def cybox_object_http(obj): http_session = HTTPSession() hh = HTTPRequestResponse() hc = HTTPClientRequest() if obj.client_request.message_body: hm = HTTPMessage() hm.lenght = len(obj.client_request.message_body) hm.message_body = String(obj.client_request.message_body) hc.http_message_body = hm rh = HTTPRequestHeader() if obj.client_request.raw_header: rh.raw_header = String(obj.client_request.raw_header) hhf = HTTPRequestHeaderFields() hhf.user_agent = String(obj.client_request.user_agent) host_field = HostField() host_field.domain_name = URI(value=obj.client_request.domain_name) port = Port() port.port_value = PositiveInteger(obj.client_request.port.port) host_field.port = port hhf.host = host_field rh.parsed_header = hhf hc.http_request_header = rh hl = HTTPRequestLine() hl.http_method = String(obj.client_request.request_method) hl.version = String(obj.client_request.request_version) hl.value = String(obj.client_request.request_uri) hc.http_request_line = hl hh.http_client_request = hc http_session.http_request_response = [hh] return http_session
def stix_xml(bldata): # Create the STIX Package and Header objects stix_package = STIXPackage() stix_header = STIXHeader() # Set the description stix_header.description = "RiskIQ Blacklist Data - STIX Format" # Set the namespace NAMESPACE = {"http://www.riskiq.com": "RiskIQ"} set_id_namespace(NAMESPACE) # Set the produced time to now stix_header.information_source = InformationSource() stix_header.information_source.time = Time() stix_header.information_source.time.produced_time = datetime.now() # Create the STIX Package stix_package = STIXPackage() # Build document stix_package.stix_header = stix_header # Build the Package Intent stix_header.package_intents.append(PackageIntent.TERM_INDICATORS) # Build the indicator indicator = Indicator() indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam" indicator.add_indicator_type("URL Watchlist") for datum in bldata: url = URI() url.value = "" url.value = datum['url'] url.type_ = URI.TYPE_URL url.condition = "Equals" indicator.add_observable(url) stix_package.add_indicator(indicator) return stix_package.to_xml()
def genObject_URI(data): from cybox.core.observable import Observables, Observable from cybox.utils import create_id as CyboxID from cybox.objects.uri_object import URI objURI = URI() objURI.idref = None objURI.properties = None objURI.related_objects = [] objURI.domain_specific_object_properties = None objURI.value = escape(unicode(data['url'])) objURI.value.condition = 'Equals' objURI.type_ = "URL" obsURI = Observable(objURI) obsURI.idref = None obsURI.object = None objURI = None obsURI.title = "URL: " + escape(unicode(data['url']))[:70] + "..." # sDscrpt = "URL: " + data['url'] + "| isOnline:" + data['online'] + "| dateVerified:" + data['verification_time'] # obsURI.description = "<![CDATA[" + sDscrpt + "]]>" # try: # obsURI.description = "URL: " + escape(unicode(data['url'])) + "| isOnline:" + data['online'] + "| dateVerified:" + data['verification_time'] # except: # obsURI.description = "URL: " + " --[URL Not Displayed - Due to encoding issue]-- " + "| isOnline:" + data['online'] + "| dateVerified:" + data['verification_time'] obsURI.description = "URL: " + escape(data['url']) + "| isOnline:" + data[ 'online'] + "| dateVerified:" + data['verification_time'] obsURI.event = None obsURI.observable_composition = None obsURI.sighting_count = 1 obsURI.observable_source = [] return (obsURI)
def main(): NAMESPACE = {"https://www.ncsc.gov.uk/": "ncscuk"} idgen.set_id_namespace(NAMESPACE) pkg = STIXPackage() coa = CourseOfAction() obj = file_to_obj('out.json') if obj.type == 'bundle': for _dict in obj.objects: object = dict_to_obj(_dict) if object.type == 'indicator': ind = Indicator() id_str = object.id.replace('--', '-') print id_str #ind.id_ = object.id pattern_type = object.pattern.split(':')[0] _value = re.sub("'", '', object.pattern.split(' = ')[1]) if pattern_type == 'ipv4-addr': obs = Observable( Address(address_value=_value, category=Address.CAT_IPV4)) elif pattern_type == 'url': obs = Observable(URI(value=_value, type_=URI.TYPE_URL)) pkg.add_observable(obs) obs_ref = Observable() obs_ref.id_ = None obs_ref.idref = obs.id_ ind.add_observable(obs_ref) pkg.add_indicator(ind) print pkg.to_xml()
def main(): v = AnyURI("http://www.example.com/index1.html") u = URI() u.value = v u.type_ = URI.TYPE_URL print(Observables(u).to_xml())
