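def main(args):
    """Print the opening fragment of a STIX 1.1.1 package for a MISP export.

    Args:
        args: argv-style sequence. ``args[1]`` is the base URL used as the
            ID namespace (an empty value selects the misp-project.org
            default), ``args[2]`` the organisation name and ``args[3]`` the
            output format: ``'json'``, or anything else for XML.

    Side effects:
        Registers the namespace prefix in the module-level ``NS_DICT``,
        sets the global ID namespace via ``idgen``, and prints the package
        header to stdout. The output is deliberately left unterminated (the
        trailing JSON brace / ``</stix:STIX_Package>`` is stripped) so that
        related packages can be appended after it.

    Raises:
        SystemExit: when fewer than three positional arguments are given.
    """
    if len(args) < 4:
        sys.exit("Invalid parameters")
    baseURL = args[1] or 'https://www.misp-project.org'
    # The raw org name is only used for the human-readable title; the
    # namespace prefix is reduced to [A-Za-z0-9_] so that it cannot carry
    # stray characters into the xmlns declaration.  Raw string: '\W' in a
    # normal literal is an invalid escape sequence on recent Pythons.
    display_name = args[2]
    orgname = re.sub(r'[\W]+', '', display_name.replace(" ", "_"))
    # NOTE(review): baseURL is emitted verbatim as a namespace URI and is
    # not validated here; it should come from a trusted configuration value.
    NS_DICT[baseURL] = orgname
    try:
        idgen.set_id_namespace(Namespace(baseURL, orgname))
    except TypeError:
        # Some cybox versions require the three-argument Namespace form.
        idgen.set_id_namespace(Namespace(baseURL, orgname, "MISP"))
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Export from {} MISP".format(display_name)
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header
    stix_package.version = "1.1.1"
    # NOTE(review): naive local timestamp, as in the original; an aware UTC
    # value would be unambiguous but changes the serialised form — confirm
    # with consumers before switching.
    stix_package.timestamp = datetime.datetime.now()
    if args[3] == 'json':
        # Drop the closing '}' so the caller can append related packages.
        stix_string = stix_package.to_json()[:-1]
        stix_string += ', "related_packages": ['
    else:
        stix_string = stix_package.to_xml(auto_namespace=False,
                                          ns_dict=NS_DICT,
                                          schemaloc_dict=SCHEMALOC_DICT)
        # to_xml() returns bytes here; strip the closing element after decoding.
        stix_string = stix_string.decode().replace("</stix:STIX_Package>\n",
                                                   "")
    print(stix_string)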
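def main(args):
    """Print the opening fragment of a STIX 1.1.1 package for a MISP export.

    Args:
        args: argv-style sequence. ``args[1]`` is the base URL used as the
            ID namespace (an empty value selects the misp-project.org
            default), ``args[2]`` the organisation name and ``args[3]`` the
            output format: ``'json'``, or anything else for XML.

    Side effects:
        Registers the namespace prefix in the module-level ``NS_DICT``,
        sets the global ID namespace via ``idgen``, and prints the package
        header to stdout. The output is deliberately left unterminated (the
        trailing JSON brace / ``</stix:STIX_Package>`` is stripped) so that
        related packages can be appended after it.

    Raises:
        SystemExit: when fewer than three positional arguments are given.
    """
    if len(args) < 4:
        sys.exit("Invalid parameters")

    baseURL = args[1] or 'https://www.misp-project.org'
    orgname = args[2]

    # Namespace prefix: spaces become underscores, then everything outside
    # [A-Za-z0-9_] is stripped so the value is safe as an XML prefix.  Raw
    # string: '\W' in a normal literal is an invalid escape on recent Pythons.
    prefix = re.sub(r'[\W]+', '', orgname.replace(" ", "_"))
    # NOTE(review): baseURL is used verbatim as a namespace URI and is not
    # validated here; it should come from a trusted configuration value.
    NS_DICT[baseURL] = prefix

    try:
        idgen.set_id_namespace({baseURL: prefix})
    except ValueError:
        # Some stix/mixbox combinations reject the dict form; fall back to
        # a cybox Namespace object.
        try:
            idgen.set_id_namespace(Namespace(baseURL, prefix))
        except TypeError:
            # ...and some cybox versions require the three-argument form.
            idgen.set_id_namespace(Namespace(baseURL, prefix, "MISP"))

    stix_package = STIXPackage()
    stix_header = STIXHeader()

    # The title keeps the unsanitised org name; only the prefix is reduced.
    stix_header.title = "Export from {} MISP".format(orgname)
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header
    stix_package.version = "1.1.1"
    # NOTE(review): naive local timestamp, as in the original; switching to
    # an aware UTC value would change the serialised form.
    stix_package.timestamp = datetime.datetime.now()

    if args[3] == 'json':
        # Drop the closing '}' so the caller can append related packages.
        stix_string = stix_package.to_json()[:-1]
        stix_string += ', "related_packages": ['
    else:
        stix_string = stix_package.to_xml(auto_namespace=False,
                                          ns_dict=NS_DICT,
                                          schemaloc_dict=SCHEMALOC_DICT)
        # to_xml() returns bytes here; strip the closing element after decoding.
        stix_string = stix_string.decode()
        stix_string = stix_string.replace("</stix:STIX_Package>\n", "")
    print(stix_string)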
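def main(args):
    """Print the opening fragment of a STIX package for a MISP export.

    Args:
        args: argv-style sequence. ``args[1]`` is the base URL used as the
            ID namespace, ``args[2]`` the organisation name and ``args[3]``
            the output format: ``'json'``, or anything else for XML.
            The original read ``sys.argv`` directly and ignored this
            parameter; the parameter is now honoured (callers passing
            ``sys.argv`` see no difference).

    Side effects:
        Registers the namespace prefix in the module-level ``NS_DICT``,
        sets the global ID namespace, and prints the package header to
        stdout. The output is deliberately left unterminated (the trailing
        JSON brace / ``</stix:STIX_Package>`` is stripped) so that related
        packages can be appended after it.

    Raises:
        SystemExit: when fewer than three positional arguments are given.
    """
    if len(args) < 4:
        sys.exit("Invalid parameters")
    baseURL = args[1]
    orgname = args[2]
    # Namespace prefix: spaces become underscores, then everything outside
    # [A-Za-z0-9_] is stripped so the value is safe as an XML prefix.  Raw
    # string: '\W' in a normal literal is an invalid escape on recent Pythons.
    prefix = re.sub(r'[\W]+', '', orgname.replace(" ", "_"))
    # NOTE(review): baseURL is used verbatim as a namespace URI and is not
    # validated here; it should come from a trusted configuration value.
    NS_DICT[baseURL] = prefix
    stix.utils.idgen.set_id_namespace({baseURL: prefix})
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    # The title keeps the unsanitised org name; only the prefix is reduced.
    stix_header.title = "Export from " + orgname + " MISP"
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header
    if args[3] == 'json':
        # Drop the closing '}' so the caller can append related packages.
        stix_string = stix_package.to_json()[:-1]
        stix_string += ', "related_packages": ['
    else:
        stix_string = stix_package.to_xml(auto_namespace=False,
                                          ns_dict=NS_DICT,
                                          schemaloc_dict=SCHEMALOC_DICT)
        # Under Python 3 to_xml() returns bytes; str.replace would fail on
        # them, so decode first.  A str result is left untouched.
        if isinstance(stix_string, bytes):
            stix_string = stix_string.decode()
        stix_string = stix_string.replace("</stix:STIX_Package>\n", "")
    print(stix_string)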
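# XML namespace URI -> prefix table used when serialising the STIX package.
# Module-level so it is built once; stix_framing() copies it before adding
# the caller's organisation namespace, so calls do not leak into each other.
_NS_DICT = {
    "http://cybox.mitre.org/common-2": 'cyboxCommon',
    "http://cybox.mitre.org/cybox-2": 'cybox',
    "http://cybox.mitre.org/default_vocabularies-2": 'cyboxVocabs',
    "http://cybox.mitre.org/objects#AccountObject-2": 'AccountObj',
    "http://cybox.mitre.org/objects#ASObject-1": 'ASObj',
    "http://cybox.mitre.org/objects#AddressObject-2": 'AddressObj',
    "http://cybox.mitre.org/objects#PortObject-2": 'PortObj',
    "http://cybox.mitre.org/objects#DomainNameObject-1": 'DomainNameObj',
    "http://cybox.mitre.org/objects#EmailMessageObject-2": 'EmailMessageObj',
    "http://cybox.mitre.org/objects#FileObject-2": 'FileObj',
    "http://cybox.mitre.org/objects#HTTPSessionObject-2": 'HTTPSessionObj',
    "http://cybox.mitre.org/objects#HostnameObject-1": 'HostnameObj',
    "http://cybox.mitre.org/objects#MutexObject-2": 'MutexObj',
    "http://cybox.mitre.org/objects#PipeObject-2": 'PipeObj',
    "http://cybox.mitre.org/objects#URIObject-2": 'URIObj',
    "http://cybox.mitre.org/objects#WinRegistryKeyObject-2": 'WinRegistryKeyObj',
    'http://cybox.mitre.org/objects#WinServiceObject-2': 'WinServiceObj',
    "http://cybox.mitre.org/objects#NetworkConnectionObject-2": 'NetworkConnectionObj',
    "http://cybox.mitre.org/objects#NetworkSocketObject-2": 'NetworkSocketObj',
    "http://cybox.mitre.org/objects#SocketAddressObject-1": 'SocketAddressObj',
    "http://cybox.mitre.org/objects#SystemObject-2": 'SystemObj',
    "http://cybox.mitre.org/objects#ProcessObject-2": 'ProcessObj',
    "http://cybox.mitre.org/objects#X509CertificateObject-2": 'X509CertificateObj',
    "http://cybox.mitre.org/objects#WhoisObject-2": 'WhoisObj',
    "http://cybox.mitre.org/objects#WinExecutableFileObject-2": 'WinExecutableFileObj',
    "http://data-marking.mitre.org/Marking-1": 'marking',
    "http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1": 'tlpMarking',
    "http://stix.mitre.org/ExploitTarget-1": 'et',
    "http://stix.mitre.org/Incident-1": 'incident',
    "http://stix.mitre.org/Indicator-2": 'indicator',
    "http://stix.mitre.org/TTP-1": 'ttp',
    "http://stix.mitre.org/ThreatActor-1": 'ta',
    "http://stix.mitre.org/common-1": 'stixCommon',
    "http://stix.mitre.org/default_vocabularies-1": 'stixVocabs',
    "http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1": 'ciqIdentity',
    "http://stix.mitre.org/extensions/TestMechanism#Snort-1": 'snortTM',
    "http://stix.mitre.org/stix-1": 'stix',
    "http://www.w3.org/2001/XMLSchema-instance": 'xsi',
    "urn:oasis:names:tc:ciq:xal:3": 'xal',
    "urn:oasis:names:tc:ciq:xnl:3": 'xnl',
    "urn:oasis:names:tc:ciq:xpil:3": 'xpil',
}

# XML namespace URI -> schema location emitted in xsi:schemaLocation.
# The AccountObject entry previously carried a leading space, which produced
# a malformed (double-whitespace) schemaLocation pair; it is trimmed here.
_SCHEMALOC_DICT = {
    'http://cybox.mitre.org/common-2': 'http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd',
    'http://cybox.mitre.org/cybox-2': 'http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd',
    'http://cybox.mitre.org/default_vocabularies-2': 'http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd',
    'http://cybox.mitre.org/objects#AccountObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Account/2.1/Account_Object.xsd',
    'http://cybox.mitre.org/objects#ASObject-1': 'http://cybox.mitre.org/XMLSchema/objects/AS/1.0/AS_Object.xsd',
    'http://cybox.mitre.org/objects#AddressObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd',
    'http://cybox.mitre.org/objects#PortObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Port/2.1/Port_Object.xsd',
    'http://cybox.mitre.org/objects#DomainNameObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd',
    'http://cybox.mitre.org/objects#EmailMessageObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Email_Message/2.1/Email_Message_Object.xsd',
    'http://cybox.mitre.org/objects#FileObject-2': 'http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd',
    'http://cybox.mitre.org/objects#HTTPSessionObject-2': 'http://cybox.mitre.org/XMLSchema/objects/HTTP_Session/2.1/HTTP_Session_Object.xsd',
    'http://cybox.mitre.org/objects#HostnameObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Hostname/1.0/Hostname_Object.xsd',
    'http://cybox.mitre.org/objects#MutexObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Mutex/2.1/Mutex_Object.xsd',
    'http://cybox.mitre.org/objects#PipeObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Pipe/2.1/Pipe_Object.xsd',
    'http://cybox.mitre.org/objects#URIObject-2': 'http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd',
    'http://cybox.mitre.org/objects#WinServiceObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Service/2.1/Win_Service_Object.xsd',
    'http://cybox.mitre.org/objects#WinRegistryKeyObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Registry_Key/2.1/Win_Registry_Key_Object.xsd',
    'http://cybox.mitre.org/objects#NetworkConnectionObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.0.1/Network_Connection_Object.xsd',
    'http://cybox.mitre.org/objects#NetworkSocketObject-2': 'https://cybox.mitre.org/XMLSchema/objects/Network_Socket/2.1/Network_Socket_Object.xsd',
    'http://cybox.mitre.org/objects#SystemObject-2': 'http://cybox.mitre.org/XMLSchema/objects/System/2.1/System_Object.xsd',
    'http://cybox.mitre.org/objects#SocketAddressObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Socket_Address/1.1/Socket_Address_Object.xsd',
    'http://cybox.mitre.org/objects#ProcessObject-2': 'https://cybox.mitre.org/XMLSchema/objects/Process/2.1/Process_Object.xsd',
    'http://cybox.mitre.org/objects#X509CertificateObject-2': 'http://cybox.mitre.org/XMLSchema/objects/X509_Certificate/2.1/X509_Certificate_Object.xsd',
    'http://cybox.mitre.org/objects#WhoisObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Whois/2.1/Whois_Object.xsd',
    'http://cybox.mitre.org/objects#WinExecutableFileObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Executable_File/2.1/Win_Executable_File_Object.xsd',
    'http://data-marking.mitre.org/Marking-1': 'http://stix.mitre.org/XMLSchema/data_marking/1.1.1/data_marking.xsd',
    'http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1': 'http://stix.mitre.org/XMLSchema/extensions/marking/tlp/1.1.1/tlp_marking.xsd',
    'http://stix.mitre.org/ExploitTarget-1': 'http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd',
    'http://stix.mitre.org/Incident-1': 'http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd',
    'http://stix.mitre.org/Indicator-2': 'http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd',
    'http://stix.mitre.org/TTP-1': 'http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd',
    'http://stix.mitre.org/ThreatActor-1': 'http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd',
    'http://stix.mitre.org/common-1': 'http://stix.mitre.org/XMLSchema/common/1.1.1/stix_common.xsd',
    'http://stix.mitre.org/default_vocabularies-1': 'http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd',
    'http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1': 'http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd',
    'http://stix.mitre.org/extensions/TestMechanism#Snort-1': 'http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd',
    'http://stix.mitre.org/stix-1': 'http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd',
    'urn:oasis:names:tc:ciq:xal:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xAL.xsd',
    'urn:oasis:names:tc:ciq:xnl:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xNL.xsd',
    'urn:oasis:names:tc:ciq:xpil:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xPIL.xsd',
}


def stix_framing(*args):
    """Build the header, separator and footer that frame a STIX 1.1.1 export.

    Args:
        *args: exactly three positionals — ``baseurl`` (ID namespace URI; an
            empty value selects the misp-project.org default), ``orgname``
            (organisation name) and ``return_type`` (``'json'``, or anything
            else for XML).

    Returns:
        A ``(header, ',', footer)`` tuple. ``header`` is the serialised
        package with its closing token removed and a ``related_packages``
        opener appended; ``footer`` closes that list and the package.

    Side effects:
        Sets the global mixbox ID namespace.

    Raises:
        ValueError: if ``args`` does not hold exactly three values.
    """
    import datetime
    import re
    from stix.core import STIXPackage, STIXHeader
    from cybox.utils import Namespace
    # Python 3 is forced anyway, so mixbox provides idgen; no need to fall
    # back to stix.utils.
    from mixbox import idgen

    # Per-call copies: the caller's namespace is added below and must not
    # persist into later calls.
    ns_dict = dict(_NS_DICT)
    schemaloc_dict = dict(_SCHEMALOC_DICT)

    baseurl, orgname, return_type = args
    if not baseurl:
        baseurl = 'https://www.misp-project.org'
    # The unsanitised name is kept for the human-readable title; the
    # namespace prefix is reduced to [A-Za-z0-9_] so it cannot carry stray
    # characters into the xmlns declaration.  Raw string: '\W' in a normal
    # literal is an invalid escape sequence on recent Pythons.
    real_orgname = orgname
    orgname = re.sub(r'[\W]+', '', orgname.replace(" ", "_"))
    # NOTE(review): baseurl is emitted verbatim as a namespace URI and is
    # not validated here; it should come from a trusted configuration value.
    ns_dict[baseurl] = orgname
    try:
        idgen.set_id_namespace(Namespace(baseurl, orgname))
    except TypeError:
        # Some cybox versions require the three-argument Namespace form.
        idgen.set_id_namespace(Namespace(baseurl, orgname, "MISP"))

    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Export from {} MISP".format(real_orgname)
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header
    stix_package.version = "1.1.1"
    # NOTE(review): naive local timestamp, as in the original; an aware UTC
    # value would change the serialised form.
    stix_package.timestamp = datetime.datetime.now()

    if return_type == 'json':
        # Drop the closing '}' and open the related-packages list.
        header = '{}, "related_packages": ['.format(stix_package.to_json()[:-1])
        # json_footer is expected to be defined at module level — confirm.
        footer = json_footer
    else:
        s_stix_package = "</stix:STIX_Package>\n"
        header = stix_package.to_xml(auto_namespace=False, ns_dict=ns_dict, schemaloc_dict=schemaloc_dict)
        # to_xml() returns bytes; strip the closing element after decoding.
        header = header.decode().replace(s_stix_package, "")
        footer = "    </stix:Related_Packages>\n{}".format(s_stix_package)
    return header, ',', footer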
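# Populate an Incident ("breach", created earlier in this script) with
# timestamps, impact, victims and sources, attach it to the package and
# print the package as JSON.

# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "The Multi-sig Hack"
# NOTE(review): `datetime.strptime` implies `from datetime import datetime`
# earlier in the script — confirm against the imports.  Dates are parsed as
# naive midnight values; restoration_achieved is optional and is left unset.
breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d")

# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Estimated Loss of $280m in Ether")
breach.impact_assessment = impact

# add the victims
victim = Identity()
victim.name = "Cappasity"
breach.add_victim(victim)
victim2 = Identity()
victim2.name = "Who else ?"
breach.add_victim(victim2)

# add Information Sources
infoSource = InformationSource()
infoSource.add_description("https://news.ycombinator.com/item?id=15642856")
infoSource.add_description("https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/")
# python-stix exposes the Information_Source element as the lower-case
# `information_source` attribute; the previous `breach.Information_Source`
# only set a plain Python attribute and was never serialised.
breach.information_source = infoSource

stix_package.add_incident(breach)
print(stix_package.to_json())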