def transform(self, event):
stix_package = STIXPackage()
self._add_header(stix_package, "Unauthorized traffic to honeypot",
"Describes one or more honeypot incidents")
incident = Incident(
id_="%s:%s-%s" %
(CONPOT_NAMESPACE, 'incident', event['session_id']))
initial_time = StixTime()
initial_time.initial_compromise = event['timestamp'].isoformat()
incident.time = initial_time
incident.title = "Conpot Event"
incident.short_description = "Traffic to Conpot ICS honeypot"
incident.add_category(
VocabString(value='Scans/Probes/Attempted Access'))
tool_list = ToolInformationList()
tool_list.append(
ToolInformation.from_dict({
'name':
"Conpot",
'vendor':
"Conpot Team",
'version':
conpot.__version__,
'description':
textwrap.dedent(
'Conpot is a low interactive server side Industrial Control Systems '
'honeypot designed to be easy to deploy, modify and extend.'
)
}))
incident.reporter = InformationSource(tools=tool_list)
incident.add_discovery_method("Monitoring Service")
incident.confidence = "High"
# Victim Targeting by Sector
ciq_identity = CIQIdentity3_0Instance()
#identity_spec = STIXCIQIdentity3_0()
#identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
#ciq_identity.specification = identity_spec
ttp = TTP(
title=
"Victim Targeting: Electricity Sector and Industrial Control System Sector"
)
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
incident.leveraged_ttps.append(ttp)
indicator = Indicator(title="Conpot Event")
indicator.description = "Conpot network event"
indicator.confidence = "High"
source_port = Port.from_dict({
'port_value': event['remote'][1],
'layer4_protocol': 'tcp'
})
dest_port = Port.from_dict({
'port_value':
self.protocol_to_port_mapping[event['data_type']],
'layer4_protocol':
'tcp'
})
source_ip = Address.from_dict({
'address_value': event['remote'][0],
'category': Address.CAT_IPV4
})
dest_ip = Address.from_dict({
'address_value': event['public_ip'],
'category': Address.CAT_IPV4
})
source_address = SocketAddress.from_dict({
'ip_address':
source_ip.to_dict(),
'port':
source_port.to_dict()
})
dest_address = SocketAddress.from_dict({
'ip_address': dest_ip.to_dict(),
'port': dest_port.to_dict()
})
network_connection = NetworkConnection.from_dict({
'source_socket_address':
source_address.to_dict(),
'destination_socket_address':
dest_address.to_dict(),
'layer3_protocol':
"IPv4",
'layer4_protocol':
"TCP",
'layer7_protocol':
event['data_type'],
'source_tcp_state':
"ESTABLISHED",
'destination_tcp_state':
"ESTABLISHED",
})
indicator.add_observable(Observable(network_connection))
artifact = Artifact()
artifact.data = json.dumps(event['data'])
artifact.packaging.append(ZlibCompression())
artifact.packaging.append(Base64Encoding())
indicator.add_observable(Observable(artifact))
incident.related_indicators.append(indicator)
stix_package.add_incident(incident)
stix_package_xml = stix_package.to_xml()
return stix_package_xml
def convert_file(ifn, ofn, vcdb):
global cve_info
global targets_item
cve_info = []
targets_item = None
with open(ifn) as json_data:
veris_item = json.load(json_data)
json_data.close()
schema_version_item = veris_item.get("schema_version")
if not schema_version_item:
error("The 'schema_version' item is required")
elif not (schema_version_item == "1.3" or schema_version_item == "1.3.0"):
error("This converter is for VERIS schema version 1.3. This file has schema version " + schema_version_item)
return
pkg = STIXPackage()
action_item = veris_item.get('action')
if not action_item:
error("The 'action' item is required")
else:
add_action_item(action_item, pkg)
add_cve_info(pkg)
actor_item = veris_item.get('actor')
if not actor_item:
error("The 'actor' item is required")
else:
add_actor_item(actor_item, pkg)
incident = Incident()
pkg.add_incident(incident)
asset_item = veris_item.get('asset')
if not asset_item:
error("The 'asset' item is required")
else:
attribute_item = veris_item.get('attribute')
add_asset_item(asset_item, attribute_item, incident)
# added as 1.3
campaign_id_item = veris_item.get('campaign_id')
if campaign_id_item:
add_campaign_item(campaign_id_item, pkg)
confidence_item = veris_item.get('confidence')
if confidence_item:
add_confidence_item(confidence_item, incident)
#control_failure - not found in data
if veris_item.get('control_failure'):
warn("'control_failure' item not handled, yet")
corrective_action_item = veris_item.get('corrective_action')
cost_corrective_action_item = veris_item.get('cost_corrective_action')
if corrective_action_item or cost_corrective_action_item:
add_coa_items(corrective_action_item, cost_corrective_action_item, pkg)
discovery_method_item = veris_item.get('discovery_method')
if not discovery_method_item:
error("The 'discovery_method' item is required")
else:
incident.add_discovery_method(map_discovey_method(discovery_method_item))
discovery_notes_item = veris_item.get('discovery_notes')
if discovery_notes_item:
warn("'discovery_notes' item not handled yet")
impact_item = veris_item.get('impact')
if impact_item:
add_impact_item(impact_item, incident)
incident_id_item = veris_item.get('incident_id')
if not incident_id_item:
error("The 'incident_id' item is required")
else:
external_id = ExternalID()
external_id.value = incident_id_item
external_id.source = "VERIS"
incident.add_external_id(external_id)
notes_item = veris_item.get('notes')
if notes_item:
pkg.stix_header = STIXHeader()
pkg.stix_header.title = "Notes: " + notes_item
# plus item for records from VCDB have some known useful information
if vcdb:
plus_item = veris_item.get('plus')
if plus_item:
add_plus_item(plus_item, incident, pkg)
# removed as of 1.3 - see campaign_id
# related_incidents_item = veris_item.get('related_incidents')
# if related_incidents_item:
# add_related_incidents_item(related_incidents_item, incident)
security_incident_item = veris_item.get('security_incident')
if not security_incident_item:
error("The 'security_incident' item is required")
else:
incident.security_compromise = map_security_incident_item_to_security_compromise(security_incident_item)
reference_item = veris_item.get('reference')
source_id_item = veris_item.get('source_id')
if source_id_item or reference_item:
add_information_source_items(reference_item, source_id_item, schema_version_item, incident)
summary_item = veris_item.get('summary')
if summary_item:
incident.title = summary_item
#targeted_item = veris_item.get('targeted')
#if targeted_item:
timeline_item = veris_item.get('timeline')
if not timeline_item:
error("The 'timeline' item is required")
else:
add_timeline_item(timeline_item, incident)
victim_item = veris_item.get('victim')
if victim_item:
add_victim_item(victim_item, incident)
add_related(pkg)
if not ofn:
stixXML = sys.stdout
else:
stixXML = open(ofn, 'wb')
stixXML.write(pkg.to_xml())
stixXML.close()
def transform(self, event):
self._set_namespace(self.config['contact_domain'], self.config['contact_name'])
stix_package = STIXPackage()
self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents")
incident = Incident(id_="%s:%s-%s" % (self.config['contact_name'], 'incident', event['session_id']))
initial_time = StixTime()
initial_time.initial_compromise = event['timestamp'].isoformat()
incident.time = initial_time
incident.title = "Conpot Event"
incident.short_description = "Traffic to Conpot ICS honeypot"
incident.add_category(VocabString(value='Scans/Probes/Attempted Access'))
tool_list = ToolInformationList()
tool_list.append(ToolInformation.from_dict({
'name': "Conpot",
'vendor': "Conpot Team",
'version': conpot.__version__,
'description': textwrap.dedent('Conpot is a low interactive server side Industrial Control Systems '
'honeypot designed to be easy to deploy, modify and extend.')
}))
incident.reporter = InformationSource(tools=tool_list)
incident.add_discovery_method("Monitoring Service")
incident.confidence = "High"
# Victim Targeting by Sector
ciq_identity = CIQIdentity3_0Instance()
#identity_spec = STIXCIQIdentity3_0()
#identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
#ciq_identity.specification = identity_spec
ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector")
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
incident.leveraged_ttps.append(ttp)
indicator = Indicator(title="Conpot Event")
indicator.description = "Conpot network event"
indicator.confidence = "High"
source_port = Port.from_dict({'port_value': event['remote'][1], 'layer4_protocol': 'tcp'})
dest_port = Port.from_dict({'port_value': self.protocol_to_port_mapping[event['data_type']],
'layer4_protocol': 'tcp'})
source_ip = Address.from_dict({'address_value': event['remote'][0], 'category': Address.CAT_IPV4})
dest_ip = Address.from_dict({'address_value': event['public_ip'], 'category': Address.CAT_IPV4})
source_address = SocketAddress.from_dict({'ip_address': source_ip.to_dict(), 'port': source_port.to_dict()})
dest_address = SocketAddress.from_dict({'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict()})
network_connection = NetworkConnection.from_dict(
{'source_socket_address': source_address.to_dict(),
'destination_socket_address': dest_address.to_dict(),
'layer3_protocol': u"IPv4",
'layer4_protocol': u"TCP",
'layer7_protocol': event['data_type'],
'source_tcp_state': u"ESTABLISHED",
'destination_tcp_state': u"ESTABLISHED",
}
)
indicator.add_observable(Observable(network_connection))
artifact = Artifact()
artifact.data = json.dumps(event['data'])
artifact.packaging.append(ZlibCompression())
artifact.packaging.append(Base64Encoding())
indicator.add_observable(Observable(artifact))
incident.related_indicators.append(indicator)
stix_package.add_incident(incident)
stix_package_xml = stix_package.to_xml()
return stix_package_xml
t.incident_opened = t1
t.incident_discovery = t1
t.incident_reported = t1
t.first_malicious_action = t2
t.initial_compromise = t2
t.first_data_exfiltration = t2
t.containment_achieved = t3
t.restoration_achieved = t3
t.incident_closed = t3
incident.time = t
# Additional Attributes
incident.add_category('Unauthorized Access')
incident.add_intended_effect('Destruction')
incident.confidence = 'High'
incident.add_discovery_method('NIDS')
# People
incident.add_coordinator(InformationSource(identity=Identity(name='Fred')))
incident.add_responder(InformationSource(identity=Identity(name='Frank')))
incident.reporter = InformationSource(identity=Identity(name='Alice'))
incident.add_victim(Identity(name='Bob'))
# Related Observable (by id)
addr1 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4)
observable = Observable(addr1)
related_observable = RelatedObservable(Observable(idref=observable.id_))
incident.related_observables.append(related_observable)
# Related Indicator (by id)
indicator = Indicator()