def dns_queries(dnsqueries): a = MalwareAction() ao = AssociatedObject() a.name = "Query DNS" a.type_ = "Query" # hostnameの解決 quri = URI() quri.value = dnsqueries["hostname"] dns_question = DNSQuestion() dns_question.qname = quri ao.properties = DNSQuery() ao.properties.question = dns_question # resultの解決 if dnsqueries.has_key("results"): records = [] for result in dnsqueries["results"]: dnsrecord = DNSRecord() dnsrecord.domain_name = quri.value address = Address() address.CAT_IPV4 address.address_value = result dnsrecord.ip_address = address records.append(dnsrecord) ao.properties.answer_resource_records = DNSResourceRecords(records) #print ao.properties.path # print for debug a.associated_objects = AssociatedObjects() a.associated_objects.append(ao) #print a.associated_objects.to # debug print return a
def dict_from_object(cls, defined_object): """Parse and return a dictionary for a Network Connection Object object""" defined_object_dict = {} if defined_object.get_tls_used() is not None: defined_object_dict["tls_used"] = {"value": defined_object.get_tls_used()} if defined_object.get_Layer3_Protocol() is not None: defined_object_dict["layer3_protocol"] = Base_Object_Attribute.dict_from_object( defined_object.get_Layer3_Protocol() ) if defined_object.get_Layer4_Protocol() is not None: defined_object_dict["layer4_protocol"] = Base_Object_Attribute.dict_from_object( defined_object.get_Layer4_Protocol() ) if defined_object.get_Layer7_Protocol() is not None: defined_object_dict["layer7_protocol"] = Base_Object_Attribute.dict_from_object( defined_object.get_Layer7_Protocol() ) if defined_object.get_Local_IP_Address() is not None: defined_object_dict["local_ip_address"] = Address.dict_from_object(defined_object.get_Local_IP_Address()) if defined_object.get_Local_Port() is not None: defined_object_dict["local_port"] = Port.dict_from_object(defined_object.get_Local_Port()) if defined_object.get_Remote_IP_Address() is not None: defined_object_dict["remote_ip_address"] = Address.dict_from_object(defined_object.get_Remote_IP_Address()) if defined_object.get_Remote_Port() is not None: defined_object_dict["remote_port"] = Port.dict_from_object(defined_object.get_Remote_Port()) if defined_object.get_Layer7_Connections() is not None: layer7_conn = defined_object.get_Layer7_Connections() layer7_conn_dict = {} if layer7_conn.get_HTTP_Session() is not None: layer7_conn_dict["http_session"] = HTTP_Session.dict_from_object(layer7_conn.get_HTTP_Session()) defined_object_dict["layer7_connections"] = layer7_conn_dict return defined_object_dict
def url(ip,provider,reporttime): vuln = Vulnerability() vuln.cve_id = "IPV4-" + str(ip) vuln.description = "maliciousURL" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) addr = Address(address_value=str(ip), category=Address.CAT_IPV4) addr.condition = "Equals" # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "URL-" + str(ip) indicator.description = ("Malicious URL " + str(ip) + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) indicator.add_observable(addr) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open('/opt/TARDIS/Observables/URL/' + str(ip) + '.xml','w') f.write(stix_package.to_xml()) f.close()
def test_roundtrip2(self): addr_dict = {'address_value': "1.2.3.4", 'category': Address.CAT_IPV4, 'is_destination': True, 'is_source': False} addr_obj = Address.object_from_dict(addr_dict) addr_dict2 = Address.dict_from_object(addr_obj) self.assertEqual(addr_dict, addr_dict2)
def create_ip_indicator(self, ip_indicator): indicator = Indicator() indicator.title = 'IP address of site hosting malware' indicator.add_indicator_type('IP Watchlist') addr = Address(address_value=ip_indicator, category=Address.CAT_IPV4) addr.condition = 'Equals' indicator.add_observable(addr) return indicator
def iplist_indicator(ips=[]): iplist = Indicator() iplist.add_indicator_type("IP Watchlist") for i in ips: address = Address() address.address_value = i #address.category="ipv4-addr" iplist.add_observable(address) return iplist
def test_round_trip(self): v = String("*****@*****.**") c = Address.CAT_EMAIL a = Address() a.address_value = v a.category = c addr2 = round_trip(a, Address, output=False) self.assertEqual(addr2.address_value, v) self.assertEqual(addr2.category, c)
def stix(self): """Output data as STIX. STIX is highly subjective and difficult to format without getting more data from the user. Passive DNS results are formtted into a STIX watchlist with descriptions and other details about the record. :return: STIX formatted watchlist """ if python3: raise RuntimeError("STIX is not supported when using Python 3 due to dependency libraries.") stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "Passive DNS resolutions associated" \ " with %s during the time periods of " \ " %s - %s" % (self.queryValue, self.firstSeen, self.lastSeen) stix_package.stix_header = stix_header for record in self._records: indicator = Indicator( title="Observed from %s - %s" % ( record.firstSeen, record.lastSeen ), short_description="Resolution observed by %s." % ( ','.join(record.source) ), description="Passive DNS data collected and aggregated from" \ " PassiveTotal services." ) if is_ip(record.resolve): indicator.add_indicator_type('IP Watchlist') ioc = Address( address_value=record.resolve, category=Address.CAT_IPV4 ) else: indicator.add_indicator_type('Domain Watchlist') ioc = DomainName(value=record.resolve) ioc.condition = "Equals" indicator.add_observable(ioc) stix_package.add_indicator(indicator) output = stix_package.to_xml() return output
def test_round_trip(self): email = "*****@*****.**" category = Address.CAT_EMAIL addr = Address() addr.address_value = email addr.category = category addr2 = cybox.test.round_trip(addr) self.assertEqual(addr.to_dict(), addr2.to_dict()) # Explicitly check these fields self.assertEqual(category, addr2.category) self.assertEqual(email, str(addr2))
def create_ipv4_observable(ipv4_address): ipv4_object = Address.from_dict({"address_value": ipv4_address, "category": Address.CAT_IPV4}) ipv4_observable = Observable(ipv4_object) ipv4_observable.title = "Malware Artifact - IP" ipv4_observable.description = "IP derived from sandboxed malware sample." ipv4_observable.short_description = "IP from malware." return ipv4_observable
def from_obj(header_obj): header = EmailHeader() header.to = EmailRecipients.from_obj(header_obj.get_To()) header.cc = EmailRecipients.from_obj(header_obj.get_CC()) header.bcc = EmailRecipients.from_obj(header_obj.get_BCC()) header.from_ = Address.from_obj(header_obj.get_From()) header.subject = String.from_obj(header_obj.get_Subject()) header.in_reply_to = String.from_obj(header_obj.get_In_Reply_To()) header.date = DateTime.from_obj(header_obj.get_Date()) header.message_id = String.from_obj(header_obj.get_Message_ID()) header.sender = Address.from_obj(header_obj.get_Sender()) header.reply_to = Address.from_obj(header_obj.get_Reply_To()) header.errors_to = String.from_obj(header_obj.get_Errors_To()) return header
def from_dict(header_dict): header = EmailHeader() header.to = EmailRecipients.from_dict(header_dict.get('to')) header.cc = EmailRecipients.from_dict(header_dict.get('cc')) header.bcc = EmailRecipients.from_dict(header_dict.get('bcc')) header.from_ = Address.from_dict(header_dict.get('from'), Address.CAT_EMAIL) header.subject = String.from_dict(header_dict.get('subject')) header.in_reply_to = String.from_dict(header_dict.get('in_reply_to')) header.date = DateTime.from_dict(header_dict.get('date')) header.message_id = String.from_dict(header_dict.get('message_id')) header.sender = Address.from_dict(header_dict.get('sender'), Address.CAT_EMAIL) header.reply_to = Address.from_dict(header_dict.get('reply_to'), Address.CAT_EMAIL) header.errors_to = String.from_dict(header_dict.get('errors_to')) return header
def main(): stix_package = STIXPackage() ttp = TTP(title="C2 Behavior") indicator = Indicator(title="IP Address for known C2 Channel") indicator.add_indicator_type("IP Watchlist") addr = Address(address_value="10.0.0.0", category=Address.CAT_IPV4) addr.condition = "Equals" indicator.add_observable(addr) indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) stix_package.add_ttp(ttp) print(stix_package.to_xml(encoding=None))
def generateIPObservable(attribute): address_object = Address() cidr = False if ("/" in attribute["value"]): ip = attribute["value"].split('/')[0] cidr = True else: ip = attribute["value"] try: socket.inet_aton(ip) ipv4 = True except socket.error: ipv4 = False if (cidr == True): address_object.category = "cidr" elif (ipv4 == True): address_object.category = "ipv4-addr" else: address_object.category = "ipv6-addr" if (attribute["type"] == "ip-src"): address_object.is_source = True else: address_object.is_source = False address_object.address_value = attribute["value"] return address_object
def from_obj(socket_address_obj): if not socket_address_obj: return None socket_address_ = SocketAddress() socket_address_.ip_address = Address.from_obj(socket_address_obj.get_IP_Address()) socket_address_.port = Port.from_obj(socket_address_obj.get_Port()) return socket_address_
def from_dict(socket_address_dict): if not socket_address_dict: return None socket_address_ = SocketAddress() socket_address_.ip_address = Address.from_dict(socket_address_dict.get('ip_address')) socket_address_.port = Port.from_dict(socket_address_dict.get('port')) return socket_address_
def main(): data = json.load(open("data.json")) stix_package = STIXPackage(stix_header=STIXHeader(title=data['title'], package_intents='Incident')) ttps = {} for info in data['ips']: # Add TTP, unless it's already been added if info['bot'] not in ttps: ttps[info['bot']] = TTP(title=info['bot']) stix_package.add_ttp(ttps[info['bot']]) # Add indicator indicator = Indicator(title=info['ip']) addr = Address(address_value=info['ip'], category=Address.CAT_IPV4) addr.condition = "Equals" indicator.add_observable(addr) indicator.add_indicated_ttp(TTP(idref=ttps[info['bot']].id_)) stix_package.add_indicator(indicator) # Add incident incident = Incident(title=info['ip']) incident.time = Time() incident.time.first_malicious_action = info['first_seen'] addr = Address(address_value=info['ip'], category=Address.CAT_IPV4) observable = Observable(item=addr) stix_package.add_observable(observable) related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_), relationship="Used Malware") incident.leveraged_ttps.append(related_ttp) related_observable = RelatedObservable(Observable(idref=observable.id_)) incident.related_observables.append(related_observable) related_indicator = RelatedIndicator(Indicator(idref=indicator.id_)) incident.related_indicators.append(related_indicator) stix_package.add_incident(incident) print stix_package.to_xml()
def main(): NS = cybox.utils.Namespace("http://example.com/", "example") cybox.utils.set_id_namespace(NS) # �I�u�W�F�N�g�̍쐬�iEmailMesage) m = EmailMessage() # �I�u�W�F�N�g�Ɋ֘A�t�� m.to = ["*****@*****.**", "*****@*****.**"] m.from_ = "*****@*****.**" m.subject = "New modifications to the specification" # �I�u�W�F�N�g�̍쐬�iAdress) a = Address("192.168.1.1", Address.CAT_IPV4) # �I�u�W�F�N�g�Ԃ̊֘A m.add_related(a, "Received_From", inline=False) a.add_related(m, "Received_to", inline=False) print Observables([m, a]).to_xml()
def add_obs_to_pkg(obs, pkg): if "ip" in obs: for i in obs["ip"]: address = Address() address.address_value = i pkg.add_observable(address) if "host" in obs: for h in obs["host"]: hostname = Hostname() hostname.hostname_value = h pkg.add_observable(hostname) if "domain" in obs: for d in obs["domain"]: domain = DomainName() domain.value = d pkg.add_observable(domain) return pkg
def object_from_dict(cls, socket_dict): """Create the Socket Object object representation from an input dictionary""" socket_obj = socket_binding.socket_objectType() socket_obj.set_anyAttributes_({'xsi:type' : 'socket_obj:socket_objectType'}) for key, value in socket_dict.items(): if key == 'is_blocking' and utils.test_value(value): socket_obj.set_is_blocking(value.get('value')) elif key == 'is_listening' and utils.test_value(value): socket_obj.set_is_listening(value.get('value')) elif key == 'address_family' and utils.test_value(value): socket_obj.set_Address_Family(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value)) elif key == 'domain' and utils.test_value(value): socket_obj.set_Domain(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value)) elif key == 'local_address': socket_address_obj = socket_binding.SocketAddressType() for local_address_key, local_address_value in value.items(): if local_address_key == 'ip_address' : ip_address_obj = Address.create_from_dict(local_address_value) if ip_address_obj.hasContent_() : socket_address_obj.set_IP_Address(ip_address_obj) elif local_address_key == 'port' : port_obj = Port.create_from_dict(local_address_value) if port_obj.hasContent_() : socket_address_obj.set_Port(port_obj) if socket_address_obj.hasContent_() : socket_obj.set_Local_Address(socket_address_obj) elif key == 'options': socket_options_obj = cls.__socket_options_object_from_dict(value) if socket_options_obj.hasContent_() : socket_obj.set_Options(socket_options_obj) elif key == 'protocol' and utils.test_value(value): socket_obj.set_Protocol(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value)) elif key == 'remote_address' and utils.test_value(value): socket_address_obj = socket_binding.SocketAddressType() for remote_address_key, remote_address_value in value.items(): if remote_address_key == 'ip_address' : ip_address_obj = Address.create_from_dict(remote_address_value) if ip_address_obj.hasContent_() : socket_address_obj.set_IP_Address(ip_address_obj) elif remote_address_key == 'port' : port_obj = Port.create_from_dict(remote_address_value) if port_obj.hasContent_() : socket_address_obj.set_Port(port_obj) if socket_address_obj.hasContent_() : socket_obj.set_Remote_Address(socket_address_obj) elif key == 'type' and utils.test_value(value): socket_obj.set_Type(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'), value)) return socket_obj
