def to_attack_pattern(r):
""" Fungsi untuk mengubah menjadi objek stix attack-pattern """
uid = str(uuid.uuid4())
created = datetime.now()
modified = created
if type(r["src_ip"]) == list:
name = r['alert_msg']
desc = 'attack from ' + " ".join(r['src_ip']) + ' to ' + r['dest_ip']
else:
name = r['alert_msg']
desc = 'attack from ' + r['src_ip'] + ' to ' + r['dest_ip']
attack_pattern = stix2.AttackPattern(
id="attack-pattern--" + uid,
created=created,
modified=modified,
name=name,
description=desc
)
return attack_pattern
def test_attack_pattern_invalid_labels():
with pytest.raises(stix2.exceptions.InvalidValueError):
stix2.AttackPattern(
id="attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
created="2016-05-12T08:17:27Z",
modified="2016-05-12T08:17:27Z",
name="Spear Phishing",
labels=1)
def test_attack_pattern_example():
ap = stix2.AttackPattern(
id="attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
created="2016-05-12T08:17:27.000Z",
modified="2016-05-12T08:17:27.000Z",
name="Spear Phishing",
external_references=[{
"source_name": "capec",
"id": "CAPEC-163"
}],
description="...",
)
assert str(ap) == EXPECTED
malware = stix2.Malware(id="malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4",
created="2015-04-23T11:12:34.760Z",
modified="2015-04-23T11:12:34.760Z",
name="Poison Ivy Variant d1c6",
labels=["remote-access-trojan"],
kill_chain_phases=[init_comp])
ref = stix2.ExternalReference(
source_name="capec",
description="phishing",
url="https://capec.mitre.org/data/definitions/98.html",
external_id="CAPEC-98")
attack_pattern = stix2.AttackPattern(
id="attack-pattern--8ac90ff3-ecf8-4835-95b8-6aea6a623df5",
created="2015-05-07T14:22:14.760Z",
modified="2015-05-07T14:22:14.760Z",
name="Phishing",
description="Spear phishing used as a delivery mechanism for malware.",
kill_chain_phases=[init_comp],
external_references=[ref])
relationship1 = stix2.Relationship(threat_actor, 'uses', malware)
relationship2 = stix2.Relationship(threat_actor, 'uses', attack_pattern)
relationship3 = stix2.Relationship(threat_actor, 'attributed-to', identity)
bundle = stix2.Bundle(objects=[
threat_actor, malware, attack_pattern, identity, relationship1,
relationship2, relationship3
])
def generate_report():
istihbarat_no = 0
cyber_threads_infos = []
attack_patterns = []
sti_list = []
records = get_all_records(settings.traffic_table_name,
settings.prediction_column_name)
unique_records = unique_lists_from_multidimensional_array(records)
identity = stiv.Identity(
name=
"Veri Madenciligi Temelli Siber Tehdit Istihbarati Tez Calismasi Onerilen Sistemin Uygulamasi - Suleyman Muhammed ARIKAN",
identity_class="individual")
sti_list.append(identity)
predictions = [record[1] for record in unique_records]
unique_predictions = set(predictions)
for attack in unique_predictions:
attact_pattern = stiv.AttackPattern(name=attack,
created_by_ref=identity.id)
attack_patterns.append(attact_pattern)
sti_list.append(attact_pattern)
cyber_threads_infos.append(
"intelligence_id-prediction-source_host-source_port-destination_port-protocol"
+ "\n")
for record in records:
if str(record[1]) != settings.unknown_class_value:
cyber_thread_info = str(record[1]) + "-" + str(
record[5]) + "-" + str(int(float(record[3]))) + "-" + str(
int(float(record[4]))) + "-" + settings.protocols_list[
int(record[8]) - 1] + "\n"
cyber_threads_infos.append(cyber_thread_info)
istihbarat_no = istihbarat_no + 1
indicator_name = str(
istihbarat_no) + " numaralı istihbarat - " + str(record[5])
indicator_label = ["malicious-activity"]
indicator_pattern = "[network-traffic:src_ref.type = 'ipv4-addr' AND "
indicator_pattern = indicator_pattern + "network-traffic:src_ref.value = '" + str(
record[5]) + "' AND "
indicator_pattern = indicator_pattern + "network-traffic:src_port = " + str(
int(float(record[3]))) + " AND "
indicator_pattern = indicator_pattern + "network-traffic:dst_port = " + str(
int(float(record[4]))) + " AND "
indicator_pattern = indicator_pattern + "network-traffic:protocols[*] = '" + settings.protocols_list[
