コード例 #1
0
    def test_encryption(self):
        a = Artifact(self.test_binary_data)
        a.packaging.append(XOREncryption(0x4a))
        a.packaging.append(Base64Encoding())
        a2 = round_trip(a, Artifact)

        self.assertEqual(self.test_binary_data, a2.data)
コード例 #2
0
ファイル: certificate.py プロジェクト: stefanvangastel/crits
    def to_cybox_observable(self):
        """
            Convert a Certificate to a CybOX Observables.
            Returns a tuple of (CybOX object, releasability list).

            To get the cybox object as xml or json, call to_xml() or
            to_json(), respectively, on the resulting CybOX object.
        """
        custom_prop = Property(
        )  # make a custom property so CRITs import can identify Certificate exports
        custom_prop.name = "crits_type"
        custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
        custom_prop._value = "Certificate"
        obj = File()  # represent cert information as file
        obj.md5 = self.md5
        obj.file_name = self.filename
        obj.file_format = self.filetype
        obj.size_in_bytes = self.size
        obj.custom_properties = CustomProperties()
        obj.custom_properties.append(custom_prop)
        obs = Observable(obj)
        obs.description = self.description
        data = self.filedata.read()
        if data:  # if cert data available
            a = Artifact(data, Artifact.TYPE_FILE)  # create artifact w/data
            a.packaging.append(Base64Encoding())
            obj.add_related(a, "Child_Of")  # relate artifact to file
        return ([obs], self.releasability)
コード例 #3
0
    def test_base64_encoding(self):
        a = Artifact(self.test_binary_data)
        a.packaging.append(Base64Encoding())
        a2 = round_trip(a, Artifact)
        self.assertEqual(self.test_binary_data, a2.data)

        expected = base64.b64encode(self.test_binary_data)
        self.assertEqual(expected, a2.packed_data)
コード例 #4
0
    def test_compression(self):
        a = Artifact(self.binary_data)
        a.packaging = Packaging()
        a.packaging.compression.append(Bz2Compression())
        a.packaging.encryption.append(XOREncryption(0x4a))
        a.packaging.encoding.append(Base64Encoding())
        a2 = round_trip(a, Artifact)

        self.assertEqual(self.binary_data, a2.data)
コード例 #5
0
ファイル: artifact_test.py プロジェクト: kralca/python-cybox
    def test_zlib_base64_encoding(self):
        a = Artifact(self.binary_data)
        a.packaging.append(ZlibCompression())
        a.packaging.append(Base64Encoding())
        a2 = round_trip(a, Artifact)
        self.assertEqual(self.binary_data, a2.data)

        expected = b64encode(compress(self.binary_data)).decode('ascii')
        self.assertEqual(expected, a2.packed_data)
コード例 #6
0
ファイル: artifact_test.py プロジェクト: kralca/python-cybox
    def test_cannot_set_nonascii_data_with_no_packaging(self):
        a = Artifact()
        # You can set this data, but if you don't add any packaging, you should
        # get an error when trying to get the packed data, since it can't be
        # encoded as ASCII.
        a.data = b"\x00abc123\xff"
        self.assertEqual(six.binary_type, type(a.data))
        self.assertRaises(ValueError, _get_packed_data, a)

        # With Base64 encoding, we can retrieve this.
        a.packaging.append(Base64Encoding())
        self.assertEqual("AGFiYzEyM/8=", a.packed_data)
コード例 #7
0
    def to_cybox_observable(self):
        """
            Convert a RawData to a CybOX Observables.
            Returns a tuple of (CybOX object, releasability list).

