Esempio n. 1
0
def main(args):
    if len(args) < 4:
        sys.exit("Invalid parameters")
    baseURL = args[1]
    if not baseURL:
        baseURL = 'https://www.misp-project.org'
    orgname = args[2]
    orgname = re.sub('[\W]+', '', orgname.replace(" ", "_"))
    NS_DICT[baseURL] = orgname
    try:
        idgen.set_id_namespace(Namespace(baseURL, orgname))
    except TypeError:
        idgen.set_id_namespace(Namespace(baseURL, orgname, "MISP"))
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Export from {} MISP".format(args[2])
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header
    stix_package.version = "1.1.1"
    stix_package.timestamp = datetime.datetime.now()
    if args[3] == 'json':
        stix_string = stix_package.to_json()[:-1]
        stix_string += ', "related_packages": ['
    else:
        stix_string = stix_package.to_xml(auto_namespace=False,
                                          ns_dict=NS_DICT,
                                          schemaloc_dict=SCHEMALOC_DICT)
        stix_string = stix_string.decode().replace("</stix:STIX_Package>\n",
                                                   "")
    print(stix_string)
Esempio n. 2
0
def main(args):
    pathname = os.path.dirname(sys.argv[0])
    if len(sys.argv) > 3:
        namespace[0] = sys.argv[3]
    if len(sys.argv) > 4:
        namespace[1] = sys.argv[4].replace(" ", "_")
        namespace[1] = re.sub('[\W]+', '', namespace[1])
    try:
        idgen.set_id_namespace({namespace[0]: namespace[1]})
    except ValueError:
        try:
            idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
        except TypeError:
            idgen.set_id_namespace(
                Namespace(namespace[0], namespace[1], "MISP"))
    event = loadEvent(args, pathname)
    if 'response' in event:
        event = event['response'][0]['Event']
    else:
        event = event['Event']
#    print(event['Galaxy'])
#    sys.exit(0)
    SDOs = []
    object_refs = []
    external_refs = []
    identity = setIdentity(event)
    SDOs.append(identity)
    attributes = readAttributes(event, identity, object_refs, external_refs)
    report = eventReport(event, identity, object_refs, external_refs)
    SDOs.append(report)
    for attribute in attributes:
        SDOs.append(attribute)
    stix_package = generateEventPackage(event, SDOs)
    saveFile(args, pathname, stix_package)
Esempio n. 3
0
 def __init__(self, args):
     self.misp_event = pymisp.MISPEvent()
     self.args = args
     if len(args) > 3:
         namespace[0] = args[3]
     if len(args) > 4:
         ns = args[4].replace(" ", "_")
         namespace[1] = re.sub('[\W]+', '', ns)
     if not namespace[0]:
         namespace[0] = 'https://www.misp-project.org'
     try:
         idgen.set_id_namespace({namespace[0]: namespace[1]})
     except ValueError:
         try:
             idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
         except TypeError:
             idgen.set_id_namespace(Namespace(namespace[0], namespace[1], "MISP"))
     self.namespace_prefix = idgen.get_id_namespace_alias()
     self.simple_type_to_method = {"port": self.generate_port_observable, "domain|ip": self.generate_domain_ip_observable}
     self.simple_type_to_method.update(dict.fromkeys(hash_type_attributes["single"] + hash_type_attributes["composite"] + ["filename"] + ["attachment"], self.resolve_file_observable))
     self.simple_type_to_method.update(dict.fromkeys(["ip-src", "ip-dst", "ip-src|port", "ip-dst|port"], self.generate_ip_observable))
     self.simple_type_to_method.update(dict.fromkeys(["regkey", "regkey|value"], self.generate_regkey_observable))
     self.simple_type_to_method.update(dict.fromkeys(["hostname", "domain", "url", "AS", "mutex", "named pipe", "link"], self.generate_simple_observable))
     self.simple_type_to_method.update(dict.fromkeys(["email-src", "email-dst", "email-subject"], self.resolve_email_observable))
     self.simple_type_to_method.update(dict.fromkeys(["http-method", "user-agent"], self.resolve_http_observable))
     self.simple_type_to_method.update(dict.fromkeys(["pattern-in-file", "pattern-in-traffic", "pattern-in-memory"], self.resolve_pattern_observable))
Esempio n. 4
0
    def _get_namespace_def(self, additional_ns_dict=None):
        # copy necessary namespaces

        namespaces = self._get_namespaces()

        if additional_ns_dict:
            for ns, prefix in additional_ns_dict.iteritems():
                namespaces.update([Namespace(ns, prefix)])

        # TODO: For now, always add the ID namespace. Later we can figure out
        # how to intelligently do it only when necessary
        namespaces.update([cybox.utils.idgen._get_generator().namespace])

        # if there are any other namepaces, include xsi for "schemaLocation"
        if namespaces:
            namespaces.update([META.lookup_prefix('xsi')])

        if not namespaces:
            return ""

        namespaces = sorted(namespaces, key=str)

        return ('\n\t' + get_xmlns_string(namespaces) +
                '\n\txsi:schemaLocation="' + get_schemaloc_string(namespaces) +
                '"')
def main(args):
    if len(args) < 4:
        sys.exit("Invalid parameters")

    baseURL = args[1]
    if not baseURL:
        baseURL = 'https://www.misp-project.org'
    orgname = args[2]

    namespace = [baseURL, orgname.replace(" ", "_")]
    namespace[1] = re.sub('[\W]+', '', namespace[1])
    NS_DICT[namespace[0]] = namespace[1]

    try:
        idgen.set_id_namespace({baseURL: namespace[1]})
    except ValueError:
        # Some weird stix error that sometimes occurs if the stars
        # align and Mixbox is being mean to us
        # Glory to STIX, peace and good xmlns be upon it
        try:
            idgen.set_id_namespace(Namespace(baseURL, namespace[1]))
        except TypeError:
            # Ok this only occurs if the script is being run under py3
            # and if we're running a REALLY weird version of stix
            # May as well catch it
            idgen.set_id_namespace(Namespace(baseURL, namespace[1], "MISP"))

    stix_package = STIXPackage()
    stix_header = STIXHeader()

    stix_header.title = "Export from {} MISP".format(orgname)
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header
    stix_package.version = "1.1.1"
    stix_package.timestamp = datetime.datetime.now()

    if args[3] == 'json':
        stix_string = stix_package.to_json()[:-1]
        stix_string += ', "related_packages": ['
    else:
        stix_string = stix_package.to_xml(auto_namespace=False,
                                          ns_dict=NS_DICT,
                                          schemaloc_dict=SCHEMALOC_DICT)
        stix_string = stix_string.decode()
        stix_string = stix_string.replace("</stix:STIX_Package>\n", "")
    print(stix_string)
Esempio n. 6
0
def main(args):
    pathname = os.path.dirname(sys.argv[0])
    if len(sys.argv) > 3:
        namespace[0] = sys.argv[3]
    if len(sys.argv) > 4:
        namespace[1] = sys.argv[4].replace(" ", "_")
        namespace[1] = re.sub('[\W]+', '', namespace[1])
    try:
        idgen.set_id_namespace({namespace[0]: namespace[1]})
    except ValueError:
        try:
            idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
        except TypeError:
            idgen.set_id_namespace(Namespace(namespace[0], namespace[1], "MISP"))

