def to_indicator(r):
""" Fungsi untuk mengubah rdd menjadi objek stix indicator dan dijadikan rdd indicator"""
id = str(uuid.uuid4())
created = datetime.datetime.now()
modified = created
valid_from = created
src_type = r['objects']['0']['type']
dst_type = r['objects']['1']['type']
src_ip = r['objects']['0']['value']
dst_ip = r['objects']['1']['value']
indicator = stix2.Indicator(
id="indicator--" + id,
created=created,
modified=modified,
name="Malicious Network Flow",
description="Malicious IP: " + src_ip + " detected.",
labels=["malicious-activity"],
pattern="[network-traffic:src_ref.type = '" + src_type +
"' AND network-traffic:src_ref.value = '" + src_ip +
"'] AND [network-traffic:dst_ref.type = '" + dst_type +
"' AND network-traffic:dst_ref.value = '" + dst_ip + "'] REPEATS " +
str(r['number_observed']) + " TIMES",
valid_from=valid_from)
# di jadikan json
indicator_serialized = indicator.serialize()
indicator_json = json.loads(indicator_serialized)
# dijadikan ke row rdd
return _rowify(indicator_json, prototypes.indicator_prototype)
def test_indicator_revoked_invalid():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.Indicator(revoked='no', **INDICATOR_KWARGS)
assert excinfo.value.cls == stix2.Indicator
assert excinfo.value.prop_name == "revoked"
assert excinfo.value.reason == "must be a boolean value."
def test_report_example_objects_in_object_refs_with_bad_id():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.Report(
id="report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
created_by_ref="identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="The Black Vine Cyberespionage Group",
description="A simple report with an indicator and campaign",
published="2016-01-20T17:00:00Z",
labels=["campaign"],
object_refs=[
stix2.Indicator(
id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
**INDICATOR_KWARGS),
"campaign-83422c77-904c-4dc1-aff5-5c38f3a2c55c", # the "bad" id, missing a "-"
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
],
)
assert excinfo.value.cls == stix2.Report
assert excinfo.value.prop_name == "object_refs"
assert excinfo.value.reason == "must match <object-type>--<guid>."
assert str(
excinfo.value
) == "Invalid value for Report 'object_refs': must match <object-type>--<guid>."
def test_stix2_indicator():
indicator = stix2.Indicator(
name="File hash for malware variant",
labels=["malicious-activity"],
pattern="[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
)
foo = openc2.v10.Args(indicator=indicator, allow_custom=True)
assert '"name": "File hash for malware variant"' in foo.serialize()
assert '"labels": ["malicious-activity"]' in foo.serialize()
assert (
'"pattern": "[file:hashes.md5 = \'d41d8cd98f00b204e9800998ecf8427e\']"'
in foo.serialize()
)
# an indicator isn't a property so we have to embed it
@openc2.v10.args.CustomArgs(
"x-indicator-args",
[("indicator", openc2.properties.EmbeddedObjectProperty(stix2.Indicator))],
)
class CustomIndicatorArgs(object):
pass
foo = CustomIndicatorArgs(indicator=indicator)
assert '"name": "File hash for malware variant"' in foo.serialize()
assert '"labels": ["malicious-activity"]' in foo.serialize()
assert (
'"pattern": "[file:hashes.md5 = \'d41d8cd98f00b204e9800998ecf8427e\']"'
in foo.serialize()
)
def test_indicator_type_must_be_indicator():
with pytest.raises(ValueError) as excinfo:
indicator = stix2.Indicator(type='xxx', **INDICATOR_KWARGS)
assert str(
excinfo.value
) == "Invalid value for Indicator 'type': must equal 'indicator'."
def test_indicator_created_ref_invalid_format():
with pytest.raises(ValueError) as excinfo:
indicator = stix2.Indicator(created_by_ref='myprefix--12345678',
**INDICATOR_KWARGS)
assert str(
excinfo.value
) == "Indicator created_by_ref values must consist of a valid STIX type name and a valid UUID, separated by '--'."
