Python IPv4Addressの例、stix2.IPv4Address Pythonの例

コード例 #1

0

ファイルを表示

 def get_ip_stix_object_for_domain(self, line, ip):
     ipv4_regex = r"([0-9]{1,3}\.){3}[0-9]{1,3}"
     if re.search(ipv4_regex, line):
         ip = IPv4Address(
             type="ipv4-addr",
             id="ipv4-addr--" + str(uuid1()),
             value=ip,
             custom_properties={
                 "container_id": Stix2.get_containerid(line),
                 "timestamp": line[:24],
                 "full_output": line,
             },
             allow_custom=True,
         )
         self.ipv4.append(ip)
         self.all_stix_objects.append(ip)
     else:
         ip = IPv6Address(
             type="ipv6-addr",
             id="ipv6-addr--" + str(uuid1()),
             value=ip,
             custom_properties={
                 "container_id": Stix2.get_containerid(line),
                 "timestamp": line[:24],
                 "full_output": line,
             },
             allow_custom=True,
         )
         self.ipv6.append(ip)
         self.all_stix_objects.append(ip)
     return ip

コード例 #2

0

ファイルを表示

ファイル: observables.py プロジェクト: vxsh4d0w/connectors

def create_observable_ipv4_address(properties: ObservableProperties) -> IPv4Address:
    """Create an observable representing an IPv4 address."""
    return IPv4Address(
        value=properties.value,
        object_marking_refs=properties.object_markings,
        custom_properties=_get_custom_properties(properties),
    )

コード例 #3

0

ファイルを表示

ファイル: honssh-bruteforce-to-Stix2.py プロジェクト: rajasaad7/Honssh-logs-to-Stix2

def user_account_observable(timestamp, ip, id, passwors, success):
    usr = UserAccount(user_id=id)

    source = IPv4Address(value=ip)
    dict = {"Password": passwors, "src_ip_ref": "0", "success": success}
    obs = ObservedData(first_observed=timestamp,
                       last_observed=timestamp,
                       number_observed=1,
                       objects={
                           "0": source,
                           "1": usr
                       },
                       custom_properties=dict)
    wrt.add(obs)

コード例 #4

0

ファイルを表示

ファイル: transfer_one.py プロジェクト: benbenwt/lisa_docker

def create_ipv4(content):
    ref_list = []
    ipv4_object_list = []
    value = get(get(content, 'network_analysis'), 'endpoints')
    points_l = ''
    if value != -1:
        points_l = value
    for points in points_l:
        ip = get(points, 'ip')
        if ip != -1:
            ipv4_object = IPv4Address(type='ipv4-addr', value=ip)
            ipv4_object_list.append(ipv4_object)
            ref_list.append(ipv4_object['id'])
    return (ipv4_object_list, ref_list)

コード例 #5

0

ファイルを表示

    def parse_line_to_stix_object(self, classifier, line, regex):
        if self.is_on_whitelist(classifier["prepare"](re.search(
                regex, line).group(1))):
            return ""
        if classifier["name"] == "processes_created":
            process = Process(
                type="process",
                id="process--" + str(uuid1()),
                command_line=classifier["prepare"](re.search(regex,
                                                             line).group(1)),
                custom_properties={
                    "container_id": Stix2.get_containerid(line),
                    "timestamp": line[:24],
                    "full_output": line,
                    "executable_path": Stix2.get_executable_path(line),
                },
                allow_custom=True,
            )
            self.processes.append(process)
            self.all_stix_objects.append(process)
        if classifier["name"].startswith("files_"):
            name = classifier["prepare"](re.search(
                regex, line).group(1)).split("/")[-1]
            dir_str = "/".join(classifier["prepare"](re.search(
                regex, line).group(1)).split("/")[:-1]) or "/"
            if not name:
                name = classifier["prepare"](re.search(
                    regex, line).group(1)).split("/")[-2]
                dir_str = "/".join(classifier["prepare"](re.search(
                    regex, line).group(1)).split("/")[:-2]) or "/"
            file = File(
                type="file",
                id="file--" + str(uuid1()),
                name=name,
                custom_properties={
                    "parent_directory_str": dir_str,
                    "container_id": Stix2.get_containerid(line),
                    "timestamp": line[:24],
                    "full_output": line,
                },
                allow_custom=True,
            )
            self.all_stix_objects.append(file)
            if classifier["name"] == "files_removed":
                self.files_removed.append(file)
            if classifier["name"] == "files_written":
                self.files_written.append(file)
            if classifier["name"] == "files_read":
                self.files_read.append(file)
        if classifier["name"] == "hosts_connected":
            ipv4_regex = r"([0-9]{1,3}\.){3}[0-9]{1,3}"

