def main():
campaign = Campaign(title="Campaign against ICS")
ttp = TTP(title="DrownedRat")
alpha_report = Report()
alpha_report.header = Header()
alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
alpha_report.header.intents = "Campaign Characterization"
alpha_report.add_campaign(Campaign(idref=campaign.id_))
rat_report = Report()
rat_report.header = Header()
rat_report.header.title = "Indicators for Malware DrownedRat"
rat_report.header.intents = "Indicators - Malware Artifacts"
rat_report.add_ttp(TTP(idref=ttp.id_))
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name="Government Sharing Program - GSP")
wrapper.stix_header = STIXHeader(information_source=info_src)
wrapper.add_report(alpha_report)
wrapper.add_report(rat_report)
wrapper.add_campaign(campaign)
wrapper.add_ttp(ttp)
print(wrapper.to_xml())
def create_report(source=None, intent=None):
report = Report()
header = Header()
header.information_source = InformationSource(source)
header.add_intent("Indicators")
report.header = header
return report
def main():
campaign = Campaign(title="Campaign against ICS")
ttp = TTP(title="DrownedRat")
alpha_report = Report()
alpha_report.header = Header()
alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
alpha_report.header.intents = "Campaign Characterization"
alpha_report.add_campaign(Campaign(idref=campaign._id))
rat_report = Report()
rat_report.header = Header()
rat_report.header.title = "Indicators for Malware DrownedRat"
rat_report.header.intents = "Indicators - Malware Artifacts"
rat_report.add_ttp(TTP(idref=ttp._id))
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name="Government Sharing Program - GSP")
wrapper.stix_header = STIXHeader(information_source=info_src)
wrapper.add_report(alpha_report)
wrapper.add_report(rat_report)
wrapper.add_campaign(campaign)
wrapper.add_ttp(ttp)
print wrapper.to_xml()
def get_all_stix_reports( ):
print("[get_all_stix_reports] BEGIN =============")
reports = []
docs = extract.get_all_report_docs()
print("docs.len {0} ".format(len(docs)))
for d in docs:
print("append doc {0} ".format(d))
rep = Report.from_dict(d)
header = rep.header
# print("[report title] : {0}".format( header.intents() ))
reports.append(rep)
print("reports.len {0} ".format(len(reports)))
print("[get_all_stix_reports] END =============")
return reports
def build_stix( input_dict ):
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "TTP " + input_dict['title']
# Add handling requirements if needed
if input_dict['marking']:
mark = SimpleMarkingStructure()
mark.statement = input_dict['marking']
mark_spec = MarkingSpecification()
mark_spec.marking_structures.append(mark)
stix_header.handling = Marking(mark_spec)
stix_package.stix_header = stix_header
report = Report()
if input_dict['incidents']:
for each in input_dict['incidents'].split(','):
result = query_db('select * from incidents where id = ?',
[each], one=True)
report.add_incident(buildIncident(result))
if input_dict['ttps']:
for each in input_dict['ttps'].split(','):
result = query_db('select * from ttps where id = ?',
[each], one=True)
report.add_ttp(buildTtp(result))
if input_dict['indicators']:
for each in input_dict['indicators'].split(','):
result = query_db('select * from indicators where id = ?',
[each], one=True)
report.add_indicator(buildIndicator(result))
if input_dict['observables']:
for each in input_dict['observables'].split(','):
result = query_db('select * from observables where id = ?',
[each], one=True)
report.add_observable(buildObservable(result))
if input_dict['threatActors']:
for each in input_dict['threatActors'].split(','):
result = query_db('select * from threatActors where id = ?',
[each], one=True)
report.add_threat_actor(buildThreatActor(result))
if input_dict['targets']:
for each in input_dict['targets'].split(','):
result = query_db('select * from targets where id = ?',
[each], one=True)
report.add_exploit_target(buildTarget(result))
if input_dict['coas']:
for each in input_dict['coas'].split(','):
result = query_db('select * from coas where id = ?',
[each], one=True)
report.add_course_of_action(buildCoa(result))
if input_dict['campaigns']:
for each in input_dict['campaigns'].split(','):
result = query_db('select * from campaigns where id = ?',
[each], one=True)
report.add_campaign(buildCampaign(result))
stix_package.add_report(report)
return stix_package
def convert_report(r20):
r1x = Report(id_=convert_id20(r20["id"]),
timestamp=text_type(r20["modified"]))
r1x.header = Header()
if "name" in r20:
r1x.header.title = r20["name"]
if "description" in r20:
r1x.header.add_description(r20["description"])
intents = convert_open_vocabs_to_controlled_vocabs(r20["labels"],
REPORT_LABELS_MAP)
for i in intents:
r1x.header.add_intent(i)
if "published" in r20:
add_missing_property_to_description(r1x.header, "published",
r20["published"])
for ref in r20["object_refs"]:
ref_type = get_type_from_id(ref)
ref1x = convert_id20(ref)
if ref_type == "attack-pattern":
r1x.add_ttp(TTP(idref=ref1x))
elif ref_type == "campaign":
r1x.add_campaign(Campaign(idref=ref1x))
elif ref_type == 'course-of-action':
r1x.add_course_of_action(CourseOfAction(idref=ref1x))
elif ref_type == "indicator":
r1x.add_indicator(Indicator(idref=ref1x))
elif ref_type == "observed-data":
r1x.add_observable(Observable(idref=ref1x))
elif ref_type == "malware":
r1x.add_ttp(TTP(idref=ref1x))
elif ref_type == "threat-actor":
r1x.add_threat_actor(ThreatActor(idref=ref1x))
elif ref_type == "tool":
r1x.add_ttp(TTP(idref=ref1x))
elif ref_type == "vulnerability":
r1x.add_exploit_target(ExploitTarget(idref=ref1x))
elif ref_type == "identity" or ref_type == "relationship":
warn("%s in %s is not explicitly a member of a STIX 1.x report",
703, ref, r20["id"])
elif ref_type == "intrusion-set":
warn("%s in %s cannot be represented in STIX 1.x", 612, ref,
r20["id"])
else:
warn("ref type %s in %s is not known", 0, ref_type, r20["id"])
if "object_marking_refs" in r20:
for m_id in r20["object_marking_refs"]:
ms = create_marking_specification(m_id)
if ms:
CONTAINER.add_marking(r1x, ms, descendants=True)
if "granular_markings" in r20:
error(
"Granular Markings present in '%s' are not supported by stix2slider",
604, r20["id"])
return r1x
def transform(addsec_data):
#
# Parse the Addition Security protobuf object, which contains a STIX report representation
#
as_report = addsec_cti_pb2.Report()
as_report.ParseFromString(addsec_data)
#
# Create a new STIX package & report container
#
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader()
stix_package.stix_header.description = "Addition Security Report"
stix_report = Report()
