def cybox_object_http(obj):
http_session = HTTPSession()
hh = HTTPRequestResponse()
hc = HTTPClientRequest()
if obj.client_request.message_body:
hm = HTTPMessage()
hm.lenght = len(obj.client_request.message_body)
hm.message_body = String(obj.client_request.message_body)
hc.http_message_body = hm
rh = HTTPRequestHeader()
if obj.client_request.raw_header:
rh.raw_header = String(obj.client_request.raw_header)
hhf = HTTPRequestHeaderFields()
hhf.user_agent = String(obj.client_request.user_agent)
host_field = HostField()
host_field.domain_name = URI(value=obj.client_request.domain_name)
port = Port()
port.port_value = PositiveInteger(obj.client_request.port.port)
host_field.port = port
hhf.host = host_field
rh.parsed_header = hhf
hc.http_request_header = rh
hl = HTTPRequestLine()
hl.http_method = String(obj.client_request.request_method)
hl.version = String(obj.client_request.request_version)
hl.value = String(obj.client_request.request_uri)
hc.http_request_line = hl
hh.http_client_request = hc
http_session.http_request_response = [hh]
return http_session
def stix_xml(bldata):
# Create the STIX Package and Header objects
stix_package = STIXPackage()
stix_header = STIXHeader()
# Set the description
stix_header.description = "RiskIQ Blacklist Data - STIX Format"
# Set the namespace
NAMESPACE = {"http://www.riskiq.com": "RiskIQ"}
set_id_namespace(NAMESPACE)
# Set the produced time to now
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
# Create the STIX Package
stix_package = STIXPackage()
# Build document
stix_package.stix_header = stix_header
# Build the Package Intent
stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)
# Build the indicator
indicator = Indicator()
indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam"
indicator.add_indicator_type("URL Watchlist")
for datum in bldata:
url = URI()
url.value = ""
url.value = datum['url']
url.type_ = URI.TYPE_URL
url.condition = "Equals"
indicator.add_observable(url)
stix_package.add_indicator(indicator)
return stix_package.to_xml()
def genObject_URI(data):
from cybox.core.observable import Observables, Observable
from cybox.utils import create_id as CyboxID
from cybox.objects.uri_object import URI
objURI = URI()
objURI.idref = None
objURI.properties = None
objURI.related_objects = []
objURI.domain_specific_object_properties = None
objURI.value = escape(unicode(data['url']))
objURI.value.condition = 'Equals'
objURI.type_ = "URL"
obsURI = Observable(objURI)
obsURI.idref = None
obsURI.object = None
objURI = None
obsURI.title = "URL: " + escape(unicode(data['url']))[:70] + "..."
# sDscrpt = "URL: " + data['url'] + "| isOnline:" + data['online'] + "| dateVerified:" + data['verification_time']
# obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
# try:
# obsURI.description = "URL: " + escape(unicode(data['url'])) + "| isOnline:" + data['online'] + "| dateVerified:" + data['verification_time']
# except:
# obsURI.description = "URL: " + " --[URL Not Displayed - Due to encoding issue]-- " + "| isOnline:" + data['online'] + "| dateVerified:" + data['verification_time']
obsURI.description = "URL: " + escape(data['url']) + "| isOnline:" + data[
'online'] + "| dateVerified:" + data['verification_time']
obsURI.event = None
obsURI.observable_composition = None
obsURI.sighting_count = 1
obsURI.observable_source = []
return (obsURI)
def main():
NAMESPACE = {"https://www.ncsc.gov.uk/": "ncscuk"}
idgen.set_id_namespace(NAMESPACE)
pkg = STIXPackage()
coa = CourseOfAction()
obj = file_to_obj('out.json')
if obj.type == 'bundle':
for _dict in obj.objects:
object = dict_to_obj(_dict)
if object.type == 'indicator':
ind = Indicator()
id_str = object.id.replace('--', '-')
print id_str
#ind.id_ = object.id
pattern_type = object.pattern.split(':')[0]
_value = re.sub("'", '', object.pattern.split(' = ')[1])
if pattern_type == 'ipv4-addr':
obs = Observable(
Address(address_value=_value,
category=Address.CAT_IPV4))
elif pattern_type == 'url':
obs = Observable(URI(value=_value, type_=URI.TYPE_URL))
pkg.add_observable(obs)
obs_ref = Observable()
obs_ref.id_ = None
obs_ref.idref = obs.id_
