def stix_xml(bldata):
# Create the STIX Package and Header objects
stix_package = STIXPackage()
stix_header = STIXHeader()
# Set the description
stix_header.description = "RiskIQ Blacklist Data - STIX Format"
# Set the namespace
NAMESPACE = {"http://www.riskiq.com" : "RiskIQ"}
set_id_namespace(NAMESPACE)
# Set the produced time to now
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
# Create the STIX Package
stix_package = STIXPackage()
# Build document
stix_package.stix_header = stix_header
# Build the Package Intent
stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)
# Build the indicator
indicator = Indicator()
indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam"
indicator.add_indicator_type("URL Watchlist")
for datum in bldata:
url = URI()
url.value = ""
url.value = datum['url']
url.type_ = URI.TYPE_URL
url.condition = "Equals"
indicator.add_observable(url)
stix_package.add_indicator(indicator)
return stix_package.to_xml()
def dns_queries(dnsqueries):
a = MalwareAction()
ao = AssociatedObject()
a.name = "Query DNS"
a.type_ = "Query"
# hostnameの解決
quri = URI()
quri.value = dnsqueries["hostname"]
dns_question = DNSQuestion()
dns_question.qname = quri
ao.properties = DNSQuery()
ao.properties.question = dns_question
# resultの解決
if dnsqueries.has_key("results"):
records = []
for result in dnsqueries["results"]:
dnsrecord = DNSRecord()
dnsrecord.domain_name = quri.value
address = Address()
address.CAT_IPV4
address.address_value = result
dnsrecord.ip_address = address
records.append(dnsrecord)
ao.properties.answer_resource_records = DNSResourceRecords(records)
#print ao.properties.path # print for debug
a.associated_objects = AssociatedObjects()
a.associated_objects.append(ao)
#print a.associated_objects.to # debug print
return a
def main():
v = AnyURI("http://www.example.com/index1.html")
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print(Observables(u).to_xml(encoding=None))
def main():
v = AnyURI("http://www.example.com/index1.html")
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print(Observables(u).to_xml())
def test_no_type(self):
uri_dict = {
'value': "http://www.example.com",
'xsi:type': URI._XSI_TYPE
}
uri_obj = URI.object_from_dict(uri_dict)
uri_dict2 = URI.dict_from_object(uri_obj)
self.assertEqual(uri_dict, uri_dict2)
def gen_urls(self, count):
'''Generate list of URLs'''
urls = []
for i in range(0, count):
uri = URI(type_='URL')
uri.value = self.fake.uri()
urls.append(uri)
return urls
def main():
v = AnyURI("http://www.example.com/index1.html")
v.condition = "Equals"
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print(Observables(u).to_xml())
def main():
v = AnyURI("http://www.example.com/index1.html")
v.condition = "Equals"
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print(Observables(u).to_xml(encoding=None))
def main():
NS = cybox.utils.Namespace("http://example.com/", "example")
cybox.utils.set_id_namespace(NS)
v = AnyURI("http://www.example.com/index1.html")
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print Observables(u).to_xml()
def main():
NS = cybox.utils.Namespace("http://example.com/", "example")
cybox.utils.set_id_namespace(NS)
v = AnyURI("http://www.example.com/index1.html")
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print Observables(u).to_xml()
def test_round_trip(self):
uri_str = "http://www.example.com"
t = URI.TYPE_URL
uri = URI(AnyURI(uri_str), t)
uri2 = cybox.test.round_trip(uri)
self.assertEqual(uri.to_dict(), uri2.to_dict())
self.assertEqual(uri_str, str(uri2))
self.assertEqual(t, uri2.type_)
def test_round_trip(self):
u = "http://www.example.com"
t = URI.TYPE_URL
uri = URI(AnyURI(u), t)
uri2 = cybox.test.round_trip(uri)
self.assertEqual(uri.to_dict(), uri2.to_dict())
self.assertEqual(u, str(uri2))
self.assertEqual(t, uri2.type_)
def test_round_trip(self):
v = AnyURI("http://www.example.com")
t = URI.TYPE_URL
u = URI()
u.value = v
u.type_ = t
uri2 = round_trip(u, URI, output=False)
self.assertEqual(uri2.value, v)
self.assertEqual(uri2.type_, t)
def main():
print '<?xml version="1.0" encoding="UTF-8"?>'
v = AnyURI("www.sample1.com/index.html")
v.condition = "Equals"
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
o = Observables(u)
print o.to_xml()
def create_url_indicator(self, url_indicator):
indicator = Indicator()
indicator.title = 'URL of site hosting malware'
indicator.add_indicator_type('URL Watchlist')
url = URI()
url.value = url_indicator
url.type_ = URI.TYPE_URL
url.condition = 'Equals'
indicator.add_observable(url)
return indicator
def create_url_indicator(self, url_indicator):
indicator = Indicator()
indicator.title = 'URL of site hosting malware'
indicator.add_indicator_type('URL Watchlist')
url = URI()
url.value = url_indicator
url.type_ = URI.TYPE_URL
url.condition = 'Equals'
indicator.add_observable(url)
return indicator
def genObject_URI(data):
from cybox.core.observable import Observables, Observable
from cybox.utils import create_id as CyboxID
from cybox.objects.uri_object import URI
objURI = URI()
objURI.idref = None
objURI.properties = None
objURI.related_objects = []
objURI.domain_specific_object_properties = None
objURI.value = escape(unicode(data['url']))
objURI.value.condition = 'Equals'
objURI.type_ = "URL"
obsURI = Observable(objURI)
obsURI.idref = None
obsURI.object = None
objURI = None
obsURI.title = "URL: " + escape(unicode(data['url']))[:70] + "..."
