def test_roundtrip_basic(self):
        msg_dict = {
            "header": {"from": "*****@*****.**", "to": ["*****@*****.**"], "subject": "Howdy!"},
            "raw_body": "This is a test. This is only a test.",
        }
        msg_obj = EmailMessage.object_from_dict(msg_dict)
        msg_dict2 = EmailMessage.dict_from_object(msg_obj)

        # Don't want to compare dictionaries directly since email addresses
        # will have been expanded to full dictionaries with "address_value"
        # and "category"
        self.assertEqual(msg_dict2["header"]["from"]["address_value"], msg_dict["header"]["from"])
        self.assertEqual(msg_dict2["header"]["to"][0]["address_value"], msg_dict["header"]["to"][0])
        self.assertEqual(msg_dict2["header"]["subject"], msg_dict["header"]["subject"])
        self.assertEqual(msg_dict2["raw_body"], msg_dict["raw_body"])
        self.assertEqual(msg_dict2["xsi:type"], EmailMessage._XSI_TYPE)

        # Make sure extra keys didn't sneak into the output.
        self.assertFalse("attachments" in msg_dict2)
        self.assertFalse("optional_header" in msg_dict2)
        self.assertFalse("email_server" in msg_dict2)
        self.assertFalse("raw_header" in msg_dict2)
        self.assertFalse("cc" in msg_dict2["header"])
        self.assertFalse("bcc" in msg_dict2["header"])
        self.assertFalse("in_reply_to" in msg_dict2["header"])
        self.assertFalse("date" in msg_dict2["header"])
        self.assertFalse("message_id" in msg_dict2["header"])
        self.assertFalse("sender" in msg_dict2["header"])
        self.assertFalse("reply_to" in msg_dict2["header"])
        self.assertFalse("errors_to" in msg_dict2["header"])
Ejemplo n.º 2
0
 def add_email_observable(self, headers):
     e = EmailMessage()
     h = EmailHeader.from_dict(headers)
     e.header = h
     self.__emails.add(e)
     email_observable = Observable(e)
     self.email_indicator.add_observable(email_observable)
Ejemplo n.º 3
0
def generateEmailAttachmentObject(indicator, filename):
    file_object = File()
    file_object.file_name = filename
    email = EmailMessage()
    email.attachments = Attachments()
    email.add_related(file_object, "Contains", inline=True)
    email.attachments.append(file_object.parent.id_)
    indicator.observable = email
Ejemplo n.º 4
0
def generateEmailAttachmentObject(indicator, filename):
    file_object = File()
    file_object.file_name = filename
    email = EmailMessage()
    email.attachments = Attachments()
    email.add_related(file_object, "Contains", inline=True)
    email.attachments.append(file_object.parent.id_)
    indicator.observable = email
    def test_get_namespaces(self):
        m = EmailMessage()
        m.to = "*****@*****.**"
        m.subject = "Here's a cool picture"
        m.links = Links()
        u = URI("http://example.com/cool.jpg", URI.TYPE_URL)
        m.links.append(u.parent.id_)

        self.assertEqual(5, len(Observables([u, m])._get_namespaces()))
Ejemplo n.º 6
0
def main():
    m = EmailMessage()
    m.from_ = ["*****@*****.**",
               "*****@*****.**",
               "*****@*****.**"]
    m.from_.condition = "Equals"
    m.subject = "New modifications to the specification"
    m.subject.condition = "Equals"

    print(Observables(m).to_xml())
Ejemplo n.º 7
0
    def to_cybox(self, exclude=None):
        """
        Convert an email to a CybOX Observables.

        Pass parameter exclude to specify fields that should not be
        included in the returned object.

        Returns a tuple of (CybOX object, releasability list).

        To get the cybox object as xml or json, call to_xml() or
        to_json(), respectively, on the resulting CybOX object.
        """

        if exclude == None:
            exclude = []

        observables = []

        obj = EmailMessage()
        # Assume there is going to be at least one header
        obj.header = EmailHeader()

        if 'message_id' not in exclude:
            obj.header.message_id = String(self.message_id)

        if 'subject' not in exclude:
            obj.header.subject = String(self.subject)

        if 'sender' not in exclude:
            obj.header.sender = Address(self.reply_to, Address.CAT_EMAIL)

        if 'reply_to' not in exclude:
            obj.header.reply_to = Address(self.reply_to, Address.CAT_EMAIL)

        if 'x_originating_ip' not in exclude:
            obj.header.x_originating_ip = Address(self.x_originating_ip,
                                                  Address.CAT_IPV4)

        if 'raw_body' not in exclude:
            obj.raw_body = self.raw_body

        if 'raw_header' not in exclude:
            obj.raw_header = self.raw_header

        #copy fields where the names differ between objects
        if 'helo' not in exclude and 'email_server' not in exclude:
            obj.email_server = String(self.helo)
        if ('from_' not in exclude and 'from' not in exclude and
            'from_address' not in exclude):
            obj.header.from_ = EmailAddress(self.from_address)
        if 'date' not in exclude and 'isodate' not in exclude:
            obj.header.date = DateTime(self.isodate)

        observables.append(Observable(obj))
        return (observables, self.releasability)
def main():
    stix_package = STIXPackage()
    ttp = TTP(title="Phishing")
    stix_package.add_ttp(ttp)

    # Create the indicator for just the subject
    email_subject_object = EmailMessage()
    email_subject_object.header = EmailHeader()
    email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
    email_subject_object.header.subject.condition = "StartsWith"
    
    email_subject_indicator = Indicator()
    email_subject_indicator.title = "Malicious E-mail Subject Line"
    email_subject_indicator.add_indicator_type("Malicious E-mail")
    email_subject_indicator.observable = email_subject_object
    email_subject_indicator.confidence = "Low"

    # Create the indicator for just the attachment

    file_attachment_object = EmailMessage()
    file_attachment_object.attachments = Attachments()

    attached_file_object = File()
    attached_file_object.file_name = "Final Report"
    attached_file_object.file_name.condition = "StartsWith"
    attached_file_object.file_extension = "doc.exe"
    attached_file_object.file_extension.condition = "Equals"

    file_attachment_object.add_related(attached_file_object, "Contains", inline=True)
    file_attachment_object.attachments.append(file_attachment_object.parent.id_)
    
    indicator_attachment = Indicator()
    indicator_attachment.title = "Malicious E-mail Attachment"
    indicator_attachment.add_indicator_type("Malicious E-mail")
    indicator_attachment.observable = file_attachment_object
    indicator_attachment.confidence = "Low"

    # Create the combined indicator w/ both subject an attachment
    full_email_object = EmailMessage()
    full_email_object.attachments = Attachments()

    # Add the previously referenced file as another reference rather than define it again:
    full_email_object.attachments.append(file_attachment_object.parent.id_)

    full_email_object.header = EmailHeader()
    full_email_object.header.subject = "[IMPORTANT] Please Review Before"
    full_email_object.header.subject.condition = "StartsWith"

    combined_indicator = Indicator(title="Malicious E-mail")
    combined_indicator.add_indicator_type("Malicious E-mail")
    combined_indicator.confidence = Confidence(value="High")
    combined_indicator.observable = full_email_object
    
    email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_))
    combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    
    stix_package.indicators = [combined_indicator, email_subject_indicator, indicator_attachment]
    print stix_package.to_xml()
Ejemplo n.º 9
0
def resolveEmailObservable(attribute):
    new_object = EmailMessage()
    email_header = EmailHeader()
    if (attribute["type"] == "email-src"):
        email_header.from_ = attribute["value"]
    elif (attribute["type"] == "email-dst"):
        email_header.to = attribute["value"]
    else:
        email_header.subject = attribute["value"]
    new_object.header = email_header
    return new_object
Ejemplo n.º 10
0
def resolveEmailObservable(attribute):
    new_object = EmailMessage()
    email_header = EmailHeader()
    if (attribute["type"] == "email-src"):
        email_header.from_ = attribute["value"]
    elif(attribute["type"] == "email-dst"):
        email_header.to = attribute["value"]
    else:
        email_header.subject = attribute["value"]
    new_object.header = email_header
    return new_object
Ejemplo n.º 11
0
def resolveEmailObservable(indicator, attribute):
    indicator.add_indicator_type("Malicious E-mail")
    new_object = EmailMessage()
    email_header = EmailHeader()
    if (attribute["type"] == "email-src"):
        email_header.from_ = attribute["value"]
    elif (attribute["type"] == "email-dst"):
        email_header.to = attribute["value"]
    else:
        email_header.subject = attribute["value"]
    new_object.header = email_header
    return new_object
Ejemplo n.º 12
0
def generateEmailAttachmentObject(indicator, attribute):
    file_object = File()
    file_object.file_name = attribute["value"]
    email = EmailMessage()
    email.attachments = Attachments()
    email.add_related(file_object, "Contains", inline=True)
    file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
    email.attachments.append(file_object.parent.id_)
    email.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":EmailMessage-" + attribute["uuid"]
    observable = Observable(email)
    observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
    indicator.observable = observable
Ejemplo n.º 13
0
def resolveEmailObservable(indicator, attribute):
    indicator.add_indicator_type("Malicious E-mail")
    new_object = EmailMessage()
    email_header = EmailHeader()
    if (attribute["type"] == "email-src"):
        email_header.from_ = attribute["value"]
    elif(attribute["type"] == "email-dst"):
        email_header.to = attribute["value"]
    else:
        email_header.subject = attribute["value"]
    new_object.header = email_header
    return new_object
Ejemplo n.º 14
0
def generateEmailAttachmentObject(indicator, attribute):
    file_object = File()
    file_object.file_name = attribute["value"]
    file_object.file_name.condition = "Equals"
    email = EmailMessage()
    email.attachments = Attachments()
    email.add_related(file_object, "Contains", inline=True)
    file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
    email.attachments.append(file_object.parent.id_)
    email.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":EmailMessage-" + attribute["uuid"]
    observable = Observable(email)
    observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
    indicator.observable = observable
Ejemplo n.º 15
0
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    m = EmailMessage()
    m.from_ = ["*****@*****.**",
               "*****@*****.**",
               "*****@*****.**"]
    m.from_.condition = "Equals"
    m.subject = "New modifications to the specification"
    m.subject.condition = "Equals"

    print(Observables(m).to_xml())
Ejemplo n.º 16
0
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    m = EmailMessage()
    m.from_ = ["*****@*****.**",
               "*****@*****.**",
               "*****@*****.**"]
    m.from_.condition = "Equals"
    m.subject = "New modifications to the specification"
    m.subject.condition = "Equals"

    print Observables(m).to_xml()
Ejemplo n.º 17
0
 def generate_email_attachment_object(self, indicator, attribute):
     attribute_uuid = attribute.uuid
     file_object = File()
     file_object.file_name = attribute.value
     file_object.file_name.condition = "Equals"
     file_object.parent.id_ = "{}:FileObject-{}".format(self.namespace_prefix, attribute_uuid)
     email = EmailMessage()
     email.attachments = Attachments()
     email.add_related(file_object, "Contains", inline=True)
     email.attachments.append(file_object.parent.id_)
     email.parent.id_ = "{}:EmailMessageObject-{}".format(self.namespace_prefix, attribute_uuid)
     observable = Observable(email)
     observable.id_ = "{}:observable-{}".format(self.namespace_prefix, attribute_uuid)
     indicator.observable = observable
Ejemplo n.º 18
0
 def __get_inspected_objs(self, source_file):
     email1 = EmailMessage()
     email1.from_ = '*****@*****.**'
     email1.to = '*****@*****.**'
     email1.subject = 'Subject1'
     email1.date = DateTime('21-06-2015T19:52:00')
     email1.add_related(source_file, "Extracted_From", inline=False)
     return [email1]
Ejemplo n.º 19
0
    def test_get_namespaces(self):
        m = EmailMessage()
        m.to = "*****@*****.**"
        m.subject = "Here's a cool picture"
        m.links = Links()
        u = URI("http://example.com/cool.jpg", URI.TYPE_URL)
        m.links.append(u.parent.id_)

        o = Observables([u, m])
        print o.to_xml()
        actual_namespaces = o._get_namespaces()

        print "\n".join([str(x) for x in actual_namespaces])

        self.assertEqual(5, len(actual_namespaces))
Ejemplo n.º 20
0
    def test_get_namespaces(self):
        m = EmailMessage()
        m.to = "*****@*****.**"
        m.subject = "Here's a cool picture"
        m.links = Links()
        u = URI("http://example.com/cool.jpg", URI.TYPE_URL)
        m.links.append(u.parent.id_)

        o = Observables([u, m])
        logger.info(o.to_xml())
        actual_namespaces = o._get_namespaces()

        logger.info("\n".join([str(x) for x in actual_namespaces]))

        self.assertEqual(5, len(actual_namespaces))
Ejemplo n.º 21
0
    def test_from_date(self):
        date_str = "Thu, 14 Feb 2013 11:28:42 -0500"
        isoformat = "2013-02-14T11:28:42-05:00"

        d = {'header': {'date': date_str}}
        msg = EmailMessage.from_dict(d)
        self.assertEqual(msg.date.serialized_value, isoformat)
Ejemplo n.º 22
0
 def resolve_email_observable(indicator, attribute):
     attribute_type = attribute.type
     indicator.add_indicator_type("Malicious E-mail")
     new_object = EmailMessage()
     email_header = EmailHeader()
     if attribute_type == 'email-src':
         email_header.from_ = attribute.value
         email_header.from_.condition = "Equals"
     if attribute_type == 'email-dst':
         email_header.to = attribute.value
         email_header.to.condition = "Equals"
     else:
         email_header.subject = attribute.value
         email_header.subject.condition = "Equals"
     new_object.header = email_header
     return new_object
Ejemplo n.º 23
0
    def test_from_date(self):
        date_str = "Thu, 14 Feb 2013 11:28:42 -0500"
        isoformat = "2013-02-14T11:28:42-05:00"

        d = {'header': {'date': date_str}}
        msg = EmailMessage.from_dict(d)
        self.assertEqual(msg.date.serialized_value, isoformat)
Ejemplo n.º 24
0
def main():
    print '<?xml version="1.0" encoding="UTF-8"?>'

    attachment = File()
    attachment.file_name = "FooBar Specification (critical revision).doc"
    attachment.add_hash(Hash("4EC0027BEF4D7E1786A04D021FA8A67F"))

    email = EmailMessage()
    email.attachments.append(attachment)
    email.subject = String("New modifications to the specification")
    email.to = EmailRecipients(EmailAddress("*****@*****.**"),
                               EmailAddress("*****@*****.**"))
    email.from_ = EmailAddress("*****@*****.**")


    print Observables(email).to_xml()
Ejemplo n.º 25
0
def make_cybox_object(type_, name=None, value=None):
    """
    Converts type_, name, and value to a CybOX object instance.

