%s - %s" % (p_indicator["type"], p_indicator["indicator"])
mind.add_observable(observable_)
self.stix_package.add_indicator(mind)
def create_email_address_observable(email_address):
'''Create a CybOX Observable representing an IPv4 address'''
email_address_object = Address.from_dict({'address_value': email_address,
'category': Address.CAT_EMAIL})
return Observable(email_address_object)
def build(self):
self.stix_header.title = self.pulse["name"]
self.stix_header.description = self.pulse["description"]
self.stix_header.short_description = "%spulse/%s" % (
PULSE_SERVER_BASE, str(self.pulse["id"]))
self.stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)
self.stix_header.information_source = InformationSource()
self.stix_header.information_source.time = Time()
self.stix_header.information_source.description = "Alienvault OTX - https://otx.alienvault.com/"
self.stix_header.information_source.time.produced_time = self.pulse[
"modified"]
self.stix_header.information_source.identity = Identity()
self.stix_header.information_source.identity.name = "Alienvault OTX"
self.stix_package.stix_header = self.stix_header
hashes = []
addresses = []
domains = []
urls = []
mails = []
for p_indicator in self.pulse["indicators"]:
if p_indicator["type"] in self.hash_translation:
new_ind = Indicator()
new_ind.description = p_indicator["description"]
new_ind.title = "%s from %spulse/%s" % (
p_indicator["indicator"], PULSE_SERVER_BASE,
str(self.pulse["id"]))
file_ = File()
hash_ = Hash(p_indicator["indicator"],
self.hash_translation[p_indicator["type"]])
file_.add_hash(hash_)
observable_ = Observable(file_)
elif p_indicator["type"] in self.address_translation:
new_ind = Indicator()
new_ind.description = p_indicator["description"]
new_ind.title = "%s from %spulse/%s" % (
p_indicator["indicator"], PULSE_SERVER_BASE,
str(self.pulse["id"]))
ipv4_ = Address.from_dict({
'address_value':
p_indicator["indicator"],
'category':
self.address_translation[p_indicator["type"]]
})
observable_ = Observable(ipv4_)
elif p_indicator["type"] in self.name_translation:
new_ind = Indicator()
new_ind.description = p_indicator["description"]
new_ind.title = "%s from %spulse/%s" % (
p_indicator["indicator"], PULSE_SERVER_BASE,
str(self.pulse["id"]))
domain_ = DomainName.from_dict({
'value':
p_indicator["indicator"],
'type':
'FQDN'
})
observable_ = Observable(domain_)
elif p_indicator["type"] == "URL":
new_ind = Indicator()
new_ind.description = p_indicator["description"]
new_ind.title = "%s from %spulse/%s" % (
p_indicator["indicator"], PULSE_SERVER_BASE,
str(self.pulse["id"]))
url_ = URI.from_dict({
'value': p_indicator["indicator"],
'type': URI.TYPE_URL
})
observable_ = Observable(url_)
elif p_indicator["type"] == "email":
email_ = Address.from_dict({
'address_value':
p_indicator["indicator"],
'category':
Address.CAT_EMAIL
})
observable_ = Observable(email_)
#elif p_indicator["type"] == "CVE":
# vuln_ = Vulnerability()
# vuln_.cveid = p_indicator["indicator"].upper()
# observable_ = Observable(vuln_)
elif p_indicator["type"] == "Mutex":
mutex_ = Mutex.from_dict({
'named': True,
'name': p_indicator["indicator"]
})
observable_ = Observable(mutex_)
elif p_indicator["type"] == "CIDR":
nrange = IP(p_indicator["indicator"])
nrange_values = nrange.strNormal(3).replace("-", ",")
ipv4_ = Address.from_dict({
'address_value': nrange_values,
'category': Address.CAT_IPV4
})
ipv4_.address_value.condition = "InclusiveBetween"
observable_ = Observable(ipv4_)
else:
continue
mind = Indicator()
mind.description = p_indicator["description"]
mind.title = "%s from %spulse/%s" % (p_indicator["indicator"],
PULSE_SERVER_BASE,
str(self.pulse["id"]))
observable_.title = "%s - %s" % (p_indicator["type"],
p_indicator["indicator"])
mind.add_observable(observable_)
self.stix_package.add_indicator(mind)
def transform(self, event):
stix_package = STIXPackage()
self._add_header(stix_package, "Unauthorized traffic to honeypot",
"Describes one or more honeypot incidents")
incident = Incident(
id_="%s:%s-%s" %
(CONPOT_NAMESPACE, 'incident', event['session_id']))
initial_time = StixTime()
initial_time.initial_compromise = event['timestamp'].isoformat()
incident.time = initial_time
incident.title = "Conpot Event"
incident.short_description = "Traffic to Conpot ICS honeypot"
incident.add_category(
VocabString(value='Scans/Probes/Attempted Access'))
tool_list = ToolInformationList()
tool_list.append(
ToolInformation.from_dict({
'name':
"Conpot",
'vendor':
"Conpot Team",
'version':
conpot.__version__,
'description':
textwrap.dedent(
'Conpot is a low interactive server side Industrial Control Systems '
'honeypot designed to be easy to deploy, modify and extend.'