            if re.search(ipv4_regex, line):
                ipv4 = IPv4Address(
                    type="ipv4-addr",
                    id="ipv4-addr--" + str(uuid1()),
                    value=classifier["prepare"](re.search(regex,
                                                          line).group(1)),
                    custom_properties={
                        "container_id": Stix2.get_containerid(line),
                        "timestamp": line[:24],
                        "full_output": line,
                    },
                    allow_custom=True,
                )
                self.ipv4.append(ipv4)
                self.all_stix_objects.append(ipv4)
            else:
                ipv6 = IPv6Address(
                    type="ipv6-addr",
                    id="ipv6-addr--" + str(uuid1()),
                    value=classifier["prepare"](re.search(regex,
                                                          line).group(1)),
                    custom_properties={
                        "container_id": Stix2.get_containerid(line),
                        "timestamp": line[:24],
                        "full_output": line,
                    },
                    allow_custom=True,
                )
                self.ipv6.append(ipv6)
                self.all_stix_objects.append(ipv6)
        if classifier["name"] == "domains":
            ip = re.search(regex, line).group(1)
            domain_name = classifier["prepare"](ip)
            if domain_name != ip:
                domain = DomainName(
                    type="domain-name",
                    id="domain-name--" + str(uuid1()),
                    value=domain_name,
                    resolves_to_refs=[
                        self.get_ip_stix_object_for_domain(line, ip)
                    ],
                    custom_properties={
                        "container_id": Stix2.get_containerid(line),
                        "timestamp": line[:24],
                        "full_output": line,
                        "resolves_to_str": ip,
                    },
                    allow_custom=True,
                )
                self.domains.append(domain)
                self.all_stix_objects.append(domain)
            else:  # reverse dns failed, only save ipv4 / ipv6 object
                self.get_ip_stix_object_for_domain(line, ip)

コード例 #6

0

ファイルを表示

ファイル: article_importer.py プロジェクト: nor3th/connectors

    def _process_indicator(self, indicator: Indicator) -> list[_Observable]:
        """
        Process the indicator depending on its type.

        Parameters
        ----------
        indicator : Indicator
            One indicator from an article.

        Returns
        -------
        List of Observable
            A list of Observable depending on the indicator type.
        """
        indicator_type = indicator["type"]
        values = indicator["values"]
        tlp_marking = TLP_WHITE if indicator[
            "source"] == "public" else TLP_AMBER

        if indicator_type == "hash_md5":
            return [
                File(
                    type="file",
                    hashes={"MD5": v},
                    object_marking_refs=tlp_marking,
                ) for v in values
            ]

        if indicator_type in ["hash_sha1", "sha1"]:
            return [
                File(
                    type="file",
                    hashes={"SHA-1": v},
                    object_marking_refs=tlp_marking,
                ) for v in values
            ]

        if indicator_type in ["sha256", "hash_sha256"]:
            return [
                File(
                    type="file",
                    hashes={"SHA-256": v},
                    object_marking_refs=tlp_marking,
                ) for v in values
            ]

        if indicator_type == "domain":
            return [
                DomainName(type="domain-name",
                           value=v,
                           object_marking_refs=tlp_marking) for v in values
            ]

        if indicator_type in ["email", "emails"]:
            return [
                EmailAddress(type="email-addr",
                             value=v,
                             object_marking_refs=tlp_marking) for v in values
            ]

        if indicator_type in ["filename", "filepath"]:
            return [
                File(type="file", name=v, object_marking_refs=tlp_marking)
                for v in values
            ]

        if indicator_type == "ip":
            return [
                IPv4Address(type="ipv4-addr",
                            value=v,
                            object_marking_refs=tlp_marking) for v in values
            ]

        if indicator_type in ["proces_mutex", "process_mutex", "mutex"]:
            return [
                Mutex(type="mutex", name=v, object_marking_refs=tlp_marking)
                for v in values
            ]

        if indicator_type == "url":
            return [
                URL(type="url",
                    value=v,
                    object_marking_refs=tlp_marking,
                    defanged=False) for v in values
            ]

        if indicator_type == "certificate_sha1":
            return [
                X509Certificate(
                    type="x509-certificate",
                    hashes={"SHA-1": v},
                    object_marking_refs=tlp_marking,
                ) for v in values
            ]

        if indicator_type in [
                "certificate_issuerorganizationname",
                "certificate_issuercommonname",
        ]:
            return [
                X509Certificate(type="x509-certificate",
                                issuer=v,
                                object_marking_refs=tlp_marking)
                for v in values
            ]

        if indicator_type in [
                "certificate_subjectorganizationname",
                "certificate_subjectcountry",
                "certificate_subjectcommonname",
        ]:
            return [
                X509Certificate(type="x509-certificate",
                                subject=v,
                                object_marking_refs=tlp_marking)
                for v in values
            ]

        if indicator_type in [
                "certificate_serialnumber", "code_certificate_serial"
        ]:
            return [
                X509Certificate(
                    type="x509-certificate",
                    serial_number=v,
                    object_marking_refs=tlp_marking,
                ) for v in values
            ]

        self.helper.log_warning(
            f"[RiskIQ] indicator with key {indicator_type} not supported. (Values: {values})"
        )
        return []