    event = loadEvent(args, pathname)
    stix_package = generateEventPackage(event)
    saveFile(args, pathname, stix_package)
    print(json.dumps({'success' : 1, 'message' : ''}))
Esempio n. 7
0
def main(args):
    pathname = os.path.dirname(sys.argv[0])
    if len(sys.argv) > 3:
        namespace[0] = sys.argv[3]
    if len(sys.argv) > 4:
        namespace[1] = sys.argv[4].replace(" ", "_")
    NS_DICT[namespace[0]] = namespace[1]
    cybox.utils.idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
    stix.utils.idgen.set_id_namespace({namespace[0]: namespace[1]})
    events = loadEvent(args, pathname)
    stix_package = generateMainPackage(events)
    for event in events:
        sub_package = generateEventPackage(event)
        stix_package.related_packages.append(sub_package)
    saveFile(args, pathname, stix_package)
    print json.dumps({'success': 1, 'message': ''})
Esempio n. 8
0
def gen_stix_indicator_sample(config,
                              target=None,
                              datatype=None,
                              title='random test data',
                              description='random test data',
                              package_intents='Indicators - Watchlist',
                              tlp_color='WHITE',
                              observables_list=None):
    '''generate sample stix data comprised of indicator_count
    indicators of type datatype'''
    # setup the xmlns...
    xmlns_url = config['edge']['sites'][target]['stix']['xmlns_url']
    xmlns_name = config['edge']['sites'][target]['stix']['xmlns_name']
    set_stix_id_namespace({xmlns_url: xmlns_name})
    set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
    # construct a stix package...
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = title
    stix_header.description = description
    stix_header.package_intents = package_intents
    marking = MarkingSpecification()
    marking.controlled_structure = '../../../../descendant-or-self::node()'
    tlp_marking = TLPMarkingStructure()
    tlp_marking.color = tlp_color
    marking.marking_structures.append(tlp_marking)
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking)
    indicator_ = Indicator()
    indicator_.title = str(uuid.uuid4()) + '_sample_indicator'
    indicator_.confidence = 'Unknown'
    indicator_.add_indicator_type('Malware Artifacts')
    observable_composition_ = ObservableComposition()
    observable_composition_.operator = \
        indicator_.observable_composition_operator
    for observable_id in observables_list:
        observable_ = Observable()
        observable_.idref = observable_id
        observable_composition_.add(observable_)
    indicator_.observable = Observable()
    indicator_.observable.observable_composition = observable_composition_
    stix_package.add_indicator(indicator_)
    return (stix_package)
Esempio n. 9
0
def main(args):
    if len(sys.argv) < 4:
        sys.exit("Invalid parameters")
    namespace = [sys.argv[1], sys.argv[2]]
    NS_DICT[namespace[1]] = namespace[0]
    cybox.utils.idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
    stix.utils.idgen.set_id_namespace({namespace[0]: namespace[1]})
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Export from " + namespace[1] + " MISP"
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header
    if sys.argv[3] == 'json':
        stix_string = stix_package.to_json()[:-1]
        stix_string += ', "related_packages": ['
    else:
        stix_string = stix_package.to_xml(auto_namespace=False,
                                          ns_dict=NS_DICT,
                                          schemaloc_dict=SCHEMALOC_DICT)
        stix_string = stix_string.replace("</stix:STIX_Package>\n", "")
    print(stix_string)
Esempio n. 10
0
def stix_pkg(config,
             src,
             endpoint,
             payload,
             title='random test data',
             description='random test data',
             package_intents='Indicators - Watchlist',
             tlp_color='WHITE',
             dest=None):
    '''package observables'''
    # setup the xmlns...
    xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
    xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
    set_stix_id_namespace({xmlns_url: xmlns_name})
    set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
    # construct a stix package...
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = title
    stix_header.description = description
    stix_header.package_intents = package_intents
    marking = MarkingSpecification()
    marking.controlled_structure = '../../../../descendant-or-self::node()'
    tlp_marking = TLPMarkingStructure()
    tlp_marking.color = tlp_color
    marking.marking_structures.append(tlp_marking)
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking)
    if isinstance(payload, Observable):
        stix_package.add_observable(payload)
    elif isinstance(payload, Indicator):
        stix_package.add_indicator(payload)
    elif isinstance(payload, Incident):
        stix_package.add_incident(payload)
    return (stix_package)
Esempio n. 11
0
def stix_framing(*args):
    import datetime, re
    from stix.core import STIXPackage, STIXHeader
    from cybox.utils import Namespace
    # As python3 is forced anyway, mixbox is used and we don't need to try to import idgen from stix.utils
    from mixbox import idgen
    from stix import __version__ as STIXVER
    NS_DICT = {
        "http://cybox.mitre.org/common-2": 'cyboxCommon',
        "http://cybox.mitre.org/cybox-2": 'cybox',
        "http://cybox.mitre.org/default_vocabularies-2": 'cyboxVocabs',
        "http://cybox.mitre.org/objects#AccountObject-2": 'AccountObj',
        "http://cybox.mitre.org/objects#ASObject-1": 'ASObj',
        "http://cybox.mitre.org/objects#AddressObject-2": 'AddressObj',
        "http://cybox.mitre.org/objects#PortObject-2": 'PortObj',
        "http://cybox.mitre.org/objects#DomainNameObject-1": 'DomainNameObj',
        "http://cybox.mitre.org/objects#EmailMessageObject-2":
        'EmailMessageObj',
        "http://cybox.mitre.org/objects#FileObject-2": 'FileObj',
        "http://cybox.mitre.org/objects#HTTPSessionObject-2": 'HTTPSessionObj',
        "http://cybox.mitre.org/objects#HostnameObject-1": 'HostnameObj',
        "http://cybox.mitre.org/objects#MutexObject-2": 'MutexObj',
        "http://cybox.mitre.org/objects#PipeObject-2": 'PipeObj',
        "http://cybox.mitre.org/objects#URIObject-2": 'URIObj',
        "http://cybox.mitre.org/objects#WinRegistryKeyObject-2":
        'WinRegistryKeyObj',
        'http://cybox.mitre.org/objects#WinServiceObject-2': 'WinServiceObj',
        "http://cybox.mitre.org/objects#NetworkConnectionObject-2":
        'NetworkConnectionObj',
        "http://cybox.mitre.org/objects#NetworkSocketObject-2":
        'NetworkSocketObj',
        "http://cybox.mitre.org/objects#SocketAddressObject-1":
        'SocketAddressObj',
        "http://cybox.mitre.org/objects#SystemObject-2": 'SystemObj',
        "http://cybox.mitre.org/objects#ProcessObject-2": 'ProcessObj',
        "http://cybox.mitre.org/objects#X509CertificateObject-2":
        'X509CertificateObj',
        "http://cybox.mitre.org/objects#WhoisObject-2": 'WhoisObj',
        "http://cybox.mitre.org/objects#WinExecutableFileObject-2":
        'WinExecutableFileObj',
        "http://data-marking.mitre.org/Marking-1": 'marking',
        "http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1":
        'tlpMarking',
        "http://stix.mitre.org/ExploitTarget-1": 'et',
        "http://stix.mitre.org/Incident-1": 'incident',
        "http://stix.mitre.org/Indicator-2": 'indicator',
        "http://stix.mitre.org/TTP-1": 'ttp',
        "http://stix.mitre.org/ThreatActor-1": 'ta',
        "http://stix.mitre.org/common-1": 'stixCommon',
        "http://stix.mitre.org/default_vocabularies-1": 'stixVocabs',
        "http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1":
        'ciqIdentity',
        "http://stix.mitre.org/extensions/TestMechanism#Snort-1": 'snortTM',
        "http://stix.mitre.org/stix-1": 'stix',
        "http://www.w3.org/2001/XMLSchema-instance": 'xsi',
        "urn:oasis:names:tc:ciq:xal:3": 'xal',
        "urn:oasis:names:tc:ciq:xnl:3": 'xnl',
        "urn:oasis:names:tc:ciq:xpil:3": 'xpil',
    }
    SCHEMALOC_DICT = {
        'http://cybox.mitre.org/common-2':
        'http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd',
        'http://cybox.mitre.org/cybox-2':
        'http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd',
        'http://cybox.mitre.org/default_vocabularies-2':
        'http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd',
        'http://cybox.mitre.org/objects#AccountObject-2':
        ' http://cybox.mitre.org/XMLSchema/objects/Account/2.1/Account_Object.xsd',
        'http://cybox.mitre.org/objects#ASObject-1':
        'http://cybox.mitre.org/XMLSchema/objects/AS/1.0/AS_Object.xsd',
        'http://cybox.mitre.org/objects#AddressObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd',
        'http://cybox.mitre.org/objects#PortObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Port/2.1/Port_Object.xsd',
        'http://cybox.mitre.org/objects#DomainNameObject-1':
        'http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd',
        'http://cybox.mitre.org/objects#EmailMessageObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Email_Message/2.1/Email_Message_Object.xsd',
        'http://cybox.mitre.org/objects#FileObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd',
        'http://cybox.mitre.org/objects#HTTPSessionObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/HTTP_Session/2.1/HTTP_Session_Object.xsd',
        'http://cybox.mitre.org/objects#HostnameObject-1':
        'http://cybox.mitre.org/XMLSchema/objects/Hostname/1.0/Hostname_Object.xsd',
        'http://cybox.mitre.org/objects#MutexObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Mutex/2.1/Mutex_Object.xsd',
        'http://cybox.mitre.org/objects#PipeObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Pipe/2.1/Pipe_Object.xsd',
        'http://cybox.mitre.org/objects#URIObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd',
        'http://cybox.mitre.org/objects#WinServiceObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Win_Service/2.1/Win_Service_Object.xsd',
        'http://cybox.mitre.org/objects#WinRegistryKeyObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Win_Registry_Key/2.1/Win_Registry_Key_Object.xsd',
        'http://cybox.mitre.org/objects#NetworkConnectionObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.0.1/Network_Connection_Object.xsd',
        'http://cybox.mitre.org/objects#NetworkSocketObject-2':
        'https://cybox.mitre.org/XMLSchema/objects/Network_Socket/2.1/Network_Socket_Object.xsd',
        'http://cybox.mitre.org/objects#SystemObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/System/2.1/System_Object.xsd',
        'http://cybox.mitre.org/objects#SocketAddressObject-1':
        'http://cybox.mitre.org/XMLSchema/objects/Socket_Address/1.1/Socket_Address_Object.xsd',
        'http://cybox.mitre.org/objects#ProcessObject-2':
        'https://cybox.mitre.org/XMLSchema/objects/Process/2.1/Process_Object.xsd',
        'http://cybox.mitre.org/objects#X509CertificateObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/X509_Certificate/2.1/X509_Certificate_Object.xsd',
        'http://cybox.mitre.org/objects#WhoisObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Whois/2.1/Whois_Object.xsd',
        'http://cybox.mitre.org/objects#WinExecutableFileObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Win_Executable_File/2.1/Win_Executable_File_Object.xsd',
        'http://data-marking.mitre.org/Marking-1':
        'http://stix.mitre.org/XMLSchema/data_marking/1.1.1/data_marking.xsd',
        'http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1':
        'http://stix.mitre.org/XMLSchema/extensions/marking/tlp/1.1.1/tlp_marking.xsd',
        'http://stix.mitre.org/ExploitTarget-1':
        'http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd',
        'http://stix.mitre.org/Incident-1':
        'http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd',
        'http://stix.mitre.org/Indicator-2':
        'http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd',
        'http://stix.mitre.org/TTP-1':
        'http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd',
        'http://stix.mitre.org/ThreatActor-1':
        'http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd',
        'http://stix.mitre.org/common-1':
        'http://stix.mitre.org/XMLSchema/common/1.1.1/stix_common.xsd',
        'http://stix.mitre.org/default_vocabularies-1':
        'http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd',
        'http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1':
        'http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd',
        'http://stix.mitre.org/extensions/TestMechanism#Snort-1':
        'http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd',
        'http://stix.mitre.org/stix-1':
        'http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd',
        'urn:oasis:names:tc:ciq:xal:3':
        'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xAL.xsd',
        'urn:oasis:names:tc:ciq:xnl:3':
        'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xNL.xsd',
        'urn:oasis:names:tc:ciq:xpil:3':
        'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xPIL.xsd',
    }

