def from_dict(header_dict): header = EmailHeader() header.to = EmailRecipients.from_dict(header_dict.get('to')) header.cc = EmailRecipients.from_dict(header_dict.get('cc')) header.bcc = EmailRecipients.from_dict(header_dict.get('bcc')) header.from_ = Address.from_dict(header_dict.get('from'), Address.CAT_EMAIL) header.subject = String.from_dict(header_dict.get('subject')) header.in_reply_to = String.from_dict(header_dict.get('in_reply_to')) header.date = DateTime.from_dict(header_dict.get('date')) header.message_id = String.from_dict(header_dict.get('message_id')) header.sender = Address.from_dict(header_dict.get('sender'), Address.CAT_EMAIL) header.reply_to = Address.from_dict(header_dict.get('reply_to'), Address.CAT_EMAIL) header.errors_to = String.from_dict(header_dict.get('errors_to')) return header
def create_ipv4_observable(ipv4_address): '''Create a CybOX Observable representing an IPv4 address''' ipv4_object = Address.from_dict({ 'address_value': ipv4_address, 'category': Address.CAT_IPV4 }) return Observable(ipv4_object)
def create_ipv4_observable(ipv4_address): ipv4_object = Address.from_dict({"address_value": ipv4_address, "category": Address.CAT_IPV4}) ipv4_observable = Observable(ipv4_object) ipv4_observable.title = "Malware Artifact - IP" ipv4_observable.description = "IP derived from sandboxed malware sample." ipv4_observable.short_description = "IP from malware." return ipv4_observable
def create_email_address_observable(email_address): '''Create a CybOX Observable representing an IPv4 address''' email_address_object = Address.from_dict({ 'address_value': email_address, 'category': Address.CAT_EMAIL }) return Observable(email_address_object)
def from_dict(socket_address_dict): if not socket_address_dict: return None socket_address_ = SocketAddress() socket_address_.ip_address = Address.from_dict(socket_address_dict.get('ip_address')) socket_address_.port = Port.from_dict(socket_address_dict.get('port')) return socket_address_
def add_ipv4_observable(self, ipv4_address): if ipv4_address in self.__ipv4: return self.__ipv4.add(ipv4_address) ipv4_object = Address.from_dict({'address_value': ipv4_address, 'category': Address.CAT_IPV4}) ipv4_observable = Observable(ipv4_object) ipv4_observable.title = "Malware Artifact - IP" ipv4_observable.description = "IP derived from sandboxed malware sample." ipv4_observable.short_description = "IP from malware." self.ip_indicator.add_observable(ipv4_observable)
def create_ipv4_observable(ipv4_address): ipv4_object = Address.from_dict({ 'address_value': ipv4_address, 'category': Address.CAT_IPV4 }) ipv4_observable = Observable(ipv4_object) ipv4_observable.title = "Malware Artifact - IP" ipv4_observable.description = "IP derived from sandboxed malware sample." ipv4_observable.short_description = "IP from malware." return ipv4_observable
def from_dict(recipients_dict): if not recipients_dict: return None # recipients_dict should really be a list, not a dict r = EmailRecipients() if recipients_dict is not None: r.recipients = [Address.from_dict(a, Address.CAT_EMAIL) for a in recipients_dict] return r
def from_dict(contact_dict, contact=None): if not contact_dict: return None if contact is None: contact = WhoisContact() contact.contact_type = contact_dict.get('contact_type') contact.contact_id = String.from_dict(contact_dict.get('contact_id')) contact.name = String.from_dict(contact_dict.get('name')) contact.email_address = Address.from_dict(contact_dict.get('email_address'), Address.CAT_EMAIL) contact.phone_number = String.from_dict(contact_dict.get('phone_number')) contact.address = String.from_dict(contact_dict.get('address')) return contact
def from_dict(opt_header_dict): if not opt_header_dict: return None opt_header = OptionalHeader() opt_header.boundary = String.from_dict(opt_header_dict.get('boundary')) opt_header.content_type = String.from_dict(opt_header_dict.get('content_type')) opt_header.mime_version = String.from_dict(opt_header_dict.get('mime_version')) opt_header.precedence = String.from_dict(opt_header_dict.get('precedence')) opt_header.x_mailer = String.from_dict(opt_header_dict.get('x_mailer')) opt_header.x_originating_ip = Address.from_dict(opt_header_dict.get('x_originating_ip'), Address.CAT_IPV4) opt_header.x_priority = PositiveInteger.from_dict(opt_header_dict.get('x_priority')) return opt_header
