Esempio n. 1
0
 def __get_inspected_objs(self, source_file):
     email1 = EmailMessage()
     email1.from_ = '*****@*****.**'
     email1.to = '*****@*****.**'
     email1.subject = 'Subject1'
     email1.date = DateTime('21-06-2015T19:52:00')
     email1.add_related(source_file, "Extracted_From", inline=False)
     return [email1]
    def test_get_namespaces(self):
        m = EmailMessage()
        m.to = "*****@*****.**"
        m.subject = "Here's a cool picture"
        m.links = Links()
        u = URI("http://example.com/cool.jpg", URI.TYPE_URL)
        m.links.append(u.parent.id_)

        self.assertEqual(5, len(Observables([u, m])._get_namespaces()))
def main():
    m = EmailMessage()
    m.from_ = ["*****@*****.**",
               "*****@*****.**",
               "*****@*****.**"]
    m.from_.condition = "Equals"
    m.subject = "New modifications to the specification"
    m.subject.condition = "Equals"

    print(Observables(m).to_xml())
Esempio n. 4
0
def main():
    m = EmailMessage()
    m.to = ["*****@*****.**", "*****@*****.**"]
    m.from_ = "*****@*****.**"
    m.subject = "New modifications to the specification"

    a = Address("192.168.1.1", Address.CAT_IPV4)

    m.add_related(a, "Received_From", inline=False)

    print(Observables([m, a]).to_xml(encoding=None))
def main():
    m = EmailMessage()
    m.to = ["*****@*****.**", "*****@*****.**"]
    m.from_ = "*****@*****.**"
    m.subject = "New modifications to the specification"

    a = Address("192.168.1.1", Address.CAT_IPV4)

    m.add_related(a, "Received_From", inline=False)

    print(Observables([m, a]).to_xml(encoding=None))
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    m = EmailMessage()
    m.from_ = ["*****@*****.**",
               "*****@*****.**",
               "*****@*****.**"]
    m.from_.condition = "Equals"
    m.subject = "New modifications to the specification"
    m.subject.condition = "Equals"

    print(Observables(m).to_xml())
Esempio n. 7
0
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    m = EmailMessage()
    m.from_ = ["*****@*****.**",
               "*****@*****.**",
               "*****@*****.**"]
    m.from_.condition = "Equals"
    m.subject = "New modifications to the specification"
    m.subject.condition = "Equals"

    print Observables(m).to_xml()
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    m = EmailMessage()
    m.to = ["*****@*****.**", "*****@*****.**"]
    m.from_ = "*****@*****.**"
    m.subject = "New modifications to the specification"

    a = Address("192.168.1.1", Address.CAT_IPV4)

    m.add_related(a, "Received_From", inline=False)

    print Observables([m, a]).to_xml()
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    m = EmailMessage()
    m.to = ["*****@*****.**", "*****@*****.**"]
    m.from_ = "*****@*****.**"
    m.subject = "New modifications to the specification"

    a = Address("192.168.1.1", Address.CAT_IPV4)

    m.add_related(a, "Received_From", inline=False)

    print(Observables([m, a]).to_xml())
Esempio n. 10
0
    def test_get_namespaces(self):
        m = EmailMessage()
        m.to = "*****@*****.**"
        m.subject = "Here's a cool picture"
        m.links = Links()
        u = URI("http://example.com/cool.jpg", URI.TYPE_URL)
        m.links.append(u.parent.id_)

        o = Observables([u, m])
        logger.info(o.to_xml())
        actual_namespaces = o._get_namespaces()

        logger.info("\n".join([str(x) for x in actual_namespaces]))

        self.assertEqual(5, len(actual_namespaces))
Esempio n. 11
0
    def test_get_namespaces(self):
        m = EmailMessage()
        m.to = "*****@*****.**"
        m.subject = "Here's a cool picture"
        m.links = Links()
        u = URI("http://example.com/cool.jpg", URI.TYPE_URL)
        m.links.append(u.parent.id_)

        o = Observables([u, m])
        print o.to_xml()
        actual_namespaces = o._get_namespaces()