ind.add_observable(obs_ref)
pkg.add_indicator(ind)
print pkg.to_xml()
def main():
v = AnyURI("http://www.example.com/index1.html")
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print(Observables(u).to_xml())
def convert_network_traffic_to_http_session(http_request_ext, nc, obs20_id):
obj1x = HTTPSession()
nc.layer7_connections = Layer7Connections()
nc.layer7_connections.http_session = obj1x
rr = HTTPRequestResponse()
obj1x.http_request_response.append(rr)
rr.http_client_request = HTTPClientRequest()
request_line = HTTPRequestLine()
request_line.http_method = http_request_ext["request_method"]
request_line.value = http_request_ext["request_value"]
if "request_version" in http_request_ext:
request_line.version = http_request_ext["request_version"]
rr.http_client_request.http_request_line = request_line
if "request_header" in http_request_ext:
rr.http_client_request.http_request_header = HTTPRequestHeader()
rr.http_client_request.http_request_header.parsed_header = HTTPRequestHeaderFields(
)
convert_obj(http_request_ext["request_header"],
rr.http_client_request.http_request_header.parsed_header,
HTTP_REQUEST_HEADERS_MAP, obs20_id)
if "Host" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.host = \
add_host(http_request_ext["request_header"]["Host"])
if "From" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.from_ = \
EmailAddress(http_request_ext["request_header"]["From"])
if "Referer" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.referer = \
URI(http_request_ext["request_header"]["Referer"])
if "X_Wap_Profile" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.x_wap_profile = \
URI(http_request_ext["request_header"]["X_Wap_Profile"])
if "message_body_length" in http_request_ext or "message_body_data_ref" in http_request_ext:
body = HTTPMessage()
if "message_body_length" in http_request_ext:
body.length = http_request_ext["message_body_length"]
if "message_body_data_ref" in http_request_ext:
if http_request_ext["message_body_length"] in _STIX1X_OBJS:
artifact_obj = _STIX1X_OBJS[
http_request_ext["message_body_length"]]
body.message_body = artifact_obj.packed_data
else:
warn("%s is not an index found in %s", 306,
http_request_ext["message_body_length"], obs20_id)
rr.http_client_request.http_message_body = body
def main():
v = AnyURI("http://www.example.com/index1.html")
v.condition = "Equals"
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print(Observables(u).to_xml(encoding=None))
def __create_url_object(self, url):
""" Creates a CybOX URIObjectType object """
if not url:
return None
if self.__verbose_output:
sys.stderr.write("** creating uri object for: %s\n" % url)
return URI(url)
def __create_domain_name_object(self, domain):
""" Creates a CybOX URIObjectType object """
if not domain:
return None
if self.__verbose_output:
sys.stderr.write("** creating domain name object for: %s\n" % domain)
return URI(domain)
def create_maec(self, url_indicator):
package = Package()
ms = MalwareSubject()
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = URI(
type_=URI.TYPE_URL)
ms.malware_instance_object_attributes.properties.value = url_indicator
package.add_malware_subject(ms)
return package
def main():
mydata = loaddata()
'''
Your Namespace
'''
# NAMESPACE = {sanitizer(mydata["NSXURL"]) : sanitizer(mydata["NS"])}
# set_id_namespace(NAMESPACE)
NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS"
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name=sanitizer(mydata["Identity"]))
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = sanitizer(mydata["TLP_COLOR"])
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
MyTITLE = sanitizer(mydata["Title"])
SHORT = timestamp
DESCRIPTION = sanitizer(mydata["Description"])
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
indiDom = Indicator()
indiDom.title = MyTITLE
indiDom.add_indicator_type("Domain Watchlist")
for key in mydata["IOC"].keys():
fqdn = URI()
fqdn.value = sanitizer(key)
fqdn.type_ = URI.TYPE_DOMAIN
fqdn.condition = "Equals"
obsu = Observable(fqdn)
for idx, mydata["IOC"][key] in enumerate(mydata["IOC"][key]):
ioc = File()