def from_dict(registrar_dict): if not registrar_dict: return None registrar = WhoisRegistrar() registrar.registrar_id = String.from_dict(registrar_dict.get('registrar_id')) registrar.registrar_guid = String.from_dict(registrar_dict.get('registrar_guid')) registrar.name = String.from_dict(registrar_dict.get('name')) registrar.address = String.from_dict(registrar_dict.get('address')) registrar.email_address = Address.from_dict(registrar_dict.get('email_address'), Address.CAT_EMAIL) registrar.phone_number = String.from_dict(registrar_dict.get('phone_number')) registrar.whois_server = URI.from_dict(registrar_dict.get('whois_server')) registrar.referral_url = URI.from_dict(registrar_dict.get('referral_url')) registrar.contacts = WhoisContacts.from_list(registrar_dict.get('contacts')) return registrar
def from_dict(dns_record_dict): if not dns_record_dict: return None dns_record_ = DNSRecord() dns_record_.description = StructuredText.from_dict(dns_record_dict.get('description')) dns_record_.domain_name = URI.from_dict(dns_record_dict.get('domain_name')) dns_record_.ip_address = Address.from_dict(dns_record_dict.get('ip_address')) dns_record_.address_class = String.from_dict(dns_record_dict.get('address_class')) dns_record_.entry_type = String.from_dict(dns_record_dict.get('entry_type')) dns_record_.record_name = String.from_dict(dns_record_dict.get('record_name')) dns_record_.record_type = String.from_dict(dns_record_dict.get('record_type')) dns_record_.ttl = Integer.from_dict(dns_record_dict.get('record_type')) dns_record_.flags = HexBinary.from_dict(dns_record_dict.get('flags')) dns_record_.data_length = Integer.from_dict(dns_record_dict.get('data_length')) dns_record_.record_data = dns_record_dict.get('record_data') return dns_record_
def from_dict(whois_dict): if not whois_dict: return None whois = WhoisEntry() ObjectProperties.from_dict(whois_dict, whois) whois.domain_name = URI.from_dict(whois_dict.get('domain_name')) whois.domain_id = String.from_dict(whois_dict.get('domain_id')) whois.server_name = URI.from_dict(whois_dict.get('server_name')) whois.ip_address = Address.from_dict(whois_dict.get('ip_address'), Address.CAT_IPV4) whois.dnssec = whois_dict.get('dnssec') whois.nameservers = WhoisNameservers.from_list(whois_dict.get('nameservers')) whois.status = WhoisStatuses.from_list(whois_dict.get('status')) whois.updated_date = DateTime.from_dict(whois_dict.get('updated_date')) whois.creation_date = DateTime.from_dict(whois_dict.get('creation_date')) whois.expiration_date = DateTime.from_dict(whois_dict.get('expiration_date')) whois.regional_internet_registry = String.from_dict(whois_dict.get('regional_internet_registry')) whois.sponsoring_registrar = String.from_dict(whois_dict.get('sponsoring_registrar')) whois.registrar_info = WhoisRegistrar.from_dict(whois_dict.get('registrar_info')) whois.registrants = WhoisRegistrants.from_list(whois_dict.get('registrants')) whois.contact_info = WhoisContact.from_dict(whois_dict.get('contact_info')) return whois
def create_ipv4_observable(ipv4_address): '''Create a CybOX Observable representing an IPv4 address''' ipv4_object = Address.from_dict({'address_value': ipv4_address, 'category': Address.CAT_IPV4}) return Observable(ipv4_object)
def create_ipv4_observable(ipv4_address): """Create a CybOX Observable representing an IPv4 address""" ipv4_object = Address.from_dict({"address_value": ipv4_address, "category": Address.CAT_IPV4}) return Observable(ipv4_object)
def create_email_address_observable(email_address): """Create a CybOX Observable representing an IPv4 address""" email_address_object = Address.from_dict({"address_value": email_address, "category": Address.CAT_EMAIL}) return Observable(email_address_object)