            To get the cybox object as xml or json, call to_xml() or
            to_json(), respectively, on the resulting CybOX object.
        """
        obj = Artifact(self.data, Artifact.TYPE_FILE)
        obj.packaging.append(Base64Encoding())
        obs = Observable(obj)
        obs.description = self.description
        return ([obs], self.releasability)
コード例 #8
0
ファイル: sample.py プロジェクト: decompile/crits
    def to_cybox_observable(self, exclude=None, bin_fmt="raw"):
        if exclude == None:
            exclude = []

        observables = []
        f = File()
        for attr in ['md5', 'sha1', 'sha256']:
            if attr not in exclude:
                val = getattr(self, attr, None)
                if val:
                    setattr(f, attr, val)
        if self.ssdeep and 'ssdeep' not in exclude:
            f.add_hash(Hash(self.ssdeep, Hash.TYPE_SSDEEP))
        if 'size' not in exclude and 'size_in_bytes' not in exclude:
            f.size_in_bytes = UnsignedLong(self.size)
        if 'filename' not in exclude and 'file_name' not in exclude:
            f.file_name = self.filename
        # create an Artifact object for the binary if it exists
        if 'filedata' not in exclude and bin_fmt:
            data = self.filedata.read()
            if data:  # if sample data available
                a = Artifact(data,
                             Artifact.TYPE_FILE)  # create artifact w/data
                if bin_fmt == "zlib":
                    a.packaging.append(ZlibCompression())
                    a.packaging.append(Base64Encoding())
                elif bin_fmt == "base64":
                    a.packaging.append(Base64Encoding())
                f.add_related(a, "Child_Of")  # relate artifact to file
        if 'filetype' not in exclude and 'file_format' not in exclude:
            #NOTE: this doesn't work because the CybOX File object does not
            #   have any support built in for setting the filetype to a
            #   CybOX-binding friendly object (e.g., calling .to_dict() on
            #   the resulting CybOX object fails on this field.
            f.file_format = self.filetype
        observables.append(Observable(f))
        return (observables, self.releasability)
コード例 #9
0
def main():
    test_file = os.path.join(os.path.dirname(__file__), "test.pcap")

    with open(test_file) as f:
        data = f.read()

    a = Artifact(data, Artifact.TYPE_NETWORK)
    a.packaging.append(Base64Encoding())

    o = Observable(a)

    o.description = ("This Observable specifies an instance of an Artifact "
                     "object, specifically some network traffic that was "
                     "captured in a PCAP file and then base64 encoded for "
                     "transport.")

    print(Observables(o).to_xml())
コード例 #10
0
ファイル: pcap.py プロジェクト: he0x/crits
    def to_cybox_observable(self):
        """
            Convert a PCAP to a CybOX Observables.
            Returns a tuple of (CybOX object, releasability list).

            To get the cybox object as xml or json, call to_xml() or
            to_json(), respectively, on the resulting CybOX object.
        """
        obj = File()
        obj.md5 = self.md5
        obj.file_name = self.filename
        obj.file_format = self.contentType
        obj.size_in_bytes = self.length
        obs = Observable(obj)
        obs.description = self.description
        art = Artifact(self.filedata.read(), Artifact.TYPE_NETWORK)
        art.packaging.append(Base64Encoding())
        obj.add_related(art, "Child_Of")  # relate artifact to file
        return ([obs], self.releasability)
コード例 #11
0
    def transform(self, event):
        stix_package = STIXPackage()
        self._add_header(stix_package, "Unauthorized traffic to honeypot",
                         "Describes one or more honeypot incidents")

        incident = Incident(
            id_="%s:%s-%s" %
            (CONPOT_NAMESPACE, 'incident', event['session_id']))
        initial_time = StixTime()
        initial_time.initial_compromise = event['timestamp'].isoformat()
        incident.time = initial_time
        incident.title = "Conpot Event"
        incident.short_description = "Traffic to Conpot ICS honeypot"
        incident.add_category(
            VocabString(value='Scans/Probes/Attempted Access'))

        tool_list = ToolInformationList()
        tool_list.append(
            ToolInformation.from_dict({
                'name':
                "Conpot",
                'vendor':
                "Conpot Team",
                'version':
                conpot.__version__,
                'description':
                textwrap.dedent(
                    'Conpot is a low interactive server side Industrial Control Systems '
                    'honeypot designed to be easy to deploy, modify and extend.'
                )
            }))
        incident.reporter = InformationSource(tools=tool_list)

        incident.add_discovery_method("Monitoring Service")
        incident.confidence = "High"

