def getSTIXObject():
# setup stix document
stix_package = STIXPackage()
# add incident and confidence
breach = Incident()
breach.description = "Parity Wallet Hacked"
breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "https://paritytech.io/blog/security-alert.html"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "parity technologies ltd"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "The Multi-sig Hack"
breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d")
#breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Estimated Loss of $280m in Ether")
breach.impact_assessment = impact
# add the victim
victim = Identity()
victim.name = "Cappasity"
breach.add_victim(victim)
victim2 = Identity()
victim2.name = "Who else ?"
breach.add_victim(victim2)
# add Information Sources
infoSource = InformationSource();
infoSource.add_description("https://news.ycombinator.com/item?id=15642856")
infoSource.add_description("https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/")
breach.Information_Source = infoSource;
stix_package.add_incident(breach)
return stix_package
def stix_xml(bldata):
# Create the STIX Package and Header objects
stix_package = STIXPackage()
stix_header = STIXHeader()
# Set the description
stix_header.description = "RiskIQ Blacklist Data - STIX Format"
# Set the namespace
NAMESPACE = {"http://www.riskiq.com": "RiskIQ"}
set_id_namespace(NAMESPACE)
# Set the produced time to now
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
# Create the STIX Package
stix_package = STIXPackage()
# Build document
stix_package.stix_header = stix_header
# Build the Package Intent
stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)
# Build the indicator
indicator = Indicator()
indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam"
indicator.add_indicator_type("URL Watchlist")
for datum in bldata:
url = URI()
url.value = ""
url.value = datum['url']
url.type_ = URI.TYPE_URL
url.condition = "Equals"
indicator.add_observable(url)
stix_package.add_indicator(indicator)
return stix_package.to_xml()
def main():
rule = """
rule silent_banker : banker
{
meta:
description = "This is just an example"
thread_level = 3
in_the_wild = true
strings:
$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}
"""
stix_package = STIXPackage()
indicator = Indicator(title="silent_banker",
description="This is just an example")
tm = YaraTestMechanism()
tm.rule = rule
tm.producer = InformationSource(identity=Identity(name="Yara"))
tm.producer.references = ["http://plusvic.github.io/yara/"]
indicator.test_mechanisms = TestMechanisms([tm])
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def main():
campaign = Campaign(title="Campaign against ICS")
ttp = TTP(title="DrownedRat")
alpha_report = Report()
alpha_report.header = Header()
alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
alpha_report.header.intents = "Campaign Characterization"
alpha_report.add_campaign(Campaign(idref=campaign.id_))
rat_report = Report()
rat_report.header = Header()
rat_report.header.title = "Indicators for Malware DrownedRat"
rat_report.header.intents = "Indicators - Malware Artifacts"
rat_report.add_ttp(TTP(idref=ttp.id_))
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name="Government Sharing Program - GSP")
wrapper.stix_header = STIXHeader(information_source=info_src)
wrapper.add_report(alpha_report)
wrapper.add_report(rat_report)
wrapper.add_campaign(campaign)
wrapper.add_ttp(ttp)
print(wrapper.to_xml())
def create_indicator(self, ce1sus_indicator, event_permissions, user):
indicator = Indicator()
indicator.id_ = 'ce1sus:Indicator-{0}'.format(ce1sus_indicator.uuid)
indicator.title = ce1sus_indicator.title
indicator.description = ce1sus_indicator.description
indicator.short_description = ce1sus_indicator.short_description
if ce1sus_indicator.confidence:
indicator.confidence = ce1sus_indicator.confidence.title()
else:
indicator.confidence = 'Low'
# TODO: handling
# TODO: markings
for type_ in ce1sus_indicator.types:
indicator.add_indicator_type(type_.name)
if ce1sus_indicator.operator:
indicator.observable_composition_operator = ce1sus_indicator.operator
# Todo Add confidence
# indicator_attachment.confidence = "Low"
creator = self.create_stix_identity(ce1sus_indicator)
time = self.cybox_mapper.get_time(
produced_time=ce1sus_indicator.created_at)
info_source = InformationSource(identity=creator, time=time)
indicator.producer = info_source
observables = ce1sus_indicator.get_observables_for_permissions(
event_permissions, user)
for obs in observables:
cybox_obs = self.create_observable(obs, event_permissions, user)
indicator.add_observable(cybox_obs)
valid_time = ValidTime(start_time=ce1sus_indicator.created_at,
end_time=ce1sus_indicator.created_at)
indicator.add_valid_time_position(valid_time)
return indicator
def main():
# Create a new STIXPackage
stix_package = STIXPackage()
# Create a new STIXHeader
stix_header = STIXHeader()
# Add Information Source. This is where we will add the tool information.
stix_header.information_source = InformationSource()
