def create_indicator(self, ce1sus_indicator, event_permissions, user):
indicator = Indicator()
indicator.id_ = 'ce1sus:Indicator-{0}'.format(ce1sus_indicator.uuid)
indicator.title = ce1sus_indicator.title
indicator.description = ce1sus_indicator.description
indicator.short_description = ce1sus_indicator.short_description
if ce1sus_indicator.confidence:
indicator.confidence = ce1sus_indicator.confidence.title()
else:
indicator.confidence = 'Low'
# TODO: handling
# TODO: markings
for type_ in ce1sus_indicator.types:
indicator.add_indicator_type(type_.name)
if ce1sus_indicator.operator:
indicator.observable_composition_operator = ce1sus_indicator.operator
# Todo Add confidence
# indicator_attachment.confidence = "Low"
creator = self.create_stix_identity(ce1sus_indicator)
time = self.cybox_mapper.get_time(
produced_time=ce1sus_indicator.created_at)
info_source = InformationSource(identity=creator, time=time)
indicator.producer = info_source
observables = ce1sus_indicator.get_observables_for_permissions(
event_permissions, user)
for obs in observables:
cybox_obs = self.create_observable(obs, event_permissions, user)
indicator.add_observable(cybox_obs)
valid_time = ValidTime(start_time=ce1sus_indicator.created_at,
end_time=ce1sus_indicator.created_at)
indicator.add_valid_time_position(valid_time)
return indicator
def resolveObjects(incident, ttps, objects, eventTags, org):
for obj in objects:
tmp_incident = Incident()
resolveAttributes(tmp_incident, ttps, obj["Attribute"], eventTags, org)
indicator = Indicator(
timestamp=getDateFromTimestamp(int(obj["timestamp"])))
indicator.id_ = namespace[1] + ":MispObject-" + obj["uuid"]
setProd(indicator, org)
if obj["comment"] != "":
indicator.description = obj["comment"]
tlpTags = eventTags
for attr in obj["Attribute"]:
tlpTags = mergeTags(tlpTags, attr)
setTLP(indicator, obj["distribution"], tlpTags, True)
indicator.title = obj["name"] + " (MISP Object #" + obj["id"] + ")"
indicator.description = indicator.title
indicator.add_indicator_type("Malware Artifacts")
indicator.add_valid_time_position(ValidTime())
indicator.observable_composition_operator = "AND"
for rindicator in tmp_incident.related_indicators:
if rindicator.item.observable:
indicator.add_observable(rindicator.item.observable)
relatedIndicator = RelatedIndicator(indicator,
relationship=obj["meta-category"])
incident.related_indicators.append(relatedIndicator)
def generateIndicator(attribute):
indicator = Indicator()
indicator.id_="example:indicator-" + attribute["uuid"]
setTLP(indicator, attribute["distribution"])
indicator.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
confidence_value = confidence_mapping.get(attribute["to_ids"], None)
if confidence_value is None:
return indicator
indicator.confidence = Confidence(value=confidence_value, description=confidence_description)
return indicator
def generateIndicator(attribute):
indicator = Indicator(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
indicator.id_= namespace[1] + ":indicator-" + attribute["uuid"]
if attribute["comment"] != "":
indicator.description = attribute["comment"]
setTLP(indicator, attribute["distribution"])
indicator.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
confidence_value = confidence_mapping.get(attribute["to_ids"], None)
if confidence_value is None:
return indicator
indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
return indicator
def generateIndicator(attribute):
indicator = Indicator()
indicator.id_ = "example:indicator-" + attribute["uuid"]
setTLP(indicator, attribute["distribution"])
indicator.title = "MISP Attribute #" + attribute[
"id"] + " uuid: " + attribute["uuid"]
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
confidence_value = confidence_mapping.get(attribute["to_ids"], None)
if confidence_value is None:
return indicator
indicator.confidence = Confidence(value=confidence_value,
description=confidence_description)
return indicator
def generate_indicator(self, attribute, tags, org):
indicator = Indicator(timestamp=attribute.timestamp)
indicator.id_ = "{}:indicator-{}".format(namespace[1], attribute.uuid)
self.set_prod(indicator, org)
