def main(args): if len(args) < 4: sys.exit("Invalid parameters") baseURL = args[1] if not baseURL: baseURL = 'https://www.misp-project.org' orgname = args[2] orgname = re.sub('[\W]+', '', orgname.replace(" ", "_")) NS_DICT[baseURL] = orgname try: idgen.set_id_namespace(Namespace(baseURL, orgname)) except TypeError: idgen.set_id_namespace(Namespace(baseURL, orgname, "MISP")) stix_package = STIXPackage() stix_header = STIXHeader() stix_header.title = "Export from {} MISP".format(args[2]) stix_header.package_intents = "Threat Report" stix_package.stix_header = stix_header stix_package.version = "1.1.1" stix_package.timestamp = datetime.datetime.now() if args[3] == 'json': stix_string = stix_package.to_json()[:-1] stix_string += ', "related_packages": [' else: stix_string = stix_package.to_xml(auto_namespace=False, ns_dict=NS_DICT, schemaloc_dict=SCHEMALOC_DICT) stix_string = stix_string.decode().replace("</stix:STIX_Package>\n", "") print(stix_string)
def main(args): if len(args) < 4: sys.exit("Invalid parameters") baseURL = args[1] if not baseURL: baseURL = 'https://www.misp-project.org' orgname = args[2] namespace = [baseURL, orgname.replace(" ", "_")] namespace[1] = re.sub('[\W]+', '', namespace[1]) NS_DICT[namespace[0]] = namespace[1] try: idgen.set_id_namespace({baseURL: namespace[1]}) except ValueError: # Some weird stix error that sometimes occurs if the stars # align and Mixbox is being mean to us # Glory to STIX, peace and good xmlns be upon it try: idgen.set_id_namespace(Namespace(baseURL, namespace[1])) except TypeError: # Ok this only occurs if the script is being run under py3 # and if we're running a REALLY weird version of stix # May as well catch it idgen.set_id_namespace(Namespace(baseURL, namespace[1], "MISP")) stix_package = STIXPackage() stix_header = STIXHeader() stix_header.title = "Export from {} MISP".format(orgname) stix_header.package_intents = "Threat Report" stix_package.stix_header = stix_header stix_package.version = "1.1.1" stix_package.timestamp = datetime.datetime.now() if args[3] == 'json': stix_string = stix_package.to_json()[:-1] stix_string += ', "related_packages": [' else: stix_string = stix_package.to_xml(auto_namespace=False, ns_dict=NS_DICT, schemaloc_dict=SCHEMALOC_DICT) stix_string = stix_string.decode() stix_string = stix_string.replace("</stix:STIX_Package>\n", "") print(stix_string)
def main(args): if len(sys.argv) < 4: sys.exit("Invalid parameters") namespace = [sys.argv[1], sys.argv[2].replace(" ", "_")] namespace[1] = re.sub('[\W]+', '', namespace[1]) NS_DICT[namespace[0]] = namespace[1] stix.utils.idgen.set_id_namespace({namespace[0]: namespace[1]}) stix_package = STIXPackage() stix_header = STIXHeader() stix_header.title = "Export from " + sys.argv[2] + " MISP" stix_header.package_intents = "Threat Report" stix_package.stix_header = stix_header if sys.argv[3] == 'json': stix_string = stix_package.to_json()[:-1] stix_string += ', "related_packages": [' else: stix_string = stix_package.to_xml(auto_namespace=False, ns_dict=NS_DICT, schemaloc_dict=SCHEMALOC_DICT) stix_string = stix_string.replace("</stix:STIX_Package>\n", "") print(stix_string)
def stix_framing(*args): import datetime, re from stix.core import STIXPackage, STIXHeader from cybox.utils import Namespace # As python3 is forced anyway, mixbox is used and we don't need to try to import idgen from stix.utils from mixbox import idgen from stix import __version__ as STIXVER NS_DICT = { "http://cybox.mitre.org/common-2" : 'cyboxCommon', "http://cybox.mitre.org/cybox-2" : 'cybox', "http://cybox.mitre.org/default_vocabularies-2" : 'cyboxVocabs', "http://cybox.mitre.org/objects#AccountObject-2" : 'AccountObj', "http://cybox.mitre.org/objects#ASObject-1" : 'ASObj', "http://cybox.mitre.org/objects#AddressObject-2" : 'AddressObj', "http://cybox.mitre.org/objects#PortObject-2" : 'PortObj', "http://cybox.mitre.org/objects#DomainNameObject-1" : 'DomainNameObj', "http://cybox.mitre.org/objects#EmailMessageObject-2" : 'EmailMessageObj', "http://cybox.mitre.org/objects#FileObject-2" : 'FileObj', "http://cybox.mitre.org/objects#HTTPSessionObject-2" : 'HTTPSessionObj', "http://cybox.mitre.org/objects#HostnameObject-1" : 