def SSHObj(SSH):
networkconnection = NetworkConnection()
networkconnection.layer3_protocol = "IPv4"
networkconnection.layer4_protocol = "TCP"
networkconnection.layer7_protocol = "SSH"
if SSH[0] != VMIP and SSH[4] == 1 and SSH[5] == 0: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = SSH[0]
sport = Port()
sport.port_value = SSH[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif SSH[2] != VMIP and SSH[4] == 1 and SSH[5] == 0: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = SSH[2]
dport = Port()
dport.port_value = SSH[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator = Indicator()
if SSH[6] != '':
indicator.title = "SSH Request with pulic key"
indicator.description = ("SSH public key: " + SSH[6])
else:
indicator.title = "SSH Request"
indicator.description = (
"An indicator containing information about a SSH request")
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
def DNSRequestObj(dnsinfo):
networkconnection = NetworkConnection()
networkconnection.layer3_protocol = "IPv4"
networkconnection.layer4_protocol = "UDP"
networkconnection.layer7_protocol = "DNS"
ssocketaddress = SocketAddress()
sport = Port()
sport.port_value = dnsinfo[1]
sport.layer4_protocol = "UDP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = dnsinfo[2]
dport = Port()
dport.port_value = dnsinfo[3]
dport.layer4_protocol = "UDP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
layer7connections = Layer7Connections()
dqr = DNSQuery()
indicator = Indicator()
dnsques = DNSQuestion()
dnsques.qname = dnsinfo[4]
dnsques.qtype = translateType(dnsinfo[5])
dqr.question = dnsques
indicator.title = "DNS Request"
indicator.description = (
"An indicator containing information about a DNS Request")
layer7connections.dns_query = dqr
networkconnection.layer7_connections = layer7connections
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
def UDPRequestObj(udpinfo):
u = NetworkConnection()
u.layer3_protocol = "IPv4"
u.layer4_protocol = "UDP"
ssocketaddress = SocketAddress()
if udpinfo[3] != VMIP:
ssocketaddress.ip_address = udpinfo[3]
sport = Port()
sport.port_value = udpinfo[0]
sport.layer4_protocol = "UDP"
ssocketaddress.port = sport
u.source_socket_address = ssocketaddress
dsocketaddress = SocketAddress()
if udpinfo[2] != VMIP:
dsocketaddress.ip_address = udpinfo[2]
dport = Port()
dport.port_value = udpinfo[1]
dport.layer4_protocol = "UDP"
dsocketaddress.port = dport
u.destination_socket_address = dsocketaddress
indicator = Indicator()
indicator.title = "UDP connection"
indicator.description = (
"An indicator containing information about a UDP connection")
indicator.set_produced_time(utils.dates.now())
indicator.add_object(u)
return indicator
def TCPConnectionEstablishedObj(tcpinfo):
networkconnection = NetworkConnection()
networkconnection.layer3_protocol = "IPv4"
networkconnection.layer4_protocol = "TCP"
if tcpinfo[0] != VMIP: # incoming connection
networkconnection.destination_tcp_state = "ESTABLISHED"
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = tcpinfo[0]
sport = Port()
sport.port_value = tcpinfo[2]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif tcpinfo[1] != VMIP: # outgoing connection
networkconnection.source_tcp_state = "ESTABLISHED"
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = tcpinfo[1]
dport = Port()
dport.port_value = tcpinfo[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator = Indicator()
indicator.title = "TCP Connection Established"
indicator.description = (
"An indicator containing information about a successful TCP hand shake"
)
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
# if 'indicator' in data[sKey]['meta']['IDs']:
# objIndicator.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({objIndicator.id_:'indicator'})
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['IP Address']
if sAddr:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
# if 'address"' in data[sKey]['meta']['IDs']:
# obsAddr.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({objIndicator.id_:'address'})
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isSource: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['Hostname']
if sDomain:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
# if 'domain' in data[sKey]['meta']['IDs']:
# obsDomain.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({obsDomain.id_:'domain'})
objDomain = None
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
### Parsing Port Number
sPortList = data[sKey]['attrib']['Ports']
for item in sPortList:
if sPortList[item]:
objPort = Port()
sPort = sPortList[item]
objPort.port_value = int(sPort)
objPort.port_value.condition = 'Equals'