def test_indicator_id_must_start_with_indicator():
with pytest.raises(ValueError) as excinfo:
indicator = stix2.Indicator(id='my-prefix--', **INDICATOR_KWARGS)
assert str(
excinfo.value
) == "Invalid value for Indicator 'id': must start with 'indicator--'."
def test_environment_no_datastore():
env = stix2.Environment(factory=stix2.ObjectFactory())
with pytest.raises(AttributeError) as excinfo:
env.add(stix2.Indicator(**INDICATOR_KWARGS))
assert 'Environment has no data sink to put objects in' in str(excinfo.value)
with pytest.raises(AttributeError) as excinfo:
env.get(INDICATOR_ID)
assert 'Environment has no data source' in str(excinfo.value)
with pytest.raises(AttributeError) as excinfo:
env.all_versions(INDICATOR_ID)
assert 'Environment has no data source' in str(excinfo.value)
with pytest.raises(AttributeError) as excinfo:
env.query(INDICATOR_ID)
assert 'Environment has no data source' in str(excinfo.value)
with pytest.raises(AttributeError) as excinfo:
env.relationships(INDICATOR_ID)
assert 'Environment has no data source' in str(excinfo.value)
with pytest.raises(AttributeError) as excinfo:
env.related_to(INDICATOR_ID)
assert 'Environment has no data source' in str(excinfo.value)
def to_indicator(r):
""" Fungsi untuk mengubah menjadi objek stix indicator """
uid = str(uuid.uuid4())
created = datetime.now()
modified = created
valid_from = created
src_type = "ipv4-addr"
dst_type = "ipv4-addr"
src_ip = r['src_ip']
dst_ip = r['dest_ip']
if type(r["src_ip"]) == list:
indicator = stix2.Indicator(
id="indicator--" + uid,
created=created,
modified=modified,
name="Malicious Network Flow",
description="Malicious IP: " + " ".join(src_ip) + " detected.",
labels=["malicious-activity"],
pattern="[network-traffic:src_ref.type = '"
+ src_type + "' AND network-traffic:src_ref.value = '"
+ " ".join(src_ip) + "'] AND [network-traffic:dst_ref.type = '"
+ dst_type + "' AND network-traffic:dst_ref.value = '"
+ dst_ip + "'] REPEATS " + str(r['number_observed']) + " TIMES",
valid_from=valid_from
)
return indicator
else:
indicator = stix2.Indicator(
id="indicator--" + uid,
created=created,
modified=modified,
name="Malicious Network Flow",
description="Malicious IP: " + src_ip + " detected.",
labels=["malicious-activity"],
pattern="[network-traffic:src_ref.type = '"
+ src_type + "' AND network-traffic:src_ref.value = '"
+ src_ip + "'] AND [network-traffic:dst_ref.type = '"
+ dst_type + "' AND network-traffic:dst_ref.value = '"
+ dst_ip + "'] REPEATS " + str(r['number_observed']) + " TIMES",
valid_from=valid_from
)
return indicator
def test_invalid_kwarg_to_indicator():
with pytest.raises(stix2.exceptions.ExtraFieldsError) as excinfo:
stix2.Indicator(my_custom_property="foo", **INDICATOR_KWARGS)
assert excinfo.value.cls == stix2.Indicator
assert excinfo.value.fields == ['my_custom_property']
assert str(excinfo.value
) == "Unexpected field(s) for Indicator: (my_custom_property)."
def test_indicator_required_field_pattern():
with pytest.raises(stix2.exceptions.MissingFieldsError) as excinfo:
stix2.Indicator(labels=['malicious-activity'])
assert excinfo.value.cls == stix2.Indicator
assert excinfo.value.fields == ["pattern"]
assert str(
excinfo.value) == "Missing required field(s) for Indicator: (pattern)."