int(record[8]) - 1] + "']"
indicator = stiv.Indicator(name=indicator_name,
labels=indicator_label,
pattern=indicator_pattern,
created_by_ref=identity.id)
sti_list.append(indicator)
attack_pattern = get_attack_pattern(attack_patterns,
str(record[1]))
relationship = stiv.Relationship(relationship_type='indicates',
source_ref=indicator.id,
target_ref=attack_pattern.id)
sti_list.append(relationship)
stiv_bundle = stiv.Bundle(sti_list)
file_name = datetime.datetime.now().strftime("%Y-%m-%d-%H-%M-%S-%f")
fo = open("raporlar/" + file_name + ".txt", "x")
istihbarat_no = 0
for cti in cyber_threads_infos:
if (istihbarat_no != 0):
cti = str(istihbarat_no) + "-" + cti
fo.write(cti)
istihbarat_no = istihbarat_no + 1
fo.close()
fo_stiv = open("raporlar/" + file_name + ".json", "x")
fo_stiv.write(stiv_bundle.serialize())
fo_stiv.close()
return file_name
def attack_pattern_maker(**kwargs):
attack_pattern = stix2.AttackPattern(**kwargs)
flag = itemtofile(attack_pattern)
return flag, attack_pattern
def stix_bundle(objs, rel=True, sight=True):
objects = ()
ids = []
for o in objs:
if not o.object_id.id in ids:
ids.append(o.object_id.id)
if o.object_type.name == "report":
r = Report.objects.get(id=o.id)
for i in r.object_refs.all().values_list("id", flat=True):
if i in ids:
ids.append(i)
if rel:
rels = Relationship.objects.filter(
Q(source_ref=o.object_id)\
|Q(target_ref=o.object_id)\
)
lists = list(rels.values_list("object_id", flat=True)) + \
list(rels.values_list("source_ref", flat=True)) + \
list(rels.values_list("target_ref", flat=True))
for i in lists:
if not i in ids:
ids.append(i)
if sight:
sights = Sighting.objects.filter(
Q(where_sighted_refs=o.object_id)\
|Q(sighting_of_ref=o.object_id)\
)
lists = list(sights.values_list("object_id", flat=True)) + \
list(sights.values_list("sighting_of_ref", flat=True))
for i in lists:
if not i in ids:
ids += i
oids = STIXObjectID.objects.filter(id__in=ids)
for oid in oids:
obj = myforms.get_obj_from_id(oid)
if obj.object_type.name == 'identity':
i = stix2.Identity(
id=obj.object_id.object_id,
name=obj.name,
identity_class=obj.identity_class,
description=obj.description,
#sectors=[str(s.value) for s in obj.sectors.all()],
sectors=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'attack-pattern':
a = stix2.AttackPattern(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
created=obj.created,
modified=obj.modified,
)
objects += (a, )
elif obj.object_type.name == 'malware':
m = stix2.Malware(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (m, )
elif obj.object_type.name == 'indicator':
i = stix2.Indicator(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
pattern=[str(p.value) for p in obj.pattern.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'threat-actor':
t = stix2.ThreatActor(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
)
objects += (t, )
elif obj.object_type.name == 'relationship':
r = stix2.Relationship(
id=obj.object_id.object_id,
relationship_type=obj.relationship_type.name,
description=obj.description,
source_ref=obj.source_ref.object_id,
target_ref=obj.target_ref.object_id,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'sighting':
s = stix2.Sighting(
id=obj.object_id.object_id,
sighting_of_ref=obj.sighting_of_ref.object_id,
where_sighted_refs=[
str(w.object_id) for w in obj.where_sighted_refs.all()
],
first_seen=obj.first_seen,
last_seen=obj.last_seen,
created=obj.created,
modified=obj.modified,
)
objects += (s, )
elif obj.object_type.name == 'report':
r = stix2.Report(
id=obj.object_id.object_id,
labels=[str(l.value) for l in obj.labels.all()],
name=obj.name,
description=obj.description,
published=obj.published,
object_refs=[str(r.object_id) for r in obj.object_refs.all()],
created=obj.created,
modified=obj.modified,
)
objects += (r, )
bundle = stix2.Bundle(*objects)
return bundle
def addAttackPattern():
attackPattern2 = stix2.AttackPattern(created = str(datetime.now()),modified = str(datetime.now()),name = "Compromised Account")
return attackPattern2