    baseurl, orgname, return_type = args
    if not baseurl:
        baseurl = 'https://www.misp-project.org'
    real_orgname = args[1]
    orgname = re.sub('[\W]+', '', orgname.replace(" ", "_"))
    NS_DICT[baseurl] = orgname
    try:
        idgen.set_id_namespace(Namespace(baseurl, orgname))
    except TypeError:
        idgen.set_id_namespace(Namespace(baseurl, orgname, "MISP"))
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Export from {} MISP".format(real_orgname)
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header
    stix_package.version = "1.1.1"
    stix_package.timestamp = datetime.datetime.now()
    return stix_json_framing(
        stix_package) if return_type == 'json' else stix_xml_framing(
            stix_package, NS_DICT, SCHEMALOC_DICT)
Esempio n. 12
0
from stix.incident import Incident, Time, ImpactAssessment, ExternalID, AffectedAsset
from stix.exploit_target import ExploitTarget, Vulnerability
from stix.incident.history import JournalEntry, History, HistoryItem
from stix.threat_actor import ThreatActor
from stix.core import STIXPackage, STIXHeader
from stix.common import InformationSource, Identity, Confidence
from stix.data_marking import Marking, MarkingSpecification
from stix.extensions.marking.tlp import TLPMarkingStructure
from stix.common.related import *
from stix.common.confidence import Confidence
from stix.common.vocabs import IncidentStatus
from cybox.utils import Namespace

namespace = ['https://github.com/MISP/MISP', 'MISP']

cybox.utils.idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
stix.utils.idgen.set_id_namespace({namespace[0]: namespace[1]})


NS_DICT = {
	"http://cybox.mitre.org/common-2" : 'cyboxCommon',
	"http://cybox.mitre.org/cybox-2" : 'cybox',	
	"http://cybox.mitre.org/default_vocabularies-2" : 'cyboxVocabs',
	"http://cybox.mitre.org/objects#ASObject-1" : 'ASObj',
	"http://cybox.mitre.org/objects#AddressObject-2" : 'AddressObj',
	"http://cybox.mitre.org/objects#DomainNameObject-1" : 'DomainNameObj',
	"http://cybox.mitre.org/objects#EmailMessageObject-2" : 'EmailMessageObj',
	"http://cybox.mitre.org/objects#FileObject-2" : 'FileObj',
	"http://cybox.mitre.org/objects#HTTPSessionObject-2" : 'HTTPSessionObj',
	"http://cybox.mitre.org/objects#HostnameObject-1" : 'HostnameObj',
	"http://cybox.mitre.org/objects#MutexObject-2" : 'MutexObj',
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        oObsSrcData = genObsSrcData(srcObj, data[sKey])
        ### Parsing IP Address
        sAddr = data[sKey]['attrib']['ip']
        if len(sAddr) > 0:
            objAddr = Address()
            objAddr.is_destination = True
            objAddr.address_value = sAddr
            objAddr.address_value.condition = 'Equals'
            if isIPv4(sAddr):
                objAddr.type = 'ipv4-addr'
            elif isIPv6(sAddr):
                objAddr.type = 'ipv6-addr'
            else:
                continue

            obsAddr = Observable(objAddr)
            objAddr = None
            obsAddr.sighting_count = 1
            oObsSrcData.sighting_count = 1
            obsAddr.observable_source.append(oObsSrcData)

            sTitle = 'IP: ' + sAddr
            obsAddr.title = sTitle
            sDscpt = 'ipv4-addr' + ': ' + sAddr + " | "
            sDscpt += "is_destination: True | "
            if data[sKey]['attrib']['first']:
                sDscpt += "firstSeen: " + data[sKey]['attrib']['first'] + " | "
            if data[sKey]['attrib']['last']:
                sDscpt += "lastSeen: " + data[sKey]['attrib']['last'] + " | "
            obsAddr.description = "<![CDATA[" + sDscpt + "]]>"
            listOBS.append(obsAddr)
            obsAddr = None

        ### Parsing Network Address
        sAddr = data[sKey]['attrib']['inetnum']
        if sAddr:
            objAddr = Address()
            objAddr.is_destination = True
            sAddrNet = sAddr.split("-")
            objAddr.address_value = sAddrNet[0].strip(
            ) + "##comma##" + sAddrNet[1].strip()
            objAddr.address_value.condition = 'InclusiveBetween'

            objAddr.category = 'ipv4-net'

            obsAddr = Observable(objAddr)
            objAddr = None
            obsAddr.sighting_count = 1
            oObsSrcData.sighting_count = 1
            obsAddr.observable_source.append(oObsSrcData)

            sTitle = 'NETWORK_range: ' + sAddr
            obsAddr.title = sTitle
            sDscpt = 'ipv4-net' + ': ' + sAddr + " | "
            if data[sKey]['attrib']['netname']:
                sDscpt += 'netName' + ': ' + data[sKey]['attrib'][
                    'netname'] + " | "
            obsAddr.description = "<![CDATA[" + sDscpt + "]]>"
            listOBS.append(obsAddr)
            obsAddr = None

        ### Parsing Email Address
        sEMAIL = data[sKey]['attrib']['email']
        if sEMAIL:
            objEmail = EmailAddress()
            #objEmail.is_source = True
            objEmail.address_value = sEMAIL
            objEmail.address_value.condition = 'Equals'

            objEmail.category = 'e-mail'

            obsEmail = Observable(objEmail)
            objEmail = None
            obsEmail.sighting_count = 1
            oObsSrcData.sighting_count = 1
            if len(data[sKey]['attrib']['source']) > 0:
                oObsSrcData.name = data[sKey]['attrib']['source']
            obsEmail.observable_source.append(oObsSrcData)

            sTitle = 'REGISTRAR_email: ' + sEMAIL
            obsEmail.title = sTitle
            sDscrpt = 'REGISTRAR_email: ' + sEMAIL
            if data[sKey]['attrib']['descr']:
                sDscrpt += " | REGISTRAR_name: " + data[sKey]['attrib'][
                    'descr'] + " | "

            obsEmail.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsEmail)
            obsEmail = None

        ### Parsing Domain
        sDomain = data[sKey]['attrib']['domain']
        if len(sDomain) > 0:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'
            objDomain.is_destination = True
            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            objDomain = None
            obsDomain.sighting_count = 1
            oObsSrcData.sighting_count = 1
            obsDomain.observable_source.append(oObsSrcData)
            obsDomain.title = 'Domain: ' + sDomain
            sDscpt = 'Domain: ' + sDomain + " | "
            sDscpt += "isDestination: True | "
            if data[sKey]['attrib']['first']:
                sDscpt += "firstSeen: " + data[sKey]['attrib']['first'] + " | "
            if data[sKey]['attrib']['last']:
                sDscpt += "lastSeen: " + data[sKey]['attrib']['last'] + " | "

            #if
            obsDomain.description = "<![CDATA[" + sDscpt + "]]>"
            listOBS.append(obsDomain)
            obsDomain = None
            objIndicator.add_indicator_type("Domain Watchlist")

        #Parser URI
        sURI = data[sKey]['attrib']['url']
        if len(sURI) > 0:
            objURI = URI()
            objURI.value = sURI
            objURI.value.condition = 'Equals'
            objURI.type_ = URI.TYPE_URL
            obsURI = Observable(objURI)
            objURI = None
            obsURI.sighting_count = 1
            oObsSrcData.sighting_count = 1
            obsURI.observable_source.append(oObsSrcData)
            obsURI.title = 'URI: ' + sURI
            sDscpt = 'URI: ' + sURI + " | "
            sDscpt += "Type: URL | "
            obsURI.description = "<![CDATA[" + sDscpt + "]]>"
            listOBS.append(obsURI)
            obsURI = None
            objIndicator.add_indicator_type("URL Watchlist")

        sDscrpt = None
        sCntry_code = None
        sCntry_name = None
        sRgstra_email = None
        sRgstra_name = None

        # add Phishing Email Target
        # add Phishing email Details phishtank_ID

        if data[sKey]['attrib']['country']:
            sCntry_code = data[sKey]['attrib']['country']
            if sCntry_code in dictCC2CN:
                sCntry_name = dictCC2CN[sCntry_code]

        if data[sKey]['attrib']['email'] > 0:
            sRgstra_email = data[sKey]['attrib']['email']

        if data[sKey]['attrib']['descr']:
            sRgstra_name = data[sKey]['attrib']['descr']

        sDscrpt = " clean-mx.de has identified this "
        if isIPv4(data[sKey]['attrib']['domain']):
            sDscrpt += "ip address " + data[sKey]['attrib']['domain'] + " "
        else:
            sDscrpt += "domain " + data[sKey]['attrib']['domain'] + " "

        sDscrpt += "as malicious "
        if data[sKey]['attrib']['target']:
            sDscrpt += "and uses phishing email(s) targeting " + data[sKey][
                'attrib']['target'] + " users with "
        else:
            sDscrpt += "and sent out "

        sDscrpt += "email containg this url <-Do Not Connect-> {" + data[sKey][
            'attrib']['url'] + "} <-Do Not Connect-> link. "

        if data[sKey]['attrib']['phishtank']:
            sDscrpt += "For more detail on the specific phisihing email use this phishtank ID [" + data[
                sKey]['attrib']['phishtank'] + "]. "

        if sCntry_code:
            sDscrpt += " This url appears to originated in " + sCntry_code
            if sCntry_name:
                sDscrpt += " (" + sCntry_name + ")"
        if sCntry_code and (sRgstra_email or sRgstra_name):
            sDscrpt += " and is "
        if sRgstra_email:
            sDscrpt += "register to " + sRgstra_email
        if sRgstra_email and sRgstra_name:
            sDscrpt += " of " + sRgstra_name
        elif sRgstra_name:
            sDscrpt += "register to " + sRgstra_name
        sDscrpt += "."

