def stix_xml(bldata):
# Create the STIX Package and Header objects
stix_package = STIXPackage()
stix_header = STIXHeader()
# Set the description
stix_header.description = "RiskIQ Blacklist Data - STIX Format"
# Set the namespace
NAMESPACE = {"http://www.riskiq.com": "RiskIQ"}
set_id_namespace(NAMESPACE)
# Set the produced time to now
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
# Create the STIX Package
stix_package = STIXPackage()
# Build document
stix_package.stix_header = stix_header
# Build the Package Intent
stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)
# Build the indicator
indicator = Indicator()
indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam"
indicator.add_indicator_type("URL Watchlist")
for datum in bldata:
url = URI()
url.value = ""
url.value = datum['url']
url.type_ = URI.TYPE_URL
url.condition = "Equals"
indicator.add_observable(url)
stix_package.add_indicator(indicator)
return stix_package.to_xml()
def stix_xml(bldata):
# Create the STIX Package and Header objects
stix_package = STIXPackage()
stix_header = STIXHeader()
# Set the description
stix_header.description = "RiskIQ Blacklist Data - STIX Format"
# Set the namespace
NAMESPACE = {"http://www.riskiq.com" : "RiskIQ"}
set_id_namespace(NAMESPACE)
# Set the produced time to now
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
# Create the STIX Package
stix_package = STIXPackage()
# Build document
stix_package.stix_header = stix_header
# Build the Package Intent
stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)
# Build the indicator
indicator = Indicator()
indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam"
indicator.add_indicator_type("URL Watchlist")
for datum in bldata:
url = URI()
url.value = ""
url.value = datum['url']
url.type_ = URI.TYPE_URL
url.condition = "Equals"
indicator.add_observable(url)
stix_package.add_indicator(indicator)
return stix_package.to_xml()
def main():
mydata = loaddata()
'''
Your Namespace
'''
# NAMESPACE = {sanitizer(mydata["NSXURL"]) : sanitizer(mydata["NS"])}
# set_id_namespace(NAMESPACE)
NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS"
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name=sanitizer(mydata["Identity"]))
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = sanitizer(mydata["TLP_COLOR"])
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
MyTITLE = sanitizer(mydata["Title"])
SHORT = timestamp
DESCRIPTION = sanitizer(mydata["Description"])
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
indiDom = Indicator()
indiDom.title = MyTITLE
indiDom.add_indicator_type("Domain Watchlist")
for key in mydata["IOC"].keys():
fqdn = URI()
fqdn.value = sanitizer(key)
fqdn.type_ = URI.TYPE_DOMAIN
fqdn.condition = "Equals"
obsu = Observable(fqdn)
for idx, mydata["IOC"][key] in enumerate(mydata["IOC"][key]):
ioc = File()
ioc.add_hash(sanitizer(mydata["IOC"][key]))
fqdn.add_related(ioc, "Downloaded")
indiDom.add_observable(obsu)
wrapper.add_indicator(indiDom)
print(wrapper.to_xml())
def create_url_indicator(self, url_indicator):
indicator = Indicator()
indicator.title = 'URL of site hosting malware'
indicator.add_indicator_type('URL Watchlist')
url = URI()
url.value = url_indicator
url.type_ = URI.TYPE_URL
url.condition = 'Equals'
indicator.add_observable(url)
return indicator
def create_url_indicator(self, url_indicator):
indicator = Indicator()
indicator.title = 'URL of site hosting malware'
indicator.add_indicator_type('URL Watchlist')
url = URI()
url.value = url_indicator
url.type_ = URI.TYPE_URL
url.condition = 'Equals'
indicator.add_observable(url)
return indicator
def fqdn(fqdn,provider,reporttime):
currentTime = time.time()
parsed_uri = urlparse( str(fqdn) )
domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri)
if domain.startswith('https'):