# sDscrpt = "URL: " + data['url'] + "| isOnline:" + data['online'] + "| dateVerified:" + data['verification_time']
# obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
# try:
# obsURI.description = "URL: " + escape(unicode(data['url'])) + "| isOnline:" + data['online'] + "| dateVerified:" + data['verification_time']
# except:
# obsURI.description = "URL: " + " --[URL Not Displayed - Due to encoding issue]-- " + "| isOnline:" + data['online'] + "| dateVerified:" + data['verification_time']
obsURI.description = "URL: " + escape(data['url']) + "| isOnline:" + data[
'online'] + "| dateVerified:" + data['verification_time']
obsURI.event = None
obsURI.observable_composition = None
obsURI.sighting_count = 1
obsURI.observable_source = []
return (obsURI)
def create_domain_name_observable(domain_name):
domain_name_object = URI.from_dict({"value": domain_name, "type": URI.TYPE_DOMAIN})
domain_name_observable = Observable(domain_name_object)
domain_name_observable.title = "Malware Artifact - Domain"
domain_name_observable.description = "Domain derived from sandboxed malware sample."
domain_name_observable.short_description = "Domain from malware."
return domain_name_observable
def cybox_object_http(obj):
http_session = HTTPSession()
hh = HTTPRequestResponse()
hc = HTTPClientRequest()
if obj.client_request.message_body:
hm = HTTPMessage()
hm.lenght = len(obj.client_request.message_body)
hm.message_body = String(obj.client_request.message_body)
hc.http_message_body = hm
rh = HTTPRequestHeader()
if obj.client_request.raw_header:
rh.raw_header = String(obj.client_request.raw_header)
hhf = HTTPRequestHeaderFields()
hhf.user_agent = String(obj.client_request.user_agent)
host_field = HostField()
host_field.domain_name = URI(value=obj.client_request.domain_name)
port = Port()
port.port_value = PositiveInteger(obj.client_request.port.port)
host_field.port = port
hhf.host = host_field
rh.parsed_header = hhf
hc.http_request_header = rh
hl = HTTPRequestLine()
hl.http_method = String(obj.client_request.request_method)
hl.version = String(obj.client_request.request_version)
hl.value = String(obj.client_request.request_uri)
hc.http_request_line = hl
hh.http_client_request = hc
http_session.http_request_response = [hh]
return http_session
def create_domain_name_observable(domain_name):
'''Create a CybOX Observable representing a domain name.'''
domain_name_object = URI.from_dict({
'value': domain_name,
'type': URI.TYPE_DOMAIN
})
return Observable(domain_name_object)
def create_url_observable(url):
url_object = URI.from_dict({"value": url, "type": URI.TYPE_URL})
url_observable = Observable(url_object)
url_observable.title = "Malware Artifact - URL"
url_observable.description = "URL derived from sandboxed malware sample."
url_observable.short_description = "URL from malware."
return url_observable
def main():
pkg = STIXPackage()
indicator = Indicator()
indicator.id_ = "example:package-382ded87-52c9-4644-bab0-ad3168cbad50"
indicator.title = "Malicious site hosting downloader"
indicator.add_indicator_type("URL Watchlist")
url = URI()
url.value = "http://x4z9arb.cn/4712"
url.type_ = URI.TYPE_URL
indicator.add_observable(url)
pkg.add_indicator(indicator)
print pkg.to_xml()
def main():
NAMESPACE = {"https://www.ncsc.gov.uk/": "ncscuk"}
idgen.set_id_namespace(NAMESPACE)
pkg = STIXPackage()
coa = CourseOfAction()
obj = file_to_obj('out.json')
if obj.type == 'bundle':
for _dict in obj.objects:
object = dict_to_obj(_dict)
if object.type == 'indicator':
ind = Indicator()
id_str = object.id.replace('--', '-')
print id_str
#ind.id_ = object.id
pattern_type = object.pattern.split(':')[0]
_value = re.sub("'", '', object.pattern.split(' = ')[1])
if pattern_type == 'ipv4-addr':
obs = Observable(
Address(address_value=_value,
category=Address.CAT_IPV4))
elif pattern_type == 'url':
obs = Observable(URI(value=_value, type_=URI.TYPE_URL))
pkg.add_observable(obs)
obs_ref = Observable()
obs_ref.id_ = None
obs_ref.idref = obs.id_
ind.add_observable(obs_ref)
pkg.add_indicator(ind)
print pkg.to_xml()
def create_url_observable(url):
url_object = URI.from_dict({'value': url, 'type': URI.TYPE_URL})
url_observable = Observable(url_object)
url_observable.title = "Malware Artifact - URL"
url_observable.description = "URL derived from sandboxed malware sample."
url_observable.short_description = "URL from malware."