def print_callback(message, context):
logging.debug("Message -> {}".format(message))
if message['message_type'] == "heartbeat":
return
if message['message_type'] == "certificate_update":
all_domains = message['data']['leaf_cert']['all_domains']
if len(all_domains) == 0:
domain = "NULL"
else:
domain = all_domains[0]
if '.org' in domain or '.gouv.fr' in domain:
print(domain)
tmp = (u"[{}] {} (SAN: {})".format(
datetime.datetime.now().strftime('%m/%d/%y %H:%M:%S'), domain,
", ".join(message['data']['leaf_cert']['all_domains'][1:])))
score = lescriptdetest(domain, geoLoc)
ts = time.time()
st = datetime.datetime.fromtimestamp(ts).strftime(
'%Y-%m-%dT%H:%M:%S.%fZ')
print(tmp + " - Score : " + str(score))
if score < 50:
indicator = stix2.Indicator(
labels=["benine site", "score=" + str(score)],
pattern="[url:value = '" + domain + "']")
print(indicator)
elif score < 300:
indicator = stix2.Indicator(
labels=["potential phishing", "score=" + str(score)],
pattern="[url:value = '" + domain + "']")
print(indicator)
elif score < 700:
indicator = stix2.Indicator(
labels=["probable phishing", "score=" + str(score)],
pattern="[url:value = '" + domain + "']")
print(indicator)
else:
indicator = stix2.Indicator(
labels=["highly probable phishing", "score=" + str(score)],
pattern="[url:value = '" + domain + "']")
print(indicator)
def test_invalid_indicator_pattern():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.Indicator(
labels=['malicious-activity'],
pattern="file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e'",
)
assert excinfo.value.cls == stix2.Indicator
assert excinfo.value.prop_name == 'pattern'
assert 'input is missing square brackets' in excinfo.value.reason
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.Indicator(
labels=['malicious-activity'],
pattern='[file:hashes.MD5 = "d41d8cd98f00b204e9800998ecf8427e"]',
)
assert excinfo.value.cls == stix2.Indicator
assert excinfo.value.prop_name == 'pattern'
assert 'mismatched input' in excinfo.value.reason
def test_indicator_required_fields():
with pytest.raises(stix2.exceptions.MissingFieldsError) as excinfo:
stix2.Indicator()
assert excinfo.value.cls == stix2.Indicator
assert excinfo.value.fields == ["labels", "pattern"]
assert str(
excinfo.value
) == "Missing required field(s) for Indicator: (labels, pattern)."
def test_indicator_required_properties():
with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
stix2.Indicator()
assert excinfo.value.cls == stix2.Indicator
assert excinfo.value.properties == ["labels", "pattern"]
assert str(
excinfo.value
) == "No values for required properties for Indicator: (labels, pattern)."
def test_create_non_empty_bundle():
indicator1 = stix2.Indicator(
**{
'labels': ['benign'],
'pattern': '[ ipv4-addr:value = \'198.51.100.1/32\' ]'
})
indicator2 = stix2.Indicator(
**{
'labels': ['benign'],
'pattern': '[ ipv4-addr:value = \'203.0.113.33/32\' ]'
})
bundle = stix2_generator.create_stix2_bundle([indicator1, indicator2])
assert isinstance(bundle, stix2.Bundle)
assert bundle.type == 'bundle'
assert bundle.id.startswith('bundle--')
assert bundle.spec_version == '2.0'
assert all(x in bundle.objects for x in (indicator1, indicator2))
def phishing(domain, score):
indicator = stix2.Indicator(
name="Potential phishing website",
description="This website has got a score of " + str(score) + ".",
labels=["phishing"],
pattern="[url:value = '" + domain + "']",
)
with open(logs + indicator.id + '.log', 'w') as f:
print(indicator, file=f)
def ds():
cam = stix2.Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS)
idy = stix2.Identity(id=IDENTITY_ID, **IDENTITY_KWARGS)
ind = stix2.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
mal = stix2.Malware(id=MALWARE_ID, **MALWARE_KWARGS)
rel1 = stix2.Relationship(ind, 'indicates', mal, id=RELATIONSHIP_IDS[0])
rel2 = stix2.Relationship(mal, 'targets', idy, id=RELATIONSHIP_IDS[1])
rel3 = stix2.Relationship(cam, 'uses', mal, id=RELATIONSHIP_IDS[2])
stix_objs = [cam, idy, ind, mal, rel1, rel2, rel3]
yield stix2.MemoryStore(stix_objs)
def test_indicator_type_must_be_indicator():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.Indicator(type='xxx', **INDICATOR_KWARGS)
assert excinfo.value.cls == stix2.Indicator
assert excinfo.value.prop_name == "type"
assert excinfo.value.reason == "must equal 'indicator'."
