Ejemplo n.º 1
0
def main():
    fn = 'ex_01.xml'
    stix_package = STIXPackage.from_xml(fn)
    stix_dict = stix_package.to_dict() # parse to dictionary
    pprint(stix_dict)

    stix_package_two = STIXPackage.from_dict(stix_dict) # create python-stix object from dictionary
    xml = stix_package_two.to_xml() # generate xml from python-stix object
    print(xml)
Ejemplo n.º 2
0
def main():
    fn = 'ex_01.xml'
    stix_package = STIXPackage.from_xml(fn)
    stix_dict = stix_package.to_dict()  # parse to dictionary
    pprint(stix_dict)

    stix_package_two = STIXPackage.from_dict(
        stix_dict)  # create python-stix object from dictionary
    xml = stix_package_two.to_xml()  # generate xml from python-stix object
    print(xml)
Ejemplo n.º 3
0
    def test_all_versions_in_single_package(self):
        package = STIXPackage.from_xml(StringIO(XML_GLOBAL))

        self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[0], stix_edh.isa_markings.ISAMarkings))
        self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[1], stix_edh.isa_markings_assertions.ISAMarkingsAssertion))

        print(package.to_xml())

        package = STIXPackage.from_dict(package.to_dict())

        self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[0], stix_edh.isa_markings.ISAMarkings))
        self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[1], stix_edh.isa_markings_assertions.ISAMarkingsAssertion))

        json_string = json.dumps(package.to_dict())

        print(json_string)
        print("-" * 40)
Ejemplo n.º 4
0
def test(files):
    '''Parses each file in the list of files and performs a to_obj(), from_obj()
    to_dict(), from_dict(), and to_xml() on each STIXPackage
    '''
    info("testing [%s] files" % (len(files)))
    
    for fn in files:
        with open(fn, 'rb') as f:
            try:
                sp = STIXPackage.from_xml(f)
                o = sp.to_obj()
                sp2 = STIXPackage.from_obj(o)
                d = sp.to_dict()
                sp3 = STIXPackage.from_dict(d)
                xml = sp.to_xml()
                print "[+] Sucessfully tested %s" % fn
            except Exception as ex:
                tb = traceback.format_exc()
                print "[!] Error with %s : %s" % (fn, str(ex))
                print tb
Ejemplo n.º 5
0
def main():
    FILENAME = 'sample.xml'

    # Parse input file
    stix_package = STIXPackage.from_xml(FILENAME)

    # Convert STIXPackage to a Python dictionary via the to_dict() method.
    stix_dict = stix_package.to_dict()

    # Print the dictionary!
    pprint(stix_dict)

    # Convert the first STIXPackage dictionary into another STIXPackage via
    # the from_dict() method.
    stix_package_two = STIXPackage.from_dict(stix_dict)

    # Serialize the new STIXPackage object to XML
    xml = stix_package_two.to_xml()

    # Print the XML!
    print(xml)
Ejemplo n.º 6
0
def main():
    FILENAME = 'sample.xml'

    # Parse input file
    stix_package = STIXPackage.from_xml(FILENAME)

    # Convert STIXPackage to a Python dictionary via the to_dict() method.
    stix_dict = stix_package.to_dict()

    # Print the dictionary!
    pprint(stix_dict)

    # Convert the first STIXPackage dictionary into another STIXPackage via
    # the from_dict() method.
    stix_package_two = STIXPackage.from_dict(stix_dict)

    # Serialize the new STIXPackage object to XML
    xml = stix_package_two.to_xml()

    # Print the XML!
    print(xml)
Ejemplo n.º 7
0
    def toStixXml(self, confidence, efficacy):
        """
        This method converts a list of FASGuard generated Snort rules  into a STIX
        compliant XML string ready for output. It first converts the object
        into a hash of the right format and then converts it into XML using
        STIXPackage.from_dict and to_xml on the resulting object.

        Arguments:

        confidence - High, Medium or Low. High means low false alarm rate.
        efficacy - High, Medium or Low. High means a low missed detection rate.

        Returns:

        Reference to string containing STIX/CybOX XML file.
        """
        logger = logging.getLogger('simple_example')
        self.logger = logger
        self.logger.debug('In asg.fasguardStixRule')
        stix_package = STIXPackage()

        # Build the Exploit Target
        vuln = Vulnerability()
        vuln.cve_id = "Unknown"

        et = ExploitTarget(title="From FASGuard")
        et.add_vulnerability(vuln)

        stix_package.add_exploit_target(et)

        # Build the TTP
        ttp = TTP(title="FASGuard Produced Signatures")
        ttp.exploit_targets.append(ExploitTarget(idref=et.id_))

        stix_package.add_ttp(ttp)