        # Victim Targeting by Sector
        ciq_identity = CIQIdentity3_0Instance()
        #identity_spec = STIXCIQIdentity3_0()
        #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
        #ciq_identity.specification = identity_spec
        ttp = TTP(
            title=
            "Victim Targeting: Electricity Sector and Industrial Control System Sector"
        )
        ttp.victim_targeting = VictimTargeting()
        ttp.victim_targeting.identity = ciq_identity

        incident.leveraged_ttps.append(ttp)

        indicator = Indicator(title="Conpot Event")
        indicator.description = "Conpot network event"
        indicator.confidence = "High"
        source_port = Port.from_dict({
            'port_value': event['remote'][1],
            'layer4_protocol': 'tcp'
        })
        dest_port = Port.from_dict({
            'port_value':
            self.protocol_to_port_mapping[event['data_type']],
            'layer4_protocol':
            'tcp'
        })
        source_ip = Address.from_dict({
            'address_value': event['remote'][0],
            'category': Address.CAT_IPV4
        })
        dest_ip = Address.from_dict({
            'address_value': event['public_ip'],
            'category': Address.CAT_IPV4
        })
        source_address = SocketAddress.from_dict({
            'ip_address':
            source_ip.to_dict(),
            'port':
            source_port.to_dict()
        })
        dest_address = SocketAddress.from_dict({
            'ip_address': dest_ip.to_dict(),
            'port': dest_port.to_dict()
        })
        network_connection = NetworkConnection.from_dict({
            'source_socket_address':
            source_address.to_dict(),
            'destination_socket_address':
            dest_address.to_dict(),
            'layer3_protocol':
            "IPv4",
            'layer4_protocol':
            "TCP",
            'layer7_protocol':
            event['data_type'],
            'source_tcp_state':
            "ESTABLISHED",
            'destination_tcp_state':
            "ESTABLISHED",
        })
        indicator.add_observable(Observable(network_connection))

        artifact = Artifact()
        artifact.data = json.dumps(event['data'])
        artifact.packaging.append(ZlibCompression())
        artifact.packaging.append(Base64Encoding())
        indicator.add_observable(Observable(artifact))

        incident.related_indicators.append(indicator)
        stix_package.add_incident(incident)

        stix_package_xml = stix_package.to_xml()
        return stix_package_xml
コード例 #12
0
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"):
    """
    Convert a CRITs TLO to a CybOX Observable.

    :param obj: The TLO to convert.
    :type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes`
    :param exclude: Attributes to exclude.
    :type exclude: list
    :param bin_fmt: The format for the binary (if applicable).
    :type bin_fmt: str
    """

    type_ = obj._meta['crits_type']
    if type_ == 'Certificate':
        custom_prop = Property(
        )  # make a custom property so CRITs import can identify Certificate exports
        custom_prop.name = "crits_type"
        custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
        custom_prop._value = "Certificate"
        obje = File()  # represent cert information as file
        obje.md5 = obj.md5
        obje.file_name = obj.filename
        obje.file_format = obj.filetype
        obje.size_in_bytes = obj.size
        obje.custom_properties = CustomProperties()
        obje.custom_properties.append(custom_prop)
        obs = Observable(obje)
        obs.description = obj.description
        data = obj.filedata.read()
        if data:  # if cert data available
            a = Artifact(data, Artifact.TYPE_FILE)  # create artifact w/data
            a.packaging.append(Base64Encoding())
            obje.add_related(a, "Child_Of")  # relate artifact to file
        return ([obs], obj.releasability)
    elif type_ == 'Domain':
        obje = DomainName()
        obje.value = obj.domain
        obje.type_ = obj.record_type
        return ([Observable(obje)], obj.releasability)
    elif type_ == 'Email':
        if exclude == None:
            exclude = []