ioc.add_hash(sanitizer(mydata["IOC"][key]))
fqdn.add_related(ioc, "Downloaded")
indiDom.add_observable(obsu)
wrapper.add_indicator(indiDom)
print(wrapper.to_xml())
def gen_urls(self, count):
'''Generate list of URLs'''
urls = []
for i in range(0, count):
uri = URI(type_='URL')
uri.value = self.fake.uri()
urls.append(uri)
return urls
def add_host(host_info):
uri_port = host_info.split(":")
hf = HostField()
if len(uri_port) > 1:
port = Port()
port.port_value = uri_port[1]
hf.port = port
hf.domain_name = URI(uri_port[0], URI.TYPE_DOMAIN)
return hf
def test_round_trip(self):
uri_str = "http://www.example.com"
t = URI.TYPE_URL
uri = URI(AnyURI(uri_str), t)
uri2 = cybox.test.round_trip(uri)
self.assertEqual(uri.to_dict(), uri2.to_dict())
self.assertEqual(uri_str, str(uri2))
self.assertEqual(t, uri2.type_)
def main():
NS = cybox.utils.Namespace("http://example.com/", "example")
cybox.utils.set_id_namespace(NS)
v = AnyURI("http://www.example.com/index1.html")
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print Observables(u).to_xml()
def create_url_indicator(self, url_indicator):
indicator = Indicator()
indicator.title = 'URL of site hosting malware'
indicator.add_indicator_type('URL Watchlist')
url = URI()
url.value = url_indicator
url.type_ = URI.TYPE_URL
url.condition = 'Equals'
indicator.add_observable(url)
return indicator
def add_raw_indicator(self , orig_indicator, ts=None):
indicator_value = orig_indicator
if not self._is_ascii(indicator_value):
return False
indicator_type, _ = guess_type(indicator_value)
# Create a CyboX File Object
if indicator_type == StixItemType.IPADDR:
title = "Malicious IPv4 - %s" % indicator_value
descr = "Malicious IPv4 involved with %s" % self._pkg.stix_header.title
cybox = Address(indicator_value , Address.CAT_IPV4)
elif indicator_type == StixItemType.DOMAIN:
title = "Malicious domain - %s" % indicator_value
descr = "Malicious domain involved with %s" % self._pkg.stix_header.title
cybox = DomainName()
cybox.value = indicator_value
elif indicator_type == StixItemType.MD5:
title = "Malicious MD5 - %s" % indicator_value
descr = "Malicious MD5 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.SHA256:
title = "Malicious SHA256 - %s" % indicator_value
descr = "Malicious SHA256 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.SHA1:
title = "Malicious SHA1 - %s" % indicator_value
descr = "Malicious SHA1 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.URL:
title = "Malicious URL - %s" % indicator_value
descr = "Malicious URL involved with %s" % self._pkg.stix_header.title
cybox = URI()
cybox.value = indicator_value
cybox.type_ = URI.TYPE_URL
if indicator_type == StixItemType.UNKNOWN:
return False
indicator = Indicator()
indicator.title = title
indicator.description = descr
indicator.add_object(cybox)
indicator.set_producer_identity(self.__author)
if ts:
indicator.set_produced_time(ts)
else:
indicator.set_produced_time(utils.dates.now())
self._add(indicator)
return True
def test_subject_TypedField(self):
h = EmailHeader()
# Set using actual object
h.subject = String("Howdy")
self.assertEqual(String, type(h.subject))
# Set using implied cast
h.subject = "Howdy"
self.assertEqual(String, type(h.subject))
s = "http://badsubject.com"
bad_object = URI(s)
self.assertRaises(ValueError, setattr, h, 'subject', bad_object)
def print_match(self, fpath, page, name, match):
# Resolve all hashes to single HASH reference to avoid repetition
if name == 'MD5' or name == 'SHA1' or name == 'SHA256':
name = 'HASH'
if name in ind_dict:
indicator = ind_dict[name]
add_ind_list.append(name)
indicator.title = fpath
#===========
# Add new object handlers here:
if name == 'IP':
new_obj = Address(address_value=match,
category=Address.CAT_IPV4)
elif name == 'HASH':
new_obj = File()
new_obj.add_hash(Hash(match))
elif name == 'URL':
new_obj = URI(type_=URI.TYPE_URL, value=match)
elif name == 'Host':
new_obj = URI(type_=URI.TYPE_DOMAIN, value=match)
elif name == 'Email':
new_obj = Address(
address_value=match, category=Address.CAT_EMAIL
) ## Not sure if this is right - should this be using the email_message_object?
