def stix_xml(bldata): # Create the STIX Package and Header objects stix_package = STIXPackage() stix_header = STIXHeader() # Set the description stix_header.description = "RiskIQ Blacklist Data - STIX Format" # Set the namespace NAMESPACE = {"http://www.riskiq.com" : "RiskIQ"} set_id_namespace(NAMESPACE) # Set the produced time to now stix_header.information_source = InformationSource() stix_header.information_source.time = Time() stix_header.information_source.time.produced_time = datetime.now() # Create the STIX Package stix_package = STIXPackage() # Build document stix_package.stix_header = stix_header # Build the Package Intent stix_header.package_intents.append(PackageIntent.TERM_INDICATORS) # Build the indicator indicator = Indicator() indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam" indicator.add_indicator_type("URL Watchlist") for datum in bldata: url = URI() url.value = "" url.value = datum['url'] url.type_ = URI.TYPE_URL url.condition = "Equals" indicator.add_observable(url) stix_package.add_indicator(indicator) return stix_package.to_xml()
def capecbuild(capecid): """Build a STIX package based on a CAPEC ID.""" data = _get_attack(capecid) if data: try: from stix.utils import set_id_namespace namespace = {NS: NS_PREFIX} set_id_namespace(namespace) except ImportError: from mixbox.idgen import set_id_namespace from mixbox.namespaces import Namespace namespace = Namespace(NS, NS_PREFIX, "") set_id_namespace(namespace) pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg.stix_header.handling = _marking() ttp = _buildttp(data) if data['related_attacks']: ttp.related_ttps.append( _buildttp(_get_attack(str(data['related_attacks'][0])))) pkg.add_ttp(ttp) xml = pkg.to_xml() title = pkg.id_.split(':', 1)[-1] if __name__ == '__main__': _postconstruct(xml, title) return xml
def cvebuild(var): """Search for a CVE ID and return a STIX formatted response.""" cve = CVESearch() data = json.loads(cve.id(var)) if data: try: from stix.utils import set_id_namespace namespace = {NS: NS_PREFIX} set_id_namespace(namespace) except ImportError: from mixbox.idgen import set_id_namespace from mixbox.namespaces import Namespace namespace = Namespace(NS, NS_PREFIX, "") set_id_namespace(namespace) pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg.stix_header.handling = _marking() # Define the exploit target expt = ExploitTarget() expt.title = data['id'] expt.description = data['summary'] expt.information_source = InformationSource( identity=Identity(name="National Vulnerability Database")) # Add the vulnerability object to the package object expt.add_vulnerability(_vulnbuild(data)) # Add the COA object to the ET object for coa in COAS: expt.potential_coas.append( CourseOfAction( idref=coa['id'], timestamp=expt.timestamp)) # Do some TTP stuff with CAPEC objects if TTPON is True: try: for i in data['capec']: pkg.add_ttp(_buildttp(i, expt)) except KeyError: pass expt.add_weakness(_weakbuild(data)) # Add the exploit target to the package object pkg.add_exploit_target(expt) xml = pkg.to_xml() title = pkg.id_.split(':', 1)[-1] # If the function is not imported then output the xml to a file. if __name__ == '__main__': _postconstruct(xml, title) return xml else: sys.exit("[-] Error retrieving details for " + var)