objPort.layer4_protocol = 'TCP'
obsPort = Observable(objPort)
objPort = None
obsPort.sighting_count = 1
obsPort.title = 'Port: ' + str(sPort)
sDscrpt = 'PortNumber: ' + str(sPort) + " | "
sDscrpt += "Protocol: TCP | "
obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsPort)
### Add Generated observable to Indicator
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
#Parsing Producer
infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
#infoSrc.add_contributing_source(data[sKey]['attrib']['ref'])
objIndicator.producer = infoSrc
# if data[sKey]['attrib']['lstDateVF']:
# objIndicator.set_produced_time(data[sKey]['attrib']['lstDateVF'][0]);
objIndicator.set_received_time(data[sKey]['meta']['dateDL'])
### Generate Indicator Title based on availbe data
lstContainng = []
lstIs = []
sTitle = ' This'
if data[sKey]['attrib']['Hostname']:
sTitle += ' domain ' + data[sKey]['attrib']['Hostname']
else:
sTitle += ' ipAddress ' + sKey
sTitle += ' has been identified as a TOR network "Exit Point" router'
objIndicator.title = sTitle
### Generate Indicator Description based on availbe data
sDscrpt = ' torstatus.blutmagie.de has identified this'
if data[sKey]['attrib']['Hostname']:
sDscrpt += ' domain ' + data[sKey]['attrib']['Hostname']
else:
sDscrpt += ' ipAddress ' + sKey
# sDscrpt += ' with a router name of "' + data[sKey]['attrib']['Router Name'] + '"'
# if data[sKey]['attrib']['Ports']['ORPort']:
# sDscrpt += ' using ORPort: ' + str(data[sKey]['attrib']['Ports']['ORPort'])
# if data[sKey]['attrib']['Ports']['DirPort']:
# sDscrpt += ' and DirPort: ' + str(data[sKey]['attrib']['Ports']['DirPort'])
sDscrpt += ' as a TOR network "Exit Point" router'
if data[sKey]['attrib']['Country Code']:
sCntry_code = data[sKey]['attrib']['Country Code']
if sCntry_code in dictCC2CN:
sCntry_name = dictCC2CN[sCntry_code]
sDscrpt += ', which appears to be located in ' + sCntry_name
sDscrpt += '. \n\n RawData: ' + str(data[sKey]['attrib'])
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
# objMalware = MalwareInstance()
# objMalware.add_type("Remote Access Trojan")
# ttpTitle = data[sKey]['attrib']['type']
# objTTP = TTP(title=ttpTitle)
# objTTP.behavior = Behavior()
# objTTP.behavior.add_malware_instance(objMalware)
# objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
# locDataFile = 'db_' + srcObj.fileName.split('.')[0] + '.json'
# sndFile_Dict2JSON(data,locDataFile);
# data = None
return (stix_package)
def FTPObj(ftp):
networkconnection = NetworkConnection()
networkconnection.layer3_protocol = "IPv4"
networkconnection.layer4_protocol = "TCP"
networkconnection.layer7_protocol = "FTP"
indicator = Indicator()
if ftp[4] == '220':
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Service ready for new user: "******"TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("User logged in")
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
elif ftp[4] == '250':
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Requested file action okay, completed.")
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
elif ftp[5] == "USER":
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Requested username: "******"PASS":
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Requested Password: "******"STOR":
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Upload file to server: " + ftp[6])
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
elif ftp[5] == "RETR":
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Retrieve a copy of the file: " + ftp[6])
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
def main():
# get args
parser = argparse.ArgumentParser ( description = "Parse a given CSV and output STIX XML"
, formatter_class=argparse.ArgumentDefaultsHelpFormatter )
parser.add_argument("--infile","-f", help="input CSV", default = "in.csv")
args = parser.parse_args()
# setup header
contain_pkg = STIXPackage()
stix_header = STIXHeader()
stix_header.title = "Indicators"
stix_header.add_package_intent ("Indicators")
# XXX add Information_Source and Handling
contain_pkg.stix_header = stix_header
# create kill chain with three options (pre, post, unknown), relate as needed
pre = KillChainPhase(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee", name="Pre-infection indicator", ordinality=1)
post = KillChainPhase(phase_id="stix:KillChainPhase-d5459305-1a27-4f50-9875-23793d75e4fe", name="Post-infection indicator", ordinality=2)
chain = KillChain(id_="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d", name="Degenerate Cyber Kill Chain" )
chain.definer = "U5"
chain.kill_chain_phases = [pre, post]
contain_pkg.ttps.kill_chains.append(chain)