if attribute.comment:
indicator.description = attribute.comment
self.set_tlp(indicator, attribute.distribution, self.merge_tags(tags, attribute))
indicator.title = "{}: {} (MISP Attribute #{})".format(attribute.category, attribute.value, attribute.id)
indicator.description = indicator.title
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
confidence_value = confidence_mapping.get(attribute.to_ids, None)
if confidence_value is None:
return indicator
indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=attribute.timestamp)
return indicator
def to_stix_rfi(obj):
from stix.indicator import Indicator as S_Ind
list_rfis = []
for each in obj.rfi:
ind = S_Ind()
ind.title = "CRITs RFI"
ind.timestamp = each.date
ind.description = each.topic
ind.id_ = each.source
list_rfis.append(ind)
for item in each.instance:
ind_2 = S_Ind()
ind_2.title = "CRITs RFI"
ind_2.timestamp = each.date
ind_2.description = each.topic
ind_2.producer = to_source(item)
ind_2.id_ = each.source
list_rfis.append(ind_2)
return list_rfis
def main():
pkg = STIXPackage()
indicator = Indicator()
indicator.id_ = "example:package-382ded87-52c9-4644-bab0-ad3168cbad50"
indicator.title = "Malicious site hosting downloader"
indicator.add_indicator_type("URL Watchlist")
url = URI()
url.value = "http://x4z9arb.cn/4712"
url.type_ = URI.TYPE_URL
indicator.add_observable(url)
pkg.add_indicator(indicator)
print pkg.to_xml()
def main():
pkg = STIXPackage()
indicator = Indicator()
indicator.id_ = "example:package-382ded87-52c9-4644-bab0-ad3168cbad50"
indicator.title = "Malicious site hosting downloader"
indicator.add_indicator_type("URL Watchlist")
url = URI()
url.value = "http://x4z9arb.cn/4712"
url.type_ = URI.TYPE_URL
url.value.condition = "Equals"
indicator.add_observable(url)
pkg.add_indicator(indicator)
print pkg.to_xml()
def to_stix_relationship(obj):
from stix.indicator import Indicator
ind_rel = []
for relationship in obj.relationships:
#if not relationship.private: #testing
ind = Indicator()
ind.title = "MARTI Relation"
ind.timestamp = relationship.relationship_date
ind.confidence = relationship.rel_confidence.title()
ind.id_ = relationship.url_key
ind.add_indicator_type(get_indicator_type(relationship.rel_type))
ind.description = relationship.rel_reason
ind.short_description = relationship.relationship
ind_rel.append(ind)
return ind_rel
def resolve_objects(self, incident, tags):
for misp_object in self.misp_event.objects:
tlp_tags = None
tmp_incident = Incident()
tlp_tags = deepcopy(tags)
self.resolve_attributes(tmp_incident, misp_object.attributes, tags)
indicator = Indicator(timestamp=self.get_date_from_timestamp(int(misp_object.timestamp)))
indicator.id_ = "{}:MispObject-{}".format(namespace[1], misp_object.uuid)
self.set_prod(indicator, self.orgc_name)
for attribute in misp_object.attributes:
tlp_tags = self.merge_tags(tlp_tags, attribute)
self.set_tlp(indicator, misp_object.distribution, tlp_tags)
title = "{} (MISP Object #{})".format(misp_object.name, misp_object.id)
indicator.title = title
indicator.description = misp_object.comment if misp_object.comment else title
indicator.add_indicator_type("Malware Artifacts")
indicator.add_valid_time_position(ValidTime())
indicator.observable_composition_operator = "AND"
for rindicator in tmp_incident.related_indicators:
if rindicator.item.observable:
indicator.add_observable(rindicator.item.observable)
relatedIndicator = RelatedIndicator(indicator, relationship=misp_object['meta-category'])
incident.related_indicators.append(relatedIndicator)
def json2indicator(config, src, dest, endpoint, json_, crits_id):
'''transform crits indicators into stix indicators with embedded
cybox observable composition'''
try:
set_id_method(IDGenerator.METHOD_UUID)
xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
if endpoint == 'indicators':
endpoint_trans = {'Email': 'emails', 'IP': 'ips',
'Sample': 'samples', 'Domain': 'domains',
'Indicator': 'indicators', 'Event': 'events'}
if json_.get('type', None) not in ['Reference', 'Related_To']:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits', obj_type='indicator type ' + json_.get('type', 'None'),