# Create a ToolInformation object. Use the initialization parameters
# to set the tool and vendor names.
#
# Note: This is an instance of cybox.common.ToolInformation and NOT
# stix.common.ToolInformation.
tool = ToolInformation(tool_name="python-stix",
tool_vendor="The MITRE Corporation")
# Set the Information Source "tools" section to a
# cybox.common.ToolInformationList which contains our tool that we
# created above.
stix_header.information_source.tools = ToolInformationList(tool)
# Set the header description
stix_header.description = "Example"
# Set the STIXPackage header
stix_package.stix_header = stix_header
# Print the XML!
print(stix_package.to_xml())
# Print the dictionary!
pprint(stix_package.to_dict())
def to_stix_information_source(obj):
from stix.common import InformationSource, Identity
mySource = InformationSource()
for item in obj.source:
for each in item.instances:
itemSource = InformationSource()
itemSource.time = Time(each.date)
itemSource.identity = Identity(name=item.name)
itemSource.add_description(each.reference)
itemSource.add_description(each.method)
mySource.add_contributing_source(itemSource)
return mySource
def set_received_time(self, received_time):
"""Sets the received time for this :class:`Indicator`.
This is the same as calling
``indicator.producer.time.produced_time = produced_time``.
The `received_time` parameter must be an instance of ``str``,
``datetime.datetime``, or ``cybox.common.DateTimeWithPrecision``.
Args:
received_time: An instance of ``str``,
``datetime.datetime``, or ``cybox.common.DateTimeWithPrecision``.
Note:
If `received_time` is a ``str`` or ``datetime.datetime`` instance
an attempt will be made to convert it into an instance of
``cybox.common.DateTimeWithPrecision``.
"""
if not self.producer:
self.producer = InformationSource()
if not self.producer.time:
self.producer.time = Time()
self.producer.time.received_time = received_time
def main():
ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc')
stix_package = STIXPackage()
ttp = TTP()
malware_instance = MalwareInstance()
malware_instance.names = ['Zeus', 'twexts', 'sdra64', 'ntos']
ttp = TTP(title="Zeus")
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware_instance)
indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos")
tm = OpenIOCTestMechanism()
tm.ioc = ioc
tm.producer = InformationSource(identity=Identity(name="Yara"))
time = Time()
time.produced_time = "0001-01-01T00:00:00"
tm.producer.time = time
tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"]
indicator.test_mechanisms = [tm]
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
stix_package.add_ttp(ttp)
print stix_package.to_xml()
def to_source(obj):
from stix.common import InformationSource, Identity
mySource = InformationSource()
mySource.time = Time(obj.request.date)
mySource.description = obj.request.rfi
mySource.identity = Identity(name=obj.request.source)
for item in obj.response:
itemSource = InformationSource()
itemSource.time = Time(item.date)
itemSource.identity = Identity(name=item.source)
itemSource.description = item.rfi
mySource.add_contributing_source(itemSource)
return mySource
def _add_header(self, stix_package, title, desc):
stix_header = STIXHeader()
stix_header.title = title
stix_header.description = desc
stix_header.information_source = InformationSource()
stix_header.information_source.time = CyboxTime()
stix_header.information_source.time.produced_time = datetime.now().isoformat()
stix_package.stix_header = stix_header
def main():
mydata = loaddata()
'''
Your Namespace
'''
# NAMESPACE = {sanitizer(mydata["NSXURL"]) : (mydata["NS"])}
# set_id_namespace(NAMESPACE)
NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS"
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name=sanitizer(mydata["Identity"]))
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = sanitizer(mydata["TLP_COLOR"])
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
MyTITLE = sanitizer(mydata["Title"])
SHORT = timestamp
DESCRIPTION = sanitizer(mydata["Description"])
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
indiDom = Indicator()
indiDom.title = MyTITLE
indiDom.add_indicator_type("IP Watchlist")
for key in mydata["IOC"].keys():
myip = Address(address_value=sanitizer(key), category=Address.CAT_IPV4)
myip.condition = "Equals"
obsu = Observable(myip)
#if mydata[key].size:
for idx, mydata["IOC"][key] in enumerate(mydata["IOC"][key]):
ioc = File()
ioc.add_hash(sanitizer(mydata["IOC"][key]))
myip.add_related(ioc, "Downloaded")
indiDom.add_observable(obsu)
wrapper.add_indicator(indiDom)
print(wrapper.to_xml())
def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from mixbox.idgen import set_id_namespace
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = _marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
