def test_encryption(self): a = Artifact(self.test_binary_data) a.packaging.append(XOREncryption(0x4a)) a.packaging.append(Base64Encoding()) a2 = round_trip(a, Artifact) self.assertEqual(self.test_binary_data, a2.data)
def to_cybox_observable(self): """ Convert a Certificate to a CybOX Observables. Returns a tuple of (CybOX object, releasability list). To get the cybox object as xml or json, call to_xml() or to_json(), respectively, on the resulting CybOX object. """ custom_prop = Property( ) # make a custom property so CRITs import can identify Certificate exports custom_prop.name = "crits_type" custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents" custom_prop._value = "Certificate" obj = File() # represent cert information as file obj.md5 = self.md5 obj.file_name = self.filename obj.file_format = self.filetype obj.size_in_bytes = self.size obj.custom_properties = CustomProperties() obj.custom_properties.append(custom_prop) obs = Observable(obj) obs.description = self.description data = self.filedata.read() if data: # if cert data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data a.packaging.append(Base64Encoding()) obj.add_related(a, "Child_Of") # relate artifact to file return ([obs], self.releasability)
def test_base64_encoding(self): a = Artifact(self.test_binary_data) a.packaging.append(Base64Encoding()) a2 = round_trip(a, Artifact) self.assertEqual(self.test_binary_data, a2.data) expected = base64.b64encode(self.test_binary_data) self.assertEqual(expected, a2.packed_data)
def test_compression(self): a = Artifact(self.binary_data) a.packaging = Packaging() a.packaging.compression.append(Bz2Compression()) a.packaging.encryption.append(XOREncryption(0x4a)) a.packaging.encoding.append(Base64Encoding()) a2 = round_trip(a, Artifact) self.assertEqual(self.binary_data, a2.data)
def test_zlib_base64_encoding(self): a = Artifact(self.binary_data) a.packaging.append(ZlibCompression()) a.packaging.append(Base64Encoding()) a2 = round_trip(a, Artifact) self.assertEqual(self.binary_data, a2.data) expected = b64encode(compress(self.binary_data)).decode('ascii') self.assertEqual(expected, a2.packed_data)
def test_cannot_set_nonascii_data_with_no_packaging(self): a = Artifact() # You can set this data, but if you don't add any packaging, you should # get an error when trying to get the packed data, since it can't be # encoded as ASCII. a.data = b"\x00abc123\xff" self.assertEqual(six.binary_type, type(a.data)) self.assertRaises(ValueError, _get_packed_data, a) # With Base64 encoding, we can retrieve this. a.packaging.append(Base64Encoding()) self.assertEqual("AGFiYzEyM/8=", a.packed_data)
def to_cybox_observable(self): """ Convert a RawData to a CybOX Observables. Returns a tuple of (CybOX object, releasability list). To get the cybox object as xml or json, call to_xml() or to_json(), respectively, on the resulting CybOX object. """ obj = Artifact(self.data, Artifact.TYPE_FILE) obj.packaging.append(Base64Encoding()) obs = Observable(obj) obs.description = self.description return ([obs], self.releasability)
def to_cybox_observable(self, exclude=None, bin_fmt="raw"): if exclude == None: exclude = [] observables = [] f = File() for attr in ['md5', 'sha1', 'sha256']: if attr not in exclude: val = getattr(self, attr, None) if val: setattr(f, attr, val) if self.ssdeep and 'ssdeep' not in exclude: f.add_hash(Hash(self.ssdeep, Hash.TYPE_SSDEEP)) if 'size' not in exclude and 'size_in_bytes' not in exclude: f.size_in_bytes = UnsignedLong(self.size) if 'filename' not in exclude and 'file_name' not in exclude: f.file_name = self.filename # create an Artifact object for the binary if it exists if 'filedata' not in exclude and bin_fmt: data = self.filedata.read() if data: # if sample data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data if bin_fmt == "zlib": a.packaging.append(ZlibCompression()) a.packaging.append(Base64Encoding()) elif bin_fmt == "base64": a.packaging.append(Base64Encoding()) f.add_related(a, "Child_Of") # relate artifact to file if 'filetype' not in exclude and 'file_format' not in exclude: #NOTE: this doesn't work because the CybOX File object does not # have any support built in for setting the filetype to a # CybOX-binding friendly object (e.g., calling .to_dict() on # the resulting CybOX object fails on this field. f.file_format = self.filetype observables.append(Observable(f)) return (observables, self.releasability)