domain = domain[8:]
else:
domain = domain[7:]
if domain.endswith('/'):
domain = domain[:-1]
vuln = Vulnerability()
vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime)
vuln.description = "maliciousIPV4"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
url = URI()
url.value = fqdn
url.type_ = URI.TYPE_URL
url.condition = "Equals"
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "FQDN-" + str(fqdn)
indicator.description = ("Malicious FQDN " + str(fqdn) + " reported from " + provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
indicator.add_observable(url)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open('/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' + str(currentTime) + '.xml','w')
f.write(stix_package.to_xml())
f.close()
def fqdn(fqdn, provider, reporttime):
currentTime = time.time()
parsed_uri = urlparse(str(fqdn))
domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri)
if domain.startswith('https'):
domain = domain[8:]
else:
domain = domain[7:]
if domain.endswith('/'):
domain = domain[:-1]
vuln = Vulnerability()
vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime)
vuln.description = "maliciousIPV4"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
url = URI()
url.value = fqdn
url.type_ = URI.TYPE_URL
url.condition = "Equals"
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "FQDN-" + str(fqdn)
indicator.description = ("Malicious FQDN " + str(fqdn) +
" reported from " + provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
indicator.add_observable(url)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open(
'/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' +
str(currentTime) + '.xml', 'w')
f.write(stix_package.to_xml())
f.close()
def main():
######################################################################
# MODIFICARE LE VARIABILI SEGUENTI
# Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28)
MyTITLE = "GandCrab"
# La description strutturiamola come segue
# <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)>
DESCRIPTION = "CERT-PA - Nuova campagna di Cyber-Estorsione basata su ransomware GandCrab - https://www.cert-pa.it/notizie/nuova-campagna-di-cyber-estorsione-basata-su-ransomware-gandcrab/"
# La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community
IDENTITY = "CERT-PA via Cyber Saiyan Community"
#
######################################################################
# Build STIX file
info_src = InformationSource()
info_src.identity = Identity(name=IDENTITY)
NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
set_id_namespace(NAMESPACE)
timestamp = datetime.datetime.fromtimestamp(time.time()).strftime('%Y-%m-%d %H:%M:%S')
SHORT = timestamp
wrapper = STIXPackage()
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
wrapper.stix_header = STIXHeader(information_source=info_src, title=MyTITLE.encode(encoding='UTF-8', errors='replace'), description=DESCRIPTION.encode(encoding='UTF-8', errors='replace'), short_description=SHORT.encode(encoding='UTF-8', errors='replace'))
wrapper.stix_header.handling = handling
# HASH indicators
indicatorHASH = Indicator()
indicatorHASH.title = MyTITLE + " - HASH"
indicatorHASH.add_indicator_type("File Hash Watchlist")
# DOMAIN indicators
indiDOMAIN = Indicator()
indiDOMAIN.title = MyTITLE + " - DOMAIN"
indiDOMAIN.add_indicator_type("Domain Watchlist")
# URL indicators
indiURL = Indicator()
indiURL.title = MyTITLE + " - URL"
indiURL.add_indicator_type("URL Watchlist")
# IP indicators
indiIP = Indicator()
indiIP.title = MyTITLE + " - IP"
indiIP.add_indicator_type("IP Watchlist")
# EMAIL indicators
indiEMAIL = Indicator()
indiEMAIL.title = MyTITLE + " - EMAIL"
indiEMAIL.add_indicator_type("Malicious E-mail")
# Read IoC file
file_ioc = "CS-ioc.txt"
ioc = loaddata(file_ioc)
print "Reading IoC file..."