        observables = []

        obje = EmailMessage()
        # Assume there is going to be at least one header
        obje.header = EmailHeader()

        if 'message_id' not in exclude:
            obje.header.message_id = String(obj.message_id)

        if 'subject' not in exclude:
            obje.header.subject = String(obj.subject)

        if 'sender' not in exclude:
            obje.header.sender = Address(obj.sender, Address.CAT_EMAIL)

        if 'reply_to' not in exclude:
            obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL)

        if 'x_originating_ip' not in exclude:
            obje.header.x_originating_ip = Address(obj.x_originating_ip,
                                                   Address.CAT_IPV4)

        if 'x_mailer' not in exclude:
            obje.header.x_mailer = String(obj.x_mailer)

        if 'boundary' not in exclude:
            obje.header.boundary = String(obj.boundary)

        if 'raw_body' not in exclude:
            obje.raw_body = obj.raw_body

        if 'raw_header' not in exclude:
            obje.raw_header = obj.raw_header

        #copy fields where the names differ between objects
        if 'helo' not in exclude and 'email_server' not in exclude:
            obje.email_server = String(obj.helo)
        if ('from_' not in exclude and 'from' not in exclude
                and 'from_address' not in exclude):
            obje.header.from_ = EmailAddress(obj.from_address)
        if 'date' not in exclude and 'isodate' not in exclude:
            obje.header.date = DateTime(obj.isodate)

        obje.attachments = Attachments()

        observables.append(Observable(obje))
        return (observables, obj.releasability)
    elif type_ == 'Indicator':
        observables = []
        obje = make_cybox_object(obj.ind_type, obj.value)
        observables.append(Observable(obje))
        return (observables, obj.releasability)
    elif type_ == 'IP':
        obje = Address()
        obje.address_value = obj.ip
        if obj.ip_type == IPTypes.IPv4_ADDRESS:
            obje.category = "ipv4-addr"
        elif obj.ip_type == IPTypes.IPv6_ADDRESS:
            obje.category = "ipv6-addr"
        elif obj.ip_type == IPTypes.IPv4_SUBNET:
            obje.category = "ipv4-net"
        elif obj.ip_type == IPTypes.IPv6_SUBNET:
            obje.category = "ipv6-subnet"
        return ([Observable(obje)], obj.releasability)
    elif type_ == 'PCAP':
        obje = File()
        obje.md5 = obj.md5
        obje.file_name = obj.filename
        obje.file_format = obj.contentType
        obje.size_in_bytes = obj.length
        obs = Observable(obje)
        obs.description = obj.description
        art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK)
        art.packaging.append(Base64Encoding())
        obje.add_related(art, "Child_Of")  # relate artifact to file
        return ([obs], obj.releasability)
    elif type_ == 'RawData':
        obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE)
        obje.packaging.append(Base64Encoding())
        obs = Observable(obje)
        obs.description = obj.description
        return ([obs], obj.releasability)
    elif type_ == 'Sample':
        if exclude == None:
            exclude = []

