def convert(filename, output='output.json'):
count = 0
with open(filename) as json_file:
vList = []
data = json.load(json_file)
print("Loaded the file")
for cves in data['CVE_Items']:
count += 1
# Getting the different fields
name = cves['cve']['CVE_data_meta']['ID']
description = cves['cve']['description']['description_data'][0]["value"]
cdate = cves['publishedDate']
mdate = cves['lastModifiedDate']
creator = cves['cve']['CVE_data_meta']['ASSIGNER']
# Creating the vulnerability with the extracted fields
vuln = Vulnerability(name=name, created=cdate, modified=mdate, description=description)
# Adding the vulnerability to the list of vulnerabilities
vList.append(vuln)
# Creating the bundle from the list of vulnerabilities
bundle = Bundle(vList)
# Creating a MemoryStore object from the bundle
memorystore = MemoryStore(bundle)
# Dumping this object to a file
memorystore.save_to_file(output)
print("Successfully converted " + str(count) + " vulnerabilities")
def create_vulnerability(
name: str,
author: Identity,
external_references: List[ExternalReference],
object_marking_refs: List[MarkingDefinition],
) -> Vulnerability:
"""Create a vulnerability."""
return Vulnerability(
created_by_ref=author,
name=name,
labels=["vulnerability"],
external_references=external_references,
object_marking_refs=object_marking_refs,
)
def convert(filename, output='output.json'):
# Create the default author
author = Identity(name='The MITRE Corporation',
identity_class='organization')
count = 0
with open(filename) as json_file:
vulnerabilities_bundle = [author]
data = json.load(json_file)
print("Loaded the file")
for cves in data['CVE_Items']:
count += 1
# Get the name
name = cves['cve']['CVE_data_meta']['ID']
# Create external references
external_reference = ExternalReference(
source_name='NIST NVD',
url='https://nvd.nist.gov/vuln/detail/' + name)
external_references = [external_reference]
for reference in cves['cve']['references']['reference_data']:
external_reference = ExternalReference(
source_name=reference['refsource'], url=reference['url'])
external_references.append(external_reference)
# Getting the different fields
description = cves['cve']['description']['description_data'][0][
"value"]
cdate = cves['publishedDate']
mdate = cves['lastModifiedDate']
# Creating the vulnerability with the extracted fields
vuln = Vulnerability(name=name,
created=cdate,
modified=mdate,
description=description,
created_by_ref=author,
external_references=external_references)
# Adding the vulnerability to the list of vulnerabilities
vulnerabilities_bundle.append(vuln)
# Creating the bundle from the list of vulnerabilities
bundle = Bundle(vulnerabilities_bundle)
# Creating a MemoryStore object from the bundle
memorystore = MemoryStore(bundle)
# Dumping this object to a file
memorystore.save_to_file(output)
print("Successfully converted " + str(count) + " vulnerabilities")
def create_vulnerability(
name: str,
created_by: Identity,
confidence: int,
external_references: List[ExternalReference],
object_markings: List[MarkingDefinition],
) -> Vulnerability:
"""Create a vulnerability."""
return Vulnerability(
id=_create_random_identifier("vulnerability"),
created_by_ref=created_by,
name=name,
confidence=confidence,
external_references=external_references,
object_marking_refs=object_markings,
)
def convert(parse_data, output='output.json'):
# Create the default author
author = Identity(name='The MS Bulletin Corporation', identity_class='organization')
print(author)
count = 0
vulnerabilities_bundle = [author]
# Getting modified date
mdate = parse_data["rss"]["channel"]["lastBuildDate"]
for msb in parse_data["rss"]["channel"]["item"]:
count += 1
# Get the name
name = msb["title"]
# Getting the create date
cdate = msb["pubDate"]
# Getting description
description = msb["description"]
# Create external references
external_references = ExternalReference(
source_name="Microsoft Security Bulletin",
url=msb["link"]
)
# Creating the vulnerability with the extracted fields
vuln = Vulnerability(
name=name,
created=cdate,
modified=mdate,
description=description,
created_by_ref=author,
external_references=external_references
)
# Adding the vulnerability to the list of vulnerabilities
vulnerabilities_bundle.append(vuln)
# Creating the bundle from the list of vulnerabilities
bundle = Bundle(vulnerabilities_bundle)
# Creating a MemoryStore object from the bundle
memorystore = MemoryStore(bundle)