assert str(
excinfo.value
) == "Invalid value for Indicator 'type': must equal 'indicator'."
def test_indicator_id_must_start_with_indicator():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.Indicator(id='my-prefix--', **INDICATOR_KWARGS)
assert excinfo.value.cls == stix2.Indicator
assert excinfo.value.prop_name == "id"
assert excinfo.value.reason == "must start with 'indicator--'."
assert str(
excinfo.value
) == "Invalid value for Indicator 'id': must start with 'indicator--'."
def test_indicator_created_ref_invalid_format():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.Indicator(created_by_ref='myprefix--12345678',
**INDICATOR_KWARGS)
assert excinfo.value.cls == stix2.Indicator
assert excinfo.value.prop_name == "created_by_ref"
assert excinfo.value.reason == "must start with 'identity'."
assert str(
excinfo.value
) == "Invalid value for Indicator 'created_by_ref': must start with 'identity'."
def test_indicator_with_all_required_fields():
now = dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
epoch = dt.datetime(1970, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
indicator = stix2.Indicator(
type="indicator",
id=INDICATOR_ID,
labels=['malicious-activity'],
pattern="[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
created=now,
modified=now,
valid_from=epoch,
)
assert str(indicator) == EXPECTED_INDICATOR
assert repr(indicator) == EXPECTED_INDICATOR_REPR
def test_indicator_with_all_required_properties():
now = dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
epoch = dt.datetime(1970, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
ind = stix2.Indicator(
type="indicator",
id=INDICATOR_ID,
created=now,
modified=now,
pattern="[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
valid_from=epoch,
labels=['malicious-activity'],
)
assert str(ind) == EXPECTED_INDICATOR
rep = re.sub(r"(\[|=| )u('|\"|\\\'|\\\")", r"\g<1>\g<2>", repr(ind))
assert rep == EXPECTED_INDICATOR_REPR
def test_EmbeddedObjectProperty():
foo = openc2.properties.EmbeddedObjectProperty(stix2.Indicator)
indicator = stix2.Indicator(
name="File hash for malware variant",
labels=["malicious-activity"],
pattern="[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
)
assert foo.clean(indicator).serialize() == indicator.serialize()
assert (
foo.clean(json.loads(indicator.serialize())).serialize()
== indicator.serialize()
)
with pytest.raises(ValueError):
foo.clean("bad").serialize()
def test_report_example_objects_in_object_refs():
report = stix2.Report(
id="report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
created_by_ref="identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="The Black Vine Cyberespionage Group",
description="A simple report with an indicator and campaign",
published="2016-01-20T17:00:00Z",
labels=["campaign"],
object_refs=[
stix2.Indicator(
id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
**INDICATOR_KWARGS),
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
],
)
assert str(report) == EXPECTED
def fetch_and_send(self):
timestamp = int(time.time())
now = datetime.utcfromtimestamp(timestamp)
friendly_name = "Cyber Threat Coalition run @ " + now.strftime(
"%Y-%m-%d %H:%M:%S"
)
work_id = self.helper.api.work.initiate_work(
self.helper.connect_id, friendly_name
)
bundle_objects = list()
# create an identity for the coalition team
organization = stix2.Identity(
id=OpenCTIStix2Utils.generate_random_stix_id("identity"),
name="Cyber Threat Coalition Team",
identity_class="organization",
description="Team of Experts collecting and sharing pandemic related "
"cyber threat intelligence during the COVID-19 crisis time",
)