    :param type_: The object type.
    :type type_: str
    :param name: The object name.
    :type name: str
    :param value: The object value.
    :type value: str
    :returns: CybOX object
    """

    if type_ == "Address":
        return Address(category=name, address_value=value)
    elif type_ == "Email Message":
        e = EmailMessage()
        e.raw_body = value
        return e
    #TODO: Http Request Header Fields not implemented?
    #elif type_ == "Http Request Header Fields":
    #pass
    #TODO: Mutex object type is incomplete
    #elif type_ == "Mutex":
    #return Mutex.object_from_dict({'name': value})
    #TODO: use Byte_Run object?
    #elif type_ == "String":
    #pass
    elif type_ == "URI":
        #return URI(type_=name, value=value)
        r = URI()
        r.type_ = name
        r.value = value
        return r
    #TODO: Win_File incomplete
    #elif type_ == "Win File":
    #TODO: Registry_Key incomplete
    #elif type_ == "Win Handle" and name == "RegistryKey":
    #return Registry_Key.object_from_dict({'key':value})
    raise UnsupportedCybOXObjectTypeError(type_, name)
Ejemplo n.º 26
0
def make_cybox_object(type_, name=None, value=None):
    """
    Converts type_, name, and value to a CybOX object instance.

    :param type_: The object type.
    :type type_: str
    :param name: The object name.
    :type name: str
    :param value: The object value.
    :type value: str
    :returns: CybOX object
    """

    if type_ == "Address":
        return Address(category=name, address_value=value)
    elif type_ == "Email Message":
        e = EmailMessage()
        e.raw_body = value
        return e
    #TODO: Http Request Header Fields not implemented?
    #elif type_ == "Http Request Header Fields":
        #pass
    #TODO: Mutex object type is incomplete
    #elif type_ == "Mutex":
        #return Mutex.object_from_dict({'name': value})
    #TODO: use Byte_Run object?
    #elif type_ == "String":
       #pass
    elif type_ == "URI":
        #return URI(type_=name, value=value)
        r = URI()
        r.type_ = name
        r.value = value
        return r
    #TODO: Win_File incomplete
    #elif type_ == "Win File":
    #TODO: Registry_Key incomplete
    #elif type_ == "Win Handle" and name == "RegistryKey":
        #return Registry_Key.object_from_dict({'key':value})
    raise UnsupportedCybOXObjectTypeError(type_, name)
Ejemplo n.º 27
0
def main():
    m = EmailMessage()
    m.to = ["*****@*****.**", "*****@*****.**"]
    m.from_ = "*****@*****.**"
    m.subject = "New modifications to the specification"

    a = Address("192.168.1.1", Address.CAT_IPV4)

    m.add_related(a, "Received_From", inline=False)

    print(Observables([m, a]).to_xml(encoding=None))
Ejemplo n.º 28
0
    def test_roundtrip_basic(self):
        msg_dict = {'header': {
                                'from': "*****@*****.**",
                                'to': ["*****@*****.**"],
                                'subject': "Howdy!"
                               },
                     'raw_body': "This is a test. This is only a test.",
                    }
        msg_obj = EmailMessage.object_from_dict(msg_dict)
        msg_dict2 = EmailMessage.dict_from_object(msg_obj)

        # Don't want to compare dictionaries directly since email addresses
        # will have been expanded to full dictionaries with "address_value"
        # and "category"
        self.assertEqual(msg_dict2['header']['from']['address_value'],
                         msg_dict['header']['from'])
        self.assertEqual(msg_dict2['header']['to'][0]['address_value'],
                         msg_dict['header']['to'][0])
        self.assertEqual(msg_dict2['header']['subject'],
                         msg_dict['header']['subject'])
        self.assertEqual(msg_dict2['raw_body'],
                         msg_dict['raw_body'])
        self.assertEqual(msg_dict2['xsi:type'], EmailMessage._XSI_TYPE)

        # Make sure extra keys didn't sneak into the output.
        self.assertFalse('attachments' in msg_dict2)
        self.assertFalse('optional_header' in msg_dict2)
        self.assertFalse('email_server' in msg_dict2)
        self.assertFalse('raw_header' in msg_dict2)
        self.assertFalse('cc' in msg_dict2['header'])
        self.assertFalse('bcc' in msg_dict2['header'])
        self.assertFalse('in_reply_to' in msg_dict2['header'])
        self.assertFalse('date' in msg_dict2['header'])
        self.assertFalse('message_id' in msg_dict2['header'])
        self.assertFalse('sender' in msg_dict2['header'])
        self.assertFalse('reply_to' in msg_dict2['header'])
        self.assertFalse('errors_to' in msg_dict2['header'])
Ejemplo n.º 29
0
    def test_roundtrip_basic(self):
        msg_dict = {
            'header': {
                'from': "*****@*****.**",
                'to': ["*****@*****.**"],
                'subject': "Howdy!"
            },
            'raw_body': "This is a test. This is only a test.",
        }
        msg_obj = EmailMessage.object_from_dict(msg_dict)
        msg_dict2 = EmailMessage.dict_from_object(msg_obj)

        # Don't want to compare dictionaries directly since email addresses
        # will have been expanded to full dictionaries with "address_value"
        # and "category"
        self.assertEqual(msg_dict2['header']['from']['address_value'],
                         msg_dict['header']['from'])
        self.assertEqual(msg_dict2['header']['to'][0]['address_value'],
                         msg_dict['header']['to'][0])
        self.assertEqual(msg_dict2['header']['subject'],
                         msg_dict['header']['subject'])
        self.assertEqual(msg_dict2['raw_body'], msg_dict['raw_body'])
        self.assertEqual(msg_dict2['xsi:type'], EmailMessage._XSI_TYPE)

        # Make sure extra keys didn't sneak into the output.
        self.assertFalse('attachments' in msg_dict2)
        self.assertFalse('optional_header' in msg_dict2)
        self.assertFalse('email_server' in msg_dict2)
        self.assertFalse('raw_header' in msg_dict2)
        self.assertFalse('cc' in msg_dict2['header'])
        self.assertFalse('bcc' in msg_dict2['header'])
        self.assertFalse('in_reply_to' in msg_dict2['header'])
        self.assertFalse('date' in msg_dict2['header'])
        self.assertFalse('message_id' in msg_dict2['header'])
        self.assertFalse('sender' in msg_dict2['header'])
        self.assertFalse('reply_to' in msg_dict2['header'])
        self.assertFalse('errors_to' in msg_dict2['header'])
Ejemplo n.º 30
0
    def to_cybox(self, exclude=None):
        """
        Convert an email to a CybOX Observables.

        Pass parameter exclude to specify fields that should not be
        included in the returned object.

        Returns a tuple of (CybOX object, releasability list).

        To get the cybox object as xml or json, call to_xml() or
        to_json(), respectively, on the resulting CybOX object.
        """

        if exclude == None:
            exclude = []

        observables = []

        obj = EmailMessage()
        # Assume there is going to be at least one header
        obj.header = EmailHeader()

        if 'message_id' not in exclude:
            obj.header.message_id = String(self.message_id)

        if 'subject' not in exclude:
            obj.header.subject = String(self.subject)

        if 'sender' not in exclude:
            obj.header.sender = Address(self.reply_to, Address.CAT_EMAIL)

        if 'reply_to' not in exclude:
            obj.header.reply_to = Address(self.reply_to, Address.CAT_EMAIL)

        if 'x_originating_ip' not in exclude:
            obj.header.x_originating_ip = Address(self.x_originating_ip,
                                                  Address.CAT_IPV4)

        if 'raw_body' not in exclude:
            obj.raw_body = self.raw_body

        if 'raw_header' not in exclude:
            obj.raw_header = self.raw_header

        #copy fields where the names differ between objects
        if 'helo' not in exclude and 'email_server' not in exclude:
            obj.email_server = String(self.helo)
        if ('from_' not in exclude and 'from' not in exclude
                and 'from_address' not in exclude):
            obj.header.from_ = EmailAddress(self.from_address)
        if 'date' not in exclude and 'isodate' not in exclude:
            obj.header.date = DateTime(self.isodate)

        observables.append(Observable(obj))
        return (observables, self.releasability)
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    m = EmailMessage()
    m.to = ["*****@*****.**", "*****@*****.**"]
    m.from_ = "*****@*****.**"
    m.subject = "New modifications to the specification"

    a = Address("192.168.1.1", Address.CAT_IPV4)

    m.add_related(a, "Received_From", inline=False)

    print Observables([m, a]).to_xml()
Ejemplo n.º 32
0
def main():
    m = EmailMessage()
    m.to = ["*****@*****.**", "*****@*****.**"]
    m.from_ = "*****@*****.**"
    m.subject = "New modifications to the specification"

    a = Address("192.168.1.1", Address.CAT_IPV4)

    m.add_related(a, "Received_From", inline=False)

    print(Observables([m, a]).to_xml(encoding=None))
Ejemplo n.º 33
0
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    m = EmailMessage()
    m.to = ["*****@*****.**", "*****@*****.**"]
    m.from_ = "*****@*****.**"
    m.subject = "New modifications to the specification"

    a = Address("192.168.1.1", Address.CAT_IPV4)

    m.add_related(a, "Received_From", inline=False)

    print(Observables([m, a]).to_xml())
Ejemplo n.º 34
0
    def __parse_email_message(self, msg):
        """ Parses the supplied message
        Returns a map of message parts expressed as cybox objects.

        Keys: 'message', 'files', 'urls'
        """
        
        files       = []
        url_list    = []
        domain_list = []
        message     = EmailMessage()

        # Headers are required (for now)
        message.header = self.__create_cybox_headers(msg)

        if self.include_attachments:
            files = self.__create_cybox_files(msg)
            message.attachments = Attachments()
            for f in files:
                message.attachments.append(f.parent.id_)
                f.add_related(message, "Contained_Within", inline=False)

        if self.include_raw_headers:
            raw_headers_str = self.__get_raw_headers(msg).strip()
            if raw_headers_str:
                message.raw_header = String(raw_headers_str)

        # need this for parsing urls AND raw body text
        raw_body = "\n".join(self.__get_raw_body_text(msg)).strip()

        if self.include_raw_body and raw_body:
            message.raw_body = String(raw_body)

        if self.include_urls:
            (url_list, domain_list) = self.__parse_urls(raw_body)
            if url_list:
                links = Links()
                for u in url_list:
                    links.append(LinkReference(u.parent.id_))
                if links:
                    message.links = links

        # Return a list of all objects we've built
        return [message] + files + url_list + domain_list
Ejemplo n.º 35
0
 def get_observable(self):
     if self.type_ == 'md5':
         o_ = File()
         o_.md5 = self.value
     elif self.type_ == 'sha1':
         o_ = File()
         o_.sha1 = self.value
     elif self.type_ == 'sha256':
         o_ = File()
         o_.sha256 = self.value
     elif self.type_ == 'sha512':
         o_ = File()
         o_.sha256 = self.value
     elif self.type_ == 'url':
         o_ = URI(value=self.value, type_=URI.TYPE_URL)
     elif self.type_ == 'hostname':
         o_ = DomainName()
         o_.value = self.value
         o_.type_ = 'FQDN'
     elif self.type_ == 'domain':
         o_ = DomainName()
         o_.value = self.value
         o_.type_ = 'domain'
     elif self.type_ == 'ip-dst':
         o_ = Address(address_value=self.value, category=Address.CAT_IPV4)
         o_.is_destination = True
         o_.is_Source = False
     elif self.type_ == 'email-src':
         o_ = Address(address_value=self.value, category=Address.CAT_EMAIL)
     elif self.type_ == 'email-subject':
         o_ = EmailMessage()
         o_.subject = self.value
     else:
         # print 'skip>>>>: type_: ' + str(self.type_)
         o_ = None
     return o_
Ejemplo n.º 36
0
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    # �I�u�W�F�N�g�̍쐬�iEmailMesage)
    m = EmailMessage()
    # �I�u�W�F�N�g�Ɋ֘A�t��
    m.to = ["*****@*****.**", "*****@*****.**"]
    m.from_ = "*****@*****.**"
    m.subject = "New modifications to the specification"