'HostnameObj', "http://cybox.mitre.org/objects#MutexObject-2" : 'MutexObj', "http://cybox.mitre.org/objects#PipeObject-2" : 'PipeObj', "http://cybox.mitre.org/objects#URIObject-2" : 'URIObj', "http://cybox.mitre.org/objects#WinRegistryKeyObject-2" : 'WinRegistryKeyObj', 'http://cybox.mitre.org/objects#WinServiceObject-2' : 'WinServiceObj', "http://cybox.mitre.org/objects#NetworkConnectionObject-2" : 'NetworkConnectionObj', "http://cybox.mitre.org/objects#NetworkSocketObject-2" : 'NetworkSocketObj', "http://cybox.mitre.org/objects#SocketAddressObject-1" : 'SocketAddressObj', "http://cybox.mitre.org/objects#SystemObject-2" : 'SystemObj', "http://cybox.mitre.org/objects#ProcessObject-2" : 'ProcessObj', "http://cybox.mitre.org/objects#X509CertificateObject-2" : 'X509CertificateObj', "http://cybox.mitre.org/objects#WhoisObject-2" : 'WhoisObj', "http://cybox.mitre.org/objects#WinExecutableFileObject-2" : 'WinExecutableFileObj', "http://data-marking.mitre.org/Marking-1" : 'marking', "http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1" : 'tlpMarking', "http://stix.mitre.org/ExploitTarget-1" : 'et', "http://stix.mitre.org/Incident-1" : 'incident', "http://stix.mitre.org/Indicator-2" : 'indicator', "http://stix.mitre.org/TTP-1" : 'ttp', "http://stix.mitre.org/ThreatActor-1" : 'ta', "http://stix.mitre.org/common-1" : 'stixCommon', "http://stix.mitre.org/default_vocabularies-1" : 'stixVocabs', "http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1" : 'ciqIdentity', "http://stix.mitre.org/extensions/TestMechanism#Snort-1" : 'snortTM', "http://stix.mitre.org/stix-1" : 'stix', "http://www.w3.org/2001/XMLSchema-instance" : 'xsi', "urn:oasis:names:tc:ciq:xal:3" : 'xal', "urn:oasis:names:tc:ciq:xnl:3" : 'xnl', "urn:oasis:names:tc:ciq:xpil:3" : 'xpil', } SCHEMALOC_DICT = { 'http://cybox.mitre.org/common-2': 'http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd', 'http://cybox.mitre.org/cybox-2': 'http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd', 'http://cybox.mitre.org/default_vocabularies-2': 'http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd', 'http://cybox.mitre.org/objects#AccountObject-2': ' http://cybox.mitre.org/XMLSchema/objects/Account/2.1/Account_Object.xsd', 'http://cybox.mitre.org/objects#ASObject-1': 'http://cybox.mitre.org/XMLSchema/objects/AS/1.0/AS_Object.xsd', 'http://cybox.mitre.org/objects#AddressObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd', 'http://cybox.mitre.org/objects#PortObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Port/2.1/Port_Object.xsd', 'http://cybox.mitre.org/objects#DomainNameObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd', 'http://cybox.mitre.org/objects#EmailMessageObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Email_Message/2.1/Email_Message_Object.xsd', 'http://cybox.mitre.org/objects#FileObject-2': 'http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd', 'http://cybox.mitre.org/objects#HTTPSessionObject-2': 'http://cybox.mitre.org/XMLSchema/objects/HTTP_Session/2.1/HTTP_Session_Object.xsd', 'http://cybox.mitre.org/objects#HostnameObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Hostname/1.0/Hostname_Object.xsd', 'http://cybox.mitre.org/objects#MutexObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Mutex/2.1/Mutex_Object.xsd', 'http://cybox.mitre.org/objects#PipeObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Pipe/2.1/Pipe_Object.xsd', 'http://cybox.mitre.org/objects#URIObject-2': 'http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd', 'http://cybox.mitre.org/objects#WinServiceObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Service/2.1/Win_Service_Object.xsd', 'http://cybox.mitre.org/objects#WinRegistryKeyObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Registry_Key/2.1/Win_Registry_Key_Object.xsd', 'http://cybox.mitre.org/objects#NetworkConnectionObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.0.1/Network_Connection_Object.xsd', 'http://cybox.mitre.org/objects#NetworkSocketObject-2': 'https://cybox.mitre.org/XMLSchema/objects/Network_Socket/2.1/Network_Socket_Object.xsd', 'http://cybox.mitre.org/objects#SystemObject-2': 'http://cybox.mitre.org/XMLSchema/objects/System/2.1/System_Object.xsd', 