        if sCntry_code or sRgstra_email or sRgstra_name:
            objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        sTitle = 'Phishing ID:' + sKey + " "
        if data[sKey]['attrib']["target"]:
            sTitle += "Target: " + data[sKey]['attrib']["target"] + " "

        if data[sKey]['attrib']["url"]:
            sTitle += "URL: " + data[sKey]['attrib']["url"] + " "

        objIndicator.title = sTitle

        ### Add Generated observable to Indicator
        objIndicator.add_indicator_type("IP Watchlist")
        objIndicator.observable_composition_operator = 'OR'
        objIndicator.observables = listOBS

        #Parsing Producer
        sProducer = srcObj.Domain
        if len(sProducer) > 0:
            objIndicator.set_producer_identity(sProducer)

        objIndicator.set_produced_time(data[sKey]['attrib']['first'])
        objIndicator.set_received_time(data[sKey]['dateDL'])

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    objTOU = TermsOfUseMarkingStructure()
    #sTOU = open('tou.txt').read()
    objTOU.terms_of_use = sProducer + " | " + srcObj.srcTOU
    marking_specification.marking_structures.append(objTOU)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return (stix_package)
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')

    ### Input Check
    if srcObj is None or data is None:
        # TODO: Needs error msg: Missing srcData Object
        return False

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        ### Parsing IP Address
        sAddr = data[sKey]['attrib']['ipAddr']
        if sAddr:
            objAddr = Address()
            objAddr.is_source = True
            objAddr.address_value = sAddr
            objAddr.address_value.condition = 'Equals'
            if isIPv4(sAddr):
                objAddr.category = 'ipv4-addr'
            elif isIPv6(sAddr):
                objAddr.category = 'ipv6-addr'
            else:
                continue

            obsAddr = Observable(objAddr)
            obsAddr.sighting_count = 1
            obsAddr.title = 'IP: ' + sAddr
            sDscrpt = 'IPv4' + ': ' + sAddr + " | "
            sDscrpt += "isSource: True | "
            obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsAddr)
            objIndicator.add_indicator_type("IP Watchlist")

            ### Parsing Domain
        sDomain = data[sKey]['attrib']['domain']
        if sDomain:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'
            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            obsDomain.sighting_count = 1
            obsDomain.title = 'Domain: ' + sDomain
            sDscrpt = 'Domain: ' + sDomain + " | "
            sDscrpt += "isFQDN: True | "
            obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsDomain)
            objIndicator.add_indicator_type("Domain Watchlist")

        # Parser File Hash
        # sHash = data[sKey]['attrib']['hash'];
        # if len(sHash) > 0:
        # objFile = File()
        # sFileName = data[sKey]['attrib']['fileName']
        # if len(sFileName) > 0:
        # objFile.file_name   = sFileName
        # objFile.file_format = sFileName.split('.')[1]

        # objFile.add_hash(Hash(sHash, exact=True))
        # obsFile = Observable(objFile)
        # objFile = None;
        # obsFile.sighting_count = 1
        # obsFile.title = 'File: ' + sFileName
        #     sDscrpt = 'FileName: ' + sFileName + " | "
        #     sDscrpt += "FileHash: " + sHash + " | "
        #     obsFile.description = "<![CDATA[" + sDscrpt + "]]>"
        #     listOBS.append(obsFile)
        #     obsFile = None;
        #     objIndicator.add_indicator_type("File Hash Watchlist")

        ### Add Generated observable to Indicator
        objIndicator.observables = listOBS
        objIndicator.observable_composition_operator = 'OR'

        #Parsing Producer
        sProducer = srcObj.Domain
        if len(srcObj.Domain) > 0:
            objIndicator.set_producer_identity(srcObj.Domain)

        if data[sKey]['attrib']['dateVF']:
            objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
        objIndicator.set_received_time(data[sKey]['dateDL'])

        ### Old Title / Description Generator
        #objIndicator.title = data[sKey]['attrib']['title'];
        #objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>";

        ### Generate Indicator Title based on availbe data
        sTitle = 'Feodo Tracker: '
        if sAddr:
            sAddLine = "This IP address has been identified as malicious"
        if sDomain:
            sAddLine = "This domain has been identified as malicious"
        if len(sAddLine) > 0:
            sTitle += " | " + sAddLine
        if len(srcObj.Domain) > 0:
            sTitle += " by " + srcObj.Domain
        else:
            sTitle += "."
        if len(sTitle) > 0:
            objIndicator.title = sTitle

        #Generate Indicator Description based on availbe data
        sDscrpt = ""
        if sAddr:
            sAddLine = "This IP address " + sAddr
        if sDomain:
            sAddLine = "This domain " + sDomain
        if sAddr and sDomain:
            sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
        if len(sAddLine) > 0:
            sDscrpt += sAddLine

        sDscrpt += " has been identified as malicious"
        if len(srcObj.Domain) > 0:
            sDscrpt += " by " + srcObj.Domain
        else:
            sDscrpt += "."
        sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + \
                  data[sKey]['attrib']['link'] + "]."

        if len(sDscrpt) > 0:
            objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        #Parse TTP
        objMalware = MalwareInstance()
        objMalware.add_name("Cridex")
        objMalware.add_name("Bugat")
        objMalware.add_name("Dridex")
        objMalware.add_type("Remote Access Trojan")
        objMalware.short_description = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials"

        sDscrpt = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials. At the moment, Feodo Tracker is tracking four versions of Feodo, and they are labeled by Feodo Tracker as version A, version B, version C and version D:\n"
        sDscrpt += "\n"
        sDscrpt += "  Version A: Hosted on compromised webservers running an nginx proxy on port 8080 TCP forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually directly hits these hosts on port 8080 TCP without using a domain name.\n"
        sDscrpt += "  Version B: Hosted on servers rented and operated by cybercriminals for the exclusive purpose of hosting a Feodo botnet controller. Usually taking advantage of a domain name within ccTLD .ru. Botnet traffic usually hits these domain names using port 80 TCP.\n"
        sDscrpt += "  Version C: Successor of Feodo, completely different code. Hosted on the same botnet infrastructure as Version A (compromised webservers, nginx on port 8080 TCP or port 7779 TCP, no domain names) but using a different URL structure. This Version is also known as Geodo.\n"
        sDscrpt += "  Version D: Successor of Cridex. This version is also known as Dridex\n"
        objMalware.description = "<![CDATA[" + sDscrpt + "]]>"

        objTTP = TTP(title="Feodo")
        objTTP.behavior = Behavior()
        objTTP.behavior.add_malware_instance(objMalware)
        objIndicator.add_indicated_ttp(objTTP)
        #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
        #stix_package.add_ttp(objTTP)

        stix_package.add_indicator(objIndicator)

        ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return stix_package
Esempio n. 15
0
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        ### Parsing Domain
        sDomain = data[sKey]['attrib']['domain']
        if len(sDomain) > 0:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'
            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            objDomain = None
            obsDomain.sighting_count = 1
            obsDomain.title = 'Domain: ' + sDomain
            sDscrpt = 'Domain: ' + sDomain + " | "
            sDscrpt += "isFQDN: True | "
            obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsDomain)
            obsDomain = None
            objIndicator.add_indicator_type("Domain Watchlist")

        ### Add Generated observable to Indicator
        objIndicator.observable_composition_operator = 'OR'
        objIndicator.observables = listOBS

        #Parsing Producer
        infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
        infoSrc.add_contributing_source(data[sKey]['attrib']['ref'])
        if len(srcObj.Domain) > 0:
            objIndicator.producer = infoSrc

        if data[sKey]['attrib']['lstDateVF']:
            objIndicator.set_produced_time(
                data[sKey]['attrib']['lstDateVF'][0])
        objIndicator.set_received_time(data[sKey]['dateDL'])

        ### Generate Indicator Title based on availbe data
        lstContainng = []
        lstIs = []
        sTitle = 'This domain ' + data[sKey]['attrib'][
            'domain'] + ' has been identified as malicious'
        if len(data[sKey]['attrib']['ref']):
            sTitle += ' by ' + data[sKey]['attrib']['ref']

        if len(data[sKey]['attrib']['type']) > 0:
            sTitle += ', via this vector [' + data[sKey]['attrib'][
                'type'] + '].'
        else:
            sTitle += '.'
        objIndicator.title = sTitle

        ### Generate Indicator Description based on availbe data
        sDscrpt = 'Lehigh.edu site has added this domain ' + data[sKey][
            'attrib']['domain']
        sDscrpt += ' to recommend block list.'
        sDscrpt += ' This site has been identified as malicious'
        sDscrpt += ' by ' + data[sKey]['attrib']['ref']
        sDscrpt += ' and was still attive on the following dates ' + str(
            data[sKey]['attrib']['lstDateVF']) + "."
        objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        #Parse TTP
        objMalware = MalwareInstance()
        objMalware.add_type("Remote Access Trojan")

        ttpTitle = data[sKey]['attrib']['type']
        objTTP = TTP(title=ttpTitle)
        objTTP.behavior = Behavior()
        objTTP.behavior.add_malware_instance(objMalware)
        objIndicator.add_indicated_ttp(objTTP)
        #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
        #stix_package.add_ttp(objTTP)

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return (stix_package)
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        oObsSrcData = genObsSrcData(srcObj, data[sKey])