)
}))
incident.reporter = InformationSource(tools=tool_list)
incident.add_discovery_method("Monitoring Service")
incident.confidence = "High"
# Victim Targeting by Sector
ciq_identity = CIQIdentity3_0Instance()
#identity_spec = STIXCIQIdentity3_0()
#identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
#ciq_identity.specification = identity_spec
ttp = TTP(
title=
"Victim Targeting: Electricity Sector and Industrial Control System Sector"
)
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
incident.leveraged_ttps.append(ttp)
indicator = Indicator(title="Conpot Event")
indicator.description = "Conpot network event"
indicator.confidence = "High"
source_port = Port.from_dict({
'port_value': event['remote'][1],
'layer4_protocol': 'tcp'
})
dest_port = Port.from_dict({
'port_value':
self.protocol_to_port_mapping[event['data_type']],
'layer4_protocol':
'tcp'
})
source_ip = Address.from_dict({
'address_value': event['remote'][0],
'category': Address.CAT_IPV4
})
dest_ip = Address.from_dict({
'address_value': event['public_ip'],
'category': Address.CAT_IPV4
})
source_address = SocketAddress.from_dict({
'ip_address':
source_ip.to_dict(),
'port':
source_port.to_dict()
})
dest_address = SocketAddress.from_dict({
'ip_address': dest_ip.to_dict(),
'port': dest_port.to_dict()
})
network_connection = NetworkConnection.from_dict({
'source_socket_address':
source_address.to_dict(),
'destination_socket_address':
dest_address.to_dict(),
'layer3_protocol':
"IPv4",
'layer4_protocol':
"TCP",
'layer7_protocol':
event['data_type'],
'source_tcp_state':
"ESTABLISHED",
'destination_tcp_state':
"ESTABLISHED",
})
indicator.add_observable(Observable(network_connection))
artifact = Artifact()
artifact.data = json.dumps(event['data'])
artifact.packaging.append(ZlibCompression())
artifact.packaging.append(Base64Encoding())
indicator.add_observable(Observable(artifact))
incident.related_indicators.append(indicator)
stix_package.add_incident(incident)
stix_package_xml = stix_package.to_xml()
return stix_package_xml
def transform(self, event):
self._set_namespace(self.config['contact_domain'], self.config['contact_name'])
stix_package = STIXPackage()
self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents")
incident = Incident(id_="%s:%s-%s" % (self.config['contact_name'], 'incident', event['session_id']))
initial_time = StixTime()
initial_time.initial_compromise = event['timestamp'].isoformat()
incident.time = initial_time
incident.title = "Conpot Event"
incident.short_description = "Traffic to Conpot ICS honeypot"
incident.add_category(VocabString(value='Scans/Probes/Attempted Access'))
tool_list = ToolInformationList()
tool_list.append(ToolInformation.from_dict({
'name': "Conpot",
'vendor': "Conpot Team",
'version': conpot.__version__,
'description': textwrap.dedent('Conpot is a low interactive server side Industrial Control Systems '
'honeypot designed to be easy to deploy, modify and extend.')
}))
incident.reporter = InformationSource(tools=tool_list)
incident.add_discovery_method("Monitoring Service")
incident.confidence = "High"
# Victim Targeting by Sector
ciq_identity = CIQIdentity3_0Instance()
#identity_spec = STIXCIQIdentity3_0()
#identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
#ciq_identity.specification = identity_spec
ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector")
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
incident.leveraged_ttps.append(ttp)
indicator = Indicator(title="Conpot Event")
indicator.description = "Conpot network event"
indicator.confidence = "High"
source_port = Port.from_dict({'port_value': event['remote'][1], 'layer4_protocol': 'tcp'})
dest_port = Port.from_dict({'port_value': self.protocol_to_port_mapping[event['data_type']],
'layer4_protocol': 'tcp'})
source_ip = Address.from_dict({'address_value': event['remote'][0], 'category': Address.CAT_IPV4})
dest_ip = Address.from_dict({'address_value': event['public_ip'], 'category': Address.CAT_IPV4})
source_address = SocketAddress.from_dict({'ip_address': source_ip.to_dict(), 'port': source_port.to_dict()})
dest_address = SocketAddress.from_dict({'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict()})
network_connection = NetworkConnection.from_dict(
{'source_socket_address': source_address.to_dict(),
'destination_socket_address': dest_address.to_dict(),
'layer3_protocol': u"IPv4",
'layer4_protocol': u"TCP",
'layer7_protocol': event['data_type'],
'source_tcp_state': u"ESTABLISHED",
'destination_tcp_state': u"ESTABLISHED",
}
)
indicator.add_observable(Observable(network_connection))
artifact = Artifact()
artifact.data = json.dumps(event['data'])
artifact.packaging.append(ZlibCompression())
artifact.packaging.append(Base64Encoding())
indicator.add_observable(Observable(artifact))
incident.related_indicators.append(indicator)
stix_package.add_incident(incident)
stix_package_xml = stix_package.to_xml()
return stix_package_xml