def from_dict(recipients_dict): if not recipients_dict: return None # recipients_dict should really be a list, not a dict r = EmailRecipients() if recipients_dict is not None: r.recipients = [Address.from_dict(a, Address.CAT_EMAIL) for a in recipients_dict] return r
def add_ipv4_observable(self, ipv4_address): if ipv4_address in self.__ipv4: return self.__ipv4.add(ipv4_address) ipv4_object = Address.from_dict({'address_value': ipv4_address, 'category': Address.CAT_IPV4}) ipv4_observable = Observable(ipv4_object) ipv4_observable.title = "Malware Artifact - IP" ipv4_observable.description = "IP derived from sandboxed malware sample." ipv4_observable.short_description = "IP from malware." self.ip_indicator.add_observable(ipv4_observable)
def main(): package = STIXPackage() # Create the indicator indicator = Indicator(title="IP Address for known C2 Channel") indicator.add_indicator_type("IP Watchlist") address = Address(category="ipv4-addr") address.address_value = "10.0.0.0" address.address_value.condition = "Equals" indicator.observable = address package.add_indicator(indicator) # Create the campaign campaign = Campaign(title="Operation Omega") package.add_campaign(campaign) # Link the campaign to the indicator campaign.related_indicators.append(RelatedIndicator(item=Indicator(idref=indicator.id_))) print package.to_xml()
def object_from_dict(cls, network_connection_attributes): """Create the Network Connection Object object representation from an input dictionary""" network_connection_obj = network_connection_binding.NetworkConnectionType() for key, value in network_connection_attributes.items(): if key == "tls_used" and utils.test_value(value): network_connection_obj.set_tls_used(value.get("value")) elif key == "layer3_protocol" and utils.test_value(value): network_connection_obj.set_Layer3_Protocol( Base_Object_Attribute.object_from_dict( common_types_binding.StringObjectAttributeType(datatype="String"), value ) ) elif key == "layer4_protocol" and utils.test_value(value): network_connection_obj.set_Layer4_Protocol( Base_Object_Attribute.object_from_dict( common_types_binding.StringObjectAttributeType(datatype="String"), value ) ) elif key == "layer7_protocol" and utils.test_value(value): network_connection_obj.set_Layer7_Protocol( Base_Object_Attribute.object_from_dict( common_types_binding.StringObjectAttributeType(datatype="String"), value ) ) elif key == "local_ip_address": network_connection_obj.set_Local_IP_Address(Address.object_from_dict(value)) elif key == "local_port": network_connection_obj.set_Local_Port(Port.object_from_dict(value)) elif key == "remote_ip_address": network_connection_obj.set_Remote_IP_Address(Address.object_from_dict(value)) elif key == "remote_port": network_connection_obj.set_Local_Port(Port.object_from_dict(value)) elif key == "layer7_connections": layer7_conn_object = network_connection_binding.Layer7ConnectionsType() if value.get("http_session") is not None: layer7_conn_object.set_HTTP_Session(HTTP_Session.object_from_dict(value.get("http_session"))) if layer7_conn_object.hasContent_(): network_connection_obj.set_Layer7_Connections(layer7_conn_object) return network_connection_obj
def dict_from_object(cls, socket_obj): """Parse and return a dictionary for a Socket Object object""" socket_dict = {} if socket_obj.get_is_blocking() is not None: socket_dict['is_blocking'] = {'value' : socket_obj.get_is_blocking()} if socket_obj.get_is_listening() is not None: socket_dict['is_listening'] = {'value' : socket_obj.get_is_listening()} if socket_obj.get_Address_Family() is not None: socket_dict['address_family'] = Base_Object_Attribute.dict_from_object(socket_obj.get_Address_Family()) if socket_obj.get_Domain() is not None: socket_dict['domain'] = Base_Object_Attribute.dict_from_object(socket_obj.get_Domain()) if socket_obj.get_Local_Address() is not None: local_address_dict = {} if socket_obj.get_Local_Address().get_IP_Address() is not None: local_address_dict['ip_address'] = Address.dict_from_object(socket_obj.get_Local_Address().get_IP_Address()) if socket_obj.get_Local_Address().get_Port() is not None: local_address_dict['port'] = Port.dict_from_object(socket_obj.get_Local_Address().get_Port()) if socket_obj.get_Options() is not None: socket_dict['options'] = cls.__socket_options_dict_from_object(socket_obj.get_Options()) if socket_obj.get_Protocol() is not None: Base_Object_Attribute.dict_from_object(socket_obj.get_Protocol()) if socket_obj.get_Remote_Address() is not None: remote_address_dict = {} if socket_obj.get_Remote_Address().get_IP_Address() is not None: remote_address_dict['ip_address'] = Address.dict_from_object(socket_obj.get_Local_Address().get_IP_Address()) if socket_obj.get_Remote_Address().get_Port() is not None: remote_address_dict['port'] = Port.dict_from_object(socket_obj.get_Local_Address().get_Port()) if socket_obj.get_Type() is not None: Base_Object_Attribute.dict_from_object(socket_obj.get_Type()) return socket_dict
def from_dict(contact_dict, contact=None): if not contact_dict: return None if contact is None: contact = WhoisContact() contact.contact_type = contact_dict.get('contact_type') contact.contact_id = String.from_dict(contact_dict.get('contact_id')) contact.name = String.from_dict(contact_dict.get('name')) contact.email_address = Address.from_dict(contact_dict.get('email_address'), Address.CAT_EMAIL) contact.phone_number = String.from_dict(contact_dict.get('phone_number')) contact.address = String.from_dict(contact_dict.get('address')) return contact
def from_obj(contact_obj, contact=None): if not contact_obj: return None if contact is None: contact = WhoisContact() contact.contact_type = contact_obj.get_contact_type() contact.contact_id = String.from_obj(contact_obj.get_Contact_ID()) contact.name = String.from_obj(contact_obj.get_Name()) contact.email_address = Address.from_obj(contact_obj.get_Email_Address()) contact.phone_number = String.from_obj(contact_obj.get_Phone_Number()) contact.address = String.from_obj(contact_obj.get_Address()) return contact
def from_dict(opt_header_dict): if not opt_header_dict: return None opt_header = OptionalHeader() opt_header.boundary = String.from_dict(opt_header_dict.get('boundary')) opt_header.content_type = String.from_dict(opt_header_dict.get('content_type')) opt_header.mime_version = String.from_dict(opt_header_dict.get('mime_version')) opt_header.precedence = String.from_dict(opt_header_dict.get('precedence')) opt_header.x_mailer = String.from_dict(opt_header_dict.get('x_mailer')) opt_header.x_originating_ip = Address.from_dict(opt_header_dict.get('x_originating_ip'), Address.CAT_IPV4) opt_header.x_priority = PositiveInteger.from_dict(opt_header_dict.get('x_priority')) return opt_header
def from_obj(opt_header_obj): if not opt_header_obj: return None opt_header = OptionalHeader() opt_header.boundary = String.from_obj(opt_header_obj.get_Boundary()) opt_header.content_type = String.from_obj(opt_header_obj.get_Content_Type()) opt_header.mime_version = String.from_obj(opt_header_obj.get_MIME_Version()) opt_header.precedence = String.from_obj(opt_header_obj.get_Precedence()) opt_header.x_mailer = String.from_obj(opt_header_obj.get_X_Mailer()) opt_header.x_originating_ip = Address.from_obj(opt_header_obj.get_X_Originating_IP()) opt_header.x_priority = PositiveInteger.from_obj(opt_header_obj.get_X_Priority()) return opt_header
def main(): data = json.load(open("data.json")) stix_package = STIXPackage() ttps = {} for info in data['ips']: if info['bot'] not in ttps: ttps[info['bot']] = TTP(title=info['bot']) stix_package.add_ttp(ttps[info['bot']]) indicator = Indicator(title=info['ip']) indicator.add_indicator_type("IP Watchlist") addr = Address(address_value=info['ip'], category=Address.CAT_IPV4) addr.condition = "Equals" indicator.add_observable(addr) indicator.add_indicated_ttp(TTP(idref=ttps[info['bot']].id_)) stix_package.add_indicator(indicator) print stix_package.to_xml()
def test_list(self): recips = EmailRecipients(Address(self.email1, Address.CAT_EMAIL), Address(self.email2, Address.CAT_EMAIL)) self._compare(recips)
def main(): # NOTE: ID values will differ due to being regenerated on each script execution pkg1 = STIXPackage() pkg1.title = "Example of Indicator Composition for an aggregate indicator composition" # USE CASE: Indicator with aggregate pattern # Add TTP for malware usage malware_ttp = TTP() malware_ttp.behavior = Behavior() malware = MalwareInstance() malware.title = "foobar malware" malware.add_type("Remote Access Trojan") malware_ttp.behavior.add_malware_instance(malware) c2_ttp = TTP() c2_ttp.resources = Resource() c2_ttp.resources.infrastructure = Infrastructure() c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2")) pkg1.add_ttp(c2_ttp) pkg1.add_ttp(malware_ttp) nw_ind = Indicator() nw_ind.description = "Indicator for a particular C2 infstructure IP address." # add network network connection to this indicator obs = NetworkConnection() sock = SocketAddress() sock.ip_address = "46.123.99.25" sock.ip_address.category = "ipv4-addr" sock.ip_address.condition = "Equals" obs.destination_socket_address = sock nw_ind.add_observable(obs) nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_)) # create File Hash indicator w/ embedded Observable file_ind = Indicator() file_ind.description = "Indicator for the hash of the foobar malware." file_ind.add_indicator_type("File Hash Watchlist") file_obs = File() file_obs.add_hash("01234567890abcdef01234567890abcdef") file_obs.hashes[0].type_ = "MD5" file_obs.hashes[0].type_.condition = "Equals" file_ind.add_observable(file_obs) # create references file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_)) # create container indicator ind = Indicator() ind.add_indicator_type(VocabString("Campaign Characteristics")) ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign." # Add campaign with related camp = Campaign() camp.title = "holy grail" pkg1.add_campaign(camp) camp.related_ttps.append(TTP(idref=c2_ttp.id_)) camp.related_ttps.append(TTP(idref=malware_ttp.id_)) # Add threat actor ta = ThreatActor() ta.identity = Identity() ta.identity.name = "boobear" ta.observed_ttps.append(TTP(idref=malware_ttp.id_)) pkg1.add_threat_actor(ta) # Create composite expression ind.composite_indicator_expression = CompositeIndicatorExpression() ind.composite_indicator_expression.operator = "AND" ind.composite_indicator_expression.append(file_ind) ind.composite_indicator_expression.append(nw_ind) pkg1.add_indicator(ind) print pkg1.to_xml() # USE CASE: Indicator with partial matching pkg2 = STIXPackage() pkg2.title = "Example of Indicator Composition for a one of many indicator composition" # create container indicator watchlistind = Indicator() watchlistind.add_indicator_type("IP Watchlist") watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed." watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_)) # Create composite expression watchlistind.composite_indicator_expression = CompositeIndicatorExpression( ) watchlistind.composite_indicator_expression.operator = "OR" ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25'] for ip in ips: new_ind = Indicator() new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed" # add network network connection to this indicator obs = Address() obs.address_value = ip obs.address_value.condition = "Equals" new_ind.add_observable(obs) new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_)) watchlistind.composite_indicator_expression.append(new_ind) pkg2.add_indicator(watchlistind) print pkg2.to_xml() # USE CASE: Indicator with compound detection pkg3 = STIXPackage() pkg3.title = "Example of Indicator Composition for compound detection" # create container indicator watchlistind2 = Indicator() watchlistind2.add_indicator_type("IP Watchlist") watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence." # Create composite expression watchlistind2.composite_indicator_expression = CompositeIndicatorExpression( ) watchlistind2.composite_indicator_expression.operator = "OR" watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_)) watchlistind2.confidence = "High" nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant." nw_ind.confidence = "Low" nw_ind.indicator_types = ["C2"] file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant." file_ind.confidence = "Low" watchlistind2.composite_indicator_expression.append(nw_ind) watchlistind2.composite_indicator_expression.append(file_ind) pkg3.add_indicator(watchlistind2) print pkg3.to_xml()