# add organization in bundle
bundle_objects.append(organization)
report_object_refs = list()
for collection in ["domain", "ip", "url", "hash"]:
# fetch backlist
url = self.cyber_threat_coalition_base_url + "/" + str(collection) + ".txt"
response = requests.get(url=url)
if response.status_code != 200:
raise Exception(
"Unable to fetch {0} blacklist, server returned status: {1}",
collection,
response.status_code,
)
pattern_type = "stix"
labels = ["COVID-19", "malicious-activity"]
# parse content
for data in response.iter_lines(decode_unicode=True):
observable_type = None
observable_resolver = None
if data and not data.startswith("#"):
if collection == "domain":
observable_resolver = "Domain-Name"
observable_type = "Domain-Name"
elif collection == "ip":
observable_resolver = "IPv4-Addr"
observable_type = "IPv4-Addr"
elif collection == "url":
observable_resolver = "Url"
observable_type = "Url"
data = urllib.parse.quote(data, "/:")
elif collection == "hash":
observable_resolver = self.get_hash_type()
observable_type = "File"
indicator = None
if observable_resolver is None or observable_type is None:
return
if self.cyber_threat_coalition_create_indicators:
indicator = stix2.Indicator(
id=OpenCTIStix2Utils.generate_random_stix_id("indicator"),
name=data,
pattern_type=pattern_type,
pattern=self._INDICATOR_PATTERN[observable_resolver].format(
data
),
labels=labels,
created_by_ref=organization,
object_marking_refs=[stix2.TLP_WHITE],
custom_properties={
"x_opencti_main_observable_type": observable_type,
},
)
bundle_objects.append(indicator)
report_object_refs.append(indicator["id"])
if self.cyber_threat_coalition_create_observables:
observable = SimpleObservable(
id=OpenCTIStix2Utils.generate_random_stix_id(
"x-opencti-simple-observable"
),
key=observable_type
+ "."
+ ".".join(self._OBSERVABLE_PATH[observable_resolver]),
value=data,
labels=labels,
created_by_ref=organization,
object_marking_refs=[stix2.TLP_WHITE],
)
bundle_objects.append(observable)
report_object_refs.append(observable["id"])
if indicator is not None:
relationship = stix2.Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id(
"relationship"
),
relationship_type="based-on",
created_by_ref=organization,
source_ref=indicator.id,
target_ref=observable.id,
)
bundle_objects.append(relationship)
report_object_refs.append(relationship["id"])
# create a global threat report
report_uuid = "report--552b3ae6-8522-409d-8b72-a739bc1926aa"
report_external_reference = stix2.ExternalReference(
source_name="Cyber Threat Coalition",
url="https://www.cyberthreatcoalition.org",
external_id="COVID19-CTC",
)
if report_object_refs:
stix_report = stix2.Report(
id=report_uuid,
name="COVID-19 Cyber Threat Coalition (CTC) BlackList",
type="report",
description="This report represents the whole COVID-19 CTC blacklist.",
published=datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"),
created_by_ref=organization,
object_marking_refs=[stix2.TLP_WHITE],
labels=labels,
external_references=[report_external_reference],
object_refs=report_object_refs,
)
# add report in bundle
bundle_objects.append(stix_report)
# create stix bundle
bundle = stix2.Bundle(objects=bundle_objects)
# send data
self.helper.send_stix2_bundle(
bundle=bundle.serialize(), update=self.update_existing_data, work_id=work_id
)
return work_id
def csvtostix(file_type, file_name):
count = 0
data = {}
labels = ""
maldesc = ''
malname = ''
tot_file_path = ''
url = []
domain = []
filename = []
ip = []
md5 = []
registry = []
email = []
indlist = []
rellist = []
sha1 = []
sha256 = []
m = datetime.datetime.now()
c = m.strftime("%Y-%m-%d %H:%M:%S.{}".format(str(m).split('.')[1][:3]) +