return url_observable
def main():
pkg = STIXPackage()
indicator = Indicator()
indicator.id_ = "example:package-382ded87-52c9-4644-bab0-ad3168cbad50"
indicator.title = "Malicious site hosting downloader"
indicator.add_indicator_type("URL Watchlist")
url = URI()
url.value = "http://x4z9arb.cn/4712"
url.type_ = URI.TYPE_URL
url.value.condition = "Equals"
indicator.add_observable(url)
pkg.add_indicator(indicator)
print pkg.to_xml()
def from_dict(registrar_dict):
if not registrar_dict:
return None
registrar = WhoisRegistrar()
registrar.registrar_id = String.from_dict(registrar_dict.get('registrar_id'))
registrar.registrar_guid = String.from_dict(registrar_dict.get('registrar_guid'))
registrar.name = String.from_dict(registrar_dict.get('name'))
registrar.address = String.from_dict(registrar_dict.get('address'))
registrar.email_address = Address.from_dict(registrar_dict.get('email_address'), Address.CAT_EMAIL)
registrar.phone_number = String.from_dict(registrar_dict.get('phone_number'))
registrar.whois_server = URI.from_dict(registrar_dict.get('whois_server'))
registrar.referral_url = URI.from_dict(registrar_dict.get('referral_url'))
registrar.contacts = WhoisContacts.from_list(registrar_dict.get('contacts'))
return registrar
def from_obj(registrar_obj):
if not registrar_obj:
return None
registrar = WhoisRegistrar()
registrar.registrar_id = String.from_obj(registrar_obj.get_Registrar_ID())
registrar.registrar_guid = String.from_obj(registrar_obj.get_Registrar_GUID())
registrar.name = String.from_obj(registrar_obj.get_Name())
registrar.address = String.from_obj(registrar_obj.get_Address())
registrar.email_address = Address.from_obj(registrar_obj.get_Email_Address())
registrar.phone_number = String.from_obj(registrar_obj.get_Phone_Number())
registrar.whois_server = URI.from_obj(registrar_obj.get_Whois_Server())
registrar.referral_url = URI.from_obj(registrar_obj.get_Referral_URL())
registrar.contacts = WhoisContacts.from_obj(registrar_obj.get_Contacts())
return registrar
def convert_network_traffic_to_http_session(http_request_ext, nc, obs20_id):
obj1x = HTTPSession()
nc.layer7_connections = Layer7Connections()
nc.layer7_connections.http_session = obj1x
rr = HTTPRequestResponse()
obj1x.http_request_response.append(rr)
rr.http_client_request = HTTPClientRequest()
request_line = HTTPRequestLine()
request_line.http_method = http_request_ext["request_method"]
request_line.value = http_request_ext["request_value"]
if "request_version" in http_request_ext:
request_line.version = http_request_ext["request_version"]
rr.http_client_request.http_request_line = request_line
if "request_header" in http_request_ext:
rr.http_client_request.http_request_header = HTTPRequestHeader()
rr.http_client_request.http_request_header.parsed_header = HTTPRequestHeaderFields(
)
convert_obj(http_request_ext["request_header"],
rr.http_client_request.http_request_header.parsed_header,
HTTP_REQUEST_HEADERS_MAP, obs20_id)
if "Host" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.host = \
add_host(http_request_ext["request_header"]["Host"])
if "From" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.from_ = \
EmailAddress(http_request_ext["request_header"]["From"])
if "Referer" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.referer = \
URI(http_request_ext["request_header"]["Referer"])
if "X_Wap_Profile" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.x_wap_profile = \
URI(http_request_ext["request_header"]["X_Wap_Profile"])
if "message_body_length" in http_request_ext or "message_body_data_ref" in http_request_ext:
body = HTTPMessage()
if "message_body_length" in http_request_ext:
body.length = http_request_ext["message_body_length"]
if "message_body_data_ref" in http_request_ext:
if http_request_ext["message_body_length"] in _STIX1X_OBJS:
artifact_obj = _STIX1X_OBJS[
http_request_ext["message_body_length"]]
body.message_body = artifact_obj.packed_data
else:
warn("%s is not an index found in %s", 306,
http_request_ext["message_body_length"], obs20_id)
rr.http_client_request.http_message_body = body
def fqdn(fqdn,provider,reporttime):
currentTime = time.time()
parsed_uri = urlparse( str(fqdn) )
domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri)
if domain.startswith('https'):
domain = domain[8:]
else:
domain = domain[7:]
if domain.endswith('/'):
domain = domain[:-1]
vuln = Vulnerability()
vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime)
vuln.description = "maliciousIPV4"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
url = URI()
url.value = fqdn
url.type_ = URI.TYPE_URL
url.condition = "Equals"
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "FQDN-" + str(fqdn)
indicator.description = ("Malicious FQDN " + str(fqdn) + " reported from " + provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
indicator.add_observable(url)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open('/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' + str(currentTime) + '.xml','w')
f.write(stix_package.to_xml())
f.close()
def from_obj(mal_conf_storage_obj):
if not mal_conf_storage_obj:
return None
mal_conf_storage_ = MalwareConfigurationStorageDetails()
mal_conf_storage_.malware_binary = MalwareBinaryConfigurationStorageDetails.from_obj(mal_conf_storage_obj.get_Malware_Binary())
mal_conf_storage_.file = File.from_obj(mal_conf_storage_obj.get_File())
if mal_conf_storage_obj.get_URL():
mal_conf_storage_.url = [URI.from_obj(x) for x in mal_conf_obj.get_URL()]
return mal_conf_storage_
def add_host(host_info):
uri_port = host_info.split(":")
hf = HostField()
if len(uri_port) > 1:
port = Port()
port.port_value = uri_port[1]
hf.port = port
hf.domain_name = URI(uri_port[0], URI.TYPE_DOMAIN)
return hf
def from_dict(mal_conf_storage_dict):
if not mal_conf_storage_dict:
return None
mal_conf_storage_ = MalwareConfigurationStorageDetails()
mal_conf_storage_.malware_binary = MalwareBinaryConfigurationStorageDetails.from_dict(mal_conf_storage_dict['malware_binary'])
mal_conf_storage_.file = File.from_dict(mal_conf_storage_dict['file'])