# Dumping this object to a file
memorystore.save_to_file(output)
print("Successfully converted " + str(count) + " vulnerabilities")
def stixer(vulns, path):
for vuln in vulns:
timestamp = datetime.now()
vuln_name = vuln['name']
vuln_description = vuln['description']
if args.mitigations:
mitigation_description = get_mitigation(vuln['name'])
else:
mitigation_description = ""
snippet_android = vuln['code']
coa_name = vuln_name + "_coa"
file_path = PurePath(vuln['file'])
target = f"{str(file_path)}:{vuln['line']}"
coa = CourseOfAction(type="course-of-action",
name=coa_name,
description=mitigation_description,
x_actions=[{
"mitigation_android":
"No snippet avaliable"
}],
allow_custom=True)
vuln = Vulnerability(type="vulnerability",
name=vuln_name,
description=vuln_description,
vulnerable_snippet=snippet_android,
allow_custom=True)
mitigates = Relationship(coa, 'mitigates', vuln)
observed_object = File(name=target)
observed_data = ObservedData(first_observed=timestamp,
last_observed=timestamp,
number_observed=1,
objects={0: observed_object})
sight = Sighting(vuln, observed_data_refs=[observed_data])
bundle = Bundle(coa, mitigates, vuln, sight, observed_data,
observed_object)
with open(f"{path}/{vuln_name}.json", "w") as f:
f.write(str(bundle) + "\n")
def convert(filename, output="output.json"):
# Create the default author
author = Identity(name="The MITRE Corporation",
identity_class="organization")
count = 0
with open(filename) as json_file:
vulnerabilities_bundle = [author]
data = json.load(json_file)
for cves in data["CVE_Items"]:
count += 1
# Get the name
name = cves["cve"]["CVE_data_meta"]["ID"]
# Create external references
external_reference = ExternalReference(
source_name="NIST NVD",
url="https://nvd.nist.gov/vuln/detail/" + name)
external_references = [external_reference]
for reference in cves["cve"]["references"]["reference_data"]:
external_reference = ExternalReference(
source_name=reference["refsource"], url=reference["url"])
external_references.append(external_reference)
# Getting the different fields
description = cves["cve"]["description"]["description_data"][0][
"value"]
base_score = (cves["impact"]["baseMetricV3"]["cvssV3"]["baseScore"]
if "baseMetricV3" in cves["impact"] else None)
base_severity = (
cves["impact"]["baseMetricV3"]["cvssV3"]["baseSeverity"]
if "baseMetricV3" in cves["impact"] else None)
attack_vector = (
cves["impact"]["baseMetricV3"]["cvssV3"]["attackVector"]
if "baseMetricV3" in cves["impact"] else None)
integrity_impact = (
cves["impact"]["baseMetricV3"]["cvssV3"]["integrityImpact"]
if "baseMetricV3" in cves["impact"] else None)
availability_impact = (
cves["impact"]["baseMetricV3"]["cvssV3"]["availabilityImpact"]
if "baseMetricV3" in cves["impact"] else None)
cdate = datetime.datetime.strptime(cves["publishedDate"],
"%Y-%m-%dT%H:%MZ")
mdate = datetime.datetime.strptime(cves["lastModifiedDate"],
"%Y-%m-%dT%H:%MZ")
# Creating the vulnerability with the extracted fields
vuln = Vulnerability(
id=OpenCTIStix2Utils.generate_random_stix_id("vulnerability"),
name=name,
created=cdate,
modified=mdate,
description=description,
created_by_ref=author,
external_references=external_references,
custom_properties={
"x_opencti_base_score": base_score,
"x_opencti_base_severity": base_severity,
"x_opencti_attack_vector": attack_vector,
"x_opencti_integrity_impact": integrity_impact,
"x_opencti_availability_impact": availability_impact,
},
)
# Adding the vulnerability to the list of vulnerabilities
vulnerabilities_bundle.append(vuln)
# Creating the bundle from the list of vulnerabilities
bundle = Bundle(vulnerabilities_bundle)
bundle_json = bundle.serialize()
# Write to file
with open(output, "w") as f:
f.write(bundle_json)
filename = sys.argv[1]
count = 0
with open(filename) as json_file:
vList = []
data = json.load(json_file)
print("Loaded the file")
for cves in data['CVE_Items']:
count += 1
# Getting the different fields
name = cves['cve']['CVE_data_meta']['ID']
description = cves['cve']['description']['description_data'][0]["value"]
cdate = cves['publishedDate']
mdate = cves['lastModifiedDate']
creator = cves['cve']['CVE_data_meta']['ASSIGNER']
# Creating the vulnerability with the extracted fields
vuln = Vulnerability(name=name, created=cdate, modified=mdate, description=description)
# Adding the vulnerability to the list of vulnerabilities
vList.append(vuln)