for idx, ioc in enumerate(ioc):
notfound = 1
# sha256
p = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
filei = File()
filei.add_hash(Hash(ioc))
obsi = Observable(filei)
indicatorHASH.add_observable(obsi)
print "SHA256: " + ioc
notfound = 0
#md5
p = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
filej = File()
filej.add_hash(Hash(ioc))
obsj = Observable(filej)
indicatorHASH.add_observable(obsj)
print "MD5: " + ioc
notfound = 0
#sha1
p = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
filek = File()
filek.add_hash(Hash(ioc))
obsk = Observable(filek)
indicatorHASH.add_observable(obsk)
print "SHA1: " + ioc
notfound = 0
#domains
if validators.domain(ioc) and notfound:
url = URI()
url.value = ioc
url.type_ = URI.TYPE_DOMAIN
url.condition = "Equals"
obsu = Observable(url)
indiDOMAIN.add_observable(obsu)
print "DOMAIN: " + ioc
notfound = 0
#url
if validators.url(ioc) and notfound:
url = URI()
url.value = ioc
url.type_ = URI.TYPE_URL
url.condition = "Equals"
obsu = Observable(url)
indiURL.add_observable(obsu)
print "URL: " + ioc
notfound = 0
#ip
if validators.ipv4(ioc) and notfound:
ip = Address()
ip.address_value = ioc
obsu = Observable(ip)
indiIP.add_observable(obsu)
print "IP: " + ioc
notfound = 0
# add all indicators to STIX
wrapper.add_indicator(indicatorHASH)
wrapper.add_indicator(indiDOMAIN)
wrapper.add_indicator(indiURL)
wrapper.add_indicator(indiIP)
wrapper.add_indicator(indiEMAIL)
# print STIX file to stdout
print "Writing STIX package: package.stix"
f = open ("package.stix", "w")
f.write (wrapper.to_xml())
f.close ()
print
def main(argv):
######################################################################
# Se non impostati da command line vengono utilizzati i seguenti valori per TITLE, DESCRIPTION, IDENTITY
# Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28)
TITLE = "Test"
# La description strutturiamola come segue
# <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)>
DESCRIPTION = "Cyber Saiyan - Test - https://infosharing.cybersaiyan.it"
# La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community
IDENTITY = "Cyber Saiyan Community"
# File degli IoC
IOCFILE = "CS-ioc.txt"
# Prefisso STIX output files STIX 1.2 e STIX 2
OUTFILEPREFIX = "package"
# Short Description - UNUSED
SHORT = "unused"
######################################################################
VERBOSE = 0
# Parse ARGV[]
try:
opts, args = getopt.getopt(argv, "ht:d:i:f:o:v")
except getopt.GetoptError:
print(
"CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]")
sys.exit(2)
for opt, arg in opts:
if opt == "-h":
print(
"CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]")
sys.exit()
elif opt == "-t":
TITLE = arg
elif opt == "-d":
DESCRIPTION = arg
elif opt == "-i":
IDENTITY = arg
elif opt == "-f":
IOCFILE = arg
elif opt == "-o":
OUTFILEPREFIX = arg
elif opt == "-v":
VERBOSE = 1
print("---------------------")
print("TITLE: " + TITLE)
print("DESCRIPTION: " + DESCRIPTION)
print("IDENTITY: " + IDENTITY)
print("IOC FILE: " + IOCFILE)
print("---------------------")
########################
# Commond data
timestamp = datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S")
########################
# Build STIX 1.2 file
info_src = InformationSource()
info_src.identity = Identity(name=IDENTITY)
NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
set_id_namespace(NAMESPACE)
wrapper = STIXPackage()
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "white"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
wrapper.stix_header = STIXHeader(information_source=info_src,
title=TITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
# HASH indicators
indicatorHASH = Indicator()
indicatorHASH.title = TITLE + " - HASH"
indicatorHASH.add_indicator_type("File Hash Watchlist")
# DOMAIN indicators
indiDOMAIN = Indicator()
indiDOMAIN.title = TITLE + " - DOMAIN"
indiDOMAIN.add_indicator_type("Domain Watchlist")
# URL indicators
indiURL = Indicator()
indiURL.title = TITLE + " - URL"
indiURL.add_indicator_type("URL Watchlist")
# IP indicators
indiIP = Indicator()
indiIP.title = TITLE + " - IP"
indiIP.add_indicator_type("IP Watchlist")
# EMAIL indicators
indiEMAIL = Indicator()
indiEMAIL.title = TITLE + " - EMAIL"
indiEMAIL.add_indicator_type("Malicious E-mail")
########################
# Build STIX 2 file
pattern_sha256 = []
pattern_md5 = []
pattern_sha1 = []
pattern_domain = []
pattern_url = []
pattern_ip = []
pattern_email = []
# Marking
marking_def_white = stix2.TLP_WHITE
# campagna
# [TODO] aggiungere tutti i campi dello STIX 1.2 (es. IDENTITY)
campaign_MAIN = stix2.Campaign(
created=timestamp,
modified=timestamp,
name=TITLE,
description=DESCRIPTION,
first_seen=timestamp,
objective="TBD"
)
########################
# Read IoC file
loaddata(IOCFILE)
if (VERBOSE): print("Reading IoC file " + IOCFILE + "...")