elif name == 'Registry':
new_obj = WinRegistryKey(values=match)
#===========
new_obs = Observable(new_obj)
new_obs.title = "Page Ref: " + str(page)
indicator.add_observable(new_obs)
def test_get_namespaces(self):
m = EmailMessage()
m.to = "*****@*****.**"
m.subject = "Here's a cool picture"
m.links = Links()
u = URI("http://example.com/cool.jpg", URI.TYPE_URL)
m.links.append(u.parent.id_)
o = Observables([u, m])
print o.to_xml()
actual_namespaces = o._get_namespaces()
print "\n".join([str(x) for x in actual_namespaces])
self.assertEqual(5, len(actual_namespaces))
def main():
pkg = STIXPackage()
indicator = Indicator()
indicator.id_ = "example:package-382ded87-52c9-4644-bab0-ad3168cbad50"
indicator.title = "Malicious site hosting downloader"
indicator.add_indicator_type("URL Watchlist")
url = URI()
url.value = "http://x4z9arb.cn/4712"
url.type_ = URI.TYPE_URL
url.value.condition = "Equals"
indicator.add_observable(url)
pkg.add_indicator(indicator)
print pkg.to_xml()
def fqdn(fqdn, provider, reporttime):
currentTime = time.time()
parsed_uri = urlparse(str(fqdn))
domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri)
if domain.startswith('https'):
domain = domain[8:]
else:
domain = domain[7:]
if domain.endswith('/'):
domain = domain[:-1]
vuln = Vulnerability()
vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime)
vuln.description = "maliciousIPV4"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
url = URI()
url.value = fqdn
url.type_ = URI.TYPE_URL
url.condition = "Equals"
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "FQDN-" + str(fqdn)
indicator.description = ("Malicious FQDN " + str(fqdn) +
" reported from " + provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
indicator.add_observable(url)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open(
'/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' +
str(currentTime) + '.xml', 'w')
f.write(stix_package.to_xml())
f.close()
def make_cybox_object(type_, name=None, value=None):
"""
Converts type_, name, and value to a CybOX object instance.
:param type_: The object type.
:type type_: str
:param name: The object name.
:type name: str
:param value: The object value.
:type value: str
:returns: CybOX object
"""
if type_ == "Address":
return Address(category=name, address_value=value)
elif type_ == "Email Message":
e = EmailMessage()
e.raw_body = value
return e
#TODO: Http Request Header Fields not implemented?
#elif type_ == "Http Request Header Fields":
#pass
#TODO: Mutex object type is incomplete
#elif type_ == "Mutex":
#return Mutex.object_from_dict({'name': value})
#TODO: use Byte_Run object?
#elif type_ == "String":
#pass
elif type_ == "URI":
#return URI(type_=name, value=value)
r = URI()
r.type_ = name
r.value = value
return r
#TODO: Win_File incomplete
#elif type_ == "Win File":
#TODO: Registry_Key incomplete
#elif type_ == "Win Handle" and name == "RegistryKey":
#return Registry_Key.object_from_dict({'key':value})
raise UnsupportedCybOXObjectTypeError(type_, name)
def get_observable(self):
if self.type_ == 'md5':
o_ = File()
o_.md5 = self.value
elif self.type_ == 'sha1':
o_ = File()
o_.sha1 = self.value
elif self.type_ == 'sha256':
o_ = File()
o_.sha256 = self.value
elif self.type_ == 'sha512':
o_ = File()
o_.sha256 = self.value
elif self.type_ == 'url':
o_ = URI(value=self.value, type_=URI.TYPE_URL)
elif self.type_ == 'hostname':
o_ = DomainName()
o_.value = self.value
o_.type_ = 'FQDN'
elif self.type_ == 'domain':
o_ = DomainName()
o_.value = self.value
o_.type_ = 'domain'
elif self.type_ == 'ip-dst':
o_ = Address(address_value=self.value, category=Address.CAT_IPV4)
o_.is_destination = True
o_.is_Source = False
elif self.type_ == 'email-src':
o_ = Address(address_value=self.value, category=Address.CAT_EMAIL)
elif self.type_ == 'email-subject':
o_ = EmailMessage()
o_.subject = self.value
else:
# print 'skip>>>>: type_: ' + str(self.type_)
o_ = None
return o_
def get_indicator_from_json(indicator_json, user_timezone):
type_ = indicator_json['type']
v = indicator_json['value']
title = indicator_json['title']