# Creating the bundle from the list of vulnerabilities
bundle = Bundle(vList)
# Creating a MemoryStore object from the bundle
memorystore = MemoryStore(bundle)
# Dumping this object to a file
memorystore.save_to_file('output.json')
print("Successfully converted " + str(count) + " vulnerabilities")
score=demisto_score,
allow_custom=True,
pattern_type='stix')
except Exception as ex:
demisto.info(
"Indicator type: {}, with the value: {} is not STIX compatible"
.format(demisto_indicator_type, value))
demisto.info("Export failure excpetion: {}".format(ex))
continue
indicators.append(indicator)
else:
try:
vulnerability = Vulnerability(
name=stix_type_and_value,
description=label_as_type,
labels=[label_as_type],
external_references=[
ExternalReference(source_name="cve",
external_id=stix_type_and_value)
])
except Exception as ex:
demisto.info(
"Indicator type: {}, with the value: {} is not STIX compatible"
.format(demisto_indicator_type, value))
demisto.info("Export failure excpetion: {}".format(ex))
continue
indicators.append(vulnerability)
counter += 1
if counter > 1:
bundle = Bundle(indicators)
context = {
'StixExportedIndicators(val.pattern && val.pattern == obj.pattern)':
def _process_message(self, data):
file_fetch = data["file_fetch"]
file_uri = self.helper.opencti_url + file_fetch
file_name = os.path.basename(file_fetch)
entity_id = data.get("entity_id", None)
self.helper.log_info(entity_id)
# Get context
is_context = entity_id is not None and len(entity_id) > 0
self.helper.log_info("Context: {}".format(is_context))
self.helper.log_info(
"get_only_contextual: {}".format(self.helper.get_only_contextual())
)
if self.helper.get_only_contextual() and not is_context:
raise ValueError(
"No context defined, connector is get_only_contextual true"
)
self.helper.log_info("Importing the file " + file_uri)
# Get the file
file_content = self.helper.api.fetch_opencti_file(file_uri, True)
# Write the file
f = open(file_name, "wb")
f.write(file_content)
f.close()
# Parse
bundle_objects = []
stix_objects = set()
i = 0
custom_indicators = self._get_entities()
mime_type = self._get_mime_type(file_name)
print(mime_type)
if mime_type is None:
raise ValueError("Invalid file format of {}".format(file_name))
parser = iocp.IOC_Parser(
None,
mime_type,
True,
"pdfminer",
"json",
custom_indicators=custom_indicators,
)
parsed = parser.parse(file_name)
os.remove(file_name)
if parsed != []:
for file in parsed:
if file != None:
for page in file:
if page != []:
for match in page:
resolved_match = self._resolve_match(match)
if resolved_match:
# For the creation of relationships
if resolved_match[
"type"
] not in self.types.values() and self._is_uuid(
resolved_match["value"]
):
stix_objects.add(resolved_match["value"])
# For CVEs since SimpleObservable doesn't support Vulnerabilities yet
elif resolved_match["type"] == "Vulnerability.name":
vulnerability = Vulnerability(
name=resolved_match["value"]
)
bundle_objects.append(vulnerability)
# Other observables
elif resolved_match["type"] in self.types.values():
observable = SimpleObservable(
id=OpenCTIStix2Utils.generate_random_stix_id(
"x-opencti-simple-observable"
),
key=resolved_match["type"],
value=resolved_match["value"],
x_opencti_create_indicator=self.create_indicator,
)
bundle_objects.append(observable)
else:
self.helper.log_info(
"Odd data received: {}".format(
resolved_match
)
)
i += 1
else:
self.helper.log_error("Could not parse the report!")
if is_context:
entity = self.helper.api.stix_domain_object.read(id=entity_id)
if entity is not None:
if entity["entity_type"] == "Report" and len(bundle_objects) > 0:
report = Report(
id=entity["standard_id"],
name=entity["name"],
description=entity["description"],
published=self.helper.api.stix2.format_date(entity["created"]),
report_types=entity["report_types"],
object_refs=bundle_objects,
)
bundle_objects.append(report)
bundles_sent = []
if len(bundle_objects) > 0:
bundle = Bundle(objects=bundle_objects).serialize()
bundles_sent = self.helper.send_stix2_bundle(bundle)
if len(stix_objects) > 0 and entity_id is not None:
report = self.helper.api.report.read(id=entity_id)
if report:
for stix_object in stix_objects:
self.helper.log_info(stix_object)
self.helper.api.report.add_stix_object_or_stix_relationship(
id=report["id"], stixObjectOrStixRelationshipId=stix_object
)
return "Sent " + str(len(bundles_sent)) + " stix bundle(s) for worker import"