def convert_network_traffic_to_http_session(http_request_ext, nc, obs20_id): obj1x = HTTPSession() nc.layer7_connections = Layer7Connections() nc.layer7_connections.http_session = obj1x rr = HTTPRequestResponse() obj1x.http_request_response.append(rr) rr.http_client_request = HTTPClientRequest() request_line = HTTPRequestLine() request_line.http_method = http_request_ext["request_method"] request_line.value = http_request_ext["request_value"] if "request_version" in http_request_ext: request_line.version = http_request_ext["request_version"] rr.http_client_request.http_request_line = request_line if "request_header" in http_request_ext: rr.http_client_request.http_request_header = HTTPRequestHeader() rr.http_client_request.http_request_header.parsed_header = HTTPRequestHeaderFields( ) convert_obj(http_request_ext["request_header"], rr.http_client_request.http_request_header.parsed_header, HTTP_REQUEST_HEADERS_MAP, obs20_id) if "Host" in http_request_ext["request_header"]: rr.http_client_request.http_request_header.parsed_header.host = \ add_host(http_request_ext["request_header"]["Host"]) if "From" in http_request_ext["request_header"]: rr.http_client_request.http_request_header.parsed_header.from_ = \ EmailAddress(http_request_ext["request_header"]["From"]) if "Referer" in http_request_ext["request_header"]: rr.http_client_request.http_request_header.parsed_header.referer = \ URI(http_request_ext["request_header"]["Referer"]) if "X_Wap_Profile" in http_request_ext["request_header"]: rr.http_client_request.http_request_header.parsed_header.x_wap_profile = \ URI(http_request_ext["request_header"]["X_Wap_Profile"]) if "message_body_length" in http_request_ext or "message_body_data_ref" in http_request_ext: body = HTTPMessage() if "message_body_length" in http_request_ext: body.length = http_request_ext["message_body_length"] if "message_body_data_ref" in http_request_ext: if http_request_ext["message_body_length"] in _STIX1X_OBJS: artifact_obj = _STIX1X_OBJS[ http_request_ext["message_body_length"]] body.message_body = artifact_obj.packed_data else: warn("%s is not an index found in %s", 306, http_request_ext["message_body_length"], obs20_id) rr.http_client_request.http_message_body = body
def main(): v = AnyURI("http://www.example.com/index1.html") v.condition = "Equals" u = URI() u.value = v u.type_ = URI.TYPE_URL print(Observables(u).to_xml(encoding=None))
def __create_url_object(self, url): """ Creates a CybOX URIObjectType object """ if not url: return None if self.__verbose_output: sys.stderr.write("** creating uri object for: %s\n" % url) return URI(url)
def __create_domain_name_object(self, domain): """ Creates a CybOX URIObjectType object """ if not domain: return None if self.__verbose_output: sys.stderr.write("** creating domain name object for: %s\n" % domain) return URI(domain)
def create_maec(self, url_indicator): package = Package() ms = MalwareSubject() ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = URI( type_=URI.TYPE_URL) ms.malware_instance_object_attributes.properties.value = url_indicator package.add_malware_subject(ms) return package
def main(): mydata = loaddata() ''' Your Namespace ''' # NAMESPACE = {sanitizer(mydata["NSXURL"]) : sanitizer(mydata["NS"])} # set_id_namespace(NAMESPACE) NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS'])) set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS" wrapper = STIXPackage() info_src = InformationSource() info_src.identity = Identity(name=sanitizer(mydata["Identity"])) marking_specification = MarkingSpecification() marking_specification.controlled_structure = "//node() | //@*" tlp = TLPMarkingStructure() tlp.color = sanitizer(mydata["TLP_COLOR"]) marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) timestamp = datetime.datetime.fromtimestamp( time.time()).strftime('%Y-%m-%d %H:%M:%S') MyTITLE = sanitizer(mydata["Title"]) SHORT = timestamp DESCRIPTION = sanitizer(mydata["Description"]) wrapper.stix_header = STIXHeader(information_source=info_src, title=MyTITLE, description=DESCRIPTION, short_description=SHORT) wrapper.stix_header.handling = handling indiDom = Indicator() indiDom.title = MyTITLE indiDom.add_indicator_type("Domain Watchlist") for key in mydata["IOC"].keys(): fqdn = URI() fqdn.value = sanitizer(key) fqdn.type_ = URI.TYPE_DOMAIN fqdn.condition = "Equals" obsu = Observable(fqdn) for idx, mydata["IOC"][key] in enumerate(mydata["IOC"][key]): ioc = File() ioc.add_hash(sanitizer(mydata["IOC"][key])) fqdn.add_related(ioc, "Downloaded") indiDom.add_observable(obsu) wrapper.add_indicator(indiDom) print(wrapper.to_xml())
def gen_urls(self, count): '''Generate list of URLs''' urls = [] for i in range(0, count): uri = URI(type_='URL') uri.value = self.fake.uri() urls.append(uri) return urls
def add_host(host_info): uri_port = host_info.split(":") hf = HostField() if len(uri_port) > 1: port = Port() port.port_value = uri_port[1] hf.port = port hf.domain_name = URI(uri_port[0], URI.TYPE_DOMAIN) return hf