def main(): test_file = os.path.join(os.path.dirname(__file__), "test.pcap") with open(test_file) as f: data = f.read() a = Artifact(data, Artifact.TYPE_NETWORK) a.packaging.append(Base64Encoding()) o = Observable(a) o.description = ("This Observable specifies an instance of an Artifact " "object, specifically some network traffic that was " "captured in a PCAP file and then base64 encoded for " "transport.") print(Observables(o).to_xml())
def to_cybox_observable(self): """ Convert a PCAP to a CybOX Observables. Returns a tuple of (CybOX object, releasability list). To get the cybox object as xml or json, call to_xml() or to_json(), respectively, on the resulting CybOX object. """ obj = File() obj.md5 = self.md5 obj.file_name = self.filename obj.file_format = self.contentType obj.size_in_bytes = self.length obs = Observable(obj) obs.description = self.description art = Artifact(self.filedata.read(), Artifact.TYPE_NETWORK) art.packaging.append(Base64Encoding()) obj.add_related(art, "Child_Of") # relate artifact to file return ([obs], self.releasability)
def transform(self, event): stix_package = STIXPackage() self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents") incident = Incident( id_="%s:%s-%s" % (CONPOT_NAMESPACE, 'incident', event['session_id'])) initial_time = StixTime() initial_time.initial_compromise = event['timestamp'].isoformat() incident.time = initial_time incident.title = "Conpot Event" incident.short_description = "Traffic to Conpot ICS honeypot" incident.add_category( VocabString(value='Scans/Probes/Attempted Access')) tool_list = ToolInformationList() tool_list.append( ToolInformation.from_dict({ 'name': "Conpot", 'vendor': "Conpot Team", 'version': conpot.__version__, 'description': textwrap.dedent( 'Conpot is a low interactive server side Industrial Control Systems ' 'honeypot designed to be easy to deploy, modify and extend.' ) })) incident.reporter = InformationSource(tools=tool_list) incident.add_discovery_method("Monitoring Service") incident.confidence = "High" # Victim Targeting by Sector ciq_identity = CIQIdentity3_0Instance() #identity_spec = STIXCIQIdentity3_0() #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") #ciq_identity.specification = identity_spec ttp = TTP( title= "Victim Targeting: Electricity Sector and Industrial Control System Sector" ) ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity incident.leveraged_ttps.append(ttp) indicator = Indicator(title="Conpot Event") indicator.description = "Conpot network event" indicator.confidence = "High" source_port = Port.from_dict({ 'port_value': event['remote'][1], 'layer4_protocol': 'tcp' }) dest_port = Port.from_dict({ 'port_value': self.protocol_to_port_mapping[event['data_type']], 'layer4_protocol': 'tcp' }) source_ip = Address.from_dict({ 'address_value': event['remote'][0], 'category': Address.CAT_IPV4 }) dest_ip = Address.from_dict({ 'address_value': event['public_ip'], 'category': Address.CAT_IPV4 }) source_address = SocketAddress.from_dict({ 'ip_address': source_ip.to_dict(), 'port': source_port.to_dict() }) dest_address = SocketAddress.from_dict({ 'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict() }) network_connection = NetworkConnection.from_dict({ 'source_socket_address': source_address.to_dict(), 'destination_socket_address': dest_address.to_dict(), 'layer3_protocol': "IPv4", 'layer4_protocol': "TCP", 'layer7_protocol': event['data_type'], 'source_tcp_state': "ESTABLISHED", 'destination_tcp_state': "ESTABLISHED", }) indicator.add_observable(Observable(network_connection)) artifact = Artifact() artifact.data = json.dumps(event['data']) artifact.packaging.append(ZlibCompression()) artifact.packaging.append(Base64Encoding()) indicator.add_observable(Observable(artifact)) incident.related_indicators.append(indicator) stix_package.add_incident(incident) stix_package_xml = stix_package.to_xml() return stix_package_xml