"Z")
m = m.strftime("%Y-%m-%d %H:%M:%S.{}".format(str(m).split('.')[1][:3]) +
"Z")
malware = stix2.Malware(created=c,
modified=m,
name=malname,
labels=labels,
description=maldesc)
try:
each_data = []
if file_type == "-f":
each_data = []
with open(file_name, "r") as f:
csv_reader = csv.reader(f, delimiter=',')
fields = csv_reader.next()
tab = -1
for i in fields:
#print(i)
samp = []
tab += 1
with open(file_name, "r") as f:
csv_reader = csv.reader(f, delimiter=',')
for lines in csv_reader:
if lines[tab].strip():
if lines[tab] not in fields:
samp.append(lines[tab].strip())
data[i] = samp
#print(data)
elif file_type == "-F":
each_data = []
indiv_data = []
if os.path.exists(file_name):
for eachfile in os.walk(file_name):
for each_file in eachfile[2]:
with open(file_name + '/' + each_file, "r") as f:
csv_reader = csv.reader(f, delimiter=',')
fields = csv_reader.next()
tab = -1
for i in fields:
samp1 = []
tab += 1
with open(file_name, "r") as f:
csv_reader = csv.reader(f, delimiter=',')
for lines in csv_reader:
if lines[tab].strip():
if lines[tab] not in fields:
samp1.append(
lines[tab].strip())
data[i].extend(samp1)
else:
print(
"please enter a valid folder containing json files with valid folder path"
)
print(
"Usage : python csvtostix.py <-f>/<-F> file_name/folder_name"
)
print(" Example : python csvtostix.py -f APT34.csv")
print(
" Example : python csvtostix.py -F /home/user/Desktop/IOC_files/"
)
print(
"Submit the folder, which does not contain any subfolders")
sys.exit()
else:
print(
"Please enter the command as -f (for file) or -F (for folder) followed by File name or Folder name with sapce"
)
print(
"Usage : python csvtostix.py <-f>/<-F> file_name/folder_name")
print(" Example : python csvtostix.py -f APT34.csv")
print(
" Example : python csvtostix.py -F /home/user/Desktop/IOC_files/"
)
sys.exit()
#print(data)
if data:
domain = data.get("Domain", "")
filepath1 = data.get("FilePath", "")
sha1 = data.get("SHA1", "")
registry = data.get("RegistryPath", "")
filename = data.get("FileName", "")
url = data.get("URL", "")
ip = data.get("IPAddress", "")
filename1 = data.get("FileName", "")
#filename = filename1 + filepath1
filename = filename1
sha256 = data.get("SHA256", "")
md5 = data.get("MD5", "")
for each_ip in ip:
indicator = stix2.Indicator(created=c,
modified=m,
name='IP',
description=" ",
labels=["malicious-activity"],
pattern="[ipv4-addr:value = '" +
each_ip.strip() + "']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_url in url:
indicator = stix2.Indicator(
created=c,
modified=m,
name='url',
description=" ",
labels=["malicious-activity"],
pattern="[url:value = 'http://" +
each_url.split('//')[-1].split('/')[0].strip("'") + "'" +
"]",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_domain in domain:
indicator = stix2.Indicator(
created=c,
modified=m,
name='domain-name',
description=" ",
labels=["malicious-activity"],
pattern="[domain-name:value = '" +
each_domain.split('//')[-1].split('/')[0].strip("'") +
"']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_filename in filename:
tot_file_path = ''
exact_name = each_filename.split('\\')
split_path_name = each_filename.split('\\')[0:-1]
if split_path_name:
for path in split_path_name:
tot_file_path = tot_file_path + '\\\\' + path
if len(exact_name) > 1:
indicator = stix2.Indicator(
created=c,
modified=m,
name='file',
description=" ",
labels=["malicious-activity"],
#pattern="[file:name = '" + each_filename.split('\\')[-1].strip("'") + "']",
pattern="[file:name = '" +
each_filename.split('\\')[-1].strip("'") +
"' AND file:parent_directory_ref.path = '" +
tot_file_path + "']",
valid_from=c)