def build(self): self.stix_header.title = self.pulse["name"] self.stix_header.description = self.pulse["description"] self.stix_header.short_description = "%spulse/%s" % (PULSE_SERVER_BASE, str(self.pulse["id"])) self.stix_header.package_intents.append(PackageIntent.TERM_INDICATORS) self.stix_header.information_source = InformationSource() self.stix_header.information_source.time = Time() self.stix_header.information_source.description = "Alienvault OTX - https://otx.alienvault.com/" self.stix_header.information_source.time.produced_time = self.pulse["modified"] self.stix_header.information_source.identity = Identity() self.stix_header.information_source.identity.name = "Alienvault OTX" self.stix_package.stix_header = self.stix_header hashes = [] addresses = [] domains = [] urls = [] mails = [] for p_indicator in self.pulse["indicators"]: if p_indicator["type"] in self.hash_translation: new_ind = Indicator() new_ind.description = p_indicator["description"] new_ind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"])) file_ = File() hash_ = Hash(p_indicator["indicator"], self.hash_translation[p_indicator["type"]]) file_.add_hash(hash_) observable_ = Observable(file_) elif p_indicator["type"] in self.address_translation: new_ind = Indicator() new_ind.description = p_indicator["description"] new_ind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"])) ipv4_ = Address.from_dict({'address_value': p_indicator["indicator"], 'category': self.address_translation[p_indicator["type"]]}) observable_ = Observable(ipv4_) elif p_indicator["type"] in self.name_translation: new_ind = Indicator() new_ind.description = p_indicator["description"] new_ind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"])) domain_ = DomainName.from_dict({'value': p_indicator["indicator"], 'type':'FQDN'}) observable_ = Observable(domain_) elif p_indicator["type"] == "URL": new_ind = Indicator() new_ind.description = p_indicator["description"] new_ind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"])) url_ = URI.from_dict({'value': p_indicator["indicator"], 'type': URI.TYPE_URL}) observable_ = Observable(url_) elif p_indicator["type"] == "email": email_ = Address.from_dict({'address_value': p_indicator["indicator"], 'category': Address.CAT_EMAIL}) observable_ = Observable(email_) #elif p_indicator["type"] == "CVE": # vuln_ = Vulnerability() # vuln_.cveid = p_indicator["indicator"].upper() # observable_ = Observable(vuln_) elif p_indicator["type"] == "Mutex": mutex_ = Mutex.from_dict({'named': True, 'name': p_indicator["indicator"]}) observable_ = Observable(mutex_) elif p_indicator["type"] == "CIDR": nrange = IP(p_indicator["indicator"]) nrange_values = nrange.strNormal(3).replace("-", ",") ipv4_ = Address.from_dict({'address_value': nrange_values, 'category': Address.CAT_IPV4}) ipv4_.address_value.condition = "InclusiveBetween" observable_ = Observable(ipv4_) else: continue mind = Indicator() mind.description = p_indicator["description"] mind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"])) observable_.title = "%s - %s" % (p_indicator["type"], p_indicator["indicator"]) mind.add_observable(observable_) self.stix_package.add_indicator(mind)
def create_email_address_observable(email_address): '''Create a CybOX Observable representing an IPv4 address''' email_address_object = Address.from_dict({'address_value': email_address, 'category': Address.CAT_EMAIL}) return Observable(email_address_object)
def build(self): self.stix_header.title = self.pulse["name"] self.stix_header.description = self.pulse["description"] self.stix_header.short_description = "%spulse/%s" % ( PULSE_SERVER_BASE, str(self.pulse["id"])) self.stix_header.package_intents.append(PackageIntent.TERM_INDICATORS) self.stix_header.information_source = InformationSource() self.stix_header.information_source.time = Time() self.stix_header.information_source.description = "Alienvault OTX - https://otx.alienvault.com/" self.stix_header.information_source.time.produced_time = self.pulse[ "modified"] self.stix_header.information_source.identity = Identity() self.stix_header.information_source.identity.name = "Alienvault OTX" self.stix_package.stix_header = self.stix_header hashes = [] addresses = [] domains = [] urls = [] mails = [] for p_indicator in self.pulse["indicators"]: if