        ### Parsing IP Address
        sAddr = sKey
        if len(sAddr) > 0:
            objAddr = Address()
            objAddr.is_source = True
            objAddr.address_value = sAddr
            objAddr.address_value.condition = 'InclusiveBetween'

            objAddr.category = 'ipv4-net'

            obsAddr = Observable(objAddr)
            objAddr = None
            obsAddr.sighting_count = int(data[sKey]['attrib']['Attacks'])
            oObsSrcData.sighting_count = int(data[sKey]['attrib']['Attacks'])
            obsAddr.observable_source.append(oObsSrcData)

            sTitle = 'NETWORK_range: ' + sAddr
            obsAddr.title = sTitle
            sDscpt = 'ipv4-net' + ': ' + sAddr + " | "
            sDscpt += "is_source: True | "
            sDscpt += "Attack_Count: " + data[sKey]['attrib']['Attacks'] + " | "
            sDscpt += "Attack_DateRange: " + data[sKey]['attrib'][
                'dateRange'] + " | "
            obsAddr.description = sDscpt
            listOBS.append(obsAddr)
            obsAddr = None

        ### Parsing Registrar Information
        if data[sKey]['attrib']['email']:
            objEmail = EmailAddress()
            objEmail.address_value = data[sKey]['attrib']['email']
            objEmail.address_value.condition = 'Equals'
            objEmail.category = 'e-mail'

            objWhoisReg = WhoisRegistrar()
            if len(data[sKey]['attrib']['Name']) > 1:
                objWhoisReg.name = data[sKey]['attrib']['Name']
            objWhoisReg.email_address = objEmail
            objEmail = None

            objWhois = WhoisEntry()
            objWhois.registrar_info = objWhoisReg

            obsWhois = Observable(objWhois)
            #print obsWhois.id_
            objWhois = None
            obsWhois.sighting_count = 1

            sTitle = 'REGISTRAR_email: ' + data[sKey]['attrib']['email']
            if len(data[sKey]['attrib']['Name']) > 0:
                sTitle += " | REGISTRAR_name: " + data[sKey]['attrib'][
                    'Name'] + " | "
            obsWhois.title = sTitle
            obsWhois.description = sTitle
            listOBS.append(obsWhois)
            obsWhois = None

        sDscrpt = None
        sCntry_code = None
        sCntry_name = None
        sRgstra_email = None
        sRgstra_name = None

        if len(data[sKey]['attrib']['Country']) > 0:
            sCntry_code = data[sKey]['attrib']['Country']
            if sCntry_code in dictCC2CN:
                sCntry_name = dictCC2CN[sCntry_code]

        if 'email' in data[sKey]['attrib']:
            sRgstra_email = data[sKey]['attrib']['email']

        if len(data[sKey]['attrib']['Name']) > 0:
            sRgstra_name = data[sKey]['attrib']['Name']

        sDscrpt = "This IP block appears to have "
        if sCntry_code:
            sDscrpt += "originated in " + sCntry_code
            if sCntry_name:
                sDscrpt += "(" + sCntry_name + ")"
        if sCntry_code and (sRgstra_email or sRgstra_name):
            sDscrpt += " and is "
        if sRgstra_email:
            sDscrpt += "register to " + sRgstra_email
        if sRgstra_email and sRgstra_name:
            sDscrpt += " of " + sRgstra_name
        elif sRgstra_name:
            sDscrpt += "register to " + sRgstra_name
        sDscrpt += "."

        if sCntry_code or sRgstra_email or sRgstra_name:
            objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        objIndicator.title = sAddr.replace('##comma##',
                                           ' - ') + " | " + srcObj.pkgTitle

        ### Add Generated observable to Indicator
        objIndicator.add_indicator_type("IP Watchlist")
        objIndicator.observable_composition_operator = 'OR'
        objIndicator.observables = listOBS

        #Parsing Producer
        sProducer = srcObj.Domain
        if len(sProducer) > 0:
            objIndicator.set_producer_identity(sProducer)

        objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
        objIndicator.set_received_time(data[sKey]['dateDL'])

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    objTOU = TermsOfUseMarkingStructure()
    #sTOU = open('tou.txt').read()
    objTOU.terms_of_use = sProducer + " | " + srcObj.srcTOU
    marking_specification.marking_structures.append(objTOU)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return (stix_package)
Esempio n. 17
0
import os
import sys
import hashlib
from datetime import datetime

### This is add to handle the libraies sent in this Package, in your envroment this would typically be vary differnt
sys.path.insert(0, '../../')
### Generally required for all Adpters
from lib.utils.mngMSG import sndMSG
from stix.utils import set_id_namespace as stix_set_id_namespace
from cybox.utils import set_id_namespace as cybox_set_id_namespace
from cybox.utils import Namespace
from xml.sax.saxutils import escape

STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
CYBOX_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
cybox_set_id_namespace(CYBOX_NAMESPACE)


def main():
    from lib.utils.mngFiles import getFile_Source2Dict
    from lib.utils.mngSources_r01 import clsDataSource

    dstCreds = {
        "URI": "http://www.hailataxii.com/taxii-discovery-service",
        "usrName": "phishtank_com",
        "usrPass": "******",
        "crtName": "",
        "crtPass": ""
    }
Esempio n. 18
0
from cybox.objects.uri_object import URI, AnyURI
from cybox.objects.file_object import File
from cybox.objects.address_object import Address
from cybox.utils import set_id_namespace as set_ns_cybox
from cybox.utils import Namespace

from adapters.lib.conns.conndb import db
#from adapters.lib.utils.mngRmtObjs import get_rmt_file
from adapters.lib.utils.cnvtFiles_ng import cnvt_xml2dict
from adapters.lib.utils.mngMSG_ng import log
from adapters.lib.utils.mngSources_r01 import Source
from adapters.lib.utils.mngMisc_ng import isIPv4, isIPv6

ADPTR_SRC_ID = '72771483-4054-43eb-9dec-11196641c615'
ADPTR_NS_STIX = {'http://hailataxii.com': 'opensource'}
ADPTR_NS_CYBOX = Namespace('http://hailataxii.com', 'opensource')
ADPTR_VER_STIX = '1.1.1'


def main():

    dst = {
        "uri": "http://172.16.167.138/taxii-discovery-service",
        "usr_name": "admin",
        "usr_pass": "******",
        "crt_file": "",
        "crt_pass": ""
    }

    src_data = Source(id_=ADPTR_SRC_ID)
    src = db('local_file', 'source_list', ADPTR_SRC_ID)
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        ### Parsing IP Address
        sAddr = data[sKey]['attrib']['ipAddr']
        if len(sAddr) > 0:
            objAddr = Address()
            objAddr.is_source = True
            objAddr.address_value = sAddr
            objAddr.address_value.condition = 'Equals'
            if isIPv4(sAddr):
                objAddr.category = 'ipv4-addr'
            elif isIPv6(sAddr):
                objAddr.category = 'ipv6-addr'
            else:
                continue

            obsAddr = Observable(objAddr)
            objAddr = None
            obsAddr.sighting_count = 1
            obsAddr.title = 'IP: ' + sAddr
            sDscrpt = 'IPv4' + ': ' + sAddr + " | "
            sDscrpt += "isSource: True | "
            obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsAddr)
            obsAddr = None
            objIndicator.add_indicator_type("IP Watchlist")

        ### Parsing Domain
        sDomain = data[sKey]['attrib']['domain']
        if len(sDomain) > 0:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'
            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            objDomain = None
            obsDomain.sighting_count = 1
            obsDomain.title = 'Domain: ' + sDomain
            sDscrpt = 'Domain: ' + sDomain + " | "
            sDscrpt += "isFQDN: True | "
            obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsDomain)
            obsDomain = None
            objIndicator.add_indicator_type("Domain Watchlist")

        #Parser URI
        sURI = data[sKey]['attrib']['URI']
        if len(sURI) > 0:
            objURI = URI()
            objURI.value = sURI
            objURI.value.condition = 'Equals'
            objURI.type_ = URI.TYPE_URL
            obsURI = Observable(objURI)
            objURI = None
            obsURI.sighting_count = 1
            obsURI.title = 'URI: ' + sURI
            sDscrpt = 'URI: ' + sURI + " | "
            sDscrpt += "Type: URL | "
            obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsURI)
            obsURI = None
            objIndicator.add_indicator_type("URL Watchlist")

        #Parser File Hash
        sHash = data[sKey]['attrib']['hash']
        if len(sHash) > 0:
            objFile = File()
            sFileName = data[sKey]['attrib']['fileName']
            if len(sFileName) > 0:
                objFile.file_name = sFileName
                objFile.file_format = sFileName.split('.')[1]

            objFile.add_hash(Hash(sHash, exact=True))
            obsFile = Observable(objFile)
            objFile = None
            obsFile.sighting_count = 1
            obsFile.title = 'File: ' + sFileName
            sDscrpt = 'FileName: ' + sFileName + " | "
            sDscrpt += "FileHash: " + sHash + " | "
            obsFile.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsFile)
            obsFile = None
            objIndicator.add_indicator_type("File Hash Watchlist")

        ### Add Generated observable to Indicator
        objIndicator.observables = listOBS
        objIndicator.observable_composition_operator = 'OR'

        #Parsing Producer
        sProducer = srcObj.Domain
        if len(sProducer) > 0:
            objIndicator.set_producer_identity(sProducer)

        objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
        objIndicator.set_received_time(data[sKey]['dateDL'])

        ### Old Title / Description Generator
        #objIndicator.title = data[sKey]['attrib']['title'];
        #objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>";

        ### Generate Indicator Title based on availbe data
        sTitle = 'ZeuS Tracker (' + data[sKey]['attrib'][
            'status'] + ')| ' + data[sKey]['attrib']['title']
        if len(sAddr) > 0:
            sAddLine = "This IP address has been identified as malicious"
        if len(sDomain) > 0:
            sAddLine = "This domain has been identified as malicious"
        if len(sAddLine) > 0:
            sTitle = sTitle + " | " + sAddLine
        if len(srcObj.Domain) > 0:
            sTitle = sTitle + " by " + srcObj.Domain
        else:
            sTitle = sTitle + "."
        if len(sTitle) > 0:
            objIndicator.title = sTitle