def test_round_trip(self): uri_str = "http://www.example.com" t = URI.TYPE_URL uri = URI(AnyURI(uri_str), t) uri2 = cybox.test.round_trip(uri) self.assertEqual(uri.to_dict(), uri2.to_dict()) self.assertEqual(uri_str, str(uri2)) self.assertEqual(t, uri2.type_)
def main(): NS = cybox.utils.Namespace("http://example.com/", "example") cybox.utils.set_id_namespace(NS) v = AnyURI("http://www.example.com/index1.html") u = URI() u.value = v u.type_ = URI.TYPE_URL print Observables(u).to_xml()
def create_url_indicator(self, url_indicator): indicator = Indicator() indicator.title = 'URL of site hosting malware' indicator.add_indicator_type('URL Watchlist') url = URI() url.value = url_indicator url.type_ = URI.TYPE_URL url.condition = 'Equals' indicator.add_observable(url) return indicator
def add_raw_indicator(self , orig_indicator, ts=None): indicator_value = orig_indicator if not self._is_ascii(indicator_value): return False indicator_type, _ = guess_type(indicator_value) # Create a CyboX File Object if indicator_type == StixItemType.IPADDR: title = "Malicious IPv4 - %s" % indicator_value descr = "Malicious IPv4 involved with %s" % self._pkg.stix_header.title cybox = Address(indicator_value , Address.CAT_IPV4) elif indicator_type == StixItemType.DOMAIN: title = "Malicious domain - %s" % indicator_value descr = "Malicious domain involved with %s" % self._pkg.stix_header.title cybox = DomainName() cybox.value = indicator_value elif indicator_type == StixItemType.MD5: title = "Malicious MD5 - %s" % indicator_value descr = "Malicious MD5 involved with %s" % self._pkg.stix_header.title cybox = File() cybox.add_hash(indicator_value ) elif indicator_type == StixItemType.SHA256: title = "Malicious SHA256 - %s" % indicator_value descr = "Malicious SHA256 involved with %s" % self._pkg.stix_header.title cybox = File() cybox.add_hash(indicator_value ) elif indicator_type == StixItemType.SHA1: title = "Malicious SHA1 - %s" % indicator_value descr = "Malicious SHA1 involved with %s" % self._pkg.stix_header.title cybox = File() cybox.add_hash(indicator_value ) elif indicator_type == StixItemType.URL: title = "Malicious URL - %s" % indicator_value descr = "Malicious URL involved with %s" % self._pkg.stix_header.title cybox = URI() cybox.value = indicator_value cybox.type_ = URI.TYPE_URL if indicator_type == StixItemType.UNKNOWN: return False indicator = Indicator() indicator.title = title indicator.description = descr indicator.add_object(cybox) indicator.set_producer_identity(self.__author) if ts: indicator.set_produced_time(ts) else: indicator.set_produced_time(utils.dates.now()) self._add(indicator) return True
def test_subject_TypedField(self): h = EmailHeader() # Set using actual object h.subject = String("Howdy") self.assertEqual(String, type(h.subject)) # Set using implied cast h.subject = "Howdy" self.assertEqual(String, type(h.subject)) s = "http://badsubject.com" bad_object = URI(s) self.assertRaises(ValueError, setattr, h, 'subject', bad_object)
def print_match(self, fpath, page, name, match): # Resolve all hashes to single HASH reference to avoid repetition if name == 'MD5' or name == 'SHA1' or name == 'SHA256': name = 'HASH' if name in ind_dict: indicator = ind_dict[name] add_ind_list.append(name) indicator.title = fpath #=========== # Add new object handlers here: if name == 'IP': new_obj = Address(address_value=match, category=Address.CAT_IPV4) elif name == 'HASH': new_obj = File() new_obj.add_hash(Hash(match)) elif name == 'URL': new_obj = URI(type_=URI.TYPE_URL, value=match) elif name == 'Host': new_obj = URI(type_=URI.TYPE_DOMAIN, value=match) elif name == 'Email': new_obj = Address( address_value=match, category=Address.CAT_EMAIL ) ## Not sure if this is right - should this be using the email_message_object? elif name == 'Registry': new_obj = WinRegistryKey(values=match) #=========== new_obs = Observable(new_obj) new_obs.title = "Page Ref: " + str(page) indicator.add_observable(new_obs)
def test_get_namespaces(self): m = EmailMessage() m.to = "*****@*****.**" m.subject = "Here's a cool picture" m.links = Links() u = URI("http://example.com/cool.jpg", URI.TYPE_URL) m.links.append(u.parent.id_) o = Observables([u, m]) print o.to_xml() actual_namespaces = o._get_namespaces() print "\n".join([str(x) for x in actual_namespaces]) self.assertEqual(5, len(actual_namespaces))
def main(): pkg = STIXPackage() indicator = Indicator() indicator.id_ = "example:package-382ded87-52c9-4644-bab0-ad3168cbad50" indicator.title = "Malicious site hosting downloader" indicator.add_indicator_type("URL Watchlist") url = URI() url.value = "http://x4z9arb.cn/4712" url.type_ = URI.TYPE_URL url.value.condition = "Equals" indicator.add_observable(url) pkg.add_indicator(indicator) print pkg.to_xml()
