def DNSRequestObj(dnsinfo):
networkconnection = NetworkConnection()
networkconnection.layer3_protocol = "IPv4"
networkconnection.layer4_protocol = "UDP"
networkconnection.layer7_protocol = "DNS"
ssocketaddress = SocketAddress()
sport = Port()
sport.port_value = dnsinfo[1]
sport.layer4_protocol = "UDP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = dnsinfo[2]
dport = Port()
dport.port_value = dnsinfo[3]
dport.layer4_protocol = "UDP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
layer7connections = Layer7Connections()
dqr = DNSQuery()
indicator = Indicator()
dnsques = DNSQuestion()
dnsques.qname = dnsinfo[4]
dnsques.qtype = translateType(dnsinfo[5])
dqr.question = dnsques
indicator.title = "DNS Request"
indicator.description = (
"An indicator containing information about a DNS Request")
layer7connections.dns_query = dqr
networkconnection.layer7_connections = layer7connections
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
def TCPConnectionEstablishedObj(tcpinfo):
networkconnection = NetworkConnection()
networkconnection.layer3_protocol = "IPv4"
networkconnection.layer4_protocol = "TCP"
if tcpinfo[0] != VMIP: # incoming connection
networkconnection.destination_tcp_state = "ESTABLISHED"
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = tcpinfo[0]
sport = Port()
sport.port_value = tcpinfo[2]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif tcpinfo[1] != VMIP: # outgoing connection
networkconnection.source_tcp_state = "ESTABLISHED"
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = tcpinfo[1]
dport = Port()
dport.port_value = tcpinfo[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator = Indicator()
indicator.title = "TCP Connection Established"
indicator.description = (
"An indicator containing information about a successful TCP hand shake"
)
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
def SSHObj(SSH):
networkconnection = NetworkConnection()
networkconnection.layer3_protocol = "IPv4"
networkconnection.layer4_protocol = "TCP"
networkconnection.layer7_protocol = "SSH"
if SSH[0] != VMIP and SSH[4] == 1 and SSH[5] == 0: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = SSH[0]
sport = Port()
sport.port_value = SSH[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif SSH[2] != VMIP and SSH[4] == 1 and SSH[5] == 0: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = SSH[2]
dport = Port()
dport.port_value = SSH[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator = Indicator()
if SSH[6] != '':
indicator.title = "SSH Request with pulic key"
indicator.description = ("SSH public key: " + SSH[6])
else:
indicator.title = "SSH Request"
indicator.description = (
"An indicator containing information about a SSH request")
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
def UDPRequestObj(udpinfo):
u = NetworkConnection()
u.layer3_protocol = "IPv4"
u.layer4_protocol = "UDP"
ssocketaddress = SocketAddress()
if udpinfo[3] != VMIP:
ssocketaddress.ip_address = udpinfo[3]
sport = Port()
sport.port_value = udpinfo[0]
sport.layer4_protocol = "UDP"
ssocketaddress.port = sport
u.source_socket_address = ssocketaddress
dsocketaddress = SocketAddress()
if udpinfo[2] != VMIP:
dsocketaddress.ip_address = udpinfo[2]
dport = Port()
dport.port_value = udpinfo[1]
dport.layer4_protocol = "UDP"
dsocketaddress.port = dport
u.destination_socket_address = dsocketaddress
indicator = Indicator()
indicator.title = "UDP connection"
indicator.description = (
"An indicator containing information about a UDP connection")
indicator.set_produced_time(utils.dates.now())
indicator.add_object(u)
return indicator
def cybox_object_http(obj):
http_session = HTTPSession()
hh = HTTPRequestResponse()
hc = HTTPClientRequest()
if obj.client_request.message_body:
hm = HTTPMessage()
hm.lenght = len(obj.client_request.message_body)
hm.message_body = String(obj.client_request.message_body)
hc.http_message_body = hm
rh = HTTPRequestHeader()
if obj.client_request.raw_header:
rh.raw_header = String(obj.client_request.raw_header)
hhf = HTTPRequestHeaderFields()
hhf.user_agent = String(obj.client_request.user_agent)
host_field = HostField()
host_field.domain_name = URI(value=obj.client_request.domain_name)
port = Port()
port.port_value = PositiveInteger(obj.client_request.port.port)
host_field.port = port
hhf.host = host_field
rh.parsed_header = hhf
hc.http_request_header = rh
hl = HTTPRequestLine()
hl.http_method = String(obj.client_request.request_method)
hl.version = String(obj.client_request.request_version)
hl.value = String(obj.client_request.request_uri)
hc.http_request_line = hl
hh.http_client_request = hc
http_session.http_request_response = [hh]
return http_session
def cybox_object_http(obj):
http_session = HTTPSession()
hh = HTTPRequestResponse()
hc = HTTPClientRequest()
if obj.client_request.message_body:
hm = HTTPMessage()
hm.lenght = len(obj.client_request.message_body)
hm.message_body = String(obj.client_request.message_body)
hc.http_message_body = hm
rh = HTTPRequestHeader()
if obj.client_request.raw_header:
rh.raw_header = String(obj.client_request.raw_header)
hhf = HTTPRequestHeaderFields()
hhf.user_agent = String(obj.client_request.user_agent)
host_field = HostField()
host_field.domain_name = URI(value=obj.client_request.domain_name)
port = Port()
port.port_value = PositiveInteger(obj.client_request.port.port)
host_field.port = port
hhf.host = host_field
rh.parsed_header = hhf
hc.http_request_header = rh
hl = HTTPRequestLine()
hl.http_method = String(obj.client_request.request_method)
hl.version = String(obj.client_request.request_version)
hl.value = String(obj.client_request.request_uri)
hc.http_request_line = hl
hh.http_client_request = hc
http_session.http_request_response = [hh]
return http_session
def generateIPObservable(indicator, attribute):
indicator.add_indicator_type("IP Watchlist")
address_object = resolveIPType(attribute["value"], attribute["type"])
address_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":AddressObject-" + attribute[
"uuid"]
if ("|" in attribute["value"]):
port = attribute["value"].split('|')[1]