p_indicator["type"] in self.hash_translation: new_ind = Indicator() new_ind.description = p_indicator["description"] new_ind.title = "%s from %spulse/%s" % ( p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"])) file_ = File() hash_ = Hash(p_indicator["indicator"], self.hash_translation[p_indicator["type"]]) file_.add_hash(hash_) observable_ = Observable(file_) elif p_indicator["type"] in self.address_translation: new_ind = Indicator() new_ind.description = p_indicator["description"] new_ind.title = "%s from %spulse/%s" % ( p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"])) ipv4_ = Address.from_dict({ 'address_value': p_indicator["indicator"], 'category': self.address_translation[p_indicator["type"]] }) observable_ = Observable(ipv4_) elif p_indicator["type"] in self.name_translation: new_ind = Indicator() new_ind.description = p_indicator["description"] new_ind.title = "%s from %spulse/%s" % ( p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"])) domain_ = DomainName.from_dict({ 'value': p_indicator["indicator"], 'type': 'FQDN' }) observable_ = Observable(domain_) elif p_indicator["type"] == "URL": new_ind = Indicator() new_ind.description = p_indicator["description"] new_ind.title = "%s from %spulse/%s" % ( p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"])) url_ = URI.from_dict({ 'value': p_indicator["indicator"], 'type': URI.TYPE_URL }) observable_ = Observable(url_) elif p_indicator["type"] == "email": email_ = Address.from_dict({ 'address_value': p_indicator["indicator"], 'category': Address.CAT_EMAIL }) observable_ = Observable(email_) #elif p_indicator["type"] == "CVE": # vuln_ = Vulnerability() # vuln_.cveid = p_indicator["indicator"].upper() # observable_ = Observable(vuln_) elif p_indicator["type"] == "Mutex": mutex_ = Mutex.from_dict({ 'named': True, 'name': p_indicator["indicator"] }) observable_ = Observable(mutex_) elif p_indicator["type"] == "CIDR": nrange = IP(p_indicator["indicator"]) nrange_values = nrange.strNormal(3).replace("-", ",") ipv4_ = Address.from_dict({ 'address_value': nrange_values, 'category': Address.CAT_IPV4 }) ipv4_.address_value.condition = "InclusiveBetween" observable_ = Observable(ipv4_) else: continue mind = Indicator() mind.description = p_indicator["description"] mind.title = "%s from %spulse/%s" % (p_indicator["indicator"], PULSE_SERVER_BASE, str(self.pulse["id"])) observable_.title = "%s - %s" % (p_indicator["type"], p_indicator["indicator"]) mind.add_observable(observable_) self.stix_package.add_indicator(mind)
def transform(self, event): stix_package = STIXPackage() self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents") incident = Incident( id_="%s:%s-%s" % (CONPOT_NAMESPACE, 'incident', event['session_id'])) initial_time = StixTime() initial_time.initial_compromise = event['timestamp'].isoformat() incident.time = initial_time incident.title = "Conpot Event" incident.short_description = "Traffic to Conpot ICS honeypot" incident.add_category( VocabString(value='Scans/Probes/Attempted Access')) tool_list = ToolInformationList() tool_list.append( ToolInformation.from_dict({ 'name': "Conpot", 'vendor': "Conpot Team", 'version': conpot.__version__, 'description': textwrap.dedent( 'Conpot is a low interactive server side Industrial Control Systems ' 'honeypot designed to be easy to deploy, modify and extend.' ) })) incident.reporter = InformationSource(tools=tool_list) incident.add_discovery_method("Monitoring Service") incident.confidence = "High" # Victim Targeting by Sector ciq_identity = CIQIdentity3_0Instance() #identity_spec = STIXCIQIdentity3_0() #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") #ciq_identity.specification = identity_spec ttp = TTP( title= "Victim Targeting: Electricity Sector and Industrial Control System Sector" ) ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity incident.leveraged_ttps.append(ttp) indicator = Indicator(title="Conpot Event") indicator.description = "Conpot network event" indicator.confidence = "High" source_port = Port.from_dict({ 'port_value': event['remote'][1], 'layer4_protocol': 'tcp' }) dest_port = Port.from_dict({ 