def fqdn(fqdn, provider, reporttime): currentTime = time.time() parsed_uri = urlparse(str(fqdn)) domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri) if domain.startswith('https'): domain = domain[8:] else: domain = domain[7:] if domain.endswith('/'): domain = domain[:-1] vuln = Vulnerability() vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime) vuln.description = "maliciousIPV4" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) url = URI() url.value = fqdn url.type_ = URI.TYPE_URL url.condition = "Equals" # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "FQDN-" + str(fqdn) indicator.description = ("Malicious FQDN " + str(fqdn) + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) indicator.add_observable(url) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open( '/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' + str(currentTime) + '.xml', 'w') f.write(stix_package.to_xml()) f.close()
def make_cybox_object(type_, name=None, value=None): """ Converts type_, name, and value to a CybOX object instance. :param type_: The object type. :type type_: str :param name: The object name. :type name: str :param value: The object value. :type value: str :returns: CybOX object """ if type_ == "Address": return Address(category=name, address_value=value) elif type_ == "Email Message": e = EmailMessage() e.raw_body = value return e #TODO: Http Request Header Fields not implemented? #elif type_ == "Http Request Header Fields": #pass #TODO: Mutex object type is incomplete #elif type_ == "Mutex": #return Mutex.object_from_dict({'name': value}) #TODO: use Byte_Run object? #elif type_ == "String": #pass elif type_ == "URI": #return URI(type_=name, value=value) r = URI() r.type_ = name r.value = value return r #TODO: Win_File incomplete #elif type_ == "Win File": #TODO: Registry_Key incomplete #elif type_ == "Win Handle" and name == "RegistryKey": #return Registry_Key.object_from_dict({'key':value}) raise UnsupportedCybOXObjectTypeError(type_, name)
def get_observable(self): if self.type_ == 'md5': o_ = File() o_.md5 = self.value elif self.type_ == 'sha1': o_ = File() o_.sha1 = self.value elif self.type_ == 'sha256': o_ = File() o_.sha256 = self.value elif self.type_ == 'sha512': o_ = File() o_.sha256 = self.value elif self.type_ == 'url': o_ = URI(value=self.value, type_=URI.TYPE_URL) elif self.type_ == 'hostname': o_ = DomainName() o_.value = self.value o_.type_ = 'FQDN' elif self.type_ == 'domain': o_ = DomainName() o_.value = self.value o_.type_ = 'domain' elif self.type_ == 'ip-dst': o_ = Address(address_value=self.value, category=Address.CAT_IPV4) o_.is_destination = True o_.is_Source = False elif self.type_ == 'email-src': o_ = Address(address_value=self.value, category=Address.CAT_EMAIL) elif self.type_ == 'email-subject': o_ = EmailMessage() o_.subject = self.value else: # print 'skip>>>>: type_: ' + str(self.type_) o_ = None return o_
def get_indicator_from_json(indicator_json, user_timezone): type_ = indicator_json['type'] v = indicator_json['value'] title = indicator_json['title'] o_ = None # ipv4か? if type_ == JSON_OBJECT_TYPE_IPV4: o_ = Address() o_.address_value = v.replace('[', '').replace(']', '') # urlか? if type_ == JSON_OBJECT_TYPE_URI: o_ = URI() o_.value = v # md5か? if type_ == JSON_OBJECT_TYPE_MD5: o_ = File() o_.md5 = v # sha1か? if type_ == JSON_OBJECT_TYPE_SHA1: o_ = File() o_.sha1 = v # sha256か? if type_ == JSON_OBJECT_TYPE_SHA256: o_ = File() o_.sha256 = v # sha512か? if type_ == JSON_OBJECT_TYPE_SHA512: o_ = File() o_.sha512 = v # email-addressか? if type_ == JSON_OBJECT_TYPE_EMAIL_ADDRESS: o_ = EmailAddress() o_.address_value = v # domainか? if type_ == JSON_OBJECT_TYPE_DOMAIN: o_ = DomainName() o_.value = v.replace('[', '').replace(']', '') # file名か? if type_ == JSON_OBJECT_TYPE_FILE_NAME: o_ = File() o_.file_name = v # なにも該当していないので None if o_ is None: print('何も該当なし:' + str(type_) + ':' + str(v)) return None # indicator 作って返却 indicator_title = '%s (%s)' % (v, title) ind = CommonExtractor.get_indicator_from_object( o_, indicator_title, user_timezone) return ind
