def ICMPObj(icmp): # block types 0 (ping response), 8 (ping request) nc = NetworkConnection() indicator = Indicator() nc.layer3_protocol = "ICMP" if icmp[0] == 0: # echo-reply if icmp[1] != VMIP: # incoming reply from a server VM pinged ssocketaddress = SocketAddress() ssocketaddress.ip_address = icmp[1] nc.source_socket_address = ssocketaddress indicator.title = "ICMP echo-reply" indicator.description = ("0") else: # outgoing reply to a server that pinged you dsocketaddress = SocketAddress() dsocketaddress.ip_address = icmp[2] nc.destination_socket_address = dsocketaddress indicator.title = "ICMP echo-reply" indicator.description = ("0") elif icmp[0] == 8: # echo-request if icmp[1] != VMIP: # incoming ping request from a server ssocketaddress = SocketAddress() ssocketaddress.ip_address = icmp[1] nc.source_socket_address = ssocketaddress indicator.title = "ICMP echo-request" indicator.description = ("8") else: # VM is sending a ping request dsocketaddress = SocketAddress() dsocketaddress.ip_address = icmp[2] nc.destination_socket_address = dsocketaddress indicator.title = "ICMP echo-request" indicator.description = ("8") indicator.set_produced_time(utils.dates.now()) indicator.add_object(nc) return indicator
def SSHObj(SSH): networkconnection = NetworkConnection() networkconnection.layer3_protocol = "IPv4" networkconnection.layer4_protocol = "TCP" networkconnection.layer7_protocol = "SSH" if SSH[0] != VMIP and SSH[4] == 1 and SSH[5] == 0: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = SSH[0] sport = Port() sport.port_value = SSH[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif SSH[2] != VMIP and SSH[4] == 1 and SSH[5] == 0: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = SSH[2] dport = Port() dport.port_value = SSH[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator = Indicator() if SSH[6] != '': indicator.title = "SSH Request with pulic key" indicator.description = ("SSH public key: " + SSH[6]) else: indicator.title = "SSH Request" indicator.description = ( "An indicator containing information about a SSH request") indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator
def UDPRequestObj(udpinfo): u = NetworkConnection() u.layer3_protocol = "IPv4" u.layer4_protocol = "UDP" ssocketaddress = SocketAddress() if udpinfo[3] != VMIP: ssocketaddress.ip_address = udpinfo[3] sport = Port() sport.port_value = udpinfo[0] sport.layer4_protocol = "UDP" ssocketaddress.port = sport u.source_socket_address = ssocketaddress dsocketaddress = SocketAddress() if udpinfo[2] != VMIP: dsocketaddress.ip_address = udpinfo[2] dport = Port() dport.port_value = udpinfo[1] dport.layer4_protocol = "UDP" dsocketaddress.port = dport u.destination_socket_address = dsocketaddress indicator = Indicator() indicator.title = "UDP connection" indicator.description = ( "An indicator containing information about a UDP connection") indicator.set_produced_time(utils.dates.now()) indicator.add_object(u) return indicator
def DNSRequestObj(dnsinfo): networkconnection = NetworkConnection() networkconnection.layer3_protocol = "IPv4" networkconnection.layer4_protocol = "UDP" networkconnection.layer7_protocol = "DNS" ssocketaddress = SocketAddress() sport = Port() sport.port_value = dnsinfo[1] sport.layer4_protocol = "UDP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress dsocketaddress = SocketAddress() dsocketaddress.ip_address = dnsinfo[2] dport = Port() dport.port_value = dnsinfo[3] dport.layer4_protocol = "UDP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress layer7connections = Layer7Connections() dqr = DNSQuery() indicator = Indicator() dnsques = DNSQuestion() dnsques.qname = dnsinfo[4] dnsques.qtype = translateType(dnsinfo[5]) dqr.question = dnsques indicator.title = "DNS Request" indicator.description = ( "An indicator containing information about a DNS Request") layer7connections.dns_query = dqr networkconnection.layer7_connections = layer7connections indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator
def TCPConnectionEstablishedObj(tcpinfo): networkconnection = NetworkConnection() networkconnection.layer3_protocol = "IPv4" networkconnection.layer4_protocol = "TCP" if tcpinfo[0] != VMIP: # incoming connection networkconnection.destination_tcp_state = "ESTABLISHED" ssocketaddress = SocketAddress() ssocketaddress.ip_address = tcpinfo[0] sport = Port() sport.port_value = tcpinfo[2] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif tcpinfo[1] != VMIP: # outgoing connection networkconnection.source_tcp_state = "ESTABLISHED" dsocketaddress = SocketAddress() dsocketaddress.ip_address = tcpinfo[1] dport = Port() dport.port_value = tcpinfo[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator = Indicator() indicator.title = "TCP Connection Established" indicator.description = ( "An indicator containing information about a successful TCP hand shake" ) indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator
def builder_to_stix_object(self, object_data): network_connection = NetworkConnection() src_socket_address = ObservableObjectGenerator._generate_socket_object( object_data['source_socket_address']) dst_socket_address = ObservableObjectGenerator._generate_socket_object( object_data['destination_socket_address']) network_connection.source_socket_address = src_socket_address network_connection.destination_socket_address = dst_socket_address return network_connection
def create_network_connection_closed_observable(ct): obj = NetworkConnection() obj.creation_time = d[ct]['timestamp'] sock = SocketAddress() sock.ip_address = d[ct]['src_ip'] obj.source_socket_address = sock obj.custom_properties = CustomProperties() create_custom_properties(obj, "Event_Name", d[ct]['eventid']) create_custom_properties(obj, "Message", d[ct]['message']) create_custom_properties(obj, "Service", d[ct]['system']) create_custom_properties(obj, "Host", d[ct]['sensor']) create_custom_properties(obj, "session_Duration", d[ct]['duration']) return obj
def create_network_connection(self,creation_time=None,destination_socket_address=None,destination_tcp_state=None,source_socket_address=None,source_tcp_state=None,tls_used=None, layer7_protocol=None,layer4_protocol=None,layer3_protocol=None,layer7_connections=None): network_connection = NetworkConnection() network_connection.creation_time= DateTime(creation_time) network_connection.destination_socket_address = destination_socket_address network_connection.destination_tcp_state = destination_tcp_state network_connection.source_socket_address = source_socket_address network_connection.source_tcp_state = source_tcp_state network_connection.tls_used =tls_used network_connection.layer7_protocol= layer7_protocol network_connection.layer4_protocol =layer4_protocol network_connection.layer3_protocol = layer3_protocol network_connection.layer7_connections = layer7_connections return network_connection
def create_network_connection_observable(ct): obj = NetworkConnection() obj.creation_time = d[ct]['timestamp'] obj.layer7_protocol = d[ct]['protocol'] # src_info obj.source_socket_address = create_socket_address(d[ct]['src_ip'], d[ct]['src_port']) # dst_info obj.destination_socket_address = create_socket_address( d[ct]['dst_ip'], d[ct]['dst_port']) #create_custom_properties obj.custom_properties = CustomProperties() create_custom_properties(obj, "Event_Name", d[ct]['eventid']) create_custom_properties(obj, "Message", d[ct]['message']) create_custom_properties(obj, "Service", d[ct]['system']) create_custom_properties(obj, "Host", d[ct]['sensor']) return obj
def FTPObj(ftp): networkconnection = NetworkConnection() networkconnection.layer3_protocol = "IPv4" networkconnection.layer4_protocol = "TCP" networkconnection.layer7_protocol = "FTP" indicator = Indicator() if ftp[4] == '220': if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Service ready for new user: "******"TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("User logged in") indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator elif ftp[4] == '250': if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Requested file action okay, completed.") indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator elif ftp[5] == "USER": if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Requested username: "******"PASS": if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Requested Password: "******"STOR": if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Upload file to server: " + ftp[6]) indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator elif ftp[5] == "RETR": if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Retrieve a copy of the file: " + ftp[6]) indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator
def home(request): """ Name: home Desc: Main GUI view """ # Forms:Job,target and relay creation create_job_form = CreateJob(request=request, prefix="create_job") create_target_form = CreateTarget(request=request, prefix="create_target") create_relay_form = CreateRelay(request=request, prefix="create_relay") if request.method == "POST": # Remove a relay if "delete_relay_id" in request.POST: try: Relay.objects.get(pk=request.POST["delete_relay_id"]).delete() except ObjectDoesNotExist, e: pass # Create new relay if "create_relay-name" in request.POST: # Actuator creation create_relay_form = CreateRelay(request.POST, request=request, prefix="create_relay") if create_relay_form.is_valid(): host = create_relay_form.save() host.save() # TODO - Call a sync here # Job Creations if "create_job-raw_message" in request.POST: new_job = Job(capability=Capability.objects.get( pk=request.POST["create_job-capability"]), target=Target.objects.get( pk=request.POST["create_job-target"]), raw_message="Pending", status=JobStatus.objects.get(status="Pending"), created_by=request.user) new_job.save() # Now we have a pk - update the id command = json.loads(request.POST["create_job-raw_message"]) command["modifiers"]["command-ref"] = new_job.id logger.info("Job Created\n%s" % json.dumps(command)) new_job.raw_message = json.dumps(command, sort_keys=True, indent=4).replace( "\t", u'\xa0\xa0\xa0\xa0\xa0') new_job.save() # Target Creations namespace_url = getattr(settings, "NAMESPACE_URL", None) namespace_id = getattr(settings, "NAMESPACE_ID", None) set_id_namespace(Namespace(namespace_url, namespace_id)) if "create_target-cybox_type" in request.POST: cybox_type = CybOXType.objects.get( pk=request.POST["create_target-cybox_type"]) if cybox_type.identifier == "cybox:NetworkConnectionObjectType": obs = NetworkConnection() # Source sock = SocketAddress() sock.ip_address = request.POST["create_target-source_address"] sock.ip_address.category = "ipv4-addr" sock.ip_address.condition = "Equals" sport = Port() sport.port_value = int( request.POST["create_target-source_port"]) sock.port = sport obs.source_socket_address = sock # Dest sock = SocketAddress() sock.ip_address = request.POST[ "create_target-destination_address"] sock.ip_address.category = "ipv4-addr" sock.ip_address.condition = "Equals" dport = Port() dport.port_value = int( request.POST["create_target-destination_port"]) sock.port = dport obs.destination_socket_address = sock name = "Network Connection %s:%s -> %s:%s (%s)" % ( request.POST["create_target-source_address"], request.POST["create_target-source_port"], request.POST["create_target-destination_address"], request.POST["create_target-destination_port"], request.POST["create_target-protocol"]) raw_message = Observable(item=obs, title=name).to_json() elif cybox_type.identifier == "cybox:AddressObjectType": name = "Address %s " % (request.POST["create_target-address"]) raw_message = Observable(item=Address( address_value=request.POST["create_target-address"], category=Address.CAT_IPV4), title=name).to_json() elif cybox_type.identifier == "cybox:URIObjectType": name = "URI %s " % (request.POST["create_target-uri"]) obs = URI() obs.value = request.POST["create_target-uri"] obs.type_ = URI.TYPE_URL obs.condition = "Equals" raw_message = Observable(item=obs, title=name).to_json() elif cybox_type.identifier == "cybox:EmailMessageObjectType": name = "Email %s " % ( request.POST["create_target-email_subject"]) obs = EmailMessage() obs.raw_body = request.POST["create_target-email_message"] obs.header = EmailHeader() obs.header.subject = request.POST[ "create_target-email_subject"] obs.header.subject.condition = "StartsWith" obs.header.to = request.POST["create_target-email_to"] obs.header.from_ = request.POST["create_target-email_from"] raw_message = Observable(item=obs, title=name).to_json() else: # Should never reach here raw_message = {} name = "Undefined Object" create_target_form = CreateTarget(request.POST, request=request, prefix="create_target") if create_target_form.is_valid(): target = create_target_form.save(commit=False) target.name = name target.raw_message = raw_message target.save()