o_ = None
# ipv4か?
if type_ == JSON_OBJECT_TYPE_IPV4:
o_ = Address()
o_.address_value = v.replace('[', '').replace(']', '')
# urlか?
if type_ == JSON_OBJECT_TYPE_URI:
o_ = URI()
o_.value = v
# md5か?
if type_ == JSON_OBJECT_TYPE_MD5:
o_ = File()
o_.md5 = v
# sha1か?
if type_ == JSON_OBJECT_TYPE_SHA1:
o_ = File()
o_.sha1 = v
# sha256か?
if type_ == JSON_OBJECT_TYPE_SHA256:
o_ = File()
o_.sha256 = v
# sha512か?
if type_ == JSON_OBJECT_TYPE_SHA512:
o_ = File()
o_.sha512 = v
# email-addressか?
if type_ == JSON_OBJECT_TYPE_EMAIL_ADDRESS:
o_ = EmailAddress()
o_.address_value = v
# domainか?
if type_ == JSON_OBJECT_TYPE_DOMAIN:
o_ = DomainName()
o_.value = v.replace('[', '').replace(']', '')
# file名か?
if type_ == JSON_OBJECT_TYPE_FILE_NAME:
o_ = File()
o_.file_name = v
# なにも該当していないので None
if o_ is None:
print('何も該当なし:' + str(type_) + ':' + str(v))
return None
# indicator 作って返却
indicator_title = '%s (%s)' % (v, title)
ind = CommonExtractor.get_indicator_from_object(
o_, indicator_title, user_timezone)
return ind
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['ipAddr']
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isSource: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if len(sDomain) > 0:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
objDomain = None
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
#Parser URI
sURI = data[sKey]['attrib']['URI']
if len(sURI) > 0:
objURI = URI()
objURI.value = sURI
objURI.value.condition = 'Equals'
objURI.type_ = URI.TYPE_URL
obsURI = Observable(objURI)
objURI = None
obsURI.sighting_count = 1
obsURI.title = 'URI: ' + sURI
sDscrpt = 'URI: ' + sURI + " | "
sDscrpt += "Type: URL | "
obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsURI)
obsURI = None
objIndicator.add_indicator_type("URL Watchlist")
#Parser File Hash
sHash = data[sKey]['attrib']['hash']
if len(sHash) > 0:
objFile = File()
sFileName = data[sKey]['attrib']['fileName']
if len(sFileName) > 0:
objFile.file_name = sFileName
objFile.file_format = sFileName.split('.')[1]
objFile.add_hash(Hash(sHash, exact=True))
obsFile = Observable(objFile)
objFile = None
obsFile.sighting_count = 1
obsFile.title = 'File: ' + sFileName
sDscrpt = 'FileName: ' + sFileName + " | "
sDscrpt += "FileHash: " + sHash + " | "
obsFile.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsFile)
obsFile = None
objIndicator.add_indicator_type("File Hash Watchlist")
### Add Generated observable to Indicator
objIndicator.observables = listOBS
objIndicator.observable_composition_operator = 'OR'
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
objIndicator.set_received_time(data[sKey]['dateDL'])
### Old Title / Description Generator
#objIndicator.title = data[sKey]['attrib']['title'];
#objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>";
### Generate Indicator Title based on availbe data
sTitle = 'ZeuS Tracker (' + data[sKey]['attrib'][
'status'] + ')| ' + data[sKey]['attrib']['title']
if len(sAddr) > 0:
sAddLine = "This IP address has been identified as malicious"
if len(sDomain) > 0:
sAddLine = "This domain has been identified as malicious"
if len(sAddLine) > 0:
sTitle = sTitle + " | " + sAddLine
if len(srcObj.Domain) > 0:
sTitle = sTitle + " by " + srcObj.Domain
else:
sTitle = sTitle + "."
if len(sTitle) > 0:
objIndicator.title = sTitle
#Generate Indicator Description based on availbe data
sDscrpt = ""
if len(sAddr) > 0:
sAddLine = "This IP address " + sAddr
if len(sDomain) > 0:
sAddLine = "This domain " + sDomain
if len(sAddr) > 0 and len(sDomain) > 0:
sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
if len(sAddLine) > 0:
sDscrpt = sDscrpt + sAddLine
sDscrpt = sDscrpt + " has been identified as malicious"
if len(srcObj.Domain) > 0:
sDscrpt = sDscrpt + " by " + srcObj.Domain
else:
sDscrpt = sDscrpt + "."
sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[
sKey]['attrib']['link'] + "]."
if len(sDscrpt) > 0:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
objMalware = MalwareInstance()
objMalware.add_name("ZeuS")
objMalware.add_name("Zbot")
objMalware.add_name("Zeus")
objMalware.add_type("Remote Access Trojan")
objMalware.short_description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware effects Microsoft Windows operating system"
objMalware.description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on computers running under versions of the Microsoft Windows operating system. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.[1] Zeus is spread mainly through drive-by downloads and phishing schemes. (2014(http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29))"
objTTP = TTP(title="ZeuS")
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def main(iocs=iocs):
stix_header = STIXHeader(title=iocs['title'],
description=iocs['desc'],
package_intents=["Indicators - Watchlist"])
stix_package = STIXPackage(stix_header=stix_header)
# add indicator - file hash
if iocs.get('hash'):
indicator_file_hash = Indicator(title="Malicious File")
indicator_file_hash.add_indicator_type("File Hash Watchlist")
for file_hash in iocs['hash']:
file_object = File()
file_object.add_hash(Hash(file_hash))
file_object.hashes[0].simple_hash_value.condition = "Equals"
file_object.hashes[0].type_.condition = "Equals"
indicator_file_hash.add_observable(file_object)
stix_package.add_indicator(indicator_file_hash)
# add indicator - file name
if iocs.get('fname'):
indicator_filename = Indicator(title="Malicious File Name")
for file in iocs['fname']:
file_object = File()
file_object.file_name = file
indicator_filename.add_observable(file_object)
stix_package.add_indicator(indicator_filename)
# add indicator - ip address
if iocs.get('ips'):
indicator_ip = Indicator(title="Malicious IP Address")
indicator_ip.add_indicator_type("IP Watchlist")
for ip in iocs['ips']:
addr = Address(address_value=ip, category=Address.CAT_IPV4)
addr.condition = "Equals"
indicator_ip.add_observable(addr)
stix_package.add_indicator(indicator_ip)
# add indicator - domains
if iocs.get('domains'):
indicator_domains = Indicator(title="Malicious Domains")
indicator_domains.add_indicator_type("Domain Watchlist")
for domain in iocs['domains']:
domain_name = DomainName()
domain_name.value = domain
indicator_domains.add_observable(domain_name)
stix_package.add_indicator(indicator_domains)
# add indicator - url
if iocs.get('urls'):
indicator_url = Indicator(title='Malicious URL')
indicator_url.add_indicator_type("URL Watchlist")
for _url in iocs['urls']:
url = URI()
url.value = _url
url.type_ = URI.TYPE_URL
url.value.condition = "Equals"
# url.value.condition = "Contains"
indicator_url.add_observable(url)
stix_package.add_indicator(indicator_url)
# add indicator - email subject
if iocs.get('subject'):
indicator_email_subject = Indicator(title='Malicious E-mail Subject')
indicator_email_subject.add_indicator_type("Malicious E-mail")
for subject in iocs['subject']:
email_subject_object = EmailMessage()
email_subject_object.header = EmailHeader()
email_subject_object.header.subject = subject
email_subject_object.header.subject.condition = "StartsWith"
indicator_email_subject.add_observable(email_subject_object)
stix_package.add_indicator(indicator_email_subject)
# add indicator - email sender
if iocs.get('senders'):
indicator_email_sender = Indicator(title='Malicious E-mail Sender')
indicator_email_sender.add_indicator_type("Malicious E-mail")
for sender in iocs['senders']:
email_sender_object = EmailMessage()
email_sender_object.header = EmailHeader()
email_sender_object.header.sender = sender
email_sender_object.header.sender.condition = "Equals"
indicator_email_sender.add_observable(email_sender_object)
stix_package.add_indicator(indicator_email_sender)
# print(stix_package.to_xml(encoding=None))
# print(type(stix_package.to_xml(encoding=None)))
return stix_package.to_xml(encoding=None)