        #Generate Indicator Description based on availbe data
        sDscrpt = ""
        if len(sAddr) > 0:
            sAddLine = "This IP address " + sAddr
        if len(sDomain) > 0:
            sAddLine = "This domain " + sDomain
        if len(sAddr) > 0 and len(sDomain) > 0:
            sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
        if len(sAddLine) > 0:
            sDscrpt = sDscrpt + sAddLine

        sDscrpt = sDscrpt + " has been identified as malicious"
        if len(srcObj.Domain) > 0:
            sDscrpt = sDscrpt + " by " + srcObj.Domain
        else:
            sDscrpt = sDscrpt + "."
        sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[
            sKey]['attrib']['link'] + "]."

        if len(sDscrpt) > 0:
            objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        #Parse TTP
        objMalware = MalwareInstance()
        objMalware.add_name("ZeuS")
        objMalware.add_name("Zbot")
        objMalware.add_name("Zeus")
        objMalware.add_type("Remote Access Trojan")
        objMalware.short_description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware effects Microsoft Windows operating system"
        objMalware.description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on computers running under versions of the Microsoft Windows operating system. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.[1] Zeus is spread mainly through drive-by downloads and phishing schemes. (2014(http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29))"

        objTTP = TTP(title="ZeuS")
        objTTP.behavior = Behavior()
        objTTP.behavior.add_malware_instance(objMalware)
        objIndicator.add_indicated_ttp(objTTP)
        #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
        #stix_package.add_ttp(objTTP)

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = sProducer + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return (stix_package)
Esempio n. 20
0
def json2incident(config, src, dest, endpoint, json_, crits_id):
    '''transform crits events into stix incidents with related indicators'''
    try:
        set_id_method(IDGenerator.METHOD_UUID)
        xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
        xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
        set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
        if endpoint == 'events':
            endpoint_trans = {
                'Email': 'emails',
                'IP': 'ips',
                'Sample': 'samples',
                'Domain': 'domains',
                'Indicator': 'indicators'
            }
            status_trans = {
                'New': 'New',
                'In Progress': 'Open',
                'Analyzed': 'Closed',
                'Deprecated': 'Rejected'
            }
            incident_ = Incident()
            incident_.id = xmlns_name + ':incident-' + crits_id
            incident_.id_ = incident_.id
            incident_.title = json_['title']
            incident_.description = json_['description']
            incident_.status = status_trans[json_['status']]
            # incident_.confidence = json_['confidence']['rating'].capitalize()
            for r in json_['relationships']:
                if r.get('relationship',
                         None) not in ['Contains', 'Related_To']:
                    config['logger'].error(
                        log.log_messages['unsupported_object_error'].format(
                            type_='crits',
                            obj_type='event relationship type ' +
                            r.get('relationship', 'None'),
                            id_=crits_id))
                    continue
                if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']:
                    related_observable = RelatedObservable(
                        Observable(idref=xmlns_name + ':observable-' +
                                   r['value']))
                    incident_.related_observables.append(related_observable)
                elif r['type'] == 'Indicator':
                    related_indicator = RelatedIndicator(
                        Indicator(idref=xmlns_name + ':indicator-' +
                                  r['value']))
                    incident_.related_indicators.append(related_indicator)
                elif r['type'] == 'Event':
                    related_incident = RelatedIncident(
                        Incident(idref=xmlns_name + ':incident-' + r['value']))
                    incident_.related_incidents.append(related_incident)
            return (incident_)
        else:
            config['logger'].error(
                log.log_messages['unsupported_object_error'].format(
                    type_='crits', obj_type=endpoint, id_=crits_id))
            return (None)
    except:
        e = sys.exc_info()[0]
        config['logger'].error(log.log_messages['obj_convert_error'].format(
            src_type='crits',
            src_obj='event',
            id_=crits_id,
            dest_type='stix',
            dest_obj='incident'))
        config['logger'].exception(e)
        return (None)
def main():

    # "hardcoded" values
    ns = "urn:example.com:marks_malware_metadata_mart"
    ns_alias = "m4"

    # Set the STIX ID Namespace
    stix_namespace = {ns: ns_alias}
    stix_sin(stix_namespace)

    # Set the CybOX ID Namespace
    cybox_namespace = Namespace(ns, ns_alias)
    cybox_sin(cybox_namespace)

    ttp_id = 'ttp-d539bb85-9363-4814-83c8-fa9975045686'
    ttp_timestamp = '2014-09-30T15:56:27.000000+00:00'

    # Fake database values
    md5_hash = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
    object_id = 'File-927731f2-cc2c-421c-a40e-dc6f4a6c75a4'
    observable_id = 'Observable-45e3e64c-8438-441e-bc49-51e417466e29'
    confidence = 'High'
    confidence_timestamp = '2014-09-29T14:32:00.000000'
    indicator_id = 'Indicator-54baefc1-4742-4b40-ba83-afd51115015b'
    indicator_timestamp = '2014-09-29T14:32:00.000000'

    # Code to create the STIX Package
    sp = STIXPackage()
    sp.stix_header = STIXHeader()
    sp.stix_header.title = "File Hash Reputation for %s" % md5_hash
    sp.stix_header.add_package_intent("Indicators - Malware Artifacts")
    sp.stix_header.information_source = InformationSource()
    sp.stix_header.information_source.identity = Identity()
    sp.stix_header.information_source.identity.name = "Mark's Malware Metadata Mart"

    file_hash = Hash(hash_value=md5_hash, type_='MD5', exact=True)
    file_hash.type_.condition = "Equals"

    file_obj = File()
    file_obj.id_ = (ns_alias + ':' + object_id)
    file_obj.add_hash(file_hash)

    indicator = Indicator(title="File Hash Reputation",
                          id_=(ns_alias + ':' + indicator_id),
                          timestamp=indicator_timestamp)
    indicator.indicator_type = "File Hash Reputation"
    indicator.add_observable(file_obj)
    indicator.observables[0].id_ = ns_alias + ':' + observable_id

    ttp = TTP()
    ttp.id_ = ns_alias + ':' + ttp_id
    ttp.timestamp = ttp_timestamp
    ttp.title = "Malicious File"

    indicator.add_indicated_ttp(TTP(idref=ttp.id_, timestamp=ttp.timestamp))
    indicator.indicated_ttps[0].confidence = confidence
    indicator.indicated_ttps[0].confidence.timestamp = confidence_timestamp

    sp.add_indicator(indicator)
    sp.add_ttp(ttp)

    stix_xml = sp.to_xml()

    poll_response = tm11.PollResponse(message_id=generate_message_id(),
                                      in_response_to="1234",
                                      collection_name='file_hash_reputation')
    cb = tm11.ContentBlock(content_binding=CB_STIX_XML_111, content=stix_xml)
    poll_response.content_blocks.append(cb)
    print poll_response.to_xml(pretty_print=True)
Esempio n. 22
0
def gen_stix_observable_sample(config,
                               target=None,
                               datatype=None,
                               title='random test data',
                               description='random test data',
                               package_intents='Indicators - Watchlist',
                               tlp_color='WHITE'):
    '''generate sample stix data comprised of indicator_count
    indicators of type datatype'''
    # setup the xmlns...
    xmlns_url = config['edge']['sites'][target]['stix']['xmlns_url']
    xmlns_name = config['edge']['sites'][target]['stix']['xmlns_name']
    set_stix_id_namespace({xmlns_url: xmlns_name})
    set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
    # construct a stix package...
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = title
    stix_header.description = description
    stix_header.package_intents = package_intents
    marking = MarkingSpecification()
    marking.controlled_structure = '../../../../descendant-or-self::node()'
    tlp_marking = TLPMarkingStructure()
    tlp_marking.color = tlp_color
    marking.marking_structures.append(tlp_marking)
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking)
    # ...and stuff it full of random sample data :-)
    if datatype == 'ip':
        addr = Address(address_value=datagen.generate_random_ip_address(),
                       category='ipv4-addr')
        addr.condition = 'Equals'
        stix_package.add_observable(Observable(addr))
    elif datatype == 'domain':
        domain = DomainName()
        domain.type_ = 'FQDN'
        domain.value = datagen.generate_random_domain(config)
        domain.condition = 'Equals'
        stix_package.add_observable(Observable(domain))
    elif datatype == 'filehash':
        file_object = File()
        file_object.file_name = str(uuid.uuid4()) + '.exe'
        hashes = datagen.generate_random_hashes()
        for hash in hashes.keys():
            file_object.add_hash(Hash(hashes[hash], type_=hash.upper()))
            for i in file_object.hashes:
                i.simple_hash_value.condition = "Equals"
        stix_package.add_observable(Observable(file_object))
    elif datatype == 'email':
        try:
            msg = datagen.get_random_spam_msg(config)
            email = EmailMessage()
            email.header = EmailHeader()
            header_map = {
                'Subject': 'subject',
                'To': 'to',
                'Cc': 'cc',
                'Bcc': 'bcc',
                'From': 'from_',
                'Sender': 'sender',
                'Date': 'date',
                'Message-ID': 'message_id',
                'Reply-To': 'reply_to',
                'In-Reply-To': 'in_reply_to',
                'Content-Type': 'content_type',
                'Errors-To': 'errors_to',
                'Precedence': 'precedence',
                'Boundary': 'boundary',
                'MIME-Version': 'mime_version',
                'X-Mailer': 'x_mailer',
                'User-Agent': 'user_agent',
                'X-Originating-IP': 'x_originating_ip',
                'X-Priority': 'x_priority'
            }
            # TODO handle received_lines
            for key in header_map.keys():
                val = msg.get(key, None)
                if val:
                    email.header.__setattr__(header_map[key], val)
                    email.header.__getattribute__(header_map[key]).condition = \
                        'Equals'
            # TODO handle email bodies (it's mostly all there except for
            #      handling weird text encoding problems that were making
            #      libcybox stacktrace)
            # body = get_email_payload(random_spam_msg)
            # if body:
            #     email.raw_body = body
            stix_package.add_observable(Observable(email))
        except:
            return (None)
    observable_id = stix_package.observables.observables[0].id_
    return (observable_id, stix_package)
Esempio n. 23
0
def json2indicator(config, src, dest, endpoint, json_, crits_id):
    '''transform crits indicators into stix indicators with embedded
    cybox observable composition'''
    try:
        set_id_method(IDGenerator.METHOD_UUID)
        xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
        xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
        set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
        if endpoint == 'indicators':
            endpoint_trans = {
                'Email': 'emails',
                'IP': 'ips',
                'Sample': 'samples',
                'Domain': 'domains',
                'Indicator': 'indicators',
                'Event': 'events'
            }
            if json_.get('type', None) not in ['Reference', 'Related_To']:
                config['logger'].error(
                    log.log_messages['unsupported_object_error'].format(
                        type_='crits',
                        obj_type='indicator type ' + json_.get('type', 'None'),
                        id_=crits_id))
                return (None)
            indicator_ = Indicator()
            indicator_.id = xmlns_name + ':indicator-' + crits_id
            indicator_.id_ = indicator_.id
            indicator_.title = json_['value']
            indicator_.confidence = json_['confidence']['rating'].capitalize()
            indicator_.add_indicator_type('Malware Artifacts')
            observable_composition_ = ObservableComposition()
            observable_composition_.operator = \
                indicator_.observable_composition_operator
            for r in json_['relationships']:
                if r.get('relationship',
                         None) not in ['Contains', 'Related_To']:
                    config['logger'].error(
                        log.log_messages['unsupported_object_error'].format(
                            type_='crits',
                            obj_type='indicator relationship type ' +
                            r.get('relationship', 'None'),
                            id_=crits_id))
                    continue
                if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']:
                    observable_ = Observable()
                    observable_.idref = xmlns_name + ':observable-' + r['value']
                    observable_composition_.add(observable_)
                elif r['type'] == 'Indicator':
                    related_indicator = RelatedIndicator(
                        Indicator(idref=xmlns_name + ':indicator-' +
                                  r['value']))
                    indicator_.related_indicators.append(related_indicator)
                # stix indicators don't support related_incident :-(
                # elif r['type'] == 'Event':
                #     related_incident = RelatedIncident(Incident(idref=xmlns_name + ':incident-' + r['value']))
                #     indicator_.related_incidents.append(related_incident)
            indicator_.observable = Observable()
            indicator_.observable.observable_composition = \
                observable_composition_
            return (indicator_)
        else:
            config['logger'].error(
                log.log_messages['unsupported_object_error'].format(
                    type_='crits', obj_type=endpoint, id_=crits_id))
            return (None)
    except:
        e = sys.exc_info()[0]
        config['logger'].error(log.log_messages['obj_convert_error'].format(
            src_type='crits',
            src_obj='indicator',
            id_=crits_id,
            dest_type='stix',
            dest_obj='indicator'))
        config['logger'].exception(e)
        return (None)
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        # if 'indicator' in data[sKey]['meta']['IDs']:
        #     objIndicator.id_ = data[sKey]['meta']['IDs'].key
        # else:
        #     data[sKey]['meta']['IDs'].update({objIndicator.id_:'indicator'})