def adptr_dict2STIX(srcObj, data): sTxt = "Called... " sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()') stixObj = None ### Input Check if srcObj == None or data == None: #TODO: Needs error msg: Missing srcData Object return (False) ### Generate NameSpace id tags STIX_NAMESPACE = {"http://hailataxii.com": "opensource"} OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource") stix_set_id_namespace(STIX_NAMESPACE) obs_set_id_namespace(OBS_NAMESPACE) ### Building STIX Wrapper stix_package = STIXPackage() objIndicator = Indicator() ### Bulid Object Data for sKey in data: objIndicator = Indicator() listOBS = [] ### Parsing IP Address sAddr = data[sKey]['attrib']['ipAddr'] if len(sAddr) > 0: objAddr = Address() objAddr.is_source = True objAddr.address_value = sAddr objAddr.address_value.condition = 'Equals' if isIPv4(sAddr): objAddr.category = 'ipv4-addr' elif isIPv6(sAddr): objAddr.category = 'ipv6-addr' else: continue obsAddr = Observable(objAddr) objAddr = None obsAddr.sighting_count = 1 obsAddr.title = 'IP: ' + sAddr sDscrpt = 'IPv4' + ': ' + sAddr + " | " sDscrpt += "isSource: True | " obsAddr.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsAddr) obsAddr = None objIndicator.add_indicator_type("IP Watchlist") ### Parsing Domain sDomain = data[sKey]['attrib']['domain'] if len(sDomain) > 0: objDomain = DomainName() objDomain.value = sDomain objDomain.value.condition = 'Equals' if isFQDN(sDomain): objDomain.type = 'FQDN' elif isTLD(sDomain): objDomain.type = 'TLD' else: continue obsDomain = Observable(objDomain) objDomain = None obsDomain.sighting_count = 1 obsDomain.title = 'Domain: ' + sDomain sDscrpt = 'Domain: ' + sDomain + " | " sDscrpt += "isFQDN: True | " obsDomain.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsDomain) obsDomain = None objIndicator.add_indicator_type("Domain Watchlist") #Parser URI sURI = data[sKey]['attrib']['URI'] if len(sURI) > 0: objURI = URI() objURI.value = sURI objURI.value.condition = 'Equals' objURI.type_ = URI.TYPE_URL obsURI = Observable(objURI) objURI = None obsURI.sighting_count = 1 obsURI.title = 'URI: ' + sURI sDscrpt = 'URI: ' + sURI + " | " sDscrpt += "Type: URL | " obsURI.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsURI) obsURI = None objIndicator.add_indicator_type("URL Watchlist") #Parser File Hash sHash = data[sKey]['attrib']['hash'] if len(sHash) > 0: objFile = File() sFileName = data[sKey]['attrib']['fileName'] if len(sFileName) > 0: objFile.file_name = sFileName objFile.file_format = sFileName.split('.')[1] objFile.add_hash(Hash(sHash, exact=True)) obsFile = Observable(objFile) objFile = None obsFile.sighting_count = 1 obsFile.title = 'File: ' + sFileName sDscrpt = 'FileName: ' + sFileName + " | " sDscrpt += "FileHash: " + sHash + " | " obsFile.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsFile) obsFile = None objIndicator.add_indicator_type("File Hash Watchlist") ### Add Generated observable to Indicator objIndicator.observables = listOBS objIndicator.observable_composition_operator = 'OR' #Parsing Producer sProducer = srcObj.Domain if len(sProducer) > 0: objIndicator.set_producer_identity(sProducer) objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']) objIndicator.set_received_time(data[sKey]['dateDL']) ### Old Title / Description Generator #objIndicator.title = data[sKey]['attrib']['title']; #objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>"; ### Generate Indicator Title based on availbe data sTitle = 'ZeuS Tracker (' + data[sKey]['attrib'][ 'status'] + ')| ' + data[sKey]['attrib']['title'] if len(sAddr) > 0: sAddLine = "This IP address has been identified as malicious" if len(sDomain) > 0: sAddLine = "This domain has been identified as malicious" if len(sAddLine) > 0: sTitle = sTitle + " | " + sAddLine if len(srcObj.Domain) > 0: sTitle = sTitle + " by " + srcObj.Domain else: sTitle = sTitle + "." if len(sTitle) > 0: objIndicator.title = sTitle #Generate Indicator Description based on availbe data sDscrpt = "" if len(sAddr) > 0: sAddLine = "This IP address " + sAddr if len(sDomain) > 0: sAddLine = "This domain " + sDomain if len(sAddr) > 0 and len(sDomain) > 0: sAddLine = "This domain " + sDomain + " (" + sAddr + ")" if len(sAddLine) > 0: sDscrpt = sDscrpt + sAddLine sDscrpt = sDscrpt + " has been identified as malicious" if len(srcObj.Domain) > 0: sDscrpt = sDscrpt + " by " + srcObj.Domain else: sDscrpt = sDscrpt + "." sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[ sKey]['attrib']['link'] + "]." if len(sDscrpt) > 0: objIndicator.description = "<![CDATA[" + sDscrpt + "]]>" #Parse TTP objMalware = MalwareInstance() objMalware.add_name("ZeuS") objMalware.add_name("Zbot") objMalware.add_name("Zeus") objMalware.add_type("Remote Access Trojan") objMalware.short_description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware effects Microsoft Windows operating system" objMalware.description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on computers running under versions of the Microsoft Windows operating system. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.