# read input data
fd = open (args.infile, "rb")
infile = csv.DictReader(fd)
for row in infile:
# create indicator for each row
error = False
ind = Indicator()
ind.add_alternative_id(row['ControlGroupID'])
ind.title = "Indicator with ID " + row['IndicatorID']
ind.description = row['Notes']
ind.producer = InformationSource()
ind.producer.description = row['Reference']
# XXX unknown purpose for 'Malware' field - omitted
# if the field denotes a specific malware family, we might relate as 'Malware TTP' to the indicator
# set chain phase
if 'Pre' in row['Infection Type']:
ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d"))
elif 'Post' in row['Infection Type']:
ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d"))
ind_type = row['Indicator Type']
if 'IP' in ind_type:
ind.add_indicator_type( "IP Watchlist")
ind_obj = SocketAddress()
ind_obj.ip_address = row['Indicator']
ind_obj.ip_address.condition= "Equals"
if row['indValue']:
port = Port()
# pull port out, since it's in form "TCP Port 42"
port.port_value = row['indValue'].split()[-1]
port.layer4_protocol = row['indValue'].split()[0]
port.port_value.condition= "Equals"
ind_obj.port = port
elif 'Domain' in ind_type:
ind.add_indicator_type ("Domain Watchlist")
ind_obj = DomainName()
ind_obj.value = row['Indicator']
ind_obj.value.condition= "Equals"
elif 'Email' in ind_type:
# parse out which part of the email is being
# i.e. "Sender: attach | Subject: whatever"
tag = row['Indicator'].split(':')[0]
val = row['Indicator'].split(':')[1]
ind.add_indicator_type ("Malicious E-mail")
ind_obj = EmailMessage()
if "Subject" in tag:
ind_obj.subject = val
ind_obj.subject.condition= "Equals"
elif "Sender" in tag:
ind_obj.sender = val
ind_obj.sender.condition= "Equals"
elif "Attachment" in tag:
# make inline File to store filename
file_obj = File()
file_obj.id_ = cybox.utils.create_id(prefix="File")
file_obj.file_name = val
file_obj.file_name.condition = "Equals"
ind_obj.add_related(file_obj, "Contains")
attach = Attachments()
attach.append(file_obj.id_)
ind_obj.attachments = attach
elif 'User Agent' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
fields = HTTPRequestHeaderFields()
fields.user_agent = row['Indicator']
fields.user_agent.condition = "Equals"
header = HTTPRequestHeader()
header.parsed_header = fields
thing = HTTPRequestResponse()
thing.http_client_request = HTTPClientRequest()
thing.http_client_request.http_request_header = header
ind_obj = HTTPSession()
ind_obj.http_request_response = [thing]
elif 'URI' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
thing = HTTPRequestResponse()
thing.http_client_request = HTTPClientRequest()
thing.http_client_request.http_request_line = HTTPRequestLine()
thing.http_client_request.http_request_line.http_method = row['Indicator'].split()[0]
thing.http_client_request.http_request_line.http_method.condition = "Equals"
thing.http_client_request.http_request_line.value = row['Indicator'].split()[1]
thing.http_client_request.http_request_line.value.condition = "Equals"
ind_obj = HTTPSession()
ind_obj.http_request_response = [thing]
elif 'File' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
ind_obj = File()
ind_obj.file_name = row['Indicator']
ind_obj.file_name.condition = "Equals"
digest = Hash()
# XXX assumes that hash digests are stored in this field in real data
digest.simple_hash_value = row['indValue'].strip()
digest.simple_hash_value.condition = "Equals"
digest.type_.condition = "Equals"
ind_obj.add_hash(digest)
elif 'Registry' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
ind_obj = WinRegistryKey()
keys = RegistryValues()
key = RegistryValue()
key.name = row['Indicator']
key.name.condition = "Equals"
key.data = row['indValue']
key.data.condition = "Equals"
keys.append(key)
ind_obj.values = keys
elif 'Mutex' in ind_type:
ind.add_indicator_type (VocabString(row['Indicator Type']))
ind_obj = Mutex()
ind_obj.name = row['Indicator']
ind_obj.name.condition= "Equals"
else:
print "ERR type not supported: " + ind_type + " <- will be omitted from output"
error = True
# finalize indicator
if not error:
ind.add_object(ind_obj)
contain_pkg.add_indicator(ind)
# DONE looping
print contain_pkg.to_xml()
extf= ex.create_discovery_method_instance_extracted_feautures(functions=['f1','f2'],imports=['im1','im2'],codesnippets=['code1','code2'],extractedstrings=[string1])
evl1 = ex.create_discovery_method_env_var(name='Env1',value='124')
evl2 = ex.create_discovery_method_env_var(name='Env2',value='125')
sock1 = ex.create_socket_address(hostname='unix1',port=84,ip_address='192.168.1.1',hostname_value='uomgr',naming_system='default')