        observables = []
        f = File()
        for attr in ['md5', 'sha1', 'sha256']:
            if attr not in exclude:
                val = getattr(obj, attr, None)
                if val:
                    setattr(f, attr, val)
        if obj.ssdeep and 'ssdeep' not in exclude:
            f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP))
        if 'size' not in exclude and 'size_in_bytes' not in exclude:
            f.size_in_bytes = UnsignedLong(obj.size)
        if 'filename' not in exclude and 'file_name' not in exclude:
            f.file_name = obj.filename
        # create an Artifact object for the binary if it exists
        if 'filedata' not in exclude and bin_fmt:
            data = obj.filedata.read()
            if data:  # if sample data available
                a = Artifact(data,
                             Artifact.TYPE_FILE)  # create artifact w/data
                if bin_fmt == "zlib":
                    a.packaging.append(ZlibCompression())
                    a.packaging.append(Base64Encoding())
                elif bin_fmt == "base64":
                    a.packaging.append(Base64Encoding())
                f.add_related(a, "Child_Of")  # relate artifact to file
        if 'filetype' not in exclude and 'file_format' not in exclude:
            #NOTE: this doesn't work because the CybOX File object does not
            #   have any support built in for setting the filetype to a
            #   CybOX-binding friendly object (e.g., calling .to_dict() on
            #   the resulting CybOX object fails on this field.
            f.file_format = obj.filetype
        observables.append(Observable(f))
        return (observables, obj.releasability)
    else:
        return (None, None)
コード例 #13
0
ファイル: ce1susstix.py プロジェクト: tsmolka/ce1sus
    def map_attribtue(self, instance, attribute):
        definition_name = attribute.definition.name
        if hasattr(instance, definition_name.lower()):
            setattr(instance, definition_name.lower(), attribute.value)
            value = getattr(instance, definition_name.lower())
            value.condition = self.get_condition(attribute)
        else:
            if 'hash' in definition_name:
                if attribute.condition.value:
                    if attribute.condition.value:
                        if attribute.condition.value == "Equals":
                            exact = True
                        else:
                            exact = False
                    else:
                        exact = False
                else:
                    exact = True
                h = Hash(attribute.value, exact=exact)
                h.condition = attribute.condition
                if instance.hashes is None:
                    instance.hashes = HashList()
                instance.hashes.append(h)
                pass
            elif 'email' in definition_name:
                self.populate_email(instance, attribute)
            elif definition_name == 'url':
                instance.type_ = URI.TYPE_URL
                instance.value = attribute.value
                instance.value.condition = self.get_condition(attribute)
            elif 'Full_Path' and isinstance(instance, Process):
                # TODO: check why this is set?!?
                pass
            elif definition_name == 'WindowsRegistryKey_Key':
                instance.key = attribute.value
                instance.key.condition = self.get_condition(attribute)
            elif definition_name == 'WindowsRegistryKey_Hive':
                instance.hive = attribute.value
                instance.hive.condition = self.get_condition(attribute)
            elif 'WindowsRegistryKey_RegistryValue' in definition_name:
                value = RegistryValue()
                if definition_name == 'WindowsRegistryKey_RegistryValue_Data':
                    value.data = attribute.value
                    value.data.condition = self.get_condition(attribute)
                elif definition_name == 'WindowsRegistryKey_RegistryValue_Data':
                    value.name = attribute.value
                    value.name.condition = self.get_condition(attribute)
                if not instance.values:
                    instance.values = RegistryValues()

                instance.values.append(value)
                instance.data = attribute.value
            elif definition_name == 'ipv4_addr':
                instance.category = definition_name.replace('_', '-')
                instance.address_value = attribute.value
                instance.address_value.condition = self.get_condition(
                    attribute)
            elif definition_name == 'DomainName_Value':
                instance.value = attribute.value
            elif definition_name == 'Raw_Artifact':
                path = '{0}/{1}'.format(self.fh.get_base_path(),
                                        attribute.value)
                if isfile(path):
                    with open(path, 'r') as f:
                        bin_string = f.read()
                    instance.data = bin_string
                    # TODO find the corect type
                    instance.type_ = Artifact.TYPE_GENERIC
                    instance.packaging.append(Base64Encoding())
                else:
                    instance.data = 'MIA'
                instance.type_ = Artifact.TYPE_GENERIC
                instance.packaging.append(Base64Encoding())
            elif definition_name == 'content_type':
                instance.type_ = attribute.value
            elif definition_name == 'URIType':
                instance.type_ = attribute.value
            elif not attribute.definition.cybox_std:
                self.add_custom_property(instance, attribute)
            elif isinstance(instance,
                            NetworkConnection) and definition_name in [
                                'is_type', 'Port'
                            ]:
                # TODO: check why this is set?!?
                pass
            else:
                raise Ce1susStixMapperException(
                    'Cannot map {1} on object type {0}'.format(
                        instance.__class__.__name__, definition_name))