def stix_xml(bldata): # Create the STIX Package and Header objects stix_package = STIXPackage() stix_header = STIXHeader() # Set the description stix_header.description = "RiskIQ Blacklist Data - STIX Format" # Set the namespace NAMESPACE = {"http://www.riskiq.com": "RiskIQ"} set_id_namespace(NAMESPACE) # Set the produced time to now stix_header.information_source = InformationSource() stix_header.information_source.time = Time() stix_header.information_source.time.produced_time = datetime.now() # Create the STIX Package stix_package = STIXPackage() # Build document stix_package.stix_header = stix_header # Build the Package Intent stix_header.package_intents.append(PackageIntent.TERM_INDICATORS) # Build the indicator indicator = Indicator() indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam" indicator.add_indicator_type("URL Watchlist") for datum in bldata: url = URI() url.value = "" url.value = datum['url'] url.type_ = URI.TYPE_URL url.condition = "Equals" indicator.add_observable(url) stix_package.add_indicator(indicator) return stix_package.to_xml()
def cvebuild(var): """Search for a CVE ID and return a STIX formatted response.""" cve = CVESearch() data = json.loads(cve.id(var)) if data: try: from stix.utils import set_id_namespace namespace = {NS: NS_PREFIX} set_id_namespace(namespace) except ImportError: from stix.utils import idgen from mixbox.namespaces import Namespace namespace = Namespace(NS, NS_PREFIX, "") idgen.set_id_namespace(namespace) pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg.stix_header.handling = marking() # Define the exploit target expt = ExploitTarget() expt.title = data['id'] expt.description = data['summary'] # Add the vulnerability object to the package object expt.add_vulnerability(vulnbuild(data)) # Do some TTP stuff with CAPEC objects try: for i in data['capec']: ttp = TTP() ttp.title = "CAPEC-" + str(i['id']) ttp.description = i['summary'] ttp.exploit_targets.append(ExploitTarget(idref=expt.id_)) pkg.add_ttp(ttp) except KeyError: pass # Do some weakness stuff if data['cwe'] != 'Unknown': weak = Weakness() weak.cwe_id = data['cwe'] expt.add_weakness(weak) # Add the exploit target to the package object pkg.add_exploit_target(expt) xml = pkg.to_xml() # If the function is not imported then output the xml to a file. if __name__ == '__main__': title = pkg.id_.split(':', 1)[-1] with open(title + ".xml", "w") as text_file: text_file.write(xml) return xml
def _custom_namespace(url, alias): try: from stix.utils import set_id_namespace namespace = {url: alias} set_id_namespace(namespace) except ImportError: from mixbox.namespaces import Namespace from stix.utils import idgen namespace = Namespace(url, alias, "") idgen.set_id_namespace(namespace)
def parse_file(file_to_parse): set_id_namespace({IDManager().get_namespace(): LOCAL_ALIAS}) cybox_set_id_namespace(Namespace(IDManager().get_namespace(), LOCAL_ALIAS)) parse_func = 'parse_txt' if 'pdf' in file_to_parse.content_type: parse_func = 'parse_pdf_pypdf2' try: return parse_using_func(file_to_parse, parse_func) except Exception as e: raise (IOCParseException(e.message))
def main(): # Parse command line arguments argparser = get_arg_parser() args = argparser.parse_args() # initialize logging init_logging(args.verbose) # Set the namespace to be used in the STIX Package utils.set_id_namespace({"http://openioc.org/openioc":"openioc"}) # Create Observables from binding object stix_package = translate.to_stix(args.infile) # Write the STIXPackage to a output file write_package(stix_package, outfn=args.outfile)
def tearDown(self): utils.set_id_namespace(utils.EXAMPLE_NAMESPACE)
def export_stix(request, model, id): c = None if model == "cluster": c = Cluster.objects.get(pk=id) n = Node.objects.filter(subcluster__cluster=c) r = Relation.objects.filter(subcluster__cluster=c) elif model == "subcluster": c = SubCluster.objects.get(pk=id) n = Node.objects.filter(subcluster=c) r = Relation.objects.filter(subcluster=c) NAMESPACE = {} url = "http://localhost" prefix = "localhost" NAMESPACE[url] = prefix #ns = Namespace(url, prefix, '') #idgen = IDGenerator(namespace=ns) #set_id_namespace(ns) #full_path = ('http', ('', 's')[request.is_secure()], '://', request.META['HTTP_HOST'], request.path) #url = ''.join(full_path) #NAMESPACE[url] = request.META['HTTP_HOST'].split(":")[0] set_id_namespace(NAMESPACE) pkg = create_package() intent = "Indicators" report = create_report(source=url, intent=intent) pkg.add_report(report) ctitle = c.name cdscr = c.description campaign = create_campaign(title=ctitle, description=cdscr) pkg.add_campaign(campaign) hostlist = [] #hosts = n.filter(label__name="Host",key_property__key__name="name") hosts = n.filter(index__label__name="Host",index__property_key__name="name") for host in hosts: #h = host.key_property.value h = host.value if not h in hostlist: hostlist.append(h) domainlist = [] domains = n.filter(index__label__name="Domain",index__property_key__name="name") for domain in domains: #d = domain.key_property.value d = domain.value if not d in domainlist: domainlist.append(d) iplist = [] ips = n.filter(index__label__name="IP",index__property_key__name="address") for ip in ips: #i = ip.key_property.value i = ip.value if not i in iplist: iplist.append(i) """ indicators = [ hostchars_indicator(hostlist), domainlist_indicator(domainlist), iplist_indicator(iplist), ] indicators = add_relcampaign_to_indicators(campaign, indicators) pkg = add_indicators_to_pkg(indicators, pkg) """ obs = { "ip":iplist, "domain":domainlist, "host":hostlist, } pkg = add_obs_to_pkg(obs, pkg) out = "/static/export/stix_" + model + id + ".xml" fh = open(appdir + out, "wb") fh.write(pkg.to_xml()) fh.close() return redirect(out)
def setUp(self): utils.set_id_namespace({"http://schemas.mandiant.com/2010/ioc": "mandiant-openioc"})
from cybox.objects.device_object import Device from cybox.objects.api_object import API from cybox.objects.library_object import Library from cybox.objects.user_account_object import UserAccount from cybox.objects.file_object import File from cybox.objects.hostname_object import Hostname from cybox.objects.x509_certificate_object import X509Certificate from cybox.objects.process_object import Process from cybox.objects.linux_package_object import LinuxPackage from cybox.objects.artifact_object import Artifact from cybox.objects.custom_object import Custom from cybox.common.object_properties import CustomProperties, Property from stix.utils import set_id_namespace NAMESPACE = {'http://www.addditionsecurity.com': 'addsec'} set_id_namespace(NAMESPACE) ############################################################################## # # The main transform function; takes Addition Security binary protobuf and returns STIX XML # def transform(addsec_data): # # Parse the Addition Security protobuf object, which contains a STIX report representation # as_report = addsec_cti_pb2.Report() as_report.ParseFromString(addsec_data)
def create_stix_file(): # List of indicators to be deduped hostnames = [] ips = [] urls = [] md5s = [] sha1s = [] # Set namespace NAMESPACE = {PRODUCER_URL: PRODUCER_NAME} set_id_namespace(NAMESPACE) # JSON load the POSTed request data try: data_recv = request.data data = json.loads(data_recv) except: return make_response( jsonify({'Error': "Unable to decode json object"}), 400) # Parse the JSON object try: # Get MD5 of sample malware_sample = data['alert']['explanation']['malware-detected'][ 'malware'] count = 0 sample_hash = "" try: for entry in malware_sample: if "md5sum" in malware_sample[count]: sample_hash = malware_sample[count]['md5sum'] count += 1 except: if "md5sum" in malware_sample: sample_hash = malware_sample['md5sum'] # If all else fails if sample_hash == "": sample_hash = "Unknown" # Indicators # Domains domain_indicator = Indicator() domain_indicator.title = "Malware Artifacts - Domain" domain_indicator.type = "Malware Artifacts" domain_indicator.description = ( "Domains derived