ioccount = 0
# sha256
for ioc in listSHA256:
# STIX 1.2
filei = File()
filei.add_hash(Hash(ioc))
obsi = Observable(filei)
indicatorHASH.add_observable(obsi)
if (VERBOSE): print("SHA256: " + ioc)
ioccount += 1
# STIX 2
pattern_sha256.append("[file:hashes.'SHA-256' = '" + ioc + "'] OR ")
# md5
for ioc in listMD5:
# STIX 1.2
filej = File()
filej.add_hash(Hash(ioc))
obsj = Observable(filej)
indicatorHASH.add_observable(obsj)
if (VERBOSE): print("MD5: " + ioc)
ioccount += 1
# STIX 2
pattern_md5.append("[file:hashes.'MD5' = '" + ioc + "'] OR ")
# sha1
for ioc in listSHA1:
# STIX 1.2
filek = File()
filek.add_hash(Hash(ioc))
obsk = Observable(filek)
indicatorHASH.add_observable(obsk)
if (VERBOSE): print("SHA1: " + ioc)
ioccount += 1
# STIX 2
pattern_sha1.append("[file:hashes.'SHA1' = '" + ioc + "'] OR ")
# domains
for ioc in listDOMAIN:
# STIX 1.2
url = URI()
url.value = ioc
url.type_ = URI.TYPE_DOMAIN
url.condition = "Equals"
obsu = Observable(url)
indiDOMAIN.add_observable(obsu)
if (VERBOSE): print("DOMAIN: " + ioc)
ioccount += 1
# STIX 2
pattern_domain.append("[domain-name:value = '" + ioc + "'] OR ")
# url
for ioc in listURL:
# STIX 1.2
url = URI()
url.value = ioc
url.type_ = URI.TYPE_URL
url.condition = "Equals"
obsu = Observable(url)
indiURL.add_observable(obsu)
if (VERBOSE): print("URL: " + ioc)
ioccount += 1
# STIX 2
pattern_url.append("[url:value = '" + ioc + "'] OR ")
# ip
for ioc in listIP:
# STIX 1.2
ip = Address()
ip.address_value = ioc
obsu = Observable(ip)
indiIP.add_observable(obsu)
if (VERBOSE): print("IP: " + ioc)
ioccount += 1
# STIX 2
pattern_ip.append("[ipv4-addr:value = '" + ioc + "'] OR ")
# email
for ioc in listEMAIL:
# STIX 1.2
email = EmailAddress()
email.address_value = ioc
obsu = Observable(email)
indiEMAIL.add_observable(obsu)
if (VERBOSE): print("Email: " + ioc)
ioccount += 1
# STIX 2
pattern_email.append("[email-message:from_ref.value = '" + ioc + "'] OR ")
# subject
for ioc in listSUBJECT:
# STIX 1.2
emailsubject = EmailMessage()
emailsubject.subject = ioc
obsu = Observable(emailsubject)
indiEMAIL.add_observable(obsu)
if (VERBOSE): print("Subject: " + ioc)
ioccount += 1
# STIX 2 (http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html)
# Replace all quotes in a subject string with escaped quotes
pattern_email.append("[email-message:subject = '" + ioc.replace("'", "\\'") + "'] OR ")
########################
# add all indicators to STIX 1.2
wrapper.add_indicator(indicatorHASH)
wrapper.add_indicator(indiDOMAIN)
wrapper.add_indicator(indiURL)
wrapper.add_indicator(indiIP)
wrapper.add_indicator(indiEMAIL)
########################
# prepare for STIX 2
bundle_objects = [campaign_MAIN, marking_def_white]
if len(pattern_sha256) != 0:
stix2_sha256 = "".join(pattern_sha256)
stix2_sha256 = stix2_sha256[:-4]
indicator_SHA256 = stix2.Indicator(
name=TITLE + " - SHA256",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_sha256,
object_marking_refs=[marking_def_white]
)
relationship_indicator_SHA256 = stix2.Relationship(indicator_SHA256, "indicates", campaign_MAIN)
bundle_objects.append(indicator_SHA256)
bundle_objects.append(relationship_indicator_SHA256)
