def main():
NAMESPACE = {"https://www.ncsc.gov.uk/": "ncscuk"}
idgen.set_id_namespace(NAMESPACE)
pkg = STIXPackage()
coa = CourseOfAction()
obj = file_to_obj('out.json')
if obj.type == 'bundle':
for _dict in obj.objects:
object = dict_to_obj(_dict)
if object.type == 'indicator':
ind = Indicator()
id_str = object.id.replace('--', '-')
print id_str
#ind.id_ = object.id
pattern_type = object.pattern.split(':')[0]
_value = re.sub("'", '', object.pattern.split(' = ')[1])
if pattern_type == 'ipv4-addr':
obs = Observable(
Address(address_value=_value,
category=Address.CAT_IPV4))
elif pattern_type == 'url':
obs = Observable(URI(value=_value, type_=URI.TYPE_URL))
pkg.add_observable(obs)
obs_ref = Observable()
obs_ref.id_ = None
obs_ref.idref = obs.id_
ind.add_observable(obs_ref)
pkg.add_indicator(ind)
print pkg.to_xml()
def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from stix.utils import idgen
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
idgen.set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
# Add the vulnerability object to the package object
expt.add_vulnerability(vulnbuild(data))
# Do some TTP stuff with CAPEC objects
try:
for i in data['capec']:
ttp = TTP()
ttp.title = "CAPEC-" + str(i['id'])
ttp.description = i['summary']
ttp.exploit_targets.append(ExploitTarget(idref=expt.id_))
pkg.add_ttp(ttp)
except KeyError:
pass
# Do some weakness stuff
if data['cwe'] != 'Unknown':
weak = Weakness()
weak.cwe_id = data['cwe']
expt.add_weakness(weak)
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
title = pkg.id_.split(':', 1)[-1]
with open(title + ".xml", "w") as text_file:
text_file.write(xml)
return xml
def _custom_namespace(url, alias):
try:
from stix.utils import set_id_namespace
namespace = {url: alias}
set_id_namespace(namespace)
except ImportError:
from mixbox.namespaces import Namespace
from stix.utils import idgen
namespace = Namespace(url, alias, "")
idgen.set_id_namespace(namespace)
def _custom_namespace(url, alias):
try:
from stix.utils import set_id_namespace
namespace = {url: alias}
set_id_namespace(namespace)
except ImportError:
from mixbox.namespaces import Namespace
from stix.utils import idgen
namespace = Namespace(url, alias, "")
idgen.set_id_namespace(namespace)
def __init__(self, args):
self.misp_event = pymisp.MISPEvent()
self.args = args
if len(args) > 3:
namespace[0] = args[3]
if len(args) > 4:
ns = args[4].replace(" ", "_")
namespace[1] = re.sub('[\W]+', '', ns)
if not namespace[0]:
namespace[0] = 'https://www.misp-project.org'
try:
idgen.set_id_namespace({namespace[0]: namespace[1]})
except ValueError:
try:
idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
except TypeError:
idgen.set_id_namespace(Namespace(namespace[0], namespace[1], "MISP"))
self.namespace_prefix = idgen.get_id_namespace_alias()
self.simple_type_to_method = {"port": self.generate_port_observable, "domain|ip": self.generate_domain_ip_observable}
self.simple_type_to_method.update(dict.fromkeys(hash_type_attributes["single"] + hash_type_attributes["composite"] + ["filename"] + ["attachment"], self.resolve_file_observable))
self.simple_type_to_method.update(dict.fromkeys(["ip-src", "ip-dst", "ip-src|port", "ip-dst|port"], self.generate_ip_observable))
self.simple_type_to_method.update(dict.fromkeys(["regkey", "regkey|value"], self.generate_regkey_observable))
self.simple_type_to_method.update(dict.fromkeys(["hostname", "domain", "url", "AS", "mutex", "named pipe", "link"], self.generate_simple_observable))
self.simple_type_to_method.update(dict.fromkeys(["email-src", "email-dst", "email-subject"], self.resolve_email_observable))
self.simple_type_to_method.update(dict.fromkeys(["http-method", "user-agent"], self.resolve_http_observable))
self.simple_type_to_method.update(dict.fromkeys(["pattern-in-file", "pattern-in-traffic", "pattern-in-memory"], self.resolve_pattern_observable))
def main(args):
if len(args) < 4:
sys.exit("Invalid parameters")
baseURL = args[1]
if not baseURL:
baseURL = 'https://www.misp-project.org'
orgname = args[2]
namespace = [baseURL, orgname.replace(" ", "_")]
namespace[1] = re.sub('[\W]+', '', namespace[1])
NS_DICT[namespace[0]] = namespace[1]
try:
idgen.set_id_namespace({baseURL: namespace[1]})
except ValueError:
# Some weird stix error that sometimes occurs if the stars
# align and Mixbox is being mean to us
# Glory to STIX, peace and good xmlns be upon it
try:
idgen.set_id_namespace(Namespace(baseURL, namespace[1]))
except TypeError:
# Ok this only occurs if the script is being run under py3
# and if we're running a REALLY weird version of stix
# May as well catch it
idgen.set_id_namespace(Namespace(baseURL, namespace[1], "MISP"))
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.title = "Export from {} MISP".format(orgname)
stix_header.package_intents = "Threat Report"
stix_package.stix_header = stix_header
stix_package.version = "1.1.1"
stix_package.timestamp = datetime.datetime.now()
if args[3] == 'json':
stix_string = stix_package.to_json()[:-1]
stix_string += ', "related_packages": ['
else:
stix_string = stix_package.to_xml(auto_namespace=False,
ns_dict=NS_DICT,
schemaloc_dict=SCHEMALOC_DICT)
stix_string = stix_string.decode()
stix_string = stix_string.replace("</stix:STIX_Package>\n", "")
print(stix_string)
def main(args):
pathname = os.path.dirname(sys.argv[0])
if len(sys.argv) > 3:
namespace[0] = sys.argv[3]
if len(sys.argv) > 4:
namespace[1] = sys.argv[4].replace(" ", "_")
namespace[1] = re.sub('[\W]+', '', namespace[1])
try:
idgen.set_id_namespace({namespace[0]: namespace[1]})
except ValueError:
try:
idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
except TypeError:
idgen.set_id_namespace(Namespace(namespace[0], namespace[1], "MISP"))
event = loadEvent(args, pathname)
stix_package = generateEventPackage(event)
saveFile(args, pathname, stix_package)
print(json.dumps({'success' : 1, 'message' : ''}))