def transform(self, event): stix_package = STIXPackage() self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents") incident = Incident( id_="%s:%s-%s" % (CONPOT_NAMESPACE, 'incident', event['session_id'])) initial_time = StixTime() initial_time.initial_compromise = event['timestamp'].isoformat() incident.time = initial_time incident.title = "Conpot Event" incident.short_description = "Traffic to Conpot ICS honeypot" incident.add_category( VocabString(value='Scans/Probes/Attempted Access')) tool_list = ToolInformationList() tool_list.append( ToolInformation.from_dict({ 'name': "Conpot", 'vendor': "Conpot Team", 'version': conpot.__version__, 'description': textwrap.dedent( 'Conpot is a low interactive server side Industrial Control Systems ' 'honeypot designed to be easy to deploy, modify and extend.' ) })) incident.reporter = InformationSource(tools=tool_list) incident.add_discovery_method("Monitoring Service") incident.confidence = "High" # Victim Targeting by Sector ciq_identity = CIQIdentity3_0Instance() #identity_spec = STIXCIQIdentity3_0() #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") #ciq_identity.specification = identity_spec ttp = TTP( title= "Victim Targeting: Electricity Sector and Industrial Control System Sector" ) ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity incident.leveraged_ttps.append(ttp) indicator = Indicator(title="Conpot Event") indicator.description = "Conpot network event" indicator.confidence = "High" source_port = Port.from_dict({ 'port_value': event['remote'][1], 'layer4_protocol': 'tcp' }) dest_port = Port.from_dict({ 'port_value': self.protocol_to_port_mapping[event['data_type']], 'layer4_protocol': 'tcp' }) source_ip = Address.from_dict({ 'address_value': event['remote'][0], 'category': Address.CAT_IPV4 }) dest_ip = Address.from_dict({ 'address_value': event['public_ip'], 'category': Address.CAT_IPV4 }) source_address = SocketAddress.from_dict({ 'ip_address': source_ip.to_dict(), 'port': source_port.to_dict() }) dest_address = SocketAddress.from_dict({ 'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict() }) network_connection = NetworkConnection.from_dict({ 'source_socket_address': source_address.to_dict(), 'destination_socket_address': dest_address.to_dict(), 'layer3_protocol': "IPv4", 'layer4_protocol': "TCP", 'layer7_protocol': event['data_type'], 'source_tcp_state': "ESTABLISHED", 'destination_tcp_state': "ESTABLISHED", }) indicator.add_observable(Observable(network_connection)) artifact = Artifact() artifact.data = json.dumps(event['data']) artifact.packaging.append(ZlibCompression()) artifact.packaging.append(Base64Encoding()) indicator.add_observable(Observable(artifact)) incident.related_indicators.append(indicator) stix_package.add_incident(incident) stix_package_xml = stix_package.to_xml() return stix_package_xml
def convert_file(ifn, ofn, vcdb): global cve_info global targets_item cve_info = [] targets_item = None with open(ifn) as json_data: veris_item = json.load(json_data) json_data.close() schema_version_item = veris_item.get("schema_version") if not schema_version_item: error("The 'schema_version' item is required") elif not (schema_version_item == "1.3" or schema_version_item == "1.3.0"): error("This converter is for VERIS schema version 1.3. This file has schema version " + schema_version_item) return pkg = STIXPackage() action_item = veris_item.get('action') if not action_item: error("The 'action' item is required") else: add_action_item(action_item, pkg) add_cve_info(pkg) actor_item = veris_item.get('actor') if not actor_item: error("The 'actor' item is required") else: add_actor_item(actor_item, pkg) incident = Incident() pkg.add_incident(incident) asset_item = veris_item.get('asset') if not asset_item: error("The 'asset' item is required") else: attribute_item = veris_item.get('attribute') add_asset_item(asset_item, attribute_item, incident) # added as 1.3 campaign_id_item = veris_item.get('campaign_id') if campaign_id_item: add_campaign_item(campaign_id_item, pkg) confidence_item = veris_item.get('confidence') if confidence_item: add_confidence_item(confidence_item, incident) #control_failure - not found in data if veris_item.get('control_failure'): warn("'control_failure' item not handled, yet") corrective_action_item = veris_item.get('corrective_action') cost_corrective_action_item = veris_item.get('cost_corrective_action') if corrective_action_item or cost_corrective_action_item: add_coa_items(corrective_action_item, cost_corrective_action_item, pkg) discovery_method_item = veris_item.get('discovery_method') if not discovery_method_item: error("The 'discovery_method' item is required") else: incident.add_discovery_method(map_discovey_method(discovery_method_item)) discovery_notes_item = veris_item.get('discovery_notes') if discovery_notes_item: warn("'discovery_notes' item not handled yet") impact_item = veris_item.get('impact') if impact_item: add_impact_item(impact_item, incident) incident_id_item = veris_item.get('incident_id') if not incident_id_item: error("The 'incident_id' item is required") else: external_id = ExternalID() external_id.value = incident_id_item external_id.source = "VERIS" incident.add_external_id(external_id) notes_item = veris_item.get('notes') if notes_item: pkg.stix_header = STIXHeader() pkg.stix_header.title = "Notes: " + notes_item # plus item for records from VCDB have some known useful information if vcdb: plus_item = veris_item.get('plus') if plus_item: add_plus_item(plus_item, incident, pkg) # removed as of 1.3 - see campaign_id # related_incidents_item = veris_item.get('related_incidents') # if related_incidents_item: # add_related_incidents_item(related_incidents_item, incident) security_incident_item = veris_item.get('security_incident') if not security_incident_item: error("The 'security_incident' item is required") else: incident.security_compromise = map_security_incident_item_to_security_compromise(security_incident_item) reference_item = veris_item.get('reference') source_id_item = veris_item.get('source_id') if source_id_item or reference_item: add_information_source_items(reference_item, source_id_item, schema_version_item, incident) summary_item = veris_item.get('summary') if summary_item: incident.title = summary_item #targeted_item = veris_item.get('targeted') #if targeted_item: timeline_item = veris_item.get('timeline') if not timeline_item: error("The 'timeline' item is required") else: add_timeline_item(timeline_item, incident) victim_item = veris_item.get('victim') if victim_item: add_victim_item(victim_item, incident) add_related(pkg) if not ofn: stixXML = sys.stdout else: stixXML = open(ofn, 'wb') stixXML.write(pkg.to_xml()) stixXML.close()
def transform(self, event): self._set_namespace(self.config['contact_domain'], self.config['contact_name']) stix_package = STIXPackage() self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents") incident = Incident(id_="%s:%s-%s" % (self.config['contact_name'], 'incident', event['session_id'])) initial_time = StixTime() initial_time.initial_compromise = event['timestamp'].isoformat() incident.time = initial_time incident.title = "Conpot Event" incident.short_description = "Traffic to Conpot ICS honeypot" incident.add_category(VocabString(value='Scans/Probes/Attempted Access')) tool_list = ToolInformationList() tool_list.append(ToolInformation.from_dict({ 'name': "Conpot", 'vendor': "Conpot Team", 'version': conpot.__version__, 'description': textwrap.dedent('Conpot is a low interactive server side Industrial Control Systems ' 'honeypot designed to be easy to deploy, modify and extend.') })) incident.reporter = InformationSource(tools=tool_list) incident.add_discovery_method("Monitoring Service") incident.confidence = "High" # Victim Targeting by Sector ciq_identity = CIQIdentity3_0Instance() #identity_spec = STIXCIQIdentity3_0() #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") #ciq_identity.specification = identity_spec ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector") ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity incident.leveraged_ttps.append(ttp) indicator = Indicator(title="Conpot Event") indicator.description = "Conpot network event" indicator.confidence = "High" source_port = Port.from_dict({'port_value': event['remote'][1], 'layer4_protocol': 'tcp'}) dest_port = Port.from_dict({'port_value': self.protocol_to_port_mapping[event['data_type']], 'layer4_protocol': 'tcp'}) source_ip = Address.from_dict({'address_value': event['remote'][0], 'category': Address.CAT_IPV4}) dest_ip = Address.from_dict({'address_value': event['public_ip'], 'category': Address.CAT_IPV4}) source_address = SocketAddress.from_dict({'ip_address': source_ip.to_dict(), 'port': source_port.to_dict()}) dest_address = SocketAddress.from_dict({'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict()}) network_connection = NetworkConnection.from_dict( {'source_socket_address': source_address.to_dict(), 'destination_socket_address': dest_address.to_dict(), 'layer3_protocol': u"IPv4", 'layer4_protocol': u"TCP", 'layer7_protocol': event['data_type'], 'source_tcp_state': u"ESTABLISHED", 'destination_tcp_state': u"ESTABLISHED", } ) indicator.add_observable(Observable(network_connection)) artifact = Artifact() artifact.data = json.dumps(event['data']) artifact.packaging.append(ZlibCompression()) artifact.packaging.append(Base64Encoding()) indicator.add_observable(Observable(artifact)) incident.related_indicators.append(indicator) stix_package.add_incident(incident) stix_package_xml = stix_package.to_xml() return stix_package_xml
t.incident_opened = t1 t.incident_discovery = t1 t.incident_reported = t1 t.first_malicious_action = t2 t.initial_compromise = t2 t.first_data_exfiltration = t2 t.containment_achieved = t3 t.restoration_achieved = t3 t.incident_closed = t3 incident.time = t # Additional Attributes incident.add_category('Unauthorized Access') incident.add_intended_effect('Destruction') incident.confidence = 'High' incident.add_discovery_method('NIDS') # People incident.add_coordinator(InformationSource(identity=Identity(name='Fred'))) incident.add_responder(InformationSource(identity=Identity(name='Frank'))) incident.reporter = InformationSource(identity=Identity(name='Alice')) incident.add_victim(Identity(name='Bob')) # Related Observable (by id) addr1 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) observable = Observable(addr1) related_observable = RelatedObservable(Observable(idref=observable.id_)) incident.related_observables.append(related_observable) # Related Indicator (by id) indicator = Indicator()