コード例 #1
0
ファイル: ce1susstix.py プロジェクト: tsmolka/ce1sus
    def create_indicator(self, ce1sus_indicator, event_permissions, user):
        indicator = Indicator()
        indicator.id_ = 'ce1sus:Indicator-{0}'.format(ce1sus_indicator.uuid)
        indicator.title = ce1sus_indicator.title
        indicator.description = ce1sus_indicator.description
        indicator.short_description = ce1sus_indicator.short_description
        if ce1sus_indicator.confidence:
            indicator.confidence = ce1sus_indicator.confidence.title()
        else:
            indicator.confidence = 'Low'
        # TODO: handling
        # TODO: markings
        for type_ in ce1sus_indicator.types:
            indicator.add_indicator_type(type_.name)

        if ce1sus_indicator.operator:
            indicator.observable_composition_operator = ce1sus_indicator.operator
        # Todo Add confidence
        # indicator_attachment.confidence = "Low"
        creator = self.create_stix_identity(ce1sus_indicator)
        time = self.cybox_mapper.get_time(
            produced_time=ce1sus_indicator.created_at)
        info_source = InformationSource(identity=creator, time=time)
        indicator.producer = info_source
        observables = ce1sus_indicator.get_observables_for_permissions(
            event_permissions, user)
        for obs in observables:
            cybox_obs = self.create_observable(obs, event_permissions, user)
            indicator.add_observable(cybox_obs)
        valid_time = ValidTime(start_time=ce1sus_indicator.created_at,
                               end_time=ce1sus_indicator.created_at)
        indicator.add_valid_time_position(valid_time)
        return indicator
コード例 #2
0
def buildIndicator(input_dict):
    indicator = Indicator()
    indicator.description = input_dict["description"]
    if input_dict["confidence"]:
        indicator.confidence = input_dict["confidence"]

    if input_dict["impact"]:
        indicator.likely_impact = input_dict["impact"]

    if input_dict["producer"]:
        indicator.producer = InformationSource()
        indicator.producer.identity = Identity(input_dict["producer"])
    indicator.title = input_dict["title"]
    indicator.add_valid_time_position(valid_time.ValidTime(input_dict["starttime"], input_dict["endtime"]))
    if input_dict["type"]:
        indicator.add_indicator_type(input_dict["type"])

    return indicator
コード例 #3
0
def to_stix_comments(obj):
    from crits.comments.handlers import get_comments
    from stix.indicator import Indicator as S_Ind

    comments = get_comments(obj.id, obj._meta['crits_type'], False)
    ind_comments = []

    for each in comments:
        if not each.private:
            ind = S_Ind()
            ind.title = "CRITs Comment(s)"
            ind.description = each.comment
            ind.short_description = each.url_key
            ind.producer = to_stix_information_source(each)
            ind.timestamp = each.edit_date #should be date, but for some reason, it's not getting the correct value

            ind_comments.append(ind)

    return ind_comments
コード例 #4
0
ファイル: translate.py プロジェクト: dandye/openioc-to-stix
def _observable_to_indicator_stix(observable):
    """Translate a CybOX Observable into a STIX Indicator.

    Args:
        observable: Observable object that will be translated

    Returns:
        Indicator object with STIX utility and CybOX tags
    """
    # Build STIX tool content
    tool = ToolInformation(tool_name='OpenIOC to STIX Utility')
    tool.version = version.__version__

    # Build Indicator.producer contents
    producer = InformationSource()
    producer.tools = ToolInformationList(tool)

    # Build Indicator
    indicator = Indicator(title="CybOX-represented Indicator Created from OpenIOC File")
    indicator.producer = producer
    indicator.add_observable(observable)

    return indicator
コード例 #5
0
def _observable_to_indicator_stix(observable):
    """Translate a CybOX Observable into a STIX Indicator.