#
# Addition Security includes various identification information re: the entity of the report.
# We are going to convert it into three CybOX objects: Product, Device, and Custom
#
cybox_product = Product()
cybox_product.product = "MobileAwareness"
cybox_product.vendor = "Addition Security"
cybox_device = Device()
cybox_device.device_type = "Mobile Device"
cybox_custom_sourceapp = Custom()
cybox_custom_sourceapp.custom_name = "addsec:sourceApplication"
cybox_custom_sourceapp.custom_properties = CustomProperties()
p = Property()
p.name = "organizationId"
p.value = as_report.organizationId.encode(
'hex') # NOTE: this is binary bytes
cybox_custom_sourceapp.custom_properties.append(p)
p = Property()
p.name = "application"
p.value = as_report.applicationId # NOTE: bundleId/packageId of hosting app
cybox_custom_sourceapp.custom_properties.append(p)
p = Property()
p.name = "instanceId"
p.value = as_report.systemId.encode('hex') # NOTE: this is binary bytes
cybox_custom_sourceapp.custom_properties.append(p)
stix_report.add_observable(cybox_product)
stix_report.add_observable(cybox_device)
stix_report.add_observable(cybox_custom_sourceapp)
#
# Enumerate the Addition Security reported sightings
#
for as_sighting in as_report.observations:
#
# Addition Security lets customers transit custom messages over the reporting channel; these
# messages show up as a "Customer Message" indicator with string-based payload. Since these
# messages are both proprietary in nature and potentially unrelated to STIX, we are going to
# filter them out from this processing.
#
if as_sighting.observationType == 8: continue # 8: CustomerData
#
# Sightings are used to report device information as well; let's expel device-related
# sightings and re-route their data into the CybOX device object (instead of including
# as an indicator w/ sighting)
#
if as_sighting.testId == 1 or as_sighting.testId == 2: #
addsec_to_cybox_device(cybox_device, as_sighting)
continue
# Ditto for reported product information as well
if as_sighting.testId == 8: # 8: SDKVersionInfo
addsec_to_cybox_product(cybox_product, as_sighting)
continue
#
# Compose a STIX-appropriate indicator value from the Addition Security indicator ID & SubID
#
indicator_id = "addsec:asma-%d-%d" % (as_sighting.testId,
as_sighting.testSubId)
stix_indicator = Indicator(id_=indicator_id)
stix_indicator.title = addsec_title_lookup(as_sighting.testId,
as_sighting.testSubId)
#
# Create a sighting for this indicator
#
stix_sighting = Sighting()
stix_indicator.sightings = stix_sighting
stix_sighting.timestamp = datetime.datetime.fromtimestamp(
as_sighting.timestamp)
if as_sighting.confidence > 0:
stix_sighting.confidence = addsec_to_stix_confidence(
as_sighting.confidence)
#
# Enumerate the observables for this sighting
#
for as_observable in as_sighting.datas:
cybox_obj = addsec_to_cybox(as_observable.dataType,
as_observable.data)
if not cybox_obj is None:
stix_sighting.related_observables.append(
RelatedObservable(Observable(cybox_obj)))
#
# Finally, add this indicator (w/ sightings & related observables) to the top level report
#
stix_report.add_indicator(stix_indicator)
#
# Finalize the STIX report and output the XML
#
stix_package.reports = stix_report
return stix_package.to_xml()
from stix.core import STIXPackage from stix.report import Report from stix.report.header import Header stix_package = STIXPackage() stix_report = Report() stix_report.header = Header() stix_report.header.description = "Getting Started" stix_package.add(stix_report) print(stix_package.to_xml())
#!/usr/bin/env python # Copyright (c) 2017, The MITRE Corporation. All rights reserved. # See LICENSE.txt for complete terms. """ Description: Build a STIX Indicator document containing a File observable with an associated hash. """ from stix.core import STIXPackage# Imporet the STIX Package API from stix.report import Report# Import the STIX Report API from stix.report.header import Header# Import the STIX Report Header API stix_package = STIXPackage()# Create an instance of STIX stix_report = Report()# Create a Report instance stix_report.header = Header()# Create a header for the report stix_report.header.description = "Getting Started!"# Set the description stix_package.add(stix_report)# Add the report to our STIX Package print(stix_package.to_xml())