address_observable = Observable(address_object)
address_observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":Address-" + attribute[
"uuid"]
port_object = Port()
port_object.port_value = attribute["value"].split('|')[1]
port_object.port_value.condition = "Equals"
port_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":PortObject-" + attribute[
"uuid"]
port_observable = Observable(port_object)
port_observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":Port-" + attribute[
"uuid"]
compositeObject = ObservableComposition(
observables=[address_observable, port_observable])
compositeObject.operator = "AND"
observable = Observable(
id_=cybox.utils.idgen.__generator.namespace.prefix +
":ObservableComposition-" + attribute["uuid"])
observable.observable_composition = compositeObject
return observable
else:
return address_object
def generatePortObservable(indicator, attribute):
port_object = Port()
port_object.port_value = attribute["value"]
port_object.port_value.condition = "Equals"
port_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":PortObject-" + attribute[
"uuid"]
return port_object
def add_host(host_info):
uri_port = host_info.split(":")
hf = HostField()
if len(uri_port) > 1:
port = Port()
port.port_value = uri_port[1]
hf.port = port
hf.domain_name = URI(uri_port[0], URI.TYPE_DOMAIN)
return hf
def generate_ip_observable(self, indicator, attribute):
indicator.add_indicator_type("IP Watchlist")
address_object = self.resolve_ip_type(attribute.type, attribute.value)
address_object.parent.id_ = "{}:AddressObject-{}".format(self.namespace_prefix, attribute.uuid)
if '|' in attribute.value:
port = attribute.value.split('|')[1]
address_observable = Observable(address_object)
address_observable.id_ = "{}:Address-{}".format(self.namespace_prefix, attribute.uuid)
port_object = Port()
port_object.port_value = port
port_object.port_value.condition = "Equals"
port_object.parent.id_ = "{}:PortObject-{}".format(self.namespace_prefix, attribute.uuid)
port_observable = Observable(port_object)
port_observable.id_ = "{}:Port-{}".format(self.namespace_prefix, attribute.uuid)
compositeObject = ObservableComposition(observables=[address_observable, port_observable])
compositeObject.operator = "AND"
observable = Observable(id_ = "{}:ObservableComposition-{}".format(self.namespace_prefix, attribute.uuid))
observable.observable_composition = compositeObject
return observable
else:
return address_object
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
# if 'indicator' in data[sKey]['meta']['IDs']:
# objIndicator.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({objIndicator.id_:'indicator'})
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['IP Address']
if sAddr:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
# if 'address"' in data[sKey]['meta']['IDs']:
# obsAddr.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({objIndicator.id_:'address'})
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isSource: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['Hostname']
if sDomain:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
# if 'domain' in data[sKey]['meta']['IDs']:
# obsDomain.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({obsDomain.id_:'domain'})
objDomain = None
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
### Parsing Port Number
sPortList = data[sKey]['attrib']['Ports']
for item in sPortList:
if sPortList[item]:
objPort = Port()
sPort = sPortList[item]
objPort.port_value = int(sPort)
objPort.port_value.condition = 'Equals'
objPort.layer4_protocol = 'TCP'
obsPort = Observable(objPort)
objPort = None
obsPort.sighting_count = 1
obsPort.title = 'Port: ' + str(sPort)
sDscrpt = 'PortNumber: ' + str(sPort) + " | "
sDscrpt += "Protocol: TCP | "
obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsPort)
### Add Generated observable to Indicator
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
#Parsing Producer
infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
#infoSrc.add_contributing_source(data[sKey]['attrib']['ref'])
objIndicator.producer = infoSrc
# if data[sKey]['attrib']['lstDateVF']:
# objIndicator.set_produced_time(data[sKey]['attrib']['lstDateVF'][0]);
objIndicator.set_received_time(data[sKey]['meta']['dateDL'])
### Generate Indicator Title based on availbe data
lstContainng = []
lstIs = []
sTitle = ' This'
if data[sKey]['attrib']['Hostname']:
sTitle += ' domain ' + data[sKey]['attrib']['Hostname']
else:
sTitle += ' ipAddress ' + sKey
sTitle += ' has been identified as a TOR network "Exit Point" router'
objIndicator.title = sTitle
### Generate Indicator Description based on availbe data
sDscrpt = ' torstatus.blutmagie.de has identified this'
if data[sKey]['attrib']['Hostname']:
sDscrpt += ' domain ' + data[sKey]['attrib']['Hostname']
else:
sDscrpt += ' ipAddress ' + sKey
# sDscrpt += ' with a router name of "' + data[sKey]['attrib']['Router Name'] + '"'
# if data[sKey]['attrib']['Ports']['ORPort']:
# sDscrpt += ' using ORPort: ' + str(data[sKey]['attrib']['Ports']['ORPort'])
# if data[sKey]['attrib']['Ports']['DirPort']:
# sDscrpt += ' and DirPort: ' + str(data[sKey]['attrib']['Ports']['DirPort'])
sDscrpt += ' as a TOR network "Exit Point" router'
if data[sKey]['attrib']['Country Code']:
sCntry_code = data[sKey]['attrib']['Country Code']
if sCntry_code in dictCC2CN:
sCntry_name = dictCC2CN[sCntry_code]
sDscrpt += ', which appears to be located in ' + sCntry_name
sDscrpt += '. \n\n RawData: ' + str(data[sKey]['attrib'])
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
# objMalware = MalwareInstance()
# objMalware.add_type("Remote Access Trojan")
# ttpTitle = data[sKey]['attrib']['type']
# objTTP = TTP(title=ttpTitle)
# objTTP.behavior = Behavior()
# objTTP.behavior.add_malware_instance(objMalware)
# objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
# locDataFile = 'db_' + srcObj.fileName.split('.')[0] + '.json'
# sndFile_Dict2JSON(data,locDataFile);
# data = None
return (stix_package)
def make_cybox_object(type_, value=None):
"""
Converts type_, name, and value to a CybOX object instance.
