def generateIPObservable(attribute):
address_object = Address()
cidr = False
if ("/" in attribute["value"]):
ip = attribute["value"].split('/')[0]
cidr = True
else:
ip = attribute["value"]
try:
socket.inet_aton(ip)
ipv4 = True
except socket.error:
ipv4 = False
if (cidr == True):
address_object.category = "cidr"
elif (ipv4 == True):
address_object.category = "ipv4-addr"
else:
address_object.category = "ipv6-addr"
if (attribute["type"] == "ip-src"):
address_object.is_source = True
else:
address_object.is_source = False
address_object.address_value = attribute["value"]
return address_object
def resolveIPType(attribute_value, attribute_type):
address_object = Address()
cidr = False
if ("|" in attribute_value):
attribute_value = attribute_value.split('|')[0]
if ("/" in attribute_value):
ip = attribute_value.split('/')[0]
cidr = True
else:
ip = attribute_value
try:
socket.inet_aton(ip)
ipv4 = True
except socket.error:
ipv4 = False
if (cidr == True):
address_object.category = "cidr"
condition = "Contains"
elif (ipv4 == True):
address_object.category = "ipv4-addr"
condition = "Equals"
else:
address_object.category = "ipv6-addr"
condition = "Equals"
if attribute_type.startswith("ip-src"):
address_object.is_source = True
address_object.is_destination = False
if attribute_type.startswith("ip-dst"):
address_object.is_source = False
address_object.is_destination = True
address_object.address_value = attribute_value
address_object.condition = condition
return address_object
def generateIPObservable(attribute):
address_object = Address()
cidr = False
if ("/" in attribute["value"]):
ip = attribute["value"].split('/')[0]
cidr = True
else:
ip = attribute["value"]
try:
socket.inet_aton(ip)
ipv4 = True
except socket.error:
ipv4 = False
if (cidr == True):
address_object.category = "cidr"
elif (ipv4 == True):
address_object.category = "ipv4-addr"
else:
address_object.category = "ipv6-addr"
if (attribute["type"] == "ip-src"):
address_object.is_source = True
else:
address_object.is_source = False
address_object.address_value = attribute["value"]
return address_object
def to_cybox_observable(self):
"""
Convert an IP to a CybOX Observables.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
obj = Address()
obj.address_value = self.ip
temp_type = self.ip_type.replace("-", "")
if temp_type.find(Address.CAT_ASN.replace("-", "")) >= 0:
obj.category = Address.CAT_ASN
elif temp_type.find(Address.CAT_ATM.replace("-", "")) >= 0:
obj.category = Address.CAT_ATM
elif temp_type.find(Address.CAT_CIDR.replace("-", "")) >= 0:
obj.category = Address.CAT_CIDR
elif temp_type.find(Address.CAT_MAC.replace("-", "")) >= 0:
obj.category = Address.CAT_MAC
elif temp_type.find(Address.CAT_IPV4_NETMASK.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV4_NETMASK
elif temp_type.find(Address.CAT_IPV4_NET.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV4_NET
elif temp_type.find(Address.CAT_IPV4.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV4
elif temp_type.find(Address.CAT_IPV6_NETMASK.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV6_NETMASK
elif temp_type.find(Address.CAT_IPV6_NET.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV6_NET
elif temp_type.find(Address.CAT_IPV6.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV6
return ([Observable(obj)], self.releasability)
def resolveIPType(attribute_value, attribute_type):
address_object = Address()
cidr = False
if ("/" in attribute_value):
ip = attribute_value.split('/')[0]
cidr = True
else:
ip = attribute_value
try:
socket.inet_aton(ip)
ipv4 = True
except socket.error:
ipv4 = False
if (cidr == True):
address_object.category = "cidr"
elif (ipv4 == True):
address_object.category = "ipv4-addr"
else:
address_object.category = "ipv6-addr"
if (attribute_type == "ip-src") or (attribute_type == "domain|ip"):
address_object.is_source = True
else:
address_object.is_source = False
address_object.address_value = attribute_value
return address_object
def to_cybox_observable(self):
"""
Convert an IP to a CybOX Observables.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
obj = Address()
obj.address_value = self.ip
temp_type = self.ip_type.replace("-", "")
if temp_type.find(Address.CAT_ASN.replace("-", "")) >= 0:
obj.category = Address.CAT_ASN
elif temp_type.find(Address.CAT_ATM.replace("-", "")) >= 0:
obj.category = Address.CAT_ATM
elif temp_type.find(Address.CAT_CIDR.replace("-", "")) >= 0:
obj.category = Address.CAT_CIDR
elif temp_type.find(Address.CAT_MAC.replace("-", "")) >= 0:
obj.category = Address.CAT_MAC
elif temp_type.find(Address.CAT_IPV4_NETMASK.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV4_NETMASK
elif temp_type.find(Address.CAT_IPV4_NET.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV4_NET
elif temp_type.find(Address.CAT_IPV4.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV4
elif temp_type.find(Address.CAT_IPV6_NETMASK.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV6_NETMASK
elif temp_type.find(Address.CAT_IPV6_NET.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV6_NET
elif temp_type.find(Address.CAT_IPV6.replace("-", "")) >= 0:
obj.category = Address.CAT_IPV6
return ([Observable(obj)], self.releasability)
def susIPfound(ip):
a = Address()
a.address_value = ip
a.category = a.CAT_IPV4
indicator = Indicator()
indicator.title = "Suspicious IP address"
indicator.description = (
"An indicator containing a suspicious IPv4 address found statically in the sample"
)
indicator.set_produced_time(utils.dates.now())
indicator.add_object(a)
return indicator
def susIP(ip):
a = Address()
a.address_value = ip
a.category = a.CAT_IPV4
indicator = Indicator()
indicator.title = "Suspicious IP address"
indicator.description = (
"An indicator containing a IPv4 address resolved from a suspicious domain"
)
indicator.set_produced_time(utils.dates.now())
indicator.add_object(a)
return indicator
def test_round_trip(self):
v = String("*****@*****.**")
c = Address.CAT_EMAIL
a = Address()
a.address_value = v
a.category = c
addr2 = round_trip(a, Address, output=False)
self.assertEqual(addr2.address_value, v)
self.assertEqual(addr2.category, c)
def test_istypeof(self):
a = "*****@*****.**"
addr1 = EmailAddress(a)
self.assertTrue(Address.istypeof(addr1))
self.assertTrue(EmailAddress.istypeof(addr1))
# Address with no category set
addr2 = Address(a)
self.assertTrue(Address.istypeof(addr2))
self.assertFalse(EmailAddress.istypeof(addr2))
# Even though the isinstance check fails, the istypeof check should
# succeed
addr2.category = Address.CAT_EMAIL
self.assertTrue(Address.istypeof(addr2))
self.assertTrue(EmailAddress.istypeof(addr2))
self.assertFalse(isinstance(addr2, EmailAddress))
# Address with category set to something other than CAT_EMAIL
addr2.category = Address.CAT_IPV4
self.assertTrue(Address.istypeof(addr2))
self.assertFalse(EmailAddress.istypeof(addr2))
def test_round_trip(self):
email = "*****@*****.**"
category = Address.CAT_EMAIL
addr = Address()
addr.address_value = email
addr.category = category
addr2 = cybox.test.round_trip(addr)
self.assertEqual(addr.to_dict(), addr2.to_dict())
# Explicitly check these fields
self.assertEqual(category, addr2.category)
self.assertEqual(email, str(addr2))
def resolve_ip_type(attribute_type, attribute_value):
address_object = Address()
if '|' in attribute_value:
attribute_value = attribute_value.split('|')[0]
if '/' in attribute_value:
attribute_value = attribute_value.split('/')[0]