if mal_conf_storage_dict['url']:
mal_conf_storage_.url = [URI.from_dict(x) for x in mal_conf_storage_dict['configuration_parameter']]
return mal_conf_storage_
def __create_domain_name_object(self, domain):
""" Creates a CybOX URIObjectType object """
if not domain:
return None
if self.__verbose_output:
sys.stderr.write("** creating domain name object for: %s\n" % domain)
return URI(domain)
def create_maec(self, url_indicator):
package = Package()
ms = MalwareSubject()
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = URI(
type_=URI.TYPE_URL)
ms.malware_instance_object_attributes.properties.value = url_indicator
package.add_malware_subject(ms)
return package
def __create_url_object(self, url):
""" Creates a CybOX URIObjectType object """
if not url:
return None
if self.__verbose_output:
sys.stderr.write("** creating uri object for: %s\n" % url)
return URI(url)
def fqdn(fqdn, provider, reporttime):
currentTime = time.time()
parsed_uri = urlparse(str(fqdn))
domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri)
if domain.startswith('https'):
domain = domain[8:]
else:
domain = domain[7:]
if domain.endswith('/'):
domain = domain[:-1]
vuln = Vulnerability()
vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime)
vuln.description = "maliciousIPV4"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
url = URI()
url.value = fqdn
url.type_ = URI.TYPE_URL
url.condition = "Equals"
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "FQDN-" + str(fqdn)
indicator.description = ("Malicious FQDN " + str(fqdn) +
" reported from " + provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
indicator.add_observable(url)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open(
'/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' +
str(currentTime) + '.xml', 'w')
f.write(stix_package.to_xml())
f.close()
def add_url_observable(self, url):
if url in self.__urls:
return
self.__urls.add(url)
url_object = URI.from_dict({'value': url, 'type': URI.TYPE_URL})
url_observable = Observable(url_object)
url_observable.title = "Malware Artifact - URL"
url_observable.description = "URL derived from sandboxed malware sample."
url_observable.short_description = "URL from malware."
self.url_indicator.add_observable(url_observable)
def add_domain_name_observable(self, domain_name):
if domain_name in self.__domains:
return
self.__domains.add(domain_name)
domain_name_object = URI.from_dict({'value': domain_name, 'type': URI.TYPE_DOMAIN})
domain_name_observable = Observable(domain_name_object)
domain_name_observable.title = "Malware Artifact - Domain"
domain_name_observable.description = "Domain derived from sandboxed malware sample."
domain_name_observable.short_description = "Domain from malware."
self.domain_indicator.add_observable(domain_name_observable)
def create_domain_name_observable(domain_name):
domain_name_object = URI.from_dict({
'value': domain_name,
'type': URI.TYPE_DOMAIN
})
domain_name_observable = Observable(domain_name_object)
domain_name_observable.title = "Malware Artifact - Domain"
domain_name_observable.description = "Domain derived from sandboxed malware sample."
domain_name_observable.short_description = "Domain from malware."
return domain_name_observable
def main():
mydata = loaddata()
'''
Your Namespace
'''
# NAMESPACE = {sanitizer(mydata["NSXURL"]) : sanitizer(mydata["NS"])}
# set_id_namespace(NAMESPACE)
NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS"
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name=sanitizer(mydata["Identity"]))
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = sanitizer(mydata["TLP_COLOR"])
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
MyTITLE = sanitizer(mydata["Title"])
SHORT = timestamp
DESCRIPTION = sanitizer(mydata["Description"])
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
indiDom = Indicator()
indiDom.title = MyTITLE
indiDom.add_indicator_type("Domain Watchlist")
for key in mydata["IOC"].keys():
fqdn = URI()
fqdn.value = sanitizer(key)
fqdn.type_ = URI.TYPE_DOMAIN
fqdn.condition = "Equals"
obsu = Observable(fqdn)
for idx, mydata["IOC"][key] in enumerate(mydata["IOC"][key]):
ioc = File()
ioc.add_hash(sanitizer(mydata["IOC"][key]))
fqdn.add_related(ioc, "Downloaded")
indiDom.add_observable(obsu)
wrapper.add_indicator(indiDom)
print(wrapper.to_xml())
def add_raw_indicator(self , orig_indicator, ts=None):
indicator_value = orig_indicator
if not self._is_ascii(indicator_value):
return False
indicator_type, _ = guess_type(indicator_value)
# Create a CyboX File Object
if indicator_type == StixItemType.IPADDR:
title = "Malicious IPv4 - %s" % indicator_value
descr = "Malicious IPv4 involved with %s" % self._pkg.stix_header.title
cybox = Address(indicator_value , Address.CAT_IPV4)
elif indicator_type == StixItemType.DOMAIN:
title = "Malicious domain - %s" % indicator_value
descr = "Malicious domain involved with %s" % self._pkg.stix_header.title
cybox = DomainName()
cybox.value = indicator_value
elif indicator_type == StixItemType.MD5:
title = "Malicious MD5 - %s" % indicator_value
descr = "Malicious MD5 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.SHA256:
title = "Malicious SHA256 - %s" % indicator_value
descr = "Malicious SHA256 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.SHA1:
title = "Malicious SHA1 - %s" % indicator_value
descr = "Malicious SHA1 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.URL:
title = "Malicious URL - %s" % indicator_value
descr = "Malicious URL involved with %s" % self._pkg.stix_header.title
cybox = URI()
cybox.value = indicator_value
cybox.type_ = URI.TYPE_URL
if indicator_type == StixItemType.UNKNOWN:
return False
indicator = Indicator()
indicator.title = title
indicator.description = descr
indicator.add_object(cybox)
indicator.set_producer_identity(self.__author)
if ts:
indicator.set_produced_time(ts)
else:
indicator.set_produced_time(utils.dates.now())
self._add(indicator)
return True
def make_cybox_object(type_, name=None, value=None):
"""
Converts type_, name, and value to a CybOX object instance.