:param type_: The object type.
:type type_: str
:param value: The object value.
:type value: str
:returns: CybOX object
"""
if type_ == IndicatorTypes.USER_ID:
acct = Account()
acct.description = value
return acct
elif type_ in IPTypes.values():
if type_ == IPTypes.IPV4_ADDRESS:
name = 'ipv4-addr'
elif type_ == IPTypes.IPV6_ADDRESS:
name = 'ipv6-addr'
elif type_ == IPTypes.IPV4_SUBNET:
name = 'ipv4-net'
elif type_ == IPTypes.IPV6_SUBNET:
name = 'ipv6-net'
return Address(category=name, address_value=value)
elif type_ == IndicatorTypes.API_KEY:
api = API()
api.description = value
return api
elif type_ == IndicatorTypes.DOMAIN:
obj = DomainName()
obj.value = value
return obj
elif type_ == IndicatorTypes.USER_AGENT:
obj = HTTPRequestHeaderFields()
obj.user_agent = value
return obj
elif type_ == IndicatorTypes.MUTEX:
m = Mutex()
m.named = True
m.name = String(value)
return m
elif type_ in (IndicatorTypes.SOURCE_PORT,
IndicatorTypes.DEST_PORT):
p = Port()
try:
p.port_value = PositiveInteger(value)
except ValueError: # XXX: Raise a better exception...
raise UnsupportedCybOXObjectTypeError(type_, name)
return p
elif type_ == IndicatorTypes.PROCESS_NAME:
p = Process()
p.name = String(value)
return p
elif type_ == IndicatorTypes.URI:
r = URI()
r.type_ = 'URL'
r.value = value
return r
elif type_ in (IndicatorTypes.REGISTRY_KEY,
IndicatorTypes.REG_KEY_CREATED,
IndicatorTypes.REG_KEY_DELETED,
IndicatorTypes.REG_KEY_ENUMERATED,
IndicatorTypes.REG_KEY_MONITORED,
IndicatorTypes.REG_KEY_OPENED):
obj = WinRegistryKey()
obj.key = value
return obj
"""
The following are types that are listed in the 'Indicator Type' box of
the 'New Indicator' dialog in CRITs. These types, unlike those handled
above, cannot be written to or read from CybOX at this point.
The reason for the type being omitted is written as a comment inline.
This can (and should) be revisited as new versions of CybOX are released.
NOTE: You will have to update the corresponding make_crits_object function
with handling for the reverse direction.
In the mean time, these types will raise unsupported errors.
"""
#elif type_ == "Device": # No CybOX API
#elif type_ == "DNS Cache": # No CybOX API
#elif type_ == "GUI": # revisit when CRITs supports width & height specification
#elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs
#elif type_ == "Linux Package": # No CybOX API
#elif type_ == "Network Packet": # No good mapping between CybOX/CRITs
#elif type_ == "Network Route Entry": # No CybOX API
#elif type_ == "Network Route": # No CybOX API
#elif type_ == "Network Subnet": # No CybOX API
#elif type_ == "Semaphore": # No CybOX API
#elif type_ == "Socket": # No good mapping between CybOX/CRITs
#elif type_ == "UNIX File": # No CybOX API
#elif type_ == "UNIX Network Route Entry": # No CybOX API
#elif type_ == "UNIX Pipe": # No CybOX API
#elif type_ == "UNIX Process": # No CybOX API
#elif type_ == "UNIX User Account": # No CybOX API
#elif type_ == "UNIX Volume": # No CybOX API
#elif type_ == "User Session": # No CybOX API
#elif type_ == "Whois": # No good mapping between CybOX/CRITs
#elif type_ == "Win Computer Account": # No CybOX API
#elif type_ == "Win Critical Section": # No CybOX API
#elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs
#elif type_ == "Win File": # No good mapping between CybOX/CRITs
#elif type_ == "Win Kernel": # No CybOX API
#elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs
#elif type_ == "Win Network Route Entry": # No CybOX API
#elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs
#elif type_ == "Win Prefetch": # No CybOX API
#elif type_ == "Win Semaphore": # No CybOX API
#elif type_ == "Win System Restore": # No CybOX API
#elif type_ == "Win Thread": # No good mapping between CybOX/CRITs
#elif type_ == "Win Waitable Timer": # No CybOX API
raise UnsupportedCybOXObjectTypeError(type_)
def make_cybox_object(type_, value=None):
"""
Converts type_, name, and value to a CybOX object instance.
:param type_: The object type.
:type type_: str
:param value: The object value.
:type value: str
:returns: CybOX object
"""
if type_ == IndicatorTypes.USER_ID:
acct = Account()
acct.description = value
return acct
elif type_ in IPTypes.values():
if type_ == IPTypes.IPV4_ADDRESS:
name = 'ipv4-addr'
elif type_ == IPTypes.IPV6_ADDRESS:
name = 'ipv6-addr'
elif type_ == IPTypes.IPV4_SUBNET:
name = 'ipv4-net'
elif type_ == IPTypes.IPV6_SUBNET:
name = 'ipv6-net'
return Address(category=name, address_value=value)
elif type_ == IndicatorTypes.API_KEY:
api = API()
api.description = value
return api
elif type_ == IndicatorTypes.DOMAIN:
obj = DomainName()
obj.value = value
elif type_ == IndicatorTypes.USER_AGENT:
obj = HTTPRequestHeaderFields()
obj.user_agent = value
return obj
elif type_ == IndicatorTypes.MUTEX:
m = Mutex()
m.named = True
m.name = String(value)
return m
elif type_ in (IndicatorTypes.SOURCE_PORT,
IndicatorTypes.DEST_PORT):
p = Port()
try:
p.port_value = PositiveInteger(value)
except ValueError: # XXX: Raise a better exception...
