def SSHObj(SSH): networkconnection = NetworkConnection() networkconnection.layer3_protocol = "IPv4" networkconnection.layer4_protocol = "TCP" networkconnection.layer7_protocol = "SSH" if SSH[0] != VMIP and SSH[4] == 1 and SSH[5] == 0: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = SSH[0] sport = Port() sport.port_value = SSH[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif SSH[2] != VMIP and SSH[4] == 1 and SSH[5] == 0: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = SSH[2] dport = Port() dport.port_value = SSH[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator = Indicator() if SSH[6] != '': indicator.title = "SSH Request with pulic key" indicator.description = ("SSH public key: " + SSH[6]) else: indicator.title = "SSH Request" indicator.description = ( "An indicator containing information about a SSH request") indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator
def DNSRequestObj(dnsinfo): networkconnection = NetworkConnection() networkconnection.layer3_protocol = "IPv4" networkconnection.layer4_protocol = "UDP" networkconnection.layer7_protocol = "DNS" ssocketaddress = SocketAddress() sport = Port() sport.port_value = dnsinfo[1] sport.layer4_protocol = "UDP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress dsocketaddress = SocketAddress() dsocketaddress.ip_address = dnsinfo[2] dport = Port() dport.port_value = dnsinfo[3] dport.layer4_protocol = "UDP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress layer7connections = Layer7Connections() dqr = DNSQuery() indicator = Indicator() dnsques = DNSQuestion() dnsques.qname = dnsinfo[4] dnsques.qtype = translateType(dnsinfo[5]) dqr.question = dnsques indicator.title = "DNS Request" indicator.description = ( "An indicator containing information about a DNS Request") layer7connections.dns_query = dqr networkconnection.layer7_connections = layer7connections indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator
def UDPRequestObj(udpinfo): u = NetworkConnection() u.layer3_protocol = "IPv4" u.layer4_protocol = "UDP" ssocketaddress = SocketAddress() if udpinfo[3] != VMIP: ssocketaddress.ip_address = udpinfo[3] sport = Port() sport.port_value = udpinfo[0] sport.layer4_protocol = "UDP" ssocketaddress.port = sport u.source_socket_address = ssocketaddress dsocketaddress = SocketAddress() if udpinfo[2] != VMIP: dsocketaddress.ip_address = udpinfo[2] dport = Port() dport.port_value = udpinfo[1] dport.layer4_protocol = "UDP" dsocketaddress.port = dport u.destination_socket_address = dsocketaddress indicator = Indicator() indicator.title = "UDP connection" indicator.description = ( "An indicator containing information about a UDP connection") indicator.set_produced_time(utils.dates.now()) indicator.add_object(u) return indicator
def TCPConnectionEstablishedObj(tcpinfo): networkconnection = NetworkConnection() networkconnection.layer3_protocol = "IPv4" networkconnection.layer4_protocol = "TCP" if tcpinfo[0] != VMIP: # incoming connection networkconnection.destination_tcp_state = "ESTABLISHED" ssocketaddress = SocketAddress() ssocketaddress.ip_address = tcpinfo[0] sport = Port() sport.port_value = tcpinfo[2] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif tcpinfo[1] != VMIP: # outgoing connection networkconnection.source_tcp_state = "ESTABLISHED" dsocketaddress = SocketAddress() dsocketaddress.ip_address = tcpinfo[1] dport = Port() dport.port_value = tcpinfo[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator = Indicator() indicator.title = "TCP Connection Established" indicator.description = ( "An indicator containing information about a successful TCP hand shake" ) indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator
def adptr_dict2STIX(srcObj, data): sTxt = "Called... " sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()') stixObj = None ### Input Check if srcObj == None or data == None: #TODO: Needs error msg: Missing srcData Object return (False) ### Generate NameSpace id tags STIX_NAMESPACE = {"http://hailataxii.com": "opensource"} OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource") stix_set_id_namespace(STIX_NAMESPACE) obs_set_id_namespace(OBS_NAMESPACE) ### Building STIX Wrapper stix_package = STIXPackage() objIndicator = Indicator() ### Bulid Object Data for sKey in data: objIndicator = Indicator() # if 'indicator' in data[sKey]['meta']['IDs']: # objIndicator.id_ = data[sKey]['meta']['IDs'].key # else: # data[sKey]['meta']['IDs'].update({objIndicator.id_:'indicator'}) listOBS = [] ### Parsing IP Address sAddr = data[sKey]['attrib']['IP Address'] if sAddr: objAddr = Address() objAddr.is_source = True objAddr.address_value = sAddr objAddr.address_value.condition = 'Equals' if isIPv4(sAddr): objAddr.category = 'ipv4-addr' elif isIPv6(sAddr): objAddr.category = 'ipv6-addr' else: continue obsAddr = Observable(objAddr) # if 'address"' in data[sKey]['meta']['IDs']: # obsAddr.id_ = data[sKey]['meta']['IDs'].key # else: # data[sKey]['meta']['IDs'].update({objIndicator.id_:'address'}) objAddr = None obsAddr.sighting_count = 1 obsAddr.title = 'IP: ' + sAddr sDscrpt = 'IPv4' + ': ' + sAddr + " | " sDscrpt += "isSource: True | " obsAddr.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsAddr) obsAddr = None objIndicator.add_indicator_type("IP Watchlist") ### Parsing Domain sDomain = data[sKey]['attrib']['Hostname'] if sDomain: objDomain = DomainName() objDomain.value = sDomain objDomain.value.condition = 'Equals' if isFQDN(sDomain): objDomain.type = 'FQDN' elif isTLD(sDomain): objDomain.type = 'TLD' else: continue obsDomain = Observable(objDomain) # if 'domain' in data[sKey]['meta']['IDs']: # obsDomain.id_ = data[sKey]['meta']['IDs'].key # else: # data[sKey]['meta']['IDs'].update({obsDomain.id_:'domain'}) objDomain = None obsDomain.sighting_count = 1 obsDomain.title = 'Domain: ' + sDomain sDscrpt = 'Domain: ' + sDomain + " | " sDscrpt += "isFQDN: True | " obsDomain.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsDomain) obsDomain = None objIndicator.add_indicator_type("Domain Watchlist") ### Parsing Port Number sPortList = data[sKey]['attrib']['Ports'] for item in sPortList: if sPortList[item]: objPort = Port() sPort = sPortList[item] objPort.port_value = int(sPort) objPort.port_value.condition = 'Equals' objPort.layer4_protocol = 'TCP' obsPort = Observable(objPort) objPort = None obsPort.sighting_count = 1 obsPort.title = 'Port: ' + str(sPort) sDscrpt = 'PortNumber: ' + str(sPort) + " | " sDscrpt += "Protocol: TCP | " obsPort.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsPort) ### Add Generated observable to Indicator objIndicator.observable_composition_operator = 'OR' objIndicator.observables = listOBS #Parsing Producer infoSrc = InformationSource(identity=Identity(name=srcObj.Domain)) #infoSrc.add_contributing_source(data[sKey]['attrib']['ref']) objIndicator.producer = infoSrc # if data[sKey]['attrib']['lstDateVF']: # objIndicator.set_produced_time(data[sKey]['attrib']['lstDateVF'][0]); objIndicator.set_received_time(data[sKey]['meta']['dateDL']) ### Generate Indicator Title based on availbe data lstContainng = [] lstIs = [] sTitle = ' This' if data[sKey]['attrib']['Hostname']: sTitle += ' domain ' + data[sKey]['attrib']['Hostname'] else: sTitle += ' ipAddress ' + sKey sTitle += ' has been identified as a TOR network "Exit Point" router' objIndicator.title = sTitle ### Generate Indicator Description based on availbe data sDscrpt = ' torstatus.blutmagie.de has identified this' if data[sKey]['attrib']['Hostname']: sDscrpt += ' domain ' + data[sKey]['attrib']['Hostname'] else: sDscrpt += ' ipAddress ' + sKey # sDscrpt += ' with a router name of "' + data[sKey]['attrib']['Router Name'] + '"' # if data[sKey]['attrib']['Ports']['ORPort']: # sDscrpt += ' using ORPort: ' + str(data[sKey]['attrib']['Ports']['ORPort']) # if data[sKey]['attrib']['Ports']['DirPort']: # sDscrpt += ' and DirPort: ' + str(data[sKey]['attrib']['Ports']['DirPort']) sDscrpt += ' as a TOR network "Exit Point" router' if data[sKey]['attrib']['Country Code']: sCntry_code = data[sKey]['attrib']['Country