def add_information_source_items(reference_item, source_id_item, schema_version_item, incident): insrc = InformationSource() if reference_item: for item in reference_item.split(';'): insrc.add_reference(item.strip()) if source_id_item or schema_version_item: insrc.tools = ToolInformationList() if source_id_item: insrc.identity = Identity() insrc.identity.name = source_id_item tool = ToolInformation() tool.name = "veris2stix" tool.vendor = "MITRE" tool.version = __version__ insrc.tools.append(tool) if schema_version_item: tool = ToolInformation() tool.name = "VERIS schema" tool.vendor = "Verizon" tool.version = schema_version_item insrc.tools.append(tool) incident.information_source = insrc
def _observable_to_indicator_stix(observable): """Translate a CybOX Observable into a STIX Indicator. Args: observable: Observable object that will be translated Returns: Indicator object with STIX utility and CybOX tags """ # Build STIX tool content tool = ToolInformation(tool_name='OpenIOC to STIX Utility') tool.version = version.__version__ # Build Indicator.producer contents producer = InformationSource() producer.tools = ToolInformationList(tool) # Build Indicator indicator = Indicator(title="CybOX-represented Indicator Created from OpenIOC File") indicator.producer = producer indicator.add_observable(observable) return indicator
def create_cybox_object(self, jdict, whitelist, config): listObservables = [] NS = cybox.utils.Namespace("cert.siemens.com", "siemens_cert") cybox.utils.set_id_namespace(NS) """ store information about malware binary that was analyzed """ if 'target' in jdict and 'category' in jdict['target'] and jdict['target']['category'] == 'file': log.debug("handling File information ...") main_file_object = self.__create_cybox_main_file(jdict['target']['file']) file_md5 = jdict['target']['file']['md5'] elif 'target' in jdict and 'category' in jdict['target'] and jdict['target']['category'] == 'url': log.warning("Not a file analysis report! URL reports not handled") return else: log.error("No target information in report ... skipping") return """ try to find email that dropped this attachment """ if config["attachemail"] or config["referenceemail"]: log.info("handling email attack vector information ...") email_object_properties, email_observables_list, email_stix_path_tuple_list = self.__check_malware_mailing_list(file_md5, log, config) if email_object_properties and len(email_object_properties)>0: for email_object in email_object_properties: main_file_object.add_related(email_object, "Contained_Within", inline=False) else: log.warning("failed linking mail object (no objects to link)") email_stix_path_tuple_list = [] else: email_object = None email_observables = [] email_stix_path_tuple_list = [] """ store extended information about malware file """ if 'static' in jdict: log.debug("handling extended File information ...") win_executable_extension = self.__create_cybox_win_executable(jdict['target']['file'], jdict['static']) if win_executable_extension: main_file_object.add_related(win_executable_extension, "Characterized_By", inline=False) win_executable_extension = [win_executable_extension] else: log.warning("No extended File information found") win_executable_extension = [] """ store domains connected to """ if 'network' in jdict and 'domains' in jdict['network']: log.debug("handling Domain information ...") domains, addresses = self.__create_cybox_domains(jdict['network']['domains'], whitelist) for dom in domains: main_file_object.add_related(dom, 'Connected_To', inline=False) else: domains = [] addresses = [] """ store http session information """ if 'network' in jdict and 'http' in jdict['network']: log.debug("handling HTTP information ...") http_requests = self.__create_cybox_https(jdict['network']['http'], whitelist) for session in http_requests: main_file_object.add_related(session, 'Connected_To', inline=False) else: http_requests = [] """ store dns queries information about the malware """ if 'network' in jdict and 'dns' in jdict['network']: log.debug("handling DNS information ...") queries = self.__create_cybox_dns_queries(jdict['network']['dns'], whitelist) for query in queries: main_file_object.add_related(query, 'Connected_To', inline=False) else: queries = [] """ store information about dropped files """ if 'dropped' in jdict: log.debug('handling dropped files ...') dropped = self.__create_cybox_dropped_files(jdict['dropped'], jdict['target']['file']['sha256']) for drop in dropped: main_file_object.add_related(drop, 'Dropped', inline=False) else: dropped = [] """ store virustotal information """ if 'virustotal' in jdict and 'positives' in jdict['virustotal']: log.debug('handling virustotal information ...') vtInformationTools = self.__create_stix_virustotal(jdict['virustotal'], log, config) vtFound = True else: vtInformationTools = [] vtFound = False """ create observables """ if config["attachemail"] and len(email_observables)>0: obs = Observables([main_file_object]+email_observables+win_executable_extension+domains+addresses+http_requests+dropped+queries) else: obs = Observables([main_file_object]+win_executable_extension+domains+addresses+http_requests+dropped+queries) """ generate stix id with siemens namespace """ if config: stix_id_generator = stix.utils.IDGenerator(namespace={config["xmlns"]: config["namespace"]}) else: stix_id_generator = stix.utils.IDGenerator(namespace={"cert.siemens.com": "siemens_cert"}) """ create stix package """ stix_id = stix_id_generator.create_id() stix_package = STIXPackage(observables=obs, id_=stix_id) stix_header = STIXHeader() stix_header.title = "Analysis report: %s" % (str(main_file_object.file_name).decode('utf8', errors='xmlcharrefreplace')) if 'info' in jdict and 'started' in jdict['info']: sandbox_report_date = dateparser.parse(jdict['info']['started']+' CET').isoformat() else: sandbox_report_date = datetime.datetime.now(pytz.timezone('Europe/Berlin')).isoformat() stix_header.description = 'Summarized analysis results for file "%s" with MD5 hash "%s" created on %s.' % (str(main_file_object.file_name).decode('utf8', errors='xmlcharrefreplace'), main_file_object.hashes.md5, sandbox_report_date) stix_header.add_package_intent("Malware Characterization") """ create markings """ spec = MarkingSpecification() spec.idref = stix_id spec.controlled_structure = "//node()" tlpmark = TLPMarkingStructure() if config: if not vtFound: tlpmark.color = config["color"] else: tlpmark.color = "GREEN" elif vtFound: tlpmark.color = "GREEN" else: tlpmark.color = "AMBER" spec.marking_structure = [tlpmark] """ attach to header """ stix_header.handling = Marking([spec]) stix_information_source = InformationSource() stix_information_source.time = Time(produced_time=sandbox_report_date) stix_information_source.tools = ToolInformationList([ToolInformation(tool_name="SIEMENS-ANALYSIS-TOOL-ID-12", tool_vendor="ANALYSIS-ID: %s" % (jdict['info']['id']))]+vtInformationTools) stix_header.information_source = stix_information_source stix_package.stix_header = stix_header """ write result xml file """ xml_file_name = "stix-%s-malware-report.xml" % (file_md5) xml_report_file_path = os.path.join(self.reports_path, xml_file_name) fp = open(xml_report_file_path, 'w') if config: fp.write(stix_package.to_xml(ns_dict={config["xmlns"]: config["namespace"]})) else: fp.write(stix_package.to_xml(ns_dict={'cert.siemens.com': 'siemens_cert'})) fp.close() if config["copytoshare"]: self.__copy_xml_to_ti_share(xml_report_file_path, xml_file_name, config) for item in email_stix_path_tuple_list: self.__copy_xml_to_ti_share(item[0], item[1], config, "email") else: log.warning("copy to TI share is disabled: %s" % (config["copytoshare"])) return