    # �I�u�W�F�N�g�̍쐬�iAdress)
    a = Address("192.168.1.1", Address.CAT_IPV4)

    # �I�u�W�F�N�g�Ԃ̊֘A
    m.add_related(a, "Received_From", inline=False)
    a.add_related(m, "Received_to", inline=False)

    print Observables([m, a]).to_xml()
Ejemplo n.º 37
0
def json2observable(config, src, dest, endpoint, json_, crits_id):
    # TODO split into smaller functions
    '''transform crits observables into cybox'''
    try:
        set_id_method(IDGenerator.METHOD_UUID)
        xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
        xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
        set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
        if endpoint == 'ips':
            crits_types = {
                'Address - cidr': 'cidr',
                'Address - ipv4-addr': 'ipv4-addr',
                'Address - ipv4-net': 'ipv4-net',
                'Address - ipv4-net-mask': 'ipv4-netmask',
                'Address - ipv6-addr': 'ipv6-addr',
                'Address - ipv6-net': 'ipv6-net',
                'Address - ipv6-net-mask': 'ipv6-netmask'
            }
            addr = Address(address_value=json_['ip'],
                           category=crits_types[json_['type']])
            addr.condition = 'Equals'
            observable_ = Observable(addr)
        elif endpoint == 'domains':
            domain = DomainName()
            domain.type_ = 'FQDN'
            domain.value = json_['domain']
            domain.condition = 'Equals'
            observable_ = Observable(domain)
        elif endpoint == 'samples':
            crits_types = {
                'md5': 'MD5',
                'sha1': 'SHA1',
                'sha224': 'SHA224',
                'sha256': 'SHA256',
                'sha384': 'SHA384',
                'sha512': 'SHA512',
                'ssdeep': 'SSDEEP'
            }
            file_object = File()
            file_object.file_name = json_['filename']
            for hash in crits_types.keys():
                if hash in json_:
                    file_object.add_hash(
                        Hash(json_[hash], type_=crits_types[hash]))
            for i in file_object.hashes:
                i.simple_hash_value.condition = "Equals"
            observable_ = Observable(file_object)
        elif endpoint == 'emails':
            crits_types = {
                'subject': 'subject',
                'to': 'to',
                'cc': 'cc',
                'from_address': 'from_',
                'sender': 'sender',
                'date': 'date',
                'message_id': 'message_id',
                'reply_to': 'reply_to',
                'boundary': 'boundary',
                'x_mailer': 'x_mailer',
                'x_originating_ip': 'x_originating_ip'
            }
            email = EmailMessage()
            email.header = EmailHeader()
            for k in crits_types.keys():
                val = json_.get(k, None)
                if val:
                    email.header.__setattr__(crits_types[k], val)
                    email.header.__getattribute__(crits_types[k]).condition = \
                        'Equals'
            observable_ = Observable(email)
        else:
            config['logger'].error(
                log.log_messages['unsupported_object_error'].format(
                    type_='crits', obj_type=endpoint, id_=crits_id))
            return (None)
        observable_.id = xmlns_name + ':observable-' + crits_id
        observable_.id_ = observable_.id
        return (observable_)
    except:
        e = sys.exc_info()[0]
        config['logger'].error(log.log_messages['obj_convert_error'].format(
            src_type='crits',
            src_obj='observable',
            id_=crits_id,
            dest_type='cybox',
            dest_obj='observable'))
        config['logger'].exception(e)
        return (None)
Ejemplo n.º 38
0
def gen_stix_observable_sample(
    config,
    target=None,
    datatype=None,
    title="random test data",
    description="random test data",
    package_intents="Indicators - Watchlist",
    tlp_color="WHITE",
):
    """generate sample stix data comprised of indicator_count
    indicators of type datatype"""
    # setup the xmlns...
    xmlns_url = config["edge"]["sites"][target]["stix"]["xmlns_url"]
    xmlns_name = config["edge"]["sites"][target]["stix"]["xmlns_name"]
    set_stix_id_namespace({xmlns_url: xmlns_name})
    set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
    # construct a stix package...
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = title
    stix_header.description = description
    stix_header.package_intents = package_intents
    marking = MarkingSpecification()
    marking.controlled_structure = "../../../../descendant-or-self::node()"
    tlp_marking = TLPMarkingStructure()
    tlp_marking.color = tlp_color
    marking.marking_structures.append(tlp_marking)
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking)
    # ...and stuff it full of random sample data :-)
    if datatype == "ip":
        addr = Address(address_value=datagen_.generate_random_ip_address(), category="ipv4-addr")
        addr.condition = "Equals"
        stix_package.add_observable(Observable(addr))
    elif datatype == "domain":
        domain = DomainName()
        domain.type_ = "FQDN"
        domain.value = datagen_.generate_random_domain(config)
        domain.condition = "Equals"
        stix_package.add_observable(Observable(domain))
    elif datatype == "filehash":
        file_object = File()
        file_object.file_name = str(uuid.uuid4()) + ".exe"
        hashes = datagen_.generate_random_hashes()
        for hash in hashes.keys():
            file_object.add_hash(Hash(hashes[hash], type_=hash.upper()))
            for i in file_object.hashes:
                i.simple_hash_value.condition = "Equals"
        stix_package.add_observable(Observable(file_object))
    elif datatype == "email":
        try:
            msg = datagen_.get_random_spam_msg(config)
            email = EmailMessage()
            email.header = EmailHeader()
            header_map = {
                "Subject": "subject",
                "To": "to",
                "Cc": "cc",
                "Bcc": "bcc",
                "From": "from_",
                "Sender": "sender",
                "Date": "date",
                "Message-ID": "message_id",
                "Reply-To": "reply_to",
                "In-Reply-To": "in_reply_to",
                "Content-Type": "content_type",
                "Errors-To": "errors_to",
                "Precedence": "precedence",
                "Boundary": "boundary",
                "MIME-Version": "mime_version",
                "X-Mailer": "x_mailer",
                "User-Agent": "user_agent",
                "X-Originating-IP": "x_originating_ip",
                "X-Priority": "x_priority",
            }
            # TODO handle received_lines
            for key in header_map.keys():
                val = msg.get(key, None)
                if val:
                    email.header.__setattr__(header_map[key], val)
                    email.header.__getattribute__(header_map[key]).condition = "Equals"
            # TODO handle email bodies (it's mostly all there except for
            #      handling weird text encoding problems that were making
            #      libcybox stacktrace)
            # body = get_email_payload(random_spam_msg)
            # if body:
            #     email.raw_body = body
            stix_package.add_observable(Observable(email))
        except:
            return None
    observable_id = stix_package.observables.observables[0].id_
    return (observable_id, stix_package)
Ejemplo n.º 39
0
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"):
    """
    Convert a CRITs TLO to a CybOX Observable.

    :param obj: The TLO to convert.
    :type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes`
    :param exclude: Attributes to exclude.
    :type exclude: list
    :param bin_fmt: The format for the binary (if applicable).
    :type bin_fmt: str
    """

    type_ = obj._meta['crits_type']
    if type_ == 'Certificate':
        custom_prop = Property(
        )  # make a custom property so CRITs import can identify Certificate exports
        custom_prop.name = "crits_type"
        custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
        custom_prop._value = "Certificate"
        obje = File()  # represent cert information as file
        obje.md5 = obj.md5
        obje.file_name = obj.filename
        obje.file_format = obj.filetype
        obje.size_in_bytes = obj.size
        obje.custom_properties = CustomProperties()
        obje.custom_properties.append(custom_prop)
        obs = Observable(obje)
        obs.description = obj.description
        data = obj.filedata.read()
        if data:  # if cert data available
            a = Artifact(data, Artifact.TYPE_FILE)  # create artifact w/data
            a.packaging.append(Base64Encoding())
            obje.add_related(a, "Child_Of")  # relate artifact to file
        return ([obs], obj.releasability)
    elif type_ == 'Domain':
        obje = DomainName()
        obje.value = obj.domain
        obje.type_ = obj.record_type
        return ([Observable(obje)], obj.releasability)
    elif type_ == 'Email':
        if exclude == None:
            exclude = []

        observables = []

        obje = EmailMessage()
        # Assume there is going to be at least one header
        obje.header = EmailHeader()

        if 'message_id' not in exclude:
            obje.header.message_id = String(obj.message_id)

        if 'subject' not in exclude:
            obje.header.subject = String(obj.subject)

        if 'sender' not in exclude:
            obje.header.sender = Address(obj.sender, Address.CAT_EMAIL)

        if 'reply_to' not in exclude:
            obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL)

        if 'x_originating_ip' not in exclude:
            obje.header.x_originating_ip = Address(obj.x_originating_ip,
                                                   Address.CAT_IPV4)

        if 'x_mailer' not in exclude:
            obje.header.x_mailer = String(obj.x_mailer)

        if 'boundary' not in exclude:
            obje.header.boundary = String(obj.boundary)

        if 'raw_body' not in exclude:
            obje.raw_body = obj.raw_body

        if 'raw_header' not in exclude:
            obje.raw_header = obj.raw_header

        #copy fields where the names differ between objects
        if 'helo' not in exclude and 'email_server' not in exclude:
            obje.email_server = String(obj.helo)
        if ('from_' not in exclude and 'from' not in exclude
                and 'from_address' not in exclude):
            obje.header.from_ = EmailAddress(obj.from_address)
        if 'date' not in exclude and 'isodate' not in exclude:
            obje.header.date = DateTime(obj.isodate)

        obje.attachments = Attachments()

        observables.append(Observable(obje))
        return (observables, obj.releasability)
    elif type_ == 'Indicator':
        observables = []
        obje = make_cybox_object(obj.ind_type, obj.value)
        observables.append(Observable(obje))
        return (observables, obj.releasability)
    elif type_ == 'IP':
        obje = Address()
        obje.address_value = obj.ip
        if obj.ip_type == IPTypes.IPv4_ADDRESS:
            obje.category = "ipv4-addr"
        elif obj.ip_type == IPTypes.IPv6_ADDRESS:
            obje.category = "ipv6-addr"
        elif obj.ip_type == IPTypes.IPv4_SUBNET:
            obje.category = "ipv4-net"
        elif obj.ip_type == IPTypes.IPv6_SUBNET:
            obje.category = "ipv6-subnet"
        return ([Observable(obje)], obj.releasability)
    elif type_ == 'PCAP':
        obje = File()
        obje.md5 = obj.md5
        obje.file_name = obj.filename
        obje.file_format = obj.contentType
        obje.size_in_bytes = obj.length
        obs = Observable(obje)
        obs.description = obj.description
        art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK)
        art.packaging.append(Base64Encoding())
        obje.add_related(art, "Child_Of")  # relate artifact to file
        return ([obs], obj.releasability)
    elif type_ == 'RawData':
        obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE)
        obje.packaging.append(Base64Encoding())
        obs = Observable(obje)
        obs.description = obj.description
        return ([obs], obj.releasability)
    elif type_ == 'Sample':
        if exclude == None:
            exclude = []

        observables = []
        f = File()
        for attr in ['md5', 'sha1', 'sha256']:
            if attr not in exclude:
                val = getattr(obj, attr, None)
                if val:
                    setattr(f, attr, val)
        if obj.ssdeep and 'ssdeep' not in exclude:
            f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP))
        if 'size' not in exclude and 'size_in_bytes' not in exclude:
            f.size_in_bytes = UnsignedLong(obj.size)
        if 'filename' not in exclude and 'file_name' not in exclude:
            f.file_name = obj.filename
        # create an Artifact object for the binary if it exists
        if 'filedata' not in exclude and bin_fmt:
            data = obj.filedata.read()
            if data:  # if sample data available
                a = Artifact(data,
                             Artifact.TYPE_FILE)  # create artifact w/data
                if bin_fmt == "zlib":
                    a.packaging.append(ZlibCompression())
                    a.packaging.append(Base64Encoding())
                elif bin_fmt == "base64":
                    a.packaging.append(Base64Encoding())
                f.add_related(a, "Child_Of")  # relate artifact to file
        if 'filetype' not in exclude and 'file_format' not in exclude:
            #NOTE: this doesn't work because the CybOX File object does not
            #   have any support built in for setting the filetype to a
            #   CybOX-binding friendly object (e.g., calling .to_dict() on
            #   the resulting CybOX object fails on this field.
            f.file_format = obj.filetype
        observables.append(Observable(f))
        return (observables, obj.releasability)
    else:
        return (None, None)
Ejemplo n.º 40
0
def main(iocs=iocs):

    stix_header = STIXHeader(title=iocs['title'],
                             description=iocs['desc'],
                             package_intents=["Indicators - Watchlist"])

    stix_package = STIXPackage(stix_header=stix_header)

