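def hostchars_indicator(hostnames=None):
    """Build an Indicator of type "Host Characteristics" from hostnames.

    :param hostnames: iterable of hostname strings; each one becomes a
        Hostname observable on the indicator. Defaults to no hostnames.
    :return: the populated Indicator
    """
    # The former default of [] is a single list object shared by every call
    # that omits the argument; None + a fresh list avoids that.
    if hostnames is None:
        hostnames = []
    hostchars = Indicator()
    hostchars.add_indicator_type("Host Characteristics")
    for h in hostnames:
        hostname = Hostname()
        hostname.hostname_value = h
        hostchars.add_observable(hostname)
    return hostchars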
def create_host_indicator(self, host_indicator):
    """Wrap one hostname in a 'Domain Watchlist' Indicator.

    :param host_indicator: hostname string to watch for; it is attached as
        a Hostname observable with the 'Equals' condition
    :return: the new Indicator holding that single observable
    """
    watchlist = Indicator()
    watchlist.title = 'Hostname of site hosting malware'
    watchlist.add_indicator_type('Domain Watchlist')

    watched_host = Hostname()
    watched_host.value = host_indicator
    watched_host.condition = 'Equals'

    watchlist.add_observable(watched_host)
    return watchlist
def add_obs_to_pkg(obs, pkg):
    """Add the observables described by ``obs`` to ``pkg``.

    ``obs`` may carry any of the keys "ip", "host" and "domain", each
    mapping to a list of string values. They are added, in that order,
    as Address, Hostname and DomainName observables respectively.

    :param obs: mapping of observable kind -> list of values
    :param pkg: package with an ``add_observable`` method
    :return: ``pkg``
    """
    # (key in obs, observable class, attribute that carries the value)
    kinds = (
        ("ip", Address, "address_value"),
        ("host", Hostname, "hostname_value"),
        ("domain", DomainName, "value"),
    )
    for key, cls, attr in kinds:
        if key not in obs:
            continue
        for value in obs[key]:
            observable = cls()
            setattr(observable, attr, value)
            pkg.add_observable(observable)
    return pkg
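def _set_search_items_from_hostname_object(patterns, prop):
    u''' extract and set search key/value items from Cybox binding HostName Object

    :param patterns: search-item container, passed through to _add_search_item
    :param prop: a cybox.bindings HostnameObjectType; None or any other type
        is ignored
    '''
    if prop is None or type(prop) != HostnameObjectType:
        return
    # translate cybox.bindings object to cybox.objects object
    obj = Hostname.from_obj(prop)
    # Host Name
    if obj.hostname_value is not None:
        host = unicode(obj.hostname_value)
        # A bracketed value such as "[a,b,c]" holds several names: strip the
        # brackets and add each member. The former slice ended at len-2 and
        # silently dropped the last character of the final name; the length
        # check keeps an empty value from raising IndexError.
        if len(host) >= 2 and host[0] == '[' and host[-1] == ']':
            _add_search_item(patterns, u"HostName", host[1:-1].split(','))
        else:
            _add_search_item(patterns, u"HostName", host)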
def convert_address_ref(obj2x, direction, obs2x_id):
    """Build a SocketAddress from a STIX 2.x ``<direction>_ref``/``_port`` pair.

    :param obj2x: STIX 2.x object dict that may hold "<direction>_ref"
        and/or "<direction>_port"
    :param direction: key prefix, e.g. "src" or "dst"
    :param obs2x_id: id of the enclosing 2.x observable, used in the
        warning when the ref does not resolve in _STIX1X_OBJS
    :return: a SocketAddress, or None when neither key is present or the
        ref is unresolved and no port is given
    """
    ref_key = "%s_ref" % direction
    port_key = "%s_port" % direction
    result = None

    if ref_key in obj2x:
        ref = obj2x[ref_key]
        if ref in _STIX1X_OBJS:
            result = SocketAddress()
            resolved = _STIX1X_OBJS[ref]
            if isinstance(resolved, Address):
                result.ip_address = resolved
            elif isinstance(resolved, DomainName):
                # A domain ref becomes a Hostname carrying the domain value.
                result.hostname = Hostname()
                result.hostname.hostname_value = resolved.value
        else:
            warn("%s is not an index found in %s", 306, ref, obs2x_id)

    if port_key in obj2x:
        # A port alone still yields a SocketAddress.
        if not result:
            result = SocketAddress()
        result.port = Port()
        result.port.port_value = obj2x[port_key]

    return result
def test_missing_naming_system(self):
    """A Hostname built without a naming_system still serialises its value."""
    expected_value = "www.example2.com"
    hn = Hostname.from_dict({'hostname_value': expected_value})
    self.assertIn(expected_value, hn.to_xml())
def addsec_to_cybox(as_obtype, as_obdata):
    """Map one Addition Security observable onto a discrete CybOX object.

    :param as_obtype: Addition Security data-type code (see the builders
        below for the codes that are mapped)
    :param as_obdata: the observable's value
    :return: the CybOX object for that type, or None for types that have
        no mapping yet
    """
    # Addition Security to CybOX mappings, for discrete/separate observables.
    # Each builder closes over as_obtype / as_obdata.

    def build_api():          # 30: DataTypeSymbolName
        api = API()
        api.function_name = as_obdata
        return api

    def build_library():      # 32: DataTypeLibraryName
        lib = Library()
        lib.name = as_obdata
        lib.path = as_obdata
        return lib

    def build_user():         # 14: DataTypeUsername
        account = UserAccount()
        account.username = as_obdata
        return account

    def build_file():         # 10: DataTypeFile
        fobj = File()
        fobj.full_path = as_obdata
        return fobj

    def build_hostname():     # 23: DataTypeHostname
        host = Hostname()
        host.hostname_value = as_obdata
        return host

    def build_env():          # 29: DataTypeEnvString
        # Process stands for the hosting process; the environment variable
        # value is attached to it.
        proc = Process()
        proc.environment_variable_list = as_obdata
        return proc

    def build_package():      # 17: DataTypeApplication
        # Particularly on Android, an installed package sits somewhere
        # between File and Process but is neither; LinuxPackage is the
        # closest fit. Deriving from it would be more correct, but this
        # keeps things simple.
        package = LinuxPackage()
        package.name = as_obdata
        return package

    def build_x509():         # 11: DataTypeX509, 12: X509Subject, 13: X509Issuer
        cert = X509Certificate()
        if as_obtype == 11:
            cert.raw_certificate = as_obdata.encode('hex')
        elif as_obtype == 12:
            cert.certificate.subject = as_obdata
        else:
            cert.certificate.issuer = as_obdata
        return cert

    builders = {
        30: build_api,
        32: build_library,
        14: build_user,
        10: build_file,
        23: build_hostname,
        29: build_env,
        17: build_package,
        11: build_x509,
        12: build_x509,
        13: build_x509,
    }

    builder = builders.get(as_obtype)
    if builder is None:
        # 2: DataTypeSHA1Hash, 7: DataTypeVersionString, 18: DataTypeString,
        # 31: DataTypePropertyName
        # TODO: find the proper CybOX to represent these; for now, we don't
        # report them
        return None
    return builder()
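def _parse_description(description):
    """Split an MDL item description into a ``{field: value}`` dict.

    The description is a comma-separated list of ``Key: value`` pairs.
    Only the first colon of each pair separates key from value, so a
    value that itself contains a colon survives; a field with no colon
    at all is skipped instead of aborting the whole item.

    :param description: raw description string (feed data, untrusted)
    :return: dict of stripped keys to stripped values
    """
    decomp = {}
    for field in description.split(','):
        if ':' not in field:
            continue
        k, v = field.split(':', 1)
        decomp[k.strip()] = v.strip()
    return decomp


def _ip_category(ip):
    """Return the CybOX Address category for ``ip``, or None if it is neither IPv4 nor IPv6."""
    if isIPv4(ip):
        return Address.CAT_IPV4
    if isIPv6(ip):
        return Address.CAT_IPV6
    return None


def transform(data, new_only=True):
    """
    transform - The transforms are source specific.

    Source: http://www.malwaredomainlist.com/hostslist/mdl.xml

    data - must be source xml converted to a dictionary

    :param data: the feed as a dict, read via ``rss`` -> ``channel`` -> ``item``
    :param new_only: when True, items whose guid is already in the history
        store are skipped; when False every item in the feed is emitted
    :return: a STIXPackage with one Indicator per processed item; False when
        ``data`` is not a dict; None when there was nothing to process
    """
    # Input validation
    if not isinstance(data, dict):
        return False

    history = db('local_file', 'history', ADPTR_SRC_ID)
    value2key = db('local_file', 'value_to_key', 'values')
    channel = data.get('rss', {}).get('channel', {})

    # Queue the items to process. Unseen guids are recorded in the history
    # store as they are queued; seen ones are re-emitted only when
    # new_only is False.
    # NOTE(review): if the upstream XML parser yields a single dict (not a
    # list) for a one-item feed, this loop iterates its keys — confirm the
    # caller normalises 'item' to a list.
    work = []
    for item in channel.get('item') or []:
        guid = item.get('guid', {}).get('#text')
        if not guid:
            continue
        if guid in history:
            if not new_only:
                work.append(item)
        else:
            work.append(item)
            db('local_file', 'history', ADPTR_SRC_ID,
               {guid: {'date': str(datetime.now())}})

    pkg = None
    if work:
        ### Generate STIXPackage and STIXHeader
        set_ns_stix(ADPTR_NS_STIX)
        set_ns_cybox(ADPTR_NS_CYBOX)
        STIXPackage._version = ADPTR_VER_STIX
        pkg = STIXPackage()
        src_info, value2key = gen_info_src({}, 'www.malwaredomainlist.com', value2key)
        hdr = STIXHeader()
        hdr.title = channel.get('title')
        hdr.description = channel.get('description')
        hdr.information_source = src_info
        pkg.stix_header = hdr

        for item in work:
            key = item.get('guid', {}).get('#text')

            # Decompose data description (feed values go straight into
            # observable values and titles; the STIX library serialises them).
            decomp = _parse_description(item.get('description') or '')

            # Generate STIX Indicator
            ind, history = gen_indicator(item, key, history)
            ind.producer = src_info
            ind.short_description = 'MDL RefID: %s | %s' % (
                key, decomp.get('Description'))

            # Decompose host: "host/path" splits into a hostname and a URI.
            # A missing Host field is treated as empty rather than raising.
            host = decomp.get('Host') or ''
            uri = None
            file_ = None
            if '/' in host:
                host, uri = host.split('/', 1)
                # TODO: parse out file Name
            if host:
                # Generate Cybox HostName
                obj = Hostname()
                obj.is_domain_name = True
                obj.naming_system = 'DNS'
                obj.hostname_value = host
                ob, value2key = gen_CyboxOb(obj, host, value2key)
                ob.title = 'HostName: %s' % obj.hostname_value
                ind.add_observable(CyboxOb(idref=ob.id_))
                pkg.add_observable(ob)
            if uri:
                # Generate Cybox URI
                obj = URI()
                obj.type_ = URI.TYPE_URL
                url = AnyURI('%s/%s' % (host, uri))
                obj.value = url
                ob, value2key = gen_CyboxOb(obj, url, value2key)
                ob.title = 'URL: %s' % url
                ind.add_observable(CyboxOb(idref=ob.id_))
                pkg.add_observable(ob)
            if file_:
                # file_ is never set until the TODO above is done; kept so the
                # intended File observable has a place to go.
                obj = File()

            ip = decomp.get('IP address')
            if ip:
                category = _ip_category(ip)
                if category is None:
                    # Malformed address: drop only this observable. Breaking
                    # out of the item loop here (as before) discarded every
                    # remaining item even though its guid was already
                    # recorded in the history store as processed.
                    pass
                else:
                    obj_ip = Address()
                    obj_ip.category = category
                    obj_ip.is_source = True
                    obj_ip.address_value = ip
                    # if obj_host:
                    #     obj_ip.add_related(obj_host,
                    #                        ObjectRelationship.TERM_RESOLVED_TO,
                    #                        inline=False)
                    ob = CyboxOb(obj_ip)
                    ob.title = 'IP: %s' % ip
                    ind.add_observable(CyboxOb(idref=ob.id_))
                    pkg.add_observable(ob)

            asn = decomp.get('ASN')
            if asn:
                obj_asn = Address()
                obj_asn.category = Address.CAT_ASN
                obj_asn.address_value = asn
                # if obj_host:
                #     obj_asn.add_related(obj_host,
                #                         ObjectRelationship.TERM_CONNECTED_TO,
                #                         inline=False)
                # if obj_ip:
                #     obj_asn.add_related(obj_ip,
                #                         ObjectRelationship.TERM_CONNECTED_TO,
                #                         inline=False)
                ob = CyboxOb(obj_asn)
                # Title the ASN observable with the ASN itself (it previously
                # printed the IP address).
                ob.title = 'ASN: %s' % asn
                ind.add_observable(CyboxOb(idref=ob.id_))
                pkg.add_observable(ob)

            pkg.add_indicator(ind)

    # Persist the (possibly updated) lookup tables.
    db('local_file', 'value_to_key', 'values', value2key)
    db('local_file', 'history', ADPTR_SRC_ID, history)
    return pkg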