    Args:
        observable: Observable object that will be translated

    Returns:
        Indicator object with STIX utility and CybOX tags
    """
    # Build STIX tool content
    tool = ToolInformation(tool_name='OpenIOC to STIX Utility')
    tool.version = version.__version__

    # Build Indicator.producer contents
    producer = InformationSource()
    producer.tools = ToolInformationList(tool)

    # Build Indicator
    indicator = Indicator(title="CybOX-represented Indicator Created from OpenIOC File")
    indicator.producer = producer
    indicator.add_observable(observable)

    return indicator
コード例 #6
0
def to_stix_rfi(obj):
    from stix.indicator import Indicator as S_Ind
    list_rfis = []

    for each in obj.rfi:
        ind = S_Ind()
        ind.title = "CRITs RFI"
        ind.timestamp = each.date
        ind.description = each.topic
        ind.id_ = each.source

        list_rfis.append(ind)

        for item in each.instance:
            ind_2 = S_Ind()
            ind_2.title = "CRITs RFI"
            ind_2.timestamp = each.date
            ind_2.description = each.topic
            ind_2.producer = to_source(item)
            ind_2.id_ = each.source

            list_rfis.append(ind_2)

    return list_rfis
コード例 #7
0
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        ### Parsing Domain
        sDomain = data[sKey]['attrib']['domain']
        if len(sDomain) > 0:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'
            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            objDomain = None
            obsDomain.sighting_count = 1
            obsDomain.title = 'Domain: ' + sDomain
            sDscrpt = 'Domain: ' + sDomain + " | "
            sDscrpt += "isFQDN: True | "
            obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsDomain)
            obsDomain = None
            objIndicator.add_indicator_type("Domain Watchlist")

        ### Add Generated observable to Indicator
        objIndicator.observable_composition_operator = 'OR'
        objIndicator.observables = listOBS

        #Parsing Producer
        infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
        infoSrc.add_contributing_source(data[sKey]['attrib']['ref'])
        if len(srcObj.Domain) > 0:
            objIndicator.producer = infoSrc

        if data[sKey]['attrib']['lstDateVF']:
            objIndicator.set_produced_time(
                data[sKey]['attrib']['lstDateVF'][0])
        objIndicator.set_received_time(data[sKey]['dateDL'])

        ### Generate Indicator Title based on availbe data
        lstContainng = []
        lstIs = []
        sTitle = 'This domain ' + data[sKey]['attrib'][
            'domain'] + ' has been identified as malicious'
        if len(data[sKey]['attrib']['ref']):
            sTitle += ' by ' + data[sKey]['attrib']['ref']

        if len(data[sKey]['attrib']['type']) > 0:
            sTitle += ', via this vector [' + data[sKey]['attrib'][
                'type'] + '].'
        else:
            sTitle += '.'
        objIndicator.title = sTitle

        ### Generate Indicator Description based on availbe data
        sDscrpt = 'Lehigh.edu site has added this domain ' + data[sKey][
            'attrib']['domain']
        sDscrpt += ' to recommend block list.'
        sDscrpt += ' This site has been identified as malicious'
        sDscrpt += ' by ' + data[sKey]['attrib']['ref']
        sDscrpt += ' and was still attive on the following dates ' + str(
            data[sKey]['attrib']['lstDateVF']) + "."
        objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        #Parse TTP
        objMalware = MalwareInstance()
        objMalware.add_type("Remote Access Trojan")

        ttpTitle = data[sKey]['attrib']['type']
        objTTP = TTP(title=ttpTitle)
        objTTP.behavior = Behavior()
        objTTP.behavior.add_malware_instance(objMalware)
        objIndicator.add_indicated_ttp(objTTP)
        #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
        #stix_package.add_ttp(objTTP)

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return (stix_package)
コード例 #8
0
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        # if 'indicator' in data[sKey]['meta']['IDs']:
        #     objIndicator.id_ = data[sKey]['meta']['IDs'].key
        # else:
        #     data[sKey]['meta']['IDs'].update({objIndicator.id_:'indicator'})

        listOBS = []