def setUp(self):
set_id_method(2)
self.ip = Address("192.168.1.1", Address.CAT_IPV4)
self.domain = URI("example.local", URI.TYPE_DOMAIN)
def __create_whois_object(self, domain):
""" Creates a CybOX WHOISObjectType object """
if not domain:
return None
if(self.__verbose_output):
sys.stderr.write("** creating Whois object for: %s\n" % domain)
if self.http_whois:
record = self.__get_whois_record_http(domain)
else:
record = self.__get_whois_record(domain)
if not record:
return None
whois = WhoisEntry()
record['status'] = ['OK' if status == 'ACTIVE' else status for status in record['status']]
#Only build registrar info objects if we have the relevant info
if (record['registrar'] or record['whois_server'] or
record['registrar_address'] or record['referral_url'] or
record['registrar_contacts']):
registrar = WhoisRegistrar()
registrar.name = String(record.get('registrar'))
registrar.address = String(record.get('registrar_address'))
registrar.whois_server = URI(record.get('whois_server'))
registrar.referral_url = URI(record.get('referral_url'))
contacts = WhoisContacts()
for email in record['registrar_contacts']:
contact = WhoisContact()
contact.contact_type = 'ADMIN'
contact.name = String(record.get('registrar'))
contact.email_address = EmailAddress(email)
contacts.append(contact)
registrar.contacts = contacts
whois.registrar_info = registrar
whois.domain_name = self.__create_domain_name_object(record.get('domain_name'))
nservers = WhoisNameservers()
for url in record.get('name_servers', []):
nservers.append(self.__create_url_object(url))
if nservers:
whois.nameservers = nservers
status = WhoisStatuses()
for s in record.get('status', []):
status.append(WhoisStatus(s))
if status:
whois.status = status
whois.updated_date = DateTime(record.get('updated_date'))
whois.creation_date = DateTime(record.get('creation_date'))
whois.expiration_date = DateTime(record.get('expiration_date'))
return whois
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
oObsSrcData = genObsSrcData(srcObj, data[sKey])
### Parsing IP Address
sAddr = data[sKey]['attrib']['ip']
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_destination = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.type = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.type = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
oObsSrcData.sighting_count = 1
obsAddr.observable_source.append(oObsSrcData)
sTitle = 'IP: ' + sAddr
obsAddr.title = sTitle
sDscpt = 'ipv4-addr' + ': ' + sAddr + " | "
sDscpt += "is_destination: True | "
if data[sKey]['attrib']['first']:
sDscpt += "firstSeen: " + data[sKey]['attrib']['first'] + " | "
if data[sKey]['attrib']['last']:
sDscpt += "lastSeen: " + data[sKey]['attrib']['last'] + " | "
obsAddr.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
### Parsing Network Address
sAddr = data[sKey]['attrib']['inetnum']
if sAddr:
objAddr = Address()
objAddr.is_destination = True
sAddrNet = sAddr.split("-")
objAddr.address_value = sAddrNet[0].strip(
) + "##comma##" + sAddrNet[1].strip()
objAddr.address_value.condition = 'InclusiveBetween'
objAddr.category = 'ipv4-net'
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
oObsSrcData.sighting_count = 1
obsAddr.observable_source.append(oObsSrcData)
sTitle = 'NETWORK_range: ' + sAddr
obsAddr.title = sTitle
sDscpt = 'ipv4-net' + ': ' + sAddr + " | "
if data[sKey]['attrib']['netname']:
sDscpt += 'netName' + ': ' + data[sKey]['attrib'][
'netname'] + " | "
obsAddr.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
### Parsing Email Address
sEMAIL = data[sKey]['attrib']['email']
if sEMAIL:
objEmail = EmailAddress()
#objEmail.is_source = True
objEmail.address_value = sEMAIL
objEmail.address_value.condition = 'Equals'
objEmail.category = 'e-mail'
obsEmail = Observable(objEmail)
objEmail = None
obsEmail.sighting_count = 1
oObsSrcData.sighting_count = 1
if len(data[sKey]['attrib']['source']) > 0:
oObsSrcData.name = data[sKey]['attrib']['source']
obsEmail.observable_source.append(oObsSrcData)