address_object.category = "cidr"
condition = "Contains"
else:
try:
socket.inet_aton(attribute_value)
address_object.category = "ipv4-addr"
except socket.error:
address_object.category = "ipv6-addr"
condition = "Equals"
if attribute_type.startswith("ip-src"):
address_object.is_source = True
address_object.is_destination = False
else:
address_object.is_source = False
address_object.is_destination = True
address_object.address_value = attribute_value
address_object.condition = condition
return address_object
def test_round_trip(self):
email = "*****@*****.**"
category = Address.CAT_EMAIL
addr = Address()
addr.address_value = email
addr.category = category
addr2 = cybox.test.round_trip(addr)
self.assertEqual(addr.to_dict(), addr2.to_dict())
# Explicitly check these fields
self.assertEqual(category, addr2.category)
self.assertEqual(email, str(addr2))
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['ipAddr']
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isSource: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if len(sDomain) > 0:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
objDomain = None
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
#Parser URI
sURI = data[sKey]['attrib']['URI']
if len(sURI) > 0:
objURI = URI()
objURI.value = sURI
objURI.value.condition = 'Equals'
objURI.type_ = URI.TYPE_URL
obsURI = Observable(objURI)
objURI = None
obsURI.sighting_count = 1
obsURI.title = 'URI: ' + sURI
sDscrpt = 'URI: ' + sURI + " | "
sDscrpt += "Type: URL | "
obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsURI)
obsURI = None
objIndicator.add_indicator_type("URL Watchlist")
#Parser File Hash
sHash = data[sKey]['attrib']['hash']
if len(sHash) > 0:
objFile = File()
sFileName = data[sKey]['attrib']['fileName']
if len(sFileName) > 0:
objFile.file_name = sFileName
objFile.file_format = sFileName.split('.')[1]
objFile.add_hash(Hash(sHash, exact=True))
obsFile = Observable(objFile)
objFile = None
obsFile.sighting_count = 1
obsFile.title = 'File: ' + sFileName
sDscrpt = 'FileName: ' + sFileName + " | "
sDscrpt += "FileHash: " + sHash + " | "
obsFile.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsFile)
obsFile = None
objIndicator.add_indicator_type("File Hash Watchlist")
### Add Generated observable to Indicator
objIndicator.observables = listOBS
objIndicator.observable_composition_operator = 'OR'
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
objIndicator.set_received_time(data[sKey]['dateDL'])
### Old Title / Description Generator
#objIndicator.title = data[sKey]['attrib']['title'];
#objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>";
### Generate Indicator Title based on availbe data
sTitle = 'ZeuS Tracker (' + data[sKey]['attrib'][
'status'] + ')| ' + data[sKey]['attrib']['title']
if len(sAddr) > 0:
sAddLine = "This IP address has been identified as malicious"
if len(sDomain) > 0:
sAddLine = "This domain has been identified as malicious"
if len(sAddLine) > 0:
sTitle = sTitle + " | " + sAddLine
if len(srcObj.Domain) > 0:
sTitle = sTitle + " by " + srcObj.Domain
else:
sTitle = sTitle + "."
if len(sTitle) > 0:
objIndicator.title = sTitle
#Generate Indicator Description based on availbe data
sDscrpt = ""
if len(sAddr) > 0:
sAddLine = "This IP address " + sAddr
if len(sDomain) > 0:
sAddLine = "This domain " + sDomain
if len(sAddr) > 0 and len(sDomain) > 0:
sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
if len(sAddLine) > 0:
sDscrpt = sDscrpt + sAddLine
sDscrpt = sDscrpt + " has been identified as malicious"
if len(srcObj.Domain) > 0:
sDscrpt = sDscrpt + " by " + srcObj.Domain
else:
sDscrpt = sDscrpt + "."
sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[
sKey]['attrib']['link'] + "]."
if len(sDscrpt) > 0:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
objMalware = MalwareInstance()
objMalware.add_name("ZeuS")
objMalware.add_name("Zbot")
objMalware.add_name("Zeus")
objMalware.add_type("Remote Access Trojan")
objMalware.short_description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware effects Microsoft Windows operating system"
objMalware.description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on computers running under versions of the Microsoft Windows operating system. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.[1] Zeus is spread mainly through drive-by downloads and phishing schemes. (2014(http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29))"
objTTP = TTP(title="ZeuS")
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def csv2stix(outFormat,inFile):
#=============
# Build package metadata
#=============
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader()
stix_package.stix_header.title = "TG3390"
stix_package.stix_header.description = "Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390) - http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
stix_package.stix_header.handling = handling
#=============
# Build package structure
#=============
ta_tg3390 = ThreatActor(title="TG3390")
ta_tg3390.identity = Identity(name="TG3390")
attack_pattern = AttackPattern()
attack_pattern.description = ("Infrastructure Building")
ttp_infrastructure = TTP(title="Infrastructure Building")
ttp_infrastructure.behavior = Behavior()
ttp_infrastructure.behavior.add_attack_pattern(attack_pattern)
ttp_infrastructure.add_intended_effect("Unauthorized Access")
infra_domainInd = Indicator(title="Domains associated with TG3390 Infrastructure")
infra_domainInd.add_indicator_type("Domain Watchlist")
infra_domainInd.confidence = "High"
infra_domainInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
infra_IPInd = Indicator(title="[H] IP Addresses associated with TG3390 Infrastructure")
infra_IPInd.add_indicator_type("IP Watchlist")
infra_IPInd.confidence = "High"
infra_IPInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
infra_IPInd_M = Indicator(title="[M] IP Addresses associated with TG3390 Infrastructure")
infra_IPInd_M.add_indicator_type("IP Watchlist")
infra_IPInd_M.confidence = "Medium"
infra_IPInd_M.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
httpBrowserObj = MalwareInstance()
httpBrowserObj.add_name("HTTP Browser")
ttp_httpB = TTP(title="HTTP Browser")
ttp_httpB.behavior = Behavior()
ttp_httpB.behavior.add_malware_instance(httpBrowserObj)
ttp_httpB.add_intended_effect("Theft - Intellectual Property")
httpB_hashInd = Indicator(title="File hashes for HTTP Browser")
httpB_hashInd.add_indicator_type("File Hash Watchlist")
httpB_hashInd.confidence = "High"
httpB_hashInd.add_indicated_ttp(TTP(idref=ttp_httpB.id_))
httpBrowserDropperObj = MalwareInstance()
httpBrowserDropperObj.add_name("HTTP Browser Dropper")
ttp_httpBDpr = TTP(title="HTTP Browser Dropper")
ttp_httpBDpr.behavior = Behavior()
ttp_httpBDpr.behavior.add_malware_instance(httpBrowserDropperObj)
ttp_httpBDpr.add_intended_effect("Theft - Intellectual Property")
httpBDpr_hashInd = Indicator(title="File hashes for HTTP Browser Dropper")
httpBDpr_hashInd.add_indicator_type("File Hash Watchlist")
httpBDpr_hashInd.confidence = "High"
httpBDpr_hashInd.add_indicated_ttp(TTP(idref=ttp_httpBDpr.id_))
plugXObj = MalwareInstance()
plugXObj.add_name("PlugX Dropper")
ttp_plugX = TTP(title="PlugX Dropper")
ttp_plugX.behavior = Behavior()
ttp_plugX.behavior.add_malware_instance(plugXObj)
ttp_plugX.add_intended_effect("Theft - Intellectual Property")
plugX_hashInd = Indicator(title="File hashes for PlugX Dropper")