        ### Parsing IP Address
        sAddr = data[sKey]['attrib']['IP Address']
        if sAddr:
            objAddr = Address()
            objAddr.is_source = True
            objAddr.address_value = sAddr
            objAddr.address_value.condition = 'Equals'
            if isIPv4(sAddr):
                objAddr.category = 'ipv4-addr'
            elif isIPv6(sAddr):
                objAddr.category = 'ipv6-addr'
            else:
                continue

            obsAddr = Observable(objAddr)
            # if 'address"' in data[sKey]['meta']['IDs']:
            #     obsAddr.id_ = data[sKey]['meta']['IDs'].key
            # else:
            #     data[sKey]['meta']['IDs'].update({objIndicator.id_:'address'})

            objAddr = None
            obsAddr.sighting_count = 1
            obsAddr.title = 'IP: ' + sAddr
            sDscrpt = 'IPv4' + ': ' + sAddr + " | "
            sDscrpt += "isSource: True | "
            obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsAddr)
            obsAddr = None
            objIndicator.add_indicator_type("IP Watchlist")

        ### Parsing Domain
        sDomain = data[sKey]['attrib']['Hostname']
        if sDomain:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'
            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            # if 'domain' in data[sKey]['meta']['IDs']:
            #     obsDomain.id_ = data[sKey]['meta']['IDs'].key
            # else:
            #     data[sKey]['meta']['IDs'].update({obsDomain.id_:'domain'})

            objDomain = None
            obsDomain.sighting_count = 1
            obsDomain.title = 'Domain: ' + sDomain
            sDscrpt = 'Domain: ' + sDomain + " | "
            sDscrpt += "isFQDN: True | "
            obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsDomain)
            obsDomain = None
            objIndicator.add_indicator_type("Domain Watchlist")

        ### Parsing Port Number
        sPortList = data[sKey]['attrib']['Ports']
        for item in sPortList:
            if sPortList[item]:
                objPort = Port()
                sPort = sPortList[item]
                objPort.port_value = int(sPort)
                objPort.port_value.condition = 'Equals'
                objPort.layer4_protocol = 'TCP'
                obsPort = Observable(objPort)
                objPort = None
                obsPort.sighting_count = 1
                obsPort.title = 'Port: ' + str(sPort)
                sDscrpt = 'PortNumber: ' + str(sPort) + " | "
                sDscrpt += "Protocol: TCP | "
                obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
                listOBS.append(obsPort)

        ### Add Generated observable to Indicator
        objIndicator.observable_composition_operator = 'OR'
        objIndicator.observables = listOBS

        #Parsing Producer
        infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
        #infoSrc.add_contributing_source(data[sKey]['attrib']['ref'])
        objIndicator.producer = infoSrc

        # if data[sKey]['attrib']['lstDateVF']:
        #     objIndicator.set_produced_time(data[sKey]['attrib']['lstDateVF'][0]);
        objIndicator.set_received_time(data[sKey]['meta']['dateDL'])

        ### Generate Indicator Title based on availbe data
        lstContainng = []
        lstIs = []
        sTitle = ' This'
        if data[sKey]['attrib']['Hostname']:
            sTitle += ' domain ' + data[sKey]['attrib']['Hostname']
        else:
            sTitle += ' ipAddress ' + sKey

        sTitle += ' has been identified as a TOR network "Exit Point" router'
        objIndicator.title = sTitle

        ### Generate Indicator Description based on availbe data
        sDscrpt = ' torstatus.blutmagie.de has identified this'
        if data[sKey]['attrib']['Hostname']:
            sDscrpt += ' domain ' + data[sKey]['attrib']['Hostname']
        else:
            sDscrpt += ' ipAddress ' + sKey

        # sDscrpt += ' with a router name of "' + data[sKey]['attrib']['Router Name'] + '"'

        # if data[sKey]['attrib']['Ports']['ORPort']:
        #     sDscrpt += ' using ORPort: ' + str(data[sKey]['attrib']['Ports']['ORPort'])