raise UnsupportedCybOXObjectTypeError(type_, name)
return p
elif type_ == IndicatorTypes.PROCESS_NAME:
p = Process()
p.name = String(value)
return p
elif type_ == IndicatorTypes.URI:
r = URI()
r.type_ = 'URL'
r.value = value
return r
elif type_ in (IndicatorTypes.REGISTRY_KEY,
IndicatorTypes.REG_KEY_CREATED,
IndicatorTypes.REG_KEY_DELETED,
IndicatorTypes.REG_KEY_ENUMERATED,
IndicatorTypes.REG_KEY_MONITORED,
IndicatorTypes.REG_KEY_OPENED):
obj = WinRegistryKey()
obj.key = value
return obj
"""
The following are types that are listed in the 'Indicator Type' box of
the 'New Indicator' dialog in CRITs. These types, unlike those handled
above, cannot be written to or read from CybOX at this point.
The reason for the type being omitted is written as a comment inline.
This can (and should) be revisited as new versions of CybOX are released.
NOTE: You will have to update the corresponding make_crits_object function
with handling for the reverse direction.
In the mean time, these types will raise unsupported errors.
"""
#elif type_ == "Device": # No CybOX API
#elif type_ == "DNS Cache": # No CybOX API
#elif type_ == "GUI": # revisit when CRITs supports width & height specification
#elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs
#elif type_ == "Linux Package": # No CybOX API
#elif type_ == "Network Packet": # No good mapping between CybOX/CRITs
#elif type_ == "Network Route Entry": # No CybOX API
#elif type_ == "Network Route": # No CybOX API
#elif type_ == "Network Subnet": # No CybOX API
#elif type_ == "Semaphore": # No CybOX API
#elif type_ == "Socket": # No good mapping between CybOX/CRITs
#elif type_ == "UNIX File": # No CybOX API
#elif type_ == "UNIX Network Route Entry": # No CybOX API
#elif type_ == "UNIX Pipe": # No CybOX API
#elif type_ == "UNIX Process": # No CybOX API
#elif type_ == "UNIX User Account": # No CybOX API
#elif type_ == "UNIX Volume": # No CybOX API
#elif type_ == "User Session": # No CybOX API
#elif type_ == "Whois": # No good mapping between CybOX/CRITs
#elif type_ == "Win Computer Account": # No CybOX API
#elif type_ == "Win Critical Section": # No CybOX API
#elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs
#elif type_ == "Win File": # No good mapping between CybOX/CRITs
#elif type_ == "Win Kernel": # No CybOX API
#elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs
#elif type_ == "Win Network Route Entry": # No CybOX API
#elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs
#elif type_ == "Win Prefetch": # No CybOX API
#elif type_ == "Win Semaphore": # No CybOX API
#elif type_ == "Win System Restore": # No CybOX API
#elif type_ == "Win Thread": # No good mapping between CybOX/CRITs
#elif type_ == "Win Waitable Timer": # No CybOX API
raise UnsupportedCybOXObjectTypeError(type_, name)
def generate_port_observable(self, indicator, attribute):
port_object = Port()
port_object.port_value = attribute.value
port_object.port_value.condition = "Equals"
port_object.parent.id_ = "{}:PortObject-{}".format(self.namespace_prefix, attribute.uuid)
return port_object
def home(request):
"""
Name: home
Desc: Main GUI view
"""
# Forms:Job,target and relay creation
create_job_form = CreateJob(request=request, prefix="create_job")
create_target_form = CreateTarget(request=request, prefix="create_target")
create_relay_form = CreateRelay(request=request, prefix="create_relay")
if request.method == "POST":
# Remove a relay
if "delete_relay_id" in request.POST:
try:
Relay.objects.get(pk=request.POST["delete_relay_id"]).delete()
except ObjectDoesNotExist, e:
pass
# Create new relay
if "create_relay-name" in request.POST:
# Actuator creation
create_relay_form = CreateRelay(request.POST,
request=request,
prefix="create_relay")
if create_relay_form.is_valid():
host = create_relay_form.save()
host.save()
# TODO - Call a sync here
# Job Creations
if "create_job-raw_message" in request.POST:
new_job = Job(capability=Capability.objects.get(
pk=request.POST["create_job-capability"]),
target=Target.objects.get(
pk=request.POST["create_job-target"]),
raw_message="Pending",
status=JobStatus.objects.get(status="Pending"),
created_by=request.user)
new_job.save()
# Now we have a pk - update the id
command = json.loads(request.POST["create_job-raw_message"])
command["modifiers"]["command-ref"] = new_job.id
logger.info("Job Created\n%s" % json.dumps(command))
new_job.raw_message = json.dumps(command, sort_keys=True,
indent=4).replace(
"\t", u'\xa0\xa0\xa0\xa0\xa0')
new_job.save()
# Target Creations
namespace_url = getattr(settings, "NAMESPACE_URL", None)
namespace_id = getattr(settings, "NAMESPACE_ID", None)
set_id_namespace(Namespace(namespace_url, namespace_id))
if "create_target-cybox_type" in request.POST:
cybox_type = CybOXType.objects.get(
pk=request.POST["create_target-cybox_type"])
if cybox_type.identifier == "cybox:NetworkConnectionObjectType":
obs = NetworkConnection()
# Source
sock = SocketAddress()
sock.ip_address = request.POST["create_target-source_address"]
sock.ip_address.category = "ipv4-addr"
sock.ip_address.condition = "Equals"
sport = Port()
sport.port_value = int(
request.POST["create_target-source_port"])
sock.port = sport
obs.source_socket_address = sock
# Dest
sock = SocketAddress()
sock.ip_address = request.POST[
"create_target-destination_address"]
sock.ip_address.category = "ipv4-addr"
sock.ip_address.condition = "Equals"
dport = Port()
dport.port_value = int(
request.POST["create_target-destination_port"])
sock.port = dport
obs.destination_socket_address = sock
name = "Network Connection %s:%s -> %s:%s (%s)" % (
request.POST["create_target-source_address"],