plugX_hashInd.add_indicator_type("File Hash Watchlist")
plugX_hashInd.confidence = "High"
plugX_hashInd.add_indicated_ttp(TTP(idref=ttp_plugX.id_))
#=============
# Process content in to structure
#=============
ip_rules = []
ip_rules_M = []
domain_rules = []
with open(inFile, 'rb') as f:
reader = csv.reader(f)
for row in reader:
obs = row[0]
obsType = row[1]
description = row[2]
confidence = row[3]
#print obs,obsType,description,confidence
if description == 'TG-3390 infrastructure':
if obsType == 'Domain name':
domain_obj = DomainName()
domain_obj.value = obs
#domain_obj.title = description
infra_domainInd.add_object(domain_obj)
domain_rule = generate_snort([obs], 'DomainName', str(infra_domainInd.id_).split(':',1)[1].split('-',1)[1])
domain_rules.append(domain_rule)
elif obsType == 'IP address':
ipv4_obj = Address()
ipv4_obj.category = "ipv4-addr"
ipv4_obj.address_value = obs
ipv4_obj.title = description
ind_ref = str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1]
if confidence == "High":
infra_IPInd.add_object(ipv4_obj)
ip_rules.append(obs)
else:
infra_IPInd_M.add_object(ipv4_obj)
ip_rules_M.append(obs)
else:
print "TTP Infra: obsType is wrong"
elif description == 'HttpBrowser RAT dropper':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
httpBDpr_hashInd.add_observable(file_obj)
elif description == 'HttpBrowser RAT':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
httpB_hashInd.add_observable(file_obj)
elif description == 'PlugX RAT dropper':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
plugX_hashInd.add_observable(file_obj)
else:
print "TTP not found"
#print ip_rules
ip_rule = generate_snort(ip_rules, 'Address', str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1])
ip_rule_M = generate_snort(ip_rules_M, 'Address', str(infra_IPInd_M.id_).split(':',1)[1].split('-',1)[1])
ip_tm = SnortTestMechanism()
ip_tm.rules = [ip_rule]
ip_tm.efficacy = "High"
ip_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_IPInd.test_mechanisms = [ip_tm]
ip_M_tm = SnortTestMechanism()
ip_M_tm.rules = [ip_rule_M]
ip_M_tm.efficacy = "Medium"
ip_M_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_IPInd_M.test_mechanisms = [ip_M_tm]
domain_tm = SnortTestMechanism()
domain_tm.rules = domain_rules
domain_tm.efficacy = "High"
domain_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_domainInd.test_mechanisms = [domain_tm]
#=============
# Add the composed content to the structure
#=============
stix_package.add_indicator(infra_domainInd)
stix_package.add_indicator(infra_IPInd)
stix_package.add_indicator(infra_IPInd_M)
stix_package.add_indicator(httpBDpr_hashInd)
stix_package.add_indicator(httpB_hashInd)
stix_package.add_indicator(plugX_hashInd)
stix_package.add_ttp(ttp_infrastructure)
stix_package.add_ttp(ttp_httpB)
stix_package.add_ttp(ttp_httpBDpr)
stix_package.add_ttp(ttp_plugX)
"""
if outFormat =='dict':
print stix_package.to_dict()
if outFormat =='json':
parsed = stix_package.to_json()
jsonpkg = json.loads(parsed)
pprint.pprint(jsonpkg)
if outFormat =='stix':
print stix_package.to_xml()
"""
#if verbose:
#print stix_package.to_xml()
#pprint(stix_package.to_json())
return stix_package
def transform(data, new_only=True):
"""
transform - The transforms are source specific.
Source: http://www.malwaredomainlist.com/hostslist/mdl.xml
data - must be source xml converted to a dictionary
:param data:
:param new_only:
:return:
"""
# Input validation
if not isinstance(data, dict):
return False
work = []
history = db('local_file', 'history', ADPTR_SRC_ID)
value2key = db('local_file', 'value_to_key', 'values')
items = data.get('rss', {}).get('channel', {}).get('item')
if items:
for item in items:
guid = item.get('guid', {}).get('#text')
if guid:
# Check to see if this item has been process before
# if not, add to work
if guid in history:
if not new_only:
work.append(item)
else:
work.append(item)
db('local_file', 'history', ADPTR_SRC_ID,
{guid: {
'date': str(datetime.now())
}})
if work:
### Generate STIXPackage and STIXHeader
set_ns_stix(ADPTR_NS_STIX)
set_ns_cybox(ADPTR_NS_CYBOX)
STIXPackage._version = ADPTR_VER_STIX
pkg = STIXPackage()
src_info, value2key = gen_info_src({}, 'www.malwaredomainlist.com',
value2key)
hdr = STIXHeader()
hdr.title = data.get('rss', {}).get('channel', {}).get('title')
hdr.description = data.get('rss', {}).get('channel',
{}).get('description')
hdr.information_source = src_info
pkg.stix_header = hdr
for item in work:
key = item.get('guid', {}).get('#text')
# Decompose data description
tmp = [x.strip() for x in item.get('description').split(',')]
decomp = {}
for x in tmp:
k, v = x.split(':')
decomp.update({k.strip(): v.strip()})
# Generate STIX Indicator
ind, history = gen_indicator(item, key, history)
ind.producer = src_info
ind.short_description = 'MDL RefID: %s | %s' % (
key, decomp.get('Description'))
# Decompose host
host = decomp.get('Host')
uri = None
file_ = None
if '/' in host:
host, uri = host.split('/', 1)
# TODO: parse out file Name
if host: # Generate Cybox HostName
obj = Hostname()
obj.is_domain_name = True
obj.naming_system = 'DNS'
obj.hostname_value = host
ob, value2key = gen_CyboxOb(obj, host, value2key)
ob.title = 'HostName: %s' % obj.hostname_value
ind.add_observable(CyboxOb(idref=ob.id_))
pkg.add_observable(ob)
if uri: # Generate Cybox URI
obj = URI()
obj.type_ = URI.TYPE_URL
url = AnyURI('%s/%s' % (host, uri))
obj.value = url
ob, value2key = gen_CyboxOb(obj, url, value2key)
ob.title = 'URL: %s' % url
ind.add_observable(CyboxOb(idref=ob.id_))
pkg.add_observable(ob)
if file_:
obj = File()
ip = decomp.get('IP address')
if ip:
obj_ip = Address()
if isIPv4(ip):
obj_ip.category = Address.CAT_IPV4
elif isIPv6(ip):
obj_ip.category = Address.CAT_IPV6
else:
break
obj_ip.is_source = True
obj_ip.address_value = ip
# if obj_host:
# obj_ip.add_related(obj_host,
# ObjectRelationship.TERM_RESOLVED_TO,
# inline=False)
ob = CyboxOb(obj_ip)
ob.title = 'IP: %s' % ip
ind.add_observable(CyboxOb(idref=ob.id_))
pkg.add_observable(ob)
asn = decomp.get('ASN')
if asn:
obj_asn = Address()
obj_asn.category = Address.CAT_ASN
obj_asn.address_value = asn
# if obj_host:
# obj_asn.add_related(obj_host,
# ObjectRelationship.TERM_CONNECTED_TO,
# inline=False)
# if obj_ip:
# obj_asn.add_related(obj_ip,
# ObjectRelationship.TERM_CONNECTED_TO,
# inline=False)
ob = CyboxOb(obj_asn)
ob.title = 'ASN: %s' % ip
ind.add_observable(CyboxOb(idref=ob.id_))
pkg.add_observable(ob)
pkg.add_indicator(ind)
db('local_file', 'value_to_key', 'values', value2key)
db('local_file', 'history', ADPTR_SRC_ID, history)
return pkg
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
oObsSrcData = genObsSrcData(srcObj, data[sKey])
### Parsing IP Address
sAddr = data[sKey]['attrib']['ip']
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_destination = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.type = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.type = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
oObsSrcData.sighting_count = 1
obsAddr.observable_source.append(oObsSrcData)
sTitle = 'IP: ' + sAddr
obsAddr.title = sTitle
sDscpt = 'ipv4-addr' + ': ' + sAddr + " | "
sDscpt += "is_destination: True | "
if data[sKey]['attrib']['first']:
sDscpt += "firstSeen: " + data[sKey]['attrib']['first'] + " | "
if data[sKey]['attrib']['last']:
sDscpt += "lastSeen: " + data[sKey]['attrib']['last'] + " | "
obsAddr.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