sTitle = 'REGISTRAR_email: ' + sEMAIL
obsEmail.title = sTitle
sDscrpt = 'REGISTRAR_email: ' + sEMAIL
if data[sKey]['attrib']['descr']:
sDscrpt += " | REGISTRAR_name: " + data[sKey]['attrib'][
'descr'] + " | "
obsEmail.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsEmail)
obsEmail = None
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if len(sDomain) > 0:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
objDomain.is_destination = True
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
objDomain = None
obsDomain.sighting_count = 1
oObsSrcData.sighting_count = 1
obsDomain.observable_source.append(oObsSrcData)
obsDomain.title = 'Domain: ' + sDomain
sDscpt = 'Domain: ' + sDomain + " | "
sDscpt += "isDestination: True | "
if data[sKey]['attrib']['first']:
sDscpt += "firstSeen: " + data[sKey]['attrib']['first'] + " | "
if data[sKey]['attrib']['last']:
sDscpt += "lastSeen: " + data[sKey]['attrib']['last'] + " | "
#if
obsDomain.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
#Parser URI
sURI = data[sKey]['attrib']['url']
if len(sURI) > 0:
objURI = URI()
objURI.value = sURI
objURI.value.condition = 'Equals'
objURI.type_ = URI.TYPE_URL
obsURI = Observable(objURI)
objURI = None
obsURI.sighting_count = 1
oObsSrcData.sighting_count = 1
obsURI.observable_source.append(oObsSrcData)
obsURI.title = 'URI: ' + sURI
sDscpt = 'URI: ' + sURI + " | "
sDscpt += "Type: URL | "
obsURI.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsURI)
obsURI = None
objIndicator.add_indicator_type("URL Watchlist")
sDscrpt = None
sCntry_code = None
sCntry_name = None
sRgstra_email = None
sRgstra_name = None
# add Phishing Email Target
# add Phishing email Details phishtank_ID
if data[sKey]['attrib']['country']:
sCntry_code = data[sKey]['attrib']['country']
if sCntry_code in dictCC2CN:
sCntry_name = dictCC2CN[sCntry_code]
if data[sKey]['attrib']['email'] > 0:
sRgstra_email = data[sKey]['attrib']['email']
if data[sKey]['attrib']['descr']:
sRgstra_name = data[sKey]['attrib']['descr']
sDscrpt = " clean-mx.de has identified this "
if isIPv4(data[sKey]['attrib']['domain']):
sDscrpt += "ip address " + data[sKey]['attrib']['domain'] + " "
else:
sDscrpt += "domain " + data[sKey]['attrib']['domain'] + " "
sDscrpt += "as malicious "
if data[sKey]['attrib']['target']:
sDscrpt += "and uses phishing email(s) targeting " + data[sKey][
'attrib']['target'] + " users with "
else:
sDscrpt += "and sent out "
sDscrpt += "email containg this url <-Do Not Connect-> {" + data[sKey][
'attrib']['url'] + "} <-Do Not Connect-> link. "
if data[sKey]['attrib']['phishtank']:
sDscrpt += "For more detail on the specific phisihing email use this phishtank ID [" + data[
sKey]['attrib']['phishtank'] + "]. "
if sCntry_code:
sDscrpt += " This url appears to originated in " + sCntry_code
if sCntry_name:
sDscrpt += " (" + sCntry_name + ")"
if sCntry_code and (sRgstra_email or sRgstra_name):
sDscrpt += " and is "
if sRgstra_email:
sDscrpt += "register to " + sRgstra_email
if sRgstra_email and sRgstra_name:
sDscrpt += " of " + sRgstra_name
elif sRgstra_name:
sDscrpt += "register to " + sRgstra_name
sDscrpt += "."
if sCntry_code or sRgstra_email or sRgstra_name:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
sTitle = 'Phishing ID:' + sKey + " "
if data[sKey]['attrib']["target"]:
sTitle += "Target: " + data[sKey]['attrib']["target"] + " "
if data[sKey]['attrib']["url"]:
sTitle += "URL: " + data[sKey]['attrib']["url"] + " "
objIndicator.title = sTitle
### Add Generated observable to Indicator
objIndicator.add_indicator_type("IP Watchlist")
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
objIndicator.set_produced_time(data[sKey]['attrib']['first'])
objIndicator.set_received_time(data[sKey]['dateDL'])
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
objTOU = TermsOfUseMarkingStructure()
#sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + srcObj.srcTOU
marking_specification.marking_structures.append(objTOU)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