else:
indicator = stix2.Indicator(created=c,
modified=m,
name='file',
description=" ",
labels=["malicious-activity"],
pattern="[file:name = '" +
each_filename.strip("'") +
"']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_registry in registry:
each_registry = each_registry.replace("\\", "\\\\")
indicator = stix2.Indicator(
created=c,
modified=m,
name='win-registry-key',
description=" ",
labels=["malicious-activity"],
pattern="[windows-registry-key:key = '" + each_registry +
"']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_md5 in md5:
each_md5 = re.sub(r'[^A-Za-z0-9]+', '', each_md5)
indicator = stix2.Indicator(created=c,
modified=m,
name='MD5',
description=" ",
labels=["malicious-activity"],
pattern="[file:hashes.md5 = '" +
each_md5.strip() + "']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_sha1 in sha1:
each_sha1 = re.sub(r'[^A-Za-z0-9]+', '', each_sha1)
indicator = stix2.Indicator(
created=c,
modified=m,
name='MD5',
description=" ",
labels=["malicious-activity"],
pattern="[file:hashes.'SHA-1' = '" + each_sha1.strip() +
"']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_sha256 in sha256:
each_sha256 = re.sub(r'[^A-Za-z0-9]+', '', each_sha256)
indicator = stix2.Indicator(
created=c,
modified=m,
name='MD5',
description=" ",
labels=["malicious-activity"],
pattern="[file:hashes.'SHA-256' = '" +
each_sha256.strip() + "']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
print(len(indlist))
obj_range = int((len(indlist) / 50)) + 1
ind1 = 0
ind2 = 50
print(obj_range)
for num in range(obj_range):
new_list = []
if (ind2 - ind1) != 50:
new_list = indlist[ind1:]
else:
new_list = indlist[ind1:ind2]
for ind in new_list:
print(ind)
count += 1
val = 'relationship' + str(count)
val = stix2.Relationship(ind, 'indicates', malware)
rellist.append(val)
IOC = stix2.Bundle(objects=[malware] + rellist + new_list)
if IOC:
print(type(num))
print(num)
num = str(num)
if sys.argv[1].split("/")[-1]:
with open(
sys.argv[1].split("/")[-1].split(".")[0] +
'_' + str(int(num) + 1) + '.ioc', 'w') as fp:
fp.write(json.dumps(json.loads(str(IOC)),
indent=2))
fp.close()
elif sys.argv[1].split("/")[-2]:
with open(
sys.argv[1].split("/")[-2].split(".")[0] +
'_' + str(int(num) + 1) + '+.ioc', 'w') as fp:
fp.write(json.dumps(json.loads(str(IOC)),
indent=2))
fp.close()
else:
with open(
sys.argv[1].split("/")[0].split(".")[0] + '_' +
str(int(num) + 1) + '+.ioc', 'w') as fp:
fp.write(json.dumps(json.loads(str(IOC)),
indent=2))
fp.close()
else:
pass
ind1 = ind1 + 50
ind2 = ind2 + 50
rellist = []
else:
print(
"please enter a valid file/folder containing json files containing indicator data"
)
print(
"Usage : python csvtostix.py <-f>/<-F> file_name/folder_name")
print(" Example : python csvtostix.py -f APT34.csv")
print(
" Example : python csvtostix.py -F /home/user/Desktop/IOC_files/"
)
except IOError as err:
print(
"please enter a valid folder containing csv files with valid folder path"
)
print("Usage : python csvtostix.py <-f>/<-F> file_name/folder_name")
print(" Example : python csvtostix.py -f APT34.csv")
print(
" Example : python csvtostix.py -F /home/user/Desktop/IOC_files/")
print("Submit the folder, which does not contain any subfolders")
except Exception as e:
print(traceback.format_exc())
print(e)
return
def test_environment_source_and_sink():
ind = stix2.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
env = stix2.Environment(source=stix2.MemorySource([ind]), sink=stix2.MemorySink([ind]))
assert env.get(INDICATOR_ID).labels[0] == 'malicious-activity'
def generate_report():
istihbarat_no = 0
cyber_threads_infos = []
attack_patterns = []
sti_list = []