        # Build the indicator
        indicator = Indicator(title="Snort Signature from FASGuard")
        indicator.confidence = Confidence(confidence)

        tm = SnortTestMechanism()
        tm.rules = self.ruleList
        tm.efficacy = efficacy
        tm.producer = InformationSource(identity=Identity(name="FASGuard"))
        tm.producer.references = ["http://fasguard.github.io/"]
        indicator.test_mechanisms = [tm]
        indicator.add_indicated_ttp(TTP(idref=ttp.id_))

        stix_package.add_indicator(indicator)

        return stix_package.to_xml()

        # stixDict = {'campaigns': [{}],
        #             'courses_of_action': [{}],
        #             'exploit_targets': [{}],
        #             'id': 'INSERT_PACKAGE_ID_HERE'}
        # stixDict['indicators'] = [{'indicator':
        #                            {'title':
        #                             'Automatically Generated FASGuard Signatures',
        #                             'test_mechanisms':
        #                             {'test_mechanism':
        #                              {'efficacy':'Low',
        #                               'producer':
        #                               {'Identity':'FASGuard'},
        #                               'rule':'xyz'}}}}
        # ]
        stix_package = STIXPackage.from_dict(stixDict)
        stix_xml = stix_package.to_xml()
        return stix_xml
Ejemplo n.º 8
0
    def toStixXml(self):
        """
        This method converts a DetectorEvent object into a STIX compliant XML
        string ready for output. It first converts the object into a hash of the
        right format and then converts it into XML using STIXPackage.from_dict
        and to_xml on the resulting object.

        Returns:

        Reference to string containing STIX/CybOX XML file.
        """
        self.logger.debug('In toStixXml')
        stixDict = {'campaigns': [{}],
         'courses_of_action': [{}],
         'exploit_targets': [{}],
         'id': 'INSERT_PACKAGE_ID_HERE'}
        stixDict['incidents'] = []
        stixDict['indicators'] = [{}]
        stixDict['observables'] = {'major_version': 2,
                                   'minor_version': 1,
                                   'observables': [{}],
                                   'update_version': 0}
        stixDict['stix_header'] =  {'description': 'DESCRIPTION',
                                    # 'handling':
                                    # [{'controlled_structure':
                                    #   '//node()',
                                    #   'marking_structures':
                                    #   [{'color': 'WHITE',
                                    #     'xsi:type':
                                    #     'tlpMarking:TLPMarkingStructureType'}]},
                                    #  {'controlled_structure':
                                    #   '//node()',
                                    #   'marking_structures':
                                    #   [{'xsi:type':
                                    #     'simpleMarking:SimpleMarkingStructureType'}]},
                                    #  {'controlled_structure': '//node()',
                                    #   'marking_structures':
                                    #   [{'xsi:type':
                                    #     'TOUMarking:TermsOfUseMarkingStructureType'}]}],
                                    'information_source': {'identity': {},
                                                           'time':
                                                           {'produced_time':
                                                            '2014-12-31T08:00:00+00:00'},
                                                           'tools': [{}]},
                                    'package_intents': [{'value': 'Incident',
                                                         'xsi:type':
                                                         'stixVocabs:PackageIntentVocab-1.0'}],
                                    'title': 'TITLE'}
        stixDict['threat_actors'] = [{}]
        # stixDict['ttps'] = {'kill_chains':
        #                     {'kill_chains': [{'kill_chain_phases': [{}]}]},
        #                     'ttps': [{}]}
        stixDict['version'] = '1.1.1'
        if (((not self.multiAttackFlag) or (not self.attackBoundaryFlag))
            and
            len(self.attackInstanceList) != 1):
            self.logger.error('For non-multiple attack or non-boundary attack '+
                              'had more than one attack instance')
            sys.exit(-1)
        description_string = '\n\t\t\t\tMultipleAttack = '
        description_string += 'TRUE' if self.multiAttackFlag else 'FALSE'
        description_string += '\n\t\t\t\tAttackBoundaries = '
        description_string += 'TRUE' if self.attackBoundaryFlag else 'FALSE'
        description_string += '\n\t\t\t'
        for attack_instance in self.attackInstanceList:
            related_observables_hash = {'description' : description_string,
                                        'related_observables':
                                        {'observables': [],
                                         'scope':'exclusive'}}
            observables_list = (related_observables_hash['related_observables']
                                ['observables'])
            stixDict['incidents'].append(related_observables_hash)
            for packet in attack_instance.packetList:
                f_sec,sec = math.modf(packet.timeStamp)
                self.logger.debug('%f %f',sec,f_sec)
                dtime = datetime.datetime.fromtimestamp(
                    int(sec)).strftime('%Y-%m-%dT%H:%M:%S')+'.'+(
                        str(int(f_sec*1000000)))
                #dtime = '2014-10-13T14:08:00.002000+00:00'
                self.logger.debug('dtime = '+dtime)
                observable_dict = {}
                data_dict = {}
                properties_dict = {}
                packet_dict = {}
                observable_dict['observable'] = data_dict
                data_dict['keywords'] = ['LinkType=ethernet',
                                         u'ProbAttack=' +
                                         str(packet.probAttack)]
                data_dict['object'] = properties_dict
                properties_dict['properties'] = packet_dict
                packet_dict['packaging'] = [{'algorithm': 'Base64',
                  'packaging_type': 'encoding'}]
                packet_dict['raw_artifact'] = base64.b64encode(
                    str(packet.packet))
                eth = dpkt.ethernet.Ethernet(str(packet.packet))
                self.logger.debug('eth as string: %s',pformat(eth))
                b64_decode = base64.b64decode(base64.b64encode(packet.packet))
                v1 = pformat(packet.packet)
                self.logger.debug('First version: %s',str(packet.packet).encode('hex'))