request.POST["create_target-source_port"],
request.POST["create_target-destination_address"],
request.POST["create_target-destination_port"],
request.POST["create_target-protocol"])
raw_message = Observable(item=obs, title=name).to_json()
elif cybox_type.identifier == "cybox:AddressObjectType":
name = "Address %s " % (request.POST["create_target-address"])
raw_message = Observable(item=Address(
address_value=request.POST["create_target-address"],
category=Address.CAT_IPV4),
title=name).to_json()
elif cybox_type.identifier == "cybox:URIObjectType":
name = "URI %s " % (request.POST["create_target-uri"])
obs = URI()
obs.value = request.POST["create_target-uri"]
obs.type_ = URI.TYPE_URL
obs.condition = "Equals"
raw_message = Observable(item=obs, title=name).to_json()
elif cybox_type.identifier == "cybox:EmailMessageObjectType":
name = "Email %s " % (
request.POST["create_target-email_subject"])
obs = EmailMessage()
obs.raw_body = request.POST["create_target-email_message"]
obs.header = EmailHeader()
obs.header.subject = request.POST[
"create_target-email_subject"]
obs.header.subject.condition = "StartsWith"
obs.header.to = request.POST["create_target-email_to"]
obs.header.from_ = request.POST["create_target-email_from"]
raw_message = Observable(item=obs, title=name).to_json()
else:
# Should never reach here
raw_message = {}
name = "Undefined Object"
create_target_form = CreateTarget(request.POST,
request=request,
prefix="create_target")
if create_target_form.is_valid():
target = create_target_form.save(commit=False)
target.name = name
target.raw_message = raw_message
target.save()
def FTPObj(ftp):
networkconnection = NetworkConnection()
networkconnection.layer3_protocol = "IPv4"
networkconnection.layer4_protocol = "TCP"
networkconnection.layer7_protocol = "FTP"
indicator = Indicator()
if ftp[4] == '220':
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Service ready for new user: "******"TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("User logged in")
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
elif ftp[4] == '250':
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Requested file action okay, completed.")
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
elif ftp[5] == "USER":
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Requested username: "******"PASS":
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Requested Password: "******"STOR":
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Upload file to server: " + ftp[6])
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
elif ftp[5] == "RETR":
if ftp[0] != VMIP: # incoming connection
ssocketaddress = SocketAddress()
ssocketaddress.ip_address = ftp[0]
sport = Port()
sport.port_value = ftp[1]
sport.layer4_protocol = "TCP"
ssocketaddress.port = sport
networkconnection.source_socket_address = ssocketaddress
elif ftp[2] != VMIP: # outgoing connection
dsocketaddress = SocketAddress()
dsocketaddress.ip_address = ftp[2]
dport = Port()
dport.port_value = ftp[3]
dport.layer4_protocol = "TCP"
dsocketaddress.port = dport
networkconnection.destination_socket_address = dsocketaddress
indicator.title = "FTP"
indicator.description = ("Retrieve a copy of the file: " + ftp[6])
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
def create_port(prtvalue):
prt = Port()
prt.port_value = prtvalue
return prt
def main():
# get args
parser = argparse.ArgumentParser ( description = "Parse a given CSV from Shadowserver and output STIX XML to stdout"
, formatter_class=argparse.ArgumentDefaultsHelpFormatter )
parser.add_argument("--infile","-f", help="input CSV with bot data", default = "bots.csv")
args = parser.parse_args()
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.title = "Bot Server IP addresses"
stix_header.description = "IP addresses connecting to bot control servers at a given port"
stix_header.add_package_intent ("Indicators - Watchlist")
# add marking
mark = Marking()
markspec = MarkingSpecification()
markstruct = SimpleMarkingStructure()
markstruct.statement = "Usage of this information, including integration into security mechanisms implies agreement with the Shadowserver Terms of Service available at https://www.shadowserver.org/wiki/pmwiki.php/Shadowserver/TermsOfService"
markspec.marking_structures.append(markstruct)
mark.add_marking(markspec)
stix_header.handling = mark
# include author info
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time =datetime.now(tzutc())
stix_header.information_source.tools = ToolInformationList()
stix_header.information_source.tools.append("ShadowBotnetIP-STIXParser")
stix_header.information_source.identity = Identity()
stix_header.information_source.identity.name = "MITRE STIX Team"
stix_header.information_source.add_role(VocabString("Format Transformer"))
src = InformationSource()
src.description = "https://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP"
srcident = Identity()
srcident.name = "shadowserver.org"
src.identity = srcident
src.add_role(VocabString("Originating Publisher"))
stix_header.information_source.add_contributing_source(src)
stix_package.stix_header = stix_header
# add TTP for overall indicators
bot_ttp = TTP()
bot_ttp.title = 'Botnet C2'
bot_ttp.resources = Resource()
bot_ttp.resources.infrastructure = Infrastructure()
bot_ttp.resources.infrastructure.title = 'Botnet C2'
stix_package.add_ttp(bot_ttp)
# read input data
fd = open (args.infile, "rb")
infile = csv.DictReader(fd)
for row in infile:
# split indicators out, may be 1..n with positional storage, same port and channel, inconsistent delims
domain = row['Domain'].split()