def genStixDoc( outputDir_, targetFileSha1_, targetFileSha256_, targetFileSha512_, targetFileSsdeep_, targetFileMd5_, targetFileSize_, targetFileName_, ipv4Addresses_, hostNames_): """ Generate Stix document from the input values. The doc structure is the file object along with the related network items: addresses, domain names. Output is written to files, which are then wrapped with taxii and uploaded using a separate script. """ parsedTargetFileName = reFileName(targetFileName_)[1] parsedTargetFilePrefix = reFileName(targetFileName_)[0] stix.utils.set_id_namespace({"http://www.equifax.com/cuckoo2Stix" : "cuckoo2Stix"}) NS = cybox.utils.Namespace("http://www.equifax.com/cuckoo2Stix", "cuckoo2Stix") cybox.utils.set_id_namespace(NS) stix_package = STIXPackage() stix_header = STIXHeader() stix_header.title = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators' stix_header.description = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators' stix_package.stix_header = stix_header # Create the ttp malware_instance = MalwareInstance() malware_instance.add_name(parsedTargetFileName) malware_instance.description = targetFileSha1_ ttp = TTP(title='TTP: ' + parsedTargetFileName) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware_instance) stix_package.add_ttp(ttp) # Create the indicator for the ipv4 addresses ipv4Object = Address(ipv4Addresses_, Address.CAT_IPV4) ipv4Object.condition = 'Equals' ipv4Indicator = Indicator() ipv4Indicator.title = parsedTargetFileName + ': ipv4 addresses' ipv4Indicator.add_indicator_type('IP Watchlist') ipv4Indicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware')) ipv4Indicator.observable = ipv4Object ipv4Indicator.confidence = 'Low' # Create the indicator for the domain names domainNameObject = DomainName() domainNameObject.value = hostNames_ domainNameObject.condition = 'Equals' domainNameIndicator = Indicator() domainNameIndicator.title = parsedTargetFileName + ': domain names' domainNameIndicator.add_indicator_type('Domain Watchlist') domainNameIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware')) domainNameIndicator.observable = domainNameObject domainNameIndicator.confidence = 'Low' # Create the indicator for the file fileObject = File() fileObject.file_name = parsedTargetFileName fileObject.file_name.condition = 'Equals' fileObject.size_in_bytes = targetFileSize_ fileObject.size_in_bytes.condition = 'Equals' fileObject.add_hash(Hash(targetFileSha1_, type_='SHA1', exact=True)) fileObject.add_hash(Hash(targetFileSha256_, type_='SHA256', exact=True)) fileObject.add_hash(Hash(targetFileSha512_, type_='SHA512', exact=True)) fileObject.add_hash(Hash(targetFileSsdeep_, type_='SSDEEP', exact=True)) fileObject.add_hash(Hash(targetFileMd5_, type_='MD5', exact=True)) fileIndicator = Indicator() fileIndicator.title = parsedTargetFileName + ': hashes' fileIndicator.description = parsedTargetFilePrefix fileIndicator.add_indicator_type('File Hash Watchlist') fileIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship="Indicates Malware")) fileIndicator.observable = fileObject fileIndicator.confidence = 'Low' stix_package.indicators = [fileIndicator, ipv4Indicator, domainNameIndicator] stagedStixDoc = stix_package.to_xml() stagedStixDoc = fixAddressObject(stagedStixDoc) stagedStixDoc = fixDomainObject(stagedStixDoc) today = datetime.datetime.now() now = today.strftime('%Y-%m-%d_%H%M%S') if not os.path.exists(outputDir_): os.makedirs(outputDir_) with open (outputDir_ + '/' + now + '-' + targetFileSha1_ + '.stix.xml', 'a') as myfile: myfile.write(stagedStixDoc) _l.debug('Wrote file: ' + now + '-' + targetFileSha1_ + '.stix.xml') return
def test_observables_len(self): a = Address("*****@*****.**", Address.CAT_EMAIL) a2 = Address("*****@*****.**", Address.CAT_EMAIL) o = Observables([a, a2]) self.assertEqual(2, len(o))
def generate_observable(cybox_obj=None): cybox_obj = cybox_obj or Address(address_value='10.0.0.1') return Observable(cybox_obj)
def main(): # define constants TI_REQUEST_URL = "https://api.intelgraph.idefense.com/rest/threatindicator/v0" # iDefense API Key # To avoid hard-coding creds, I'm using environment variables if os.environ.get('IDEF_TOKEN') is None: print( "error: please store your iDefense IntelGraph API key in the IDEF_TOKEN environment" ) sys.exit(1) API_KEY = os.environ.get('IDEF_TOKEN') API_SECRET = '' # TODO: use command-line parameter timestr = datetime.datetime.utcnow() - datetime.timedelta(days=1) LAST_IMPORT = timestr.strftime("%Y-%m-%dT%H:%M:%S") + ".000Z" HEADERS = { "Content-Type": "application/json", "auth-token": API_KEY, "X-Api-Key-Proof": API_SECRET } print(HEADERS) page = 1 more_data = True count = 0 # Set namespace NAMESPACE = Namespace("https://intelgraph.idefense.com", "idefense") set_id_namespace(NAMESPACE) # Create STIX Package stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "iDefense Threat Indicators Feed" stix_package.stix_header = stix_header ttps = {} malware = {} try: while more_data: request_payload = { "start_date": LAST_IMPORT, "page_size": 200, "page": page } r = requests.post(TI_REQUEST_URL, headers=HEADERS, data=json.dumps(request_payload)) print(r) response = [] if r.status_code == requests.codes.ok: try: # Read in response as json response = r.json() except (ValueError, KeyError): print("Response couldn't be decoded :(") more_data = False continue more_data = response.get('more', 'False') print("Page %d ==> %s (%s)" % (page, response['more'], response['total_size'])) page += 1 # Iterate the response for indicatorD in response['results']: count += 1 # Indicator value such as the value of the IP/Domain/URL indicator = indicatorD.get('key') print(indicator, indicatorD.get('type')) if indicatorD.get('last_seen_as') is None: last_seen_as = 'UNKNOWN' else: last_seen_as = ''.join(indicatorD.get('last_seen_as')) # Identify TTP if last_seen_as not in ttps: ttps[last_seen_as] = TTP(title=last_seen_as) stix_package.add_ttp(ttps[last_seen_as]) # Identify malware source if 'files' in indicatorD: for hashD in indicatorD['files']: md5 = hashD.get('key') # Malware Family classification of the hash if available if hashD.get('malware_family') is None: malware_family = "Unknown" else: malware_family = ''.join( hashD.get('malware_family')) if md5 not in malware: malware[md5] = add_malware( md5, malware_family, hashD.get('uuid')) if indicatorD.get('type') == "url": # Create indicator indicator = Indicator( id_="indicator-{0}".format(indicatorD.get('uuid')), title=''.join(indicatorD.get('malware_family')), timestamp=indicatorD.get('last_seen')) indicator.add_indicator_type("URL Watchlist") # Populate URL url = URI() url.value = indicatorD.get('key') url.type_ = URI.TYPE_URL url.value.condition = "Equals" indicator.add_observable(url) elif indicatorD.get('type') == "domain": # Populate domain name indicator = Indicator( id_="indicator-{0}".format(indicatorD.get('uuid')), title=''.join(indicatorD.get('malware_family')), timestamp=indicatorD.get('last_seen')) indicator.add_indicator_type("Domain Watchlist") domain = DomainName() domain.value = indicatorD.get('key') domain.value.condition = "Equals" indicator.add_observable(domain) elif indicatorD.get('type') == "ip": # Create indicator indicator = Indicator( id_="indicator-{0}".format(indicatorD.get('uuid')), title=indicatorD.get('malware_family'), timestamp=indicatorD.get('last_seen')) indicator.add_indicator_type("IP Watchlist") # Populate IP address addr = Address(address_value=indicatorD.get('key'), category=Address.CAT_IPV4) addr.condition = "Equals" indicator.add_observable(addr) # Link TTP indicator.add_indicated_ttp( TTP(idref=ttps[last_seen_as].id_)) # Indicate confidence score indicator.confidence = Confidence( value=VocabString(indicatorD.get('confidence'))) # Add related indicator to malware indicator.add_related_indicator(malware[md5]) # Add to package stix_package.add_indicator(indicator) else: print("API request couldn't be fulfilled due status code: %d" % r.status_code) more_data = False except requests.exceptions.ConnectionError as e: print("Check your network connection\n %s" % str(e)) except requests.exceptions.HTTPError as e: print("Bad HTTP response\n %s" % str(e)) except Exception as e: print("Uncaught exception\n %s" % str(e)) # Output to XML with open('stix-1.2.1.xml', 'wb') as f: f.write(stix_package.to_xml())
def transform(self, event): stix_package = STIXPackage() self._add_header( stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents", ) incident = Incident( id_="%s:%s-%s" % (CONPOT_NAMESPACE, "incident", event["session_id"])) initial_time = StixTime() initial_time.initial_compromise = event["timestamp"].isoformat() incident.time = initial_time incident.title = "Conpot Event" incident.short_description = "Traffic to Conpot ICS honeypot" incident.add_category( VocabString(value="Scans/Probes/Attempted Access")) tool_list = ToolInformationList() tool_list.append( ToolInformation.from_dict({ "name": "Conpot", "vendor": "Conpot Team", "version": conpot.__version__, "description": textwrap.dedent( "Conpot is a low interactive server side Industrial Control Systems " "honeypot designed to be easy to deploy, modify and extend." ), })) incident.reporter = InformationSource(tools=tool_list) incident.add_discovery_method("Monitoring Service") incident.confidence = "High" # Victim Targeting by Sector ciq_identity = CIQIdentity3_0Instance() # identity_spec = STIXCIQIdentity3_0() # identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") # ciq_identity.specification = identity_spec ttp = TTP( title= "Victim Targeting: Electricity Sector and Industrial Control System Sector" ) ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity incident.leveraged_ttps.append(ttp) indicator = Indicator(title="Conpot Event") indicator.description = "Conpot network event" indicator.confidence = "High" source_port = Port.from_dict({ "port_value": event["remote"][1], "layer4_protocol": "tcp" }) dest_port = Port.from_dict({ "port_value": self.protocol_to_port_mapping[event["data_type"]], "layer4_protocol": "tcp", }) source_ip = Address.from_dict({ "address_value": event["remote"][0], "category": Address.CAT_IPV4 }) dest_ip = Address.from_dict({ "address_value": event["public_ip"], "category": Address.CAT_IPV4 }) source_address = SocketAddress.from_dict({ "ip_address": source_ip.to_dict(), "port": source_port.to_dict() }) dest_address = SocketAddress.from_dict({ "ip_address": dest_ip.to_dict(), "port": dest_port.to_dict() }) network_connection = NetworkConnection.from_dict({ "source_socket_address": source_address.to_dict(), "destination_socket_address": dest_address.to_dict(), "layer3_protocol": "IPv4", "layer4_protocol": "TCP", "layer7_protocol": event["data_type"], "source_tcp_state": "ESTABLISHED", "destination_tcp_state": "ESTABLISHED", }) indicator.add_observable(Observable(network_connection)) artifact = Artifact() artifact.data = json.dumps(event["data"]) artifact.packaging.append(ZlibCompression()) artifact.packaging.append(Base64Encoding()) indicator.add_observable(Observable(artifact)) incident.related_indicators.append(indicator) stix_package.add_incident(incident) stix_package_xml = stix_package.to_xml() return stix_package_xml
class RelatedObjectTest(unittest.TestCase): def setUp(self): cybox.utils.set_id_method(2) self.ip = Address("192.168.1.1", Address.CAT_IPV4) self.domain = URI("example.local", URI.TYPE_DOMAIN) def test_inline_changes_parent_id(self): old_domain_parent_id = self.domain.parent.id_ old_ip_parent_id = self.ip.parent.id_ self.domain.add_related(self.ip, "Resolves To", inline=True) self.assertEqual(old_domain_parent_id, self.domain.parent.id_) self.assertNotEqual(old_ip_parent_id, self.ip.parent.id_) def test_noninline_does_not_change_parent_id(self): old_domain_parent_id = self.domain.parent.id_ old_ip_parent_id = self.ip.parent.id_ self.domain.add_related(self.ip, "Resolves To", inline=False) self.assertEqual(old_domain_parent_id, self.domain.parent.id_) self.assertEqual(old_ip_parent_id, self.ip.parent.id_) def test_no_relationships(self): self._test_round_trip(Observables([self.ip, self.domain])) def test_inline(self): self.domain.add_related(self.ip, "Resolves To", inline=True) o2 = self._test_round_trip(Observables(self.domain)) self._test_returned_objects(o2) expected_id = self.ip.parent.id_ # Domain is the first observable, and has an inlined object with an id actual_id = o2.observables[0].object_.related_objects[0].id_ self.assertEqual(expected_id, actual_id) def test_backward_relationship(self): self.domain.add_related(self.ip, "Resolves To", inline=False) # IP should already be known before Domain is parsed o2 = self._test_round_trip(Observables([self.ip, self.domain])) self._test_returned_objects(o2) expected_id = self.ip.parent.id_ # Domain is the second observable, and should only have an IDREF actual_id = o2.observables[1].object_.related_objects[0].idref self.assertEqual(expected_id, actual_id) def test_forward_relationship(self): self.domain.add_related(self.ip, "Resolves To", inline=False) # The "related" IP object will be encountered in the Domain object # before the actual IP has been seen. Make sure this doesn't break. o2 = self._test_round_trip(Observables([self.domain, self.ip])) self._test_returned_objects(o2) expected_id = self.ip.parent.id_ # Domain is the second observable, and should only have an IDREF actual_id = o2.observables[0].object_.related_objects[0].idref self.assertEqual(expected_id, actual_id) def test_missing_related_object(self): self.domain.add_related(self.ip, "Resolves To", inline=False) # If we only include the domain, the dereference will fail. o2 = self._test_round_trip(Observables([self.domain])) rel_obj = o2.observables[0].object_.related_objects[0] self.assertRaises(cybox.utils.CacheMiss, rel_obj.get_properties) def _test_round_trip(self, observables): self.maxDiff = None print observables.to_xml() observables2 = cybox.test.round_trip(observables) self.assertEqual(observables.to_dict(), observables2.to_dict()) return observables2 def _test_returned_objects(self, o2): # Get the Domain object (ID will contain "URI") for obs in o2.observables: if "URI" in obs.object_.id_: ip_obj = obs.object_.related_objects[0] break # Check that the properties are identical self.assertEqual(self.ip.to_dict(), ip_obj.get_properties().to_dict())