records = get_all_records(settings.traffic_table_name,
settings.prediction_column_name)
unique_records = unique_lists_from_multidimensional_array(records)
identity = stiv.Identity(
name=
"Veri Madenciligi Temelli Siber Tehdit Istihbarati Tez Calismasi Onerilen Sistemin Uygulamasi - Suleyman Muhammed ARIKAN",
identity_class="individual")
sti_list.append(identity)
predictions = [record[1] for record in unique_records]
unique_predictions = set(predictions)
for attack in unique_predictions:
attact_pattern = stiv.AttackPattern(name=attack,
created_by_ref=identity.id)
attack_patterns.append(attact_pattern)
sti_list.append(attact_pattern)
cyber_threads_infos.append(
"intelligence_id-prediction-source_host-source_port-destination_port-protocol"
+ "\n")
for record in records:
if str(record[1]) != settings.unknown_class_value:
cyber_thread_info = str(record[1]) + "-" + str(
record[5]) + "-" + str(int(float(record[3]))) + "-" + str(
int(float(record[4]))) + "-" + settings.protocols_list[
int(record[8]) - 1] + "\n"
cyber_threads_infos.append(cyber_thread_info)
istihbarat_no = istihbarat_no + 1
indicator_name = str(
istihbarat_no) + " numaralı istihbarat - " + str(record[5])
indicator_label = ["malicious-activity"]
indicator_pattern = "[network-traffic:src_ref.type = 'ipv4-addr' AND "
indicator_pattern = indicator_pattern + "network-traffic:src_ref.value = '" + str(
record[5]) + "' AND "
indicator_pattern = indicator_pattern + "network-traffic:src_port = " + str(
int(float(record[3]))) + " AND "
indicator_pattern = indicator_pattern + "network-traffic:dst_port = " + str(
int(float(record[4]))) + " AND "
indicator_pattern = indicator_pattern + "network-traffic:protocols[*] = '" + settings.protocols_list[
int(record[8]) - 1] + "']"
indicator = stiv.Indicator(name=indicator_name,
labels=indicator_label,
pattern=indicator_pattern,
created_by_ref=identity.id)
sti_list.append(indicator)
attack_pattern = get_attack_pattern(attack_patterns,
str(record[1]))
relationship = stiv.Relationship(relationship_type='indicates',
source_ref=indicator.id,
target_ref=attack_pattern.id)
sti_list.append(relationship)
stiv_bundle = stiv.Bundle(sti_list)
file_name = datetime.datetime.now().strftime("%Y-%m-%d-%H-%M-%S-%f")
fo = open("raporlar/" + file_name + ".txt", "x")
istihbarat_no = 0
for cti in cyber_threads_infos:
if (istihbarat_no != 0):
cti = str(istihbarat_no) + "-" + cti
fo.write(cti)
istihbarat_no = istihbarat_no + 1
fo.close()
fo_stiv = open("raporlar/" + file_name + ".json", "x")
fo_stiv.write(stiv_bundle.serialize())
fo_stiv.close()
return file_name
import stix2
indicator = stix2.Indicator(
id="indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
created="2014-06-29T13:49:37.079Z",
modified="2014-06-29T13:49:37.079Z",
name="Malicious site hosting downloader",
description=
"This organized threat actor group operates to create profit from all types of crime.",
labels=["malicious-activity"],
pattern="[url:value = 'http://x4z9arb.cn/4712/']",
valid_from="2014-06-29T13:49:37.079000Z")
foothold = stix2.KillChainPhase(
kill_chain_name="mandiant-attack-lifecycle-model",
phase_name="establish-foothold")
malware = stix2.Malware(
id="malware--162d917e-766f-4611-b5d6-652791454fca",
created="2014-06-30T09:15:17.182Z",
modified="2014-06-30T09:15:17.182Z",
name="x4z9arb backdoor",
labels=["backdoor", "remote-access-trojan"],
description=
"This malware attempts to download remote files after establishing a foothold as a backdoor.",
kill_chain_phases=[foothold])
relationship = stix2.Relationship(indicator, 'indicates', malware)
bundle = stix2.Bundle(objects=[indicator, malware, relationship])