country = row['Country'].split()
region = row['Region'].split('|')
state = row['State'].split('|')
asn = row['ASN'].split()
asname = row['AS Name'].split()
asdesc = row['AS Description'].split('|')
index = 0
for ip in row['IP Address'].split():
indicator = Indicator()
indicator.title = "IP indicator for " + row['Channel']
indicator.description = "Bot connecting to control server"
# point to overall TTP
indicator.add_indicated_ttp(TTP(idref=bot_ttp.id_))
# add our IP and port
sock = SocketAddress()
sock.ip_address = ip
# add sighting
sight = Sighting()
sight.timestamp = ""
obs = Observable(item=sock.ip_address)
obsref = Observable(idref=obs.id_)
sight.related_observables.append(obsref)
indicator.sightings.append(sight)
stix_package.add_observable(obs)
# add pattern for indicator
sock_pattern = SocketAddress()
sock_pattern.ip_address = ip
port = Port()
port.port_value = row['Port']
sock_pattern.port = port
sock_pattern.ip_address.condition= "Equals"
sock_pattern.port.port_value.condition= "Equals"
indicator.add_object(sock_pattern)
stix_package.add_indicator(indicator)
# add domain
domain_obj = DomainName()
domain_obj.value = domain[index]
domain_obj.add_related(sock.ip_address,"Resolved_To", inline=False)
stix_package.add_observable(domain_obj)
# add whois obs
whois_obj = WhoisEntry()
registrar = WhoisRegistrar()
registrar.name = asname[index]
registrar.address = state[index] + region[index] + country[index]
whois_obj.registrar_info = registrar
whois_obj.add_related(sock.ip_address,"Characterizes", inline=False)
stix_package.add_observable(whois_obj)
# add ASN obj
asn_obj = AutonomousSystem()
asn_obj.name = asname[index]
asn_obj.number = asn[index]
asn_obj.handle = "AS" + str(asn[index])
asn_obj.add_related(sock.ip_address,"Contains", inline=False)
stix_package.add_observable(asn_obj)
# iterate
index = index + 1
print stix_package.to_xml()
def __create_cybox_port_object(self, port):
if not port:
return None
pobj = Port()
pobj.port_value = int(port)
return pobj
def HTTPFullObj(http):
httprequestline = HTTPRequestLine()
httprequestline.http_method = http[0]
httprequestline.value = http[1]
httprequestline.version = http[2]
hostfield = HostField()
h = URI()
h.value = str(http[14])
hostfield.domain_name = h
port = Port()
port.port_value = http[3]
hostfield.port = port
httprequestheaderfields = HTTPRequestHeaderFields()
if http[4] != '':
httprequestheaderfields.accept = http[4]
if http[5] != '':
httprequestheaderfields.accept_language = http[5]
if http[6] != '':
httprequestheaderfields.accept_encoding = http[6]
if http[7] != '':
httprequestheaderfields.authorization = http[7]
if http[8] != '':
httprequestheaderfields.cache_control = http[8]
if http[9] != '':
httprequestheaderfields.connection = http[9]
if http[10] != '':
httprequestheaderfields.cookie = http[10]
if http[11] != '':
httprequestheaderfields.content_length = http[11] # integer
if http[12] != '':
httprequestheaderfields.content_type = http[12]
if http[13] != '':
httprequestheaderfields.date = http[13] # datetime
if http[14] != '':
httprequestheaderfields.host = hostfield
if http[15] != '':
httprequestheaderfields.proxy_authorization = http[15]
httprequestheader = HTTPRequestHeader()
httprequestheader.parsed_header = httprequestheaderfields
httpclientrequest = HTTPClientRequest()
httpclientrequest.http_request_line = httprequestline
httpclientrequest.http_request_header = httprequestheader
http_request_response = HTTPRequestResponse()
http_request_response.http_client_request = httpclientrequest
httpsession = HTTPSession()
httpsession.http_request_response = http_request_response
layer7connections = Layer7Connections()
layer7connections.http_session = httpsession
networkconnection = NetworkConnection()
networkconnection.layer3_protocol = "IPv4"
networkconnection.layer4_protocol = "TCP"
networkconnection.layer7_protocol = "HTTP"
networkconnection.layer7_connections = layer7connections
indicator = Indicator()
indicator.title = "HTTP request"
indicator.description = (
"An indicator containing information about a HTTP request")
indicator.set_produced_time(utils.dates.now())
indicator.add_object(networkconnection)
return indicator
def main():
# get args
parser = argparse.ArgumentParser ( description = "Parse a given CSV and output STIX XML"
, formatter_class=argparse.ArgumentDefaultsHelpFormatter )
parser.add_argument("--infile","-f", help="input CSV", default = "in.csv")
args = parser.parse_args()
# setup header
contain_pkg = STIXPackage()
stix_header = STIXHeader()
stix_header.title = "Indicators"
stix_header.add_package_intent ("Indicators")
# XXX add Information_Source and Handling
contain_pkg.stix_header = stix_header
# create kill chain with three options (pre, post, unknown), relate as needed
pre = KillChainPhase(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee", name="Pre-infection indicator", ordinality=1)
post = KillChainPhase(phase_id="stix:KillChainPhase-d5459305-1a27-4f50-9875-23793d75e4fe", name="Post-infection indicator", ordinality=2)
chain = KillChain(id_="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d", name="Degenerate Cyber Kill Chain" )
chain.definer = "U5"
chain.kill_chain_phases = [pre, post]
contain_pkg.ttps.kill_chains.append(chain)
# read input data
fd = open (args.infile, "rb")
infile = csv.DictReader(fd)
for row in infile:
# create indicator for each row
error = False
ind = Indicator()
ind.add_alternative_id(row['ControlGroupID'])
ind.title = "Indicator with ID " + row['IndicatorID']
ind.description = row['Notes']
ind.producer = InformationSource()
ind.producer.description = row['Reference']