:param type_: The object type.
:type type_: str
:param name: The object name.
:type name: str
:param value: The object value.
:type value: str
:returns: CybOX object
"""
if type_ == "Address":
return Address(category=name, address_value=value)
elif type_ == "Email Message":
e = EmailMessage()
e.raw_body = value
return e
#TODO: Http Request Header Fields not implemented?
#elif type_ == "Http Request Header Fields":
#pass
#TODO: Mutex object type is incomplete
#elif type_ == "Mutex":
#return Mutex.object_from_dict({'name': value})
#TODO: use Byte_Run object?
#elif type_ == "String":
#pass
elif type_ == "URI":
#return URI(type_=name, value=value)
r = URI()
r.type_ = name
r.value = value
return r
#TODO: Win_File incomplete
#elif type_ == "Win File":
#TODO: Registry_Key incomplete
#elif type_ == "Win Handle" and name == "RegistryKey":
#return Registry_Key.object_from_dict({'key':value})
raise UnsupportedCybOXObjectTypeError(type_, name)
def stix_xml(bldata):
# Create the STIX Package and Header objects
stix_package = STIXPackage()
stix_header = STIXHeader()
# Set the description
stix_header.description = "RiskIQ Blacklist Data - STIX Format"
# Set the namespace
NAMESPACE = {"http://www.riskiq.com": "RiskIQ"}
set_id_namespace(NAMESPACE)
# Set the produced time to now
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
# Create the STIX Package
stix_package = STIXPackage()
# Build document
stix_package.stix_header = stix_header
# Build the Package Intent
stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)
# Build the indicator
indicator = Indicator()
indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam"
indicator.add_indicator_type("URL Watchlist")
for datum in bldata:
url = URI()
url.value = ""
url.value = datum['url']
url.type_ = URI.TYPE_URL
url.condition = "Equals"
indicator.add_observable(url)
stix_package.add_indicator(indicator)
return stix_package.to_xml()
def make_cybox_object(type_, name=None, value=None):
"""
Converts type_, name, and value to a CybOX object instance.
:param type_: The object type.
:type type_: str
:param name: The object name.
:type name: str
:param value: The object value.
:type value: str
:returns: CybOX object
"""
if type_ == "Address":
return Address(category=name, address_value=value)
elif type_ == "Email Message":
e = EmailMessage()
e.raw_body = value
return e
#TODO: Http Request Header Fields not implemented?
#elif type_ == "Http Request Header Fields":
#pass
#TODO: Mutex object type is incomplete
#elif type_ == "Mutex":
#return Mutex.object_from_dict({'name': value})
#TODO: use Byte_Run object?
#elif type_ == "String":
#pass
elif type_ == "URI":
#return URI(type_=name, value=value)
r = URI()
r.type_ = name
r.value = value
return r
#TODO: Win_File incomplete
#elif type_ == "Win File":
#TODO: Registry_Key incomplete
#elif type_ == "Win Handle" and name == "RegistryKey":
#return Registry_Key.object_from_dict({'key':value})
raise UnsupportedCybOXObjectTypeError(type_, name)
def from_dict(message_dict):
message = EmailMessage()
for attachment in message_dict.get('attachments', []):
message.attachments.append(File.from_dict(attachment))
for link in message_dict.get('links', []):
message.links.append(URI.from_dict(link))
message.header = EmailHeader.from_dict(message_dict.get('header'))
message.optional_header = OptionalHeader.from_dict(message_dict.get('optional_header'))
message.email_server = String.from_dict(message_dict.get('email_server'))
message.raw_body = String.from_dict(message_dict.get('raw_body'))
message.raw_header = String.from_dict(message_dict.get('raw_header'))
return message
def test_subject_TypedField(self):
h = EmailHeader()
# Set using actual object
h.subject = String("Howdy")
self.assertEqual(String, type(h.subject))
# Set using implied cast
h.subject = "Howdy"
self.assertEqual(String, type(h.subject))
s = "http://badsubject.com"
bad_object = URI(s)
self.assertRaises(ValueError, setattr, h, 'subject', bad_object)
def print_match(self, fpath, page, name, match):
# Resolve all hashes to single HASH reference to avoid repetition
if name == 'MD5' or name == 'SHA1' or name == 'SHA256':
name = 'HASH'
if name in ind_dict:
indicator = ind_dict[name]
add_ind_list.append(name)
indicator.title = fpath
#===========
# Add new object handlers here:
if name == 'IP':
new_obj = Address(address_value=match,
category=Address.CAT_IPV4)
elif name == 'HASH':
new_obj = File()
new_obj.add_hash(Hash(match))
elif name == 'URL':
new_obj = URI(type_=URI.TYPE_URL, value=match)
elif name == 'Host':
new_obj = URI(type_=URI.TYPE_DOMAIN, value=match)
elif name == 'Email':
new_obj = Address(
address_value=match, category=Address.CAT_EMAIL
) ## Not sure if this is right - should this be using the email_message_object?