def setUp(self): cybox.utils.set_id_method(2) self.ip = Address("192.168.1.1", Address.CAT_IPV4) self.domain = URI("example.local", URI.TYPE_DOMAIN)
def test_id_prefix(self): a = Address() o = Object(a) self.assertTrue("Address" in o.id_)
def setUp(self): self.ip = Address("192.168.1.1", Address.CAT_IPV4) self.domain = URI("example.local", URI.TYPE_DOMAIN)
def get_indicator_from_json(indicator_json, user_timezone): type_ = indicator_json['type'] v = indicator_json['value'] title = indicator_json['title'] o_ = None # ipv4か? if type_ == JSON_OBJECT_TYPE_IPV4: o_ = Address() o_.address_value = v.replace('[', '').replace(']', '') # urlか? if type_ == JSON_OBJECT_TYPE_URI: o_ = URI() o_.value = v # md5か? if type_ == JSON_OBJECT_TYPE_MD5: o_ = File() o_.md5 = v # sha1か? if type_ == JSON_OBJECT_TYPE_SHA1: o_ = File() o_.sha1 = v # sha256か? if type_ == JSON_OBJECT_TYPE_SHA256: o_ = File() o_.sha256 = v # sha512か? if type_ == JSON_OBJECT_TYPE_SHA512: o_ = File() o_.sha512 = v # email-addressか? if type_ == JSON_OBJECT_TYPE_EMAIL_ADDRESS: o_ = EmailAddress() o_.address_value = v # domainか? if type_ == JSON_OBJECT_TYPE_DOMAIN: o_ = DomainName() o_.value = v.replace('[', '').replace(']', '') # file名か? if type_ == JSON_OBJECT_TYPE_FILE_NAME: o_ = File() o_.file_name = v # なにも該当していないので None if o_ is None: print('何も該当なし:' + str(type_) + ':' + str(v)) return None # indicator 作って返却 indicator_title = '%s (%s)' % (v, title) ind = CommonExtractor.get_indicator_from_object( o_, indicator_title, user_timezone) return ind
def test_invalid_recip_type(self): ipv4 = Address("1.2.3.4", Address.CAT_IPV4) generic_address = Address("aaaa") for a in [{1: 'a'}, 1, True, [1], ipv4, generic_address]: self.assertRaises(TypeError, EmailRecipients, a)
res = urllib2.urlopen(req) except urllib2.HTTPError, e: print "HTTPError: " + str(e.code) except urllib2.URLError, e: print "URLError: " + str(e.reason) doc = xmltodict.parse(res.read()) # Create the STIX Package package = STIXPackage() # Create the STIX Header and add a description. header = STIXHeader() #header.title = "SANS ISC Top-100 Malicious IP Addresses" #header.description = "Source: " + url package.stix_header = header for entry in doc['topips']['ipaddress']: bytes = entry['source'].split('.') indicator = Indicator() indicator.title = "SANS ISC Malicious IP" indicator.add_indicator_type("IP Watchlist") ip = Address() ip.address_value = "%d.%d.%d.%d" % (int(bytes[0]), int( bytes[1]), int(bytes[2]), int(bytes[3])) ip.category = 'ipv4-addr' ip.condition = 'Equals' indicator.add_observable(ip) package.add_indicator(indicator) print(package.to_xml()) if __name__ == '__main__': main()
def to_cybox_observable(self): """ Convert an IP to a CybOX Observables. Returns a tuple of (CybOX object, releasability list). To get the cybox object as xml or json, call to_xml() or to_json(), respectively, on the resulting CybOX object. """ obj = Address() obj.address_value = self.ip temp_type = self.ip_type.replace("-", "") if temp_type.find(Address.CAT_ASN.replace("-", "")) >= 0: obj.category = Address.CAT_ASN elif temp_type.find(Address.CAT_ATM.replace("-", "")) >= 0: obj.category = Address.CAT_ATM elif temp_type.find(Address.CAT_CIDR.replace("-", "")) >= 0: obj.category = Address.CAT_CIDR elif temp_type.find(Address.CAT_MAC.replace("-", "")) >= 0: obj.category = Address.CAT_MAC elif temp_type.find(Address.CAT_IPV4_NETMASK.replace("-", "")) >= 0: obj.category = Address.CAT_IPV4_NETMASK elif temp_type.find(Address.CAT_IPV4_NET.replace("-", "")) >= 0: obj.category = Address.CAT_IPV4_NET elif temp_type.find(Address.CAT_IPV4.replace("-", "")) >= 0: obj.category = Address.CAT_IPV4 elif temp_type.find(Address.CAT_IPV6_NETMASK.replace("-", "")) >= 0: obj.category = Address.CAT_IPV6_NETMASK elif temp_type.find(Address.CAT_IPV6_NET.replace("-", "")) >= 0: obj.category = Address.CAT_IPV6_NET elif temp_type.find(Address.CAT_IPV6.replace("-", "")) >= 0: obj.category = Address.CAT_IPV6 return ([Observable(obj)], self.releasability)
def to_cybox_observable(self, exclude=None): """ Convert an email to a CybOX Observables. Pass parameter exclude to specify fields that should not be included in the returned object. Returns a tuple of (CybOX object, releasability list). To get the cybox object as xml or json, call to_xml() or to_json(), respectively, on the resulting CybOX object. """ if exclude == None: exclude = [] observables = [] obj = EmailMessage() # Assume there is going to be at least one header obj.header = EmailHeader() if 'message_id' not in exclude: obj.header.message_id = String(self.message_id) if 'subject' not in exclude: obj.header.subject = String(self.subject) if 'sender' not in exclude: obj.header.sender = Address(self.sender, Address.CAT_EMAIL) if 'reply_to' not in exclude: obj.header.reply_to = Address(self.reply_to, Address.CAT_EMAIL) if 'x_originating_ip' not in exclude: obj.header.x_originating_ip = Address(self.x_originating_ip, Address.CAT_IPV4) if 'x_mailer' not in exclude: obj.header.x_mailer = String(self.x_mailer) if 'boundary' not in exclude: obj.header.boundary = String(self.boundary) if 'raw_body' not in exclude: obj.raw_body = self.raw_body if 'raw_header' not in exclude: obj.raw_header = self.raw_header #copy fields where the names differ between objects if 'helo' not in exclude and 'email_server' not in exclude: obj.email_server = String(self.helo) if ('from_' not in exclude and 'from' not in exclude and 'from_address' not in exclude): obj.header.from_ = EmailAddress(self.from_address) if 'date' not in exclude and 'isodate' not in exclude: obj.header.date = DateTime(self.isodate) observables.append(Observable(obj)) return (observables, self.releasability)
def adptr_dict2STIX(srcObj, data): sTxt = "Called... " sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()') ### Input Check if srcObj is None or data is None: # TODO: Needs error msg: Missing srcData Object return False ### Generate NameSpace id tags STIX_NAMESPACE = {"http://hailataxii.com": "opensource"} OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource") stix_set_id_namespace(STIX_NAMESPACE) obs_set_id_namespace(OBS_NAMESPACE) ### Building STIX Wrapper stix_package = STIXPackage() ### Bulid Object Data for sKey in data: objIndicator = Indicator() listOBS = [] ### Parsing IP Address sAddr = data[sKey]['attrib']['ipAddr'] if sAddr: objAddr = Address() objAddr.is_source = True objAddr.address_value = sAddr objAddr.address_value.condition = 'Equals' if isIPv4(sAddr): objAddr.category = 'ipv4-addr' elif isIPv6(sAddr): objAddr.category = 'ipv6-addr' else: continue obsAddr = Observable(objAddr) obsAddr.sighting_count = 1 obsAddr.title = 'IP: ' + sAddr sDscrpt = 'IPv4' + ': ' + sAddr + " | " sDscrpt += "isSource: True | " obsAddr.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsAddr) objIndicator.add_indicator_type("IP Watchlist") ### Parsing Domain sDomain = data[sKey]['attrib']['domain'] if sDomain: objDomain = DomainName() objDomain.value = sDomain objDomain.value.condition = 'Equals' if isFQDN(sDomain): objDomain.type = 'FQDN' elif isTLD(sDomain): objDomain.type = 'TLD' else: continue obsDomain = Observable(objDomain) obsDomain.sighting_count = 1 obsDomain.title = 'Domain: ' + sDomain sDscrpt = 'Domain: ' + sDomain + " | " sDscrpt += "isFQDN: True | " obsDomain.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsDomain) objIndicator.add_indicator_type("Domain Watchlist") # Parser File Hash # sHash = data[sKey]['attrib']['hash']; # if len(sHash) > 0: # objFile = File() # sFileName = data[sKey]['attrib']['fileName'] # if len(sFileName) > 0: # objFile.file_name = sFileName # objFile.file_format = sFileName.split('.')[1] # objFile.add_hash(Hash(sHash, exact=True)) # obsFile = Observable(objFile) # objFile = None; # obsFile.sighting_count = 1 # obsFile.title = 'File: ' + sFileName # sDscrpt = 'FileName: ' + sFileName + " | " # sDscrpt += "FileHash: " + sHash + " | " # obsFile.description = "<![CDATA[" + sDscrpt + "]]>" # listOBS.append(obsFile) # obsFile = None; # objIndicator.add_indicator_type("File Hash Watchlist") ### Add Generated observable to Indicator objIndicator.observables = listOBS objIndicator.observable_composition_operator = 'OR' #Parsing Producer sProducer = srcObj.Domain if len(srcObj.Domain) > 0: objIndicator.set_producer_identity(srcObj.Domain) if data[sKey]['attrib']['dateVF']: objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']) objIndicator.set_received_time(data[sKey]['dateDL']) ### Old Title / Description Generator #objIndicator.title = data[sKey]['attrib']['title']; #objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>"; ### Generate Indicator Title based on availbe data sTitle = 'Feodo Tracker: ' if sAddr: sAddLine = "This IP address has been identified as malicious" if sDomain: sAddLine = "This domain has been identified as malicious" if len(sAddLine) > 0: sTitle += " | " + sAddLine if len(srcObj.Domain) > 0: sTitle += " by " + srcObj.Domain else: sTitle += "." if len(sTitle) > 0: objIndicator.title = sTitle #Generate Indicator Description based on availbe data sDscrpt = "" if sAddr: sAddLine = "This IP address " + sAddr if sDomain: sAddLine = "This domain " + sDomain if sAddr and sDomain: sAddLine = "This domain " + sDomain + " (" + sAddr + ")" if len(sAddLine) > 0: sDscrpt += sAddLine sDscrpt += " has been identified as malicious" if len(srcObj.Domain) > 0: sDscrpt += " by " + srcObj.Domain else: sDscrpt += "." sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + \ data[sKey]['attrib']['link'] + "]." if len(sDscrpt) > 0: objIndicator.description = "<![CDATA[" + sDscrpt + "]]>" #Parse TTP objMalware = MalwareInstance() objMalware.add_name("Cridex") objMalware.add_name("Bugat") objMalware.add_name("Dridex") objMalware.add_type("Remote Access Trojan") objMalware.short_description = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials" sDscrpt = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials. At the moment, Feodo Tracker is tracking four versions of Feodo, and they are labeled by Feodo Tracker as version A, version B, version C and version D:\n" sDscrpt += "\n" sDscrpt += " Version A: Hosted on compromised webservers running an nginx proxy on port 8080 TCP forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually directly hits these hosts on port 8080 TCP without using a domain name.\n" sDscrpt += " Version B: Hosted on servers rented and operated by cybercriminals for the exclusive purpose of hosting a Feodo botnet controller. Usually taking advantage of a domain name within ccTLD .ru. Botnet traffic usually hits these domain names using port 80 TCP.\n" sDscrpt += " Version C: Successor of Feodo, completely different code. Hosted on the same botnet infrastructure as Version A (compromised webservers, nginx on port 8080 TCP or port 7779 TCP, no domain names) but using a different URL structure. This Version is also known as Geodo.\n" sDscrpt += " Version D: Successor of Cridex. This version is also known as Dridex\n" objMalware.description = "<![CDATA[" + sDscrpt + "]]>" objTTP = TTP(title="Feodo") objTTP.behavior = Behavior() objTTP.behavior.add_malware_instance(objMalware) objIndicator.add_indicated_ttp(objTTP) #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_)) #stix_package.add_ttp(objTTP) stix_package.add_indicator(objIndicator) ### STIX Package Meta Data stix_header = STIXHeader() stix_header.title = srcObj.pkgTitle stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>" ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/ marking_specification = MarkingSpecification() classLevel = SimpleMarkingStructure() classLevel.statement = "Unclassified (Public)" marking_specification.marking_structures.append(classLevel) objTOU = TermsOfUseMarkingStructure() sTOU = open('tou.txt').read() objTOU.terms_of_use = srcObj.Domain + " | " + sTOU marking_specification.marking_structures.append(objTOU) tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) marking_specification.controlled_structure = "//node()" handling = Marking() handling.add_marking(marking_specification) stix_header.handling = handling stix_package.stix_header = stix_header ### Generate STIX XML File locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml' sndFile(stix_package.to_xml(), locSTIXFile) return stix_package
