def main():
    """Emit a STIX 1.x package with one 'Perimeter Blocking' course of action.

    The COA recommends blocking traffic to the PIVY (Poison Ivy) C2 server
    at 10.10.10.10, carries that address as its parameter observable, and
    is printed to stdout as XML.
    """
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    # Why the block is recommended, and how confident we are that it applies.
    objective = Objective()
    objective.description = "Block communication between the PIVY agents and the C2 Server"
    objective.applicability_confidence = Confidence("High")

    # The thing the COA acts on: the C2 server's IPv4 address.
    c2_address = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)

    action = CourseOfAction()
    action.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    action.stage = "Response"
    action.type_ = "Perimeter Blocking"
    action.objective = objective
    # Assigning a plain string to impact turns it into an object (presumably
    # a Statement) on which the description can then be set.
    action.impact = "Low"
    action.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    action.cost = "Low"
    action.efficacy = "High"
    action.parameter_observables = Observables(c2_address)

    package = STIXPackage()
    package.add_course_of_action(action)
    # encoding=None yields a text string rather than bytes, so print() shows XML.
    print(package.to_xml(encoding=None))
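def convert_coa(coa20):
    """Convert a STIX 2.0 ``course-of-action`` dict into a STIX 1.x CourseOfAction.

    Args:
        coa20: the STIX 2.0 object as a dict. ``id`` and ``modified`` are
            required; ``name``, ``description``, ``labels``,
            ``object_marking_refs`` and ``granular_markings`` are optional.

    Returns:
        The populated 1.x CourseOfAction. Its 2.0 id is also registered via
        ``record_id_object_mapping`` before returning.
    """
    coa1x = CourseOfAction(id_=convert_id20(coa20["id"]),
                           timestamp=text_type(coa20["modified"]))
    if "name" in coa20:
        coa1x.title = coa20["name"]
    if "description" in coa20:
        coa1x.add_description(coa20["description"])
    if "labels" in coa20:
        coa_types = convert_open_vocabs_to_controlled_vocabs(
            coa20["labels"], COA_LABEL_MAP)
        # STIX 1.x has a single Type field, so only the first label survives.
        # Guard the empty case: an empty (or fully unmappable) label list used
        # to raise IndexError here instead of yielding a typeless COA.
        if coa_types:
            coa1x.type_ = coa_types[0]
        for dropped in coa_types[1:]:
            warn(
                "%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                401, "labels", dropped)
    if "object_marking_refs" in coa20:
        # Object-level markings are applied to the COA and everything under it.
        for m_id in coa20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(coa1x, ms, descendants=True)
    if "granular_markings" in coa20:
        # Field-level markings have no 1.x equivalent. An error is reported
        # but conversion continues, so the caller must treat the reported
        # error as a loss of marking information on this object.
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, coa20["id"])
    record_id_object_mapping(coa20["id"], coa1x)
    return coa1x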
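def main():
    """Emit a STIX 1.x package with one 'Perimeter Blocking' course of action.

    The COA recommends blocking traffic to the PIVY (Poison Ivy) C2 server
    at 10.10.10.10, carries that address as its parameter observable, and
    is printed to stdout as XML.
    """
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    pkg = STIXPackage()
    coa = CourseOfAction()
    coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    # Why the block is recommended, and how confident we are that it applies.
    obj = Objective()
    obj.description = "Block communication between the PIVY agents and the C2 Server"
    obj.applicability_confidence = Confidence("High")

    coa.objective = obj
    # Assigning a plain string to impact turns it into an object (presumably
    # a Statement) on which the description can then be set.
    coa.impact = "Low"
    coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    coa.cost = "Low"
    coa.efficacy = "High"

    # The thing the COA acts on: the C2 server's IPv4 address.
    addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
    coa.parameter_observables = Observables(addr)

    pkg.add_course_of_action(coa)

    # The original used the Python 2-only ``print x`` statement, a SyntaxError
    # on Python 3 (which the rest of this file targets). encoding=None yields
    # text rather than bytes, so the XML prints cleanly on both versions.
    print(pkg.to_xml(encoding=None))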
def add_coa_items(corrective_action_item, cost_corrective_action_item, pkg):
    """Attach a CourseOfAction built from two optional items to ``pkg.coa``.

    The new COA always replaces whatever ``pkg.coa`` held before. Its title
    is set only when a corrective-action item is given, and its cost only
    when a cost item is given (mapped to High/Medium/Low by the helper).
    """
    # Build the cost Statement first (when there is one); it is independent
    # of the COA itself.
    cost_rating = None
    if cost_corrective_action_item:
        cost_rating = Statement()
        cost_rating.value = map_cost_corrective_action_item_to_high_medium_low(cost_corrective_action_item)

    course = CourseOfAction()
    if corrective_action_item:
        course.title = corrective_action_item
    if cost_rating is not None:
        course.cost = cost_rating
    pkg.coa = course
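def main():
    """Turn a Tor exit-node list into a STIX 1.x 'Perimeter Blocking' COA.

    Reads ``tor_exit_node_list.txt``, extracts the first IPv4-looking token
    from each line, and writes ``coa_tor.xml`` holding one CourseOfAction
    whose parameter observables are those addresses. The index of each
    address is printed to stdout as it is added (progress output).
    """
    # Dotted-quad IPv4 matcher, compiled once instead of on every line.
    # Raw string: the original non-raw '\.' relied on Python keeping an
    # unknown escape, which newer interpreters warn about.
    # NOTE(review): the pattern is unanchored, so a longer digit run such as
    # "1234.5.6.7" still 'matches' on its tail and the wrong host would be
    # blocked. The input is assumed to be one exit-node address per line;
    # anchor with \b or validate via ipaddress.ip_address() if it is not.
    ipv4_re = re.compile(
        r'(([2][5][0-5]\.)|([2][0-4][0-9]\.)|([0-1]?[0-9]?[0-9]\.)){3}(([2][5][0-5])|([2][0-4][0-9])|([0-1]?[0-9]?[0-9]))')

    # Keep only the matched text; the Match objects were never used otherwise.
    # The input file is closed as soon as it has been read.
    ip_addrs = []
    with open('tor_exit_node_list.txt', 'r') as list_file:
        for line in list_file:
            match = ipv4_re.search(line)
            if match:
                ip_addrs.append(match.group(0))

    coa = CourseOfAction()
    coa.title = "Block traffic to Tor exit nodes"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    obj = Objective()
    obj.description = "Block communication to Tor exit nodes"
    obj.applicability_confidence = Confidence("High")
    # The original built this Objective but never attached it, so it was
    # silently absent from the emitted XML.
    coa.objective = obj

    observables_list = []
    for index, ip_addr in enumerate(ip_addrs):
        observables_list.append(
            Address(address_value=ip_addr, category=Address.CAT_IPV4))
        print(index)

    coa.parameter_observables = Observables(observables_list)

    pkg = STIXPackage()
    pkg.add_course_of_action(coa)

    # Open the output only once the package is built (a failure earlier no
    # longer truncates an existing coa_tor.xml) and close it deterministically
    # so the XML is flushed; the original never closed either file.
    with open('coa_tor.xml', 'w') as out_file:
        out_file.write(pkg.to_xml(encoding=None))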
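def buildCoa(input_dict):
    """Build a python-stix CourseOfAction from a flat dict of field values.

    Args:
        input_dict: mapping with required keys ``title`` and ``description``
            and optional keys ``stage``, ``type``, ``objective``, ``impact``,
            ``cost``, ``efficacy`` and ``informationSource``. An optional key
            that is absent or falsy (None, "") is simply not set on the COA.

    Returns:
        The populated CourseOfAction.

    Raises:
        KeyError: if ``title`` or ``description`` is missing.
    """
    coa = CourseOfAction()
    coa.title = input_dict['title']
    coa.description = input_dict['description']

    # Optional fields use .get() so a missing key behaves like an empty value
    # instead of raising KeyError (the original indexed every key directly).
    stage = input_dict.get('stage')
    if stage:
        coa.stage = stage
    # The python-stix attribute is ``type_`` (``type`` shadows the builtin),
    # as every other COA example in this file uses. The original assigned
    # ``coa.type``, a stray instance attribute that most likely never reaches
    # to_xml(), so the COA type was silently dropped from the output.
    coa_type = input_dict.get('type')
    if coa_type:
        coa.type_ = coa_type
    objective = input_dict.get('objective')
    if objective:
        coa.objective = Objective(objective)
    impact = input_dict.get('impact')
    if impact:
        coa.impact = impact
    cost = input_dict.get('cost')
    if cost:
        coa.cost = cost
    efficacy = input_dict.get('efficacy')
    if efficacy:
        coa.efficacy = efficacy
    source = input_dict.get('informationSource')
    if source:
        coa.information_source = InformationSource(source)

    return coa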