    # add indicator - file hash
    if iocs.get('hash'):
        indicator_file_hash = Indicator(title="Malicious File")
        indicator_file_hash.add_indicator_type("File Hash Watchlist")
        for file_hash in iocs['hash']:
            file_object = File()
            file_object.add_hash(Hash(file_hash))
            file_object.hashes[0].simple_hash_value.condition = "Equals"
            file_object.hashes[0].type_.condition = "Equals"
            indicator_file_hash.add_observable(file_object)
        stix_package.add_indicator(indicator_file_hash)

    # add indicator - file name
    if iocs.get('fname'):
        indicator_filename = Indicator(title="Malicious File Name")
        for file in iocs['fname']:
            file_object = File()
            file_object.file_name = file
            indicator_filename.add_observable(file_object)
        stix_package.add_indicator(indicator_filename)

    # add indicator - ip address
    if iocs.get('ips'):
        indicator_ip = Indicator(title="Malicious IP Address")
        indicator_ip.add_indicator_type("IP Watchlist")
        for ip in iocs['ips']:
            addr = Address(address_value=ip, category=Address.CAT_IPV4)
            addr.condition = "Equals"
            indicator_ip.add_observable(addr)
        stix_package.add_indicator(indicator_ip)

    # add indicator - domains
    if iocs.get('domains'):
        indicator_domains = Indicator(title="Malicious Domains")
        indicator_domains.add_indicator_type("Domain Watchlist")
        for domain in iocs['domains']:
            domain_name = DomainName()
            domain_name.value = domain
            indicator_domains.add_observable(domain_name)
        stix_package.add_indicator(indicator_domains)

    # add indicator - url
    if iocs.get('urls'):
        indicator_url = Indicator(title='Malicious URL')
        indicator_url.add_indicator_type("URL Watchlist")
        for _url in iocs['urls']:
            url = URI()
            url.value = _url
            url.type_ = URI.TYPE_URL
            url.value.condition = "Equals"
            # url.value.condition = "Contains"
            indicator_url.add_observable(url)
        stix_package.add_indicator(indicator_url)

    # add indicator - email subject
    if iocs.get('subject'):
        indicator_email_subject = Indicator(title='Malicious E-mail Subject')
        indicator_email_subject.add_indicator_type("Malicious E-mail")
        for subject in iocs['subject']:
            email_subject_object = EmailMessage()
            email_subject_object.header = EmailHeader()
            email_subject_object.header.subject = subject
            email_subject_object.header.subject.condition = "StartsWith"
            indicator_email_subject.add_observable(email_subject_object)
        stix_package.add_indicator(indicator_email_subject)

    # add indicator - email sender
    if iocs.get('senders'):
        indicator_email_sender = Indicator(title='Malicious E-mail Sender')
        indicator_email_sender.add_indicator_type("Malicious E-mail")
        for sender in iocs['senders']:
            email_sender_object = EmailMessage()
            email_sender_object.header = EmailHeader()
            email_sender_object.header.sender = sender
            email_sender_object.header.sender.condition = "Equals"
            indicator_email_sender.add_observable(email_sender_object)
        stix_package.add_indicator(indicator_email_sender)

    # print(stix_package.to_xml(encoding=None))
    # print(type(stix_package.to_xml(encoding=None)))
    return stix_package.to_xml(encoding=None)
Ejemplo n.º 41
0
def home(request):
    """
		Name: home
		Desc: Main GUI view

	"""

    # Forms:Job,target and relay creation
    create_job_form = CreateJob(request=request, prefix="create_job")
    create_target_form = CreateTarget(request=request, prefix="create_target")
    create_relay_form = CreateRelay(request=request, prefix="create_relay")

    if request.method == "POST":

        # Remove a relay
        if "delete_relay_id" in request.POST:

            try:

                Relay.objects.get(pk=request.POST["delete_relay_id"]).delete()

            except ObjectDoesNotExist, e:

                pass

        # Create new relay
        if "create_relay-name" in request.POST:

            # Actuator creation
            create_relay_form = CreateRelay(request.POST,
                                            request=request,
                                            prefix="create_relay")
            if create_relay_form.is_valid():

                host = create_relay_form.save()
                host.save()

            # TODO - Call a sync here

        # Job Creations
        if "create_job-raw_message" in request.POST:

            new_job = Job(capability=Capability.objects.get(
                pk=request.POST["create_job-capability"]),
                          target=Target.objects.get(
                              pk=request.POST["create_job-target"]),
                          raw_message="Pending",
                          status=JobStatus.objects.get(status="Pending"),
                          created_by=request.user)

            new_job.save()

            # Now we have a pk - update the id

            command = json.loads(request.POST["create_job-raw_message"])
            command["modifiers"]["command-ref"] = new_job.id

            logger.info("Job Created\n%s" % json.dumps(command))

            new_job.raw_message = json.dumps(command, sort_keys=True,
                                             indent=4).replace(
                                                 "\t", u'\xa0\xa0\xa0\xa0\xa0')
            new_job.save()

        # Target Creations

        namespace_url = getattr(settings, "NAMESPACE_URL", None)
        namespace_id = getattr(settings, "NAMESPACE_ID", None)

        set_id_namespace(Namespace(namespace_url, namespace_id))

        if "create_target-cybox_type" in request.POST:

            cybox_type = CybOXType.objects.get(
                pk=request.POST["create_target-cybox_type"])

            if cybox_type.identifier == "cybox:NetworkConnectionObjectType":

                obs = NetworkConnection()

                # Source
                sock = SocketAddress()
                sock.ip_address = request.POST["create_target-source_address"]
                sock.ip_address.category = "ipv4-addr"
                sock.ip_address.condition = "Equals"
                sport = Port()
                sport.port_value = int(
                    request.POST["create_target-source_port"])
                sock.port = sport
                obs.source_socket_address = sock

                # Dest
                sock = SocketAddress()
                sock.ip_address = request.POST[
                    "create_target-destination_address"]
                sock.ip_address.category = "ipv4-addr"
                sock.ip_address.condition = "Equals"
                dport = Port()
                dport.port_value = int(
                    request.POST["create_target-destination_port"])
                sock.port = dport
                obs.destination_socket_address = sock

                name = "Network Connection %s:%s -> %s:%s (%s)" % (
                    request.POST["create_target-source_address"],
                    request.POST["create_target-source_port"],
                    request.POST["create_target-destination_address"],
                    request.POST["create_target-destination_port"],
                    request.POST["create_target-protocol"])

                raw_message = Observable(item=obs, title=name).to_json()

            elif cybox_type.identifier == "cybox:AddressObjectType":

                name = "Address %s " % (request.POST["create_target-address"])
                raw_message = Observable(item=Address(
                    address_value=request.POST["create_target-address"],
                    category=Address.CAT_IPV4),
                                         title=name).to_json()

            elif cybox_type.identifier == "cybox:URIObjectType":
                name = "URI %s " % (request.POST["create_target-uri"])
                obs = URI()
                obs.value = request.POST["create_target-uri"]
                obs.type_ = URI.TYPE_URL
                obs.condition = "Equals"
                raw_message = Observable(item=obs, title=name).to_json()

            elif cybox_type.identifier == "cybox:EmailMessageObjectType":
                name = "Email %s " % (
                    request.POST["create_target-email_subject"])
                obs = EmailMessage()
                obs.raw_body = request.POST["create_target-email_message"]
                obs.header = EmailHeader()
                obs.header.subject = request.POST[
                    "create_target-email_subject"]
                obs.header.subject.condition = "StartsWith"
                obs.header.to = request.POST["create_target-email_to"]
                obs.header.from_ = request.POST["create_target-email_from"]
                raw_message = Observable(item=obs, title=name).to_json()
            else:

                # Should never reach here
                raw_message = {}
                name = "Undefined Object"

            create_target_form = CreateTarget(request.POST,
                                              request=request,
                                              prefix="create_target")

            if create_target_form.is_valid():

                target = create_target_form.save(commit=False)

                target.name = name

                target.raw_message = raw_message

                target.save()
Ejemplo n.º 42
0
def gen_stix_observable_sample(config, target=None, datatype=None,
                               title='random test data',
                               description='random test data',
                               package_intents='Indicators - Watchlist',
                               tlp_color='WHITE'):
    '''generate sample stix data comprised of indicator_count
    indicators of type datatype'''
    # setup the xmlns...
    xmlns_url = config['edge']['sites'][target]['stix']['xmlns_url']
    xmlns_name = config['edge']['sites'][target]['stix']['xmlns_name']
    set_stix_id_namespace({xmlns_url: xmlns_name})
    set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
    # construct a stix package...
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = title
    stix_header.description = description
    stix_header.package_intents = package_intents
    marking = MarkingSpecification()
    marking.controlled_structure = '../../../../descendant-or-self::node()'
    tlp_marking = TLPMarkingStructure()
    tlp_marking.color = tlp_color
    marking.marking_structures.append(tlp_marking)
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking)
    # ...and stuff it full of random sample data :-)
    if datatype == 'ip':
        addr = Address(address_value=datagen.generate_random_ip_address(),
                       category='ipv4-addr')
        addr.condition = 'Equals'
        stix_package.add_observable(Observable(addr))
    elif datatype == 'domain':
        domain = DomainName()
        domain.type_ = 'FQDN'
        domain.value = datagen.generate_random_domain(config)
        domain.condition = 'Equals'
        stix_package.add_observable(Observable(domain))
    elif datatype == 'filehash':
        file_object = File()
        file_object.file_name = str(uuid.uuid4()) + '.exe'
        hashes = datagen.generate_random_hashes()
        for hash in hashes.keys():
            file_object.add_hash(Hash(hashes[hash], type_=hash.upper()))
            for i in file_object.hashes:
                i.simple_hash_value.condition = "Equals"
        stix_package.add_observable(Observable(file_object))
    elif datatype == 'email':
        try:
            msg = datagen.get_random_spam_msg(config)
            email = EmailMessage()
            email.header = EmailHeader()
            header_map = {'Subject': 'subject', 'To': 'to', 'Cc':
                          'cc', 'Bcc': 'bcc', 'From': 'from_',
                          'Sender': 'sender', 'Date': 'date',
                          'Message-ID': 'message_id', 'Reply-To':
                          'reply_to', 'In-Reply-To': 'in_reply_to',
                          'Content-Type': 'content_type', 'Errors-To':
                          'errors_to', 'Precedence': 'precedence',
                          'Boundary': 'boundary', 'MIME-Version':
                          'mime_version', 'X-Mailer': 'x_mailer',
                          'User-Agent': 'user_agent',
                          'X-Originating-IP': 'x_originating_ip',
                          'X-Priority': 'x_priority'}
            # TODO handle received_lines
            for key in header_map.keys():
                val = msg.get(key, None)
                if val:
                    email.header.__setattr__(header_map[key], val)
                    email.header.__getattribute__(header_map[key]).condition = \
                        'Equals'
            # TODO handle email bodies (it's mostly all there except for
            #      handling weird text encoding problems that were making
            #      libcybox stacktrace)
            # body = get_email_payload(random_spam_msg)
            # if body:
            #     email.raw_body = body
            stix_package.add_observable(Observable(email))
        except:
            return(None)
    observable_id = stix_package.observables.observables[0].id_
    return(observable_id, stix_package)
Ejemplo n.º 43
0
def main():
    # NOTE: ID values will differ due to being regenerated on each script execution
    pkg = STIXPackage()
    pkg.title = "Examples of Observable Composition"

    # USE CASE: single obj with single condition
    obs = File()
    obs.file_name = "foo.exe"
    obs.file_name.condition = "Contains"
    pkg.add_observable(obs)

    # USE CASE: single obj with multiple conditions
    obs = File()
    obs.file_name = "foo"
    obs.file_name.condition = "Contains"
    obs.size_in_bytes = '1896000'
    obs.size_in_bytes.condition = "Equals"
    pkg.add_observable(obs)

    # USE CASE: multiple obj with individual conditions
    obs = EmailMessage()

    obs.subject = "Syria strategic plans leaked"
    obs.subject.condition = "Equals"
    file_obj = File()
    file_obj.file_name = "bombISIS.pdf"
    file_obj.file_name.condition = "Equals"
    obs.add_related(file_obj, "Contains")

    pkg.add_observable(obs)

    # USE CASE: multiple objects  with complex condition like (A OR B) AND C

    # orcomp = either of a mutex or file are present

    orcomp = ObservableComposition()
    orcomp.operator = "OR"
    obs = Mutex()
    obs.name = 'foo'
    obs.name.condition = "Contains"

    orcomp.add(obs)

    obs = File()
    obs.file_name = "barfoobar"
    obs.file_name.condition = "Equals"

    orcomp.add(obs)

    # andcomp = the above is true AND a network connection is present
    andcomp = ObservableComposition()
    andcomp.operator = "AND"

    andcomp.add(orcomp)

    obs = NetworkConnection()
    sock = SocketAddress()
    sock.ip_address = "46.123.99.25"
    sock.ip_address.category = "ipv4-addr"
    sock.ip_address.condition = "Equals"
    obs.destination_socket_address = sock
    andcomp.add(obs)

    pkg.add_observable(andcomp)

    # USE CASE:  single object, one property with multiple values
    obs = SocketAddress()
    obs.ip_address = ['10.0.0.0', '10.0.0.1', '10.0.0.2']  # comma delimiter automagically added
    obs.ip_address.condition = "Equals"
    obs.ip_address.apply_condition = "ANY"

    pkg.add_observable(obs)

    print pkg.to_xml()
Ejemplo n.º 44
0
def make_cybox_object(type_, name=None, value=None):
    """
    Converts type_, name, and value to a CybOX object instance.

