def stix_xml(bldata):
# Create the STIX Package and Header objects
stix_package = STIXPackage()
stix_header = STIXHeader()
# Set the description
stix_header.description = "RiskIQ Blacklist Data - STIX Format"
# Set the namespace
NAMESPACE = {"http://www.riskiq.com" : "RiskIQ"}
set_id_namespace(NAMESPACE)
# Set the produced time to now
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
# Create the STIX Package
stix_package = STIXPackage()
# Build document
stix_package.stix_header = stix_header
# Build the Package Intent
stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)
# Build the indicator
indicator = Indicator()
indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam"
indicator.add_indicator_type("URL Watchlist")
for datum in bldata:
url = URI()
url.value = ""
url.value = datum['url']
url.type_ = URI.TYPE_URL
url.condition = "Equals"
indicator.add_observable(url)
stix_package.add_indicator(indicator)
return stix_package.to_xml()
def capecbuild(capecid):
"""Build a STIX package based on a CAPEC ID."""
data = _get_attack(capecid)
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from mixbox.idgen import set_id_namespace
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = _marking()
ttp = _buildttp(data)
if data['related_attacks']:
ttp.related_ttps.append(
_buildttp(_get_attack(str(data['related_attacks'][0]))))
pkg.add_ttp(ttp)
xml = pkg.to_xml()
title = pkg.id_.split(':', 1)[-1]
if __name__ == '__main__':
_postconstruct(xml, title)
return xml
def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from mixbox.idgen import set_id_namespace
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = _marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
expt.information_source = InformationSource(
identity=Identity(name="National Vulnerability Database"))
# Add the vulnerability object to the package object
expt.add_vulnerability(_vulnbuild(data))
# Add the COA object to the ET object
for coa in COAS:
expt.potential_coas.append(
CourseOfAction(
idref=coa['id'],
timestamp=expt.timestamp))
# Do some TTP stuff with CAPEC objects
if TTPON is True:
try:
for i in data['capec']:
pkg.add_ttp(_buildttp(i, expt))
except KeyError:
pass
expt.add_weakness(_weakbuild(data))
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
title = pkg.id_.split(':', 1)[-1]
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
_postconstruct(xml, title)
return xml
else:
sys.exit("[-] Error retrieving details for " + var)
def capecbuild(capecid):
"""Build a STIX package based on a CAPEC ID."""
data = _get_attack(capecid)
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from mixbox.idgen import set_id_namespace
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = _marking()
ttp = _buildttp(data)
if data['related_attacks']:
ttp.related_ttps.append(
_buildttp(_get_attack(str(data['related_attacks'][0]))))
pkg.add_ttp(ttp)
xml = pkg.to_xml()
title = pkg.id_.split(':', 1)[-1]
if __name__ == '__main__':
_postconstruct(xml, title)
return xml
def stix_xml(bldata):
# Create the STIX Package and Header objects
stix_package = STIXPackage()
stix_header = STIXHeader()
# Set the description
stix_header.description = "RiskIQ Blacklist Data - STIX Format"
# Set the namespace
NAMESPACE = {"http://www.riskiq.com": "RiskIQ"}
set_id_namespace(NAMESPACE)
# Set the produced time to now
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
# Create the STIX Package
stix_package = STIXPackage()
# Build document
stix_package.stix_header = stix_header
# Build the Package Intent
stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)
# Build the indicator
indicator = Indicator()
indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam"
indicator.add_indicator_type("URL Watchlist")
for datum in bldata:
url = URI()
url.value = ""
url.value = datum['url']
url.type_ = URI.TYPE_URL
url.condition = "Equals"
indicator.add_observable(url)
stix_package.add_indicator(indicator)
return stix_package.to_xml()