elif name == 'Registry':
new_obj = WinRegistryKey(values=match)
#===========
new_obs = Observable(new_obj)
new_obs.title = "Page Ref: " + str(page)
indicator.add_observable(new_obs)
def from_dict(whois_dict):
if not whois_dict:
return None
whois = WhoisEntry()
ObjectProperties.from_dict(whois_dict, whois)
whois.domain_name = URI.from_dict(whois_dict.get('domain_name'))
whois.domain_id = String.from_dict(whois_dict.get('domain_id'))
whois.server_name = URI.from_dict(whois_dict.get('server_name'))
whois.ip_address = Address.from_dict(whois_dict.get('ip_address'), Address.CAT_IPV4)
whois.dnssec = whois_dict.get('dnssec')
whois.nameservers = WhoisNameservers.from_list(whois_dict.get('nameservers'))
whois.status = WhoisStatuses.from_list(whois_dict.get('status'))
whois.updated_date = DateTime.from_dict(whois_dict.get('updated_date'))
whois.creation_date = DateTime.from_dict(whois_dict.get('creation_date'))
whois.expiration_date = DateTime.from_dict(whois_dict.get('expiration_date'))
whois.regional_internet_registry = String.from_dict(whois_dict.get('regional_internet_registry'))
whois.sponsoring_registrar = String.from_dict(whois_dict.get('sponsoring_registrar'))
whois.registrar_info = WhoisRegistrar.from_dict(whois_dict.get('registrar_info'))
whois.registrants = WhoisRegistrants.from_list(whois_dict.get('registrants'))
whois.contact_info = WhoisContact.from_dict(whois_dict.get('contact_info'))
return whois
def test_get_namespaces(self):
m = EmailMessage()
m.to = "*****@*****.**"
m.subject = "Here's a cool picture"
m.links = Links()
u = URI("http://example.com/cool.jpg", URI.TYPE_URL)
m.links.append(u.parent.id_)
o = Observables([u, m])
print o.to_xml()
actual_namespaces = o._get_namespaces()
print "\n".join([str(x) for x in actual_namespaces])
self.assertEqual(5, len(actual_namespaces))
def from_obj(whois_obj):
if not whois_obj:
return None
whois = WhoisEntry()
ObjectProperties.from_obj(whois_obj, whois)
whois.domain_name = URI.from_obj(whois_obj.get_Domain_Name())
whois.domain_id = String.from_obj(whois_obj.get_Domain_ID())
whois.server_name = URI.from_obj(whois_obj.get_Server_Name())
whois.ip_address = Address.from_obj(whois_obj.get_IP_Address())
whois.dnssec = whois_obj.get_DNSSEC()
whois.nameservers = WhoisNameservers.from_obj(whois_obj.get_Nameservers())
whois.status = WhoisStatuses.from_obj(whois_obj.get_Status())
whois.updated_date = DateTime.from_obj(whois_obj.get_Updated_Date())
whois.creation_date = DateTime.from_obj(whois_obj.get_Creation_Date())
whois.expiration_date = DateTime.from_obj(whois_obj.get_Expiration_Date())
whois.regional_internet_registry = String.from_obj(whois_obj.get_Regional_Internet_Registry())
whois.sponsoring_registrar = String.from_obj(whois_obj.get_Sponsoring_Registrar())
whois.registrar_info = WhoisRegistrar.from_obj(whois_obj.get_Registrar_Info())
whois.registrants = WhoisRegistrants.from_obj(whois_obj.get_Registrants())
whois.contact_info = WhoisContact.from_obj(whois_obj.get_Contact_Info())
return whois
def from_dict(dns_record_dict):
if not dns_record_dict:
return None
dns_record_ = DNSRecord()
dns_record_.description = StructuredText.from_dict(dns_record_dict.get('description'))
dns_record_.domain_name = URI.from_dict(dns_record_dict.get('domain_name'))
dns_record_.ip_address = Address.from_dict(dns_record_dict.get('ip_address'))
dns_record_.address_class = String.from_dict(dns_record_dict.get('address_class'))
dns_record_.entry_type = String.from_dict(dns_record_dict.get('entry_type'))
dns_record_.record_name = String.from_dict(dns_record_dict.get('record_name'))
dns_record_.record_type = String.from_dict(dns_record_dict.get('record_type'))
dns_record_.ttl = Integer.from_dict(dns_record_dict.get('record_type'))
dns_record_.flags = HexBinary.from_dict(dns_record_dict.get('flags'))
dns_record_.data_length = Integer.from_dict(dns_record_dict.get('data_length'))
dns_record_.record_data = dns_record_dict.get('record_data')
return dns_record_
def from_obj(dns_record_obj):
if not dns_record_obj:
return None
dns_record_ = DNSRecord()
dns_record_.description = StructuredText.from_obj(dns_record_obj.get_Description())
dns_record_.domain_name = URI.from_obj(dns_record_obj.get_Domain_Name())
dns_record_.ip_address = Address.from_obj(dns_record_obj.get_IP_Address())
dns_record_.address_class = String.from_obj(dns_record_obj.get_Address_Class())
dns_record_.entry_type = String.from_obj(dns_record_obj.get_Entry_Type())
dns_record_.record_name = String.from_obj(dns_record_obj.get_Record_Name())
dns_record_.record_type = String.from_obj(dns_record_obj.get_Record_Type())
dns_record_.ttl = Integer.from_obj(dns_record_obj.get_TTL())
dns_record_.flags = HexBinary.from_obj(dns_record_obj.get_Flags())
dns_record_.data_length = Integer.from_obj(dns_record_obj.get_Length())
dns_record_.record_data = dns_record_obj.get_Record_Data()
return dns_record_
def from_obj(message_obj):
message = EmailMessage()
attachments = message_obj.get_Attachments()
if attachments:
for attachment in attachments.get_File():
message.attachments.append(File.from_obj(attachment))
links = message_obj.get_Links()
if links:
for link in links.get_Link():
message.links.append(URI.from_obj(link))
message.header = EmailHeader.from_obj(message_obj.get_Header())