def make_cybox_object(type_, value=None): """ Converts type_, name, and value to a CybOX object instance. :param type_: The object type. :type type_: str :param value: The object value. :type value: str :returns: CybOX object """ if type_ == IndicatorTypes.USER_ID: acct = Account() acct.description = value return acct elif type_ in IPTypes.values(): if type_ == IPTypes.IPv4_ADDRESS: name = 'ipv4-addr' elif type_ == IPTypes.IPv6_ADDRESS: name = 'ipv6-addr' elif type_ == IPTypes.IPv4_SUBNET: name = 'ipv4-net' elif type_ == IPTypes.IPv6_SUBNET: name = 'ipv6-net' return Address(category=name, address_value=value) elif type_ == IndicatorTypes.API_KEY: api = API() api.description = value return api elif type_ == IndicatorTypes.DOMAIN: obj = DomainName() obj.value = value elif type_ == IndicatorTypes.USER_AGENT: obj = HTTPRequestHeaderFields() obj.user_agent = value return obj elif type_ == IndicatorTypes.MUTEX: m = Mutex() m.named = True m.name = String(value) return m elif type_ in (IndicatorTypes.SOURCE_PORT, IndicatorTypes.DEST_PORT): p = Port() try: p.port_value = PositiveInteger(value) except ValueError: # XXX: Raise a better exception... raise UnsupportedCybOXObjectTypeError(type_, name) return p elif type_ == IndicatorTypes.PROCESS_NAME: p = Process() p.name = String(value) return p elif type_ == IndicatorTypes.URI: r = URI() r.type_ = 'URL' r.value = value return r elif type_ in (IndicatorTypes.REGISTRY_KEY, IndicatorTypes.REG_KEY_CREATED, IndicatorTypes.REG_KEY_DELETED, IndicatorTypes.REG_KEY_ENUMERATED, IndicatorTypes.REG_KEY_MONITORED, IndicatorTypes.REG_KEY_OPENED): obj = WinRegistryKey() obj.key = value return obj """ The following are types that are listed in the 'Indicator Type' box of the 'New Indicator' dialog in CRITs. These types, unlike those handled above, cannot be written to or read from CybOX at this point. The reason for the type being omitted is written as a comment inline. This can (and should) be revisited as new versions of CybOX are released. NOTE: You will have to update the corresponding make_crits_object function with handling for the reverse direction. In the mean time, these types will raise unsupported errors. """ #elif type_ == "Device": # No CybOX API #elif type_ == "DNS Cache": # No CybOX API #elif type_ == "GUI": # revisit when CRITs supports width & height specification #elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs #elif type_ == "Linux Package": # No CybOX API #elif type_ == "Network Packet": # No good mapping between CybOX/CRITs #elif type_ == "Network Route Entry": # No CybOX API #elif type_ == "Network Route": # No CybOX API #elif type_ == "Network Subnet": # No CybOX API #elif type_ == "Semaphore": # No CybOX API #elif type_ == "Socket": # No good mapping between CybOX/CRITs #elif type_ == "UNIX File": # No CybOX API #elif type_ == "UNIX Network Route Entry": # No CybOX API #elif type_ == "UNIX Pipe": # No CybOX API #elif type_ == "UNIX Process": # No CybOX API #elif type_ == "UNIX User Account": # No CybOX API #elif type_ == "UNIX Volume": # No CybOX API #elif type_ == "User Session": # No CybOX API #elif type_ == "Whois": # No good mapping between CybOX/CRITs #elif type_ == "Win Computer Account": # No CybOX API #elif type_ == "Win Critical Section": # No CybOX API #elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs #elif type_ == "Win File": # No good mapping between CybOX/CRITs #elif type_ == "Win Kernel": # No CybOX API #elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs #elif type_ == "Win Network Route Entry": # No CybOX API #elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs #elif type_ == "Win Prefetch": # No CybOX API #elif type_ == "Win Semaphore": # No CybOX API #elif type_ == "Win System Restore": # No CybOX API #elif type_ == "Win Thread": # No good mapping between CybOX/CRITs #elif type_ == "Win Waitable Timer": # No CybOX API raise UnsupportedCybOXObjectTypeError(type_, name)
def generate_stix_file(input_file, list_type, delimiter, list_name, tc_name, tmp_dir, validate, verbose): # observable limit per generated stix file OBSERVABLES_PER_STIX_FILE = 3000 if verbose: logging.info("=====================") logging.info("== GENERATING STIX ==") logging.info("=====================") # download or open input file if validators.url(input_file): res = requests.get(input_file) items = res.text.split(delimiter) else: # exit if input file doesn't exist if not os.path.isfile(input_file): logging.error("Supplied input file '{}' doesn't exist".format(input_file)) sys.exit("Error: Supplied input file '{}' doesn't exist".format(input_file)) else: with open(input_file, 'r') as f: items = f.read().split(delimiter) logging.info("Successfully parsed input file at {}".format(input_file)) # slice input into batches for batch_num, index in enumerate(range(0, len(items), OBSERVABLES_PER_STIX_FILE), 1): # slice handles out of bounds indices gracefully batch_items = items[index:index + OBSERVABLES_PER_STIX_FILE] # create the STIX Package package = STIXPackage() # create the STIX Header and add a description header = STIXHeader() package.stix_header = header reporttime = datetime.datetime.utcnow().strftime('%m/%d/%Y %H:%M:%S %Z') # create indicator for each item in the batch for item in batch_items: item = item.strip() # basic filtering of empty items and comments if not item or item.startswith(('#', '//', '--')): continue if list_type == 'ip': indicator_obj = Address() # attempt to parse as an ip address try: parsed_ip = ipaddress.ip_address(item) if parsed_ip.version == 4: indicator_obj.category = Address.CAT_IPV4 elif parsed_ip.version == 6: indicator_obj.category = Address.CAT_IPV6 else: logging.warning("Unknown IP Address version type: {} - skipping".format(parsed_ip.version)) continue except ValueError: # if ip address parsing fails then attempt to parse as an ip network try: parsed_ip = ipaddress.ip_network(item, strict=False) indicator_obj.category = Address.CAT_CIDR except ValueError: logging.warning("IP Address {} is neither an IPv4, IPv6, nor CIDR - skipping".format(item)) continue indicator_obj.address_value = str(parsed_ip) indicator_obj.condition = "Equals" indicator_type = "IP Watchlist" # customizable components below indicator_title = "IP: {}" indicator_description = "IP {} reported from {}" elif list_type == 'domain': # validate domain if validate and not validators.domain(item): logging.warning("Invalid domain: {} - skipping".format(item)) continue indicator_obj = DomainName() indicator_obj.value = item indicator_type = "Domain Watchlist" # customizable components below indicator_title = "Domain: {}" indicator_description = "Domain {} reported from {}" elif list_type == 'url': # validate url if validate and not validators.url(item): logging.warning("Invalid url: {} - skipping".format(item)) continue indicator_obj = URI() indicator_obj.value = item indicator_obj.type_ = URI.TYPE_URL indicator_obj.condition = "Equals" indicator_type = "URL Watchlist" # customizable components below indicator_title = "URL: {}" indicator_description = "URL {} reported from {}" else: # invalid input type logging.error("invalid input type encountered") raise Exception('Error: invalid input type encountered') # create a basic Indicator object from the item indicator = Indicator() indicator.title = indicator_title.format(str(item)) indicator.description = indicator_description.format(str(item), list_name) indicator.add_indicator_type(indicator_type) indicator.set_producer_identity(list_name) indicator.set_produced_time(str(reporttime)) indicator.add_observable(indicator_obj) # add the indicator to the stix package package.add_indicator(indicator) # save each batch in a separate stix file with the filename ending ..._part_N.stix collection_filename = "{}_part_{}.stix".format(strip_non_alphanum(tc_name), batch_num) with open(os.path.join(tmp_dir, collection_filename), 'wb') as f: f.write(package.to_xml()) logging.info("Successfully created stix file {}".format(collection_filename)) # clear cybox cache to prevent an Out of Memory error # https://cybox.readthedocs.io/en/stable/api/cybox/core/object.html#cybox.core.object.Object cache_clear() return
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"): """ Convert a CRITs TLO to a CybOX Observable. :param obj: The TLO to convert. :type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes` :param exclude: Attributes to exclude. :type exclude: list :param bin_fmt: The format for the binary (if applicable). :type bin_fmt: str """ type_ = obj._meta['crits_type'] if type_ == 'Certificate': custom_prop = Property( ) # make a custom property so CRITs import can identify Certificate exports custom_prop.name = "crits_type" custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents" custom_prop._value = "Certificate" obje = File() # represent cert information as file obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.filetype obje.size_in_bytes = obj.size obje.custom_properties = CustomProperties() obje.custom_properties.append(custom_prop) obs = Observable(obje) obs.description = obj.description data = obj.filedata.read() if data: # if cert data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data a.packaging.append(Base64Encoding()) obje.add_related(a, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'Domain': obje = DomainName() obje.value = obj.domain obje.type_ = obj.record_type return ([Observable(obje)], obj.releasability) elif type_ == 'Email': if exclude == None: exclude = [] observables = [] obje = EmailMessage() # Assume there is going to be at least one header obje.header = EmailHeader() if 'message_id' not in exclude: obje.header.message_id = String(obj.message_id) if 'subject' not in exclude: obje.header.subject = String(obj.subject) if 'sender' not in exclude: obje.header.sender = Address(obj.sender, Address.CAT_EMAIL) if 'reply_to' not in exclude: obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL) if 'x_originating_ip' not in exclude: obje.header.x_originating_ip = Address(obj.x_originating_ip, Address.CAT_IPV4) if 'x_mailer' not in exclude: obje.header.x_mailer = String(obj.x_mailer) if 'boundary' not in exclude: obje.header.boundary = String(obj.boundary) if 'raw_body' not in exclude: obje.raw_body = obj.raw_body if 'raw_header' not in exclude: obje.raw_header = obj.raw_header #copy fields where the names differ between objects if 'helo' not in exclude and 'email_server' not in exclude: obje.email_server = String(obj.helo) if ('from_' not in exclude and 'from' not in exclude and 'from_address' not in exclude): obje.header.from_ = EmailAddress(obj.from_address) if 'date' not in exclude and 'isodate' not in exclude: obje.header.date = DateTime(obj.isodate) obje.attachments = Attachments() observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'Indicator': observables = [] obje = make_cybox_object(obj.ind_type, obj.value) observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'IP': obje = Address() obje.address_value = obj.ip if obj.ip_type == IPTypes.IPv4_ADDRESS: obje.category = "ipv4-addr" elif obj.ip_type == IPTypes.IPv6_ADDRESS: obje.category = "ipv6-addr" elif obj.ip_type == IPTypes.IPv4_SUBNET: obje.category = "ipv4-net" elif obj.ip_type == IPTypes.IPv6_SUBNET: obje.category = "ipv6-subnet" return ([Observable(obje)], obj.releasability) elif type_ == 'PCAP': obje = File() obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.contentType obje.size_in_bytes = obj.length obs = Observable(obje) obs.description = obj.description art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK) art.packaging.append(Base64Encoding()) obje.add_related(art, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'RawData': obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE) obje.packaging.append(Base64Encoding()) obs = Observable(obje) obs.description = obj.description return ([obs], obj.releasability) elif type_ == 'Sample': if exclude == None: exclude = [] observables = [] f = File() for attr in ['md5', 'sha1', 'sha256']: if attr not in exclude: val = getattr(obj, attr, None) if val: setattr(f, attr, val) if obj.ssdeep and 'ssdeep' not in exclude: f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP)) if 'size' not in exclude and 'size_in_bytes' not in exclude: f.size_in_bytes = UnsignedLong(obj.size) if 'filename' not in exclude and 'file_name' not in exclude: f.file_name = obj.filename # create an Artifact object for the binary if it exists if 'filedata' not in exclude and bin_fmt: data = obj.filedata.read() if data: # if sample data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data if bin_fmt == "zlib": a.packaging.append(ZlibCompression()) a.packaging.append(Base64Encoding()) elif bin_fmt == "base64": a.packaging.append(Base64Encoding()) f.add_related(a, "Child_Of") # relate artifact to file if 'filetype' not in exclude and 'file_format' not in exclude: #NOTE: this doesn't work because the CybOX File object does not # have any support built in for setting the filetype to a # CybOX-binding friendly object (e.g., calling .to_dict() on # the resulting CybOX object fails on this field. f.file_format = obj.filetype observables.append(Observable(f)) return (observables, obj.releasability) else: return (None, None)