if len(pattern_md5) != 0:
stix2_md5 = "".join(pattern_md5)
stix2_md5 = stix2_md5[:-4]
indicator_MD5 = stix2.Indicator(
name=TITLE + " - MD5",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_md5,
object_marking_refs=[marking_def_white]
)
relationship_indicator_MD5 = stix2.Relationship(indicator_MD5, "indicates", campaign_MAIN)
bundle_objects.append(indicator_MD5)
bundle_objects.append(relationship_indicator_MD5)
if len(pattern_sha1) != 0:
stix2_sha1 = "".join(pattern_sha1)
stix2_sha1 = stix2_sha1[:-4]
indicator_SHA1 = stix2.Indicator(
name=TITLE + " - SHA1",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_sha1,
object_marking_refs=[marking_def_white]
)
relationship_indicator_SHA1 = stix2.Relationship(indicator_SHA1, "indicates", campaign_MAIN)
bundle_objects.append(indicator_SHA1)
bundle_objects.append(relationship_indicator_SHA1)
if len(pattern_domain) != 0:
stix2_domain = "".join(pattern_domain)
stix2_domain = stix2_domain[:-4]
indicator_DOMAINS = stix2.Indicator(
name=TITLE + " - DOMAINS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_domain,
object_marking_refs=[marking_def_white]
)
relationship_indicator_DOMAINS = stix2.Relationship(indicator_DOMAINS, "indicates", campaign_MAIN)
bundle_objects.append(indicator_DOMAINS)
bundle_objects.append(relationship_indicator_DOMAINS)
if len(pattern_url) != 0:
stix2_url = "".join(pattern_url)
stix2_url = stix2_url[:-4]
indicator_URLS = stix2.Indicator(
name=TITLE + " - URL",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_url,
object_marking_refs=[marking_def_white]
)
relationship_indicator_URLS = stix2.Relationship(indicator_URLS, "indicates", campaign_MAIN)
bundle_objects.append(indicator_URLS)
bundle_objects.append(relationship_indicator_URLS)
if len(pattern_ip) != 0:
stix2_ip = "".join(pattern_ip)
stix2_ip = stix2_ip[:-4]
indicator_IPS = stix2.Indicator(
name=TITLE + " - IPS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_ip,
object_marking_refs=[marking_def_white]
)
relationship_indicator_IPS = stix2.Relationship(indicator_IPS, "indicates", campaign_MAIN)
bundle_objects.append(indicator_IPS)
bundle_objects.append(relationship_indicator_IPS)
if len(pattern_email) != 0:
stix2_email = "".join(pattern_email)
stix2_email = stix2_email[:-4]
indicator_EMAILS = stix2.Indicator(
name=TITLE + " - EMAILS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_email,
object_marking_refs=[marking_def_white]
)
relationship_indicator_EMAILS = stix2.Relationship(indicator_EMAILS, "indicates", campaign_MAIN)
bundle_objects.append(indicator_EMAILS)
bundle_objects.append(relationship_indicator_EMAILS)
# creo il bunble STIX 2
bundlestix2 = stix2.Bundle(objects=bundle_objects)
if (ioccount > 0):
########################
# save to STIX 1.2 file
print("Writing STIX 1.2 package: " + OUTFILEPREFIX + ".stix")
f = open(OUTFILEPREFIX + ".stix", "wb")
f.write(wrapper.to_xml())
f.close()
########################
# save to STIX 2 file
print("Writing STIX 2 package: " + OUTFILEPREFIX + ".stix2")
g = open(OUTFILEPREFIX + ".stix2", "w")
g.write(str(bundlestix2))
g.close()
else:
print("No IoC found")
def main():