created_by_ref=IDENTITY_ID)
TOOL_KWARGS = dict(type='tool',
id=TOOL_ID,
labels=["remote-access"],
name="VNC",
created_by_ref=IDENTITY_ID,
interoperability=True)
VULNERABILITY_KWARGS = dict(type='vulnerability',
id=VULNERABILITY_ID,
name="Heartbleed",
created_by_ref=IDENTITY_ID)
if __name__ == '__main__':
attack_pattern = stix2.AttackPattern(**ATTACK_PATTERN_KWARGS,
interoperability=True)
campaign = stix2.Campaign(**CAMPAIGN_KWARGS, interoperability=True)
course_of_action = stix2.CourseOfAction(**COURSE_OF_ACTION_KWARGS,
interoperability=True)
identity = stix2.Identity(**IDENTITY_KWARGS, interoperability=True)
indicator = stix2.Indicator(**INDICATOR_KWARGS, interoperability=True)
intrusion_set = stix2.IntrusionSet(**INTRUSION_SET_KWARGS,
interoperability=True)
malware = stix2.Malware(**MALWARE_KWARGS, interoperability=True)
marking_definition = stix2.MarkingDefinition(**MARKING_DEFINITION_KWARGS,
interoperability=True)
observed_data = stix2.ObservedData(**OBSERVED_DATA_KWARGS,
interoperability=True)
relationship = stix2.Relationship(**RELATIONSHIP_KWARGS,
interoperability=True)
sighting = stix2.Sighting(**SIGHTING_KWARGS, interoperability=True)
ref_capec1 = stix2.ExternalReference(
source_name="capec",
url="https://capec.mitre.org/data/definitions/148.html",
external_id="CAPEC-148"
)
ref_capec2 = stix2.ExternalReference(
source_name="capec",
url="https://capec.mitre.org/data/definitions/488.html",
external_id="CAPEC-488"
)
attack_pattern1 = stix2.AttackPattern(
id="attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a",
created="2016-08-08T15:50:10.983Z",
modified="2017-01-30T21:15:04.127Z",
name="Content Spoofing",
external_references=[ref_capec1]
)
attack_pattern2 = stix2.AttackPattern(
id="attack-pattern--f6050ea6-a9a3-4524-93ed-c27858d6cb3c",
created="2016-08-08T15:50:10.983Z",
modified="2017-01-30T21:15:04.127Z",
name="HTTP Flood",
external_references=[ref_capec2]
)
campaign1 = stix2.Campaign(
id="campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
created="2016-08-08T15:50:10.983Z",
def stix_bundle(rep):
objects = ()
for ref in rep.object_refs.all():
obj = myforms.get_obj_from_id(ref)
if obj.object_type.name == 'identity':
i = stix2.Identity(
id=obj.object_id.object_id,
name=obj.name,
identity_class=obj.identity_class,
description=obj.description,
#sectors=[str(s.value) for s in obj.sectors.all()],
sectors=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'attack-pattern':
a = stix2.AttackPattern(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
created=obj.created,
modified=obj.modified,
)
objects += (a, )
elif obj.object_type.name == 'malware':
m = stix2.Malware(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (m, )
elif obj.object_type.name == 'threat-actor':
t = stix2.ThreatActor(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
)
objects += (t, )
elif obj.object_type.name == 'relationship':
r = stix2.Relationship(
id=obj.object_id.object_id,
relationship_type=obj.relationship_type.name,
description=obj.description,
source_ref=obj.source_ref.object_id,
target_ref=obj.target_ref.object_id,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'sighting':
s = stix2.Sighting(
id=obj.object_id.object_id,
sighting_of_ref=obj.sighting_of_ref.object_id,
where_sighted_refs=[
str(w.object_id) for w in obj.where_sighted_refs.all()
],
first_seen=obj.first_seen,
last_seen=obj.last_seen,
created=obj.created,
modified=obj.modified,
)
objects += (s, )
report = stix2.Report(
id=rep.object_id.object_id,
labels=[str(l.value) for l in rep.labels.all()],
name=rep.name,
description=rep.description,
published=rep.published,
object_refs=[str(r.object_id) for r in rep.object_refs.all()],
created=obj.created,
modified=obj.modified,
)
objects += (report, )
bundle = stix2.Bundle(*objects)
return bundle
def stix_bundle(objs, mask=True):
objects = ()
for obj in objs:
oid = obj.object_id.object_id
dscr = ""
if not mask and hasattr(obj, "description"):
dscr = obj.description
if obj.object_type.name == 'attack-pattern':
a = stix2.AttackPattern(