expt.information_source = InformationSource(identity=Identity(
name="National Vulnerability Database"))
# Add the vulnerability object to the package object
expt.add_vulnerability(_vulnbuild(data))
# Add the COA object to the ET object
for coa in COAS:
expt.potential_coas.append(
CourseOfAction(idref=coa['id'], timestamp=expt.timestamp))
# Do some TTP stuff with CAPEC objects
if TTPON is True:
try:
for i in data['capec']:
pkg.add_ttp(_buildttp(i, expt))
except KeyError:
pass
expt.add_weakness(_weakbuild(data))
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
title = pkg.id_.split(':', 1)[-1]
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
_postconstruct(xml, title)
return xml
else:
sys.exit("[-] Error retrieving details for " + var)
def to_stix_sightings(obj):
from stix.indicator.sightings import Sighting
from stix.common import InformationSource, Identity
mySighting = Sighting()
mySighting.source = InformationSource()
if obj.sightings.sighting:
itemSighting = InformationSource()
itemSighting.time = Time(obj.sightings.date)
itemSighting.identity = Identity(name=settings.COMPANY_NAME)
mySighting.source.add_contributing_source(itemSighting)
for each in obj.sightings.instances:
itemSighting = InformationSource()
itemSighting.time = Time(each.date)
itemSighting.identity = Identity(name=each.name)
mySighting.source.add_contributing_source(itemSighting)
return mySighting
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
# IMPLEMENTATION WORKAROUND -
# restConfid --> header.description
# resteffect --> breach.description
# resttype --> reporter.description
# restasset --> reporter.identity.name
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = restconfid # "Example description"
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident(id_=ident)
breach.description = resteffect # "Intrusion into enterprise network"
breach.confidence = Confidence()
breach.confidence.value=confid
print("confidence set to %s"%(str(breach.confidence.value)))
breach._binding_class.xml_type = typeIncident
print("incident set to %s"%(str(breach._binding_class.xml_type)))
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = resttype #"The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = restasset
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of Company Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
affected_asset = AffectedAsset()
affected_asset.description = "Database server at hr-data1.example.com"
affected_asset.type_ = asset
breach.affected_assets = affected_asset
# add the victim
breach.add_victim (hashPkg)
# add the impact
impact = ImpactAssessment()
impact.add_effect(effect)
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def build_stix():
# setup stix document
stix_package = STIXPackage()
# add incident and confidence
breach = Incident()
breach.description = "Intrusion into enterprise network"
breach.confidence = "High"
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime(
"2014-03-11", "%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "Sample Investigations, LLC"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of CyberTech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30",
"%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10",
"%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime(
"2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Unintended Access")
breach.impact_assessment = impact
# add the victim
victim = Identity()
victim.name = "CyberTech Dynamics"
breach.add_victim(victim)
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Financial Loss")
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def main():
stix_package = STIXPackage()
stix_header = STIXHeader()
# Add tool information
stix_header.information_source = InformationSource()
stix_header.information_source.tools = ToolInformationList()
stix_header.information_source.tools.append(
ToolInformation("python-stix ex_04.py", "The MITRE Corporation"))
stix_header.description = "Example 04"
stix_package.stix_header = stix_header
print(stix_package.to_xml())
print(stix_package.to_dict())
def _buildttp(data):
ttp = TTP()
ttp.title = data['name']
ttp.description = data['description']
attack_pattern = AttackPattern()
attack_pattern.capec_id = "CAPEC-" + str(data['id'])
attack_pattern.title = data['name']
attack_pattern.description = data['description']
ttp.behavior = Behavior()
ttp.behavior.add_attack_pattern(attack_pattern)
ttp.information_source = InformationSource()
ttp.information_source.identity = Identity()
ttp.information_source.identity.name = "The MITRE Corporation"
ttp.information_source.references = data['references']
return ttp
def set_producer_identity(self, identity):
'''
Sets the name of the producer of this indicator.