def home(request): """ Name: home Desc: Main GUI view """ # Forms:Job,target and relay creation create_job_form = CreateJob(request=request, prefix="create_job") create_target_form = CreateTarget(request=request, prefix="create_target") create_relay_form = CreateRelay(request=request, prefix="create_relay") if request.method == "POST": # Remove a relay if "delete_relay_id" in request.POST: try: Relay.objects.get(pk=request.POST["delete_relay_id"]).delete() except ObjectDoesNotExist, e: pass # Create new relay if "create_relay-name" in request.POST: # Actuator creation create_relay_form = CreateRelay(request.POST, request=request, prefix="create_relay") if create_relay_form.is_valid(): host = create_relay_form.save() host.save() # TODO - Call a sync here # Job Creations if "create_job-raw_message" in request.POST: new_job = Job(capability=Capability.objects.get( pk=request.POST["create_job-capability"]), target=Target.objects.get( pk=request.POST["create_job-target"]), raw_message="Pending", status=JobStatus.objects.get(status="Pending"), created_by=request.user) new_job.save() # Now we have a pk - update the id command = json.loads(request.POST["create_job-raw_message"]) command["modifiers"]["command-ref"] = new_job.id logger.info("Job Created\n%s" % json.dumps(command)) new_job.raw_message = json.dumps(command, sort_keys=True, indent=4).replace( "\t", u'\xa0\xa0\xa0\xa0\xa0') new_job.save() # Target Creations namespace_url = getattr(settings, "NAMESPACE_URL", None) namespace_id = getattr(settings, "NAMESPACE_ID", None) set_id_namespace(Namespace(namespace_url, namespace_id)) if "create_target-cybox_type" in request.POST: cybox_type = CybOXType.objects.get( pk=request.POST["create_target-cybox_type"]) if cybox_type.identifier == "cybox:NetworkConnectionObjectType": obs = NetworkConnection() # Source sock = SocketAddress() sock.ip_address = request.POST["create_target-source_address"] sock.ip_address.category = "ipv4-addr" sock.ip_address.condition = "Equals" sport = Port() sport.port_value = int( request.POST["create_target-source_port"]) sock.port = sport obs.source_socket_address = sock # Dest sock = SocketAddress() sock.ip_address = request.POST[ "create_target-destination_address"] sock.ip_address.category = "ipv4-addr" sock.ip_address.condition = "Equals" dport = Port() dport.port_value = int( request.POST["create_target-destination_port"]) sock.port = dport obs.destination_socket_address = sock name = "Network Connection %s:%s -> %s:%s (%s)" % ( request.POST["create_target-source_address"], request.POST["create_target-source_port"], request.POST["create_target-destination_address"], request.POST["create_target-destination_port"], request.POST["create_target-protocol"]) raw_message = Observable(item=obs, title=name).to_json() elif cybox_type.identifier == "cybox:AddressObjectType": name = "Address %s " % (request.POST["create_target-address"]) raw_message = Observable(item=Address( address_value=request.POST["create_target-address"], category=Address.CAT_IPV4), title=name).to_json() elif cybox_type.identifier == "cybox:URIObjectType": name = "URI %s " % (request.POST["create_target-uri"]) obs = URI() obs.value = request.POST["create_target-uri"] obs.type_ = URI.TYPE_URL obs.condition = "Equals" raw_message = Observable(item=obs, title=name).to_json() elif cybox_type.identifier == "cybox:EmailMessageObjectType": name = "Email %s " % ( request.POST["create_target-email_subject"]) obs = EmailMessage() obs.raw_body = request.POST["create_target-email_message"] obs.header = EmailHeader() obs.header.subject = request.POST[ "create_target-email_subject"] obs.header.subject.condition = "StartsWith" obs.header.to = request.POST["create_target-email_to"] obs.header.from_ = request.POST["create_target-email_from"] raw_message = Observable(item=obs, title=name).to_json() else: # Should never reach here raw_message = {} name = "Undefined Object" create_target_form = CreateTarget(request.POST, request=request, prefix="create_target") if create_target_form.is_valid(): target = create_target_form.save(commit=False) target.name = name target.raw_message = raw_message target.save()
def main(argv): ###################################################################### # Se non impostati da command line vengono utilizzati i seguenti valori per TITLE, DESCRIPTION, IDENTITY # Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28) TITLE = raw_input("Insert Title Ioc:") # La description strutturiamola come segue # <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)> DESCRIPTION = raw_input("Insert Decription:") # La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community IDENTITY = raw_input("Insert User Identity:") # File degli IoC IOCFILE = raw_input("Add IoC Source File:") # Prefisso STIX output files STIX 1.2 e STIX 2 OUTFILEPREFIX = "package" # Short Description - UNUSED #SHORT = "Emotet" ###################################################################### VERBOSE = 0 # UTF8 encode TITLE = TITLE.encode('utf8') DESCRIPTION = DESCRIPTION.encode('utf8') IDENTITY = IDENTITY.encode('utf8') print "\nStix File generation in progress...." #print (TITLE) #"TITLE: " + TITLE #print (DESCRIPTION) #"DESCRIPTION: " + DESCRIPTION #print (IDENTITY) #"IDENTITY: " + IDENTITY #print (IOCFILE) #"IOC FILE: " + IOCFILE #print "---------------------" ######################## # Commond data timestamp = datetime.datetime.fromtimestamp( time.time()).strftime('%Y-%m-%d %H:%M:%S') ######################## # Build STIX 1.2 file info_src = InformationSource() info_src.identity = Identity(name=IDENTITY) NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN") set_id_namespace(NAMESPACE) wrapper = STIXPackage() marking_specification = MarkingSpecification() marking_specification.controlled_structure = "//node() | //@*" tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) # HASH indicators indicatorHASH = Indicator() indicatorHASH.title = TITLE + " - HASH" indicatorHASH.add_indicator_type("File Hash Watchlist") # DOMAIN indicators indiDOMAIN = Indicator() indiDOMAIN.title = TITLE + " - DOMAIN" indiDOMAIN.add_indicator_type("Domain Watchlist") # URL indicators indiURL = Indicator() indiURL.title = TITLE + " - URL" indiURL.add_indicator_type("URL Watchlist") # IP indicators indiIP = Indicator() indiIP.title = TITLE + " - IP" indiIP.add_indicator_type("IP Watchlist") # EMAIL indicators indiEMAIL = Indicator() indiEMAIL.title = TITLE + " - EMAIL" indiEMAIL.add_indicator_type("Malicious E-mail") ######################## # Build STIX 2 file pattern_sha256 = [] pattern_md5 = [] pattern_sha1 = [] pattern_domain = [] pattern_url = [] pattern_ip = [] pattern_email = [] # Marking marking_def_white = stix2.MarkingDefinition(definition_type="tlp", definition={"tlp": "WHITE"}) # campagna # [TODO] aggiungere tutti i campi dello STIX 1.2 (es. IDENTITY) campaign_MAIN = stix2.Campaign(created=timestamp, modified=timestamp, name=TITLE, description=DESCRIPTION, first_seen=timestamp, objective="TBD") ######################## # Read IoC file ioc = loaddata(IOCFILE) if (VERBOSE): print "Reading IoC file " + IOCFILE + "..." for idx, ioc in enumerate(ioc): notfound = 1 # sha256 p = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE) m = p.match(ioc) if m and notfound: # STIX 1.2 filei = File() filei.add_hash(Hash(ioc)) obsi = Observable(filei) indicatorHASH.add_observable(obsi) if (VERBOSE): print "SHA256: " + ioc notfound = 0 # STIX 2 pattern_sha256.append("[file:hashes.'SHA-256' = '" + ioc + "'] OR ") #md5 p = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE) m = p.match(ioc) if m and notfound: # STIX 1.2 filej = File() filej.add_hash(Hash(ioc)) obsj = Observable(filej) indicatorHASH.add_observable(obsj) if (VERBOSE): print "MD5: " + ioc notfound = 0 # STIX 2 pattern_md5.append("[file:hashes.'MD5' = '" + ioc + "'] OR ") #sha1 p = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE) m = p.match(ioc) if m and notfound: # STIX 1.2 filek = File() filek.add_hash(Hash(ioc)) obsk = Observable(filek) indicatorHASH.add_observable(obsk) if (VERBOSE): print "SHA1: " + ioc notfound = 0 # STIX 2 pattern_sha1.append("[file:hashes.'SHA1' = '" + ioc + "'] OR ") #domains if validators.domain(ioc) and notfound: # STIX 1.2 url = URI() url.value = ioc url.type_ = URI.TYPE_DOMAIN url.condition = "Equals" obsu = Observable(url) indiDOMAIN.add_observable(obsu) if (VERBOSE): print "DOMAIN: " + ioc notfound = 0 # STIX 2 pattern_domain.append("[domain-name:value = '" + ioc + "'] OR ") #url if validators.url(ioc) and notfound: # STIX 1.2 url = URI() url.value = ioc url.type_ = URI.TYPE_URL url.condition = "Equals" obsu = Observable(url) indiURL.add_observable(obsu) if (VERBOSE): print "URL: " + ioc notfound = 0 # STIX 2 pattern_url.append("[url:value = '" + ioc + "'] OR ") #ip if validators.ipv4(ioc) and notfound: # STIX 1.2 ip = Address() ip.address_value = ioc obsu = Observable(ip) indiIP.add_observable(obsu) if (VERBOSE): print "IP: " + ioc notfound = 0 # STIX 2 pattern_ip.append("[ipv4-addr:value = '" + ioc + "'] OR ") #email if validators.email(ioc) and notfound: # STIX 1.2 email = EmailAddress() email.address_value = ioc obsu = Observable(email) indiEMAIL.add_observable(obsu) if (VERBOSE): print "Email: " + ioc notfound = 0 # STIX 2 pattern_email.append("[email-message:from_ref.value = '" + ioc + "'] OR ") ######################## # add all indicators to STIX 1.2 wrapper.add_indicator(indicatorHASH) wrapper.add_indicator(indiDOMAIN) wrapper.add_indicator(indiURL) wrapper.add_indicator(indiIP) wrapper.add_indicator(indiEMAIL) ######################## # prepare for STIX 2 bundle_objects = [campaign_MAIN, marking_def_white] if len(pattern_sha256) != 0: stix2_sha256 = "".join(pattern_sha256) stix2_sha256 = stix2_sha256[:-4] indicator_SHA256 = stix2.Indicator( name=TITLE + " - SHA256", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_sha256, object_marking_refs=[marking_def_white]) relationship_indicator_SHA256 = stix2.Relationship( indicator_SHA256, 'indicates', campaign_MAIN) bundle_objects.append(indicator_SHA256) bundle_objects.append(relationship_indicator_SHA256) if len(pattern_md5) != 0: stix2_md5 = "".join(pattern_md5) stix2_md5 = stix2_md5[:-4] indicator_MD5 = stix2.Indicator( name=TITLE + " - MD5", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_md5, object_marking_refs=[marking_def_white]) relationship_indicator_MD5 = stix2.Relationship( indicator_MD5, 'indicates', campaign_MAIN) bundle_objects.append(indicator_MD5) bundle_objects.append(relationship_indicator_MD5) if len(pattern_sha1) != 0: stix2_sha1 = "".join(pattern_sha1) stix2_sha1 = stix2_sha1[:-4] indicator_SHA1 = stix2.Indicator( name=TITLE + " - SHA1", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_sha1, object_marking_refs=[marking_def_white]) relationship_indicator_SHA1 = stix2.Relationship( indicator_SHA1, 'indicates', campaign_MAIN) bundle_objects.append(indicator_SHA1) bundle_objects.append(relationship_indicator_SHA1) if len(pattern_domain) != 0: stix2_domain = "".join(pattern_domain) stix2_domain = stix2_domain[:-4] indicator_DOMAINS = stix2.Indicator( name=TITLE + " - DOMAINS", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_domain, object_marking_refs=[marking_def_white]) relationship_indicator_DOMAINS = stix2.Relationship( indicator_DOMAINS, 'indicates', campaign_MAIN) bundle_objects.append(indicator_DOMAINS) bundle_objects.append(relationship_indicator_DOMAINS) if len(pattern_url) != 0: stix2_url = "".join(pattern_url) stix2_url = stix2_url[:-4] indicator_URLS = stix2.Indicator( name=TITLE + " - URL", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_url, object_marking_refs=[marking_def_white]) relationship_indicator_URLS = stix2.Relationship( indicator_URLS, 'indicates', campaign_MAIN) bundle_objects.append(indicator_URLS) bundle_objects.append(relationship_indicator_URLS) if len(pattern_ip) != 0: stix2_ip = "".join(pattern_ip) stix2_ip = stix2_ip[:-4] indicator_IPS = stix2.Indicator( name=TITLE + " - IPS", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_ip, object_marking_refs=[marking_def_white]) relationship_indicator_IPS = stix2.Relationship( indicator_IPS, 'indicates', campaign_MAIN) bundle_objects.append(indicator_IPS) bundle_objects.append(relationship_indicator_IPS) if len(pattern_email) != 0: stix2_email = "".join(pattern_email) stix2_email = stix2_email[:-4] indicator_EMAILS = stix2.Indicator( name=TITLE + " - EMAILS", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_email, object_marking_refs=[marking_def_white]) relationship_indicator_EMAILS = stix2.Relationship( indicator_EMAILS, 'indicates', campaign_MAIN) bundle_objects.append(indicator_EMAILS) bundle_objects.append(relationship_indicator_EMAILS) # creo il bunble STIX 2 bundle = stix2.Bundle(objects=bundle_objects) ######################## # save to STIX 1.2 file print print "Writing STIX 1.2 package: " + OUTFILEPREFIX + ".stix" f = open(OUTFILEPREFIX + ".stix", "w") f.write(wrapper.to_xml()) f.close() ######################## # save to STIX 2 file print "Writing STIX 2 package: " + OUTFILEPREFIX + ".stix2" g = open(OUTFILEPREFIX + ".stix2", "w") sys.stdout = g print bundle