        print "\n".join([str(x) for x in actual_namespaces])

        self.assertEqual(5, len(actual_namespaces))
Esempio n. 12
0
def main():
    print '<?xml version="1.0" encoding="UTF-8"?>'

    attachment = File()
    attachment.file_name = "FooBar Specification (critical revision).doc"
    attachment.add_hash(Hash("4EC0027BEF4D7E1786A04D021FA8A67F"))

    email = EmailMessage()
    email.attachments.append(attachment)
    email.subject = String("New modifications to the specification")
    email.to = EmailRecipients(EmailAddress("*****@*****.**"),
                               EmailAddress("*****@*****.**"))
    email.from_ = EmailAddress("*****@*****.**")


    print Observables(email).to_xml()
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    # �I�u�W�F�N�g�̍쐬�iEmailMesage)
    m = EmailMessage()
    # �I�u�W�F�N�g�Ɋ֘A�t��
    m.to = ["*****@*****.**", "*****@*****.**"]
    m.from_ = "*****@*****.**"
    m.subject = "New modifications to the specification"

    # �I�u�W�F�N�g�̍쐬�iAdress)
    a = Address("192.168.1.1", Address.CAT_IPV4)

    # �I�u�W�F�N�g�Ԃ̊֘A
    m.add_related(a, "Received_From", inline=False)
    a.add_related(m, "Received_to", inline=False)

    print Observables([m, a]).to_xml()
Esempio n. 14
0
def main(argv):
    ######################################################################
    # Se non impostati da command line vengono utilizzati i seguenti valori per TITLE, DESCRIPTION, IDENTITY
    # Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28)
    TITLE = "Test"

    # La description strutturiamola come segue
    # <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)>
    DESCRIPTION = "Cyber Saiyan - Test - https://infosharing.cybersaiyan.it"

    # La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community 
    IDENTITY = "Cyber Saiyan Community"

    # File degli IoC
    IOCFILE = "CS-ioc.txt"

    # Prefisso STIX output files STIX 1.2 e STIX 2
    OUTFILEPREFIX = "package"

    # Short Description - UNUSED
    SHORT = "unused"
    ######################################################################

    VERBOSE = 0

    # Parse ARGV[]
    try:
        opts, args = getopt.getopt(argv, "ht:d:i:f:o:v")
    except getopt.GetoptError:
        print(
            "CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]")
        sys.exit(2)

    for opt, arg in opts:
        if opt == "-h":
            print(
                "CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]")
            sys.exit()
        elif opt == "-t":
            TITLE = arg
        elif opt == "-d":
            DESCRIPTION = arg
        elif opt == "-i":
            IDENTITY = arg
        elif opt == "-f":
            IOCFILE = arg
        elif opt == "-o":
            OUTFILEPREFIX = arg
        elif opt == "-v":
            VERBOSE = 1

    print("---------------------")
    print("TITLE: " + TITLE)
    print("DESCRIPTION: " + DESCRIPTION)
    print("IDENTITY: " + IDENTITY)
    print("IOC FILE: " + IOCFILE)
    print("---------------------")

    ########################
    # Commond data
    timestamp = datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S")

    ########################
    # Build STIX 1.2 file
    info_src = InformationSource()
    info_src.identity = Identity(name=IDENTITY)

    NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
    set_id_namespace(NAMESPACE)

    wrapper = STIXPackage()

    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = "white"
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    wrapper.stix_header = STIXHeader(information_source=info_src,
                                     title=TITLE,
                                     description=DESCRIPTION,
                                     short_description=SHORT)
    wrapper.stix_header.handling = handling

    # HASH indicators
    indicatorHASH = Indicator()
    indicatorHASH.title = TITLE + " - HASH"
    indicatorHASH.add_indicator_type("File Hash Watchlist")

    # DOMAIN indicators
    indiDOMAIN = Indicator()
    indiDOMAIN.title = TITLE + " - DOMAIN"
    indiDOMAIN.add_indicator_type("Domain Watchlist")