        listOBS = []

        ### Parsing IP Address
        sAddr = data[sKey]['attrib']['IP Address']
        if sAddr:
            objAddr = Address()
            objAddr.is_source = True
            objAddr.address_value = sAddr
            objAddr.address_value.condition = 'Equals'
            if isIPv4(sAddr):
                objAddr.category = 'ipv4-addr'
            elif isIPv6(sAddr):
                objAddr.category = 'ipv6-addr'
            else:
                continue

            obsAddr = Observable(objAddr)
            # if 'address"' in data[sKey]['meta']['IDs']:
            #     obsAddr.id_ = data[sKey]['meta']['IDs'].key
            # else:
            #     data[sKey]['meta']['IDs'].update({objIndicator.id_:'address'})

            objAddr = None
            obsAddr.sighting_count = 1
            obsAddr.title = 'IP: ' + sAddr
            sDscrpt = 'IPv4' + ': ' + sAddr + " | "
            sDscrpt += "isSource: True | "
            obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsAddr)
            obsAddr = None
            objIndicator.add_indicator_type("IP Watchlist")

        ### Parsing Domain
        sDomain = data[sKey]['attrib']['Hostname']
        if sDomain:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'
            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            # if 'domain' in data[sKey]['meta']['IDs']:
            #     obsDomain.id_ = data[sKey]['meta']['IDs'].key
            # else:
            #     data[sKey]['meta']['IDs'].update({obsDomain.id_:'domain'})

            objDomain = None
            obsDomain.sighting_count = 1
            obsDomain.title = 'Domain: ' + sDomain
            sDscrpt = 'Domain: ' + sDomain + " | "
            sDscrpt += "isFQDN: True | "
            obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsDomain)
            obsDomain = None
            objIndicator.add_indicator_type("Domain Watchlist")

        ### Parsing Port Number
        sPortList = data[sKey]['attrib']['Ports']
        for item in sPortList:
            if sPortList[item]:
                objPort = Port()
                sPort = sPortList[item]
                objPort.port_value = int(sPort)
                objPort.port_value.condition = 'Equals'
                objPort.layer4_protocol = 'TCP'
                obsPort = Observable(objPort)
                objPort = None
                obsPort.sighting_count = 1
                obsPort.title = 'Port: ' + str(sPort)
                sDscrpt = 'PortNumber: ' + str(sPort) + " | "
                sDscrpt += "Protocol: TCP | "
                obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
                listOBS.append(obsPort)

        ### Add Generated observable to Indicator
        objIndicator.observable_composition_operator = 'OR'
        objIndicator.observables = listOBS

        #Parsing Producer
        infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
        #infoSrc.add_contributing_source(data[sKey]['attrib']['ref'])
        objIndicator.producer = infoSrc

        # if data[sKey]['attrib']['lstDateVF']:
        #     objIndicator.set_produced_time(data[sKey]['attrib']['lstDateVF'][0]);
        objIndicator.set_received_time(data[sKey]['meta']['dateDL'])

        ### Generate Indicator Title based on availbe data
        lstContainng = []
        lstIs = []
        sTitle = ' This'
        if data[sKey]['attrib']['Hostname']:
            sTitle += ' domain ' + data[sKey]['attrib']['Hostname']
        else:
            sTitle += ' ipAddress ' + sKey

        sTitle += ' has been identified as a TOR network "Exit Point" router'
        objIndicator.title = sTitle

        ### Generate Indicator Description based on availbe data
        sDscrpt = ' torstatus.blutmagie.de has identified this'
        if data[sKey]['attrib']['Hostname']:
            sDscrpt += ' domain ' + data[sKey]['attrib']['Hostname']
        else:
            sDscrpt += ' ipAddress ' + sKey

        # sDscrpt += ' with a router name of "' + data[sKey]['attrib']['Router Name'] + '"'

        # if data[sKey]['attrib']['Ports']['ORPort']:
        #     sDscrpt += ' using ORPort: ' + str(data[sKey]['attrib']['Ports']['ORPort'])

        # if data[sKey]['attrib']['Ports']['DirPort']:
        #     sDscrpt += ' and DirPort: ' + str(data[sKey]['attrib']['Ports']['DirPort'])

        sDscrpt += ' as a TOR network "Exit Point" router'

        if data[sKey]['attrib']['Country Code']:
            sCntry_code = data[sKey]['attrib']['Country Code']
            if sCntry_code in dictCC2CN:
                sCntry_name = dictCC2CN[sCntry_code]
            sDscrpt += ', which appears to be located in ' + sCntry_name

        sDscrpt += '. \n\n RawData: ' + str(data[sKey]['attrib'])
        objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        #Parse TTP
        # objMalware = MalwareInstance()
        # objMalware.add_type("Remote Access Trojan")

        # ttpTitle = data[sKey]['attrib']['type']
        # objTTP = TTP(title=ttpTitle)
        # objTTP.behavior = Behavior()
        # objTTP.behavior.add_malware_instance(objMalware)
        # objIndicator.add_indicated_ttp(objTTP)
        #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
        #stix_package.add_ttp(objTTP)

