コード例 #1
def _affectsoft(data):
    """Build the AffectedSoftware list for one CVE record.

    Every entry of ``data['vulnerable_configuration']`` supplies an ``id``
    (a colon-separated platform identifier) and a ``title``. The identifier
    is split on ``:``; field 3 becomes the vendor and fields 5 and 6 the
    version. Those positions line up with a CPE 2.3 formatted string
    (``cpe:2.3:part:vendor:product:version:update:...``) -- presumably that
    is what the feed delivers; confirm against the data source.

    Returns:
        AffectedSoftware holding one Observable-wrapped Product per entry.

    Raises:
        KeyError: if ``vulnerable_configuration``, ``id`` or ``title`` is
            missing from the input.
        IndexError: if an ``id`` has fewer than four colon-separated fields.
    """
    affected = AffectedSoftware()
    for entry in data['vulnerable_configuration']:
        platform_id = entry['id']
        # A plain split also breaks on any ':' inside a field, which would
        # shift every later index; the input is trusted not to contain one.
        fields = platform_id.split(':')

        product = Product()
        title = entry['title']
        product.product = title
        # NOTE(review): the attribute is spelled `Device_Details` (capitalised);
        # confirm Product serialises a field under this exact name, otherwise
        # the raw identifier is silently dropped from the output.
        product.Device_Details = platform_id
        product.vendor = fields[3].title()

        # Version is field 5, extended with field 6 when it exists; with
        # fewer than six fields the version is left unset.
        field_count = len(fields)
        if field_count > 6:
            product.version = " ".join((fields[5], fields[6]))
        elif field_count == 6:
            product.version = fields[5]

        observable = Observable(product)
        observable.title = "Product: " + title
        affected.append(observable)
    return affected
コード例 #2
ファイル: cvebuilder.py プロジェクト: certuk/cve-builder
def _affectsoft(data):
    """Translate a CVE record's vulnerable configurations into AffectedSoftware.

    For each item in ``data['vulnerable_configuration']`` a Product is
    created from the item's ``title`` and colon-separated ``id``: field 3 of
    the id is title-cased into the vendor, field 5 (plus field 6 when
    present) forms the version. The indices match the layout of a CPE 2.3
    formatted string -- presumably the input format; verify against the feed.

    Returns:
        AffectedSoftware with one Observable per configuration item, each
        titled ``"Product: <title>"``.

    Raises:
        KeyError: when ``vulnerable_configuration``, ``id`` or ``title`` is
            absent.
        IndexError: when an ``id`` splits into fewer than four fields.
    """
    result = AffectedSoftware()
    for item in data['vulnerable_configuration']:
        raw_id = item['id']
        # Splitting on ':' does not honour escaped colons inside a field;
        # such an id would shift the vendor/version positions below.
        parts = raw_id.split(':')

        prod = Product()
        label = item['title']
        prod.product = label
        # NOTE(review): `Device_Details` is capitalised here -- check that
        # Product actually exposes a field with this spelling, or the
        # identifier never reaches the serialised object.
        prod.Device_Details = raw_id
        prod.vendor = parts[3].title()

        n_parts = len(parts)
        if n_parts > 6:
            # version and update component joined by a single space
            prod.version = " ".join((parts[5], parts[6]))
        elif n_parts == 6:
            prod.version = parts[5]
        # fewer than six fields: version intentionally left unset

        wrapped = Observable(prod)
        wrapped.title = "Product: " + label
        result.append(wrapped)
    return result
コード例 #3
Description: Demonstrates the setting of the `affected_software` property
on the stix.exploit_target.vulnerability.Vulnerability class.