######################################################################
# MODIFICARE LE VARIABILI SEGUENTI
MyTITLE = "APT28 / Fancy Bear"
DESCRIPTION = "Emanuele De Lucia - APT28 / Fancy Bear still targeting military institutions - https://www.emanueledelucia.net/apt28-targeting-military-institutions/"
sha256 = []
md5 = [
'43D7FFD611932CF51D7150B176ECFC29', '549726B8BFB1919A343AC764D48FDC81'
]
sha1 = []
domains = ['beatguitar.com']
urls = [
'https://beatguitar.com/aadv/gJNn/X2/ep/VQOA/3.SMPTE292M/?ct=+lMQKtXi0kf+3MVk38U=',
'https://beatguitar.com/n2qqSy/HPSe0/SY/yAsFy8/mSaYZP/lw.sip/?n=VxL0BnijNmtTnSFIcoQ='
]
ips = ['185.99.133.72']
emails = []
######################################################################
# Costruzione STIX file
NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
set_id_namespace(NAMESPACE)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
SHORT = timestamp
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name="CyberSaiyan Community")
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
# HASH indicators
indicatorHASH = Indicator()
indicatorHASH.title = MyTITLE + " - HASH"
indicatorHASH.add_indicator_type("File Hash Watchlist")
for idx, sha256 in enumerate(sha256):
filei = File()
filei.add_hash(Hash(sha256))
obsi = Observable(filei)
indicatorHASH.add_observable(obsi)
for idx, md5 in enumerate(md5):
filej = File()
filej.add_hash(Hash(md5))
obsj = Observable(filej)
indicatorHASH.add_observable(obsj)
for idx, sha1 in enumerate(sha1):
filek = File()
filek.add_hash(Hash(sha1))
obsk = Observable(filek)
indicatorHASH.add_observable(obsk)
# DOMAIN indicators
indiDOMAIN = Indicator()
indiDOMAIN.title = MyTITLE + " - DOMAIN"
indiDOMAIN.add_indicator_type("Domain Watchlist")
for idu, domains in enumerate(domains):
url = URI()
url.value = domains
url.type_ = URI.TYPE_DOMAIN
url.condition = "Equals"
obsu = Observable(url)
indiDOMAIN.add_observable(obsu)
# URL indicators
indiURL = Indicator()
indiURL.title = MyTITLE + " - URL"
indiURL.add_indicator_type("URL Watchlist")
for idu, urls in enumerate(urls):
url = URI()
url.value = urls
url.type_ = URI.TYPE_URL
url.condition = "Equals"
obsu = Observable(url)
indiURL.add_observable(obsu)
# IP indicators
indiIP = Indicator()
indiIP.title = MyTITLE + " - IP"
indiIP.add_indicator_type("IP Watchlist")
for idu, ips in enumerate(ips):
ip = Address()
ip.address_value = ips
obsu = Observable(ip)
indiIP.add_observable(obsu)
# EMAIL indicators
indiEMAIL = Indicator()
indiEMAIL.title = MyTITLE + " - EMAIL"
indiEMAIL.add_indicator_type("Malicious E-mail")
for idu, emails in enumerate(emails):
email = EmailAddress()
email.address_value = emails
obsu = Observable(email)
indiEMAIL.add_observable(obsu)
# add all indicators
wrapper.add_indicator(indicatorHASH)
wrapper.add_indicator(indiDOMAIN)
wrapper.add_indicator(indiURL)
wrapper.add_indicator(indiIP)
wrapper.add_indicator(indiEMAIL)
print(wrapper.to_xml())
def main():
######################################################################
# MODIFICARE LE VARIABILI SEGUENTI
# Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28)
MyTITLE = "Gootkit"