Code'] if sCntry_code in dictCC2CN: sCntry_name = dictCC2CN[sCntry_code] sDscrpt += ', which appears to be located in ' + sCntry_name sDscrpt += '. \n\n RawData: ' + str(data[sKey]['attrib']) objIndicator.description = "<![CDATA[" + sDscrpt + "]]>" #Parse TTP # objMalware = MalwareInstance() # objMalware.add_type("Remote Access Trojan") # ttpTitle = data[sKey]['attrib']['type'] # objTTP = TTP(title=ttpTitle) # objTTP.behavior = Behavior() # objTTP.behavior.add_malware_instance(objMalware) # objIndicator.add_indicated_ttp(objTTP) #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_)) #stix_package.add_ttp(objTTP) stix_package.add_indicator(objIndicator) objIndicator = None ### STIX Package Meta Data stix_header = STIXHeader() stix_header.title = srcObj.pkgTitle stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>" ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/ marking_specification = MarkingSpecification() classLevel = SimpleMarkingStructure() classLevel.statement = "Unclassified (Public)" marking_specification.marking_structures.append(classLevel) tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) marking_specification.controlled_structure = "//node()" objTOU = TermsOfUseMarkingStructure() sTOU = open('tou.txt').read() objTOU.terms_of_use = srcObj.Domain + " | " + sTOU marking_specification.marking_structures.append(objTOU) handling = Marking() handling.add_marking(marking_specification) stix_header.handling = handling stix_package.stix_header = stix_header stix_header = None ### Generate STIX XML File locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml' sndFile(stix_package.to_xml(), locSTIXFile) # locDataFile = 'db_' + srcObj.fileName.split('.')[0] + '.json' # sndFile_Dict2JSON(data,locDataFile); # data = None return (stix_package)
def FTPObj(ftp): networkconnection = NetworkConnection() networkconnection.layer3_protocol = "IPv4" networkconnection.layer4_protocol = "TCP" networkconnection.layer7_protocol = "FTP" indicator = Indicator() if ftp[4] == '220': if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Service ready for new user: "******"TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("User logged in") indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator elif ftp[4] == '250': if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Requested file action okay, completed.") indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator elif ftp[5] == "USER": if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Requested username: "******"PASS": if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Requested Password: "******"STOR": if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Upload file to server: " + ftp[6]) indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator elif ftp[5] == "RETR": if ftp[0] != VMIP: # incoming connection ssocketaddress = SocketAddress() ssocketaddress.ip_address = ftp[0] sport = Port() sport.port_value = ftp[1] sport.layer4_protocol = "TCP" ssocketaddress.port = sport networkconnection.source_socket_address = ssocketaddress elif ftp[2] != VMIP: # outgoing connection dsocketaddress = SocketAddress() dsocketaddress.ip_address = ftp[2] dport = Port() dport.port_value = ftp[3] dport.layer4_protocol = "TCP" dsocketaddress.port = dport networkconnection.destination_socket_address = dsocketaddress indicator.title = "FTP" indicator.description = ("Retrieve a copy of the file: " + ftp[6]) indicator.set_produced_time(utils.dates.now()) indicator.add_object(networkconnection) return indicator
