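def _affectsoft(data):
    """Build an ``AffectedSoftware`` list from a CVE record's vulnerable configurations.

    Args:
        data: a mapping whose ``'vulnerable_configuration'`` entry is a list of
            dicts, each carrying a CPE ``'id'`` string and a readable ``'title'``.

    Returns:
        An ``AffectedSoftware`` instance with one ``Observable``-wrapped
        ``Product`` per configuration entry, in input order.

    Raises:
        KeyError: if ``data`` has no ``'vulnerable_configuration'`` or an entry
            lacks ``'id'`` / ``'title'``.
    """
    affect_soft = AffectedSoftware()
    for software in data['vulnerable_configuration']:
        # The indexes used below line up with the CPE 2.3 layout
        # "cpe:2.3:part:vendor:product:version:update:..." (3 = vendor,
        # 5 = version, 6 = update) -- presumably what the feed emits; confirm.
        # NOTE(review): a ':' escaped as '\:' inside a CPE component would also
        # be split here; the feed data is treated as untrusted, so verify it
        # never carries escaped colons before relying on these positions.
        id_list = software['id'].split(':')
        prod_obj = Product()
        prod_obj.product = software['title']
        # NOTE(review): verify `Device_Details` is a serialized Product field
        # name; if not, the CPE id is attached but never emitted.
        prod_obj.Device_Details = software['id']
        # Guard every index so a short or malformed id yields a Product with
        # fewer fields instead of an IndexError that aborts the whole record.
        if len(id_list) > 3:
            prod_obj.vendor = id_list[3].title()
        if len(id_list) > 6:
            prod_obj.version = id_list[5] + " " + id_list[6]
        elif len(id_list) == 6:
            prod_obj.version = id_list[5]
        prod_obs = Observable(prod_obj)
        prod_obs.title = "Product: " + software['title']
        affect_soft.append(prod_obs)
    return affect_soft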
Description: Demonstrates the setting of the `affected_software` property on the
stix.exploit_target.vulnerability.Vulnerability class.
"""

# python-cybox
from cybox.core import Observable
from cybox.objects.product_object import Product

# python-stix
from stix.core import STIXPackage
from stix.exploit_target import ExploitTarget
from stix.exploit_target.vulnerability import Vulnerability, AffectedSoftware

# Build a Product Object that characterizes our affected software.
# The values are sample data for the example, not a real product.
software = Product()
software.product = "Foobar"
software.version = "3.0"
software.edition = "GOTY"

# Wrap the Product Object in an Observable instance.
observable = Observable(software)

# Attach the Product observable to the affected_software list of
# RelatedObservable instances. This wraps our Observable in a
# RelatedObservable layer.
vuln = Vulnerability()
vuln.affected_software = AffectedSoftware()
vuln.affected_software.append(observable)

# Create the Exploit Target
# (STIXPackage and ExploitTarget are not used above; the example continues
# past this point.)
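def _hex(raw):
    """Return the lowercase hex text of a binary protobuf field.

    Replaces the Python 2-only ``str.encode('hex')`` so the same code runs on
    Python 3, where protobuf ``bytes`` values have no ``encode`` method.
    """
    import binascii
    return binascii.hexlify(raw).decode('ascii')


def _source_observables(as_report):
    """Build the CybOX objects that identify the entity behind *as_report*.

    Returns a ``(product, device, custom)`` tuple: the reporting product, a
    generic mobile Device, and a Custom object carrying the organization,
    application and instance identifiers. The two binary IDs are hex-encoded
    so they serialize as text.
    """
    cybox_product = Product()
    cybox_product.product = "MobileAwareness"
    cybox_product.vendor = "Addition Security"

    cybox_device = Device()
    cybox_device.device_type = "Mobile Device"

    cybox_custom_sourceapp = Custom()
    cybox_custom_sourceapp.custom_name = "addsec:sourceApplication"
    cybox_custom_sourceapp.custom_properties = CustomProperties()
    # organizationId and systemId are binary bytes in the protobuf;
    # applicationId is the bundleId/packageId of the hosting app.
    for name, value in (
        ("organizationId", _hex(as_report.organizationId)),
        ("application", as_report.applicationId),
        ("instanceId", _hex(as_report.systemId)),
    ):
        prop = Property()
        prop.name = name
        prop.value = value
        cybox_custom_sourceapp.custom_properties.append(prop)

    return cybox_product, cybox_device, cybox_custom_sourceapp


def _sighting_to_indicator(as_sighting):
    """Turn one Addition Security sighting into a STIX Indicator with a Sighting.

    The indicator ID is composed from the test ID / sub-ID pair
    (``addsec:asma-<testId>-<testSubId>``). The sighting carries the report
    timestamp, the confidence when one was reported (``> 0``), and one
    RelatedObservable per data item that maps to a CybOX object.
    """
    indicator_id = "addsec:asma-%d-%d" % (as_sighting.testId, as_sighting.testSubId)
    stix_indicator = Indicator(id_=indicator_id)
    stix_indicator.title = addsec_title_lookup(as_sighting.testId, as_sighting.testSubId)

    stix_sighting = Sighting()
    stix_indicator.sightings = stix_sighting
    # NOTE(review): fromtimestamp() yields a naive local-time datetime; for
    # reports correlated across hosts a tz-aware UTC value would be
    # unambiguous. Confirm how python-stix serializes naive values before
    # changing this, since it alters the emitted XML.
    stix_sighting.timestamp = datetime.datetime.fromtimestamp(as_sighting.timestamp)
    # A confidence of 0 is treated as "not reported": the field stays unset.
    if as_sighting.confidence > 0:
        stix_sighting.confidence = addsec_to_stix_confidence(as_sighting.confidence)

    for as_observable in as_sighting.datas:
        cybox_obj = addsec_to_cybox(as_observable.dataType, as_observable.data)
        # Data types with no CybOX mapping come back as None and are skipped.
        if cybox_obj is not None:
            stix_sighting.related_observables.append(
                RelatedObservable(Observable(cybox_obj)))

    return stix_indicator


def transform(addsec_data):
    """Convert a serialized Addition Security report into STIX XML.

    Args:
        addsec_data: raw protobuf bytes of an ``addsec_cti_pb2.Report``.
            The bytes are treated as untrusted input; nothing beyond what
            protobuf decoding guarantees is assumed about the fields.

    Returns:
        The STIX package serialized with ``STIXPackage.to_xml()``.

    Raises:
        google.protobuf.message.DecodeError: if the bytes are not a valid
            ``Report`` message.
    """
    # Parse the Addition Security protobuf object, which contains a STIX
    # report representation.
    as_report = addsec_cti_pb2.Report()
    as_report.ParseFromString(addsec_data)

    # Create a new STIX package & report container.
    stix_package = STIXPackage()
    stix_package.stix_header = STIXHeader()
    stix_package.stix_header.description = "Addition Security Report"
    stix_report = Report()

    # Addition Security includes identification information about the entity
    # of the report; it becomes three CybOX objects: Product, Device, Custom.
    cybox_product, cybox_device, cybox_custom_sourceapp = _source_observables(as_report)
    stix_report.add_observable(cybox_product)
    stix_report.add_observable(cybox_device)
    stix_report.add_observable(cybox_custom_sourceapp)

    # Enumerate the Addition Security reported sightings.
    for as_sighting in as_report.observations:
        # Customers can transit custom messages over the reporting channel;
        # they show up as a "Customer Message" (observationType 8:
        # CustomerData) with a string payload. They are proprietary and
        # potentially unrelated to STIX, so they are filtered out.
        if as_sighting.observationType == 8:
            continue

        # Sightings are also used to report device information (testId 1 / 2);
        # those are meant to enrich the CybOX Device object instead of
        # becoming indicators.
        # TODO(review): the enrichment call
        # addsec_to_cybox_device(cybox_device, as_sighting) was commented out
        # upstream, so these sightings are currently dropped -- re-enable it
        # or document why the data is discarded.
        if as_sighting.testId in (1, 2):
            continue

        # Ditto for reported product information (testId 8: SDKVersionInfo).
        if as_sighting.testId == 8:
            addsec_to_cybox_product(cybox_product, as_sighting)
            continue

        # Everything else becomes an indicator with a sighting and its
        # related observables, added to the top-level report.
        stix_report.add_indicator(_sighting_to_indicator(as_sighting))

    # Finalize the STIX report and output the XML.
    stix_package.reports = stix_report
    return stix_package.to_xml()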
#Add Action Context ex.add_context(context='Host') ################################################################################################################### #Add timestamp import datetime ex.add_timestamp(timestamp=datetime.datetime.now()) ################################################################################################################### #Add Ordinal Position ex.add_ordinal_position(15) ################################################################################################################### #Add Associated objects from cybox.objects.product_object import Product from cybox.common.vocabs import ActionObjectAssociationType at = ActionObjectAssociationType() at.value = ActionObjectAssociationType.TERM_AFFECTED dobj = Product() dobj.product='TestProduct' ob1 = ex.create_associated_object(defined_object=dobj,association_type=at) ex.add_associated_objects(associated_object=ob1) ################################################################################################################### # Add Frequency ex.add_frequnecy(rate=15,scale=18,trend=7,units=19) ################################################################################################################### # Add Relationships from cybox.common.vocabs import ActionRelationshipType ar= ActionRelationship() ar.value = ActionRelationshipType.TERM_INITIATED rf1 = ex.create_action_reference(action_id='test1d:1234') rel1 = ex.create_action_relationship(action_references=[rf1],type=ar) ex.add_relationships(action_relationship=rel1) ###################################################################################################################