    # URL indicators
    indiURL = Indicator()
    indiURL.title = TITLE + " - URL"
    indiURL.add_indicator_type("URL Watchlist")

    # IP indicators
    indiIP = Indicator()
    indiIP.title = TITLE + " - IP"
    indiIP.add_indicator_type("IP Watchlist")

    # EMAIL indicators
    indiEMAIL = Indicator()
    indiEMAIL.title = TITLE + " - EMAIL"
    indiEMAIL.add_indicator_type("Malicious E-mail")

    ########################
    # Build STIX 2 file
    pattern_sha256 = []
    pattern_md5 = []
    pattern_sha1 = []
    pattern_domain = []
    pattern_url = []
    pattern_ip = []
    pattern_email = []

    # Marking
    marking_def_white = stix2.TLP_WHITE

    # campagna
    # [TODO] aggiungere tutti i campi dello STIX 1.2 (es. IDENTITY)
    campaign_MAIN = stix2.Campaign(
        created=timestamp,
        modified=timestamp,
        name=TITLE,
        description=DESCRIPTION,
        first_seen=timestamp,
        objective="TBD"
    )

    ########################
    # Read IoC file
    loaddata(IOCFILE)

    if (VERBOSE): print("Reading IoC file " + IOCFILE + "...")
    ioccount = 0

    # sha256
    for ioc in listSHA256:
        # STIX 1.2
        filei = File()
        filei.add_hash(Hash(ioc))

        obsi = Observable(filei)
        indicatorHASH.add_observable(obsi)
        if (VERBOSE): print("SHA256: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_sha256.append("[file:hashes.'SHA-256' = '" + ioc + "'] OR ")

    # md5
    for ioc in listMD5:
        # STIX 1.2
        filej = File()
        filej.add_hash(Hash(ioc))

        obsj = Observable(filej)
        indicatorHASH.add_observable(obsj)
        if (VERBOSE): print("MD5: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_md5.append("[file:hashes.'MD5' = '" + ioc + "'] OR ")

    # sha1
    for ioc in listSHA1:
        # STIX 1.2
        filek = File()
        filek.add_hash(Hash(ioc))

        obsk = Observable(filek)
        indicatorHASH.add_observable(obsk)
        if (VERBOSE): print("SHA1: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_sha1.append("[file:hashes.'SHA1' = '" + ioc + "'] OR ")

    # domains
    for ioc in listDOMAIN:
        # STIX 1.2
        url = URI()
        url.value = ioc
        url.type_ = URI.TYPE_DOMAIN
        url.condition = "Equals"

        obsu = Observable(url)
        indiDOMAIN.add_observable(obsu)
        if (VERBOSE): print("DOMAIN: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_domain.append("[domain-name:value = '" + ioc + "'] OR ")

    # url
    for ioc in listURL:
        # STIX 1.2
        url = URI()
        url.value = ioc
        url.type_ = URI.TYPE_URL
        url.condition = "Equals"

        obsu = Observable(url)
        indiURL.add_observable(obsu)
        if (VERBOSE): print("URL: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_url.append("[url:value = '" + ioc + "'] OR ")

    # ip
    for ioc in listIP:
        # STIX 1.2
        ip = Address()
        ip.address_value = ioc

        obsu = Observable(ip)
        indiIP.add_observable(obsu)
        if (VERBOSE): print("IP: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_ip.append("[ipv4-addr:value = '" + ioc + "'] OR ")

    # email
    for ioc in listEMAIL:
        # STIX 1.2
        email = EmailAddress()
        email.address_value = ioc

        obsu = Observable(email)
        indiEMAIL.add_observable(obsu)

        if (VERBOSE): print("Email: " + ioc)
        ioccount += 1

        # STIX 2
        pattern_email.append("[email-message:from_ref.value = '" + ioc + "'] OR ")

    # subject
    for ioc in listSUBJECT:
        # STIX 1.2
        emailsubject = EmailMessage()
        emailsubject.subject = ioc

        obsu = Observable(emailsubject)
        indiEMAIL.add_observable(obsu)

        if (VERBOSE): print("Subject: " + ioc)
        ioccount += 1

        # STIX 2 (http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html)
        # Replace all quotes in a subject string with escaped quotes
        pattern_email.append("[email-message:subject = '" + ioc.replace("'", "\\'") + "'] OR ")

