def url(ip,provider,reporttime): vuln = Vulnerability() vuln.cve_id = "IPV4-" + str(ip) vuln.description = "maliciousURL" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) addr = Address(address_value=str(ip), category=Address.CAT_IPV4) addr.condition = "Equals" # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "URL-" + str(ip) indicator.description = ("Malicious URL " + str(ip) + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) indicator.add_observable(addr) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open('/opt/TARDIS/Observables/URL/' + str(ip) + '.xml','w') f.write(stix_package.to_xml()) f.close()
def md5(hash,provider,reporttime): vuln = Vulnerability() vuln.cve_id = "MD5-" + hash vuln.description = "maliciousMD5" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) # Create a CyboX File Object f = File() # This automatically detects that it's an MD5 hash based on the length f.add_hash(hash) # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "MD5-" + hash indicator.description = ("Malicious hash " + hash + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) # Add The File Object to the Indicator. This will promote the CybOX Object # to a CybOX Observable internally. indicator.add_observable(f) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open('/opt/TARDIS/Observables/MD5/' + hash + '.xml','w') f.write(stix_package.to_xml()) f.close()
def url(ip, provider, reporttime): vuln = Vulnerability() vuln.cve_id = "IPV4-" + str(ip) vuln.description = "maliciousURL" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) addr = Address(address_value=str(ip), category=Address.CAT_IPV4) addr.condition = "Equals" # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "URL-" + str(ip) indicator.description = ("Malicious URL " + str(ip) + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) indicator.add_observable(addr) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open('/opt/TARDIS/Observables/URL/' + str(ip) + '.xml', 'w') f.write(stix_package.to_xml()) f.close()
def md5(hash, provider, reporttime): vuln = Vulnerability() vuln.cve_id = "MD5-" + hash vuln.description = "maliciousMD5" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) # Create a CyboX File Object f = File() # This automatically detects that it's an MD5 hash based on the length f.add_hash(hash) # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "MD5-" + hash indicator.description = ("Malicious hash " + hash + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) # Add The File Object to the Indicator. This will promote the CybOX Object # to a CybOX Observable internally. indicator.add_observable(f) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open('/opt/TARDIS/Observables/MD5/' + hash + '.xml', 'w') f.write(stix_package.to_xml()) f.close()
def generateTTP(incident, attribute, ttps, eventTags): ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"] setTLP(ttp, attribute["distribution"], mergeTags(eventTags, attribute["AttributeTag"])) ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")" if attribute["type"] == "vulnerability": vulnerability = Vulnerability() vulnerability.cve_id = attribute["value"] et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) et.id_= namespace[1] + ":et-" + attribute["uuid"] if attribute["comment"] != "" and attribute["comment"] != "Imported via the freetext import.": et.title = attribute["comment"] else: et.title = "Vulnerability " + attribute["value"] et.add_vulnerability(vulnerability) ttp.exploit_targets.append(et) else: malware = MalwareInstance() malware.add_name(attribute["value"]) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) if attribute["comment"] != "": ttp.description = attribute["comment"] ttps.append(ttp) rttp = TTP(idref=ttp.id_, timestamp=ttp.timestamp) relatedTTP = RelatedTTP(rttp, relationship=attribute["category"]) incident.leveraged_ttps.append(relatedTTP)
def main(): pkg = STIXPackage() vuln = Vulnerability() vuln.cve_id = "CVE-2013-3893" et = ExploitTarget(title="Javascript vulnerability in MSIE 6-11") et.add_vulnerability(vuln) pkg.add_exploit_target(et) print pkg.to_xml()
def main(): pkg = STIXPackage() vuln = Vulnerability() vuln.cve_id = "CVE-2013-3893" vuln.add_reference( "https://technet.microsoft.com/library/security/2887505") et = ExploitTarget(title="Javascript vulnerability in MSIE 6-11") et.add_vulnerability(vuln) pkg.add_exploit_target(et) print(pkg.to_xml(encoding=None))
def generate_vulnerability(self, incident, tags, attribute): ttp = self.create_ttp(tags, attribute) vulnerability = Vulnerability() vulnerability.cve_id = attribute.value ET = ExploitTarget(timestamp=attribute.timestamp) ET.id_ = "{}:et-{}".format(namespace[1], attribute.uuid) if attribute.comment and attribute.comment != "Imported via the freetext import.": ET.title = attribute.comment else: ET.title = "Vulnerability {}".format(attribute.value) ET.add_vulnerability(vulnerability) ttp.exploit_targets.append(ET) self.append_ttp(incident, attribute, ttp)
def add_cve_info(pkg): global cve_info if cve_info != []: processed_ttps = [] for x in cve_info: et = ExploitTarget() for cve in x.get('cves'): v = Vulnerability() v.cve_id = cve et.add_vulnerability(v) pkg.add_exploit_target(et) ttp = x.get('related_ttp') if ttp not in processed_ttps: if not ttp.exploit_targets: ttp.exploit_targets = ExploitTargets() ttp.exploit_targets.append(RelatedExploitTarget(ExploitTarget(idref=et._id))) processed_ttps.append(ttp)
