def test_memory_store_custom_object(mem_store):
    """A custom object round-trips through the MemoryStore fixture.

    Declares a throwaway ``x-new-obj`` type, stores one instance and reads
    it back by id, checking that both the id and the custom property
    survive the round trip.
    """
    @CustomObject('x-new-obj', [
        ('property1', properties.StringProperty(required=True)),
    ])
    class NewObj:
        pass

    created = NewObj(property1='something')
    # Second positional argument is the store's "allow custom content"
    # switch (presumably the same allow_custom flag the filesystem test
    # passes by keyword — confirm against the store signature).
    mem_store.add(created, True)

    fetched = mem_store.get(created.id)
    assert fetched.id == created.id
    assert fetched.property1 == 'something'
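def test_filesystem_custom_object(fs_store):
    """A custom object round-trips through the FileSystemStore fixture.

    Declares a throwaway ``x-new-obj`` type, writes one instance with
    ``allow_custom=True``, reads it back by id and checks id and custom
    property. The ``x-new-obj`` directory the sink creates under FS_PATH
    is removed in a ``finally`` block so that a failing assertion does not
    leave state behind that would disturb later tests.
    """
    @CustomObject('x-new-obj', [
        ('property1', properties.StringProperty(required=True)),
    ])
    class NewObj:
        pass

    newobj = NewObj(property1='something')
    try:
        fs_store.add(newobj, allow_custom=True)
        newobj_r = fs_store.get(newobj.id, allow_custom=True)
        assert newobj_r.id == newobj.id
        assert newobj_r.property1 == 'something'
    finally:
        # remove dir; ignore_errors covers the case where add() never
        # got as far as creating it
        shutil.rmtree(os.path.join(FS_PATH, "x-new-obj"), ignore_errors=True)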
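class AWSNACL(Command):
    """OpenC2 command that manipulates a rule in an AWS network ACL.

    Narrows the generic Command to what this actuator can carry out: an
    ``ipv4_connection`` or ``slpf`` target, an AWSResourceActuator, and
    ``slpf`` args carrying ``insert_rule`` and ``direction``. Protocol and
    direction values are checked against explicit allow-lists.
    """
    _type = 'x-aws-nacl'
    _properties = OrderedDict([
        ('action', properties.EnumProperty(allowed=["allow", "deny", "delete"], required=True)),
        ('target', TargetProperty(required=True)),
        ('args', ArgsProperty(required=True)),
        ('actuator', ActuatorProperty(required=True)),
        ('command_id', properties.StringProperty()),
    ])

    def _check_object_constraints(self):
        """Validate the command beyond the per-property checks.

        Raises:
            ValueError: on an unsupported target or actuator type, missing
                ``slpf`` args or target specifiers, a rule number outside
                1-32766, or a protocol / direction not in the allow-list.
        """
        super(AWSNACL, self)._check_object_constraints()
        if not isinstance(self.target, _Target) or \
                self.target.type not in ['ipv4_connection', 'slpf']:
            raise ValueError("Unsupported target (%s)" % self.target.type)
        if not isinstance(self.actuator, AWSResourceActuator):
            raise ValueError("Unsupported actuator (%s)" % self.actuator.type)
        if not self.args.get("slpf") or not self.args.slpf.get("insert_rule") or \
                not self.args.slpf.get("direction"):
            raise ValueError("Missing required args (%s)" % self.args)
        # A delete/replace on an slpf target needs the existing rule number.
        if self.target.type == 'slpf' and not self.target.slpf.get("rule_number"):
            raise ValueError("Missing required target specifiers (%s)" % self.target)
        # 1-32766 is valid rule number range per AWS docs
        if not 1 <= self.args.slpf.insert_rule <= 32766:
            raise ValueError("Invalid rule number requested")
        # NOTE(review): target.protocol is read for both target types —
        # confirm an slpf target exposes it.
        # Allow-list of protocol names, mapped to IANA protocol numbers.
        if self.clean(self.target.protocol, {'tcp': 6, 'udp': 17, 'icmp': 1}) is None:
            raise ValueError("Invalid protocol requested (%s)" % self.target.protocol)
        # Allow-list of directions, mapped to the AWS "egress" boolean.
        if self.clean(self.args.slpf.direction, {'ingress': False, 'egress': True}) is None:
            raise ValueError("Invalid direction requested (%s)" % self.args.slpf.direction)

    def clean(self, value, valid):
        """Map *value* through the *valid* lookup table.

        Returns the mapped value, or None when *value* is not a key of
        *valid*; callers treat None as "not allowed".

        Raises:
            ValueError: if *valid* is not a dict.
        """
        if not isinstance(valid, dict):
            raise ValueError("Valid values must be dictionary")
        return valid.get(value)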
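class AWSSecurityGroup(Command):
    """OpenC2 command that adds or deletes an AWS security group rule.

    Only ``allow``/``delete`` actions against an ``ipv4_connection`` target,
    carried out by an AWSResourceActuator, pass validation. ``args`` is
    optional here and is not inspected by the constraint check.
    """
    _type = 'x-aws-sg'
    _properties = OrderedDict([
        ('action', properties.EnumProperty(allowed=["allow", "delete"], required=True)),
        ('target', TargetProperty(required=True)),
        ('args', ArgsProperty()),
        ('actuator', ActuatorProperty(required=True)),
        ('command_id', properties.StringProperty()),
    ])

    def _check_object_constraints(self):
        """Reject targets and actuators this command cannot act on.

        Raises:
            ValueError: if the target is not an ``ipv4_connection`` _Target
                or the actuator is not an AWSResourceActuator.
        """
        super(AWSSecurityGroup, self)._check_object_constraints()
        if not isinstance(self.target, _Target) or \
                self.target.type not in ['ipv4_connection']:
            raise ValueError("Unsupported target (%s)" % self.target)
        if not isinstance(self.actuator, AWSResourceActuator):
            raise ValueError("Unsupported actuator (%s)" % self.actuator)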
import yaml from stix2 import CustomObject, properties, Bundle def create_bundle(json): """ Writes the Sigma rules into a file. """ file = open('sigma_rules_stix_bundle.json', 'w') file.write(Bundle(json).serialize(pretty=False)) @CustomObject( 'x-sigma-rules', [ ('action', properties.StringProperty() ), ## needs updating its not part of the schema ('title', properties.StringProperty()), ('status', properties.StringProperty()), ('description', properties.StringProperty()), ('references', properties.ListProperty( properties.StringProperty())), ##posible list here ('reference', properties.ListProperty(properties.StringProperty()) ), ##should be looked at there are two differences ('author', properties.StringProperty()), ('date', properties.StringProperty()), ('logsource', properties.DictionaryProperty()), ('detection', properties.DictionaryProperty()), ('fields', properties.ListProperty(properties.StringProperty())), ('falsepositives', properties.ListProperty( properties.StringProperty())),
"""Generate random stix id (uuid v1) This id will stored and resolved by openCTI We will stored only 5 stix of this type to prevent database flooding :param stix_type: the stix type """ @staticmethod def generate_random_stix_id(stix_type): new_uuid = str(uuid.uuid1()) return stix_type + "--" + new_uuid @CustomObservable( "x-opencti-simple-observable", [ ("key", properties.StringProperty(required=True)), ("value", properties.StringProperty(required=True)), ("description", properties.StringProperty()), ( "created_by_ref", properties.ReferenceProperty(valid_types="identity", spec_version="2.1"), ), ("x_opencti_score", properties.IntegerProperty()), ("x_opencti_create_indicator", properties.BooleanProperty()), ("labels", properties.ListProperty(properties.StringProperty)), ("external_references", properties.ListProperty(ExternalReference)), ( "object_marking_refs", properties.ListProperty( properties.ReferenceProperty(valid_types="marking-definition",
from datetime import datetime import pandas as pd import os import re import json import xlrd from datetime import datetime from dateutil import parser import numpy as np from stix2 import (Bundle, AttackPattern, ThreatActor, IntrusionSet, Relationship, CustomObject, properties, Malware, Tool, Campaign, Identity, MarkingDefinition, ExternalReference, StatementMarking, GranularMarking) from stix2.properties import (ReferenceProperty, ListProperty, StringProperty, TimestampProperty) @CustomObject('x-mitre-tactic', [ ('name', properties.StringProperty(required=True)), ('description', properties.StringProperty(required=True)), ('x_mitre_shortname', properties.StringProperty(required=True)) ]) class Tactic(object): def __init__(self, x_mitre_shortname=None, **kwargs): if x_mitre_shortname and x_mitre_shortname not in ["strategic-planning", "objective-planning", "develop-people", "develop-networks", "microtargeting", "develop-content", "channel-selection", "pump-priming", "exposure", "go-physical", "persistence", "measure-effectiveness"]: raise ValueError("'%s' is not a recognized AMITT Tactic." % x_mitre_shortname) @CustomObject('x-amitt-narrative', [ ('name', StringProperty(required=True)), ('description', StringProperty()), ('aliases', ListProperty(StringProperty)),
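#!/usr/bin/env python3
"""Module setup for the CS-AWARE social collector: imports, the
``x-csaware-social`` observable type and the collection constants."""
import csv
import json
import os
from datetime import date, datetime, timedelta

import boto3
import praw  # Reddit library
from stix2 import Bundle, CustomObservable, IPv4Address, ObservedData, UserAccount, properties

from config import credentials


@CustomObservable('x-csaware-social', [
    ('source', properties.StringProperty()),
    ('title', properties.StringProperty()),
    ('text', properties.StringProperty()),
    ('subject', properties.StringProperty()),
])
class CSAwareSocial:
    """Custom STIX observable carrying a social-media post."""
    pass


# presumably the S3 bucket used via boto3 — verify against the upload code
BUCKET_NAME = "cs-aware-data-collection"
USERS_FILE = './users.json'
FIELDS = ['subreddit', 'username', 'date', 'title', 'text', 'json']
PERIOD = 1  # Number of hours
POST_LIMIT = 50  # We want data from the last PERIOD hours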
import re

from stix2 import CustomObject, properties, KillChainPhase

from yeti.core.errors import ValidationError
from .indicator_base import Indicator


@CustomObject('x-regex', [
    ('labels', properties.StringProperty(required=True)),
    ('name', properties.StringProperty()),
    ('description', properties.StringProperty()),
    ('pattern', properties.StringProperty(required=True)),
    ('valid_from', properties.TimestampProperty(required=True)),
    ('valid_until', properties.TimestampProperty()),
    ('kill_chain_phases', properties.ListProperty(KillChainPhase)),
])
class StixRegex:
    """STIX 2 custom ``x-regex`` object; rejects patterns that do not compile."""

    def __init__(self, pattern=None, **_):
        # Compile once purely as validation; the compiled object is discarded.
        try:
            re.compile(pattern)
        except re.error as err:
            msg = ('{0:s} is not a valid regular expression:'
                   ' {1:s}'.format(pattern, str(err)))
            raise ValidationError(msg)


class Regex(Indicator):
    """STIX Indicator Yeti object.

    Extends the Indicator STIX2 definition.
    """
from scripts.atcutils import ATCutils from stix2 import MemoryStore, CustomObject, properties ATCconfig = ATCutils.load_config("scripts/config.yml") stix_mem = MemoryStore() @CustomObject('x-react-stage', [ ( 'name', properties.StringProperty(required=True)), ( 'description', properties.StringProperty()), ( 'external_references', properties.ObjectReferenceProperty())] ) class ReactStage(object): def __init__(self, name=None, **kwargs): list_of_stages = ['Preparation','Identification','Containment','Eradication','Recovery','Lessons Learned'] if name and name not in list_of_stages: raise ValueError("'%s' is not a recognized stage of RE&CT." % name) @CustomObject( 'x-react-action', [ ( 'name', properties.StringProperty(required=True)), ( 'description', properties.StringProperty()), ( 'external_references', properties.ObjectReferenceProperty()), ( 'kill_chain_phases', properties.ListProperty(properties.DictionaryProperty)) ] ) class ReactAction(object): def __init__(self, name=None, **kwargs): pass @CustomObject('x-react-matrix', [ ( 'name', properties.StringProperty(required=True)), ( 'description', properties.StringProperty()), ( 'tactic_refs', properties.ListProperty(properties.StringProperty)) ] )
@CustomExtension(NetworkTraffic, 'x-common-industrial-protocol', [('service', properties.IntegerProperty()), ('class', properties.IntegerProperty()), ('epath', properties.HexProperty()), ('instance', properties.IntegerProperty()), ('logical_segment_format', properties.IntegerProperty()), ('logical_segment_type', properties.IntegerProperty()), ('path_segment', properties.IntegerProperty()), ('path_segment_type', properties.IntegerProperty()), ('request_path_size', properties.IntegerProperty()), ('cip_response', properties.IntegerProperty()), ('cip_service', properties.IntegerProperty()), ('addstat_size', properties.IntegerProperty()), ('genstat', properties.IntegerProperty()), ('id_product_name', properties.StringProperty()), ('data', properties.HexProperty()), *more]) class Cip: pass @CustomExtension(NetworkTraffic, 'x-cip-command-specific-data', [('cip_data', properties.HexProperty())]) class CipData: pass # settings: GlobalSettings = GlobalSettings() cmprops = [ 'cip_cm_msg_req_size', 'cip_cm_priority',
('al_ctrq_b2', properties.BooleanProperty()), ('al_ctrq_b3', properties.BooleanProperty()), ('al_ctrq_b4', properties.BooleanProperty()), ('al_ctrq_b5', properties.BooleanProperty()), ('al_ctrq_b6', properties.BooleanProperty()), ('al_ctrq_b7', properties.BooleanProperty()), ('al_da_double', properties.FloatProperty()), ('al_da_float', properties.FloatProperty()), ('al_da_int16', properties.IntegerProperty()), ('al_da_int32', properties.IntegerProperty()), ('al_da_int8', properties.IntegerProperty()), ('al_da_length', properties.IntegerProperty()), ('al_da_uint16', properties.IntegerProperty()), ('al_da_uint32', properties.IntegerProperty()), ('al_da_uint8', properties.IntegerProperty()), ('al_da_value', properties.StringProperty()), ('al_datatype', properties.IntegerProperty()), ('al_file_auth', properties.IntegerProperty()), ('al_file_blocknum', properties.IntegerProperty()), ('al_file_data', properties.StringProperty()), ('al_file_handle', properties.IntegerProperty()), ('al_file_lastblock', properties.BooleanProperty()), ('al_file_maxblock', properties.IntegerProperty()), ('al_file_mode', properties.IntegerProperty()), ('al_file_perms', properties.IntegerProperty()), ('al_file_perms_exec_group', properties.BooleanProperty()), ('al_file_perms_exec_owner', properties.BooleanProperty()), ('al_file_perms_exec_world', properties.BooleanProperty()), ('al_file_perms_read_group', properties.BooleanProperty()), ('al_file_perms_read_owner', properties.BooleanProperty()), ('al_file_perms_read_world', properties.BooleanProperty()),
"arp.proto.type": "0x00000800", "arp.hw.size": "6", "arp.proto.size": "4", "arp.opcode": "1", "arp.src.hw_mac": "00:0c:29:b6:ad:47", "arp.src.proto_ipv4": "192.168.1.200", "arp.dst.hw_mac": "00:00:00:00:00:00", "arp.dst.proto_ipv4": "192.168.1.1" } } } dst_hw_mac, dst_proto_ipv4, hw_size, hw_type, level, opcode, proto_size, proto_type, src_hw_mac, src_proto_ipv4 """ @CustomExtension(NetworkTraffic, 'x-arp-ext', [ ('src_hw_mac', properties.StringProperty(required=True)), ('dst_hw_mac', properties.StringProperty(required=True)), ('src_proto_ipv4', properties.StringProperty(required=True)), ('dst_proto_ipv4', properties.StringProperty(required=True)), ('hw_size', properties.StringProperty(required=True)), ('hw_type', properties.StringProperty(required=True)), ('level', properties.StringProperty(required=True)), ('opcode', properties.StringProperty(required=True)), ('proto_size', properties.StringProperty(required=True)), ('proto_type', properties.StringProperty(required=True)), ('isgratuitous', properties.StringProperty()) ]) class ArpPacket: pass
from stix2 import ObservedData, MemorySink, CustomObservable, properties from os import listdir from os.path import isfile, join @CustomObservable('command-executed', [ ('command', properties.StringProperty(required=True)), ]) class NewObservable(): pass def command_observable(comm, timestamp): com = NewObservable(command=comm) obs = ObservedData(first_observed=timestamp, last_observed=timestamp, number_observed=1, objects={'0': com}) wrt.add(obs) def main_mapper(blutus): file = open(good[blutus], 'r') global wrt wrt = MemorySink() for line in file: a = line.split(':') if a[0].__contains__('Command Executed'): b = a[0].split(' ') c = str(b[0].replace('_', ''))
"""Detail Yeti's incident object structure."""
from stix2 import CustomObject, properties

from .entity import Entity


@CustomObject('x-incident', [
    ('x_internal_references', properties.ListProperty(properties.StringProperty)),
    ('name', properties.StringProperty()),
    ('description', properties.StringProperty()),
])
class StixIncident:
    """STIX 2 representation of a Yeti incident (custom ``x-incident`` type)."""
    _collection_name = 'entities'
    type = 'x-incident'

    @property
    def internal_references(self):
        # NOTE(review): this reads ``_stix_object.internal_references``, but the
        # declared STIX property is ``x_internal_references`` and ``_stix_object``
        # is what the Yeti wrapper below reads, not an attribute of this STIX
        # class — confirm this accessor is reachable and names the intended field.
        return self._stix_object.internal_references


class Incident(Entity):
    """Incident Yeti object."""
    _collection_name = 'entities'
    type = 'x-incident'

    @property
    def name(self):
        """Name of the wrapped STIX incident object."""
        return self._stix_object.name
import itertools
import json
import uuid

from flask import Flask, render_template, request, abort
from svalid import svalid
from mock import patch
from openc2 import Command, Response, CustomTarget
from stix2 import properties
import openc2
import pha
import requests


@CustomTarget('x-newcontext-com:aws', [
    ('image', properties.StringProperty()),
    ('instance', properties.StringProperty()),
])
class NewContextAWS(object):
    """Custom OpenC2 target naming an AWS image and/or instance."""
    pass


# Action name constants.
CREATE = 'create'
QUERY = 'query'
START = 'start'
STOP = 'stop'
DELETE = 'delete'

app = Flask(__name__)

# Title-cased action names; presumably the commands that apply to an
# existing instance — confirm against the handlers that use it.
_instcmds = ('Query', 'Start', 'Stop', 'Delete')
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ''' from stix2 import properties from openc2.properties import TargetProperty, ActuatorProperty, ArgsProperty from openc2.base import _OpenC2Base, _Actuator, _Target from openc2 import Command, CustomActuator from collections import OrderedDict @CustomActuator('x-aws-resource', [('aws_account', properties.StringProperty(required=True)), ('aws_region', properties.StringProperty(required=True)), ('aws_resource_id', properties.StringProperty(required=True))] ) class AWSResourceActuator: pass class AWSNACL(Command): _type = 'x-aws-nacl' _properties = OrderedDict([ ('action', properties.EnumProperty(allowed=["allow", "deny", "delete"], required=True)), ('target', TargetProperty(required=True)), ('args', ArgsProperty(required=True)),
from stix2.v21 import Campaign, CustomObject, Identity, LanguageContent from stix2.v21.bundle import Bundle from stix2 import properties import stix2 import unittest __copyright__ = 'Copyright 2018 New Context Services, Inc.' __license__ = '2-clause BSD' __maintainer__ = 'John-Mark Gurney' __email__ = '*****@*****.**' __all__ = ['stixlangwrap'] @CustomObject('x-bogus-lc', [ ('object_ref', properties.StringProperty()), ]) class _BogusLC(object): pass class stixlangwrap(object): '''Wrapper to make accessining and setting languages on STIX objects.''' def __init__(self, lang, obj, no_default=False): '''lang: either a string that is the default language, or a list of strings, with the earlier one preferred over the later ones. obj: A STIX object from the STIX 2 framework. no_default: Raise an Attribute error if one of the specified languages is not available. '''