def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from stix.utils import idgen
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
idgen.set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
# Add the vulnerability object to the package object
expt.add_vulnerability(vulnbuild(data))
# Do some TTP stuff with CAPEC objects
try:
for i in data['capec']:
ttp = TTP()
ttp.title = "CAPEC-" + str(i['id'])
ttp.description = i['summary']
ttp.exploit_targets.append(ExploitTarget(idref=expt.id_))
pkg.add_ttp(ttp)
except KeyError:
pass
# Do some weakness stuff
if data['cwe'] != 'Unknown':
weak = Weakness()
weak.cwe_id = data['cwe']
expt.add_weakness(weak)
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
title = pkg.id_.split(':', 1)[-1]
with open(title + ".xml", "w") as text_file:
text_file.write(xml)
return xml
def _custom_namespace(url, alias):
try:
from stix.utils import set_id_namespace
namespace = {url: alias}
set_id_namespace(namespace)
except ImportError:
from mixbox.namespaces import Namespace
from stix.utils import idgen
namespace = Namespace(url, alias, "")
idgen.set_id_namespace(namespace)
def parse_file(file_to_parse):
set_id_namespace({IDManager().get_namespace(): LOCAL_ALIAS})
cybox_set_id_namespace(Namespace(IDManager().get_namespace(), LOCAL_ALIAS))
parse_func = 'parse_txt'
if 'pdf' in file_to_parse.content_type:
parse_func = 'parse_pdf_pypdf2'
try:
return parse_using_func(file_to_parse, parse_func)
except Exception as e:
raise (IOCParseException(e.message))
def main():
# Parse command line arguments
argparser = get_arg_parser()
args = argparser.parse_args()
# initialize logging
init_logging(args.verbose)
# Set the namespace to be used in the STIX Package
utils.set_id_namespace({"http://openioc.org/openioc":"openioc"})
# Create Observables from binding object
stix_package = translate.to_stix(args.infile)
# Write the STIXPackage to a output file
write_package(stix_package, outfn=args.outfile)
def tearDown(self):
utils.set_id_namespace(utils.EXAMPLE_NAMESPACE)
def export_stix(request, model, id):
c = None
if model == "cluster":
c = Cluster.objects.get(pk=id)
n = Node.objects.filter(subcluster__cluster=c)
r = Relation.objects.filter(subcluster__cluster=c)
elif model == "subcluster":
c = SubCluster.objects.get(pk=id)
n = Node.objects.filter(subcluster=c)
r = Relation.objects.filter(subcluster=c)
NAMESPACE = {}
url = "http://localhost"
prefix = "localhost"
NAMESPACE[url] = prefix
#ns = Namespace(url, prefix, '')
#idgen = IDGenerator(namespace=ns)
#set_id_namespace(ns)
#full_path = ('http', ('', 's')[request.is_secure()], '://', request.META['HTTP_HOST'], request.path)
#url = ''.join(full_path)
#NAMESPACE[url] = request.META['HTTP_HOST'].split(":")[0]
set_id_namespace(NAMESPACE)
pkg = create_package()
intent = "Indicators"
report = create_report(source=url, intent=intent)
pkg.add_report(report)
ctitle = c.name
cdscr = c.description
campaign = create_campaign(title=ctitle, description=cdscr)
pkg.add_campaign(campaign)
hostlist = []
#hosts = n.filter(label__name="Host",key_property__key__name="name")
hosts = n.filter(index__label__name="Host",index__property_key__name="name")
for host in hosts:
#h = host.key_property.value
h = host.value
if not h in hostlist:
hostlist.append(h)
domainlist = []
domains = n.filter(index__label__name="Domain",index__property_key__name="name")
for domain in domains:
#d = domain.key_property.value
d = domain.value
if not d in domainlist:
domainlist.append(d)
iplist = []
ips = n.filter(index__label__name="IP",index__property_key__name="address")
for ip in ips:
#i = ip.key_property.value
i = ip.value
if not i in iplist:
iplist.append(i)
"""
indicators = [
hostchars_indicator(hostlist),
domainlist_indicator(domainlist),
iplist_indicator(iplist),
]
indicators = add_relcampaign_to_indicators(campaign, indicators)
pkg = add_indicators_to_pkg(indicators, pkg)
"""
obs = {
"ip":iplist,
"domain":domainlist,
"host":hostlist,
}
pkg = add_obs_to_pkg(obs, pkg)