from sandboxed malware sample. MD5 Hash: " + sample_hash) domain_indicator.short_description = ("Domainss from " + sample_hash) domain_indicator.set_producer_identity(PRODUCER_NAME) domain_indicator.set_produced_time(utils.dates.now()) domain_indicator.indicator_types.append("Domain Watchlist") # IPs ip_indicator = Indicator() ip_indicator.title = "Malware Artifacts - IP" ip_indicator.description = ( "IPs derived from sandboxed malware sample. MD5 Hash: " + sample_hash) ip_indicator.short_description = ("IPs from " + sample_hash) ip_indicator.set_producer_identity(PRODUCER_NAME) ip_indicator.set_produced_time(utils.dates.now()) ip_indicator.indicator_types.append("IP Watchlist") # URLs url_indicator = Indicator() url_indicator.title = "Malware Artifacts - URL" url_indicator.description = ( "URLs derived from sandboxed malware sample. MD5 Hash: " + sample_hash) url_indicator.short_description = ("URLs from " + sample_hash) url_indicator.set_producer_identity(PRODUCER_NAME) url_indicator.set_produced_time(utils.dates.now()) url_indicator.indicator_types.append("URL Watchlist") # Hashs hash_indicator = Indicator() hash_indicator.title = "Malware Artifacts - File Hash" hash_indicator.description = ( "File hashes derived from sandboxed malware sample. MD5 Hash: " + sample_hash) hash_indicator.short_description = ("Hash from " + sample_hash) hash_indicator.set_producer_identity(PRODUCER_NAME) hash_indicator.set_produced_time(utils.dates.now()) hash_indicator.indicator_types.append("File Hash Watchlist") # Create a STIX Package stix_package = STIXPackage() # Create the STIX Header and add a description. stix_header = STIXHeader({"Indicators - Malware Artifacts"}) stix_header.description = PRODUCER_NAME + ": FireEye Sample ID " + str( data['alert']['id']) stix_package.stix_header = stix_header if "network" in data['alert']['explanation']['os-changes']: # Add indicators for network for entry in data['alert']['explanation']['os-changes']['network']: if "hostname" in entry: hostnames.append(entry['hostname']) if "ipaddress" in entry: ips.append(entry['ipaddress']) if "http_request" in entry: domain = re.search('~~Host:\s(.*?)~~', entry['http_request']) url = re.search('^.*\s(.*?)\sHTTP', entry['http_request']) if domain: domain_name = domain.group(1) if url: url_string = url.group(1) urls.append(domain_name + url_string) # Add indicators for files for entry in data['alert']['explanation']['os-changes']['network']: if "md5sum" in entry['processinfo']: filename = re.search('([\w-]+\..*)', entry['processinfo']['imagepath']) if filename: md5s.append((filename.group(1), entry['processinfo']['md5sum'])) if "process" in data['alert']['explanation']['os-changes']: # Add indicators from process for entry in data['alert']['explanation']['os-changes']['process']: if "md5sum" in entry: filename = re.search('([\w-]+\..*)', entry['value']) if filename: md5s.append((filename.group(1), entry['md5sum'])) if "sha1sum" in entry: filename = re.search('([\w-]+\..*)', entry['value']) if filename: sha1s.append((filename.group(1), entry['sha1sum'])) # Dedupe lists for hostname in set(hostnames): hostname_observable = create_domain_name_observable(hostname) domain_indicator.add_observable(hostname_observable) for ip in set(ips): ip_observable = create_ipv4_observable(ip) ip_indicator.add_observable(ip_observable) for url in set(urls): url_observable = create_url_observable(url) url_indicator.add_observable(url_observable) for hash in set(md5s): hash_observable = create_file_hash_observable(hash[0], hash[1]) hash_indicator.add_observable(hash_observable) for hash in set(sha1s): hash_observable = create_file_hash_observable(hash[0], hash[1]) hash_indicator.add_observable(hash_observable) # Add those to the package stix_package.add(domain_indicator) stix_package.add(ip_indicator) stix_package.add(url_indicator) stix_package.add(hash_indicator) # Save to file save_as = SAVE_DIRECTORY + "/fireeye_" + str( data['alert']['id']) + ".xml" f = open(save_as, 'w') f.write(stix_package.to_xml()) f.close # Return success response return make_response( jsonify({'Success': "STIX document succesfully generated"}), 200) # Unable to parse object except: return make_response(jsonify({'Error': "Unable to parse JSON object"}), 400)