def main(): # get args parser = argparse.ArgumentParser ( description = "Parse a given CSV and output STIX XML" , formatter_class=argparse.ArgumentDefaultsHelpFormatter ) parser.add_argument("--infile","-f", help="input CSV", default = "in.csv") args = parser.parse_args() # setup header contain_pkg = STIXPackage() stix_header = STIXHeader() stix_header.title = "Indicators" stix_header.add_package_intent ("Indicators") # XXX add Information_Source and Handling contain_pkg.stix_header = stix_header # create kill chain with three options (pre, post, unknown), relate as needed pre = KillChainPhase(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee", name="Pre-infection indicator", ordinality=1) post = KillChainPhase(phase_id="stix:KillChainPhase-d5459305-1a27-4f50-9875-23793d75e4fe", name="Post-infection indicator", ordinality=2) chain = KillChain(id_="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d", name="Degenerate Cyber Kill Chain" ) chain.definer = "U5" chain.kill_chain_phases = [pre, post] contain_pkg.ttps.kill_chains.append(chain) # read input data fd = open (args.infile, "rb") infile = csv.DictReader(fd) for row in infile: # create indicator for each row error = False ind = Indicator() ind.add_alternative_id(row['ControlGroupID']) ind.title = "Indicator with ID " + row['IndicatorID'] ind.description = row['Notes'] ind.producer = InformationSource() ind.producer.description = row['Reference'] # XXX unknown purpose for 'Malware' field - omitted # if the field denotes a specific malware family, we might relate as 'Malware TTP' to the indicator # set chain phase if 'Pre' in row['Infection Type']: ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d")) elif 'Post' in row['Infection Type']: ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d")) ind_type = row['Indicator Type'] if 'IP' in ind_type: ind.add_indicator_type( "IP Watchlist") ind_obj = SocketAddress() ind_obj.ip_address = row['Indicator'] ind_obj.ip_address.condition= "Equals" if row['indValue']: port = Port() # pull port out, since it's in form "TCP Port 42" port.port_value = row['indValue'].split()[-1] port.layer4_protocol = row['indValue'].split()[0] port.port_value.condition= "Equals" ind_obj.port = port elif 'Domain' in ind_type: ind.add_indicator_type ("Domain Watchlist") ind_obj = DomainName() ind_obj.value = row['Indicator'] ind_obj.value.condition= "Equals" elif 'Email' in ind_type: # parse out which part of the email is being # i.e. "Sender: attach | Subject: whatever" tag = row['Indicator'].split(':')[0] val = row['Indicator'].split(':')[1] ind.add_indicator_type ("Malicious E-mail") ind_obj = EmailMessage() if "Subject" in tag: ind_obj.subject = val ind_obj.subject.condition= "Equals" elif "Sender" in tag: ind_obj.sender = val ind_obj.sender.condition= "Equals" elif "Attachment" in tag: # make inline File to store filename file_obj = File() file_obj.id_ = cybox.utils.create_id(prefix="File") file_obj.file_name = val file_obj.file_name.condition = "Equals" ind_obj.add_related(file_obj, "Contains") attach = Attachments() attach.append(file_obj.id_) ind_obj.attachments = attach elif 'User Agent' in ind_type: ind.add_indicator_type( VocabString(row['Indicator Type'])) fields = HTTPRequestHeaderFields() fields.user_agent = row['Indicator'] fields.user_agent.condition = "Equals" header = HTTPRequestHeader() header.parsed_header = fields thing = HTTPRequestResponse() thing.http_client_request = HTTPClientRequest() thing.http_client_request.http_request_header = header ind_obj = HTTPSession() ind_obj.http_request_response = [thing] elif 'URI' in ind_type: ind.add_indicator_type( VocabString(row['Indicator Type'])) thing = HTTPRequestResponse() thing.http_client_request = HTTPClientRequest() thing.http_client_request.http_request_line = HTTPRequestLine() thing.http_client_request.http_request_line.http_method = row['Indicator'].split()[0] thing.http_client_request.http_request_line.http_method.condition = "Equals" thing.http_client_request.http_request_line.value = row['Indicator'].split()[1] thing.http_client_request.http_request_line.value.condition = "Equals" ind_obj = HTTPSession() ind_obj.http_request_response = [thing] elif 'File' in ind_type: ind.add_indicator_type( VocabString(row['Indicator Type'])) ind_obj = File() ind_obj.file_name = row['Indicator'] ind_obj.file_name.condition = "Equals" digest = Hash() # XXX assumes that hash digests are stored in this field in real data digest.simple_hash_value = row['indValue'].strip() digest.simple_hash_value.condition = "Equals" digest.type_.condition = "Equals" ind_obj.add_hash(digest) elif 'Registry' in ind_type: ind.add_indicator_type( VocabString(row['Indicator Type'])) ind_obj = WinRegistryKey() keys = RegistryValues() key = RegistryValue() key.name = row['Indicator'] key.name.condition = "Equals" key.data = row['indValue'] key.data.condition = "Equals" keys.append(key) ind_obj.values = keys elif 'Mutex' in ind_type: ind.add_indicator_type (VocabString(row['Indicator Type'])) ind_obj = Mutex() ind_obj.name = row['Indicator'] ind_obj.name.condition= "Equals" else: print "ERR type not supported: " + ind_type + " <- will be omitted from output" error = True # finalize indicator if not error: ind.add_object(ind_obj) contain_pkg.add_indicator(ind) # DONE looping print contain_pkg.to_xml()
extf= ex.create_discovery_method_instance_extracted_feautures(functions=['f1','f2'],imports=['im1','im2'],codesnippets=['code1','code2'],extractedstrings=[string1]) evl1 = ex.create_discovery_method_env_var(name='Env1',value='124') evl2 = ex.create_discovery_method_env_var(name='Env2',value='125') sock1 = ex.create_socket_address(hostname='unix1',port=84,ip_address='192.168.1.1',hostname_value='uomgr',naming_system='default') sock2 = ex.create_socket_address(hostname='unix2',port=85,ip_address='192.168.1.2',hostname_value='uomg',naming_system='default') dnsq =DNSQuery() dnsq.service_used='example service1' dnsq1 =DNSQuery() dnsq1.service_used='example service2' l7c = ex.create_layer7_connections(dns_queries=[dnsq,dnsq1],http_session=HTTPSession()) nwc1 = ex.create_network_connection(creation_time=datetime.datetime.now(),destination_socket_address=sock1,source_socket_address=sock2,destination_tcp_state=502,source_tcp_state=400, tls_used='SSL',layer3_protocol='IP',layer4_protocol='TCP',layer7_protocol='HTTP',layer7_connections=l7c) port1 =Port() port1.port_value=15 port1.layer4_protocol ='UDP' port2 =Port() port2.port_value=25 port2.layer4_protocol ='UDP' prlst = ex.create_port_list([port1,port2]) inst1 = ex.create_discovery_method_instance(creation_time=datetime.datetime.now(),is_hidden=True,kernel_time=datetime.datetime.now(),parent_pid=124,name='Ps1',pid=304,start_time=datetime.datetime.now(), username='******',user_time=datetime.datetime.now(),child_pid_list=cpl,argument_list=argl,image_info=imin,extracted_features=extf, environment_variable_list=[evl1,evl2],network_connection_list=[nwc1],port_list=prlst) ex.add_discovery_method_instance(inst1) #################################################################################################################### #Add discovery method description ex.add_discovery_method_description('Use of Cuckoo sandbox') #################################################################################################################### #Add discovery method information source type ex.add_discovery_method_information_source_type('Application Logs') ####################################################################################################################
def adptr_dict2STIX(srcObj, data): sTxt = "Called... " sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()') stixObj = None ### Input Check if srcObj == None or data == None: #TODO: Needs error msg: Missing srcData Object return (False) ### Generate NameSpace id tags STIX_NAMESPACE = {"http://hailataxii.com": "opensource"} OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource") stix_set_id_namespace(STIX_NAMESPACE) obs_set_id_namespace(OBS_NAMESPACE) ### Building STIX Wrapper stix_package = STIXPackage() objIndicator = Indicator() ### Bulid Object Data for sKey in data: objIndicator = Indicator() listOBS = [] ### Parsing IP Address for sAddr in data[sKey]['attrib']['ipAddrList']: if len(sAddr) > 0: objAddr = Address() objAddr.is_destination = True objAddr.address_value = sAddr #objAddr.address_value.operator = 'Equals' objAddr.address_value.condition = 'Equals' if isIPv4(sAddr): objAddr.category = 'ipv4-addr' elif isIPv6(sAddr): objAddr.category = 'ipv6-addr' else: continue obsAddr = Observable(objAddr) objAddr = None obsAddr.sighting_count = 1 obsAddr.title = 'IP: ' + sAddr sDscrpt = 'IPv4' + ': ' + sAddr + " | " sDscrpt += "isDestination: True | " obsAddr.