out = "/static/export/stix_" + model + id + ".xml"
fh = open(appdir + out, "wb")
fh.write(pkg.to_xml())
fh.close()
return redirect(out)
def setUp(self):
utils.set_id_namespace({"http://schemas.mandiant.com/2010/ioc": "mandiant-openioc"})
from cybox.objects.device_object import Device
from cybox.objects.api_object import API
from cybox.objects.library_object import Library
from cybox.objects.user_account_object import UserAccount
from cybox.objects.file_object import File
from cybox.objects.hostname_object import Hostname
from cybox.objects.x509_certificate_object import X509Certificate
from cybox.objects.process_object import Process
from cybox.objects.linux_package_object import LinuxPackage
from cybox.objects.artifact_object import Artifact
from cybox.objects.custom_object import Custom
from cybox.common.object_properties import CustomProperties, Property
from stix.utils import set_id_namespace
NAMESPACE = {'http://www.addditionsecurity.com': 'addsec'}
set_id_namespace(NAMESPACE)
##############################################################################
#
# The main transform function; takes Addition Security binary protobuf and returns STIX XML
#
def transform(addsec_data):
#
# Parse the Addition Security protobuf object, which contains a STIX report representation
#
as_report = addsec_cti_pb2.Report()
as_report.ParseFromString(addsec_data)
def create_stix_file():
# List of indicators to be deduped
hostnames = []
ips = []
urls = []
md5s = []
sha1s = []
# Set namespace
NAMESPACE = {PRODUCER_URL: PRODUCER_NAME}
set_id_namespace(NAMESPACE)
# JSON load the POSTed request data
try:
data_recv = request.data
data = json.loads(data_recv)
except:
return make_response(
jsonify({'Error': "Unable to decode json object"}), 400)
# Parse the JSON object
try:
# Get MD5 of sample
malware_sample = data['alert']['explanation']['malware-detected'][
'malware']
count = 0
sample_hash = ""
try:
for entry in malware_sample:
if "md5sum" in malware_sample[count]:
sample_hash = malware_sample[count]['md5sum']
count += 1
except:
if "md5sum" in malware_sample:
sample_hash = malware_sample['md5sum']
# If all else fails
if sample_hash == "":
sample_hash = "Unknown"
# Indicators
# Domains
domain_indicator = Indicator()
domain_indicator.title = "Malware Artifacts - Domain"
domain_indicator.type = "Malware Artifacts"
domain_indicator.description = (
"Domains derived from sandboxed malware sample. MD5 Hash: " +
sample_hash)
domain_indicator.short_description = ("Domainss from " + sample_hash)
domain_indicator.set_producer_identity(PRODUCER_NAME)
domain_indicator.set_produced_time(utils.dates.now())
domain_indicator.indicator_types.append("Domain Watchlist")
# IPs
ip_indicator = Indicator()
ip_indicator.title = "Malware Artifacts - IP"
ip_indicator.description = (
"IPs derived from sandboxed malware sample. MD5 Hash: " +
sample_hash)
ip_indicator.short_description = ("IPs from " + sample_hash)
ip_indicator.set_producer_identity(PRODUCER_NAME)
ip_indicator.set_produced_time(utils.dates.now())
ip_indicator.indicator_types.append("IP Watchlist")
# URLs
url_indicator = Indicator()
url_indicator.title = "Malware Artifacts - URL"
url_indicator.description = (
"URLs derived from sandboxed malware sample. MD5 Hash: " +
sample_hash)
url_indicator.short_description = ("URLs from " + sample_hash)
url_indicator.set_producer_identity(PRODUCER_NAME)
url_indicator.set_produced_time(utils.dates.now())
url_indicator.indicator_types.append("URL Watchlist")
# Hashs
hash_indicator = Indicator()
hash_indicator.title = "Malware Artifacts - File Hash"
hash_indicator.description = (
"File hashes derived from sandboxed malware sample. MD5 Hash: " +
sample_hash)
hash_indicator.short_description = ("Hash from " + sample_hash)
hash_indicator.set_producer_identity(PRODUCER_NAME)
hash_indicator.set_produced_time(utils.dates.now())
hash_indicator.indicator_types.append("File Hash Watchlist")
# Create a STIX Package
stix_package = STIXPackage()