    :param type_: The object type.
    :type type_: str
    :param name: The object name.
    :type name: str
    :param value: The object value.
    :type value: str
    :returns: CybOX object
    """

    if type_ == "Account":
        acct = Account()
        acct.description = value
        return acct
    elif type_ == "Address":
        return Address(category=name, address_value=value)
    elif type_ == "Email Message":
        e = EmailMessage()
        e.raw_body = value
        return e
    elif type_ == "API":
        api = API()
        api.description = value
        return api
    elif type_ == "Artifact":
        if name == "Data Region":
            atype = Artifact.TYPE_GENERIC
        elif name == 'FileSystem Fragment':
            atype = Artifact.TYPE_FILE_SYSTEM
        elif name == 'Memory Region':
            atype = Artifact.TYPE_MEMORY
        else:
            raise UnsupportedCybOXObjectTypeError(type_, name)
        return Artifact(value, atype)
    elif type_ == "Code":
        obj = Code()
        obj.code_segment = value
        obj.type = name
        return obj
    elif type_ == "Disk":
        disk = Disk()
        disk.disk_name = type_
        disk.type = name
        return disk
    elif type_ == "Disk Partition":
        disk = DiskPartition()
        disk.device_name = type_
        disk.type = name
        return disk
    elif type_ == "DNS Query":
        r = URI()
        r.value = value
        dq = DNSQuestion()
        dq.qname = r
        d = DNSQuery()
        d.question = dq
        return d
    elif type_ == "DNS Record":
        # DNS Record indicators in CRITs are just a free form text box, there
        # is no good way to map them into the attributes of a DNSRecord cybox
        # object. So just stuff it in the description until someone tells me
        # otherwise.
        d = StructuredText(value=value)
        dr = DNSRecord()
        dr.description = d
        return dr
    elif type_ == "GUI Dialogbox":
        obj = GUIDialogbox()
        obj.box_text = value
        return obj
    elif type_ == "GUI Window":
        obj = GUIWindow()
        obj.window_display_name = value
        return obj
    elif type_ == "HTTP Request Header Fields" and name and name == "User-Agent":
        # TODO/NOTE: HTTPRequestHeaderFields has a ton of fields for info.
        #    we should revisit this as UI is reworked or CybOX is improved.
        obj = HTTPRequestHeaderFields()
        obj.user_agent = value
        return obj
    elif type_ == "Library":
        obj = Library()
        obj.name = value
        obj.type = name
        return obj
    elif type_ == "Memory":
        obj = Memory()
        obj.memory_source = value
        return obj
    elif type_ == "Mutex":
        m = Mutex()
        m.named = True
        m.name = String(value)
        return m
    elif type_ == "Network Connection":
        obj = NetworkConnection()
        obj.layer7_protocol = value
        return obj
    elif type_ == "Pipe":
        p = Pipe()
        p.named = True
        p.name = String(value)
        return p
    elif type_ == "Port":
        p = Port()
        try:
            p.port_value = PositiveInteger(value)
        except ValueError: # XXX: Raise a better exception...
            raise UnsupportedCybOXObjectTypeError(type_, name)
        return p
    elif type_ == "Process":
        p = Process()
        p.name = String(value)
        return p
    elif type_ == "String":
        c = Custom()
        c.custom_name = "crits:String"
        c.description = ("This is a generic string used as the value of an "
                         "Indicator or Object within CRITs.")
        c.custom_properties = CustomProperties()

        p1 = Property()
        p1.name = "value"
        p1.description = "Generic String"
        p1.value = value
        c.custom_properties.append(p1)
        return c
    elif type_ == "System":
        s = System()
        s.hostname = String(value)
        return s
    elif type_ == "URI":
        r = URI()
        r.type_ = name
        r.value = value
        return r
    elif type_ == "User Account":
        obj = UserAccount()
        obj.username = value
        return obj
    elif type_ == "Volume":
        obj = Volume()
        obj.name = value
        return obj
    elif type_ == "Win Driver":
        w = WinDriver()
        w.driver_name = String(value)
        return w
    elif type_ == "Win Event Log":
        obj = WinEventLog()
        obj.log = value
        return obj
    elif type_ == "Win Event":
        w = WinEvent()
        w.name = String(value)
        return w
    elif type_ == "Win Handle":
        obj = WinHandle()
        obj.type_ = name
        obj.object_address = value
        return obj
    elif type_ == "Win Kernel Hook":
        obj = WinKernelHook()
        obj.description = value
        return obj
    elif type_ == "Win Mailslot":
        obj = WinMailslot()
        obj.name = value
        return obj
    elif type_ == "Win Network Share":
        obj = WinNetworkShare()
        obj.local_path = value
        return obj
    elif type_ == "Win Process":
        obj = WinProcess()
        obj.window_title = value
        return obj
    elif type_ == "Win Registry Key":
        obj = WinRegistryKey()
        obj.key = value
        return obj
    elif type_ == "Win Service":
        obj = WinService()
        obj.service_name = value
        return obj
    elif type_ == "Win System":
        obj = WinSystem()
        obj.product_name = value
        return obj
    elif type_ == "Win Task":
        obj = WinTask()
        obj.name = value
        return obj
    elif type_ == "Win User Account":
        obj = WinUser()
        obj.security_id = value
        return obj
    elif type_ == "Win Volume":
        obj = WinVolume()
        obj.drive_letter = value
        return obj
    elif type_ == "X509 Certificate":
        obj = X509Certificate()
        obj.raw_certificate = value
        return obj
    """
    The following are types that are listed in the 'Indicator Type' box of
    the 'New Indicator' dialog in CRITs. These types, unlike those handled
    above, cannot be written to or read from CybOX at this point.

    The reason for the type being omitted is written as a comment inline.
    This can (and should) be revisited as new versions of CybOX are released.
    NOTE: You will have to update the corresponding make_crits_object function
    with handling for the reverse direction.

    In the mean time, these types will raise unsupported errors.
    """
    #elif type_ == "Device": # No CybOX API
    #elif type_ == "DNS Cache": # No CybOX API
    #elif type_ == "GUI": # revisit when CRITs supports width & height specification
    #elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs
    #elif type_ == "Linux Package": # No CybOX API
    #elif type_ == "Network Packet": # No good mapping between CybOX/CRITs
    #elif type_ == "Network Route Entry": # No CybOX API
    #elif type_ == "Network Route": # No CybOX API
    #elif type_ == "Network Subnet": # No CybOX API
    #elif type_ == "Semaphore": # No CybOX API
    #elif type_ == "Socket": # No good mapping between CybOX/CRITs
    #elif type_ == "UNIX File": # No CybOX API
    #elif type_ == "UNIX Network Route Entry": # No CybOX API
    #elif type_ == "UNIX Pipe": # No CybOX API
    #elif type_ == "UNIX Process": # No CybOX API
    #elif type_ == "UNIX User Account": # No CybOX API
    #elif type_ == "UNIX Volume": # No CybOX API
    #elif type_ == "User Session": # No CybOX API
    #elif type_ == "Whois": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Computer Account": # No CybOX API
    #elif type_ == "Win Critical Section": # No CybOX API
    #elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs
    #elif type_ == "Win File": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Kernel": # No CybOX API
    #elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Network Route Entry": # No CybOX API
    #elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Prefetch": # No CybOX API
    #elif type_ == "Win Semaphore": # No CybOX API
    #elif type_ == "Win System Restore": # No CybOX API
    #elif type_ == "Win Thread": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Waitable Timer": # No CybOX API
    raise UnsupportedCybOXObjectTypeError(type_, name)
Ejemplo n.º 45
0
def main(argv):
    ######################################################################
    # Se non impostati da command line vengono utilizzati i seguenti valori per TITLE, DESCRIPTION, IDENTITY
    # Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28)
    TITLE = "Test"

    # La description strutturiamola come segue
    # <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)>
    DESCRIPTION = "Cyber Saiyan - Test - https://infosharing.cybersaiyan.it"

    # La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community 
    IDENTITY = "Cyber Saiyan Community"

    # File degli IoC
    IOCFILE = "CS-ioc.txt"

    # Prefisso STIX output files STIX 1.2 e STIX 2
    OUTFILEPREFIX = "package"

    # Short Description - UNUSED
    SHORT = "unused"
    ######################################################################

    VERBOSE = 0

    # Parse ARGV[]
    try:
        opts, args = getopt.getopt(argv, "ht:d:i:f:o:v")
    except getopt.GetoptError:
        print(
            "CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]")
        sys.exit(2)

    for opt, arg in opts:
        if opt == "-h":
            print(
                "CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]")
            sys.exit()
        elif opt == "-t":
            TITLE = arg
        elif opt == "-d":
            DESCRIPTION = arg
        elif opt == "-i":
            IDENTITY = arg
        elif opt == "-f":
            IOCFILE = arg
        elif opt == "-o":
            OUTFILEPREFIX = arg
        elif opt == "-v":
            VERBOSE = 1

    print("---------------------")
    print("TITLE: " + TITLE)
    print("DESCRIPTION: " + DESCRIPTION)
    print("IDENTITY: " + IDENTITY)
    print("IOC FILE: " + IOCFILE)
    print("---------------------")

    ########################
    # Commond data
    timestamp = datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S")

    ########################
    # Build STIX 1.2 file
    info_src = InformationSource()
    info_src.identity = Identity(name=IDENTITY)

    NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
    set_id_namespace(NAMESPACE)

    wrapper = STIXPackage()

    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = "white"
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    wrapper.stix_header = STIXHeader(information_source=info_src,
                                     title=TITLE,
                                     description=DESCRIPTION,
                                     short_description=SHORT)
    wrapper.stix_header.handling = handling

    # HASH indicators
    indicatorHASH = Indicator()
    indicatorHASH.title = TITLE + " - HASH"
    indicatorHASH.add_indicator_type("File Hash Watchlist")

    # DOMAIN indicators
    indiDOMAIN = Indicator()
    indiDOMAIN.title = TITLE + " - DOMAIN"
    indiDOMAIN.add_indicator_type("Domain Watchlist")

    # URL indicators
    indiURL = Indicator()
    indiURL.title = TITLE + " - URL"
    indiURL.add_indicator_type("URL Watchlist")

    # IP indicators
    indiIP = Indicator()
    indiIP.title = TITLE + " - IP"
    indiIP.add_indicator_type("IP Watchlist")

    # EMAIL indicators
    indiEMAIL = Indicator()
    indiEMAIL.title = TITLE + " - EMAIL"
    indiEMAIL.add_indicator_type("Malicious E-mail")

    ########################
    # Build STIX 2 file
    pattern_sha256 = []
    pattern_md5 = []
    pattern_sha1 = []
    pattern_domain = []
    pattern_url = []
    pattern_ip = []
    pattern_email = []

    # Marking
    marking_def_white = stix2.TLP_WHITE

    # campagna
    # [TODO] aggiungere tutti i campi dello STIX 1.2 (es. IDENTITY)
    campaign_MAIN = stix2.Campaign(
        created=timestamp,
        modified=timestamp,
        name=TITLE,
        description=DESCRIPTION,
        first_seen=timestamp,
        objective="TBD"
    )

    ########################
    # Read IoC file
    loaddata(IOCFILE)

    if (VERBOSE): print("Reading IoC file " + IOCFILE + "...")
    ioccount = 0

    # sha256
    for ioc in listSHA256:
        # STIX 1.2
        filei = File()
        filei.add_hash(Hash(ioc))

        obsi = Observable(filei)
        indicatorHASH.add_observable(obsi)
        if (VERBOSE): print("SHA256: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_sha256.append("[file:hashes.'SHA-256' = '" + ioc + "'] OR ")

    # md5
    for ioc in listMD5:
        # STIX 1.2
        filej = File()
        filej.add_hash(Hash(ioc))

        obsj = Observable(filej)
        indicatorHASH.add_observable(obsj)
        if (VERBOSE): print("MD5: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_md5.append("[file:hashes.'MD5' = '" + ioc + "'] OR ")

    # sha1
    for ioc in listSHA1:
        # STIX 1.2
        filek = File()
        filek.add_hash(Hash(ioc))

        obsk = Observable(filek)
        indicatorHASH.add_observable(obsk)
        if (VERBOSE): print("SHA1: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_sha1.append("[file:hashes.'SHA1' = '" + ioc + "'] OR ")