[1] Zeus is spread mainly through drive-by downloads and phishing schemes. (2014(http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29))" objTTP = TTP(title="ZeuS") objTTP.behavior = Behavior() objTTP.behavior.add_malware_instance(objMalware) objIndicator.add_indicated_ttp(objTTP) #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_)) #stix_package.add_ttp(objTTP) stix_package.add_indicator(objIndicator) objIndicator = None ### STIX Package Meta Data stix_header = STIXHeader() stix_header.title = srcObj.pkgTitle stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>" ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/ marking_specification = MarkingSpecification() classLevel = SimpleMarkingStructure() classLevel.statement = "Unclassified (Public)" marking_specification.marking_structures.append(classLevel) objTOU = TermsOfUseMarkingStructure() sTOU = open('tou.txt').read() objTOU.terms_of_use = sProducer + " | " + sTOU marking_specification.marking_structures.append(objTOU) tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) marking_specification.controlled_structure = "//node()" handling = Marking() handling.add_marking(marking_specification) stix_header.handling = handling stix_package.stix_header = stix_header stix_header = None ### Generate STIX XML File locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml' sndFile(stix_package.to_xml(), locSTIXFile) return (stix_package)
def main(iocs=iocs): stix_header = STIXHeader(title=iocs['title'], description=iocs['desc'], package_intents=["Indicators - Watchlist"]) stix_package = STIXPackage(stix_header=stix_header) # add indicator - file hash if iocs.get('hash'): indicator_file_hash = Indicator(title="Malicious File") indicator_file_hash.add_indicator_type("File Hash Watchlist") for file_hash in iocs['hash']: file_object = File() file_object.add_hash(Hash(file_hash)) file_object.hashes[0].simple_hash_value.condition = "Equals" file_object.hashes[0].type_.condition = "Equals" indicator_file_hash.add_observable(file_object) stix_package.add_indicator(indicator_file_hash) # add indicator - file name if iocs.get('fname'): indicator_filename = Indicator(title="Malicious File Name") for file in iocs['fname']: file_object = File() file_object.file_name = file indicator_filename.add_observable(file_object) stix_package.add_indicator(indicator_filename) # add indicator - ip address if iocs.get('ips'): indicator_ip = Indicator(title="Malicious IP Address") indicator_ip.add_indicator_type("IP Watchlist") for ip in iocs['ips']: addr = Address(address_value=ip, category=Address.CAT_IPV4) addr.condition = "Equals" indicator_ip.add_observable(addr) stix_package.add_indicator(indicator_ip) # add indicator - domains if iocs.get('domains'): indicator_domains = Indicator(title="Malicious Domains") indicator_domains.add_indicator_type("Domain Watchlist") for domain in iocs['domains']: domain_name = DomainName() domain_name.value = domain indicator_domains.add_observable(domain_name) stix_package.add_indicator(indicator_domains) # add indicator - url if iocs.get('urls'): indicator_url = Indicator(title='Malicious URL') indicator_url.add_indicator_type("URL Watchlist") for _url in iocs['urls']: url = URI() url.value = _url url.type_ = URI.TYPE_URL url.value.condition = "Equals" # url.value.condition = "Contains" indicator_url.add_observable(url) stix_package.add_indicator(indicator_url) # add indicator - email subject if iocs.get('subject'): indicator_email_subject = Indicator(title='Malicious E-mail Subject') indicator_email_subject.add_indicator_type("Malicious E-mail") for subject in iocs['subject']: email_subject_object = EmailMessage() email_subject_object.header = EmailHeader() email_subject_object.header.subject = subject email_subject_object.header.subject.condition = "StartsWith" indicator_email_subject.add_observable(email_subject_object) stix_package.add_indicator(indicator_email_subject) # add indicator - email sender if iocs.get('senders'): indicator_email_sender = Indicator(title='Malicious E-mail Sender') indicator_email_sender.add_indicator_type("Malicious E-mail") for sender in iocs['senders']: email_sender_object = EmailMessage() email_sender_object.header = EmailHeader() email_sender_object.header.sender = sender email_sender_object.header.sender.condition = "Equals" indicator_email_sender.add_observable(email_sender_object) stix_package.add_indicator(indicator_email_sender) # print(stix_package.to_xml(encoding=None)) # print(type(stix_package.to_xml(encoding=None))) return stix_package.to_xml(encoding=None)
def setUp(self): set_id_method(2) self.ip = Address("192.168.1.1", Address.CAT_IPV4) self.domain = URI("example.local", URI.TYPE_DOMAIN)