        # if data[sKey]['attrib']['Ports']['DirPort']:
        #     sDscrpt += ' and DirPort: ' + str(data[sKey]['attrib']['Ports']['DirPort'])

        sDscrpt += ' as a TOR network "Exit Point" router'

        if data[sKey]['attrib']['Country Code']:
            sCntry_code = data[sKey]['attrib']['Country Code']
            if sCntry_code in dictCC2CN:
                sCntry_name = dictCC2CN[sCntry_code]
            sDscrpt += ', which appears to be located in ' + sCntry_name

        sDscrpt += '. \n\n RawData: ' + str(data[sKey]['attrib'])
        objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        #Parse TTP
        # objMalware = MalwareInstance()
        # objMalware.add_type("Remote Access Trojan")

        # ttpTitle = data[sKey]['attrib']['type']
        # objTTP = TTP(title=ttpTitle)
        # objTTP.behavior = Behavior()
        # objTTP.behavior.add_malware_instance(objMalware)
        # objIndicator.add_indicated_ttp(objTTP)
        #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
        #stix_package.add_ttp(objTTP)

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    # locDataFile = 'db_' + srcObj.fileName.split('.')[0] + '.json'
    # sndFile_Dict2JSON(data,locDataFile);
    # data = None
    return (stix_package)
コード例 #9
0
ファイル: convert.py プロジェクト: bschmoker/stixconvert
def main():
    # get args
    parser = argparse.ArgumentParser ( description = "Parse a given CSV and output STIX XML" 
    , formatter_class=argparse.ArgumentDefaultsHelpFormatter )

    parser.add_argument("--infile","-f", help="input CSV", default = "in.csv")

    args = parser.parse_args()

    # setup header
    contain_pkg = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Indicators"
    stix_header.add_package_intent ("Indicators")
    # XXX add Information_Source and Handling
    contain_pkg.stix_header = stix_header


    # create kill chain with three options (pre, post, unknown), relate as needed
    pre = KillChainPhase(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee", name="Pre-infection indicator", ordinality=1)
    post = KillChainPhase(phase_id="stix:KillChainPhase-d5459305-1a27-4f50-9875-23793d75e4fe", name="Post-infection indicator", ordinality=2)
    chain = KillChain(id_="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d", name="Degenerate Cyber Kill Chain"  )
    chain.definer = "U5"

    chain.kill_chain_phases = [pre, post]
    contain_pkg.ttps.kill_chains.append(chain)

    # read input data
    fd = open (args.infile, "rb") 
    infile = csv.DictReader(fd)

    for row in infile:
        # create indicator for each row
        error = False
        ind = Indicator()
        ind.add_alternative_id(row['ControlGroupID'])
        ind.title = "Indicator with ID " + row['IndicatorID'] 
        ind.description = row['Notes']
        ind.producer = InformationSource()
        ind.producer.description = row['Reference']

        # XXX unknown purpose for 'Malware' field - omitted
            # if the field denotes a specific malware family, we might relate as 'Malware TTP' to the indicator

        # set chain phase
        if 'Pre' in row['Infection Type']:
            ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d"))
        elif 'Post' in row['Infection Type']:
            ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d"))
 

        ind_type = row['Indicator Type']
        if 'IP' in ind_type:
            
            ind.add_indicator_type( "IP Watchlist")
            ind_obj = SocketAddress()
            ind_obj.ip_address = row['Indicator']
            ind_obj.ip_address.condition= "Equals"
            if row['indValue']:
                port = Port()
                # pull port out, since it's in form "TCP Port 42"
                port.port_value = row['indValue'].split()[-1] 
                port.layer4_protocol = row['indValue'].split()[0] 
                port.port_value.condition= "Equals"
                ind_obj.port = port


        elif 'Domain' in ind_type:
            ind.add_indicator_type ("Domain Watchlist")
            ind_obj = DomainName()
            ind_obj.value = row['Indicator']
            ind_obj.value.condition= "Equals"

        elif 'Email' in ind_type:
            # parse out which part of the email is being
            # i.e. "Sender: attach | Subject: whatever"
            tag = row['Indicator'].split(':')[0]
            val = row['Indicator'].split(':')[1]
            ind.add_indicator_type ("Malicious E-mail")
            ind_obj = EmailMessage()
            