    # domains
    for ioc in listDOMAIN:
        # STIX 1.2
        url = URI()
        url.value = ioc
        url.type_ = URI.TYPE_DOMAIN
        url.condition = "Equals"

        obsu = Observable(url)
        indiDOMAIN.add_observable(obsu)
        if (VERBOSE): print("DOMAIN: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_domain.append("[domain-name:value = '" + ioc + "'] OR ")

    # url
    for ioc in listURL:
        # STIX 1.2
        url = URI()
        url.value = ioc
        url.type_ = URI.TYPE_URL
        url.condition = "Equals"

        obsu = Observable(url)
        indiURL.add_observable(obsu)
        if (VERBOSE): print("URL: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_url.append("[url:value = '" + ioc + "'] OR ")

    # ip
    for ioc in listIP:
        # STIX 1.2
        ip = Address()
        ip.address_value = ioc

        obsu = Observable(ip)
        indiIP.add_observable(obsu)
        if (VERBOSE): print("IP: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_ip.append("[ipv4-addr:value = '" + ioc + "'] OR ")

    # email
    for ioc in listEMAIL:
        # STIX 1.2
        email = EmailAddress()
        email.address_value = ioc

        obsu = Observable(email)
        indiEMAIL.add_observable(obsu)

        if (VERBOSE): print("Email: " + ioc)
        ioccount += 1

        # STIX 2
        pattern_email.append("[email-message:from_ref.value = '" + ioc + "'] OR ")

    # subject
    for ioc in listSUBJECT:
        # STIX 1.2
        emailsubject = EmailMessage()
        emailsubject.subject = ioc

        obsu = Observable(emailsubject)
        indiEMAIL.add_observable(obsu)

        if (VERBOSE): print("Subject: " + ioc)
        ioccount += 1

        # STIX 2 (http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html)
        # Replace all quotes in a subject string with escaped quotes
        pattern_email.append("[email-message:subject = '" + ioc.replace("'", "\\'") + "'] OR ")

    ########################
    # add all indicators to STIX 1.2
    wrapper.add_indicator(indicatorHASH)
    wrapper.add_indicator(indiDOMAIN)
    wrapper.add_indicator(indiURL)
    wrapper.add_indicator(indiIP)
    wrapper.add_indicator(indiEMAIL)

    ########################
    # prepare for STIX 2
    bundle_objects = [campaign_MAIN, marking_def_white]

    if len(pattern_sha256) != 0:
        stix2_sha256 = "".join(pattern_sha256)
        stix2_sha256 = stix2_sha256[:-4]

        indicator_SHA256 = stix2.Indicator(
            name=TITLE + " - SHA256",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_sha256,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_SHA256 = stix2.Relationship(indicator_SHA256, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_SHA256)
        bundle_objects.append(relationship_indicator_SHA256)

    if len(pattern_md5) != 0:
        stix2_md5 = "".join(pattern_md5)
        stix2_md5 = stix2_md5[:-4]

        indicator_MD5 = stix2.Indicator(
            name=TITLE + " - MD5",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_md5,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_MD5 = stix2.Relationship(indicator_MD5, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_MD5)
        bundle_objects.append(relationship_indicator_MD5)

    if len(pattern_sha1) != 0:
        stix2_sha1 = "".join(pattern_sha1)
        stix2_sha1 = stix2_sha1[:-4]

        indicator_SHA1 = stix2.Indicator(
            name=TITLE + " - SHA1",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_sha1,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_SHA1 = stix2.Relationship(indicator_SHA1, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_SHA1)
        bundle_objects.append(relationship_indicator_SHA1)

    if len(pattern_domain) != 0:
        stix2_domain = "".join(pattern_domain)
        stix2_domain = stix2_domain[:-4]

        indicator_DOMAINS = stix2.Indicator(
            name=TITLE + " - DOMAINS",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_domain,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_DOMAINS = stix2.Relationship(indicator_DOMAINS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_DOMAINS)
        bundle_objects.append(relationship_indicator_DOMAINS)

    if len(pattern_url) != 0:
        stix2_url = "".join(pattern_url)
        stix2_url = stix2_url[:-4]

        indicator_URLS = stix2.Indicator(
            name=TITLE + " - URL",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_url,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_URLS = stix2.Relationship(indicator_URLS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_URLS)
        bundle_objects.append(relationship_indicator_URLS)

    if len(pattern_ip) != 0:
        stix2_ip = "".join(pattern_ip)
        stix2_ip = stix2_ip[:-4]

        indicator_IPS = stix2.Indicator(
            name=TITLE + " - IPS",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_ip,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_IPS = stix2.Relationship(indicator_IPS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_IPS)
        bundle_objects.append(relationship_indicator_IPS)

    if len(pattern_email) != 0:
        stix2_email = "".join(pattern_email)
        stix2_email = stix2_email[:-4]

        indicator_EMAILS = stix2.Indicator(
            name=TITLE + " - EMAILS",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_email,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_EMAILS = stix2.Relationship(indicator_EMAILS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_EMAILS)
        bundle_objects.append(relationship_indicator_EMAILS)

    # creo il bunble STIX 2
    bundlestix2 = stix2.Bundle(objects=bundle_objects)

    if (ioccount > 0):
        ########################
        # save to STIX 1.2 file
        print("Writing STIX 1.2 package: " + OUTFILEPREFIX + ".stix")
        f = open(OUTFILEPREFIX + ".stix", "wb")
        f.write(wrapper.to_xml())
        f.close()

        ########################
        # save to STIX 2 file
        print("Writing STIX 2 package: " + OUTFILEPREFIX + ".stix2")
        g = open(OUTFILEPREFIX + ".stix2", "w")
        g.write(str(bundlestix2))
        g.close()
    else:
        print("No IoC found")
Ejemplo n.º 46
0
def main():
    stix_package = STIXPackage()
    ttp = TTP(title="Phishing")
    stix_package.add_ttp(ttp)

    # Create the indicator for just the subject
    email_subject_object = EmailMessage()
    email_subject_object.header = EmailHeader()
    email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
    email_subject_object.header.subject.condition = "StartsWith"

    email_subject_indicator = Indicator()
    email_subject_indicator.title = "Malicious E-mail Subject Line"
    email_subject_indicator.add_indicator_type("Malicious E-mail")
    email_subject_indicator.observable = email_subject_object
    email_subject_indicator.confidence = "Low"

    # Create the indicator for just the attachment

    file_attachment_object = EmailMessage()
    file_attachment_object.attachments = Attachments()

    attached_file_object = File()
    attached_file_object.file_name = "Final Report"
    attached_file_object.file_name.condition = "StartsWith"
    attached_file_object.file_extension = "doc.exe"
    attached_file_object.file_extension.condition = "Equals"

    file_attachment_object.add_related(attached_file_object,
                                       "Contains",
                                       inline=True)
    file_attachment_object.attachments.append(attached_file_object.parent.id_)

    indicator_attachment = Indicator()
    indicator_attachment.title = "Malicious E-mail Attachment"
    indicator_attachment.add_indicator_type("Malicious E-mail")
    indicator_attachment.observable = file_attachment_object
    indicator_attachment.confidence = "Low"

    # Create the combined indicator w/ both subject an attachment
    full_email_object = EmailMessage()
    full_email_object.attachments = Attachments()

    # Add the previously referenced file as another reference rather than define it again:
    full_email_object.attachments.append(attached_file_object.parent.id_)

    full_email_object.header = EmailHeader()
    full_email_object.header.subject = "[IMPORTANT] Please Review Before"
    full_email_object.header.subject.condition = "StartsWith"

    combined_indicator = Indicator(title="Malicious E-mail")
    combined_indicator.add_indicator_type("Malicious E-mail")
    combined_indicator.confidence = Confidence(value="High")
    combined_indicator.observable = full_email_object

    email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_))
    combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.add_indicator(combined_indicator)
    stix_package.add_indicator(email_subject_indicator)
    stix_package.add_indicator(indicator_attachment)
    print(stix_package.to_xml(encoding=None))
Ejemplo n.º 47
0
    def execute(self, device_info, extracted_data_dir_path):
        original_app_path = '/data/data/com.android.email'
        headers_db_rel_file_path = os.path.join('databases', 'EmailProvider.db')
        bodies_db_rel_file_path = os.path.join('databases', 'EmailProviderBody.db')

        original_headers_db_file_path = os.path.join(original_app_path, headers_db_rel_file_path)
        original_bodies_db_file_path = os.path.join(original_app_path, bodies_db_rel_file_path)
        headers_db_file_path = os.path.join(extracted_data_dir_path, headers_db_rel_file_path)
        bodies_db_file_path = os.path.join(extracted_data_dir_path, bodies_db_rel_file_path)

        source_objects = [
            create_file_object(headers_db_file_path, original_headers_db_file_path),
            create_file_object(bodies_db_file_path, original_bodies_db_file_path)
        ]
        inspected_objects = {}

        cursor, conn = execute_query(headers_db_file_path, 'SELECT * FROM message')
        for row in cursor:
            header = EmailHeader()
            header.to = row['toList']
            header.cc = row['ccList']
            header.bcc = row['bccList']
            header.from_ = row['fromList']
            header.subject = row['subject']
            header.in_reply_to = row['replyToList']
            header.date = datetime.fromtimestamp(row['timeStamp'] / 1000)  # Convert from milliseconds to seconds
            header.message_id = row['messageId']

            email = EmailMessage()
            email.header = header
            email.add_related(source_objects[0], ObjectRelationship.TERM_EXTRACTED_FROM, inline=False)

            # Add the email to the inspected_objects dict using its _id value as key.
            email_id = row['_id']
            inspected_objects[email_id] = email
        cursor.close()
        conn.close()

        # Add full raw body to emails.
        cursor, conn = execute_query(bodies_db_file_path, 'SELECT _id, htmlContent, textContent FROM body')
        for row in cursor:
            email_id = row['_id']
            email = inspected_objects.get(email_id)
            if email is not None:
                if row['htmlContent'] != '':
                    email.raw_body = row['htmlContent']
                    email.header.content_type = 'text/html'
                else:
                    email.raw_body = row['textContent']
                    email.header.content_type = 'text/plain'
                email.add_related(source_objects[1], ObjectRelationship.TERM_EXTRACTED_FROM, inline=False)
        cursor.close()

        # Add attachments to emails.
        cursor, conn = execute_query(headers_db_file_path,
                                     'SELECT messageKey, contentUri FROM attachment')

        # Iteration over attachments
        for row in cursor:
            # Get current attachment email_id.
            email_id = row['messageKey']
            # Find email in inspected_objects.
            email = inspected_objects.get(email_id)

            # If email has non attachments, initialize them.
            if email.attachments is None:
                email.attachments = Attachments()

            # Using contentUri, get attachment folder_prefix and file_name.
            attachment_rel_path_dirs = re.search('.*//.*/(.*)/(.*)/.*', row['contentUri'])

            # Group(1): contains attachment folder.
            # Group(2): contains attachment file_name.
            attachment_rel_file_path = os.path.join('databases', attachment_rel_path_dirs.group(1) + '.db_att',
                                                    attachment_rel_path_dirs.group(2))

            # Build attachment absolute file path in extracted_data.
            attachment_file_path = os.path.join(extracted_data_dir_path, attachment_rel_file_path)

            # Build attachment original file_path in device.
            original_attachment_file_path = os.path.join(original_app_path, attachment_rel_file_path)

            # Create attachment source_file.
            attachment = create_file_object(attachment_file_path, original_attachment_file_path)

            # Add attachment to email's attachments.
            email.attachments.append(attachment.parent.id_)

            # Add relation between attachment and it's email.
            attachment.add_related(email, ObjectRelationship.TERM_CONTAINED_WITHIN, inline=False)

            source_objects.append(attachment)

        cursor.close()
        conn.close()

        return inspected_objects.values(), source_objects
Ejemplo n.º 48
0
def make_cybox_object(type_, name=None, value=None):
    """
    Converts type_, name, and value to a CybOX object instance.