# XXX unknown purpose for 'Malware' field - omitted
# if the field denotes a specific malware family, we might relate as 'Malware TTP' to the indicator
# set chain phase
if 'Pre' in row['Infection Type']:
ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d"))
elif 'Post' in row['Infection Type']:
ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d"))
ind_type = row['Indicator Type']
if 'IP' in ind_type:
ind.add_indicator_type( "IP Watchlist")
ind_obj = SocketAddress()
ind_obj.ip_address = row['Indicator']
ind_obj.ip_address.condition= "Equals"
if row['indValue']:
port = Port()
# pull port out, since it's in form "TCP Port 42"
port.port_value = row['indValue'].split()[-1]
port.layer4_protocol = row['indValue'].split()[0]
port.port_value.condition= "Equals"
ind_obj.port = port
elif 'Domain' in ind_type:
ind.add_indicator_type ("Domain Watchlist")
ind_obj = DomainName()
ind_obj.value = row['Indicator']
ind_obj.value.condition= "Equals"
elif 'Email' in ind_type:
# parse out which part of the email is being
# i.e. "Sender: attach | Subject: whatever"
tag = row['Indicator'].split(':')[0]
val = row['Indicator'].split(':')[1]
ind.add_indicator_type ("Malicious E-mail")
ind_obj = EmailMessage()
if "Subject" in tag:
ind_obj.subject = val
ind_obj.subject.condition= "Equals"
elif "Sender" in tag:
ind_obj.sender = val
ind_obj.sender.condition= "Equals"
elif "Attachment" in tag:
# make inline File to store filename
file_obj = File()
file_obj.id_ = cybox.utils.create_id(prefix="File")
file_obj.file_name = val
file_obj.file_name.condition = "Equals"
ind_obj.add_related(file_obj, "Contains")
attach = Attachments()
attach.append(file_obj.id_)
ind_obj.attachments = attach
elif 'User Agent' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
fields = HTTPRequestHeaderFields()
fields.user_agent = row['Indicator']
fields.user_agent.condition = "Equals"
header = HTTPRequestHeader()
header.parsed_header = fields
thing = HTTPRequestResponse()
thing.http_client_request = HTTPClientRequest()
thing.http_client_request.http_request_header = header
ind_obj = HTTPSession()
ind_obj.http_request_response = [thing]
elif 'URI' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
thing = HTTPRequestResponse()
thing.http_client_request = HTTPClientRequest()
thing.http_client_request.http_request_line = HTTPRequestLine()
thing.http_client_request.http_request_line.http_method = row['Indicator'].split()[0]
thing.http_client_request.http_request_line.http_method.condition = "Equals"
thing.http_client_request.http_request_line.value = row['Indicator'].split()[1]
thing.http_client_request.http_request_line.value.condition = "Equals"
ind_obj = HTTPSession()
ind_obj.http_request_response = [thing]
elif 'File' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
ind_obj = File()
ind_obj.file_name = row['Indicator']
ind_obj.file_name.condition = "Equals"
digest = Hash()
# XXX assumes that hash digests are stored in this field in real data
digest.simple_hash_value = row['indValue'].strip()
digest.simple_hash_value.condition = "Equals"
digest.type_.condition = "Equals"
ind_obj.add_hash(digest)
elif 'Registry' in ind_type:
ind.add_indicator_type( VocabString(row['Indicator Type']))
ind_obj = WinRegistryKey()
keys = RegistryValues()
key = RegistryValue()
key.name = row['Indicator']
key.name.condition = "Equals"
key.data = row['indValue']
key.data.condition = "Equals"
keys.append(key)
ind_obj.values = keys
elif 'Mutex' in ind_type:
ind.add_indicator_type (VocabString(row['Indicator Type']))
ind_obj = Mutex()
ind_obj.name = row['Indicator']
ind_obj.name.condition= "Equals"
else:
print "ERR type not supported: " + ind_type + " <- will be omitted from output"
error = True
# finalize indicator
if not error:
ind.add_object(ind_obj)
contain_pkg.add_indicator(ind)
# DONE looping
print contain_pkg.to_xml()
string1= ex.create_extracted_string(string_value='Test string1')
extf= ex.create_discovery_method_instance_extracted_feautures(functions=['f1','f2'],imports=['im1','im2'],codesnippets=['code1','code2'],extractedstrings=[string1])
evl1 = ex.create_discovery_method_env_var(name='Env1',value='124')
evl2 = ex.create_discovery_method_env_var(name='Env2',value='125')
sock1 = ex.create_socket_address(hostname='unix1',port=84,ip_address='192.168.1.1',hostname_value='uomgr',naming_system='default')
sock2 = ex.create_socket_address(hostname='unix2',port=85,ip_address='192.168.1.2',hostname_value='uomg',naming_system='default')
dnsq =DNSQuery()
dnsq.service_used='example service1'
dnsq1 =DNSQuery()
dnsq1.service_used='example service2'
l7c = ex.create_layer7_connections(dns_queries=[dnsq,dnsq1],http_session=HTTPSession())
nwc1 = ex.create_network_connection(creation_time=datetime.datetime.now(),destination_socket_address=sock1,source_socket_address=sock2,destination_tcp_state=502,source_tcp_state=400,
tls_used='SSL',layer3_protocol='IP',layer4_protocol='TCP',layer7_protocol='HTTP',layer7_connections=l7c)
port1 =Port()
port1.port_value=15
port1.layer4_protocol ='UDP'
port2 =Port()
port2.port_value=25
port2.layer4_protocol ='UDP'
prlst = ex.create_port_list([port1,port2])
inst1 = ex.create_discovery_method_instance(creation_time=datetime.datetime.now(),is_hidden=True,kernel_time=datetime.datetime.now(),parent_pid=124,name='Ps1',pid=304,start_time=datetime.datetime.now(),
username='******',user_time=datetime.datetime.now(),child_pid_list=cpl,argument_list=argl,image_info=imin,extracted_features=extf,
environment_variable_list=[evl1,evl2],network_connection_list=[nwc1],port_list=prlst)
ex.add_discovery_method_instance(inst1)