sock2 = ex.create_socket_address(hostname='unix2',port=85,ip_address='192.168.1.2',hostname_value='uomg',naming_system='default')
dnsq =DNSQuery()
dnsq.service_used='example service1'
dnsq1 =DNSQuery()
dnsq1.service_used='example service2'
l7c = ex.create_layer7_connections(dns_queries=[dnsq,dnsq1],http_session=HTTPSession())
nwc1 = ex.create_network_connection(creation_time=datetime.datetime.now(),destination_socket_address=sock1,source_socket_address=sock2,destination_tcp_state=502,source_tcp_state=400,
tls_used='SSL',layer3_protocol='IP',layer4_protocol='TCP',layer7_protocol='HTTP',layer7_connections=l7c)
port1 =Port()
port1.port_value=15
port1.layer4_protocol ='UDP'
port2 =Port()
port2.port_value=25
port2.layer4_protocol ='UDP'
prlst = ex.create_port_list([port1,port2])
inst1 = ex.create_discovery_method_instance(creation_time=datetime.datetime.now(),is_hidden=True,kernel_time=datetime.datetime.now(),parent_pid=124,name='Ps1',pid=304,start_time=datetime.datetime.now(),
username='******',user_time=datetime.datetime.now(),child_pid_list=cpl,argument_list=argl,image_info=imin,extracted_features=extf,
environment_variable_list=[evl1,evl2],network_connection_list=[nwc1],port_list=prlst)
ex.add_discovery_method_instance(inst1)
####################################################################################################################
#Add discovery method description
ex.add_discovery_method_description('Use of Cuckoo sandbox')
####################################################################################################################
#Add discovery method information source type
ex.add_discovery_method_information_source_type('Application Logs')
####################################################################################################################
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
for sAddr in data[sKey]['attrib']['ipAddrList']:
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_destination = True
objAddr.address_value = sAddr
#objAddr.address_value.operator = 'Equals'
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isDestination: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
### Parsing Port Number
sPort = data[sKey]['attrib']['ipPort']
if len(sPort) > 0:
objPort = Port()
objPort.port_value = int(sPort)
objPort.port_value.condition = 'Equals'
sProtocol = data[sKey]['attrib']['ipProt']
if len(sProtocol) > 0:
objPort.layer4_protocol = sProtocol.upper()
obsPort = Observable(objPort)
objPort = None
obsPort.sighting_count = 1
obsPort.title = 'Port: ' + sPort
sDscrpt = 'PortNumber' + ': ' + sPort + " | "
sDscrpt += "Protocol: " + sProtocol.upper() + " | "
obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsPort)
### Add Generated observable to Indicator
objIndicator.add_indicator_type("IP Watchlist")
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
from stix.extensions.test_mechanism.snort_test_mechanism import SnortTestMechanism
from stix.common import InformationSource, Identity
testMech = SnortTestMechanism()
testMech.rules = [data[sKey]['attrib']['rule']]
testMech.efficacy = "Unknown"
infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
infoSrc.add_contributing_source("http://www.shadowserver.org")
infoSrc.add_contributing_source("https://spyeyetracker.abuse.ch")
infoSrc.add_contributing_source("https://palevotracker.abuse.ch")
infoSrc.add_contributing_source("https://zeustracker.abuse.ch")
testMech.producer = infoSrc
lstRef = data[sKey]['attrib']['reference'].split('|')
testMech.producer.references = lstRef
objIndicator.test_mechanisms = [testMech]
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
#objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']);
objIndicator.set_received_time(data[sKey]['dateDL'])
### Title / Description Generator
objIndicator.set_received_time(data[sKey]['dateDL'])
sTitle = "sid:" + data[sKey]['attrib']['sid'] + " | "
sTitle += data[sKey]['attrib']['msg'] + " | "
sTitle += "rev:" + data[sKey]['attrib']['rev']
objIndicator.title = sTitle
sDscrpt = "SNORT Rule by Emergingthreats | " + data[sKey]['attrib'][
'rule']
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
objMalware = MalwareInstance()
nameList = data[sKey]['attrib']['flowbits']
if len(nameList) > 0:
nameList = nameList.split("|")
for sName in nameList:
sName = sName.split(",")[1]
objMalware.add_name(sName)
#objMalware.add_type("Remote Access Trojan")
objMalware.short_description = data[sKey]['attrib']['msg']
ttpTitle = data[sKey]['attrib']['classtype'] + " | " + data[sKey][
'attrib']['msg']
objTTP = TTP(title=ttpTitle)
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