### Parsing Network Address
sAddr = data[sKey]['attrib']['inetnum']
if sAddr:
objAddr = Address()
objAddr.is_destination = True
sAddrNet = sAddr.split("-")
objAddr.address_value = sAddrNet[0].strip(
) + "##comma##" + sAddrNet[1].strip()
objAddr.address_value.condition = 'InclusiveBetween'
objAddr.category = 'ipv4-net'
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
oObsSrcData.sighting_count = 1
obsAddr.observable_source.append(oObsSrcData)
sTitle = 'NETWORK_range: ' + sAddr
obsAddr.title = sTitle
sDscpt = 'ipv4-net' + ': ' + sAddr + " | "
if data[sKey]['attrib']['netname']:
sDscpt += 'netName' + ': ' + data[sKey]['attrib'][
'netname'] + " | "
obsAddr.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
### Parsing Email Address
sEMAIL = data[sKey]['attrib']['email']
if sEMAIL:
objEmail = EmailAddress()
#objEmail.is_source = True
objEmail.address_value = sEMAIL
objEmail.address_value.condition = 'Equals'
objEmail.category = 'e-mail'
obsEmail = Observable(objEmail)
objEmail = None
obsEmail.sighting_count = 1
oObsSrcData.sighting_count = 1
if len(data[sKey]['attrib']['source']) > 0:
oObsSrcData.name = data[sKey]['attrib']['source']
obsEmail.observable_source.append(oObsSrcData)
sTitle = 'REGISTRAR_email: ' + sEMAIL
obsEmail.title = sTitle
sDscrpt = 'REGISTRAR_email: ' + sEMAIL
if data[sKey]['attrib']['descr']:
sDscrpt += " | REGISTRAR_name: " + data[sKey]['attrib'][
'descr'] + " | "
obsEmail.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsEmail)
obsEmail = None
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if len(sDomain) > 0:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
objDomain.is_destination = True
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
objDomain = None
obsDomain.sighting_count = 1
oObsSrcData.sighting_count = 1
obsDomain.observable_source.append(oObsSrcData)
obsDomain.title = 'Domain: ' + sDomain
sDscpt = 'Domain: ' + sDomain + " | "
sDscpt += "isDestination: True | "
if data[sKey]['attrib']['first']:
sDscpt += "firstSeen: " + data[sKey]['attrib']['first'] + " | "
if data[sKey]['attrib']['last']:
sDscpt += "lastSeen: " + data[sKey]['attrib']['last'] + " | "
#if
obsDomain.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
#Parser URI
sURI = data[sKey]['attrib']['url']
if len(sURI) > 0:
objURI = URI()
objURI.value = sURI
objURI.value.condition = 'Equals'
objURI.type_ = URI.TYPE_URL
obsURI = Observable(objURI)
objURI = None
obsURI.sighting_count = 1
oObsSrcData.sighting_count = 1
obsURI.observable_source.append(oObsSrcData)
obsURI.title = 'URI: ' + sURI
sDscpt = 'URI: ' + sURI + " | "
sDscpt += "Type: URL | "
obsURI.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsURI)
obsURI = None
objIndicator.add_indicator_type("URL Watchlist")
sDscrpt = None
sCntry_code = None
sCntry_name = None
sRgstra_email = None
sRgstra_name = None
# add Phishing Email Target
# add Phishing email Details phishtank_ID
if data[sKey]['attrib']['country']:
sCntry_code = data[sKey]['attrib']['country']
if sCntry_code in dictCC2CN:
sCntry_name = dictCC2CN[sCntry_code]
if data[sKey]['attrib']['email'] > 0:
sRgstra_email = data[sKey]['attrib']['email']
if data[sKey]['attrib']['descr']:
sRgstra_name = data[sKey]['attrib']['descr']
sDscrpt = " clean-mx.de has identified this "
if isIPv4(data[sKey]['attrib']['domain']):
sDscrpt += "ip address " + data[sKey]['attrib']['domain'] + " "
else:
sDscrpt += "domain " + data[sKey]['attrib']['domain'] + " "
sDscrpt += "as malicious "
if data[sKey]['attrib']['target']:
sDscrpt += "and uses phishing email(s) targeting " + data[sKey][
'attrib']['target'] + " users with "
else:
sDscrpt += "and sent out "
sDscrpt += "email containg this url <-Do Not Connect-> {" + data[sKey][
'attrib']['url'] + "} <-Do Not Connect-> link. "
if data[sKey]['attrib']['phishtank']:
sDscrpt += "For more detail on the specific phisihing email use this phishtank ID [" + data[
sKey]['attrib']['phishtank'] + "]. "
if sCntry_code:
sDscrpt += " This url appears to originated in " + sCntry_code
if sCntry_name:
sDscrpt += " (" + sCntry_name + ")"
if sCntry_code and (sRgstra_email or sRgstra_name):
sDscrpt += " and is "
if sRgstra_email:
sDscrpt += "register to " + sRgstra_email
if sRgstra_email and sRgstra_name:
sDscrpt += " of " + sRgstra_name
elif sRgstra_name:
sDscrpt += "register to " + sRgstra_name
sDscrpt += "."
if sCntry_code or sRgstra_email or sRgstra_name:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
sTitle = 'Phishing ID:' + sKey + " "
if data[sKey]['attrib']["target"]:
sTitle += "Target: " + data[sKey]['attrib']["target"] + " "
if data[sKey]['attrib']["url"]:
sTitle += "URL: " + data[sKey]['attrib']["url"] + " "
objIndicator.title = sTitle
### Add Generated observable to Indicator
objIndicator.add_indicator_type("IP Watchlist")
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
objIndicator.set_produced_time(data[sKey]['attrib']['first'])
objIndicator.set_received_time(data[sKey]['dateDL'])
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
objTOU = TermsOfUseMarkingStructure()
#sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + srcObj.srcTOU
marking_specification.marking_structures.append(objTOU)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def cybox_object_address(obj):
a = Address()
a.address_value =obj.address_value
a.category = obj.category
a.condition = obj.condition
return a
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
### Input Check
if srcObj is None or data is None:
# TODO: Needs error msg: Missing srcData Object
return False
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['ipAddr']
if sAddr:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isSource: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if sDomain:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
objIndicator.add_indicator_type("Domain Watchlist")
# Parser File Hash
# sHash = data[sKey]['attrib']['hash'];
# if len(sHash) > 0:
# objFile = File()
# sFileName = data[sKey]['attrib']['fileName']
# if len(sFileName) > 0:
# objFile.file_name = sFileName
# objFile.file_format = sFileName.split('.')[1]
# objFile.add_hash(Hash(sHash, exact=True))
# obsFile = Observable(objFile)
# objFile = None;
# obsFile.sighting_count = 1
# obsFile.title = 'File: ' + sFileName
# sDscrpt = 'FileName: ' + sFileName + " | "
# sDscrpt += "FileHash: " + sHash + " | "
# obsFile.description = "<![CDATA[" + sDscrpt + "]]>"
# listOBS.append(obsFile)
# obsFile = None;
# objIndicator.add_indicator_type("File Hash Watchlist")
### Add Generated observable to Indicator
objIndicator.observables = listOBS
objIndicator.observable_composition_operator = 'OR'
#Parsing Producer
sProducer = srcObj.Domain
if len(srcObj.Domain) > 0:
objIndicator.set_producer_identity(srcObj.Domain)
if data[sKey]['attrib']['dateVF']:
objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
objIndicator.set_received_time(data[sKey]['dateDL'])
### Old Title / Description Generator
#objIndicator.title = data[sKey]['attrib']['title'];
#objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>";
### Generate Indicator Title based on availbe data
sTitle = 'Feodo Tracker: '
if sAddr:
sAddLine = "This IP address has been identified as malicious"
if sDomain:
sAddLine = "This domain has been identified as malicious"
if len(sAddLine) > 0:
sTitle += " | " + sAddLine
if len(srcObj.Domain) > 0:
sTitle += " by " + srcObj.Domain
else:
sTitle += "."