'port_value': self.protocol_to_port_mapping[event['data_type']], 'layer4_protocol': 'tcp' }) source_ip = Address.from_dict({ 'address_value': event['remote'][0], 'category': Address.CAT_IPV4 }) dest_ip = Address.from_dict({ 'address_value': event['public_ip'], 'category': Address.CAT_IPV4 }) source_address = SocketAddress.from_dict({ 'ip_address': source_ip.to_dict(), 'port': source_port.to_dict() }) dest_address = SocketAddress.from_dict({ 'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict() }) network_connection = NetworkConnection.from_dict({ 'source_socket_address': source_address.to_dict(), 'destination_socket_address': dest_address.to_dict(), 'layer3_protocol': "IPv4", 'layer4_protocol': "TCP", 'layer7_protocol': event['data_type'], 'source_tcp_state': "ESTABLISHED", 'destination_tcp_state': "ESTABLISHED", }) indicator.add_observable(Observable(network_connection)) artifact = Artifact() artifact.data = json.dumps(event['data']) artifact.packaging.append(ZlibCompression()) artifact.packaging.append(Base64Encoding()) indicator.add_observable(Observable(artifact)) incident.related_indicators.append(indicator) stix_package.add_incident(incident) stix_package_xml = stix_package.to_xml() return stix_package_xml
def transform(self, event): self._set_namespace(self.config['contact_domain'], self.config['contact_name']) stix_package = STIXPackage() self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents") incident = Incident(id_="%s:%s-%s" % (self.config['contact_name'], 'incident', event['session_id'])) initial_time = StixTime() initial_time.initial_compromise = event['timestamp'].isoformat() incident.time = initial_time incident.title = "Conpot Event" incident.short_description = "Traffic to Conpot ICS honeypot" incident.add_category(VocabString(value='Scans/Probes/Attempted Access')) tool_list = ToolInformationList() tool_list.append(ToolInformation.from_dict({ 'name': "Conpot", 'vendor': "Conpot Team", 'version': conpot.__version__, 'description': textwrap.dedent('Conpot is a low interactive server side Industrial Control Systems ' 'honeypot designed to be easy to deploy, modify and extend.') })) incident.reporter = InformationSource(tools=tool_list) incident.add_discovery_method("Monitoring Service") incident.confidence = "High" # Victim Targeting by Sector ciq_identity = CIQIdentity3_0Instance() #identity_spec = STIXCIQIdentity3_0() #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") #ciq_identity.specification = identity_spec ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector") ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity incident.leveraged_ttps.append(ttp) indicator = Indicator(title="Conpot Event") indicator.description = "Conpot network event" indicator.confidence = "High" source_port = Port.from_dict({'port_value': event['remote'][1], 'layer4_protocol': 'tcp'}) dest_port = Port.from_dict({'port_value': self.protocol_to_port_mapping[event['data_type']], 'layer4_protocol': 'tcp'}) source_ip = Address.from_dict({'address_value': event['remote'][0], 'category': Address.CAT_IPV4}) dest_ip = Address.from_dict({'address_value': event['public_ip'], 'category': Address.CAT_IPV4}) source_address = SocketAddress.from_dict({'ip_address': source_ip.to_dict(), 'port': source_port.to_dict()}) dest_address = SocketAddress.from_dict({'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict()}) network_connection = NetworkConnection.from_dict( {'source_socket_address': source_address.to_dict(), 'destination_socket_address': dest_address.to_dict(), 'layer3_protocol': u"IPv4", 'layer4_protocol': u"TCP", 'layer7_protocol': event['data_type'], 'source_tcp_state': u"ESTABLISHED", 'destination_tcp_state': u"ESTABLISHED", } ) indicator.add_observable(Observable(network_connection)) artifact = Artifact() artifact.data = json.dumps(event['data']) artifact.packaging.append(ZlibCompression()) artifact.packaging.append(Base64Encoding()) indicator.add_observable(Observable(artifact)) incident.related_indicators.append(indicator) stix_package.add_incident(incident) stix_package_xml = stix_package.to_xml() return stix_package_xml