def vulnbuild(data): """Do some vulnerability stuff.""" vuln = Vulnerability() vuln.cve_id = data['id'] vuln.source = NVD_URL + data['id'] vuln.title = data['id'] vuln.description = data['summary'] # The below has issues with python-stix 1.2 (https://github.com/STIXProject # /python-stix/issues/276) # vuln.published_datetime = data['Published'] vuln.references = data['references'] vuln.is_known = 1 # Create the CVSS object and then assign it to the vuln object cvssvec = CVSSVector() cvssvec.overall_score = data['cvss'] vuln.cvss_score = cvssvec return vuln
def fqdn(fqdn,provider,reporttime): currentTime = time.time() parsed_uri = urlparse( str(fqdn) ) domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri) if domain.startswith('https'): domain = domain[8:] else: domain = domain[7:] if domain.endswith('/'): domain = domain[:-1] vuln = Vulnerability() vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime) vuln.description = "maliciousIPV4" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) url = URI() url.value = fqdn url.type_ = URI.TYPE_URL url.condition = "Equals" # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "FQDN-" + str(fqdn) indicator.description = ("Malicious FQDN " + str(fqdn) + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) indicator.add_observable(url) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open('/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' + str(currentTime) + '.xml','w') f.write(stix_package.to_xml()) f.close()
def generateTTP(incident, attribute): ttp = TTP() ttp.id_="example:ttp-" + attribute["uuid"] setTLP(ttp, attribute["distribution"]) ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"] if attribute["type"] == "vulnerability": vulnerability = Vulnerability() vulnerability.cve_id = attribute["value"] et = ExploitTarget() et.add_vulnerability(vulnerability) ttp.exploit_targets.append(et) else: malware = MalwareInstance() malware.add_name(attribute["value"]) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) relatedTTP = RelatedTTP(ttp, relationship=attribute["category"]) incident.leveraged_ttps.append(relatedTTP)
def fqdn(fqdn, provider, reporttime): currentTime = time.time() parsed_uri = urlparse(str(fqdn)) domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri) if domain.startswith('https'): domain = domain[8:] else: domain = domain[7:] if domain.endswith('/'): domain = domain[:-1] vuln = Vulnerability() vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime) vuln.description = "maliciousIPV4" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) url = URI() url.value = fqdn url.type_ = URI.TYPE_URL url.condition = "Equals" # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "FQDN-" + str(fqdn) indicator.description = ("Malicious FQDN " + str(fqdn) + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) indicator.add_observable(url) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open( '/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' + str(currentTime) + '.xml', 'w') f.write(stix_package.to_xml()) f.close()
def generateTTP(incident, attribute): ttp = TTP() ttp.id_ = "example:ttp-" + attribute["uuid"] setTLP(ttp, attribute["distribution"]) ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute[ "uuid"] if attribute["type"] == "vulnerability": vulnerability = Vulnerability() vulnerability.cve_id = attribute["value"] et = ExploitTarget() et.add_vulnerability(vulnerability) ttp.exploit_targets.append(et) else: malware = MalwareInstance() malware.add_name(attribute["value"]) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) relatedTTP = RelatedTTP(ttp, relationship=attribute["category"]) incident.leveraged_ttps.append(relatedTTP)
def generateTTP(incident, attribute): ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"] setTLP(ttp, attribute["distribution"]) ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")" if attribute["type"] == "vulnerability": vulnerability = Vulnerability() vulnerability.cve_id = attribute["value"] et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) et.add_vulnerability(vulnerability) ttp.exploit_targets.append(et) else: malware = MalwareInstance() malware.add_name(attribute["value"]) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) if attribute["comment"] != "": ttp.description = attribute["comment"] relatedTTP = RelatedTTP(ttp, relationship=attribute["category"]) incident.leveraged_ttps.append(relatedTTP)
def main(): stix_package = STIXPackage() # Build the Exploit Target vuln = Vulnerability() vuln.cve_id = "CVE-2014-0160" vuln.add_reference("http://heartbleed.com/") et = ExploitTarget(title="Heartbleed") et.add_vulnerability(vuln) stix_package.add_exploit_target(et) # Build the TTP ttp = TTP(title="Generic Heartbleed Exploits") ttp.exploit_targets.append(ExploitTarget(idref=et.id_)) stix_package.add_ttp(ttp) # Build the indicator indicator = Indicator(title="Snort Signature for Heartbleed") indicator.confidence = Confidence("High") tm = SnortTestMechanism() tm.rules = [ """alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)""", """alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)""" ] tm.efficacy = "Low" tm.producer = InformationSource(identity=Identity(name="FOX IT")) tm.producer.references = [ "http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/" ] indicator.test_mechanisms = TestMechanisms([tm]) indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) print(stix_package.to_xml(encoding=None))