"""
# python-cybox
from cybox.core import Observable
from cybox.objects.product_object import Product

# python-stix
from stix.core import STIXPackage
from stix.exploit_target import ExploitTarget
from stix.exploit_target.vulnerability import Vulnerability, AffectedSoftware

# Minimal example: describe one affected product and attach it to a
# Vulnerability through its `affected_software` list.
#
# Build a Product Object that characterizes our affected software
# NOTE(review): product, version and edition are free-form strings here. If
# consumers match affected software automatically, a canonical identifier
# (for example a CPE name) would make that matching dependable -- confirm
# what the consuming tooling expects.
software = Product()
software.product = "Foobar"
software.version = "3.0"
software.edition = "GOTY"

# Wrap the Product Object in an Observable instance
observable = Observable(software)

# Attach the Product observable to the affected_software list of
# RelatedObservable instances. This wraps our Observable in a
# RelatedObservable layer.
vuln = Vulnerability()
vuln.affected_software = AffectedSoftware()
vuln.affected_software.append(observable)

# Create the Exploit Target
コード例 #4
Description: Demonstrates the setting of the `affected_software` property
on the stix.exploit_target.vulnerability.Vulnerability class.

"""
# python-cybox
from cybox.core import Observable
from cybox.objects.product_object import Product

# python-stix
from stix.core import STIXPackage
from stix.exploit_target import ExploitTarget
from stix.exploit_target.vulnerability import Vulnerability, AffectedSoftware


# Minimal example: one Product is described, wrapped in an Observable and
# appended to the Vulnerability's `affected_software` list.
#
# Build a Product Object that characterizes our affected software
# NOTE(review): the three fields below are plain strings chosen by the
# author; whether downstream consumers can correlate them with an asset
# inventory depends on naming conventions not shown here -- verify.
software = Product()
software.product = "Foobar"
software.version = "3.0"
software.edition = "GOTY"

# Wrap the Product Object in an Observable instance
observable = Observable(software)

# Attach the Product observable to the affected_software list of
# RelatedObservable instances. This wraps our Observable in a
# RelatedObservable layer.
vuln = Vulnerability()
vuln.affected_software = AffectedSoftware()
vuln.affected_software.append(observable)

# Create the Exploit Target
コード例 #5
ファイル: addsec_to_stix.py プロジェクト: heindl/stix_toolkit
def transform(addsec_data):
    """Convert a serialized Addition Security report into STIX XML.

    The protobuf-encoded report is parsed, its source identification is
    mapped onto three CybOX observables (Product, Device, Custom), and each
    remaining observation becomes a STIX Indicator carrying one Sighting and
    that sighting's related observables.

    Args:
        addsec_data: serialized ``addsec_cti_pb2.Report`` message.

    Returns:
        The result of ``STIXPackage.to_xml()`` for the assembled package.

    Notes for reviewers:
        * ``ParseFromString`` errors are not caught here, so a malformed
          buffer propagates to the caller -- presumably handled there;
          confirm.
        * ``.encode('hex')`` is the Python 2 ``str`` hex codec; this
          function is Python 2 only as written.
        * Field values are copied from the parsed report into the package
          unchanged. Presumably the report originates on the monitored
          device, so treat them as untrusted text downstream -- confirm.
    """
    # Decode the incoming protobuf message.
    report_msg = addsec_cti_pb2.Report()
    report_msg.ParseFromString(addsec_data)

    # Package skeleton: header plus an (initially empty) report container.
    package = STIXPackage()
    package.stix_header = STIXHeader()
    package.stix_header.description = "Addition Security Report"
    report = Report()

    # Identification of the reporting entity is spread over three CybOX
    # objects: Product, Device and a Custom object for the source app.
    product = Product()
    product.product = "MobileAwareness"
    product.vendor = "Addition Security"

    device = Device()
    device.device_type = "Mobile Device"

    source_app = Custom()
    source_app.custom_name = "addsec:sourceApplication"
    source_app.custom_properties = CustomProperties()

    def _add_source_property(name, value):
        # Append one name/value pair to the source-application object.
        prop = Property()
        prop.name = name
        prop.value = value
        source_app.custom_properties.append(prop)

    # organizationId and systemId are binary bytes, hence the hex encoding;
    # applicationId is the bundleId/packageId of the hosting app.
    _add_source_property("organizationId",
                         report_msg.organizationId.encode('hex'))
    _add_source_property("application", report_msg.applicationId)
    _add_source_property("instanceId", report_msg.systemId.encode('hex'))

    for identity_obj in (product, device, source_app):
        report.add_observable(identity_obj)