if len(sTitle) > 0:
objIndicator.title = sTitle
#Generate Indicator Description based on availbe data
sDscrpt = ""
if sAddr:
sAddLine = "This IP address " + sAddr
if sDomain:
sAddLine = "This domain " + sDomain
if sAddr and sDomain:
sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
if len(sAddLine) > 0:
sDscrpt += sAddLine
sDscrpt += " has been identified as malicious"
if len(srcObj.Domain) > 0:
sDscrpt += " by " + srcObj.Domain
else:
sDscrpt += "."
sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + \
data[sKey]['attrib']['link'] + "]."
if len(sDscrpt) > 0:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
objMalware = MalwareInstance()
objMalware.add_name("Cridex")
objMalware.add_name("Bugat")
objMalware.add_name("Dridex")
objMalware.add_type("Remote Access Trojan")
objMalware.short_description = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials"
sDscrpt = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials. At the moment, Feodo Tracker is tracking four versions of Feodo, and they are labeled by Feodo Tracker as version A, version B, version C and version D:\n"
sDscrpt += "\n"
sDscrpt += " Version A: Hosted on compromised webservers running an nginx proxy on port 8080 TCP forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually directly hits these hosts on port 8080 TCP without using a domain name.\n"
sDscrpt += " Version B: Hosted on servers rented and operated by cybercriminals for the exclusive purpose of hosting a Feodo botnet controller. Usually taking advantage of a domain name within ccTLD .ru. Botnet traffic usually hits these domain names using port 80 TCP.\n"
sDscrpt += " Version C: Successor of Feodo, completely different code. Hosted on the same botnet infrastructure as Version A (compromised webservers, nginx on port 8080 TCP or port 7779 TCP, no domain names) but using a different URL structure. This Version is also known as Geodo.\n"
sDscrpt += " Version D: Successor of Cridex. This version is also known as Dridex\n"
objMalware.description = "<![CDATA[" + sDscrpt + "]]>"
objTTP = TTP(title="Feodo")
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return stix_package
def generate_stix_file(input_file, list_type, delimiter, list_name, tc_name, tmp_dir, validate, verbose):
# observable limit per generated stix file
OBSERVABLES_PER_STIX_FILE = 3000
if verbose:
logging.info("=====================")
logging.info("== GENERATING STIX ==")
logging.info("=====================")
# download or open input file
if validators.url(input_file):
res = requests.get(input_file)
items = res.text.split(delimiter)
else:
# exit if input file doesn't exist
if not os.path.isfile(input_file):
logging.error("Supplied input file '{}' doesn't exist".format(input_file))
sys.exit("Error: Supplied input file '{}' doesn't exist".format(input_file))
else:
with open(input_file, 'r') as f:
items = f.read().split(delimiter)
logging.info("Successfully parsed input file at {}".format(input_file))
# slice input into batches
for batch_num, index in enumerate(range(0, len(items), OBSERVABLES_PER_STIX_FILE), 1):
# slice handles out of bounds indices gracefully
batch_items = items[index:index + OBSERVABLES_PER_STIX_FILE]
# create the STIX Package
package = STIXPackage()
# create the STIX Header and add a description
header = STIXHeader()
package.stix_header = header
reporttime = datetime.datetime.utcnow().strftime('%m/%d/%Y %H:%M:%S %Z')
# create indicator for each item in the batch
for item in batch_items:
item = item.strip()
# basic filtering of empty items and comments
if not item or item.startswith(('#', '//', '--')):
continue
if list_type == 'ip':
indicator_obj = Address()
# attempt to parse as an ip address
try:
parsed_ip = ipaddress.ip_address(item)
if parsed_ip.version == 4:
indicator_obj.category = Address.CAT_IPV4
elif parsed_ip.version == 6:
indicator_obj.category = Address.CAT_IPV6
else:
logging.warning("Unknown IP Address version type: {} - skipping".format(parsed_ip.version))
continue
except ValueError:
# if ip address parsing fails then attempt to parse as an ip network
try:
parsed_ip = ipaddress.ip_network(item, strict=False)
indicator_obj.category = Address.CAT_CIDR
except ValueError:
logging.warning("IP Address {} is neither an IPv4, IPv6, nor CIDR - skipping".format(item))
continue
indicator_obj.address_value = str(parsed_ip)
indicator_obj.condition = "Equals"
indicator_type = "IP Watchlist"
# customizable components below
indicator_title = "IP: {}"
indicator_description = "IP {} reported from {}"
elif list_type == 'domain':
# validate domain
if validate and not validators.domain(item):
logging.warning("Invalid domain: {} - skipping".format(item))
continue
indicator_obj = DomainName()
indicator_obj.value = item
indicator_type = "Domain Watchlist"
# customizable components below
indicator_title = "Domain: {}"
indicator_description = "Domain {} reported from {}"
elif list_type == 'url':
# validate url
if validate and not validators.url(item):
logging.warning("Invalid url: {} - skipping".format(item))
continue
indicator_obj = URI()
indicator_obj.value = item
indicator_obj.type_ = URI.TYPE_URL
indicator_obj.condition = "Equals"
indicator_type = "URL Watchlist"
# customizable components below
indicator_title = "URL: {}"
indicator_description = "URL {} reported from {}"
else:
# invalid input type
logging.error("invalid input type encountered")
raise Exception('Error: invalid input type encountered')
# create a basic Indicator object from the item
indicator = Indicator()
indicator.title = indicator_title.format(str(item))
indicator.description = indicator_description.format(str(item), list_name)
indicator.add_indicator_type(indicator_type)
indicator.set_producer_identity(list_name)
indicator.set_produced_time(str(reporttime))
indicator.add_observable(indicator_obj)
# add the indicator to the stix package
package.add_indicator(indicator)
# save each batch in a separate stix file with the filename ending ..._part_N.stix
collection_filename = "{}_part_{}.stix".format(strip_non_alphanum(tc_name), batch_num)
with open(os.path.join(tmp_dir, collection_filename), 'wb') as f:
f.write(package.to_xml())
logging.info("Successfully created stix file {}".format(collection_filename))
# clear cybox cache to prevent an Out of Memory error
# https://cybox.readthedocs.io/en/stable/api/cybox/core/object.html#cybox.core.object.Object
cache_clear()
return
def build(self):
"""Define the STIX report."""
