def main(): stix_package = STIXPackage() # Build the Exploit Target vuln = Vulnerability() vuln.cve_id = "CVE-2014-0160" vuln.add_reference("http://heartbleed.com/") et = ExploitTarget(title="Heartbleed") et.add_vulnerability(vuln) stix_package.add_exploit_target(et) # Build the TTP ttp = TTP(title="Generic Heartbleed Exploits") ttp.exploit_targets.append(ExploitTarget(idref=et.id_)) stix_package.add_ttp(ttp) # Build the indicator indicator = Indicator(title="Snort Signature for Heartbleed") indicator.confidence = Confidence("High") tm = SnortTestMechanism() tm.rules = [ """alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)""", """alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)""" ] tm.efficacy = "Low" tm.producer = InformationSource(identity=Identity(name="FOX IT")) tm.producer.references = [ "http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/" ] indicator.test_mechanisms = TestMechanisms([tm]) indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) print(stix_package.to_xml(encoding=None))
def toStixXml(self, confidence, efficacy): """ This method converts a list of FASGuard generated Snort rules into a STIX compliant XML string ready for output. It first converts the object into a hash of the right format and then converts it into XML using STIXPackage.from_dict and to_xml on the resulting object. Arguments: confidence - High, Medium or Low. High means low false alarm rate. efficacy - High, Medium or Low. High means a low missed detection rate. Returns: Reference to string containing STIX/CybOX XML file. """ logger = logging.getLogger('simple_example') self.logger = logger self.logger.debug('In asg.fasguardStixRule') stix_package = STIXPackage() # Build the Exploit Target vuln = Vulnerability() vuln.cve_id = "Unknown" et = ExploitTarget(title="From FASGuard") et.add_vulnerability(vuln) stix_package.add_exploit_target(et) # Build the TTP ttp = TTP(title="FASGuard Produced Signatures") ttp.exploit_targets.append(ExploitTarget(idref=et.id_)) stix_package.add_ttp(ttp) # Build the indicator indicator = Indicator(title="Snort Signature from FASGuard") indicator.confidence = Confidence(confidence) tm = SnortTestMechanism() tm.rules = self.ruleList tm.efficacy = efficacy tm.producer = InformationSource(identity=Identity(name="FASGuard")) tm.producer.references = ["http://fasguard.github.io/"] indicator.test_mechanisms = [tm] indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) return stix_package.to_xml() # stixDict = {'campaigns': [{}], # 'courses_of_action': [{}], # 'exploit_targets': [{}], # 'id': 'INSERT_PACKAGE_ID_HERE'} # stixDict['indicators'] = [{'indicator': # {'title': # 'Automatically Generated FASGuard Signatures', # 'test_mechanisms': # {'test_mechanism': # {'efficacy':'Low', # 'producer': # {'Identity':'FASGuard'}, # 'rule':'xyz'}}}} # ] stix_package = STIXPackage.from_dict(stixDict) stix_xml = stix_package.to_xml() return stix_xml
def adptr_dict2STIX(srcObj, data): sTxt = "Called... " sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()') stixObj = None ### Input Check if srcObj == None or data == None: #TODO: Needs error msg: Missing srcData Object return (False) ### Generate NameSpace id tags STIX_NAMESPACE = {"http://hailataxii.com": "opensource"} OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource") stix_set_id_namespace(STIX_NAMESPACE) obs_set_id_namespace(OBS_NAMESPACE) ### Building STIX Wrapper stix_package = STIXPackage() objIndicator = Indicator() ### Bulid Object Data for sKey in data: objIndicator = Indicator() listOBS = [] ### Parsing IP Address for sAddr in data[sKey]['attrib']['ipAddrList']: if len(sAddr) > 0: objAddr = Address() objAddr.is_destination = True objAddr.address_value = sAddr #objAddr.address_value.operator = 'Equals' objAddr.address_value.condition = 'Equals' if isIPv4(sAddr): objAddr.category = 'ipv4-addr' elif isIPv6(sAddr): objAddr.category = 'ipv6-addr' else: continue obsAddr = Observable(objAddr) objAddr = None obsAddr.sighting_count = 1 obsAddr.title = 'IP: ' + sAddr sDscrpt = 'IPv4' + ': ' + sAddr + " | " sDscrpt += "isDestination: True | " obsAddr.