def create_stix_file(): # List of indicators to be deduped hostnames = [] ips = [] urls = [] md5s = [] sha1s = [] # Set namespace NAMESPACE = {PRODUCER_URL: PRODUCER_NAME} set_id_namespace(NAMESPACE) # JSON load the POSTed request data try: data_recv = request.data data = json.loads(data_recv) except: return make_response(jsonify({"Error": "Unable to decode json object"}), 400) # Parse the JSON object try: # Get MD5 of sample malware_sample = data["alert"]["explanation"]["malware-detected"]["malware"] count = 0 sample_hash = "" try: for entry in malware_sample: if "md5sum" in malware_sample[count]: sample_hash = malware_sample[count]["md5sum"] count += 1 except: if "md5sum" in malware_sample: sample_hash = malware_sample["md5sum"] # If all else fails if sample_hash == "": sample_hash = "Unknown" # Indicators # Domains domain_indicator = Indicator() domain_indicator.title = "Malware Artifacts - Domain" domain_indicator.type = "Malware Artifacts" domain_indicator.description = "Domains derived from sandboxed malware sample. MD5 Hash: " + sample_hash domain_indicator.short_description = "Domainss from " + sample_hash domain_indicator.set_producer_identity(PRODUCER_NAME) domain_indicator.set_produced_time(utils.dates.now()) domain_indicator.indicator_types.append("Domain Watchlist") # IPs ip_indicator = Indicator() ip_indicator.title = "Malware Artifacts - IP" ip_indicator.description = "IPs derived from sandboxed malware sample. MD5 Hash: " + sample_hash ip_indicator.short_description = "IPs from " + sample_hash ip_indicator.set_producer_identity(PRODUCER_NAME) ip_indicator.set_produced_time(utils.dates.now()) ip_indicator.indicator_types.append("IP Watchlist") # URLs url_indicator = Indicator() url_indicator.title = "Malware Artifacts - URL" url_indicator.description = "URLs derived from sandboxed malware sample. MD5 Hash: " + sample_hash url_indicator.short_description = "URLs from " + sample_hash url_indicator.set_producer_identity(PRODUCER_NAME) url_indicator.set_produced_time(utils.dates.now()) url_indicator.indicator_types.append("URL Watchlist") # Hashs hash_indicator = Indicator() hash_indicator.title = "Malware Artifacts - File Hash" hash_indicator.description = "File hashes derived from sandboxed malware sample. MD5 Hash: " + sample_hash hash_indicator.short_description = "Hash from " + sample_hash hash_indicator.set_producer_identity(PRODUCER_NAME) hash_indicator.set_produced_time(utils.dates.now()) hash_indicator.indicator_types.append("File Hash Watchlist") # Create a STIX Package stix_package = STIXPackage() # Create the STIX Header and add a description. stix_header = STIXHeader({"Indicators - Malware Artifacts"}) stix_header.description = PRODUCER_NAME + ": FireEye Sample ID " + str(data["alert"]["id"]) stix_package.stix_header = stix_header if "network" in data["alert"]["explanation"]["os-changes"]: # Add indicators for network for entry in data["alert"]["explanation"]["os-changes"]["network"]: if "hostname" in entry: hostnames.append(entry["hostname"]) if "ipaddress" in entry: ips.append(entry["ipaddress"]) if "http_request" in entry: domain = re.search("~~Host:\s(.*?)~~", entry["http_request"]) url = re.search("^.*\s(.*?)