            if "Subject" in tag:
                ind_obj.subject = val
                ind_obj.subject.condition= "Equals"
            elif "Sender" in tag:
                ind_obj.sender = val
                ind_obj.sender.condition= "Equals"
            
            elif "Attachment" in tag:
                # make inline File to store filename 
                file_obj = File()
                file_obj.id_ = cybox.utils.create_id(prefix="File")
                file_obj.file_name = val
                file_obj.file_name.condition = "Equals"
                ind_obj.add_related(file_obj, "Contains")
                
                attach = Attachments()
                attach.append(file_obj.id_)
                
                ind_obj.attachments = attach
                
        elif 'User Agent' in ind_type:
            ind.add_indicator_type( VocabString(row['Indicator Type']))
            
            fields = HTTPRequestHeaderFields()
            fields.user_agent = row['Indicator']
            fields.user_agent.condition = "Equals"
            header = HTTPRequestHeader()
            header.parsed_header = fields

            thing = HTTPRequestResponse()
            thing.http_client_request = HTTPClientRequest()
            thing.http_client_request.http_request_header = header

            ind_obj = HTTPSession()
            ind_obj.http_request_response = [thing]
            
        elif 'URI' in ind_type:
            ind.add_indicator_type( VocabString(row['Indicator Type']))
    
            thing = HTTPRequestResponse()
            thing.http_client_request = HTTPClientRequest()
            thing.http_client_request.http_request_line = HTTPRequestLine()
            thing.http_client_request.http_request_line.http_method = row['Indicator'].split()[0]
            thing.http_client_request.http_request_line.http_method.condition = "Equals" 
            thing.http_client_request.http_request_line.value = row['Indicator'].split()[1]
            thing.http_client_request.http_request_line.value.condition = "Equals" 

            ind_obj = HTTPSession()
            ind_obj.http_request_response = [thing]


        elif 'File' in ind_type:
            ind.add_indicator_type( VocabString(row['Indicator Type']))
            ind_obj = File()
            ind_obj.file_name = row['Indicator']
            ind_obj.file_name.condition = "Equals"
            digest = Hash()
            # XXX assumes that hash digests are stored in this field in real data
            digest.simple_hash_value = row['indValue'].strip()
            digest.simple_hash_value.condition = "Equals"
            digest.type_.condition = "Equals"

            ind_obj.add_hash(digest)

        elif 'Registry' in ind_type:
            ind.add_indicator_type( VocabString(row['Indicator Type']))
            
            ind_obj = WinRegistryKey()
            keys = RegistryValues()
            key = RegistryValue()
            key.name = row['Indicator']
            key.name.condition = "Equals"
            key.data = row['indValue']
            key.data.condition = "Equals"
            keys.append(key)
            ind_obj.values = keys

        elif 'Mutex' in ind_type:
            ind.add_indicator_type (VocabString(row['Indicator Type']))
            ind_obj = Mutex()
            ind_obj.name = row['Indicator']
            ind_obj.name.condition= "Equals"

        else:
            print "ERR type not supported: " + ind_type + " <- will be omitted from output"
            error = True

        # finalize indicator
        if not error:
            ind.add_object(ind_obj)
            contain_pkg.add_indicator(ind)

    # DONE looping

    print contain_pkg.to_xml() 
コード例 #10
0
def to_stix(obj, items_to_convert=[], loaded=False, bin_fmt="raw", ref_id=None):
    """
    Converts a CRITs object to a STIX document.

    The resulting document includes standardized representations
    of all related objects noted within items_to_convert.