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"): """ Convert a CRITs TLO to a CybOX Observable. :param obj: The TLO to convert. :type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes` :param exclude: Attributes to exclude. :type exclude: list :param bin_fmt: The format for the binary (if applicable). :type bin_fmt: str """ type_ = obj._meta['crits_type'] if type_ == 'Certificate': custom_prop = Property( ) # make a custom property so CRITs import can identify Certificate exports custom_prop.name = "crits_type" custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents" custom_prop._value = "Certificate" obje = File() # represent cert information as file obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.filetype obje.size_in_bytes = obj.size obje.custom_properties = CustomProperties() obje.custom_properties.append(custom_prop) obs = Observable(obje) obs.description = obj.description data = obj.filedata.read() if data: # if cert data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data a.packaging.append(Base64Encoding()) obje.add_related(a, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'Domain': obje = DomainName() obje.value = obj.domain obje.type_ = obj.record_type return ([Observable(obje)], obj.releasability) elif type_ == 'Email': if exclude == None: exclude = [] observables = [] obje = EmailMessage() # Assume there is going to be at least one header obje.header = EmailHeader() if 'message_id' not in exclude: obje.header.message_id = String(obj.message_id) if 'subject' not in exclude: obje.header.subject = String(obj.subject) if 'sender' not in exclude: obje.header.sender = Address(obj.sender, Address.CAT_EMAIL) if 'reply_to' not in exclude: obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL) if 'x_originating_ip' not in exclude: obje.header.x_originating_ip = Address(obj.x_originating_ip, Address.CAT_IPV4) if 'x_mailer' not in exclude: obje.header.x_mailer = String(obj.x_mailer) if 'boundary' not in exclude: obje.header.boundary = String(obj.boundary) if 'raw_body' not in exclude: obje.raw_body = obj.raw_body if 'raw_header' not in exclude: obje.raw_header = obj.raw_header #copy fields where the names differ between objects if 'helo' not in exclude and 'email_server' not in exclude: obje.email_server = String(obj.helo) if ('from_' not in exclude and 'from' not in exclude and 'from_address' not in exclude): obje.header.from_ = EmailAddress(obj.from_address) if 'date' not in exclude and 'isodate' not in exclude: obje.header.date = DateTime(obj.isodate) obje.attachments = Attachments() observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'Indicator': observables = [] obje = make_cybox_object(obj.ind_type, obj.value) observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'IP': obje = Address() obje.address_value = obj.ip if obj.ip_type == IPTypes.IPv4_ADDRESS: obje.category = "ipv4-addr" elif obj.ip_type == IPTypes.IPv6_ADDRESS: obje.category = "ipv6-addr" elif obj.ip_type == IPTypes.IPv4_SUBNET: obje.category = "ipv4-net" elif obj.ip_type == IPTypes.IPv6_SUBNET: obje.category = "ipv6-subnet" return ([Observable(obje)], obj.releasability) elif type_ == 'PCAP': obje = File() obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.contentType obje.size_in_bytes = obj.length obs = Observable(obje) obs.description = obj.description art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK) art.packaging.append(Base64Encoding()) obje.add_related(art, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'RawData': obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE) obje.packaging.append(Base64Encoding()) obs = Observable(obje) obs.description = obj.description return ([obs], obj.releasability) elif type_ == 'Sample': if exclude == None: exclude = [] observables = [] f = File() for attr in ['md5', 'sha1', 'sha256']: if attr not in exclude: val = getattr(obj, attr, None) if val: setattr(f, attr, val) if