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    # locDataFile = 'db_' + srcObj.fileName.split('.')[0] + '.json'
    # sndFile_Dict2JSON(data,locDataFile);
    # data = None
    return (stix_package)
Esempio n. 25
0
def json2observable(config, src, dest, endpoint, json_, crits_id):
    # TODO split into smaller functions
    '''transform crits observables into cybox'''
    try:
        set_id_method(IDGenerator.METHOD_UUID)
        xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
        xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
        set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
        if endpoint == 'ips':
            crits_types = {
                'Address - cidr': 'cidr',
                'Address - ipv4-addr': 'ipv4-addr',
                'Address - ipv4-net': 'ipv4-net',
                'Address - ipv4-net-mask': 'ipv4-netmask',
                'Address - ipv6-addr': 'ipv6-addr',
                'Address - ipv6-net': 'ipv6-net',
                'Address - ipv6-net-mask': 'ipv6-netmask'
            }
            addr = Address(address_value=json_['ip'],
                           category=crits_types[json_['type']])
            addr.condition = 'Equals'
            observable_ = Observable(addr)
        elif endpoint == 'domains':
            domain = DomainName()
            domain.type_ = 'FQDN'
            domain.value = json_['domain']
            domain.condition = 'Equals'
            observable_ = Observable(domain)
        elif endpoint == 'samples':
            crits_types = {
                'md5': 'MD5',
                'sha1': 'SHA1',
                'sha224': 'SHA224',
                'sha256': 'SHA256',
                'sha384': 'SHA384',
                'sha512': 'SHA512',
                'ssdeep': 'SSDEEP'
            }
            file_object = File()
            file_object.file_name = json_['filename']
            for hash in crits_types.keys():
                if hash in json_:
                    file_object.add_hash(
                        Hash(json_[hash], type_=crits_types[hash]))
            for i in file_object.hashes:
                i.simple_hash_value.condition = "Equals"
            observable_ = Observable(file_object)
        elif endpoint == 'emails':
            crits_types = {
                'subject': 'subject',
                'to': 'to',
                'cc': 'cc',
                'from_address': 'from_',
                'sender': 'sender',
                'date': 'date',
                'message_id': 'message_id',
                'reply_to': 'reply_to',
                'boundary': 'boundary',
                'x_mailer': 'x_mailer',
                'x_originating_ip': 'x_originating_ip'
            }
            email = EmailMessage()
            email.header = EmailHeader()
            for k in crits_types.keys():
                val = json_.get(k, None)
                if val:
                    email.header.__setattr__(crits_types[k], val)
                    email.header.__getattribute__(crits_types[k]).condition = \
                        'Equals'
            observable_ = Observable(email)
        else:
            config['logger'].error(
                log.log_messages['unsupported_object_error'].format(
                    type_='crits', obj_type=endpoint, id_=crits_id))
            return (None)
        observable_.id = xmlns_name + ':observable-' + crits_id
        observable_.id_ = observable_.id
        return (observable_)
    except:
        e = sys.exc_info()[0]
        config['logger'].error(log.log_messages['obj_convert_error'].format(
            src_type='crits',
            src_obj='observable',
            id_=crits_id,
            dest_type='cybox',
            dest_obj='observable'))
        config['logger'].exception(e)
        return (None)
Esempio n. 26
0
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        ### Parsing IP Address
        sAddr = data[sKey]['attrib']['ipAddr']
        if len(sAddr) > 0:
            objAddr = Address()
            objAddr.is_destination = True
            objAddr.address_value = sAddr
            objAddr.address_value.condition = 'Equals'
            if isIPv4(sAddr):
                objAddr.category = objAddr.CAT_IPV4
            elif isIPv6(sAddr):
                objAddr.category = objAddr.CAT_IPV6
            else:
                continue

            obsAddr = Observable(objAddr)
            objAddr = None
            obsAddr.sighting_count = 1
            obsAddr.title = 'IP: ' + sAddr
            sDscrpt = 'IPv4' + ': ' + sAddr + " | "
            sDscrpt += "isDestination: True | "
            obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsAddr)
            obsAddr = None
            objIndicator.add_indicator_type("IP Watchlist")

        ### Parsing Domain
        sDomain = data[sKey]['attrib']['domain']
        if len(sDomain) > 0:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'

            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            objDomain = None
            obsDomain.sighting_count = 1
            obsDomain.title = 'Domain: ' + sDomain
            sDscrpt = 'Domain: ' + sDomain + " | "
            sDscrpt += "isFQDN: True | "
            obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsDomain)
            obsDomain = None
            objIndicator.add_indicator_type("Domain Watchlist")

        #Parser URI
        sURI = data[sKey]['attrib']['title']
        if len(sURI) > 0:
            objURI = URI()
            objURI.value = sURI
            objURI.value.condition = 'Equals'
            objURI.type_ = URI.TYPE_URL
            obsURI = Observable(objURI)
            objURI = None
            obsURI.sighting_count = 1
            obsURI.title = 'URI: ' + sURI
            sDscrpt = 'URI: ' + sURI + " | "
            sDscrpt += "Type: URL | "
            obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsURI)
            obsURI = None
            objIndicator.add_indicator_type("URL Watchlist")

        ### Add Generated observable to Indicator
        objIndicator.observables = listOBS
        objIndicator.observable_composition_operator = 'OR'

        #Parsing Producer
        sProducer = srcObj.Domain
        if len(sProducer) > 0:
            objIndicator.set_producer_identity(sProducer)

        objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
        objIndicator.set_received_time(data[sKey]['dateDL'])

        ### Generate Indicator Title based on availbe data
        sTitle = 'C2C Site: ' + sURI
        objIndicator.title = sTitle

        #Generate Indicator Description based on availbe data
        sDscrpt = ""
        if len(sAddr) > 0:
            sAddLine = "This IP address " + sAddr
        if len(sDomain) > 0:
            sAddLine = "This domain " + sDomain
        if len(sAddr) > 0 and len(sDomain) > 0:
            sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
        if len(sAddLine) > 0:
            sDscrpt += sAddLine

        sDscrpt = sDscrpt + " has been identified as a command and control site for " + data[
            sKey]['attrib']['dscrpt'] + ' malware'

        if len(srcObj.Domain) > 0:
            sDscrpt = sDscrpt + " by " + srcObj.Domain
        else:
            sDscrpt = sDscrpt + "."
        sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[
            sKey]['attrib']['link'] + "]."

        if len(sDscrpt) > 0:
            objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
            pass

        #Parse TTP
        sType = data[sKey]['attrib']['dscrpt']
        if len(sType) > 0:
            objMalware = MalwareInstance()

            objMalware.add_name(sType)
            objMalware.add_type("Remote Access Trojan")
            objMalware.short_description = ""
            objMalware.description = ""

            objTTP = TTP(title=sType)
            objTTP.behavior = Behavior()
            objTTP.behavior.add_malware_instance(objMalware)
            objIndicator.add_indicated_ttp(objTTP)

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = sProducer + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return (stix_package)
Esempio n. 27
0
 def __init__(self, pefile_parser):
     self.pefile_parser = pefile_parser
     NS = Namespace("http://code.google.com/p/pefile/", "pefile")
     maec.utils.set_id_namespace(NS)
     self.package = Package()
     self.generate_maec()
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        ### Parsing IP Address
        for sAddr in data[sKey]['attrib']['ipAddrList']:
            if len(sAddr) > 0:
                objAddr = Address()
                objAddr.is_destination = True
                objAddr.address_value = sAddr
                #objAddr.address_value.operator = 'Equals'
                objAddr.address_value.condition = 'Equals'

                if isIPv4(sAddr):
                    objAddr.category = 'ipv4-addr'
                elif isIPv6(sAddr):
                    objAddr.category = 'ipv6-addr'
                else:
                    continue

                obsAddr = Observable(objAddr)
                objAddr = None
                obsAddr.sighting_count = 1
                obsAddr.title = 'IP: ' + sAddr
                sDscrpt = 'IPv4' + ': ' + sAddr + " | "
                sDscrpt += "isDestination: True | "
                obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
                listOBS.append(obsAddr)
                obsAddr = None

        ### Parsing Port Number
        sPort = data[sKey]['attrib']['ipPort']
        if len(sPort) > 0:
            objPort = Port()
            objPort.port_value = int(sPort)
            objPort.port_value.condition = 'Equals'
            sProtocol = data[sKey]['attrib']['ipProt']
            if len(sProtocol) > 0:
                objPort.layer4_protocol = sProtocol.upper()

            obsPort = Observable(objPort)
            objPort = None
            obsPort.sighting_count = 1
            obsPort.title = 'Port: ' + sPort
            sDscrpt = 'PortNumber' + ': ' + sPort + " | "
            sDscrpt += "Protocol: " + sProtocol.upper() + " | "
            obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsPort)

        ### Add Generated observable to Indicator
        objIndicator.add_indicator_type("IP Watchlist")
        objIndicator.observable_composition_operator = 'OR'
        objIndicator.observables = listOBS

        from stix.extensions.test_mechanism.snort_test_mechanism import SnortTestMechanism
        from stix.common import InformationSource, Identity
        testMech = SnortTestMechanism()
        testMech.rules = [data[sKey]['attrib']['rule']]
        testMech.efficacy = "Unknown"

        infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
        infoSrc.add_contributing_source("http://www.shadowserver.org")
        infoSrc.add_contributing_source("https://spyeyetracker.abuse.ch")
        infoSrc.add_contributing_source("https://palevotracker.abuse.ch")
        infoSrc.add_contributing_source("https://zeustracker.abuse.ch")

        testMech.producer = infoSrc

        lstRef = data[sKey]['attrib']['reference'].split('|')
        testMech.producer.references = lstRef

        objIndicator.test_mechanisms = [testMech]

        #Parsing Producer
        sProducer = srcObj.Domain
        if len(sProducer) > 0:
            objIndicator.set_producer_identity(sProducer)

        #objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']);
        objIndicator.set_received_time(data[sKey]['dateDL'])

        ### Title / Description Generator
        objIndicator.set_received_time(data[sKey]['dateDL'])

        sTitle = "sid:" + data[sKey]['attrib']['sid'] + " | "
        sTitle += data[sKey]['attrib']['msg'] + " | "
        sTitle += "rev:" + data[sKey]['attrib']['rev']
        objIndicator.title = sTitle

        sDscrpt = "SNORT Rule by Emergingthreats | " + data[sKey]['attrib'][
            'rule']
        objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        #Parse TTP
        objMalware = MalwareInstance()
        nameList = data[sKey]['attrib']['flowbits']
        if len(nameList) > 0:
            nameList = nameList.split("|")
            for sName in nameList:
                sName = sName.split(",")[1]
                objMalware.add_name(sName)

        #objMalware.add_type("Remote Access Trojan")
        objMalware.short_description = data[sKey]['attrib']['msg']

        ttpTitle = data[sKey]['attrib']['classtype'] + " | " + data[sKey][
            'attrib']['msg']
        objTTP = TTP(title=ttpTitle)
        objTTP.behavior = Behavior()
        objTTP.behavior.add_malware_instance(objMalware)
        objIndicator.add_indicated_ttp(objTTP)
        #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
        #stix_package.add_ttp(objTTP)

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = sProducer + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return (stix_package)