def to_source(obj): from stix.common import InformationSource, Identity mySource = InformationSource() mySource.time = Time(obj.request.date) mySource.description = obj.request.rfi mySource.identity = Identity(name=obj.request.source) for item in obj.response: itemSource = InformationSource() itemSource.time = Time(item.date) itemSource.identity = Identity(name=item.source) itemSource.description = item.rfi mySource.add_contributing_source(itemSource) return mySource
def to_stix_sightings(obj): from stix.indicator.sightings import Sighting from stix.common import InformationSource, Identity mySighting = Sighting() mySighting.source = InformationSource() if obj.sightings.sighting: itemSighting = InformationSource() itemSighting.time = Time(obj.sightings.date) itemSighting.identity = Identity(name=settings.COMPANY_NAME) mySighting.source.add_contributing_source(itemSighting) for each in obj.sightings.instances: itemSighting = InformationSource() itemSighting.time = Time(each.date) itemSighting.identity = Identity(name=each.name) mySighting.source.add_contributing_source(itemSighting) return mySighting
def to_stix_information_source(obj): from stix.common import InformationSource, Identity mySource = InformationSource() for item in obj.source: for each in item.instances: itemSource = InformationSource() itemSource.time = Time(each.date) itemSource.identity = Identity(name=item.name) itemSource.add_description(each.reference) itemSource.add_description(each.method) mySource.add_contributing_source(itemSource) return mySource
def create_cybox_object(self, jdict, whitelist, config): listObservables = [] NS = cybox.utils.Namespace("cert.siemens.com", "siemens_cert") cybox.utils.set_id_namespace(NS) """ store information about malware binary that was analyzed """ if 'target' in jdict and 'category' in jdict['target'] and jdict['target']['category'] == 'file': log.debug("handling File information ...") main_file_object = self.__create_cybox_main_file(jdict['target']['file']) file_md5 = jdict['target']['file']['md5'] elif 'target' in jdict and 'category' in jdict['target'] and jdict['target']['category'] == 'url': log.warning("Not a file analysis report! URL reports not handled") return else: log.error("No target information in report ... skipping") return """ try to find email that dropped this attachment """ if config["attachemail"] or config["referenceemail"]: log.info("handling email attack vector information ...") email_object_properties, email_observables_list, email_stix_path_tuple_list = self.__check_malware_mailing_list(file_md5, log, config) if email_object_properties and len(email_object_properties)>0: for email_object in email_object_properties: main_file_object.add_related(email_object, "Contained_Within", inline=False) else: log.warning("failed linking mail object (no objects to link)") email_stix_path_tuple_list = [] else: email_object = None email_observables = [] email_stix_path_tuple_list = [] """ store extended information about malware file """ if 'static' in jdict: log.debug("handling extended File information ...") win_executable_extension = self.__create_cybox_win_executable(jdict['target']['file'], jdict['static']) if win_executable_extension: main_file_object.add_related(win_executable_extension, "Characterized_By", inline=False) win_executable_extension = [win_executable_extension] else: log.warning("No extended File information found") win_executable_extension = [] """ store domains connected to """ if 'network' in jdict and 'domains' in jdict['network']: log.debug("handling Domain information ...") domains, addresses = self.__create_cybox_domains(jdict['network']['domains'], whitelist) for dom in domains: main_file_object.add_related(dom, 'Connected_To', inline=False) else: domains = [] addresses = [] """ store http session information """ if 'network' in jdict and 'http' in jdict['network']: log.debug("handling HTTP information ...") http_requests = self.__create_cybox_https(jdict['network']['http'], whitelist) for session in http_requests: main_file_object.add_related(session, 'Connected_To', inline=False) else: http_requests = [] """ store dns queries information about the malware """ if 'network' in jdict and 'dns' in jdict['network']: log.debug("handling DNS information ...") queries = self.__create_cybox_dns_queries(jdict['network']['dns'], whitelist) for query in queries: main_file_object.add_related(query, 'Connected_To', inline=False) else: queries = [] """ store information about dropped files """ if 'dropped' in jdict: log.debug('handling dropped files ...') dropped = self.__create_cybox_dropped_files(jdict['dropped'], jdict['target']['file']['sha256']) for drop in dropped: main_file_object.add_related(drop, 'Dropped', inline=False) else: dropped = [] """ store virustotal information """ if 'virustotal' in jdict and 'positives' in jdict['virustotal']: log.debug('handling virustotal information ...') vtInformationTools = self.__create_stix_virustotal(jdict['virustotal'], log, config) vtFound = True else: vtInformationTools = [] vtFound = False """ create observables """ if config["attachemail"] and len(email_observables)>0: obs = Observables([main_file_object]+email_observables+win_executable_extension+domains+addresses+http_requests+dropped+queries) else: obs = Observables([main_file_object]+win_executable_extension+domains+addresses+http_requests+dropped+queries) """ generate stix id with siemens namespace """ if config: stix_id_generator = stix.utils.IDGenerator(namespace={config["xmlns"]: config["namespace"]}) else: stix_id_generator = stix.utils.IDGenerator(namespace={"cert.siemens.com": "siemens_cert"}) """ create stix package """ stix_id = stix_id_generator.create_id() stix_package = STIXPackage(observables=obs, id_=stix_id) stix_header = STIXHeader() stix_header.title = "Analysis report: %s" % (str(main_file_object.file_name).decode('utf8', errors='xmlcharrefreplace')) if 'info' in jdict and 'started' in jdict['info']: sandbox_report_date = dateparser.parse(jdict['info']['started']+' CET').isoformat() else: sandbox_report_date = datetime.datetime.now(pytz.timezone('Europe/Berlin')).isoformat() stix_header.description = 'Summarized analysis results for file "%s" with MD5 hash "%s" created on %s.' % (str(main_file_object.file_name).decode('utf8', errors='xmlcharrefreplace'), main_file_object.hashes.md5, sandbox_report_date) stix_header.add_package_intent("Malware Characterization") """ create markings """ spec = MarkingSpecification() spec.idref = stix_id spec.controlled_structure = "//node()" tlpmark = TLPMarkingStructure() if config: if not vtFound: tlpmark.color = config["color"] else: tlpmark.color = "GREEN" elif vtFound: tlpmark.color = "GREEN" else: tlpmark.color = "AMBER" spec.marking_structure = [tlpmark] """ attach to header """ stix_header.handling = Marking([spec]) stix_information_source = InformationSource() stix_information_source.time = Time(produced_time=sandbox_report_date) stix_information_source.tools = ToolInformationList([ToolInformation(tool_name="SIEMENS-ANALYSIS-TOOL-ID-12", tool_vendor="ANALYSIS-ID: %s" % (jdict['info']['id']))]+vtInformationTools) stix_header.information_source = stix_information_source stix_package.stix_header = stix_header """ write result xml file """ xml_file_name = "stix-%s-malware-report.xml" % (file_md5) xml_report_file_path = os.path.join(self.reports_path, xml_file_name) fp = open(xml_report_file_path, 'w') if config: fp.write(stix_package.to_xml(ns_dict={config["xmlns"]: config["namespace"]})) else: fp.write(stix_package.to_xml(ns_dict={'cert.siemens.com': 'siemens_cert'})) fp.close() if config["copytoshare"]: self.__copy_xml_to_ti_share(xml_report_file_path, xml_file_name, config) for item in email_stix_path_tuple_list: self.__copy_xml_to_ti_share(item[0], item[1], config, "email") else: log.warning("copy to TI share is disabled: %s" % (config["copytoshare"])) return