    :param type_: The object type.
    :type type_: str
    :param name: The object name.
    :type name: str
    :param value: The object value.
    :type value: str
    :returns: CybOX object
    """

    if type_ == "Account":
        acct = Account()
        acct.description = value
        return acct
    elif type_ == "Address":
        return Address(category=name, address_value=value)
    elif type_ == "Email Message":
        e = EmailMessage()
        e.raw_body = value
        return e
    elif type_ == "API":
        api = API()
        api.description = value
        return api
    elif type_ == "Artifact":
        if name == "Data Region":
            atype = Artifact.TYPE_GENERIC
        elif name == 'FileSystem Fragment':
            atype = Artifact.TYPE_FILE_SYSTEM
        elif name == 'Memory Region':
            atype = Artifact.TYPE_MEMORY
        else:
            raise UnsupportedCybOXObjectTypeError(type_, name)
        return Artifact(value, atype)
    elif type_ == "Code":
        obj = Code()
        obj.code_segment = value
        obj.type = name
        return obj
    elif type_ == "Disk":
        disk = Disk()
        disk.disk_name = type_
        disk.type = name
        return disk
    elif type_ == "Disk Partition":
        disk = DiskPartition()
        disk.device_name = type_
        disk.type = name
        return disk
    elif type_ == "DNS Query":
        r = URI()
        r.value = value
        dq = DNSQuestion()
        dq.qname = r
        d = DNSQuery()
        d.question = dq
        return d
    elif type_ == "DNS Record":
        # DNS Record indicators in CRITs are just a free form text box, there
        # is no good way to map them into the attributes of a DNSRecord cybox
        # object. So just stuff it in the description until someone tells me
        # otherwise.
        d = StructuredText(value=value)
        dr = DNSRecord()
        dr.description = d
        return dr
    elif type_ == "GUI Dialogbox":
        obj = GUIDialogbox()
        obj.box_text = value
        return obj
    elif type_ == "GUI Window":
        obj = GUIWindow()
        obj.window_display_name = value
        return obj
    elif type_ == "HTTP Request Header Fields" and name and name == "User-Agent":
        # TODO/NOTE: HTTPRequestHeaderFields has a ton of fields for info.
        #    we should revisit this as UI is reworked or CybOX is improved.
        obj = HTTPRequestHeaderFields()
        obj.user_agent = value
        return obj
    elif type_ == "Library":
        obj = Library()
        obj.name = value
        obj.type = name
        return obj
    elif type_ == "Memory":
        obj = Memory()
        obj.memory_source = value
        return obj
    elif type_ == "Mutex":
        m = Mutex()
        m.named = True
        m.name = String(value)
        return m
    elif type_ == "Network Connection":
        obj = NetworkConnection()
        obj.layer7_protocol = value
        return obj
    elif type_ == "Pipe":
        p = Pipe()
        p.named = True
        p.name = String(value)
        return p
    elif type_ == "Port":
        p = Port()
        try:
            p.port_value = PositiveInteger(value)
        except ValueError:  # XXX: Raise a better exception...
            raise UnsupportedCybOXObjectTypeError(type_, name)
        return p
    elif type_ == "Process":
        p = Process()
        p.name = String(value)
        return p
    elif type_ == "String":
        c = Custom()
        c.custom_name = "crits:String"
        c.description = ("This is a generic string used as the value of an "
                         "Indicator or Object within CRITs.")
        c.custom_properties = CustomProperties()

        p1 = Property()
        p1.name = "value"
        p1.description = "Generic String"
        p1.value = value
        c.custom_properties.append(p1)
        return c
    elif type_ == "System":
        s = System()
        s.hostname = String(value)
        return s
    elif type_ == "URI":
        r = URI()
        r.type_ = name
        r.value = value
        return r
    elif type_ == "User Account":
        obj = UserAccount()
        obj.username = value
        return obj
    elif type_ == "Volume":
        obj = Volume()
        obj.name = value
        return obj
    elif type_ == "Win Driver":
        w = WinDriver()
        w.driver_name = String(value)
        return w
    elif type_ == "Win Event Log":
        obj = WinEventLog()
        obj.log = value
        return obj
    elif type_ == "Win Event":
        w = WinEvent()
        w.name = String(value)
        return w
    elif type_ == "Win Handle":
        obj = WinHandle()
        obj.type_ = name
        obj.object_address = value
        return obj
    elif type_ == "Win Kernel Hook":
        obj = WinKernelHook()
        obj.description = value
        return obj
    elif type_ == "Win Mailslot":
        obj = WinMailslot()
        obj.name = value
        return obj
    elif type_ == "Win Network Share":
        obj = WinNetworkShare()
        obj.local_path = value
        return obj
    elif type_ == "Win Process":
        obj = WinProcess()
        obj.window_title = value
        return obj
    elif type_ == "Win Registry Key":
        obj = WinRegistryKey()
        obj.key = value
        return obj
    elif type_ == "Win Service":
        obj = WinService()
        obj.service_name = value
        return obj
    elif type_ == "Win System":
        obj = WinSystem()
        obj.product_name = value
        return obj
    elif type_ == "Win Task":
        obj = WinTask()
        obj.name = value
        return obj
    elif type_ == "Win User Account":
        obj = WinUser()
        obj.security_id = value
        return obj
    elif type_ == "Win Volume":
        obj = WinVolume()
        obj.drive_letter = value
        return obj
    elif type_ == "X509 Certificate":
        obj = X509Certificate()
        obj.raw_certificate = value
        return obj
    """
    The following are types that are listed in the 'Indicator Type' box of
    the 'New Indicator' dialog in CRITs. These types, unlike those handled
    above, cannot be written to or read from CybOX at this point.

    The reason for the type being omitted is written as a comment inline.
    This can (and should) be revisited as new versions of CybOX are released.
    NOTE: You will have to update the corresponding make_crits_object function
    with handling for the reverse direction.

    In the mean time, these types will raise unsupported errors.
    """
    #elif type_ == "Device": # No CybOX API
    #elif type_ == "DNS Cache": # No CybOX API
    #elif type_ == "GUI": # revisit when CRITs supports width & height specification
    #elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs
    #elif type_ == "Linux Package": # No CybOX API
    #elif type_ == "Network Packet": # No good mapping between CybOX/CRITs
    #elif type_ == "Network Route Entry": # No CybOX API
    #elif type_ == "Network Route": # No CybOX API
    #elif type_ == "Network Subnet": # No CybOX API
    #elif type_ == "Semaphore": # No CybOX API
    #elif type_ == "Socket": # No good mapping between CybOX/CRITs
    #elif type_ == "UNIX File": # No CybOX API
    #elif type_ == "UNIX Network Route Entry": # No CybOX API
    #elif type_ == "UNIX Pipe": # No CybOX API
    #elif type_ == "UNIX Process": # No CybOX API
    #elif type_ == "UNIX User Account": # No CybOX API
    #elif type_ == "UNIX Volume": # No CybOX API
    #elif type_ == "User Session": # No CybOX API
    #elif type_ == "Whois": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Computer Account": # No CybOX API
    #elif type_ == "Win Critical Section": # No CybOX API
    #elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs
    #elif type_ == "Win File": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Kernel": # No CybOX API
    #elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Network Route Entry": # No CybOX API
    #elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Prefetch": # No CybOX API
    #elif type_ == "Win Semaphore": # No CybOX API
    #elif type_ == "Win System Restore": # No CybOX API
    #elif type_ == "Win Thread": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Waitable Timer": # No CybOX API
    raise UnsupportedCybOXObjectTypeError(type_, name)
Ejemplo n.º 49
0
def json2observable(config, src, dest, endpoint, json_, crits_id):
    # TODO split into smaller functions
    '''transform crits observables into cybox'''
    try:
        set_id_method(IDGenerator.METHOD_UUID)
        xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
        xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
        set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
        if endpoint == 'ips':
            crits_types = {'Address - cidr': 'cidr',
                           'Address - ipv4-addr': 'ipv4-addr',
                           'Address - ipv4-net': 'ipv4-net',
                           'Address - ipv4-net-mask': 'ipv4-netmask',
                           'Address - ipv6-addr': 'ipv6-addr',
                           'Address - ipv6-net': 'ipv6-net',
                           'Address - ipv6-net-mask': 'ipv6-netmask'}
            addr = Address(address_value=json_['ip'],
                           category=crits_types[json_['type']])
            addr.condition = 'Equals'
            observable_ = Observable(addr)
        elif endpoint == 'domains':
            domain = DomainName()
            domain.type_ = 'FQDN'
            domain.value = json_['domain']
            domain.condition = 'Equals'
            observable_ = Observable(domain)
        elif endpoint == 'samples':
            crits_types = {'md5': 'MD5',
                           'sha1': 'SHA1',
                           'sha224': 'SHA224',
                           'sha256': 'SHA256',
                           'sha384': 'SHA384',
                           'sha512': 'SHA512',
                           'ssdeep': 'SSDEEP'}
            file_object = File()
            file_object.file_name = json_['filename']
            for hash in crits_types.keys():
                if hash in json_:
                    file_object.add_hash(Hash(json_[hash],
                                              type_=crits_types[hash]))
            for i in file_object.hashes:
                i.simple_hash_value.condition = "Equals"
            observable_ = Observable(file_object)
        elif endpoint == 'emails':
            crits_types = {'subject': 'subject', 'to': 'to', 'cc': 'cc',
                           'from_address': 'from_', 'sender': 'sender',
                           'date': 'date', 'message_id': 'message_id',
                           'reply_to': 'reply_to', 'boundary': 'boundary',
                           'x_mailer': 'x_mailer',
                           'x_originating_ip': 'x_originating_ip'}
            email = EmailMessage()
            email.header = EmailHeader()
            for k in crits_types.keys():
                val = json_.get(k, None)
                if val:
                    email.header.__setattr__(crits_types[k], val)
                    email.header.__getattribute__(crits_types[k]).condition = \
                        'Equals'
            observable_ = Observable(email)
        else:
            config['logger'].error(
                log.log_messages['unsupported_object_error'].format(
                    type_='crits', obj_type=endpoint, id_=crits_id))
            return(None)
        observable_.id = xmlns_name + ':observable-' + crits_id
        observable_.id_ = observable_.id
        return(observable_)
    except:
        e = sys.exc_info()[0]
        config['logger'].error(
            log.log_messages['obj_convert_error'].format(
                src_type='crits', src_obj='observable', id_=crits_id,
                dest_type='cybox', dest_obj='observable'))
        config['logger'].exception(e)
        return(None)
Ejemplo n.º 50
0
 def object_from_dict(cls, task_attributes):
     task_obj = win_task_binding.WindowsTaskObjectType()
     task_obj.set_anyAttributes_({'xsi:type' : 'WinTaskObj:WindowsTaskObjectType'})
     