message.optional_header = OptionalHeader.from_obj(message_obj.get_Optional_Header())
message.email_server = String.from_obj(message_obj.get_Email_Server())
message.raw_body = String.from_obj(message_obj.get_Raw_Body())
message.raw_header = String.from_obj(message_obj.get_Raw_Header())
return message
def get_observable(self):
if self.type_ == 'md5':
o_ = File()
o_.md5 = self.value
elif self.type_ == 'sha1':
o_ = File()
o_.sha1 = self.value
elif self.type_ == 'sha256':
o_ = File()
o_.sha256 = self.value
elif self.type_ == 'sha512':
o_ = File()
o_.sha256 = self.value
elif self.type_ == 'url':
o_ = URI(value=self.value, type_=URI.TYPE_URL)
elif self.type_ == 'hostname':
o_ = DomainName()
o_.value = self.value
o_.type_ = 'FQDN'
elif self.type_ == 'domain':
o_ = DomainName()
o_.value = self.value
o_.type_ = 'domain'
elif self.type_ == 'ip-dst':
o_ = Address(address_value=self.value, category=Address.CAT_IPV4)
o_.is_destination = True
o_.is_Source = False
elif self.type_ == 'email-src':
o_ = Address(address_value=self.value, category=Address.CAT_EMAIL)
elif self.type_ == 'email-subject':
o_ = EmailMessage()
o_.subject = self.value
else:
# print 'skip>>>>: type_: ' + str(self.type_)
o_ = None
return o_
def create_stix_package(reference,results):
stix_package = STIXPackage()
STIX_NAMESPACE = {"http://wapacklabs.com" : "wapack"}
OBS_NAMESPACE = Namespace("http://wapacklabs.com", "wapack")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
stix_header = STIXHeader()
fusionreport_title = reference
timestring = time.time()
formatted_timestring = datetime.fromtimestamp(timestring).strftime('%Y_%m_%d')
stix_file_name = fusionreport_title+'_stix_package_TR_'+formatted_timestring+'.xml'
stix_header.description = 'This STIX package includes indicators reported to the Red Sky community. Please send all inquiries to [email protected]'
stix_package.stix_header = stix_header
for item in results:
process_type = str(item["ProcessType"]).decode('utf-8')
if process_type == 'Direct':
indicator = str(item["Indicator"]).decode('utf-8')
#print indicator
item_reference = str(item["Reference"]).decode('utf-8')
source = str(item["Source"]).decode('utf-8')
killchain = str(item["KillChain"]).decode('utf-8')
first_seen = str(item["FirstSeen"]).decode('utf-8')
last_seen = str(item["LastSeen"]).decode('utf-8')
attribution = str(item["Attribution"]).decode('utf-8')
indicator_type = str(item["Type"]).decode('utf-8')
rrname = str(item["Rrname"])
rdata = str(item["Rdata"])
rootnode = str(item["RootNode"])
country = str(item["Country"]).decode('utf-8')
tags = str(item["Tags"]).decode('utf-8')
comment2 = item["Comment"]
comment = unicodedata.normalize('NFKD', comment2).encode('ascii','ignore')
confidence = str(item["Confidence"]).decode('utf-8')
if indicator_type == 'MD5' or indicator_type == 'SHA1':
f = File()
hashval = indicator
hashval2 = hashval.decode('utf8', 'ignore')
f.add_hash(hashval2)
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,f,stix_package)
if indicator_type == 'Registry':
reg = WinRegistryKey()
key = indicator
key_add = key.decode('utf8', 'ignore')
reg.key = key_add
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,reg,stix_package)
if indicator_type == 'Subject':
email_subj_obj = EmailMessage()
email_subj_obj.header = EmailHeader()
subj = indicator
subj_add = subj.decode('utf8', 'ignore')
email_subj_obj.header.subject = subj_add
indcator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,email_subj_obj,stix_package)
if indicator_type == 'File':
filename = File()
file_name_fix = indicator
file_name_fix2 = file_name_fix.decode('utf8', 'ignore')
filename.file_name = file_name_fix2
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,filename,stix_package)
if indicator_type == 'Email':
email = Address()
email.address_value = indicator.decode('utf8', 'ignore')
email.category = Address.CAT_EMAIL
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,email,stix_package)
if indicator_type == 'Domain':
domain = URI()
domainval = indicator.decode('utf8', 'ignore')
domain.value = domainval.decode('utf8', 'ignore')
domain.type_ = URI.TYPE_DOMAIN
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,domain,stix_package)
if indicator_type == 'IP':
ip = Address()
ip.address_value = indicator.decode('utf8', 'ignore')
ip.category = Address.CAT_IPV4
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,ip,stix_package)
if indicator_type == 'String':
strng = Memory()
string = indicator
strng.name = string.decode('utf8', 'ignore')
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,strng,stix_package)
if indicator_type == 'URL':
url = URI()
url_indicator = indicator
url.value = url_indicator.decode('utf8', 'ignore')
url.type_ = URI.TYPE_URL
indicator = Indicator()
add_stix_indicator_regular(indicator,indicator,item_reference,tags,source,last_seen,confidence,process_type,comment,killchain,attribution,url,stix_package)
f = open(stix_file_name, "w")
a = stix_package.to_xml()
f.write(a)
f.close()
def get_indicator_from_json(indicator_json, user_timezone):
type_ = indicator_json['type']
v = indicator_json['value']
title = indicator_json['title']
o_ = None
# ipv4か?
if type_ == JSON_OBJECT_TYPE_IPV4:
o_ = Address()
o_.address_value = v.replace('[', '').replace(']', '')