# Create the STIX Header and add a description.
stix_header = STIXHeader({"Indicators - Malware Artifacts"})
stix_header.description = PRODUCER_NAME + ": FireEye Sample ID " + str(
data['alert']['id'])
stix_package.stix_header = stix_header
if "network" in data['alert']['explanation']['os-changes']:
# Add indicators for network
for entry in data['alert']['explanation']['os-changes']['network']:
if "hostname" in entry:
hostnames.append(entry['hostname'])
if "ipaddress" in entry:
ips.append(entry['ipaddress'])
if "http_request" in entry:
domain = re.search('~~Host:\s(.*?)~~',
entry['http_request'])
url = re.search('^.*\s(.*?)\sHTTP', entry['http_request'])
if domain:
domain_name = domain.group(1)
if url:
url_string = url.group(1)
urls.append(domain_name + url_string)
# Add indicators for files
for entry in data['alert']['explanation']['os-changes']['network']:
if "md5sum" in entry['processinfo']:
filename = re.search('([\w-]+\..*)',
entry['processinfo']['imagepath'])
if filename:
md5s.append((filename.group(1),
entry['processinfo']['md5sum']))
if "process" in data['alert']['explanation']['os-changes']:
# Add indicators from process
for entry in data['alert']['explanation']['os-changes']['process']:
if "md5sum" in entry:
filename = re.search('([\w-]+\..*)', entry['value'])
if filename:
md5s.append((filename.group(1), entry['md5sum']))
if "sha1sum" in entry:
filename = re.search('([\w-]+\..*)', entry['value'])
if filename:
sha1s.append((filename.group(1), entry['sha1sum']))
# Dedupe lists
for hostname in set(hostnames):
hostname_observable = create_domain_name_observable(hostname)
domain_indicator.add_observable(hostname_observable)
for ip in set(ips):
ip_observable = create_ipv4_observable(ip)
ip_indicator.add_observable(ip_observable)
for url in set(urls):
url_observable = create_url_observable(url)
url_indicator.add_observable(url_observable)
for hash in set(md5s):
hash_observable = create_file_hash_observable(hash[0], hash[1])
hash_indicator.add_observable(hash_observable)
for hash in set(sha1s):
hash_observable = create_file_hash_observable(hash[0], hash[1])
hash_indicator.add_observable(hash_observable)
# Add those to the package
stix_package.add(domain_indicator)
stix_package.add(ip_indicator)
stix_package.add(url_indicator)
stix_package.add(hash_indicator)
# Save to file
save_as = SAVE_DIRECTORY + "/fireeye_" + str(
data['alert']['id']) + ".xml"
f = open(save_as, 'w')
f.write(stix_package.to_xml())
f.close
# Return success response
return make_response(
jsonify({'Success': "STIX document succesfully generated"}), 200)
# Unable to parse object
except:
return make_response(jsonify({'Error': "Unable to parse JSON object"}),
400)
def create_stix_file():
# List of indicators to be deduped
hostnames = []
ips = []
urls = []
md5s = []
sha1s = []
# Set namespace
NAMESPACE = {PRODUCER_URL: PRODUCER_NAME}
set_id_namespace(NAMESPACE)
# JSON load the POSTed request data
try:
data_recv = request.data
data = json.loads(data_recv)
except:
return make_response(jsonify({"Error": "Unable to decode json object"}), 400)
# Parse the JSON object
try:
# Get MD5 of sample
malware_sample = data["alert"]["explanation"]["malware-detected"]["malware"]
count = 0
sample_hash = ""
try:
for entry in malware_sample:
if "md5sum" in malware_sample[count]:
sample_hash = malware_sample[count]["md5sum"]
count += 1
except:
if "md5sum" in malware_sample:
sample_hash = malware_sample["md5sum"]
# If all else fails
if sample_hash == "":
sample_hash = "Unknown"
# Indicators
# Domains
domain_indicator = Indicator()
domain_indicator.title = "Malware Artifacts - Domain"
domain_indicator.type = "Malware Artifacts"
domain_indicator.description = "Domains derived from sandboxed malware sample. MD5 Hash: " + sample_hash
domain_indicator.short_description = "Domainss from " + sample_hash
domain_indicator.set_producer_identity(PRODUCER_NAME)
domain_indicator.set_produced_time(utils.dates.now())
domain_indicator.indicator_types.append("Domain Watchlist")
# IPs
ip_indicator = Indicator()
ip_indicator.title = "Malware Artifacts - IP"
ip_indicator.description = "IPs derived from sandboxed malware sample. MD5 Hash: " + sample_hash
ip_indicator.short_description = "IPs from " + sample_hash
ip_indicator.set_producer_identity(PRODUCER_NAME)
ip_indicator.set_produced_time(utils.dates.now())
ip_indicator.indicator_types.append("IP Watchlist")
# URLs
url_indicator = Indicator()
url_indicator.title = "Malware Artifacts - URL"
url_indicator.description = "URLs derived from sandboxed malware sample. MD5 Hash: " + sample_hash
url_indicator.short_description = "URLs from " + sample_hash
url_indicator.set_producer_identity(PRODUCER_NAME)
url_indicator.set_produced_time(utils.dates.now())
url_indicator.indicator_types.append("URL Watchlist")
# Hashs
hash_indicator = Indicator()
hash_indicator.title = "Malware Artifacts - File Hash"
hash_indicator.description = "File hashes derived from sandboxed malware sample. MD5 Hash: " + sample_hash
hash_indicator.short_description = "Hash from " + sample_hash
hash_indicator.set_producer_identity(PRODUCER_NAME)
hash_indicator.set_produced_time(utils.dates.now())
hash_indicator.indicator_types.append("File Hash Watchlist")
# Create a STIX Package
stix_package = STIXPackage()