def main(): ###################################################################### # MODIFICARE LE VARIABILI SEGUENTI # Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28) MyTITLE = "Gootkit" # La description strutturiamola come segue # <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)> DESCRIPTION = "D3Lab - Malspam Gootkit con dropper da 450+ MB - https://www.d3lab.net/malspam-gootkit-con-dropper-da-450-mb/" # La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community IDENTITY = "D3Lab via Cyber Saiyan Community" # ###################################################################### # read IoC files file_sha256 = "CS-sha256.txt" sha256 = loaddata(file_sha256) file_md5 = "CS-md5.txt" md5 = loaddata(file_md5) file_sha1 = "CS-sha1.txt" sha1 = loaddata(file_sha1) file_domains = "CS-domain.txt" domains = loaddata(file_domains) file_urls = "CS-url.txt" urls = loaddata(file_urls) file_ips = "CS-ipv4.txt" ips = loaddata(file_ips) file_emails = "CS-email.txt" emails = loaddata(file_emails) # Build STIX file info_src = InformationSource() info_src.identity = Identity(name=IDENTITY) NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN") set_id_namespace(NAMESPACE) timestamp = datetime.datetime.fromtimestamp( time.time()).strftime('%Y-%m-%d %H:%M:%S') SHORT = timestamp wrapper = STIXPackage() marking_specification = MarkingSpecification() marking_specification.controlled_structure = "//node() | //@*" tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) wrapper.stix_header = STIXHeader( information_source=info_src, title=MyTITLE.encode(encoding='UTF-8', errors='replace'), description=DESCRIPTION.encode(encoding='UTF-8', errors='replace'), short_description=SHORT.encode(encoding='UTF-8', errors='replace')) wrapper.stix_header.handling = handling # HASH indicators indicatorHASH = Indicator() indicatorHASH.title = MyTITLE + " - HASH" indicatorHASH.add_indicator_type("File Hash Watchlist") print "Reading IoC sha256 file..." p = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE) for idx, sha256 in enumerate(sha256): m = p.match(sha256) if m: filei = File() filei.add_hash(Hash(sha256)) obsi = Observable(filei) indicatorHASH.add_observable(obsi) else: print " Malformed sha256: " + sha256 print print "Reading IoC md5 file..." p = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE) for idx, md5 in enumerate(md5): m = p.match(md5) if m: filej = File() filej.add_hash(Hash(md5)) obsj = Observable(filej) indicatorHASH.add_observable(obsj) else: print " Malformed md5: " + md5 print print "Reading IoC sha1 file..." p = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE) for idx, sha1 in enumerate(sha1): m = p.match(sha1) if m: filek = File() filek.add_hash(Hash(sha1)) obsk = Observable(filek) indicatorHASH.add_observable(obsk) else: print " Malformed sha1: " + sha1 print # DOMAIN indicators indiDOMAIN = Indicator() indiDOMAIN.title = MyTITLE + " - DOMAIN" indiDOMAIN.add_indicator_type("Domain Watchlist") print "Reading IoC domains file..." for idu, domains in enumerate(domains): if validators.domain(domains): url = URI() url.value = domains url.type_ = URI.TYPE_DOMAIN url.condition = "Equals" obsu = Observable(url) indiDOMAIN.add_observable(obsu) else: print " Malformed domain: " + domains print # URL indicators indiURL = Indicator() indiURL.title = MyTITLE + " - URL" indiURL.add_indicator_type("URL Watchlist") print "Reading IoC url file..." for idu, urls in enumerate(urls): if validators.url(urls): url = URI() url.value = urls url.type_ = URI.TYPE_URL url.condition = "Equals" obsu = Observable(url) indiURL.add_observable(obsu) else: print " Malformed url: " + urls print # IP indicators indiIP = Indicator() indiIP.title = MyTITLE + " - IP" indiIP.add_indicator_type("IP Watchlist") print "Reading IoC IP file..." for idu, ips in enumerate(ips): if validators.ipv4(ips): ip = Address() ip.address_value = ips obsu = Observable(ip) indiIP.add_observable(obsu) else: print " Malformed IP: " + ips print # EMAIL indicators indiEMAIL = Indicator() indiEMAIL.title = MyTITLE + " - EMAIL" indiEMAIL.add_indicator_type("Malicious E-mail") print "Reading IoC email file..." for idu, emails in enumerate(emails): if validators.email(emails): email = EmailAddress() email.address_value = emails obsu = Observable(email) indiEMAIL.add_observable(obsu) else: print " Malformed email: " + emails print # add all indicators wrapper.add_indicator(indicatorHASH) wrapper.add_indicator(indiDOMAIN) wrapper.add_indicator(indiURL) wrapper.add_indicator(indiIP) wrapper.add_indicator(indiEMAIL) # print STIX file to stdout print "Writing STIX package: package.stix" f = open("package.stix", "w") f.write(wrapper.to_xml()) f.close() print
def gen_stix_observable_sample(config, target=None, datatype=None, title='random test data', description='random test data', package_intents='Indicators - Watchlist', tlp_color='WHITE'): '''generate sample stix data comprised of indicator_count indicators of type datatype''' # setup the xmlns... xmlns_url = config['edge']['sites'][target]['stix']['xmlns_url'] xmlns_name = config['edge']['sites'][target]['stix']['xmlns_name'] set_stix_id_namespace({xmlns_url: xmlns_name}) set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name)) # construct a stix package... stix_package = STIXPackage() stix_header = STIXHeader() stix_header.title = title stix_header.description = description stix_header.package_intents = package_intents marking = MarkingSpecification() marking.controlled_structure = '../../../../descendant-or-self::node()' tlp_marking = TLPMarkingStructure() tlp_marking.color = tlp_color marking.marking_structures.append(tlp_marking) stix_package.stix_header = stix_header stix_package.stix_header.handling = Marking() stix_package.stix_header.handling.add_marking(marking) # ...and stuff it full of random sample data :-) if datatype == 'ip': addr = Address(address_value=datagen.generate_random_ip_address(), category='ipv4-addr') addr.condition = 'Equals' stix_package.add_observable(Observable(addr)) elif datatype == 'domain': domain = DomainName() domain.type_ = 'FQDN' domain.value = datagen.generate_random_domain(config) domain.condition = 'Equals' stix_package.add_observable(Observable(domain)) elif datatype == 'filehash': file_object = File() file_object.file_name = str(uuid.uuid4()) + '.exe' hashes = datagen.generate_random_hashes() for hash in hashes.keys(): file_object.add_hash(Hash(hashes[hash], type_=hash.upper())) for i in file_object.hashes: i.simple_hash_value.condition = "Equals" stix_package.add_observable(Observable(file_object)) elif datatype == 'email': try: msg = datagen.get_random_spam_msg(config) email = EmailMessage() email.header = EmailHeader() header_map = { 'Subject': 'subject', 'To': 'to', 'Cc': 'cc', 'Bcc': 'bcc', 'From': 'from_', 'Sender': 'sender', 'Date': 'date', 'Message-ID': 'message_id', 'Reply-To': 'reply_to', 'In-Reply-To': 'in_reply_to', 'Content-Type': 'content_type', 'Errors-To': 'errors_to', 'Precedence': 'precedence', 'Boundary': 'boundary', 'MIME-Version': 'mime_version', 'X-Mailer': 'x_mailer', 'User-Agent': 'user_agent', 'X-Originating-IP': 'x_originating_ip', 'X-Priority': 'x_priority' } # TODO handle received_lines for key in header_map.keys(): val = msg.get(key, None) if val: email.header.__setattr__(header_map[key], val) email.header.__getattribute__(header_map[key]).condition = \ 'Equals' # TODO handle email bodies (it's mostly all there except for # handling weird text encoding problems that were making # libcybox stacktrace) # body = get_email_payload(random_spam_msg) # if body: # email.raw_body = body stix_package.add_observable(Observable(email)) except: return (None) observable_id = stix_package.observables.observables[0].id_ return (observable_id, stix_package)
ttp = TTP(title="Malware Variant XYZ") related_ttp = RelatedTTP(TTP(idref=ttp.id_)) campaign.related_ttps.append(related_ttp) # Related Incident (basic; by id) incident = Incident(title='We got hacked') t = Time() t.incident_opened = '2018-09-11' incident.time = t related_incident = RelatedIncident(Incident(idref=incident.id_)) campaign.related_incidents.append(related_incident) # Related Indicator (by id) fake = Faker() indicator = Indicator() addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) indicator.add_observable(addr2) related_indicator = RelatedIndicator(Indicator(idref=indicator.id_)) campaign.related_indicators.append(related_indicator) # Related Threat Actor (by id) ta = ThreatActor(title='Albino Rhino') attrib_ta = Attribution() attrib_ta.append(ThreatActor(idref=ta.id_)) campaign.attribution.append(attrib_ta) # Related Campaign (basic; by id) campaign2 = Campaign(title='Another Campaign') cassoc_campaign = CAssociatedCampaigns() cassoc_campaign.append(RelatedCampaign(Campaign(idref=campaign2.id_))) campaign.associated_campaigns = cassoc_campaign
def make_cybox_object(type_, name=None, value=None): """ Converts type_, name, and value to a CybOX object instance. :param type_: The object type. :type type_: str :param name: The object name. :type name: str :param value: The object value. :type value: str :returns: CybOX object """ if type_ == "Account": acct = Account() acct.description = value return acct elif type_ == "Address": return Address(category=name, address_value=value) elif type_ == "Email Message": e = EmailMessage() e.raw_body = value return e elif type_ == "API": api = API() api.description = value return api elif type_ == "Artifact": if name == "Data Region": atype = Artifact.TYPE_GENERIC elif name == 'FileSystem Fragment': atype = Artifact.TYPE_FILE_SYSTEM elif name == 'Memory Region': atype = Artifact.TYPE_MEMORY else: raise UnsupportedCybOXObjectTypeError(type_, name) return Artifact(value, atype) elif type_ == "Code": obj = Code() obj.code_segment = value obj.type = name return obj elif type_ == "Disk": disk = Disk() disk.disk_name = type_ disk.type = name return disk elif type_ == "Disk Partition": disk = DiskPartition() disk.device_name = type_ disk.type = name return disk elif type_ == "DNS Query": r = URI() r.value = value dq = DNSQuestion() dq.qname = r d = DNSQuery() d.question = dq return d elif type_ == "DNS Record": # DNS Record indicators in CRITs are just a free form text box, there # is no good way to map them into the attributes of a DNSRecord cybox # object. So just stuff it in the description until someone tells me # otherwise. d = StructuredText(value=value) dr = DNSRecord() dr.description = d return dr elif type_ == "GUI Dialogbox": obj = GUIDialogbox() obj.box_text = value return obj elif type_ == "GUI Window": obj = GUIWindow() obj.window_display_name = value return obj elif type_ == "HTTP Request Header Fields" and name and name == "User-Agent": # TODO/NOTE: HTTPRequestHeaderFields has a ton of fields for info. # we should revisit this as UI is reworked or CybOX is improved. obj = HTTPRequestHeaderFields() obj.user_agent = value return obj elif type_ == "Library": obj = Library() obj.name = value obj.type = name return obj elif type_ == "Memory": obj = Memory() obj.memory_source = value return obj elif type_ == "Mutex": m = Mutex() m.named = True m.name = String(value) return m elif type_ == "Network Connection": obj = NetworkConnection() obj.layer7_protocol = value return obj elif type_ == "Pipe": p = Pipe() p.named = True p.name = String(value) return p elif type_ == "Port": p = Port() try: p.port_value = PositiveInteger(value) except ValueError: # XXX: Raise a better exception... raise UnsupportedCybOXObjectTypeError(type_, name) return p elif type_ == "Process": p = Process() p.name = String(value) return p elif type_ == "String": return String(value) elif type_ == "System": s = System() s.hostname = String(value) return s elif type_ == "URI": r = URI() r.type_ = name r.value = value return r elif type_ == "User Account": obj = UserAccount() obj.username = value return obj elif type_ == "Volume": obj = Volume() obj.name = value return obj elif type_ == "Win Driver": w = WinDriver() w.driver_name = String(value) return w elif type_ == "Win Event Log": obj = WinEventLog() obj.log = value return obj elif type_ == "Win Event": w = WinEvent() w.name = String(value) return w elif type_ == "Win Handle": obj = WinHandle() obj.type_ = name obj.object_address = value return obj elif type_ == "Win Kernel Hook": obj = WinKernelHook() obj.description = value return obj elif type_ == "Win Mailslot": obj = WinMailslot() obj.name = value return obj elif type_ == "Win Network Share": obj = WinNetworkShare() obj.local_path = value return obj elif type_ == "Win Process": obj = WinProcess() obj.window_title = value return obj elif type_ == "Win Registry Key": obj = WinRegistryKey() obj.key = value return obj elif type_ == "Win Service": obj = WinService() obj.service_name = value return obj elif type_ == "Win System": obj = WinSystem() obj.product_name = value return obj elif type_ == "Win Task": obj = WinTask() obj.name = value return obj elif type_ == "Win User Account": obj = WinUser() obj.security_id = value return obj elif type_ == "Win Volume": obj = WinVolume() obj.drive_letter = value return obj elif type_ == "X509 Certificate": obj = X509Certificate() obj.raw_certificate = value return obj """ The following are types that are listed in the 'Indicator Type' box of the 'New Indicator' dialog in CRITs. These types, unlike those handled above, cannot be written to or read from CybOX at this point. The reason for the type being omitted is written as a comment inline. This can (and should) be revisited as new versions of CybOX are released. NOTE: You will have to update the corresponding make_crits_object function with handling for the reverse direction. In the mean time, these types will raise unsupported errors. """ #elif type_ == "Device": # No CybOX API #elif type_ == "DNS Cache": # No CybOX API #elif type_ == "GUI": # revisit when CRITs supports width & height specification #elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs #elif type_ == "Linux Package": # No CybOX API #elif type_ == "Network Packet": # No good mapping between CybOX/CRITs #elif type_ == "Network Route Entry": # No CybOX API #elif type_ == "Network Route": # No CybOX API #elif type_ == "Network Subnet": # No CybOX API #elif type_ == "Semaphore": # No CybOX API #elif type_ == "Socket": # No good mapping between CybOX/CRITs #elif type_ == "UNIX File": # No CybOX API #elif type_ == "UNIX Network Route Entry": # No CybOX API #elif type_ == "UNIX Pipe": # No CybOX API #elif type_ == "UNIX Process": # No CybOX API #elif type_ == "UNIX User Account": # No CybOX API #elif type_ == "UNIX Volume": # No CybOX API #elif type_ == "User Session": # No CybOX API #elif type_ == "Whois": # No good mapping between CybOX/CRITs #elif type_ == "Win Computer Account": # No CybOX API #elif type_ == "Win Critical Section": # No CybOX API #elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs #elif type_ == "Win File": # No good mapping between CybOX/CRITs #elif type_ == "Win Kernel": # No CybOX API #elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs #elif type_ == "Win Network Route Entry": # No CybOX API #elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs #elif type_ == "Win Prefetch": # No CybOX API #elif type_ == "Win Semaphore": # No CybOX API #elif type_ == "Win System Restore": # No CybOX API #elif type_ == "Win Thread": # No good mapping between CybOX/CRITs #elif type_ == "Win Waitable Timer": # No CybOX API raise UnsupportedCybOXObjectTypeError(type_, name)
