def generateTTP(incident, attribute, ttps, eventTags):
ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
setTLP(ttp, attribute["distribution"], mergeTags(eventTags, attribute["AttributeTag"]))
ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
if attribute["type"] == "vulnerability":
vulnerability = Vulnerability()
vulnerability.cve_id = attribute["value"]
et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
et.id_= namespace[1] + ":et-" + attribute["uuid"]
if attribute["comment"] != "" and attribute["comment"] != "Imported via the freetext import.":
et.title = attribute["comment"]
else:
et.title = "Vulnerability " + attribute["value"]
et.add_vulnerability(vulnerability)
ttp.exploit_targets.append(et)
else:
malware = MalwareInstance()
malware.add_name(attribute["value"])
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware)
if attribute["comment"] != "":
ttp.description = attribute["comment"]
ttps.append(ttp)
rttp = TTP(idref=ttp.id_, timestamp=ttp.timestamp)
relatedTTP = RelatedTTP(rttp, relationship=attribute["category"])
incident.leveraged_ttps.append(relatedTTP)
def generate_vulnerability(self, incident, tags, attribute):
ttp = self.create_ttp(tags, attribute)
vulnerability = Vulnerability()
vulnerability.cve_id = attribute.value
ET = ExploitTarget(timestamp=attribute.timestamp)
ET.id_ = "{}:et-{}".format(namespace[1], attribute.uuid)
if attribute.comment and attribute.comment != "Imported via the freetext import.":
ET.title = attribute.comment
else:
ET.title = "Vulnerability {}".format(attribute.value)
ET.add_vulnerability(vulnerability)
ttp.exploit_targets.append(ET)
self.append_ttp(incident, attribute, ttp)
def test_et(self):
e = ExploitTarget()
e.title = UNICODE_STR
e.description = UNICODE_STR
e.short_description = UNICODE_STR
e2 = round_trip(e)
self._test_equal(e, e2)
def test_et(self):
e = ExploitTarget()
e.title = UNICODE_STR
e.description = UNICODE_STR
e.short_description = UNICODE_STR
e2 = round_trip(e)
self._test_equal(e, e2)
def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from mixbox.idgen import set_id_namespace
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = _marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
expt.information_source = InformationSource(
identity=Identity(name="National Vulnerability Database"))
# Add the vulnerability object to the package object
expt.add_vulnerability(_vulnbuild(data))
# Add the COA object to the ET object
for coa in COAS:
expt.potential_coas.append(
CourseOfAction(
idref=coa['id'],
timestamp=expt.timestamp))
# Do some TTP stuff with CAPEC objects
if TTPON is True:
try:
for i in data['capec']:
pkg.add_ttp(_buildttp(i, expt))
except KeyError:
pass
expt.add_weakness(_weakbuild(data))
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
title = pkg.id_.split(':', 1)[-1]
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
_postconstruct(xml, title)
return xml
else:
sys.exit("[-] Error retrieving details for " + var)
def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from mixbox.idgen import set_id_namespace
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = _marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
expt.information_source = InformationSource(identity=Identity(
name="National Vulnerability Database"))
# Add the vulnerability object to the package object
expt.add_vulnerability(_vulnbuild(data))
# Add the COA object to the ET object
for coa in COAS:
expt.potential_coas.append(
CourseOfAction(idref=coa['id'], timestamp=expt.timestamp))
# Do some TTP stuff with CAPEC objects
if TTPON is True:
try:
for i in data['capec']:
pkg.add_ttp(_buildttp(i, expt))
except KeyError:
pass
expt.add_weakness(_weakbuild(data))
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
title = pkg.id_.split(':', 1)[-1]
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
_postconstruct(xml, title)
return xml
else:
sys.exit("[-] Error retrieving details for " + var)
def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from stix.utils import idgen
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
idgen.set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
# Add the vulnerability object to the package object
expt.add_vulnerability(vulnbuild(data))
# Do some TTP stuff with CAPEC objects
try:
for i in data['capec']:
ttp = TTP()
ttp.title = "CAPEC-" + str(i['id'])
ttp.description = i['summary']
ttp.exploit_targets.append(ExploitTarget(idref=expt.id_))
pkg.add_ttp(ttp)
except KeyError:
pass
# Do some weakness stuff
if data['cwe'] != 'Unknown':
weak = Weakness()
weak.cwe_id = data['cwe']
expt.add_weakness(weak)
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
title = pkg.id_.split(':', 1)[-1]
with open(title + ".xml", "w") as text_file:
text_file.write(xml)
return xml
def get_exploit_target_from_json(ttp_json):
json_cve = ttp_json['value']
json_title = ttp_json['title']
# title は "%CVE番号% (index)" とする
title = '%s (%s)' % (json_cve, json_title)
# CVE 情報を circl から取得する
cve_info = Cve.get_cve_info(json_cve)
# 各種 CVE 情報のリンクを作成
mitre_url = 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=' + str(
json_cve)
circl_url = 'http://cve.circl.lu/cve/' + str(json_cve)
# Expoit_Target, Vulnerability の Short Description は link
common_short_description = '%s (<a href="%s" target="_blank">MITRE</a>, <a href="%s" target="_blank">circl.lu</a>)<br/>' % (
json_cve, mitre_url, circl_url)
# base_score
try:
vul_cvss_score = CVSSVector()
vul_cvss_score.base_score = cve_info['cvss']
except BaseException:
vul_cvss_score = None
# Expoit_Target, Vulnerability の Description 作成
common_decritpion = common_short_description
# base_score があったら追加する
if vul_cvss_score is not None:
common_decritpion += ('Base Score: %s<br/>' %
(vul_cvss_score.base_score))
# vulnerability の description は circl から取得した description
try:
common_decritpion += ('%s<br/>' % (cve_info['summary']))
except BaseException:
# 取得失敗時は circl のページの url
common_decritpion += ('%s<br/>' % (circl_url))
# ExploitTarget
et = ExploitTarget()
et.title = title
et.description = common_decritpion
et.short_description = common_short_description
# Vulnerability
vulnerablity = Vulnerability()
vulnerablity.title = title
vulnerablity.description = common_decritpion
vulnerablity.short_description = common_short_description
vulnerablity.cve_id = json_cve
if vul_cvss_score is not None:
vulnerablity.cvss_score = vul_cvss_score
et.add_vulnerability(vulnerablity)
return et
def buildTarget(input_dict):
# add incident and confidence
target = ExploitTarget()
target.title = input_dict['title']
target.description = input_dict['description']
if input_dict['vulnerability']:
target.add_vulnerability(input_dict['vulnerability'])
if input_dict['weakness']:
target.add_weakness(input_dict['weakness'])
if input_dict['configuration']:
target.configuration = input_dict['configuration']
if input_dict['informationSource']:
target.information_source = InformationSource(input_dict['informationSource'])
return target
def get_exploit_target_from_cve(cve):
title = cve
# description は mitreのページヘのリンク
description = 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=' + str(
cve)
# ExploitTarget
et = ExploitTarget()
et.title = title
et.description = description
et.short_description = description
# Vulnerability
vulnerablity = Vulnerability()
vulnerablity.title = title
vulnerablity.description = description
vulnerablity.short_description = description
vulnerablity.cve_id = cve
et.add_vulnerability(vulnerablity)
return et
def get_exploit_target_from_json(ttp_json):
json_cve = ttp_json['value']
json_title = ttp_json['title']
# title は "%CVE番号% (index)" とする
title = '%s (%s)' % (json_cve, json_title)
# # CVE 情報を circl から取得する
cve_info = CommonExtractor.get_cve_info(json_cve)
# Expoit_Target, Vulnerability の Short Description は link
common_short_description = CommonExtractor.get_ttp_common_short_description(
ttp_json)
# # base_score
vul_cvss_score = CommonExtractor.get_vul_cvss_score(cve_info)
# Expoit_Target, Vulnerability の Description 作成
common_decritpion = CommonExtractor.get_ttp_common_description(
ttp_json)
# ExploitTarget
et = ExploitTarget()
et.title = title
et.description = common_decritpion
et.short_description = common_short_description
# Vulnerability
vulnerablity = Vulnerability()
vulnerablity.title = title
vulnerablity.description = common_decritpion
vulnerablity.short_description = common_short_description
vulnerablity.cve_id = json_cve
if vul_cvss_score is not None:
vulnerablity.cvss_score = vul_cvss_score
et.add_vulnerability(vulnerablity)
return et