The identity param can be a string (name) or an Identity
instance.
'''
if not self.producer:
self.producer = InformationSource()
if isinstance(identity, Identity):
self.producer.identity = identity
else:
if not self.producer.identity:
self.producer.identity = Identity()
self.producer.identity.name = identity # assume it's a string
def set_producer_identity(self, identity):
"""Sets the name of the producer of this indicator.
This is the same as calling
``indicator.producer.identity.name = identity``.
If the ``producer`` property is ``None``, it will be initialized to
an instance of
:class:`stix.common.information_source.InformationSource`.
If the ``identity`` property of the ``producer`` instance is ``None``,
it will be initialized to an instance of
:class:`stix.common.identity.Identity`.
Note:
if the `identity` parameter is not an instance
:class:`stix.common.identity.Identity` an attempt will be made
to convert it to one.
Args:
identity: An instance of ``str`` or
``stix.common.identity.Identity``.
"""
def unset_producer_identity():
try:
self.producer.identity.name = None
except AttributeError:
pass
if not identity:
unset_producer_identity()
return
if not self.producer:
self.producer = InformationSource()
if isinstance(identity, Identity):
self.producer.identity = identity
return
if not self.producer.identity:
self.producer.identity = Identity()
self.producer.identity.name = str(identity)
def convert(self, stix_id_prefix='', published_only=True, **kw_arg):
self.parse(**kw_arg)
stix_packages = []
for event in self.events:
if published_only:
if not event.published:
continue
# id generator
package_id = self.get_misp_pacakge_id(stix_id_prefix, event)
stix_package = STIXPackage(timestamp=event.dt, id_=package_id)
stix_header = STIXHeader()
# set identity information
identity = Identity(name=self.identity_name)
information_source = InformationSource(identity=identity)
stix_header.information_source = information_source
tlp = None
for tag in event.tags:
if tag.tlp is not None:
tlp = tag.tlp
break
if tlp is not None:
# TLP for Generic format
tlp_marking_structure = TLPMarkingStructure()
tlp_marking_structure.color = tlp
marking_specification = MarkingSpecification()
marking_specification.marking_structures = tlp_marking_structure
marking_specification.controlled_structure = '../../../../descendant-or-self::node() | ../../../../descendant-or-self::node()/@*'
marking = Marking()
marking.add_marking(marking_specification)
stix_header.handling = marking
stix_header.title = event.info
stix_header.description = event.info
stix_header.short_description = event.info
for attribute in event.attributes:
stix_package.add_indicator(attribute.convert())
stix_package.stix_header = stix_header
stix_packages.append(stix_package)
return stix_packages
def set_stix_header(self, threat_name, threat_descr, threat_source=None, reference=None):
# Create a STIX Package
hdr = STIXHeader()
hdr.title = threat_name
hdr.add_description(threat_descr)
hdr.information_source = InformationSource()
if threat_source is not None:
hdr.information_source.description = threat_source
if reference is not None:
hdr.information_source.references = fields.TypedField(reference, References)
# Set the produced time to now
hdr.information_source.time = Time()
hdr.information_source.time.produced_time = datetime.utcnow()
self._pkg.stix_header = hdr
def wrap_maec(maec_package, file_name=None):
"""Wrap a MAEC Package in a STIX TTP/Package. Return the newly created STIX Package.
Args:
maec_package: the ``maec.package.package.Package`` instance to wrap in STIX.
file_name: the name of the input file from which the MAEC Package originated,
to be used in the Title of the STIX TTP that wraps the MAEC Package. Optional.
Returns:
A ``stix.STIXPackage`` instance with a single TTP that wraps the input MAEC Package.