    ########################
    # add all indicators to STIX 1.2
    wrapper.add_indicator(indicatorHASH)
    wrapper.add_indicator(indiDOMAIN)
    wrapper.add_indicator(indiURL)
    wrapper.add_indicator(indiIP)
    wrapper.add_indicator(indiEMAIL)

    ########################
    # prepare for STIX 2
    bundle_objects = [campaign_MAIN, marking_def_white]

    if len(pattern_sha256) != 0:
        stix2_sha256 = "".join(pattern_sha256)
        stix2_sha256 = stix2_sha256[:-4]

        indicator_SHA256 = stix2.Indicator(
            name=TITLE + " - SHA256",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_sha256,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_SHA256 = stix2.Relationship(indicator_SHA256, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_SHA256)
        bundle_objects.append(relationship_indicator_SHA256)

    if len(pattern_md5) != 0:
        stix2_md5 = "".join(pattern_md5)
        stix2_md5 = stix2_md5[:-4]

        indicator_MD5 = stix2.Indicator(
            name=TITLE + " - MD5",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_md5,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_MD5 = stix2.Relationship(indicator_MD5, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_MD5)
        bundle_objects.append(relationship_indicator_MD5)

    if len(pattern_sha1) != 0:
        stix2_sha1 = "".join(pattern_sha1)
        stix2_sha1 = stix2_sha1[:-4]

        indicator_SHA1 = stix2.Indicator(
            name=TITLE + " - SHA1",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_sha1,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_SHA1 = stix2.Relationship(indicator_SHA1, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_SHA1)
        bundle_objects.append(relationship_indicator_SHA1)

    if len(pattern_domain) != 0:
        stix2_domain = "".join(pattern_domain)
        stix2_domain = stix2_domain[:-4]

        indicator_DOMAINS = stix2.Indicator(
            name=TITLE + " - DOMAINS",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_domain,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_DOMAINS = stix2.Relationship(indicator_DOMAINS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_DOMAINS)
        bundle_objects.append(relationship_indicator_DOMAINS)

    if len(pattern_url) != 0:
        stix2_url = "".join(pattern_url)
        stix2_url = stix2_url[:-4]

        indicator_URLS = stix2.Indicator(
            name=TITLE + " - URL",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_url,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_URLS = stix2.Relationship(indicator_URLS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_URLS)
        bundle_objects.append(relationship_indicator_URLS)

    if len(pattern_ip) != 0:
        stix2_ip = "".join(pattern_ip)
        stix2_ip = stix2_ip[:-4]

        indicator_IPS = stix2.Indicator(
            name=TITLE + " - IPS",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_ip,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_IPS = stix2.Relationship(indicator_IPS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_IPS)
        bundle_objects.append(relationship_indicator_IPS)

    if len(pattern_email) != 0:
        stix2_email = "".join(pattern_email)
        stix2_email = stix2_email[:-4]

        indicator_EMAILS = stix2.Indicator(
            name=TITLE + " - EMAILS",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_email,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_EMAILS = stix2.Relationship(indicator_EMAILS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_EMAILS)
        bundle_objects.append(relationship_indicator_EMAILS)

    # creo il bunble STIX 2
    bundlestix2 = stix2.Bundle(objects=bundle_objects)

    if (ioccount > 0):
        ########################
        # save to STIX 1.2 file
        print("Writing STIX 1.2 package: " + OUTFILEPREFIX + ".stix")
        f = open(OUTFILEPREFIX + ".stix", "wb")
        f.write(wrapper.to_xml())
        f.close()

        ########################
        # save to STIX 2 file
        print("Writing STIX 2 package: " + OUTFILEPREFIX + ".stix2")
        g = open(OUTFILEPREFIX + ".stix2", "w")
        g.write(str(bundlestix2))
        g.close()
    else:
        print("No IoC found")