    # Walk the reported sightings.
    for sighting_msg in report_msg.observations:

        # Customer messages ride the same channel with a string payload;
        # they are proprietary and possibly unrelated to STIX, so drop them.
        if sighting_msg.observationType == 8:  # 8: CustomerData
            continue

        test_id = sighting_msg.testId

        # Device information arrives as sightings too; fold it into the
        # CybOX device object instead of emitting an indicator.
        if test_id in (1, 2):
            addsec_to_cybox_device(device, sighting_msg)
            continue

        # Same treatment for product information.
        if test_id == 8:  # 8: SDKVersionInfo
            addsec_to_cybox_product(product, sighting_msg)
            continue

        test_sub_id = sighting_msg.testSubId

        # The indicator id is derived from the test id and sub-id only.
        # NOTE(review): two observations sharing the same pair produce two
        # Indicators with the same id in one package -- confirm consumers
        # tolerate that, or that the input never repeats a pair.
        indicator = Indicator(
            id_="addsec:asma-%d-%d" % (test_id, test_sub_id))
        indicator.title = addsec_title_lookup(test_id, test_sub_id)

        # One sighting per indicator.
        sighting = Sighting()
        indicator.sightings = sighting
        # fromtimestamp() without a tz argument yields naive local time, so
        # the emitted value depends on the converting host's time zone.
        # NOTE(review): confirm that is the intended reference for analysts.
        sighting.timestamp = datetime.datetime.fromtimestamp(
            sighting_msg.timestamp)
        if sighting_msg.confidence > 0:
            sighting.confidence = addsec_to_stix_confidence(
                sighting_msg.confidence)

        # Attach every data item that maps onto a CybOX object; items the
        # mapper returns None for are skipped.
        for datum in sighting_msg.datas:
            cybox_obj = addsec_to_cybox(datum.dataType, datum.data)
            if cybox_obj is None:
                continue
            sighting.related_observables.append(
                RelatedObservable(Observable(cybox_obj)))

        # Indicator (with its sighting and observables) joins the report.
        report.add_indicator(indicator)

    # Hook the report into the package and serialise.
    package.reports = report
    return package.to_xml()
コード例 #6
 # Populate the object `ex` (created outside this excerpt) with a context,
 # a timestamp, an ordinal position, one associated object, a frequency and
 # one relationship.
 #Add Action Context
 ex.add_context(context='Host')
 ###################################################################################################################
 #Add timestamp
 # datetime.now() returns naive local time, so the recorded value carries
 # no zone. NOTE(review): confirm consumers do not assume UTC.
 import datetime
 ex.add_timestamp(timestamp=datetime.datetime.now())
 ###################################################################################################################
 #Add Ordinal Position
 ex.add_ordinal_position(15)
 ###################################################################################################################
 #Add Associated objects
 # A Product named 'TestProduct' is associated using the TERM_AFFECTED
 # vocabulary term.
 from cybox.objects.product_object import Product
 from cybox.common.vocabs import ActionObjectAssociationType
 at = ActionObjectAssociationType()
 at.value = ActionObjectAssociationType.TERM_AFFECTED
 dobj = Product()
 dobj.product='TestProduct'
 ob1 = ex.create_associated_object(defined_object=dobj,association_type=at)
 ex.add_associated_objects(associated_object=ob1)
 ###################################################################################################################
 # Add Frequency
 # NOTE(review): the method is called as `add_frequnecy`; confirm that this
 # spelling matches the method actually defined on ex's class.
 ex.add_frequnecy(rate=15,scale=18,trend=7,units=19)
 ###################################################################################################################
 # Add Relationships
 # NOTE(review): only ActionRelationshipType is imported in the visible
 # lines, yet `ActionRelationship()` is instantiated. Confirm it is imported
 # earlier, or whether ActionRelationshipType() was intended, mirroring the
 # association-type code above.
 from cybox.common.vocabs import ActionRelationshipType
 ar= ActionRelationship()
 ar.value = ActionRelationshipType.TERM_INITIATED
 rf1 = ex.create_action_reference(action_id='test1d:1234')
 rel1 = ex.create_action_relationship(action_references=[rf1],type=ar)
 ex.add_relationships(action_relationship=rel1)
 ###################################################################################################################