id=oid,
name=obj.name,
description=dscr,
created=obj.created,
modified=obj.modified,
kill_chain_phases=stix2killchain(obj),
)
objects += (a, )
elif obj.object_type.name == 'campaign':
c = stix2.Campaign(
id=oid,
name=obj.name,
description=dscr,
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
first_seen=obj.first_seen,
last_seen=obj.last_seen,
)
objects += (c, )
elif obj.object_type.name == 'course-of-action':
c = stix2.CourseOfAction(
id=oid,
name=obj.name,
description=dscr,
created=obj.created,
modified=obj.modified,
)
objects += (c, )
elif obj.object_type.name == 'identity':
name = obj.name
if mask:
name = oid
label = obj.labels.all()
if label.count() >= 1:
name = str(obj.id)
if label[0].alias:
name += '-' + label[0].alias
else:
name += '-' + label[0].value
i = stix2.Identity(
id=oid,
name=name,
identity_class=obj.identity_class,
description=dscr,
sectors=[str(s.value) for s in obj.sectors.all()],
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'indicator':
pattern = "[]"
if not mask and obj.pattern:
pattern = obj.pattern.pattern
i = stix2.Indicator(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
pattern=pattern,
created=obj.created,
modified=obj.modified,
valid_from=obj.valid_from,
valid_until=obj.valid_until,
)
objects += (i, )
elif obj.object_type.name == 'intrusion-set':
i = stix2.IntrusionSet(
id=oid,
name=obj.name,
description=dscr,
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
first_seen=obj.first_seen,
#last_seen=obj.last_seen,
)
objects += (i, )
elif obj.object_type.name == 'malware':
m = stix2.Malware(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
kill_chain_phases=stix2killchain(obj),
)
objects += (m, )
elif obj.object_type.name == 'observed-data':
obs = {}
for o in obj.observable_objects.all():
ob = None
if o.type.name == "file":
f = FileObject.objects.get(id=o.id)
ob = stix2.File(name=f.name)
elif o.type.name == "ipv4-addr":
i = IPv4AddressObject.objects.get(id=o.id)
ob = stix2.IPv4Address(value=i.value)
elif o.type.name == "url":
u = URLObject.objects.get(id=o.id)
ob = stix2.URL(value=u.value)
elif o.type.name == "domain-name":
dn = DomainNameObject.objects.get(id=o.id)
ob = stix2.DomainName(value=dn.value)
if ob and not mask:
obs[str(o.id)] = json.loads(str(ob))
od = stix2.ObservedData(
id=oid,
created=obj.created,
modified=obj.modified,
first_observed=obj.first_observed,
last_observed=obj.last_observed,
number_observed=obj.number_observed,
objects=obs,
)
objects += (od, )
elif obj.object_type.name == 'report':
created_by = None
if obj.created_by_ref:
created_by = obj.created_by_ref.object_id
r = stix2.Report(
id=oid,
labels=[str(l.value) for l in obj.labels.all()],
name=obj.name,
description=dscr,
published=obj.published,
object_refs=[str(r.object_id) for r in obj.object_refs.all()],
created_by_ref=created_by,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'threat-actor':
t = stix2.ThreatActor(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
)
objects += (t, )
elif obj.object_type.name == 'tool':
t = stix2.Tool(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
kill_chain_phases=stix2killchain(obj),
)
objects += (t, )
elif obj.object_type.name == 'vulnerability':
v = stix2.Vulnerability(
id=oid,
name=obj.name,
description=dscr,
created=obj.created,
modified=obj.modified,
)
objects += (v, )
elif obj.object_type.name == 'relationship':
r = stix2.Relationship(
id=oid,
relationship_type=obj.relationship_type.name,
description=dscr,
source_ref=obj.source_ref.object_id,
target_ref=obj.target_ref.object_id,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'sighting':
s = stix2.Sighting(
id=oid,
sighting_of_ref=obj.sighting_of_ref.object_id,
where_sighted_refs=[
str(w.object_id.object_id)
for w in obj.where_sighted_refs.all()
],
observed_data_refs=[
str(od.object_id.object_id)
for od in obj.observed_data_refs.all()
],
first_seen=obj.first_seen,
last_seen=obj.last_seen,
created=obj.created,
modified=obj.modified,
)
objects += (s, )
bundle = stix2.Bundle(*objects)
return bundle