self.stix_header.title = self.pulse["name"]
self.stix_header.description = self.pulse["description"]
self.stix_header.package_intents = "Indicators"
self.stix_header.information_source = InformationSource()
self.stix_header.information_source.time = Time()
self.stix_header.information_source.time.received_time = self.pulse[
"modified"]
self.stix_header.information_source.time.produced_time = self.stix_package.timestamp
self.stix_header.information_source.identity = Identity()
self.stix_header.information_source.identity.name = IDENTITY_NAME
# self.stix_package.stix_header = self.stix_header
# self.stix_package.stix_header.handling = self._marking()
# self.report = Report()
# self.report.header = Header()
# self.report.header.title = self.pulse["name"]
# self.report.header.descriptions = self.pulse["description"]
# self.report.header.intents = "Indicators"
# self.report.header.short_description = "%spulse/%s" % (
# PULSE_SERVER_BASE, str(self.pulse["id"]))
# self.report.header.information_source = InformationSource()
# self.report.header.information_source.time = Time()
# self.report.header.information_source.time.received_time = self.pulse[
# "modified"]
# self.report.header.information_source.time.produced_time = self.report.timestamp
# self.report.header.information_source.identity = Identity()
# self.report.header.information_source.identity.name = IDENTITY_NAME
hashes = False
addresses = False
emails = False
domains = False
urls = False
mutex = False
hash_indicator = Indicator()
hash_indicator.set_producer_identity(IDENTITY_NAME)
hash_indicator.set_produced_time(hash_indicator.timestamp)
hash_indicator.set_received_time(self.pulse["modified"])
hash_indicator.title = "[OTX] [Files] " + self.pulse["name"]
hash_indicator.add_indicator_type("File Hash Watchlist")
hash_indicator.confidence = "Low"
address_indicator = Indicator()
address_indicator.set_producer_identity(IDENTITY_NAME)
address_indicator.set_produced_time(address_indicator.timestamp)
address_indicator.set_received_time(self.pulse["modified"])
address_indicator.title = "[OTX] [IP] " + self.pulse["name"]
address_indicator.add_indicator_type("IP Watchlist")
address_indicator.confidence = "Low"
domain_indicator = Indicator()
domain_indicator.set_producer_identity(IDENTITY_NAME)
domain_indicator.set_produced_time(domain_indicator.timestamp)
domain_indicator.set_received_time(self.pulse["modified"])
domain_indicator.title = "[OTX] [Domain] " + self.pulse["name"]
domain_indicator.add_indicator_type("Domain Watchlist")
domain_indicator.confidence = "Low"
url_indicator = Indicator()
url_indicator.set_producer_identity(IDENTITY_NAME)
url_indicator.set_produced_time(url_indicator.timestamp)
url_indicator.set_received_time(self.pulse["modified"])
url_indicator.title = "[OTX] [URL] " + self.pulse["name"]
url_indicator.add_indicator_type("URL Watchlist")
url_indicator.confidence = "Low"
email_indicator = Indicator()
email_indicator.set_producer_identity(IDENTITY_NAME)
email_indicator.set_produced_time(email_indicator.timestamp)
email_indicator.set_received_time(self.pulse["modified"])
email_indicator.title = "[OTX] [Email] " + self.pulse["name"]
email_indicator.add_indicator_type("Malicious E-mail")
email_indicator.confidence = "Low"
mutex_indicator = Indicator()
mutex_indicator.set_producer_identity(IDENTITY_NAME)
mutex_indicator.set_produced_time(mutex_indicator.timestamp)
mutex_indicator.set_received_time(self.pulse["modified"])
mutex_indicator.title = "[OTX] [Mutex] " + self.pulse["name"]
mutex_indicator.add_indicator_type("Malware Artifacts")
mutex_indicator.confidence = "Low"
for p_indicator in self.pulse["indicators"]:
if p_indicator["type"] in self.hash_translation:
file_object = File()
file_object.add_hash(Hash(p_indicator["indicator"]))
file_object.hashes[0].simple_hash_value.condition = "Equals"
file_object.hashes[0].type_.condition = "Equals"
file_obs = Observable(file_object)
file_obs.title = "File: " + \
str(file_object.hashes[0].type_) + \
" - " + p_indicator["indicator"]
hash_indicator.add_observable(file_obs)
try:
hash_indicator.description = p_indicator["description"]
except KeyError:
hash_indicator.description = ""
hashes = True
elif p_indicator["type"] in self.address_translation:
ip = Address()
ip.address_value = p_indicator["indicator"]
ip.category = self.address_translation[p_indicator["type"]]
ip.address_value.condition = "Equals"
ip_obs = Observable(ip)
ip_obs.title = "Address: " + str(ip.address_value)
address_indicator.add_observable(ip_obs)
try:
address_indicator.description = p_indicator["description"]
except KeyError:
address_indicator.description = ""
addresses = True
elif p_indicator["type"] in self.name_translation:
domain = DomainName()
domain.value = p_indicator["indicator"]
domain.type_ = "FQDN"
domain.value.condition = "Equals"
domain_obs = Observable(domain)
domain_obs.title = "Domain: " + str(domain.value)
domain_indicator.add_observable(domain_obs)
try:
domain_indicator.description = p_indicator["description"]
except KeyError:
domain_indicator.description = ""
domains = True
elif p_indicator["type"] == "URL":
url = URI()
url.value = p_indicator["indicator"]
url.type_ = URI.TYPE_URL
url.value.condition = "Equals"
url_obs = Observable(url)
url_obs.title = "URI: " + str(url.value)
url_indicator.add_observable(url_obs)
try:
url_indicator.description = p_indicator["description"]
except KeyError:
url_indicator.description = ""
urls = True
elif p_indicator["type"] == "email":
email = Address()
email.address_value = p_indicator["indicator"]
email.category = "e-mail"
email.address_value.condition = "Equals"
email_obs = Observable(email)
email_obs.title = "Address: " + str(email.address_value)
email_indicator.add_observable(email_obs)
try:
email_indicator.description = p_indicator["indicator"]
except KeyError:
email_indicator.description = ""
emails = True
elif p_indicator["type"] == "Mutex":
mutex = Mutex()
mutex.name = p_indicator["indicator"]
mutex.named = True
mutex_obs = Observable(mutex)
mutex_obs.title = "Mutex: " + str(mutex.name)
mutex_indicator.add_observable(mutex_obs)
try:
mutex_indicator.description = p_indicator["indicator"]
except KeyError:
mutex_indicator.description = ""
mutex = True
else:
continue
if hashes:
self.stix_package.add_indicator(hash_indicator)
if addresses:
self.stix_package.add_indicator(address_indicator)
if domains:
self.stix_package.add_indicator(domain_indicator)
if urls:
self.stix_package.add_indicator(url_indicator)
if emails:
self.stix_package.add_indicator(email_indicator)
if mutex:
self.stix_package.add_indicator(mutex_indicator)
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
oObsSrcData = genObsSrcData(srcObj, data[sKey])
### Parsing IP Address
sAddr = sKey
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'InclusiveBetween'
objAddr.category = 'ipv4-net'
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = int(data[sKey]['attrib']['Attacks'])
oObsSrcData.sighting_count = int(data[sKey]['attrib']['Attacks'])
obsAddr.observable_source.append(oObsSrcData)
sTitle = 'NETWORK_range: ' + sAddr
obsAddr.title = sTitle
sDscpt = 'ipv4-net' + ': ' + sAddr + " | "
sDscpt += "is_source: True | "
sDscpt += "Attack_Count: " + data[sKey]['attrib']['Attacks'] + " | "
sDscpt += "Attack_DateRange: " + data[sKey]['attrib'][
'dateRange'] + " | "
obsAddr.description = sDscpt
listOBS.append(obsAddr)
obsAddr = None
### Parsing Registrar Information
if data[sKey]['attrib']['email']:
objEmail = EmailAddress()
objEmail.address_value = data[sKey]['attrib']['email']
objEmail.address_value.condition = 'Equals'
objEmail.category = 'e-mail'
objWhoisReg = WhoisRegistrar()
if len(data[sKey]['attrib']['Name']) > 1:
objWhoisReg.name = data[sKey]['attrib']['Name']
objWhoisReg.email_address = objEmail
objEmail = None
objWhois = WhoisEntry()
objWhois.registrar_info = objWhoisReg
obsWhois = Observable(objWhois)
#print obsWhois.id_
objWhois = None
obsWhois.sighting_count = 1
sTitle = 'REGISTRAR_email: ' + data[sKey]['attrib']['email']
if len(data[sKey]['attrib']['Name']) > 0:
sTitle += " | REGISTRAR_name: " + data[sKey]['attrib'][
'Name'] + " | "
obsWhois.title = sTitle
obsWhois.description = sTitle
listOBS.append(obsWhois)
obsWhois = None
sDscrpt = None
sCntry_code = None
sCntry_name = None
sRgstra_email = None
sRgstra_name = None
if len(data[sKey]['attrib']['Country']) > 0:
sCntry_code = data[sKey]['attrib']['Country']
if sCntry_code in dictCC2CN:
sCntry_name = dictCC2CN[sCntry_code]
if 'email' in data[sKey]['attrib']:
sRgstra_email = data[sKey]['attrib']['email']
if len(data[sKey]['attrib']['Name']) > 0:
sRgstra_name = data[sKey]['attrib']['Name']
sDscrpt = "This IP block appears to have "
if sCntry_code:
sDscrpt += "originated in " + sCntry_code
if sCntry_name:
sDscrpt += "(" + sCntry_name + ")"
if sCntry_code and (sRgstra_email or sRgstra_name):
sDscrpt += " and is "
if sRgstra_email:
sDscrpt += "register to " + sRgstra_email
if sRgstra_email and sRgstra_name:
sDscrpt += " of " + sRgstra_name
elif sRgstra_name:
sDscrpt += "register to " + sRgstra_name
sDscrpt += "."