# Create the STIX Header and add a description.
stix_header = STIXHeader({"Indicators - Malware Artifacts"})
stix_header.description = PRODUCER_NAME + ": FireEye Sample ID " + str(data["alert"]["id"])
stix_package.stix_header = stix_header
if "network" in data["alert"]["explanation"]["os-changes"]:
# Add indicators for network
for entry in data["alert"]["explanation"]["os-changes"]["network"]:
if "hostname" in entry:
hostnames.append(entry["hostname"])
if "ipaddress" in entry:
ips.append(entry["ipaddress"])
if "http_request" in entry:
domain = re.search("~~Host:\s(.*?)~~", entry["http_request"])
url = re.search("^.*\s(.*?)\sHTTP", entry["http_request"])
if domain:
domain_name = domain.group(1)
if url:
url_string = url.group(1)
urls.append(domain_name + url_string)
# Add indicators for files
for entry in data["alert"]["explanation"]["os-changes"]["network"]:
if "md5sum" in entry["processinfo"]:
filename = re.search("([\w-]+\..*)", entry["processinfo"]["imagepath"])
if filename:
md5s.append((filename.group(1), entry["processinfo"]["md5sum"]))
if "process" in data["alert"]["explanation"]["os-changes"]:
# Add indicators from process
for entry in data["alert"]["explanation"]["os-changes"]["process"]:
if "md5sum" in entry:
filename = re.search("([\w-]+\..*)", entry["value"])
if filename:
md5s.append((filename.group(1), entry["md5sum"]))
if "sha1sum" in entry:
filename = re.search("([\w-]+\..*)", entry["value"])
if filename:
sha1s.append((filename.group(1), entry["sha1sum"]))
# Dedupe lists
for hostname in set(hostnames):
hostname_observable = create_domain_name_observable(hostname)
domain_indicator.add_observable(hostname_observable)
for ip in set(ips):
ip_observable = create_ipv4_observable(ip)
ip_indicator.add_observable(ip_observable)
for url in set(urls):
url_observable = create_url_observable(url)
url_indicator.add_observable(url_observable)
for hash in set(md5s):
hash_observable = create_file_hash_observable(hash[0], hash[1])
hash_indicator.add_observable(hash_observable)
for hash in set(sha1s):
hash_observable = create_file_hash_observable(hash[0], hash[1])
hash_indicator.add_observable(hash_observable)
# Add those to the package
stix_package.add(domain_indicator)
stix_package.add(ip_indicator)
stix_package.add(url_indicator)
stix_package.add(hash_indicator)
# Save to file
save_as = SAVE_DIRECTORY + "/fireeye_" + str(data["alert"]["id"]) + ".xml"
f = open(save_as, "w")
f.write(stix_package.to_xml())
f.close
# Return success response
return make_response(jsonify({"Success": "STIX document succesfully generated"}), 200)
# Unable to parse object
except:
return make_response(jsonify({"Error": "Unable to parse JSON object"}), 400)
def doCuckoo(results, options, reports_path):
malfilename = ""
memstrings = []
try:
fileitems = results['target']['file']
malfilename = fileitems['name']
malfilesize = fileitems['size']
malmd5 = fileitems['md5']
malsha1 = fileitems['sha1']
malsha256 = fileitems['sha256']
malsha512 = fileitems['sha512']
malssdeep = fileitems['ssdeep']
malfiletype = fileitems["type"]
# MD54K - From Chris Hudel
malmd54k = doMD54K(fileitems['path'])
#memfile = fileitems['path'][0:len(fileitems['path']) - 64] + "../analyses/" + str(results['info']['id']) + "/memory.dmp"
#memstrings = doStrings(stringscmd(memfile))
except:
fileitems = []
pass
staticitems = results['static']
info = results['info']
# Suspicious PE imports
iocimports = []
try:
for imports in staticitems['pe_imports']:
for item in imports['imports']:
if item['name'] in suspiciousimports:
iocimports.append(item['name'])
except:
pass
#rsrcentries = []
# PE sectionis
badpesections = []
try:
for sections in staticitems['pe_sections']:
if sections['name'] not in goodpesections:
badpesection = [
sections['name'], sections['size_of_data'],
str(sections['entropy'])
]
badpesections.append(badpesection)
except:
pass
# PE Exports
iocexports = []
try:
for exportfunc in staticitems['pe_exports']:
iocexports.append(exportfunc['name'])
except:
pass
# PE Version Info
versioninfo = dict.fromkeys([
'LegalCopyright', 'InternalName', 'FileVersion', 'CompanyName',
'PrivateBuild', 'LegalTrademarks', 'Comments', 'ProductName',
'SpecialBuild', 'ProductVersion', 'FileDescription', 'OriginalFilename'
])
if 'pe_versioninfo' in staticitems:
for item in staticitems['pe_versioninfo']:
if item['name'] in versioninfo:
versioninfo[item['name']] = item['value']
# Dropped files
droppedfiles = []
try:
for droppedfile in results['dropped']:
droppedfiles.append([
droppedfile['name'], droppedfile['size'], droppedfile['md5'],
droppedfile['sha1'], droppedfile['sha256'],
droppedfile['sha512']
])
except:
pass
# Hosts contacted. This will exclude
# localhost, broadcast and any other 'noise'
# as indicated by excludedips
hosts = []
try:
excludedips = [
ip for ip in options.get('excludedips', '').split(',') if ip
]
for host in results['network']['hosts']:
if host not in excludedips:
hosts.append(host)
except:
pass
# Mutexes
mutexes = []
try:
if 'mutex' in results['behavior']['summary']:
# Cuckoo 2.0
for mutex in results['behavior']['summary']['mutex']:
mutexes.append(mutex)
elif 'mutexes' in results['behavior']['summary']:
# Cuckoo 1.x
for mutex in results['behavior']['summary']['mutexes']:
mutexes.append(mutex)
except:
pass
# Processes
processes = []
try:
for process in results['behavior']['processes']:
processes.append([
process['process_name'], process['process_id'],
process['parent_id']
])
except:
pass
# grab the string results
# currently these are simple
# regexes for IPv4 addresses and
# emails
strings = doStrings(results['strings'])
# Registry Keys
regkeys = []
if 'regkey_written' in results['behavior']['summary']:
# Cuckoo 2.0
regkeys = results['behavior']['summary']['regkey_written']
elif 'keys' in results['behavior']['summary']:
# Cuckoo 1.x
# This uses modified cuckoo source code to only
# pull the Registry keys created, instead
# of those created OR just opened
regkeys = results['behavior']['summary']['keys']
# Create our metadata dictionary for getting the
# metadata values int the IOC
metadata = {
'malfilename': malfilename,
'malmd5': malmd5,
'malsha1': malsha1,
'malsha256': malsha256,
'malsha512': malsha512,
'malmd54k': malmd54k,
'malfilesize': malfilesize,
'malssdeep': malssdeep,
'malfiletype': malfiletype,
'iocexports': iocexports,
'iocimports': iocimports,
'badpesections': badpesections,
'versioninfo': versioninfo
}
dynamicindicators = {
"droppedfiles": droppedfiles,
"processes": processes,
"regkeys": regkeys,
'mutexes': mutexes,
'hosts': hosts
}
if "namespace" in options:
namespace_prefix, namespace_uri = options["namespace"].split(",", 1)
utils.set_id_namespace({namespace_uri: namespace_prefix})
stix_package = STIXPackage()
package_uuid = stix_package.id_[-36:]
stix_header = STIXHeader()
desc = "IOCAware Auto-Generated IOC Document"
if len(malfilename) > 0:
desc += " " + malfilename
stix_header.description = desc
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
stix_package.stix_header = stix_header
#wfe = createMetaData(stix_package, metadata)
#addStrings(stix_package, wfe, strings)
createMetaData(stix_package, metadata, strings)
createDynamicIndicators(stix_package, dynamicindicators)
output_path_format = options.get("output_path",
"{reports_path}/iocaware_stix.xml")
output_path = output_path_format.format(
uuid=package_uuid,
reports_path=reports_path,
)
stixfile = open(output_path, "w")
stixfile.write(stix_package.to_xml())
# Config Parser
# TODO
"""
Config parser stuff
"""
Config = ConfigParser.ConfigParser()
Config.read('config.cfg')
user=Config.get('viper','user')
password=Config.get('viper','password')
usehtaccess=Config.getboolean('viper','usehtaccess')
from stix.utils import set_id_namespace
NAMESPACE = {Config.get('stix','namespace_url') : Config.get('stix','namespace_name')}