def __create_whois_object(self, domain): """ Creates a CybOX WHOISObjectType object """ if not domain: return None if(self.__verbose_output): sys.stderr.write("** creating Whois object for: %s\n" % domain) if self.http_whois: record = self.__get_whois_record_http(domain) else: record = self.__get_whois_record(domain) if not record: return None whois = WhoisEntry() record['status'] = ['OK' if status == 'ACTIVE' else status for status in record['status']] #Only build registrar info objects if we have the relevant info if (record['registrar'] or record['whois_server'] or record['registrar_address'] or record['referral_url'] or record['registrar_contacts']): registrar = WhoisRegistrar() registrar.name = String(record.get('registrar')) registrar.address = String(record.get('registrar_address')) registrar.whois_server = URI(record.get('whois_server')) registrar.referral_url = URI(record.get('referral_url')) contacts = WhoisContacts() for email in record['registrar_contacts']: contact = WhoisContact() contact.contact_type = 'ADMIN' contact.name = String(record.get('registrar')) contact.email_address = EmailAddress(email) contacts.append(contact) registrar.contacts = contacts whois.registrar_info = registrar whois.domain_name = self.__create_domain_name_object(record.get('domain_name')) nservers = WhoisNameservers() for url in record.get('name_servers', []): nservers.append(self.__create_url_object(url)) if nservers: whois.nameservers = nservers status = WhoisStatuses() for s in record.get('status', []): status.append(WhoisStatus(s)) if status: whois.status = status whois.updated_date = DateTime(record.get('updated_date')) whois.creation_date = DateTime(record.get('creation_date')) whois.expiration_date = DateTime(record.get('expiration_date')) return whois
def adptr_dict2STIX(srcObj, data): sTxt = "Called... " sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()') stixObj = None ### Input Check if srcObj == None or data == None: #TODO: Needs error msg: Missing srcData Object return (False) ### Generate NameSpace id tags STIX_NAMESPACE = {"http://hailataxii.com": "opensource"} OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource") stix_set_id_namespace(STIX_NAMESPACE) obs_set_id_namespace(OBS_NAMESPACE) ### Building STIX Wrapper stix_package = STIXPackage() objIndicator = Indicator() ### Bulid Object Data for sKey in data: objIndicator = Indicator() listOBS = [] oObsSrcData = genObsSrcData(srcObj, data[sKey]) ### Parsing IP Address sAddr = data[sKey]['attrib']['ip'] if len(sAddr) > 0: objAddr = Address() objAddr.is_destination = True objAddr.address_value = sAddr objAddr.address_value.condition = 'Equals' if isIPv4(sAddr): objAddr.type = 'ipv4-addr' elif isIPv6(sAddr): objAddr.type = 'ipv6-addr' else: continue obsAddr = Observable(objAddr) objAddr = None obsAddr.sighting_count = 1 oObsSrcData.sighting_count = 1 obsAddr.observable_source.append(oObsSrcData) sTitle = 'IP: ' + sAddr obsAddr.title = sTitle sDscpt = 'ipv4-addr' + ': ' + sAddr + " | " sDscpt += "is_destination: True | " if data[sKey]['attrib']['first']: sDscpt += "firstSeen: " + data[sKey]['attrib']['first'] + " | " if data[sKey]['attrib']['last']: sDscpt += "lastSeen: " + data[sKey]['attrib']['last'] + " | " obsAddr.description = "<![CDATA[" + sDscpt + "]]>" listOBS.append(obsAddr) obsAddr = None ### Parsing Network Address sAddr = data[sKey]['attrib']['inetnum'] if sAddr: objAddr = Address() objAddr.is_destination = True sAddrNet = sAddr.split("-") objAddr.address_value = sAddrNet[0].strip( ) + "##comma##" + sAddrNet[1].strip() objAddr.address_value.condition = 'InclusiveBetween' objAddr.category = 'ipv4-net' obsAddr = Observable(objAddr) objAddr = None obsAddr.sighting_count = 1 oObsSrcData.sighting_count = 1 obsAddr.observable_source.append(oObsSrcData) sTitle = 'NETWORK_range: ' + sAddr obsAddr.title = sTitle sDscpt = 'ipv4-net' + ': ' + sAddr + " | " if data[sKey]['attrib']['netname']: sDscpt += 'netName' + ': ' + data[sKey]['attrib'][ 'netname'] + " | " obsAddr.description = "<![CDATA[" + sDscpt + "]]>" listOBS.append(obsAddr) obsAddr = None ### Parsing Email Address sEMAIL = data[sKey]['attrib']['email'] if sEMAIL: objEmail = EmailAddress() #objEmail.is_source = True objEmail.address_value = sEMAIL objEmail.address_value.condition = 'Equals' objEmail.category = 'e-mail' obsEmail = Observable(objEmail) objEmail = None obsEmail.sighting_count = 1 oObsSrcData.sighting_count = 1 if len(data[sKey]['attrib']['source']) > 0: oObsSrcData.name = data[sKey]['attrib']['source'] obsEmail.observable_source.append(oObsSrcData) sTitle = 'REGISTRAR_email: ' + sEMAIL obsEmail.title = sTitle sDscrpt = 'REGISTRAR_email: ' + sEMAIL if data[sKey]['attrib']['descr']: sDscrpt += " | REGISTRAR_name: " + data[sKey]['attrib'][ 'descr'] + " | " obsEmail.