if sCntry_code or sRgstra_email or sRgstra_name:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
objIndicator.title = sAddr.replace('##comma##',
' - ') + " | " + srcObj.pkgTitle
### Add Generated observable to Indicator
objIndicator.add_indicator_type("IP Watchlist")
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
objIndicator.set_received_time(data[sKey]['dateDL'])
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
objTOU = TermsOfUseMarkingStructure()
#sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + srcObj.srcTOU
marking_specification.marking_structures.append(objTOU)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['ipAddr']
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_destination = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = objAddr.CAT_IPV4
elif isIPv6(sAddr):
objAddr.category = objAddr.CAT_IPV6
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isDestination: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if len(sDomain) > 0:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
objDomain = None
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
#Parser URI
sURI = data[sKey]['attrib']['title']
if len(sURI) > 0:
objURI = URI()
objURI.value = sURI
objURI.value.condition = 'Equals'
objURI.type_ = URI.TYPE_URL
obsURI = Observable(objURI)
objURI = None
obsURI.sighting_count = 1
obsURI.title = 'URI: ' + sURI
sDscrpt = 'URI: ' + sURI + " | "
sDscrpt += "Type: URL | "
obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsURI)
obsURI = None
objIndicator.add_indicator_type("URL Watchlist")
### Add Generated observable to Indicator
objIndicator.observables = listOBS
objIndicator.observable_composition_operator = 'OR'
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
objIndicator.set_received_time(data[sKey]['dateDL'])
### Generate Indicator Title based on availbe data
sTitle = 'C2C Site: ' + sURI
objIndicator.title = sTitle
#Generate Indicator Description based on availbe data
sDscrpt = ""
if len(sAddr) > 0:
sAddLine = "This IP address " + sAddr
if len(sDomain) > 0:
sAddLine = "This domain " + sDomain
if len(sAddr) > 0 and len(sDomain) > 0:
sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
if len(sAddLine) > 0:
sDscrpt += sAddLine
sDscrpt = sDscrpt + " has been identified as a command and control site for " + data[
sKey]['attrib']['dscrpt'] + ' malware'
if len(srcObj.Domain) > 0:
sDscrpt = sDscrpt + " by " + srcObj.Domain
else:
sDscrpt = sDscrpt + "."
sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[
sKey]['attrib']['link'] + "]."
if len(sDscrpt) > 0:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
pass
#Parse TTP
sType = data[sKey]['attrib']['dscrpt']
if len(sType) > 0:
objMalware = MalwareInstance()
objMalware.add_name(sType)
objMalware.add_type("Remote Access Trojan")
objMalware.short_description = ""
objMalware.description = ""
objTTP = TTP(title=sType)
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
# if 'indicator' in data[sKey]['meta']['IDs']:
# objIndicator.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({objIndicator.id_:'indicator'})
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['IP Address']
if sAddr:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
# if 'address"' in data[sKey]['meta']['IDs']:
# obsAddr.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({objIndicator.id_:'address'})
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isSource: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['Hostname']
if sDomain:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
# if 'domain' in data[sKey]['meta']['IDs']:
# obsDomain.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({obsDomain.id_:'domain'})
objDomain = None
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
### Parsing Port Number
sPortList = data[sKey]['attrib']['Ports']
for item in sPortList:
if sPortList[item]:
objPort = Port()
sPort = sPortList[item]
objPort.port_value = int(sPort)
objPort.port_value.condition = 'Equals'
objPort.layer4_protocol = 'TCP'
obsPort = Observable(objPort)
objPort = None
obsPort.sighting_count = 1
obsPort.title = 'Port: ' + str(sPort)
sDscrpt = 'PortNumber: ' + str(sPort) + " | "
sDscrpt += "Protocol: TCP | "
obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsPort)
### Add Generated observable to Indicator
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
#Parsing Producer
infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
#infoSrc.add_contributing_source(data[sKey]['attrib']['ref'])
objIndicator.producer = infoSrc
# if data[sKey]['attrib']['lstDateVF']:
# objIndicator.set_produced_time(data[sKey]['attrib']['lstDateVF'][0]);
objIndicator.set_received_time(data[sKey]['meta']['dateDL'])
### Generate Indicator Title based on availbe data
lstContainng = []
lstIs = []
sTitle = ' This'
if data[sKey]['attrib']['Hostname']:
sTitle += ' domain ' + data[sKey]['attrib']['Hostname']
else:
sTitle += ' ipAddress ' + sKey
sTitle += ' has been identified as a TOR network "Exit Point" router'
objIndicator.title = sTitle
### Generate Indicator Description based on availbe data
sDscrpt = ' torstatus.blutmagie.de has identified this'
if data[sKey]['attrib']['Hostname']:
sDscrpt += ' domain ' + data[sKey]['attrib']['Hostname']
else:
sDscrpt += ' ipAddress ' + sKey
# sDscrpt += ' with a router name of "' + data[sKey]['attrib']['Router Name'] + '"'
# if data[sKey]['attrib']['Ports']['ORPort']:
# sDscrpt += ' using ORPort: ' + str(data[sKey]['attrib']['Ports']['ORPort'])
# if data[sKey]['attrib']['Ports']['DirPort']:
# sDscrpt += ' and DirPort: ' + str(data[sKey]['attrib']['Ports']['DirPort'])
sDscrpt += ' as a TOR network "Exit Point" router'
if data[sKey]['attrib']['Country Code']:
sCntry_code = data[sKey]['attrib']['Country Code']
if sCntry_code in dictCC2CN:
sCntry_name = dictCC2CN[sCntry_code]
sDscrpt += ', which appears to be located in ' + sCntry_name
sDscrpt += '. \n\n RawData: ' + str(data[sKey]['attrib'])
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
# objMalware = MalwareInstance()
# objMalware.add_type("Remote Access Trojan")
# ttpTitle = data[sKey]['attrib']['type']
# objTTP = TTP(title=ttpTitle)
# objTTP.behavior = Behavior()
# objTTP.behavior.add_malware_instance(objMalware)
# objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
# locDataFile = 'db_' + srcObj.fileName.split('.')[0] + '.json'
# sndFile_Dict2JSON(data,locDataFile);
# data = None
return (stix_package)
doc = xmltodict.parse(res.read())
# Create the STIX Package
package = STIXPackage()
# Create the STIX Header and add a description.
header = STIXHeader()
#header.title = "SANS ISC Top-100 Malicious IP Addresses"
#header.description = "Source: " + url
package.stix_header = header
for entry in doc['topips']['ipaddress']:
bytes = entry['source'].split('.')
