def get_ip_stix_object_for_domain(self, line, ip): ipv4_regex = r"([0-9]{1,3}\.){3}[0-9]{1,3}" if re.search(ipv4_regex, line): ip = IPv4Address( type="ipv4-addr", id="ipv4-addr--" + str(uuid1()), value=ip, custom_properties={ "container_id": Stix2.get_containerid(line), "timestamp": line[:24], "full_output": line, }, allow_custom=True, ) self.ipv4.append(ip) self.all_stix_objects.append(ip) else: ip = IPv6Address( type="ipv6-addr", id="ipv6-addr--" + str(uuid1()), value=ip, custom_properties={ "container_id": Stix2.get_containerid(line), "timestamp": line[:24], "full_output": line, }, allow_custom=True, ) self.ipv6.append(ip) self.all_stix_objects.append(ip) return ip
def create_observable_ipv4_address(properties: ObservableProperties) -> IPv4Address: """Create an observable representing an IPv4 address.""" return IPv4Address( value=properties.value, object_marking_refs=properties.object_markings, custom_properties=_get_custom_properties(properties), )
def user_account_observable(timestamp, ip, id, passwors, success): usr = UserAccount(user_id=id) source = IPv4Address(value=ip) dict = {"Password": passwors, "src_ip_ref": "0", "success": success} obs = ObservedData(first_observed=timestamp, last_observed=timestamp, number_observed=1, objects={ "0": source, "1": usr }, custom_properties=dict) wrt.add(obs)
def create_ipv4(content): ref_list = [] ipv4_object_list = [] value = get(get(content, 'network_analysis'), 'endpoints') points_l = '' if value != -1: points_l = value for points in points_l: ip = get(points, 'ip') if ip != -1: ipv4_object = IPv4Address(type='ipv4-addr', value=ip) ipv4_object_list.append(ipv4_object) ref_list.append(ipv4_object['id']) return (ipv4_object_list, ref_list)
def parse_line_to_stix_object(self, classifier, line, regex): if self.is_on_whitelist(classifier["prepare"](re.search( regex, line).group(1))): return "" if classifier["name"] == "processes_created": process = Process( type="process", id="process--" + str(uuid1()), command_line=classifier["prepare"](re.search(regex, line).group(1)), custom_properties={ "container_id": Stix2.get_containerid(line), "timestamp": line[:24], "full_output": line, "executable_path": Stix2.get_executable_path(line), }, allow_custom=True, ) self.processes.append(process) self.all_stix_objects.append(process) if classifier["name"].startswith("files_"): name = classifier["prepare"](re.search( regex, line).group(1)).split("/")[-1] dir_str = "/".join(classifier["prepare"](re.search( regex, line).group(1)).split("/")[:-1]) or "/" if not name: name = classifier["prepare"](re.search( regex, line).group(1)).split("/")[-2] dir_str = "/".join(classifier["prepare"](re.search( regex, line).group(1)).split("/")[:-2]) or "/" file = File( type="file", id="file--" + str(uuid1()), name=name, custom_properties={ "parent_directory_str": dir_str, "container_id": Stix2.get_containerid(line), "timestamp": line[:24], "full_output": line, }, allow_custom=True, ) self.all_stix_objects.append(file) if classifier["name"] == "files_removed": self.files_removed.append(file) if classifier["name"] == "files_written": self.files_written.append(file) if classifier["name"] == "files_read": self.files_read.append(file) if classifier["name"] == "hosts_connected": ipv4_regex = r"([0-9]{1,3}\.){3}[0-9]{1,3}" if re.search(ipv4_regex, line): ipv4 = IPv4Address( type="ipv4-addr", id="ipv4-addr--" + str(uuid1()), value=classifier["prepare"](re.search(regex, line).group(1)), custom_properties={ "container_id": Stix2.get_containerid(line), "timestamp": line[:24], "full_output": line, }, allow_custom=True, ) self.ipv4.append(ipv4) self.all_stix_objects.append(ipv4) else: ipv6 = IPv6Address( type="ipv6-addr", id="ipv6-addr--" + str(uuid1()), value=classifier["prepare"](re.search(regex, line).group(1)), custom_properties={ "container_id": Stix2.get_containerid(line), "timestamp": line[:24], "full_output": line, }, allow_custom=True, ) self.ipv6.append(ipv6) self.all_stix_objects.append(ipv6) if classifier["name"] == "domains": ip = re.search(regex, line).group(1) domain_name = classifier["prepare"](ip) if domain_name != ip: domain = DomainName( type="domain-name", id="domain-name--" + str(uuid1()), value=domain_name, resolves_to_refs=[ self.get_ip_stix_object_for_domain(line, ip) ], custom_properties={ "container_id": Stix2.get_containerid(line), "timestamp": line[:24], "full_output": line, "resolves_to_str": ip, }, allow_custom=True, ) self.domains.append(domain) self.all_stix_objects.append(domain) else: # reverse dns failed, only save ipv4 / ipv6 object self.get_ip_stix_object_for_domain(line, ip)
def _process_indicator(self, indicator: Indicator) -> list[_Observable]: """ Process the indicator depending on its type. Parameters ---------- indicator : Indicator One indicator from an article. Returns ------- List of Observable A list of Observable depending on the indicator type. """ indicator_type = indicator["type"] values = indicator["values"] tlp_marking = TLP_WHITE if indicator[ "source"] == "public" else TLP_AMBER if indicator_type == "hash_md5": return [ File( type="file", hashes={"MD5": v}, object_marking_refs=tlp_marking, ) for v in values ] if indicator_type in ["hash_sha1", "sha1"]: return [ File( type="file", hashes={"SHA-1": v}, object_marking_refs=tlp_marking, ) for v in values ] if indicator_type in ["sha256", "hash_sha256"]: return [ File( type="file", hashes={"SHA-256": v}, object_marking_refs=tlp_marking, ) for v in values ] if indicator_type == "domain": return [ DomainName(type="domain-name", value=v, object_marking_refs=tlp_marking) for v in values ] if indicator_type in ["email", "emails"]: return [ EmailAddress(type="email-addr", value=v, object_marking_refs=tlp_marking) for v in values ] if indicator_type in ["filename", "filepath"]: return [ File(type="file", name=v, object_marking_refs=tlp_marking) for v in values ] if indicator_type == "ip": return [ IPv4Address(type="ipv4-addr", value=v, object_marking_refs=tlp_marking) for v in values ] if indicator_type in ["proces_mutex", "process_mutex", "mutex"]: return [ Mutex(type="mutex", name=v, object_marking_refs=tlp_marking) for v in values ] if indicator_type == "url": return [ URL(type="url", value=v, object_marking_refs=tlp_marking, defanged=False) for v in values ] if indicator_type == "certificate_sha1": return [ X509Certificate( type="x509-certificate", hashes={"SHA-1": v}, object_marking_refs=tlp_marking, ) for v in values ] if indicator_type in [ "certificate_issuerorganizationname", "certificate_issuercommonname", ]: return [ X509Certificate(type="x509-certificate", issuer=v, object_marking_refs=tlp_marking) for v in values ] if indicator_type in [ "certificate_subjectorganizationname", "certificate_subjectcountry", "certificate_subjectcommonname", ]: return [ X509Certificate(type="x509-certificate", subject=v, object_marking_refs=tlp_marking) for v in values ] if indicator_type in [ "certificate_serialnumber", "code_certificate_serial" ]: return [ X509Certificate( type="x509-certificate", serial_number=v, object_marking_refs=tlp_marking, ) for v in values ] self.helper.log_warning( f"[RiskIQ] indicator with key {indicator_type} not supported. (Values: {values})" ) return []