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsAddr) obsAddr = None ### Parsing Port Number sPort = data[sKey]['attrib']['ipPort'] if len(sPort) > 0: objPort = Port() objPort.port_value = int(sPort) objPort.port_value.condition = 'Equals' sProtocol = data[sKey]['attrib']['ipProt'] if len(sProtocol) > 0: objPort.layer4_protocol = sProtocol.upper() obsPort = Observable(objPort) objPort = None obsPort.sighting_count = 1 obsPort.title = 'Port: ' + sPort sDscrpt = 'PortNumber' + ': ' + sPort + " | " sDscrpt += "Protocol: " + sProtocol.upper() + " | " obsPort.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsPort) ### Add Generated observable to Indicator objIndicator.add_indicator_type("IP Watchlist") objIndicator.observable_composition_operator = 'OR' objIndicator.observables = listOBS from stix.extensions.test_mechanism.snort_test_mechanism import SnortTestMechanism from stix.common import InformationSource, Identity testMech = SnortTestMechanism() testMech.rules = [data[sKey]['attrib']['rule']] testMech.efficacy = "Unknown" infoSrc = InformationSource(identity=Identity(name=srcObj.Domain)) infoSrc.add_contributing_source("http://www.shadowserver.org") infoSrc.add_contributing_source("https://spyeyetracker.abuse.ch") infoSrc.add_contributing_source("https://palevotracker.abuse.ch") infoSrc.add_contributing_source("https://zeustracker.abuse.ch") testMech.producer = infoSrc lstRef = data[sKey]['attrib']['reference'].split('|') testMech.producer.references = lstRef objIndicator.test_mechanisms = [testMech] #Parsing Producer sProducer = srcObj.Domain if len(sProducer) > 0: objIndicator.set_producer_identity(sProducer) #objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']); objIndicator.set_received_time(data[sKey]['dateDL']) ### Title / Description Generator objIndicator.set_received_time(data[sKey]['dateDL']) sTitle = "sid:" + data[sKey]['attrib']['sid'] + " | " sTitle += data[sKey]['attrib']['msg'] + " | " sTitle += "rev:" + data[sKey]['attrib']['rev'] objIndicator.title = sTitle sDscrpt = "SNORT Rule by Emergingthreats | " + data[sKey]['attrib'][ 'rule'] objIndicator.description = "<![CDATA[" + sDscrpt + "]]>" #Parse TTP objMalware = MalwareInstance() nameList = data[sKey]['attrib']['flowbits'] if len(nameList) > 0: nameList = nameList.split("|") for sName in nameList: sName = sName.split(",")[1] objMalware.add_name(sName) #objMalware.add_type("Remote Access Trojan") objMalware.short_description = data[sKey]['attrib']['msg'] ttpTitle = data[sKey]['attrib']['classtype'] + " | " + data[sKey][ 'attrib']['msg'] objTTP = TTP(title=ttpTitle) objTTP.behavior = Behavior() objTTP.behavior.add_malware_instance(objMalware) objIndicator.add_indicated_ttp(objTTP) #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_)) #stix_package.add_ttp(objTTP) stix_package.add_indicator(objIndicator) objIndicator = None ### STIX Package Meta Data stix_header = STIXHeader() stix_header.title = srcObj.pkgTitle stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>" ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/ marking_specification = MarkingSpecification() classLevel = SimpleMarkingStructure() classLevel.statement = "Unclassified (Public)" marking_specification.marking_structures.append(classLevel) tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) marking_specification.controlled_structure = "//node()" objTOU = TermsOfUseMarkingStructure() sTOU = open('tou.txt').read() objTOU.terms_of_use = sProducer + " | " + sTOU marking_specification.marking_structures.append(objTOU) handling = Marking() handling.add_marking(marking_specification) stix_header.handling = handling stix_package.stix_header = stix_header stix_header = None ### Generate STIX XML File locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml' sndFile(stix_package.to_xml(), locSTIXFile) return (stix_package)