indicator = Indicator()
indicator.title = "SANS ISC Malicious IP"
indicator.add_indicator_type("IP Watchlist")
ip = Address()
ip.address_value = "%d.%d.%d.%d" % (int(bytes[0]), int(bytes[1]), int(bytes[2]) , int(bytes[3]))
ip.category = 'ipv4-addr'
ip.condition = 'Equals'
indicator.add_observable(ip)
package.add_indicator(indicator)
print(package.to_xml())
if __name__ == '__main__':
main()
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
for sAddr in data[sKey]['attrib']['ipAddrList']:
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_destination = True
objAddr.address_value = sAddr
#objAddr.address_value.operator = 'Equals'
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isDestination: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
### Parsing Port Number
sPort = data[sKey]['attrib']['ipPort']
if len(sPort) > 0:
objPort = Port()
objPort.port_value = int(sPort)
objPort.port_value.condition = 'Equals'
sProtocol = data[sKey]['attrib']['ipProt']
if len(sProtocol) > 0:
objPort.layer4_protocol = sProtocol.upper()
obsPort = Observable(objPort)
objPort = None
obsPort.sighting_count = 1
obsPort.title = 'Port: ' + sPort
sDscrpt = 'PortNumber' + ': ' + sPort + " | "
sDscrpt += "Protocol: " + sProtocol.upper() + " | "
obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsPort)
### Add Generated observable to Indicator
objIndicator.add_indicator_type("IP Watchlist")
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
from stix.extensions.test_mechanism.snort_test_mechanism import SnortTestMechanism
from stix.common import InformationSource, Identity
testMech = SnortTestMechanism()
testMech.rules = [data[sKey]['attrib']['rule']]
testMech.efficacy = "Unknown"
infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
infoSrc.add_contributing_source("http://www.shadowserver.org")
infoSrc.add_contributing_source("https://spyeyetracker.abuse.ch")
infoSrc.add_contributing_source("https://palevotracker.abuse.ch")
infoSrc.add_contributing_source("https://zeustracker.abuse.ch")
testMech.producer = infoSrc
lstRef = data[sKey]['attrib']['reference'].split('|')
testMech.producer.references = lstRef
objIndicator.test_mechanisms = [testMech]
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
#objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']);
objIndicator.set_received_time(data[sKey]['dateDL'])
### Title / Description Generator
objIndicator.set_received_time(data[sKey]['dateDL'])
sTitle = "sid:" + data[sKey]['attrib']['sid'] + " | "
sTitle += data[sKey]['attrib']['msg'] + " | "
sTitle += "rev:" + data[sKey]['attrib']['rev']
objIndicator.title = sTitle
sDscrpt = "SNORT Rule by Emergingthreats | " + data[sKey]['attrib'][
'rule']
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
objMalware = MalwareInstance()
nameList = data[sKey]['attrib']['flowbits']
if len(nameList) > 0:
nameList = nameList.split("|")
for sName in nameList:
sName = sName.split(",")[1]
objMalware.add_name(sName)
#objMalware.add_type("Remote Access Trojan")
objMalware.short_description = data[sKey]['attrib']['msg']
ttpTitle = data[sKey]['attrib']['classtype'] + " | " + data[sKey][
'attrib']['msg']
objTTP = TTP(title=ttpTitle)
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
res = urllib2.urlopen(req)
except urllib2.HTTPError, e:
print "HTTPError: " + str(e.code)
except urllib2.URLError, e:
print "URLError: " + str(e.reason)
doc = xmltodict.parse(res.read())
# Create the STIX Package
package = STIXPackage()
# Create the STIX Header and add a description.
header = STIXHeader()
#header.title = "SANS ISC Top-100 Malicious IP Addresses"
#header.description = "Source: " + url
package.stix_header = header
for entry in doc['topips']['ipaddress']:
bytes = entry['source'].split('.')
indicator = Indicator()
indicator.title = "SANS ISC Malicious IP"
indicator.add_indicator_type("IP Watchlist")
ip = Address()
ip.address_value = "%d.%d.%d.%d" % (int(bytes[0]), int(
bytes[1]), int(bytes[2]), int(bytes[3]))
ip.category = 'ipv4-addr'
ip.condition = 'Equals'
indicator.add_observable(ip)
package.add_indicator(indicator)
print(package.to_xml())
if __name__ == '__main__':
main()
def create_stix_package(reference,results):
stix_package = STIXPackage()
STIX_NAMESPACE = {"http://wapacklabs.com" : "wapack"}
OBS_NAMESPACE = Namespace("http://wapacklabs.com", "wapack")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
stix_header = STIXHeader()
fusionreport_title = reference
timestring = time.time()
formatted_timestring = datetime.fromtimestamp(timestring).strftime('%Y_%m_%d')
stix_file_name = fusionreport_title+'_stix_package_TR_'+formatted_timestring+'.xml'
stix_header.description = 'This STIX package includes indicators reported to the Red Sky community. Please send all inquiries to [email protected]'
stix_package.stix_header = stix_header
for item in results:
process_type = str(item["ProcessType"]).decode('utf-8')
if process_type == 'Direct':
indicator = str(item["Indicator"]).decode('utf-8')
#print indicator
item_reference = str(item["Reference"]).decode('utf-8')
source = str(item["Source"]).decode('utf-8')
killchain = str(item["KillChain"]).decode('utf-8')
first_seen = str(item["FirstSeen"]).decode('utf-8')
last_seen = str(item["LastSeen"]).decode('utf-8')
attribution = str(item["Attribution"]).decode('utf-8')
indicator_type = str(item["Type"]).decode('utf-8')
rrname = str(item["Rrname"])
rdata = str(item["Rdata"])
rootnode = str(item["RootNode"])
country = str(item["Country"]).decode('utf-8')
tags = str(item["Tags"]).decode('utf-8')
comment2 = item["Comment"]
comment = unicodedata.normalize('NFKD', comment2).encode('ascii','ignore')
confidence = str(item["Confidence"]).decode('utf-8')
if indicator_type == 'MD5' or indicator_type == 'SHA1':
f = File()
hashval = indicator
hashval2 = hashval.decode('utf8', 'ignore')
f.add_hash(hashval2)
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,f,stix_package)
if indicator_type == 'Registry':
reg = WinRegistryKey()
key = indicator
key_add = key.decode('utf8', 'ignore')
reg.key = key_add
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,reg,stix_package)
if indicator_type == 'Subject':
email_subj_obj = EmailMessage()
email_subj_obj.header = EmailHeader()
subj = indicator
subj_add = subj.decode('utf8', 'ignore')
email_subj_obj.header.subject = subj_add
indcator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,email_subj_obj,stix_package)
if indicator_type == 'File':
filename = File()
file_name_fix = indicator
file_name_fix2 = file_name_fix.decode('utf8', 'ignore')
filename.file_name = file_name_fix2
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,filename,stix_package)
if indicator_type == 'Email':
email = Address()
email.address_value = indicator.decode('utf8', 'ignore')
email.category = Address.CAT_EMAIL
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,email,stix_package)
if indicator_type == 'Domain':
domain = URI()
domainval = indicator.decode('utf8', 'ignore')
domain.value = domainval.decode('utf8', 'ignore')
domain.type_ = URI.TYPE_DOMAIN
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,domain,stix_package)
if indicator_type == 'IP':
ip = Address()
ip.address_value = indicator.decode('utf8', 'ignore')
ip.category = Address.CAT_IPV4
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,ip,stix_package)
if indicator_type == 'String':
strng = Memory()
string = indicator
strng.name = string.decode('utf8', 'ignore')
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,strng,stix_package)
if indicator_type == 'URL':
url = URI()
url_indicator = indicator
url.value = url_indicator.decode('utf8', 'ignore')
url.type_ = URI.TYPE_URL
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,url,stix_package)
f = open(stix_file_name, "w")
a = stix_package.to_xml()
f.write(a)
f.close()
def cybox_object_address(obj):
a = Address()
a.address_value =obj.address_value
a.category = obj.category
a.condition = obj.condition
return a