\sHTTP", entry["http_request"]) if domain: domain_name = domain.group(1) if url: url_string = url.group(1) urls.append(domain_name + url_string) # Add indicators for files for entry in data["alert"]["explanation"]["os-changes"]["network"]: if "md5sum" in entry["processinfo"]: filename = re.search("([\w-]+\..*)", entry["processinfo"]["imagepath"]) if filename: md5s.append((filename.group(1), entry["processinfo"]["md5sum"])) if "process" in data["alert"]["explanation"]["os-changes"]: # Add indicators from process for entry in data["alert"]["explanation"]["os-changes"]["process"]: if "md5sum" in entry: filename = re.search("([\w-]+\..*)", entry["value"]) if filename: md5s.append((filename.group(1), entry["md5sum"])) if "sha1sum" in entry: filename = re.search("([\w-]+\..*)", entry["value"]) if filename: sha1s.append((filename.group(1), entry["sha1sum"])) # Dedupe lists for hostname in set(hostnames): hostname_observable = create_domain_name_observable(hostname) domain_indicator.add_observable(hostname_observable) for ip in set(ips): ip_observable = create_ipv4_observable(ip) ip_indicator.add_observable(ip_observable) for url in set(urls): url_observable = create_url_observable(url) url_indicator.add_observable(url_observable) for hash in set(md5s): hash_observable = create_file_hash_observable(hash[0], hash[1]) hash_indicator.add_observable(hash_observable) for hash in set(sha1s): hash_observable = create_file_hash_observable(hash[0], hash[1]) hash_indicator.add_observable(hash_observable) # Add those to the package stix_package.add(domain_indicator) stix_package.add(ip_indicator) stix_package.add(url_indicator) stix_package.add(hash_indicator) # Save to file save_as = SAVE_DIRECTORY + "/fireeye_" + str(data["alert"]["id"]) + ".xml" f = open(save_as, "w") f.write(stix_package.to_xml()) f.close # Return success response return make_response(jsonify({"Success": "STIX document succesfully generated"}), 200) # Unable to parse object except: return make_response(jsonify({"Error": "Unable to parse JSON object"}), 400)
def doCuckoo(results, options, reports_path): malfilename = "" memstrings = [] try: fileitems = results['target']['file'] malfilename = fileitems['name'] malfilesize = fileitems['size'] malmd5 = fileitems['md5'] malsha1 = fileitems['sha1'] malsha256 = fileitems['sha256'] malsha512 = fileitems['sha512'] malssdeep = fileitems['ssdeep'] malfiletype = fileitems["type"] # MD54K - From Chris Hudel malmd54k = doMD54K(fileitems['path']) #memfile = fileitems['path'][0:len(fileitems['path']) - 64] + "../analyses/" + str(results['info']['id']) + "/memory.dmp" #memstrings = doStrings(stringscmd(memfile)) except: fileitems = [] pass staticitems = results['static'] info = results['info'] # Suspicious PE imports iocimports = [] try: for imports in staticitems['pe_imports']: for item in imports['imports']: if item['name'] in suspiciousimports: iocimports.append(item['name']) except: pass #rsrcentries = [] # PE sectionis badpesections = [] try: for sections in staticitems['pe_sections']: if sections['name'] not in goodpesections: badpesection = [ sections['name'], sections['size_of_data'], str(sections['entropy']) ] badpesections.append(badpesection) except: pass # PE Exports iocexports = [] try: for exportfunc in staticitems['pe_exports']: iocexports.append(exportfunc['name']) except: pass # PE Version Info versioninfo = dict.fromkeys([ 'LegalCopyright', 'InternalName', 'FileVersion', 'CompanyName', 'PrivateBuild', 'LegalTrademarks', 'Comments', 'ProductName', 'SpecialBuild', 'ProductVersion', 'FileDescription', 'OriginalFilename' ]) if 'pe_versioninfo' in staticitems: for item in staticitems['pe_versioninfo']: if item['name'] in versioninfo: versioninfo[item['name']] = item['value'] # Dropped files droppedfiles = [] try: for droppedfile in results['dropped']: droppedfiles.append([ droppedfile['name'], droppedfile['size'], droppedfile['md5'], droppedfile['sha1'], droppedfile['sha256'], droppedfile['sha512'] ]) except: pass # Hosts contacted. This will exclude # localhost, broadcast and any other 'noise' # as indicated by excludedips hosts = [] try: excludedips = [ ip for ip in options.get('excludedips', '').split(',') if ip ] for host in results['network']['hosts']: if host not in excludedips: hosts.append(host) except: pass # Mutexes mutexes = [] try: if 'mutex' in results['behavior']['summary']: # Cuckoo 2.0 for mutex in results['behavior']['summary']['mutex']: mutexes.append(mutex) elif 'mutexes' in results['behavior']['summary']: # Cuckoo 1.x for mutex in results['behavior']['summary']['mutexes']: mutexes.append(mutex) except: pass # Processes processes = [] try: for process in results['behavior']['processes']: processes.append([ process['process_name'], process['process_id'], process['parent_id'] ]) except: pass # grab the string results # currently these are simple # regexes for IPv4 addresses and # emails strings = doStrings(results['strings']) # Registry Keys regkeys = [] if 'regkey_written' in results['behavior']['summary']: # Cuckoo 2.0 regkeys = results['behavior']['summary']['regkey_written'] elif 'keys' in results['behavior']['summary']: # Cuckoo 1.x # This uses modified cuckoo source code to only # pull the Registry keys created, instead # of those created OR just opened regkeys = results['behavior']['summary']['keys'] # Create our metadata dictionary for getting the # metadata values int the IOC metadata = { 'malfilename': malfilename, 'malmd5': malmd5, 'malsha1': malsha1, 'malsha256': malsha256, 'malsha512': malsha512, 'malmd54k': malmd54k, 'malfilesize': malfilesize, 'malssdeep': malssdeep, 'malfiletype': malfiletype, 'iocexports': iocexports, 'iocimports': iocimports, 'badpesections': badpesections, 'versioninfo': versioninfo } dynamicindicators = { "droppedfiles": droppedfiles, "processes": processes, "regkeys": regkeys, 'mutexes': mutexes, 'hosts': hosts } if "namespace" in options: namespace_prefix, namespace_uri = options["namespace"].split(",", 1) utils.set_id_namespace({namespace_uri: namespace_prefix}) stix_package = STIXPackage() package_uuid = stix_package.id_[-36:] stix_header = STIXHeader() desc = "IOCAware Auto-Generated IOC Document" if len(malfilename) > 0: desc += " " + malfilename stix_header.description = desc stix_header.information_source = InformationSource() stix_header.information_source.time = Time() stix_header.information_source.time.produced_time = datetime.now() stix_package.stix_header = stix_header #wfe = createMetaData(stix_package, metadata) #addStrings(stix_package, wfe, strings) createMetaData(stix_package, metadata, strings) createDynamicIndicators(stix_package, dynamicindicators) output_path_format = options.get("output_path", "{reports_path}/iocaware_stix.xml") output_path = output_path_format.format( uuid=package_uuid, reports_path=reports_path, ) stixfile = open(output_path, "w") stixfile.write(stix_package.to_xml())
# Config Parser # TODO """ Config parser stuff """ Config = ConfigParser.ConfigParser() Config.read('config.cfg') user=Config.get('viper','user') password=Config.get('viper','password') usehtaccess=Config.getboolean('viper','usehtaccess') from stix.utils import set_id_namespace NAMESPACE = {Config.get('stix','namespace_url') : Config.get('stix','namespace_name')} set_id_namespace(NAMESPACE) from cybox.utils import set_id_namespace, Namespace NAMESPACE = Namespace(Config.get('stix','namespace_url'), Config.get('stix','namespace_name')) set_id_namespace(NAMESPACE) def stix(json): """ Created a stix file based on