def main(): stix_package = STIXPackage() # Build the Exploit Target vuln = Vulnerability() vuln.cve_id = "CVE-2014-0160" vuln.add_reference("http://heartbleed.com/") et = ExploitTarget(title="Heartbleed") et.add_vulnerability(vuln) stix_package.add_exploit_target(et) # Build the TTP ttp = TTP(title="Generic Heartbleed Exploits") ttp.exploit_targets.append(ExploitTarget(idref=et.id_)) stix_package.add_ttp(ttp) # Build the indicator indicator = Indicator(title="Snort Signature for Heartbleed") indicator.confidence = Confidence("High") tm = SnortTestMechanism() tm.rules = [ """alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)""", """alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)""" ] tm.efficacy = "Low" tm.producer = InformationSource(identity=Identity(name="FOX IT")) tm.producer.references = ["http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/"] indicator.test_mechanisms = TestMechanisms([tm]) indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) print(stix_package.to_xml(encoding=None))
def toStixXml(self, confidence, efficacy): """ This method converts a list of FASGuard generated Snort rules into a STIX compliant XML string ready for output. It first converts the object into a hash of the right format and then converts it into XML using STIXPackage.from_dict and to_xml on the resulting object. Arguments: confidence - High, Medium or Low. High means low false alarm rate. efficacy - High, Medium or Low. High means a low missed detection rate. Returns: Reference to string containing STIX/CybOX XML file. """ logger = logging.getLogger('simple_example') self.logger = logger self.logger.debug('In asg.fasguardStixRule') stix_package = STIXPackage() # Build the Exploit Target vuln = Vulnerability() vuln.cve_id = "Unknown" et = ExploitTarget(title="From FASGuard") et.add_vulnerability(vuln) stix_package.add_exploit_target(et) # Build the TTP ttp = TTP(title="FASGuard Produced Signatures") ttp.exploit_targets.append(ExploitTarget(idref=et.id_)) stix_package.add_ttp(ttp) # Build the indicator indicator = Indicator(title="Snort Signature from FASGuard") indicator.confidence = Confidence(confidence) tm = SnortTestMechanism() tm.rules = self.ruleList tm.efficacy = efficacy tm.producer = InformationSource(identity=Identity(name="FASGuard")) tm.producer.references = ["http://fasguard.github.io/"] indicator.test_mechanisms = [tm] indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) return stix_package.to_xml() # stixDict = {'campaigns': [{}], # 'courses_of_action': [{}], # 'exploit_targets': [{}], # 'id': 'INSERT_PACKAGE_ID_HERE'} # stixDict['indicators'] = [{'indicator': # {'title': # 'Automatically Generated FASGuard Signatures', # 'test_mechanisms': # {'test_mechanism': # {'efficacy':'Low', # 'producer': # {'Identity':'FASGuard'}, # 'rule':'xyz'}}}} # ] stix_package = STIXPackage.from_dict(stixDict) stix_xml = stix_package.to_xml() return stix_xml
def toStixXml(self, confidence, efficacy): """ This method converts a list of FASGuard generated Snort rules into a STIX compliant XML string ready for output. It first converts the object into a hash of the right format and then converts it into XML using STIXPackage.from_dict and to_xml on the resulting object. Arguments: confidence - High, Medium or Low. High means low false alarm rate. efficacy - High, Medium or Low. High means a low missed detection rate. Returns: Reference to string containing STIX/CybOX XML file. """ logger = logging.getLogger('simple_example') self.logger = logger self.logger.debug('In asg.fasguardStixRule') stix_package = STIXPackage() # Build the Exploit Target vuln = Vulnerability() vuln.cve_id = "Unknown" et = ExploitTarget(title="From FASGuard") et.add_vulnerability(vuln) stix_package.add_exploit_target(et) # Build the TTP ttp = TTP(title="FASGuard Produced Signatures") ttp.exploit_targets.append(ExploitTarget(idref=et.id_)) stix_package.add_ttp(ttp) # Build the indicator indicator = Indicator(title = "Snort Signature from FASGuard") indicator.confidence = Confidence(confidence) tm = SnortTestMechanism() tm.rules = self.ruleList tm.efficacy = efficacy tm.producer = InformationSource(identity=Identity(name="FASGuard")) tm.producer.references = ["http://fasguard.github.io/"] indicator.test_mechanisms = [tm] indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) return stix_package.to_xml() # stixDict = {'campaigns': [{}], # 'courses_of_action': [{}], # 'exploit_targets': [{}], # 'id': 'INSERT_PACKAGE_ID_HERE'} # stixDict['indicators'] = [{'indicator': # {'title': # 'Automatically Generated FASGuard Signatures', # 'test_mechanisms': # {'test_mechanism': # {'efficacy':'Low', # 'producer': # {'Identity':'FASGuard'}, # 'rule':'xyz'}}}} # ] stix_package = STIXPackage.from_dict(stixDict) stix_xml = stix_package.to_xml() return stix_xml