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsAddr) obsAddr = None ### Parsing Port Number sPort = data[sKey]['attrib']['ipPort'] if len(sPort) > 0: objPort = Port() objPort.port_value = int(sPort) objPort.port_value.condition = 'Equals' sProtocol = data[sKey]['attrib']['ipProt'] if len(sProtocol) > 0: objPort.layer4_protocol = sProtocol.upper() obsPort = Observable(objPort) objPort = None obsPort.sighting_count = 1 obsPort.title = 'Port: ' + sPort sDscrpt = 'PortNumber' + ': ' + sPort + " | " sDscrpt += "Protocol: " + sProtocol.upper() + " | " obsPort.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsPort) ### Add Generated observable to Indicator objIndicator.add_indicator_type("IP Watchlist") objIndicator.observable_composition_operator = 'OR' objIndicator.observables = listOBS from stix.extensions.test_mechanism.snort_test_mechanism import SnortTestMechanism from stix.common import InformationSource, Identity testMech = SnortTestMechanism() testMech.rules = [data[sKey]['attrib']['rule']] testMech.efficacy = "Unknown" infoSrc = InformationSource(identity=Identity(name=srcObj.Domain)) infoSrc.add_contributing_source("http://www.shadowserver.org") infoSrc.add_contributing_source("https://spyeyetracker.abuse.ch") infoSrc.add_contributing_source("https://palevotracker.abuse.ch") infoSrc.add_contributing_source("https://zeustracker.abuse.ch") testMech.producer = infoSrc lstRef = data[sKey]['attrib']['reference'].split('|') testMech.producer.references = lstRef objIndicator.test_mechanisms = [testMech] #Parsing Producer sProducer = srcObj.Domain if len(sProducer) > 0: objIndicator.set_producer_identity(sProducer) #objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']); objIndicator.set_received_time(data[sKey]['dateDL']) ### Title / Description Generator objIndicator.set_received_time(data[sKey]['dateDL']) sTitle = "sid:" + data[sKey]['attrib']['sid'] + " | " sTitle += data[sKey]['attrib']['msg'] + " | " sTitle += "rev:" + data[sKey]['attrib']['rev'] objIndicator.title = sTitle sDscrpt = "SNORT Rule by Emergingthreats | " + data[sKey]['attrib'][ 'rule'] objIndicator.description = "<![CDATA[" + sDscrpt + "]]>" #Parse TTP objMalware = MalwareInstance() nameList = data[sKey]['attrib']['flowbits'] if len(nameList) > 0: nameList = nameList.split("|") for sName in nameList: sName = sName.split(",")[1] objMalware.add_name(sName) #objMalware.add_type("Remote Access Trojan") objMalware.short_description = data[sKey]['attrib']['msg'] ttpTitle = data[sKey]['attrib']['classtype'] + " | " + data[sKey][ 'attrib']['msg'] objTTP = TTP(title=ttpTitle) objTTP.behavior = Behavior() objTTP.behavior.add_malware_instance(objMalware) objIndicator.add_indicated_ttp(objTTP) #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_)) #stix_package.add_ttp(objTTP) stix_package.add_indicator(objIndicator) objIndicator = None ### STIX Package Meta Data stix_header = STIXHeader() stix_header.title = srcObj.pkgTitle stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>" ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/ marking_specification = MarkingSpecification() classLevel = SimpleMarkingStructure() classLevel.statement = "Unclassified (Public)" marking_specification.marking_structures.append(classLevel) tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) marking_specification.controlled_structure = "//node()" objTOU = TermsOfUseMarkingStructure() sTOU = open('tou.txt').read() objTOU.terms_of_use = sProducer + " | " + sTOU marking_specification.marking_structures.append(objTOU) handling = Marking() handling.add_marking(marking_specification) stix_header.handling = handling stix_package.stix_header = stix_header stix_header = None ### Generate STIX XML File locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml' sndFile(stix_package.to_xml(), locSTIXFile) return (stix_package)