a json file that is being handed over """ # Create a new STIXPackage stix_package = STIXPackage() # Create a new STIXHeader stix_header = STIXHeader()
from cybox.objects.domain_name_object import DomainName from cybox.objects.file_object import File from stix.exploit_target import Vulnerability from cybox.objects.mutex_object import Mutex from cybox.common import Hash from stix.indicator import Indicator, CompositeIndicatorExpression from stix.common import InformationSource, Identity from cybox.common import Time from lxml import etree as et from stix.common.vocabs import PackageIntent from stix.utils import set_id_namespace from IPy import * PULSE_SERVER_BASE = "https://otx.alienvault.com/" STIXNAMESPACE = {"https://otx.alienvault.com" : "alienvault-otx"} set_id_namespace(STIXNAMESPACE) class StixExport: def __init__(self, pulse): self.stix_package = STIXPackage() self.stix_header = STIXHeader() self.pulse = pulse self.hash_translation = {"FileHash-MD5": Hash.TYPE_MD5, "FileHash-SHA1": Hash.TYPE_SHA1, "FileHash-SHA256": Hash.TYPE_SHA256} self.address_translation = {"IPv4": Address.CAT_IPV4, "IPv6": Address.CAT_IPV6} self.name_translation = {"domain": URI.TYPE_DOMAIN, "hostname": URI.TYPE_DOMAIN} def build(self): self.stix_header.title = self.pulse["name"] self.stix_header.description = self.pulse["description"] self.stix_header.short_description = "%spulse/%s" % (PULSE_SERVER_BASE, str(self.pulse["id"]))
def createstix(db, themail): # Create the stix object # Set the cybox namespace NAMESPACE = {companyurl: companyname} # new ids will be prefixed with your company name set_id_namespace(NAMESPACE) # Set the TLP color to Green marking_specification = MarkingSpecification() marking_specification.controlled_structure = "//node() | //@*" tlp = TLPMarkingStructure() tlp.color = "GREEN" marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) # stix assignments stix_package = STIXPackage() ttp = TTP(title="Phishing") stix_package.add_ttp(ttp) stix_package.stix_header = STIXHeader() stix_package.stix_header.handling = handling # Get data from the email dictionary object xid = themail['_id'] xdate = themail['date'] xoriginatingip = themail['x_originating_ip'] xmailer = themail['x_mailer'] xhelo = themail['helo'] xfrom = themail['from'] xsender = themail['sender'] xreplyto = themail['reply_to'] xsubject = themail['subject'] xbody = themail['raw_body'] # Routines to remove unwanted company identifiers from the emails xsubject = scrubit(xsubject) xbody = scrubit(xbody) # Terms to search for in email addresses. # replaces spoofed internal email addresses with [SPOOFED] # change to match your company's domain name without the '.com/.net/etc' searchterms = ['term1', 'term2'] for term in searchterms: if term.upper() in xfrom.upper(): xfrom = '[SPOOFED]' if term.upper() in xsender.upper(): xsender = '[SPOOFED]' if term.upper() in xreplyto.upper(): xreplyto = '[SPOOFED]' # Remove brackets from xoriginating IP xoriginatingip = re.sub(r'\[|\]', '', xoriginatingip) # get email comments ecomment = getcomments(db, xid) # Look for attachment and get info if true if themail['relationships']: # check if the first relationship is a sample because when an email object with attachment # is uploaded to crits the first relationship is always the attachment # which is uploaded seperately as a sample and related back to the original email if themail['relationships'][0]['type'] in 'Sample': myattachment = themail['relationships'][0]['value'] try: myfile = db.sample.find_one({'_id': ObjectId(myattachment)}) hasattachment = True except Exception, e: logger.error( "received error when querying samples collection for email with id %s", xid, exc_info=True) hasattachment = False else: hasattachment = False