"""
# Set the namespace to be used in the STIX Package
stix.utils.set_id_namespace(
{"https://github.com/MAECProject/maec-to-stix": "MAECtoSTIX"})
# Create the STIX MAEC Instance
maec_malware_instance = MAECInstance()
maec_malware_instance.maec = maec_package
# Create the STIX TTP that includes the MAEC Instance
ttp = TTP()
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(maec_malware_instance)
# Create the STIX Package and add the TTP to it
stix_package = STIXPackage()
stix_package.add_ttp(ttp)
# Create the STIX Header and add it to the Package
stix_header = STIXHeader()
if file_name:
stix_header.title = "STIX TTP wrapper around MAEC file: " + str(
file_name)
stix_header.add_package_intent("Malware Characterization")
# Add the Information Source to the STIX Header
tool_info = ToolInformation()
stix_header.information_source = InformationSource()
tool_info.name = "MAEC to STIX"
tool_info.version = str(maec_to_stix.__version__)
stix_header.information_source.tools = ToolInformationList(tool_info)
stix_package.stix_header = stix_header
return stix_package
def _create_stix_package(self):
"""Create and return a STIX Package with the basic information populated.
Returns:
A ``stix.STIXPackage`` object with a STIX Header that describes the intent of
the package in terms of capturing malware artifacts, along with some associated
metadata.
"""
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.add_package_intent("Indicators - Malware Artifacts")
if self.file_name:
stix_header.title = "STIX Indicators extracted from MAEC file: " + str(
self.file_name)
# Add the Information Source to the STIX Header
tool_info = ToolInformation()
stix_header.information_source = InformationSource()
tool_info.name = "MAEC to STIX"
tool_info.version = str(__version__)
stix_header.information_source.tools = ToolInformationList(tool_info)
stix_package.stix_header = stix_header
return stix_package
def main():
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "CVE-2014-0160"
vuln.add_reference("http://heartbleed.com/")
et = ExploitTarget(title="Heartbleed")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="Generic Heartbleed Exploits")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title="Snort Signature for Heartbleed")
indicator.confidence = Confidence("High")
tm = SnortTestMechanism()
tm.rules = [
"""alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)""",
"""alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)"""
]
tm.efficacy = "Low"
tm.producer = InformationSource(identity=Identity(name="FOX IT"))
tm.producer.references = [
"http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/"
]
indicator.test_mechanisms = TestMechanisms([tm])
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def _observable_to_indicator_stix(observable):
"""Translate a CybOX Observable into a STIX Indicator.
Args:
observable: Observable object that will be translated
Returns:
Indicator object with STIX utility and CybOX tags
"""
# Build STIX tool content
tool = ToolInformation(tool_name='OpenIOC to STIX Utility')
tool.version = version.__version__
# Build Indicator.producer contents
producer = InformationSource()
producer.tools = ToolInformationList(tool)
# Build Indicator
indicator = Indicator(title="CybOX-represented Indicator Created from OpenIOC File")
indicator.producer = producer
indicator.add_observable(observable)
return indicator
def __map_stix_header(self, event):
self.init()
stix_header = STIXHeader(title=event.title)
stix_header.description = event.description
stix_header.short_description = event.title
identifiy = self.create_stix_identity(event)
time = self.cybox_mapper.get_time(produced_time=event.created_at,
received_time=event.modified_on)
info_source = InformationSource(identity=identifiy, time=time)
stix_header.information_source = info_source
# Add TLP
marking = Marking()
marking_spec = MarkingSpecification()
marking.add_marking(marking_spec)
tlp_marking_struct = TLPMarkingStructure()
tlp_marking_struct.color = event.tlp.upper()
tlp_marking_struct.marking_model_ref = 'http://govcert.lu/en/docs/POL_202_V2.2_rfc2350.pdf'
marking_spec.marking_structures = list()
marking_spec.marking_structures.append(tlp_marking_struct)
stix_header.handling = marking
return stix_header
def setProd(target, org):
ident = Identity(name=org)
information_source = InformationSource(identity = ident)
target.producer = information_source
def setRep(target, org):
ident = Identity(name=org)
information_source = InformationSource(identity = ident)
target.reporter = information_source
def setSrc(target, org):
ident = Identity(name=org)
information_source = InformationSource(identity = ident)
target.information_source = information_source