'http://cybox.mitre.org/objects#SocketAddressObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Socket_Address/1.1/Socket_Address_Object.xsd', 'http://cybox.mitre.org/objects#ProcessObject-2': 'https://cybox.mitre.org/XMLSchema/objects/Process/2.1/Process_Object.xsd', 'http://cybox.mitre.org/objects#X509CertificateObject-2': 'http://cybox.mitre.org/XMLSchema/objects/X509_Certificate/2.1/X509_Certificate_Object.xsd', 'http://cybox.mitre.org/objects#WhoisObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Whois/2.1/Whois_Object.xsd', 'http://cybox.mitre.org/objects#WinExecutableFileObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Executable_File/2.1/Win_Executable_File_Object.xsd', 'http://data-marking.mitre.org/Marking-1': 'http://stix.mitre.org/XMLSchema/data_marking/1.1.1/data_marking.xsd', 'http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1': 'http://stix.mitre.org/XMLSchema/extensions/marking/tlp/1.1.1/tlp_marking.xsd', 'http://stix.mitre.org/ExploitTarget-1': 'http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd', 'http://stix.mitre.org/Incident-1': 'http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd', 'http://stix.mitre.org/Indicator-2': 'http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd', 'http://stix.mitre.org/TTP-1': 'http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd', 'http://stix.mitre.org/ThreatActor-1': 'http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd', 'http://stix.mitre.org/common-1': 'http://stix.mitre.org/XMLSchema/common/1.1.1/stix_common.xsd', 'http://stix.mitre.org/default_vocabularies-1': 'http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd', 'http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1': 'http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd', 'http://stix.mitre.org/extensions/TestMechanism#Snort-1': 'http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd', 'http://stix.mitre.org/stix-1': 'http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd', 'urn:oasis:names:tc:ciq:xal:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xAL.xsd', 'urn:oasis:names:tc:ciq:xnl:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xNL.xsd', 'urn:oasis:names:tc:ciq:xpil:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xPIL.xsd', } baseurl, orgname, return_type = args if not baseurl: baseurl = 'https://www.misp-project.org' orgname = real_orgname = args[2] orgname = re.sub('[\W]+', '', orgname.replace(" ", "_")) NS_DICT[baseurl] = orgname try: idgen.set_id_namespace(Namespace(baseurl, orgname)) except TypeError: idgen.set_id_namespace(Namespace(baseurl, orgname, "MISP")) stix_package = STIXPackage() stix_header = STIXHeader() stix_header.title="Export from {} MISP".format(real_orgname) stix_header.package_intents="Threat Report" stix_package.stix_header = stix_header stix_package.version = "1.1.1" stix_package.timestamp = datetime.datetime.now() if return_type == 'json': header = '{}, "related_packages": ['.format(stix_package.to_json()[:-1]) footer = json_footer else: s_stix_package = "</stix:STIX_Package>\n" header = stix_package.to_xml(auto_namespace=False, ns_dict=NS_DICT, schemaloc_dict=SCHEMALOC_DICT) header = header.decode().replace(s_stix_package, ""); footer = " </stix:Related_Packages>\n{}".format(s_stix_package) return header, ',', footer
# set incident-specific timestamps breach.time = incidentTime() breach.title = "The Multi-sig Hack" breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d") #breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d") # add the impact impact = ImpactAssessment() impact.effects = Effects("Estimated Loss of $280m in Ether") breach.impact_assessment = impact # add the victim victim = Identity() victim.name = "Cappasity" breach.add_victim(victim) victim2 = Identity() victim2.name = "Who else ?" breach.add_victim(victim2) # add Information Sources infoSource = InformationSource(); infoSource.add_description("https://news.ycombinator.com/item?id=15642856") infoSource.add_description("https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/") breach.Information_Source = infoSource; stix_package.add_incident(breach) print(stix_package.to_json())