def resolve_ip_type(attribute_type, attribute_value): address_object = Address() if '|' in attribute_value: attribute_value = attribute_value.split('|')[0] if '/' in attribute_value: attribute_value = attribute_value.split('/')[0] address_object.category = "cidr" condition = "Contains" else: try: socket.inet_aton(attribute_value) address_object.category = "ipv4-addr" except socket.error: address_object.category = "ipv6-addr" condition = "Equals" if attribute_type.startswith("ip-src"): address_object.is_source = True address_object.is_destination = False else: address_object.is_source = False address_object.is_destination = True address_object.address_value = attribute_value address_object.condition = condition return address_object
def build(self): """Define the STIX report.""" self.stix_header.title = self.pulse["name"] self.stix_header.description = self.pulse["description"] self.stix_header.package_intents = "Indicators" self.stix_header.information_source = InformationSource() self.stix_header.information_source.time = Time() self.stix_header.information_source.time.received_time = self.pulse[ "modified"] self.stix_header.information_source.time.produced_time = self.stix_package.timestamp self.stix_header.information_source.identity = Identity() self.stix_header.information_source.identity.name = IDENTITY_NAME # self.stix_package.stix_header = self.stix_header # self.stix_package.stix_header.handling = self._marking() # self.report = Report() # self.report.header = Header() # self.report.header.title = self.pulse["name"] # self.report.header.descriptions = self.pulse["description"] # self.report.header.intents = "Indicators" # self.report.header.short_description = "%spulse/%s" % ( # PULSE_SERVER_BASE, str(self.pulse["id"])) # self.report.header.information_source = InformationSource() # self.report.header.information_source.time = Time() # self.report.header.information_source.time.received_time = self.pulse[ # "modified"] # self.report.header.information_source.time.produced_time = self.report.timestamp # self.report.header.information_source.identity = Identity() # self.report.header.information_source.identity.name = IDENTITY_NAME hashes = False addresses = False emails = False domains = False urls = False mutex = False hash_indicator = Indicator() hash_indicator.set_producer_identity(IDENTITY_NAME) hash_indicator.set_produced_time(hash_indicator.timestamp) hash_indicator.set_received_time(self.pulse["modified"]) hash_indicator.title = "[OTX] [Files] " + self.pulse["name"] hash_indicator.add_indicator_type("File Hash Watchlist") hash_indicator.confidence = "Low" address_indicator = Indicator() address_indicator.set_producer_identity(IDENTITY_NAME) address_indicator.set_produced_time(address_indicator.timestamp) address_indicator.set_received_time(self.pulse["modified"]) address_indicator.title = "[OTX] [IP] " + self.pulse["name"] address_indicator.add_indicator_type("IP Watchlist") address_indicator.confidence = "Low" domain_indicator = Indicator() domain_indicator.set_producer_identity(IDENTITY_NAME) domain_indicator.set_produced_time(domain_indicator.timestamp) domain_indicator.set_received_time(self.pulse["modified"]) domain_indicator.title = "[OTX] [Domain] " + self.pulse["name"] domain_indicator.add_indicator_type("Domain Watchlist") domain_indicator.confidence = "Low" url_indicator = Indicator() url_indicator.set_producer_identity(IDENTITY_NAME) url_indicator.set_produced_time(url_indicator.timestamp) url_indicator.set_received_time(self.pulse["modified"]) url_indicator.title = "[OTX] [URL] " + self.pulse["name"] url_indicator.add_indicator_type("URL Watchlist") url_indicator.confidence = "Low" email_indicator = Indicator() email_indicator.set_producer_identity(IDENTITY_NAME) email_indicator.set_produced_time(email_indicator.timestamp) email_indicator.set_received_time(self.pulse["modified"]) email_indicator.title = "[OTX] [Email] " + self.pulse["name"] email_indicator.add_indicator_type("Malicious E-mail") email_indicator.confidence = "Low" mutex_indicator = Indicator() mutex_indicator.set_producer_identity(IDENTITY_NAME) mutex_indicator.set_produced_time(mutex_indicator.timestamp) mutex_indicator.set_received_time(self.pulse["modified"]) mutex_indicator.title = "[OTX] [Mutex] " + self.pulse["name"] mutex_indicator.add_indicator_type("Malware Artifacts") mutex_indicator.confidence = "Low" for p_indicator in self.pulse["indicators"]: if p_indicator["type"] in self.hash_translation: file_object = File() file_object.add_hash(Hash(p_indicator["indicator"])) file_object.hashes[0].simple_hash_value.condition = "Equals" file_object.hashes[0].type_.condition = "Equals" file_obs = Observable(file_object) file_obs.title = "File: " + \ str(file_object.hashes[0].type_) + \ " - " + p_indicator["indicator"] hash_indicator.add_observable(file_obs) try: hash_indicator.description = p_indicator["description"] except KeyError: hash_indicator.description = "" hashes = True elif p_indicator["type"] in self.address_translation: ip = Address() ip.address_value = p_indicator["indicator"] ip.category = self.address_translation[p_indicator["type"]] ip.address_value.condition = "Equals" ip_obs = Observable(ip) ip_obs.title = "Address: " + str(ip.address_value) address_indicator.add_observable(ip_obs) try: address_indicator.description = p_indicator["description"] except KeyError: address_indicator.description = "" addresses = True elif p_indicator["type"] in self.name_translation: domain = DomainName() domain.value = p_indicator["indicator"] domain.type_ = "FQDN" domain.value.condition = "Equals" domain_obs = Observable(domain) domain_obs.title = "Domain: " + str(domain.value) domain_indicator.add_observable(domain_obs) try: domain_indicator.description = p_indicator["description"] except KeyError: domain_indicator.description = "" domains = True elif p_indicator["type"] == "URL": url = URI() url.value = p_indicator["indicator"] url.type_ = URI.TYPE_URL url.value.condition = "Equals" url_obs = Observable(url) url_obs.title = "URI: " + str(url.value) url_indicator.add_observable(url_obs) try: url_indicator.description = p_indicator["description"] except KeyError: url_indicator.description = "" urls = True elif p_indicator["type"] == "email": email = Address() email.address_value = p_indicator["indicator"] email.category = "e-mail" email.address_value.condition = "Equals" email_obs = Observable(email) email_obs.title = "Address: " + str(email.address_value) email_indicator.add_observable(email_obs) try: email_indicator.description = p_indicator["indicator"] except KeyError: email_indicator.description = "" emails = True elif p_indicator["type"] == "Mutex": mutex = Mutex() mutex.name = p_indicator["indicator"] mutex.named = True mutex_obs = Observable(mutex) mutex_obs.title = "Mutex: " + str(mutex.name) mutex_indicator.add_observable(mutex_obs) try: mutex_indicator.description = p_indicator["indicator"] except KeyError: mutex_indicator.description = "" mutex = True else: continue if hashes: self.stix_package.add_indicator(hash_indicator) if addresses: self.stix_package.add_indicator(address_indicator) if domains: self.stix_package.add_indicator(domain_indicator) if urls: self.stix_package.add_indicator(url_indicator) if emails: self.stix_package.add_indicator(email_indicator) if mutex: self.stix_package.add_indicator(mutex_indicator)
class RelatedObjectTest(EntityTestCase, unittest.TestCase): klass = RelatedObject _full_dict = { 'id': "example:Object-1", 'relationship': u("Created"), } def setUp(self): self.ip = Address("192.168.1.1", Address.CAT_IPV4) self.domain = URI("example.local", URI.TYPE_DOMAIN) def test_inline_changes_parent_id(self): old_domain_parent_id = self.domain.parent.id_ old_ip_parent_id = self.ip.parent.id_ self.domain.add_related(self.ip, "Resolved_To", inline=True) self.assertEqual(old_domain_parent_id, self.domain.parent.id_) self.assertNotEqual(old_ip_parent_id, self.ip.parent.id_) def test_noninline_does_not_change_parent_id(self): old_domain_parent_id = self.domain.parent.id_ old_ip_parent_id = self.ip.parent.id_ self.domain.add_related(self.ip, "Resolved_To", inline=False) self.assertEqual(old_domain_parent_id, self.domain.parent.id_) self.assertEqual(old_ip_parent_id, self.ip.parent.id_) def test_no_relationships(self): self._test_round_trip(Observables([self.ip, self.domain])) def test_inline(self): self.domain.add_related(self.ip, "Resolved_To", inline=True) o2 = self._test_round_trip(Observables(self.domain)) self._test_returned_objects(o2) expected_id = self.ip.parent.id_ # Domain is the first observable, and has an inlined object with an id actual_id = o2.observables[0].object_.related_objects[0].id_ self.assertEqual(expected_id, actual_id) def test_backward_relationship(self): self.domain.add_related(self.ip, "Resolved_To", inline=False) # IP should already be known before Domain is parsed o2 = self._test_round_trip(Observables([self.ip, self.domain])) self._test_returned_objects(o2) expected_id = self.ip.parent.id_ # Domain is the second observable, and should only have an IDREF actual_id = o2.observables[1].object_.related_objects[0].idref self.assertEqual(expected_id, actual_id) def test_forward_relationship(self): self.domain.add_related(self.ip, "Resolved_To", inline=False) o1 = Observables([self.domain, self.ip]) # The "related" IP object will be encountered in the Domain object # before the actual IP has been seen. Make sure this doesn't break. o2 = self._test_round_trip(o1) self._test_returned_objects(o2) expected_id = self.ip.parent.id_ # Domain is the second observable, and should only have an IDREF actual_id = o2.observables[0].object_.related_objects[0].idref self.assertEqual(expected_id, actual_id) def test_missing_related_object(self): self.domain.add_related(self.ip, "Resolved_To", inline=False) # If we only include the domain, the dereference will fail. o2 = self._test_round_trip(Observables([self.domain])) rel_obj = o2.observables[0].object_.related_objects[0] self.assertRaises(CacheMiss, rel_obj.get_properties) def test_relationship_standard_xsitype(self): d = { 'id': "example:Object-1", 'relationship': u("Created"), } self._test_round_trip_dict(d) def test_relationship_nonstandard_xsitype(self): d = { 'id': "example:Object-1", 'relationship': { 'value': u("Created"), 'xsi:type': "Foo", } } self._test_round_trip_dict(d) def test_relationship_vocabnameref(self): d = { 'id': "example:Object-1", 'relationship': { 'value': u("Created"), 'vocab_name': "Foo", 'vocab_reference': "http://example.com/FooVocab", } } self._test_round_trip_dict(d) def _test_round_trip(self, observables): self.maxDiff = None logger.info(observables.to_xml()) observables2 = round_trip(observables) self.assertEqual(observables.to_dict(), observables2.to_dict()) return observables2 def _test_returned_objects(self, o2): # Get the Domain object (ID will contain "URI") for obs in o2.observables: if "URI" in obs.object_.id_: ip_obj = obs.object_.related_objects[0] break # Check that the properties are identical self.assertEqual(self.ip.to_dict(), ip_obj.get_properties().to_dict()) def _test_round_trip_dict(self, d): d2 = round_trip_dict(RelatedObject, d) self.maxDiff = None self.assertEqual(d, d2) def test_properties_not_in_inline(self): # https://github.com/CybOXProject/python-cybox/issues/287 o1 = Object(self.domain) o2 = Object(self.ip) o1.add_related(self.ip, "Resolved_To", inline=False) xml = o1.to_xml(encoding=None) print(xml) self.assertTrue(o1.id_ in xml) self.assertTrue(o2.id_ in xml) self.assertFalse(str(self.ip.address_value) in xml)
def test_unicode(self): a = "\u00fc\u00f1\u00ed\[email protected]" addr = Address(a, Address.CAT_EMAIL) addr2 = cybox.test.round_trip(addr) self.assertEqual(addr.to_dict(), addr2.to_dict())