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsEmail) obsEmail = None ### Parsing Domain sDomain = data[sKey]['attrib']['domain'] if len(sDomain) > 0: objDomain = DomainName() objDomain.value = sDomain objDomain.value.condition = 'Equals' objDomain.is_destination = True if isFQDN(sDomain): objDomain.type = 'FQDN' elif isTLD(sDomain): objDomain.type = 'TLD' else: continue obsDomain = Observable(objDomain) objDomain = None obsDomain.sighting_count = 1 oObsSrcData.sighting_count = 1 obsDomain.observable_source.append(oObsSrcData) obsDomain.title = 'Domain: ' + sDomain sDscpt = 'Domain: ' + sDomain + " | " sDscpt += "isDestination: True | " if data[sKey]['attrib']['first']: sDscpt += "firstSeen: " + data[sKey]['attrib']['first'] + " | " if data[sKey]['attrib']['last']: sDscpt += "lastSeen: " + data[sKey]['attrib']['last'] + " | " #if obsDomain.description = "<![CDATA[" + sDscpt + "]]>" listOBS.append(obsDomain) obsDomain = None objIndicator.add_indicator_type("Domain Watchlist") #Parser URI sURI = data[sKey]['attrib']['url'] if len(sURI) > 0: objURI = URI() objURI.value = sURI objURI.value.condition = 'Equals' objURI.type_ = URI.TYPE_URL obsURI = Observable(objURI) objURI = None obsURI.sighting_count = 1 oObsSrcData.sighting_count = 1 obsURI.observable_source.append(oObsSrcData) obsURI.title = 'URI: ' + sURI sDscpt = 'URI: ' + sURI + " | " sDscpt += "Type: URL | " obsURI.description = "<![CDATA[" + sDscpt + "]]>" listOBS.append(obsURI) obsURI = None objIndicator.add_indicator_type("URL Watchlist") sDscrpt = None sCntry_code = None sCntry_name = None sRgstra_email = None sRgstra_name = None # add Phishing Email Target # add Phishing email Details phishtank_ID if data[sKey]['attrib']['country']: sCntry_code = data[sKey]['attrib']['country'] if sCntry_code in dictCC2CN: sCntry_name = dictCC2CN[sCntry_code] if data[sKey]['attrib']['email'] > 0: sRgstra_email = data[sKey]['attrib']['email'] if data[sKey]['attrib']['descr']: sRgstra_name = data[sKey]['attrib']['descr'] sDscrpt = " clean-mx.de has identified this " if isIPv4(data[sKey]['attrib']['domain']): sDscrpt += "ip address " + data[sKey]['attrib']['domain'] + " " else: sDscrpt += "domain " + data[sKey]['attrib']['domain'] + " " sDscrpt += "as malicious " if data[sKey]['attrib']['target']: sDscrpt += "and uses phishing email(s) targeting " + data[sKey][ 'attrib']['target'] + " users with " else: sDscrpt += "and sent out " sDscrpt += "email containg this url <-Do Not Connect-> {" + data[sKey][ 'attrib']['url'] + "} <-Do Not Connect-> link. " if data[sKey]['attrib']['phishtank']: sDscrpt += "For more detail on the specific phisihing email use this phishtank ID [" + data[ sKey]['attrib']['phishtank'] + "]. " if sCntry_code: sDscrpt += " This url appears to originated in " + sCntry_code if sCntry_name: sDscrpt += " (" + sCntry_name + ")" if sCntry_code and (sRgstra_email or sRgstra_name): sDscrpt += " and is " if sRgstra_email: sDscrpt += "register to " + sRgstra_email if sRgstra_email and sRgstra_name: sDscrpt += " of " + sRgstra_name elif sRgstra_name: sDscrpt += "register to " + sRgstra_name sDscrpt += "." if sCntry_code or sRgstra_email or sRgstra_name: objIndicator.description = "<![CDATA[" + sDscrpt + "]]>" sTitle = 'Phishing ID:' + sKey + " " if data[sKey]['attrib']["target"]: sTitle += "Target: " + data[sKey]['attrib']["target"] + " " if data[sKey]['attrib']["url"]: sTitle += "URL: " + data[sKey]['attrib']["url"] + " " objIndicator.title = sTitle ### Add Generated observable to Indicator objIndicator.add_indicator_type("IP Watchlist") objIndicator.observable_composition_operator = 'OR' objIndicator.observables = listOBS #Parsing Producer sProducer = srcObj.Domain if len(sProducer) > 0: objIndicator.set_producer_identity(sProducer) objIndicator.set_produced_time(data[sKey]['attrib']['first']) objIndicator.set_received_time(data[sKey]['dateDL']) stix_package.add_indicator(objIndicator) objIndicator = None ### STIX Package Meta Data stix_header = STIXHeader() stix_header.title = srcObj.pkgTitle stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>" ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/ marking_specification = MarkingSpecification() classLevel = SimpleMarkingStructure() classLevel.statement = "Unclassified (Public)" marking_specification.marking_structures.append(classLevel) objTOU = TermsOfUseMarkingStructure() #sTOU = open('tou.txt').read() objTOU.terms_of_use = sProducer + " | " + srcObj.srcTOU marking_specification.marking_structures.append(objTOU) tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) marking_specification.controlled_structure = "//node()" handling = Marking() handling.add_marking(marking_specification) stix_header.handling = handling stix_package.stix_header = stix_header stix_header = None ### Generate STIX XML File locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml' sndFile(stix_package.to_xml(), locSTIXFile) return (stix_package)