obj.ssdeep and 'ssdeep' not in exclude: f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP)) if 'size' not in exclude and 'size_in_bytes' not in exclude: f.size_in_bytes = UnsignedLong(obj.size) if 'filename' not in exclude and 'file_name' not in exclude: f.file_name = obj.filename # create an Artifact object for the binary if it exists if 'filedata' not in exclude and bin_fmt: data = obj.filedata.read() if data: # if sample data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data if bin_fmt == "zlib": a.packaging.append(ZlibCompression()) a.packaging.append(Base64Encoding()) elif bin_fmt == "base64": a.packaging.append(Base64Encoding()) f.add_related(a, "Child_Of") # relate artifact to file if 'filetype' not in exclude and 'file_format' not in exclude: #NOTE: this doesn't work because the CybOX File object does not # have any support built in for setting the filetype to a # CybOX-binding friendly object (e.g., calling .to_dict() on # the resulting CybOX object fails on this field. f.file_format = obj.filetype observables.append(Observable(f)) return (observables, obj.releasability) else: return (None, None)
def map_attribtue(self, instance, attribute): definition_name = attribute.definition.name if hasattr(instance, definition_name.lower()): setattr(instance, definition_name.lower(), attribute.value) value = getattr(instance, definition_name.lower()) value.condition = self.get_condition(attribute) else: if 'hash' in definition_name: if attribute.condition.value: if attribute.condition.value: if attribute.condition.value == "Equals": exact = True else: exact = False else: exact = False else: exact = True h = Hash(attribute.value, exact=exact) h.condition = attribute.condition if instance.hashes is None: instance.hashes = HashList() instance.hashes.append(h) pass elif 'email' in definition_name: self.populate_email(instance, attribute) elif definition_name == 'url': instance.type_ = URI.TYPE_URL instance.value = attribute.value instance.value.condition = self.get_condition(attribute) elif 'Full_Path' and isinstance(instance, Process): # TODO: check why this is set?!? pass elif definition_name == 'WindowsRegistryKey_Key': instance.key = attribute.value instance.key.condition = self.get_condition(attribute) elif definition_name == 'WindowsRegistryKey_Hive': instance.hive = attribute.value instance.hive.condition = self.get_condition(attribute) elif 'WindowsRegistryKey_RegistryValue' in definition_name: value = RegistryValue() if definition_name == 'WindowsRegistryKey_RegistryValue_Data': value.data = attribute.value value.data.condition = self.get_condition(attribute) elif definition_name == 'WindowsRegistryKey_RegistryValue_Data': value.name = attribute.value value.name.condition = self.get_condition(attribute) if not instance.values: instance.values = RegistryValues() instance.values.append(value) instance.data = attribute.value elif definition_name == 'ipv4_addr': instance.category = definition_name.replace('_', '-') instance.address_value = attribute.value instance.address_value.condition = self.get_condition( attribute) elif definition_name == 'DomainName_Value': instance.value = attribute.value elif definition_name == 'Raw_Artifact': path = '{0}/{1}'.format(self.fh.get_base_path(), attribute.value) if isfile(path): with open(path, 'r') as f: bin_string = f.read() instance.data = bin_string # TODO find the corect type instance.type_ = Artifact.TYPE_GENERIC instance.packaging.append(Base64Encoding()) else: instance.data = 'MIA' instance.type_ = Artifact.TYPE_GENERIC instance.packaging.append(Base64Encoding()) elif definition_name == 'content_type': instance.type_ = attribute.value elif definition_name == 'URIType': instance.type_ = attribute.value elif not attribute.definition.cybox_std: self.add_custom_property(instance, attribute) elif isinstance(instance, NetworkConnection) and definition_name in [ 'is_type', 'Port' ]: # TODO: check why this is set?!? pass else: raise Ce1susStixMapperException( 'Cannot map {1} on object type {0}'.format( instance.__class__.__name__, definition_name))