    :param items_to_convert: The list of items to convert to STIX/CybOX
    :type items_to_convert: Either a list of CRITs objects OR
                            a list of {'_type': CRITS_TYPE, '_id': CRITS_ID} dicts
    :param loaded: Set to True if you've passed a list of CRITs objects as
                    the value for items_to_convert, else leave False.
    :type loaded: bool
    :param bin_fmt: Specifies the format for Sample data encoding.
                    Options: None (don't include binary data in STIX output),
                                "raw" (include binary data as is),
                                "base64" (base64 encode binary data)

    :returns: A dict indicating which items mapped to STIX indicators, ['stix_indicators']
                which items mapped to STIX observables, ['stix_observables']
                which items are included in the resulting STIX doc, ['final_objects']
                and the STIX doc itself ['stix_obj'].
    """

    from cybox.common import Time, ToolInformationList, ToolInformation
    from stix.common import StructuredText, InformationSource
    from stix.core import STIXPackage, STIXHeader
    from stix.common.identity import Identity
    import stix.common.kill_chains.lmco as lmco

    # These lists are used to determine which CRITs objects
    # go in which part of the STIX document.
    ind_list = ['Indicator']
    obs_list = ['Domain',
                'Email',
                'IP',
                'Sample']
    camp_list = ['Campaign']
    actor_list = ['Actor']

    # Store message
    stix_msg = {
                    'stix_incidents': [],
                    'stix_indicators': [],
                    'stix_observables': [],
                    'stix_actors': [],
                    'final_objects': []
                }

    if not loaded: # if we have a list of object metadata, load it before processing
        items_to_convert = [class_from_id(item['_type'], item['_id'])
                                for item in items_to_convert]

    # add self to the list of items to STIXify
    if obj not in items_to_convert:
        items_to_convert.append(obj)

    # add any email attachments
    attachments = []
    for obj in items_to_convert:
        if obj._meta['crits_type'] == 'Email':
            for rel in obj.relationships:
                if rel.relationship == RelationshipTypes.CONTAINS:
                    atch = class_from_id('Sample', rel.object_id)
                    if atch not in items_to_convert:
                        attachments.append(atch)
    items_to_convert.extend(attachments)

    # grab ObjectId of items
    refObjs = {key.id: 0 for key in items_to_convert}

    relationships = {}
    stix = []
    stx = False
    tlp = None
    from stix.indicator import Indicator as S_Ind
    for obj in items_to_convert:
        obj_type = obj._meta['crits_type']
        if obj_type == class_from_type('Event')._meta['crits_type']:
            stx, release = to_stix_incident(obj)
            stix_msg['stix_incidents'].append(stx)
        elif obj_type in ind_list: # convert to STIX indicators
            stx, releas = to_stix_indicator(obj)
            stix_msg['stix_indicators'].append(stx)
            refObjs[obj.id] = S_Ind(idref=stx.id_)
        elif obj_type in camp_list:
            camp = to_stix_campaign(obj, False)
            comm = to_stix_comments(obj)
            tlp = to_stix_tlp(obj)
            rel = to_stix_relationship(obj)
            sight = to_stix_sightings(obj)
            kill = to_stix_kill_chains(obj)
            ttp = to_stix_ttps(obj)
            rfi = to_stix_rfi(obj)

            ind = S_Ind()
            ind.title = "MARTI Campaign"

            ind.sightings.append(sight)
            for each in camp:
                ind.add_related_campaign(each)
            for each in comm:
                ind.add_related_indicator(each)
            for each in rel:
                ind.add_related_indicator(each)
            for each in rfi:
                ind.add_related_indicator(each)
            for each in kill:
                ind.add_kill_chain_phase(each)
            for each in ttp:
                ind.add_indicated_ttp(each)

            ind.producer = to_stix_information_source(obj)
            ind.short_descriptions = obj.sectors
            ind.descriptions = obj.aliases

            stx = ind
            stix_msg['stix_indicators'].append(stx)
            refObjs[obj.id] = S_Ind(idref=stx.id_)
        elif obj_type in obs_list: # convert to CybOX observable
            camp = to_stix_campaign(obj)
            comm =  to_stix_comments(obj)
            rel = to_stix_relationship(obj)
            sight = to_stix_sightings(obj)
            kill = to_stix_kill_chains(obj)
            tlp = to_stix_tlp(obj)
            rfi = to_stix_rfi(obj)
            if obj_type == class_from_type('Sample')._meta['crits_type']:
                stx, releas = to_cybox_observable(obj, bin_fmt=bin_fmt)
            else:
                stx, releas = to_cybox_observable(obj)