     for key, value in task_attributes.items():
         if key == 'name' and utils.test_value(value):
             task_obj.set_Name(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value))
         if key == 'status' and utils.test_value(value):
             task_obj.set_Status(Base_Object_Attribute.object_from_dict(win_task_binding.TaskStatusType(), value))
         if key == 'priority' and utils.test_value(value):
             task_obj.set_Priority(Base_Object_Attribute.object_from_dict(win_task_binding.TaskPriorityType(), value))
         if key == 'flags' and utils.test_value(value):
             task_obj.set_Flags(Base_Object_Attribute.object_from_dict(win_task_binding.TaskFlagType(), value))
         if key == 'application_type' and utils.test_value(value):
             task_obj.set_Application_Name(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value))
         if key == 'paramters' and utils.test_value(value):
             task_obj.set_Parameters(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value))
         if key == 'account_name' and utils.test_value(value):
             tdfasd;fask_obj.set_Account_Name(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value))
         if key == 'account_run_level' and utils.test_value(value):
             task_obj.set_Account_Run_Level(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value))
         if key == 'account_Logon_Type' and utils.test_value(value):
             task_obj.set_Account_Logon_Type(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value))
         if key == 'account_name' and utils.test_value(value):
             task_obj.set_Account_Name(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value))
         if key == 'creator' and utils.test_value(value):
             task_obj.set_Creator(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value))
         if key == 'comment' and utils.test_value(value):
             task_obj.set_Comment(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value))
         if key == 'working_directory' and utils.test_value(value):
             task_obj.set_Working_Directory(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value))
         if key == 'creation_date' and utils.test_value(value):
             task_obj.set_Creation_Date(Base_Object_Attribute.object_from_dict(common_types_binding.DateTimeObjectAttributeType(datatype='DateTime'), value))
         if key == 'most_recent_run_time' and utils.test_value(value):
             task_obj.set_Most_Recent_Run_Time(Base_Object_Attribute.object_from_dict(common_types_binding.DateTimeObjectAttributeType(datatype='DateTime'), value))
         if key == 'next_run_time' and utils.test_value(value):
             task_obj.set_Next_Run_Time(Base_Object_Attribute.object_from_dict(common_types_binding.DateTimeObjectAttributeType(datatype='DateTime'), value))
         if key == 'exit_code' and utils.test_value(value):
             task_obj.set_Exit_Code(Base_Object_Attribute.object_from_dict(common_types_binding.LongObjectAttributeType(datatype='Long'), value))
         if key == 'max_run_time' and utils.test_value(value):
             task_obj.set_Max_Run_Time(Base_Object_Attribute.object_from_dict(common_types_binding.UnsignedLongObjectAttributeType(datatype='UnsignedLong'), value))
         if key == 'work_item_data' and utils.test_value(value):
             task_obj.set_Work_Item_Data(Base_Object_Attribute.object_from_dict(common_types_binding.Base64BinaryObjectAttributeType(datatype='Base64Binary'), value))
         if key == 'action_list' and utils.test_value(value):
             action_list = win_task_binding.TaskActionListType()
             for action in value:
                 action_obj = win_task_binding.TaskActionType()
                 for action_key, action_value in action.items():
                     if action_key == 'action_type' and utils.test_value(action_value):
                         action_obj.set_Action_Type(Base_Object_Attribute.object_from_dict(win_task_binding.TaskActionTypeType(), action_value))
                     if action_key == 'action_id' and utils.test_value(action_value):
                         action_obj.set_Action_ID(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), action_value))
                     if action_key == 'iemailaction' and utils.test_value(action_value):
                         action_obj.set_IEmailAction(EmailMessage.object_from_dict(action_value))
                     if action_key == 'icomhandleraction' and utils.test_value(action_value):
                         icom_obj = win_task_binding.IComHandlerActionType()
                         for icom_key, icom_value in action_value.items():
                             if icom_key == 'com_data' and utils.test_value(icom_value):
                                 icom_obj.set_COM_Data(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), icom_value))
                             if icom_key == 'com_class_id' and utils.test_value(icom_value):
                                 icom_obj.set_COM_Class_ID(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), icom_value))
                         action_obj.set_IComHandlerAction(icom_obj)
                     if action_key == 'iexecaction' and utils.test_value(action_value):
                         iexec_obj = win_task_binding.IExecActionType()
                         for iexec_key, iexec_value in action_value.items():
                             if iexec_key == 'exec_arguments' and utils.test_value(iexec_value):
                                 iexec_obj.set_Exec_Arguments(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), iexec_value))
                             if iexec_key == 'exec_program_path' and utils.test_value(iexec_value):
                                 iexec_obj.set_Exec_Program_Path(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), iexec_value))
                             if iexec_key == 'exec_working_directorys' and utils.test_value(iexec_value):
                                 iexec_obj.set_Exec_Working_Directory(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), iexec_value))
                             if iexec_key == 'exec_program_hashes' and utils.test_value(iexec_value):
                                 iexec_obj.set_Exec_Arguments(HashList.object_from_dict(iexec_value))
                         action_obj.set_IExecAction(iexec_obj)
                     if action_key == 'ishowmessageaction' and utils.test_value(action_value):
                         ishow_obj = win_task_binding.IShowMessageActionType()
                         for ishow_key, ishow_value in action_value.items():
                             if ishow_key == 'show_message_body' and utils.test_value(ishow_value):
                                 ishow_obj.set_Show_Message_Body(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), ishow_value))
                             if ishow_key == 'show_message_title' and utils.test_value(ishow_value):
                                 ishow_obj.set_Show_Message_Title(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), ishow_value))
                         action_obj.set_IShowMessageAction(ishow_obj)
                 action_list.add_Action(action_obj)
             task_obj.set_Action_List(action_list)
         if key == 'trigger_list' and utils.test_value(value):           
             trigger_list = win_task_binding.TriggerListType()
             for trigger in value:
                 trigger_obj = win_task_binding.TriggerType()
                 for trigger_key, trigger_value in trigger.items():
                     if trigger_key == 'trigger_begin' and utils.test_value(trigger_value):
                         trigger_obj.set_Trigger_Begin(common_types_binding.DateTimeObjectAttributeType(datatype='DateTime'), trigger_value)
                     if trigger_key == 'trigger_end' and utils.test_value(trigger_value):
                         trigger_obj.set_Trigger_End(common_types_binding.DateTimeObjectAttributeType(datatype='DateTime'), trigger_value)
                     if trigger_key == 'trigger_delay' and utils.test_value(trigger_value):
                         trigger_obj.set_Trigger_Begin(common_types_binding.DurationObjectAttributeType(datatype='Duration'), trigger_value)
                     if trigger_key == 'trigger_max_run_time' and utils.test_value(trigger_value):
                         trigger_obj.set_Max_Run_Time(common_types_binding.DurationObjectAttributeType(datatype='Duration'), trigger_value)
                     if trigger_key == 'trigger_session_change_type' and utils.test_value(trigger_value):
                         trigger_obj.set_Trigger_Session_Change_Type(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), trigger_value))
                     if trigger_key == 'trigger_type' and utils.test_value(trigger_value):
                         trigger_obj.set_Trigger_Type(Base_Object_Attribute.object_from_dict(win_task_binding.TaskTriggerType(), trigger_value))
                     if trigger_key == 'enabled' and utils.test_value(trigger_value):
                         trigger_obj.set_enabled(trigger_value)
                     if trigger_key == 'trigger_frequency' and utils.test_value(trigger_value):
                         trigger_obj.set_Trigger_Frequency(Base_Object_Attribute.object_from_dict(win_task_binding.TaskTriggerFrequencyType(), trigger_value))
                 trigger_list.add_Trigger(trigger_obj)
             task_obj.set_Trigger_List(trigger_list)
                   
     return task_obj
Ejemplo n.º 51
0
def cybox_object_email(obj):
    e = EmailMessage()
    e.raw_body = obj.raw_body
    e.raw_header = obj.raw_header
    # Links
    e.links = Links()
    for link in obj.links.all():
        pass
    # Attachments
    e.attachments = Attachments()
    attachment_objects = []
    for att in obj.attachments.all():
        for meta in att.file_meta.all():
            fobj = cybox_object_file(att, meta)
            e.attachments.append(fobj.parent.id_)
            fobj.add_related(e, "Contained_Within", inline=False)
            attachment_objects.append(fobj)
    # construct header information
    h = EmailHeader()
    h.subject = obj.subject
    h.date = obj.email_date
    h.message_id = obj.message_id
    h.content_type = obj.content_type
    h.mime_version = obj.mime_version
    h.user_agent = obj.user_agent
    h.x_mailer = obj.x_mailer
    # From
    for from_ in obj.from_string.all():
        from_address = EmailAddress(from_.sender)
        from_address.is_spoofed = from_.is_spoofed
        from_address.condition = from_.condition
        h.from_ = from_address
    # Sender
    for sender in obj.sender.all():
        sender_address = EmailAddress(sender.sender)
        sender_address.is_spoofed = sender.is_spoofed
        sender_address.condition = sender.condition
        h.sender.add(sender_address)
    # To
    recipients = EmailRecipients()
    for recipient in obj.recipients.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.to = recipients
    # CC
    recipients = EmailRecipients()
    for recipient in obj.recipients_cc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.cc = recipients
    # BCC
    recipients = EmailRecipients()
    for recipient in obj.recipients_bcc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.bcc = recipients
    e.header = h
    return e, attachment_objects
Ejemplo n.º 52
0
def gen_stix_observable_sample(config,
                               target=None,
                               datatype=None,
                               title='random test data',
                               description='random test data',
                               package_intents='Indicators - Watchlist',
                               tlp_color='WHITE'):
    '''generate sample stix data comprised of indicator_count
    indicators of type datatype'''
    # setup the xmlns...
    xmlns_url = config['edge']['sites'][target]['stix']['xmlns_url']
    xmlns_name = config['edge']['sites'][target]['stix']['xmlns_name']
    set_stix_id_namespace({xmlns_url: xmlns_name})
    set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
    # construct a stix package...
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = title
    stix_header.description = description
    stix_header.package_intents = package_intents
    marking = MarkingSpecification()
    marking.controlled_structure = '../../../../descendant-or-self::node()'
    tlp_marking = TLPMarkingStructure()
    tlp_marking.color = tlp_color
    marking.marking_structures.append(tlp_marking)
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking)
    # ...and stuff it full of random sample data :-)
    if datatype == 'ip':
        addr = Address(address_value=datagen.generate_random_ip_address(),
                       category='ipv4-addr')
        addr.condition = 'Equals'
        stix_package.add_observable(Observable(addr))
    elif datatype == 'domain':
        domain = DomainName()
        domain.type_ = 'FQDN'
        domain.value = datagen.generate_random_domain(config)
        domain.condition = 'Equals'
        stix_package.add_observable(Observable(domain))
    elif datatype == 'filehash':
        file_object = File()
        file_object.file_name = str(uuid.uuid4()) + '.exe'
        hashes = datagen.generate_random_hashes()
        for hash in hashes.keys():
            file_object.add_hash(Hash(hashes[hash], type_=hash.upper()))
            for i in file_object.hashes:
                i.simple_hash_value.condition = "Equals"
        stix_package.add_observable(Observable(file_object))
    elif datatype == 'email':
        try:
            msg = datagen.get_random_spam_msg(config)
            email = EmailMessage()
            email.header = EmailHeader()
            header_map = {
                'Subject': 'subject',
                'To': 'to',
                'Cc': 'cc',
                'Bcc': 'bcc',
                'From': 'from_',
                'Sender': 'sender',
                'Date': 'date',
                'Message-ID': 'message_id',
                'Reply-To': 'reply_to',
                'In-Reply-To': 'in_reply_to',
                'Content-Type': 'content_type',
                'Errors-To': 'errors_to',
                'Precedence': 'precedence',
                'Boundary': 'boundary',
                'MIME-Version': 'mime_version',
                'X-Mailer': 'x_mailer',
                'User-Agent': 'user_agent',
                'X-Originating-IP': 'x_originating_ip',
                'X-Priority': 'x_priority'
            }
            # TODO handle received_lines
            for key in header_map.keys():
                val = msg.get(key, None)
                if val:
                    email.header.__setattr__(header_map[key], val)
                    email.header.__getattribute__(header_map[key]).condition = \
                        'Equals'
            # TODO handle email bodies (it's mostly all there except for
            #      handling weird text encoding problems that were making
            #      libcybox stacktrace)
            # body = get_email_payload(random_spam_msg)
            # if body:
            #     email.raw_body = body
            stix_package.add_observable(Observable(email))
        except:
            return (None)
    observable_id = stix_package.observables.observables[0].id_
    return (observable_id, stix_package)
Ejemplo n.º 53
0
def cybox_object_email(obj):
    e = EmailMessage()
    e.raw_body = obj.raw_body
    e.raw_header = obj.raw_header
    # Links
    e.links = Links()
    for link in obj.links.all():
        pass
    # Attachments
    e.attachments = Attachments()
    attachment_objects = []
    for att in obj.attachments.all():
        for meta in att.file_meta.all():
            fobj = cybox_object_file(att, meta)
            e.attachments.append(fobj.parent.id_)
            fobj.add_related(e, "Contained_Within", inline=False)
            attachment_objects.append(fobj)
    # construct header information
    h = EmailHeader()
    h.subject = obj.subject
    h.date = obj.email_date
    h.message_id = obj.message_id
    h.content_type = obj.content_type
    h.mime_version = obj.mime_version
    h.user_agent = obj.user_agent
    h.x_mailer = obj.x_mailer
    # From
    for from_ in obj.from_string.all():
        from_address = EmailAddress(from_.sender)
        from_address.is_spoofed = from_.is_spoofed
        from_address.condition = from_.condition
        h.from_ = from_address
    # Sender
    for sender in obj.sender.all():
        sender_address = EmailAddress(sender.sender)
        sender_address.is_spoofed = sender.is_spoofed
        sender_address.condition = sender.condition
        h.sender.add(sender_address)
    # To
    recipients = EmailRecipients()
    for recipient in obj.recipients.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.to = recipients
    # CC
    recipients = EmailRecipients()
    for recipient in obj.recipients_cc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.cc = recipients
    # BCC
    recipients = EmailRecipients()
    for recipient in obj.recipients_bcc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.bcc = recipients
    e.header = h
    return e, attachment_objects
Ejemplo n.º 54
0
    def create_object(self, ce1sus_object, event_permissions, user):
        definition_name = ce1sus_object.definition.name
        obj = Object()
        identifier = 'ce1sus:Object-{0}'.format(ce1sus_object.uuid)
        obj.id_ = identifier
        # try to find automatic the object container
        try:
            clazz = get_class(
                'cybox.objects.{0}_object'.format(definition_name.lower()),
                definition_name)
            instance = clazz()
            if definition_name == 'Disk':
                # TODO: check why this must be set stix bug?
                setattr(instance, 'type_', None)
        except ImportError:
            if definition_name == 'WinEventLog':
                instance = WinEventLog()
                # TODO: check why this must be set stix bug?
                setattr(instance, 'type_', None)
            elif definition_name == 'UserAccount':
                instance = UserAccount()
            elif definition_name == 'WinService':
                instance = WinService()
            elif definition_name == 'WindowsRegistryKey':
                instance = WinRegistryKey()
            elif definition_name == 'NetworkConnection':
                instance = NetworkConnection()
            elif definition_name == 'WinVolume':
                instance = WinVolume()
                # TODO: check why this must be set stix bug?
                setattr(instance, 'drive_type', None)
            elif definition_name == 'WinKernelHook':
                instance = WinKernelHook()
            elif definition_name == 'WinDriver':
                instance = WinDriver()
            elif definition_name == 'DomainName':
                instance = DomainName()
            # TODO: try to map it manually
            elif definition_name == 'email':
                instance = EmailMessage()
            else:
                raise Ce1susStixMapperException(
                    'Required to map manually {0}'.format(definition_name))

        obj.properties = instance

        attributes = ce1sus_object.get_attributes_for_permissions(
            event_permissions, user)
        for attribute in attributes:
            self.map_attribtue(instance, attribute)

        rel_objects = ce1sus_object.get_related_objects_for_permissions(
            event_permissions, user)
        for rel_object in rel_objects:
            ob = self.create_object(rel_object.object, event_permissions, user)
            if ob:
                rel_obj = self.create_related_object(rel_object,
                                                     event_permissions, user)

                # cybox_rel_object = RelatedObject(properties=ob.properties, relationship=rel_object.relation)

                obj.related_objects.append(rel_obj)
        return obj