                v2 = pformat(packet.packet)
                self.logger.debug('Second version: %s',b64_decode.encode('hex'))
                pprint(b64_decode)
                # if b64_decode != packet.packet:
                #     self.logger.debug('Round trip failed')
                #     self.logger.debug('Types: %s, %s',type(b64_decode),
                #                       type(packet.packet))
                #     self.logger.debug('Length %d -> %d',
                #                       len(b64_decode),len(packet.packet))

                #     packet_list = list(packet.packet)
                #     b64_list = list(b64_decode)
                #     for i in range(len(packet.packet)):
                #         if packet_list[i] != b64_list[i]:
                #             self.logger.debug('%s != %s',packet_list[i],
                #                               b64_list[i])

                #     # for i in list(packet.packet):
                #     #     self.logger.debug('Orig: %s',i)

                #     # for i in list(b64_decode):
                #     #     self.logger.debug('Decode: %s',i)

                #     sys.exit(-1)
                packet_dict['type'] = 'Network Traffic'
                packet_dict['xsi:type'] = 'ArtifactObjectType'
                data_dict['observable_source'] = [
                    {'time':{'received_time':dtime}
                        }
                    ]
                observables_list.append(observable_dict)

        ofh = open('stix_dict.out', 'w')
        ofh.write(pformat(stixDict))
        self.logger.debug('Wrote stix dictionary to stix_dict.out')
        stix_package = STIXPackage.from_dict(stixDict)
        self.logger.debug('After constructor')
        stix_xml = stix_package.to_xml()
        return stix_xml
Ejemplo n.º 9
0
    def toStixXml(self, confidence, efficacy):
        """
        This method converts a list of FASGuard generated Snort rules  into a STIX
        compliant XML string ready for output. It first converts the object
        into a hash of the right format and then converts it into XML using
        STIXPackage.from_dict and to_xml on the resulting object.

        Arguments:

        confidence - High, Medium or Low. High means low false alarm rate.
        efficacy - High, Medium or Low. High means a low missed detection rate.

        Returns:

        Reference to string containing STIX/CybOX XML file.
        """
        logger = logging.getLogger('simple_example')
        self.logger = logger
        self.logger.debug('In asg.fasguardStixRule')
        stix_package = STIXPackage()

        # Build the Exploit Target
        vuln = Vulnerability()
        vuln.cve_id = "Unknown"

        et = ExploitTarget(title="From FASGuard")
        et.add_vulnerability(vuln)

        stix_package.add_exploit_target(et)

        # Build the TTP
        ttp = TTP(title="FASGuard Produced Signatures")
        ttp.exploit_targets.append(ExploitTarget(idref=et.id_))

        stix_package.add_ttp(ttp)

        # Build the indicator
        indicator = Indicator(title = "Snort Signature from FASGuard")
        indicator.confidence = Confidence(confidence)

        tm = SnortTestMechanism()
        tm.rules = self.ruleList
        tm.efficacy = efficacy
        tm.producer = InformationSource(identity=Identity(name="FASGuard"))
        tm.producer.references = ["http://fasguard.github.io/"]
        indicator.test_mechanisms = [tm]
        indicator.add_indicated_ttp(TTP(idref=ttp.id_))

        stix_package.add_indicator(indicator)

        return stix_package.to_xml()

        # stixDict = {'campaigns': [{}],
        #             'courses_of_action': [{}],
        #             'exploit_targets': [{}],
        #             'id': 'INSERT_PACKAGE_ID_HERE'}
        # stixDict['indicators'] = [{'indicator':
        #                            {'title':
        #                             'Automatically Generated FASGuard Signatures',
        #                             'test_mechanisms':
        #                             {'test_mechanism':
        #                              {'efficacy':'Low',
        #                               'producer':
        #                               {'Identity':'FASGuard'},
        #                               'rule':'xyz'}}}}
        # ]
        stix_package = STIXPackage.from_dict(stixDict)
        stix_xml = stix_package.to_xml()
        return stix_xml