####################################################################################################################
#Add discovery method description
ex.add_discovery_method_description('Use of Cuckoo sandbox')
####################################################################################################################
#Add discovery method information source type
ex.add_discovery_method_information_source_type('Application Logs')
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
for sAddr in data[sKey]['attrib']['ipAddrList']:
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_destination = True
objAddr.address_value = sAddr
#objAddr.address_value.operator = 'Equals'
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isDestination: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
### Parsing Port Number
sPort = data[sKey]['attrib']['ipPort']
if len(sPort) > 0:
objPort = Port()
objPort.port_value = int(sPort)
objPort.port_value.condition = 'Equals'
sProtocol = data[sKey]['attrib']['ipProt']
if len(sProtocol) > 0:
objPort.layer4_protocol = sProtocol.upper()
obsPort = Observable(objPort)
objPort = None
obsPort.sighting_count = 1
obsPort.title = 'Port: ' + sPort
sDscrpt = 'PortNumber' + ': ' + sPort + " | "
sDscrpt += "Protocol: " + sProtocol.upper() + " | "
obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsPort)
### Add Generated observable to Indicator
objIndicator.add_indicator_type("IP Watchlist")
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
from stix.extensions.test_mechanism.snort_test_mechanism import SnortTestMechanism
from stix.common import InformationSource, Identity
testMech = SnortTestMechanism()
testMech.rules = [data[sKey]['attrib']['rule']]
testMech.efficacy = "Unknown"
infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
infoSrc.add_contributing_source("http://www.shadowserver.org")
infoSrc.add_contributing_source("https://spyeyetracker.abuse.ch")
infoSrc.add_contributing_source("https://palevotracker.abuse.ch")
infoSrc.add_contributing_source("https://zeustracker.abuse.ch")
testMech.producer = infoSrc
lstRef = data[sKey]['attrib']['reference'].split('|')
testMech.producer.references = lstRef
objIndicator.test_mechanisms = [testMech]
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
#objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']);
objIndicator.set_received_time(data[sKey]['dateDL'])
### Title / Description Generator
objIndicator.set_received_time(data[sKey]['dateDL'])
sTitle = "sid:" + data[sKey]['attrib']['sid'] + " | "
sTitle += data[sKey]['attrib']['msg'] + " | "
sTitle += "rev:" + data[sKey]['attrib']['rev']
objIndicator.title = sTitle
sDscrpt = "SNORT Rule by Emergingthreats | " + data[sKey]['attrib'][
'rule']
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
objMalware = MalwareInstance()
nameList = data[sKey]['attrib']['flowbits']
if len(nameList) > 0:
nameList = nameList.split("|")
for sName in nameList:
sName = sName.split(",")[1]
objMalware.add_name(sName)
#objMalware.add_type("Remote Access Trojan")
objMalware.short_description = data[sKey]['attrib']['msg']
ttpTitle = data[sKey]['attrib']['classtype'] + " | " + data[sKey][
'attrib']['msg']
objTTP = TTP(title=ttpTitle)
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def http_conversations(httpconv):
a = MalwareAction()
ao = AssociatedObject()
a.name = "Connect to URL"
a.type_ = "Connect"
ao.properties = NetworkConnection()
ao.properties.layer4_protocol = httpconv["protocol"]
header = HTTPResponseHeader()
headerfiled = HTTPResponseHeaderFields()
response = HTTPServerResponse()
if httpconv["response_headers"].has_key("Transfer-Encoding"):
headerfiled.transfer_encoding = httpconv["response_headers"]["Transfer-Encoding"]
headerfiled.content_type = httpconv["response_headers"]["Content-Type"]
headerfiled.server = httpconv["response_headers"]["Server"]
headerfiled.connection = httpconv["response_headers"]["Connection"]
#headerfiled.date = DateTime(httpconv["response_headers"]["Date"])
t = datetime.strptime(httpconv["response_headers"]["Date"],'%a, %d %b %Y %H:%M:%S %Z').replace(tzinfo=pytz.utc)
#print t
headerfiled.date = DateTime(t)
headerfiled.content_type = httpconv["response_headers"]["type"]
header.parsed_header = headerfiled
if httpconv.has_key("download_content"):
body = HTTPMessage()
body.message_body = str(httpconv["download_content"]).encode('string-escape')
response.http_message_body = body
line = HTTPStatusLine()
tmp = httpconv["response_headers"]["Status-Line"].split()
line.version = tmp[0]
line.status_code = PositiveInteger(tmp[1])
line.reason_phrase = tmp[2]
response.http_status_line = line
response.http_response_header = header
client = HTTPClientRequest()
line = HTTPRequestLine()
tmp = httpconv["url"].split()
line.http_method = tmp[0]
line.value = tmp[1]
line.version = tmp[2]
client.http_request_line = line
cheader = HTTPRequestHeader()
cheaderfiled = HTTPRequestHeaderFields()
host = HostField()
host.domain_name = URI(httpconv["dst_host"])
val = Port()
val.port_value = PositiveInteger(httpconv["dst_port"])
host.port = val
cheaderfiled.host = host
cheader.parsed_header = cheaderfiled
client.http_request_header = cheader
httpsession = HTTPSession()
requestresponse = HTTPRequestResponse()
requestresponse.http_client_request = client
requestresponse.http_server_response = response
httpsession.http_request_response = [requestresponse]
layer7 = Layer7Connections()
layer7.http_session = httpsession
ao.properties.layer7_connections = layer7
#print ao.properties.to_dict()
a.associated_objects = AssociatedObjects()
a.associated_objects.append(ao)
return a