id_=crits_id))
return(None)
indicator_ = Indicator()
indicator_.id = xmlns_name + ':indicator-' + crits_id
indicator_.id_ = indicator_.id
indicator_.title = json_['value']
indicator_.confidence = json_['confidence']['rating'].capitalize()
indicator_.add_indicator_type('Malware Artifacts')
observable_composition_ = ObservableComposition()
observable_composition_.operator = \
indicator_.observable_composition_operator
for r in json_['relationships']:
if r.get('relationship', None) not in ['Contains', 'Related_To']:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits', obj_type='indicator relationship type '
+ r.get('relationship', 'None'), id_=crits_id))
continue
if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']:
observable_ = Observable()
observable_.idref = xmlns_name + ':observable-' + r['value']
observable_composition_.add(observable_)
elif r['type'] == 'Indicator':
related_indicator = RelatedIndicator(Indicator(idref=xmlns_name + ':indicator-' + r['value']))
indicator_.related_indicators.append(related_indicator)
# stix indicators don't support related_incident :-(
# elif r['type'] == 'Event':
# related_incident = RelatedIncident(Incident(idref=xmlns_name + ':incident-' + r['value']))
# indicator_.related_incidents.append(related_incident)
indicator_.observable = Observable()
indicator_.observable.observable_composition = \
observable_composition_
return(indicator_)
else:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits', obj_type=endpoint, id_=crits_id))
return(None)
except:
e = sys.exc_info()[0]
config['logger'].error(log.log_messages['obj_convert_error'].format(
src_type='crits', src_obj='indicator', id_=crits_id,
dest_type='stix', dest_obj='indicator'))
config['logger'].exception(e)
return(None)
def json2indicator(config, src, dest, endpoint, json_, crits_id):
'''transform crits indicators into stix indicators with embedded
cybox observable composition'''
try:
set_id_method(IDGenerator.METHOD_UUID)
xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
if endpoint == 'indicators':
endpoint_trans = {
'Email': 'emails',
'IP': 'ips',
'Sample': 'samples',
'Domain': 'domains',
'Indicator': 'indicators',
'Event': 'events'
}
if json_.get('type', None) not in ['Reference', 'Related_To']:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits',
obj_type='indicator type ' + json_.get('type', 'None'),
id_=crits_id))
return (None)
indicator_ = Indicator()
indicator_.id = xmlns_name + ':indicator-' + crits_id
indicator_.id_ = indicator_.id
indicator_.title = json_['value']
indicator_.confidence = json_['confidence']['rating'].capitalize()
indicator_.add_indicator_type('Malware Artifacts')
observable_composition_ = ObservableComposition()
observable_composition_.operator = \
indicator_.observable_composition_operator
for r in json_['relationships']:
if r.get('relationship',
None) not in ['Contains', 'Related_To']:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits',
obj_type='indicator relationship type ' +
r.get('relationship', 'None'),
id_=crits_id))
continue
if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']:
observable_ = Observable()
observable_.idref = xmlns_name + ':observable-' + r['value']
observable_composition_.add(observable_)
elif r['type'] == 'Indicator':
related_indicator = RelatedIndicator(
Indicator(idref=xmlns_name + ':indicator-' +
r['value']))
indicator_.related_indicators.append(related_indicator)
# stix indicators don't support related_incident :-(
# elif r['type'] == 'Event':
# related_incident = RelatedIncident(Incident(idref=xmlns_name + ':incident-' + r['value']))
# indicator_.related_incidents.append(related_incident)
indicator_.observable = Observable()
indicator_.observable.observable_composition = \
observable_composition_
return (indicator_)
else:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits', obj_type=endpoint, id_=crits_id))
return (None)
except:
e = sys.exc_info()[0]
config['logger'].error(log.log_messages['obj_convert_error'].format(
src_type='crits',
src_obj='indicator',
id_=crits_id,
dest_type='stix',
dest_obj='indicator'))
config['logger'].exception(e)
return (None)