set_id_namespace(NAMESPACE)
from cybox.utils import set_id_namespace, Namespace
NAMESPACE = Namespace(Config.get('stix','namespace_url'), Config.get('stix','namespace_name'))
set_id_namespace(NAMESPACE)
def stix(json):
"""
Created a stix file based on a json file that is being handed over
"""
# Create a new STIXPackage
stix_package = STIXPackage()
# Create a new STIXHeader
stix_header = STIXHeader()
from cybox.objects.domain_name_object import DomainName
from cybox.objects.file_object import File
from stix.exploit_target import Vulnerability
from cybox.objects.mutex_object import Mutex
from cybox.common import Hash
from stix.indicator import Indicator, CompositeIndicatorExpression
from stix.common import InformationSource, Identity
from cybox.common import Time
from lxml import etree as et
from stix.common.vocabs import PackageIntent
from stix.utils import set_id_namespace
from IPy import *
PULSE_SERVER_BASE = "https://otx.alienvault.com/"
STIXNAMESPACE = {"https://otx.alienvault.com" : "alienvault-otx"}
set_id_namespace(STIXNAMESPACE)
class StixExport:
def __init__(self, pulse):
self.stix_package = STIXPackage()
self.stix_header = STIXHeader()
self.pulse = pulse
self.hash_translation = {"FileHash-MD5": Hash.TYPE_MD5, "FileHash-SHA1": Hash.TYPE_SHA1,
"FileHash-SHA256": Hash.TYPE_SHA256}
self.address_translation = {"IPv4": Address.CAT_IPV4, "IPv6": Address.CAT_IPV6}
self.name_translation = {"domain": URI.TYPE_DOMAIN, "hostname": URI.TYPE_DOMAIN}
def build(self):
self.stix_header.title = self.pulse["name"]
self.stix_header.description = self.pulse["description"]
self.stix_header.short_description = "%spulse/%s" % (PULSE_SERVER_BASE, str(self.pulse["id"]))
def createstix(db, themail):
# Create the stix object
# Set the cybox namespace
NAMESPACE = {companyurl: companyname}
# new ids will be prefixed with your company name
set_id_namespace(NAMESPACE)
# Set the TLP color to Green
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "GREEN"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
# stix assignments
stix_package = STIXPackage()
ttp = TTP(title="Phishing")
stix_package.add_ttp(ttp)
stix_package.stix_header = STIXHeader()
stix_package.stix_header.handling = handling
# Get data from the email dictionary object
xid = themail['_id']
xdate = themail['date']
xoriginatingip = themail['x_originating_ip']
xmailer = themail['x_mailer']
xhelo = themail['helo']
xfrom = themail['from']
xsender = themail['sender']
xreplyto = themail['reply_to']
xsubject = themail['subject']
xbody = themail['raw_body']
# Routines to remove unwanted company identifiers from the emails
xsubject = scrubit(xsubject)
xbody = scrubit(xbody)
# Terms to search for in email addresses.
# replaces spoofed internal email addresses with [SPOOFED]
# change to match your company's domain name without the '.com/.net/etc'
searchterms = ['term1', 'term2']
for term in searchterms:
if term.upper() in xfrom.upper():
xfrom = '[SPOOFED]'
if term.upper() in xsender.upper():
xsender = '[SPOOFED]'
if term.upper() in xreplyto.upper():
xreplyto = '[SPOOFED]'
# Remove brackets from xoriginating IP
xoriginatingip = re.sub(r'\[|\]', '', xoriginatingip)
# get email comments
ecomment = getcomments(db, xid)
# Look for attachment and get info if true
if themail['relationships']:
# check if the first relationship is a sample because when an email object with attachment
# is uploaded to crits the first relationship is always the attachment
# which is uploaded seperately as a sample and related back to the original email
if themail['relationships'][0]['type'] in 'Sample':
myattachment = themail['relationships'][0]['value']
try:
myfile = db.sample.find_one({'_id': ObjectId(myattachment)})
hasattachment = True
except Exception, e:
logger.error(
"received error when querying samples collection for email with id %s",
xid,
exc_info=True)
hasattachment = False
else:
hasattachment = False