# urlか?
if type_ == JSON_OBJECT_TYPE_URI:
o_ = URI()
o_.value = v
# md5か?
if type_ == JSON_OBJECT_TYPE_MD5:
o_ = File()
o_.md5 = v
# sha1か?
if type_ == JSON_OBJECT_TYPE_SHA1:
o_ = File()
o_.sha1 = v
# sha256か?
if type_ == JSON_OBJECT_TYPE_SHA256:
o_ = File()
o_.sha256 = v
# sha512か?
if type_ == JSON_OBJECT_TYPE_SHA512:
o_ = File()
o_.sha512 = v
# email-addressか?
if type_ == JSON_OBJECT_TYPE_EMAIL_ADDRESS:
o_ = EmailAddress()
o_.address_value = v
# domainか?
if type_ == JSON_OBJECT_TYPE_DOMAIN:
o_ = DomainName()
o_.value = v.replace('[', '').replace(']', '')
# file名か?
if type_ == JSON_OBJECT_TYPE_FILE_NAME:
o_ = File()
o_.file_name = v
# なにも該当していないので None
if o_ is None:
print('何も該当なし:' + str(type_) + ':' + str(v))
return None
# indicator 作って返却
indicator_title = '%s (%s)' % (v, title)
ind = CommonExtractor.get_indicator_from_object(
o_, indicator_title, user_timezone)
return ind
def test_no_type(self):
uri_dict = {'value': "http://www.example.com",
'xsi:type': URI._XSI_TYPE}
uri_obj = URI.object_from_dict(uri_dict)
uri_dict2 = URI.dict_from_object(uri_obj)
self.assertEqual(uri_dict, uri_dict2)
def test_unicode(self):
u = u"www.\u0395\u03a7\u0391\u039c\u03a1LE.com"
uri = URI(u, URI.TYPE_DOMAIN)
uri2 = cybox.test.round_trip(uri)
self.assertEqual(uri.to_dict(), uri2.to_dict())
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['ipAddr']
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isSource: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if len(sDomain) > 0:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
objDomain = None
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
#Parser URI
sURI = data[sKey]['attrib']['URI']
if len(sURI) > 0:
objURI = URI()
objURI.value = sURI
objURI.value.condition = 'Equals'
objURI.type_ = URI.TYPE_URL
obsURI = Observable(objURI)
objURI = None
obsURI.sighting_count = 1
obsURI.title = 'URI: ' + sURI
sDscrpt = 'URI: ' + sURI + " | "
sDscrpt += "Type: URL | "
obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsURI)
obsURI = None
objIndicator.add_indicator_type("URL Watchlist")
#Parser File Hash
sHash = data[sKey]['attrib']['hash']
if len(sHash) > 0:
objFile = File()
sFileName = data[sKey]['attrib']['fileName']
if len(sFileName) > 0:
objFile.file_name = sFileName
objFile.file_format = sFileName.split('.')[1]
objFile.add_hash(Hash(sHash, exact=True))
obsFile = Observable(objFile)
objFile = None
obsFile.sighting_count = 1
obsFile.title = 'File: ' + sFileName
sDscrpt = 'FileName: ' + sFileName + " | "
sDscrpt += "FileHash: " + sHash + " | "
obsFile.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsFile)
obsFile = None
objIndicator.add_indicator_type("File Hash Watchlist")
### Add Generated observable to Indicator
objIndicator.observables = listOBS
objIndicator.observable_composition_operator = 'OR'
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
objIndicator.set_received_time(data[sKey]['dateDL'])
### Old Title / Description Generator
#objIndicator.title = data[sKey]['attrib']['title'];
#objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>";
### Generate Indicator Title based on availbe data
sTitle = 'ZeuS Tracker (' + data[sKey]['attrib'][
'status'] + ')| ' + data[sKey]['attrib']['title']
if len(sAddr) > 0:
sAddLine = "This IP address has been identified as malicious"
if len(sDomain) > 0:
sAddLine = "This domain has been identified as malicious"
if len(sAddLine) > 0:
sTitle = sTitle + " | " + sAddLine
if len(srcObj.Domain) > 0:
sTitle = sTitle + " by " + srcObj.Domain
else:
sTitle = sTitle + "."
if len(sTitle) > 0:
objIndicator.title = sTitle
#Generate Indicator Description based on availbe data
sDscrpt = ""
if len(sAddr) > 0:
sAddLine = "This IP address " + sAddr
if len(sDomain) > 0:
sAddLine = "This domain " + sDomain
if len(sAddr) > 0 and len(sDomain) > 0:
sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
if len(sAddLine) > 0:
sDscrpt = sDscrpt + sAddLine
sDscrpt = sDscrpt + " has been identified as malicious"
if len(srcObj.Domain) > 0:
sDscrpt = sDscrpt + " by " + srcObj.Domain
else:
sDscrpt = sDscrpt + "."
sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[
sKey]['attrib']['link'] + "]."
if len(sDscrpt) > 0:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
objMalware = MalwareInstance()
objMalware.add_name("ZeuS")
objMalware.add_name("Zbot")
objMalware.add_name("Zeus")
objMalware.add_type("Remote Access Trojan")
objMalware.short_description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware effects Microsoft Windows operating system"
objMalware.description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on computers running under versions of the Microsoft Windows operating system. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.[1] Zeus is spread mainly through drive-by downloads and phishing schemes. (2014(http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29))"
objTTP = TTP(title="ZeuS")
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def create_url_observable(url):
url_object = URI.from_dict({'value': url, 'type': URI.TYPE_URL})
return Observable(url_object)