            # wrap in stix Indicator
            ind = S_Ind()
            for ob in stx:
                ind.add_observable(ob)
                ind.sightings.append(sight)
                for each in camp:
                    ind.add_related_campaign(each)
                for each in comm:
                    ind.add_related_indicator(each)
                for each in rel:
                    ind.add_related_indicator(each)
                for each in rfi:
                    ind.add_related_indicator(each)
                for each in kill:
                    ind.add_kill_chain_phase(each)
            ind.title = "CRITs %s Top-Level Object" % obj_type
            ind.description = ("This is simply a CRITs %s top-level "
                                "object, not actually an Indicator. "
                                "The Observable is wrapped in an Indicator"
                                " to facilitate documentation of the "
                                "relationship." % obj_type)
            ind.confidence = 'None'
            ind.producer = to_stix_information_source(obj)
            ind.short_descriptions = obj.sectors
            stx = ind
            stix_msg['stix_indicators'].append(stx)
            refObjs[obj.id] = S_Ind(idref=stx.id_)
        elif obj_type in actor_list: # convert to STIX actor
            stx, releas = to_stix_actor(obj)
            stix_msg['stix_actors'].append(stx)

        # get relationships from CRITs objects
        for rel in obj.relationships:
            if rel.object_id in refObjs:
                relationships.setdefault(stx.id_, {})
                relationships[stx.id_][rel.object_id] = (rel.relationship,
                                                            rel.rel_confidence.capitalize(),
                                                            rel.rel_type)

        stix_msg['final_objects'].append(obj)
        if stx:
            stix.append(stx)

    # set relationships on STIX objects
    for stix_obj in stix:
        for rel in relationships.get(stix_obj.id_, {}):
            if isinstance(refObjs.get(rel), S_Ind): # if is STIX Indicator
                stix_obj.related_indicators.append(refObjs[rel])
                rel_meta = relationships.get(stix_obj.id_)[rel]
                stix_obj.related_indicators[-1].relationship = rel_meta[0]
                stix_obj.related_indicators[-1].confidence = rel_meta[1]

                # Add any Email Attachments to CybOX EmailMessage Objects
                if isinstance(stix_obj, S_Ind):
                    if 'EmailMessage' in stix_obj.observable.object_.id_:
                        if rel_meta[0] == 'Contains' and rel_meta[2] == 'Sample':
                            email = stix_obj.observable.object_.properties
                            email.attachments.append(refObjs[rel].idref)

    tool_list = ToolInformationList()
    tool = ToolInformation("CRITs", "MITRE")
    tool.version = settings.CRITS_VERSION
    tool_list.append(tool)
    i_s = InformationSource(
        time=Time(produced_time= datetime.now()),
        identity=Identity(name=settings.COMPANY_NAME),
        tools=tool_list)

    if obj._meta['crits_type'] == "Event":
        stix_desc = obj.description()
        stix_int = obj.event_type()
        stix_title = obj.title()
    else:
        stix_desc = "STIX from %s" % settings.COMPANY_NAME
        stix_int = "Collective Threat Intelligence"
        stix_title = "Threat Intelligence Sharing"
    header = STIXHeader(information_source=i_s,
                        description=StructuredText(value=stix_desc),
                        package_intents=[stix_int],
                        title=stix_title,
                        handling=tlp)

    if not ref_id:
        ref_id = uuid.uuid4()

    stix_msg['stix_obj'] = STIXPackage(incidents=stix_msg['stix_incidents'],
                    indicators=stix_msg['stix_indicators'],
                    threat_actors=stix_msg['stix_actors'],
                    stix_header=header,
                    campaigns=camp,
                    id_=ref_id)

    #print stix_msg['stix_obj'].to_xml()

    return stix_msg