# La description strutturiamola come segue
# <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)>
DESCRIPTION = "D3Lab - Malspam Gootkit con dropper da 450+ MB - https://www.d3lab.net/malspam-gootkit-con-dropper-da-450-mb/"
# La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community
IDENTITY = "D3Lab via Cyber Saiyan Community"
#
######################################################################
# read IoC files
file_sha256 = "CS-sha256.txt"
sha256 = loaddata(file_sha256)
file_md5 = "CS-md5.txt"
md5 = loaddata(file_md5)
file_sha1 = "CS-sha1.txt"
sha1 = loaddata(file_sha1)
file_domains = "CS-domain.txt"
domains = loaddata(file_domains)
file_urls = "CS-url.txt"
urls = loaddata(file_urls)
file_ips = "CS-ipv4.txt"
ips = loaddata(file_ips)
file_emails = "CS-email.txt"
emails = loaddata(file_emails)
# Build STIX file
info_src = InformationSource()
info_src.identity = Identity(name=IDENTITY)
NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
set_id_namespace(NAMESPACE)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
SHORT = timestamp
wrapper = STIXPackage()
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
wrapper.stix_header = STIXHeader(
information_source=info_src,
title=MyTITLE.encode(encoding='UTF-8', errors='replace'),
description=DESCRIPTION.encode(encoding='UTF-8', errors='replace'),
short_description=SHORT.encode(encoding='UTF-8', errors='replace'))
wrapper.stix_header.handling = handling
# HASH indicators
indicatorHASH = Indicator()
indicatorHASH.title = MyTITLE + " - HASH"
indicatorHASH.add_indicator_type("File Hash Watchlist")
print "Reading IoC sha256 file..."
p = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
for idx, sha256 in enumerate(sha256):
m = p.match(sha256)
if m:
filei = File()
filei.add_hash(Hash(sha256))
obsi = Observable(filei)
indicatorHASH.add_observable(obsi)
else:
print " Malformed sha256: " + sha256
print
print "Reading IoC md5 file..."
p = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
for idx, md5 in enumerate(md5):
m = p.match(md5)
if m:
filej = File()
filej.add_hash(Hash(md5))
obsj = Observable(filej)
indicatorHASH.add_observable(obsj)
else:
print " Malformed md5: " + md5
print
print "Reading IoC sha1 file..."
p = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
for idx, sha1 in enumerate(sha1):
m = p.match(sha1)
if m:
filek = File()
filek.add_hash(Hash(sha1))
obsk = Observable(filek)
indicatorHASH.add_observable(obsk)
else:
print " Malformed sha1: " + sha1
print
# DOMAIN indicators
indiDOMAIN = Indicator()
indiDOMAIN.title = MyTITLE + " - DOMAIN"
indiDOMAIN.add_indicator_type("Domain Watchlist")
print "Reading IoC domains file..."
for idu, domains in enumerate(domains):
if validators.domain(domains):
url = URI()
url.value = domains
url.type_ = URI.TYPE_DOMAIN
url.condition = "Equals"
obsu = Observable(url)
indiDOMAIN.add_observable(obsu)
else:
print " Malformed domain: " + domains
print
# URL indicators
indiURL = Indicator()
indiURL.title = MyTITLE + " - URL"
indiURL.add_indicator_type("URL Watchlist")
print "Reading IoC url file..."
for idu, urls in enumerate(urls):
if validators.url(urls):
url = URI()
url.value = urls
url.type_ = URI.TYPE_URL
url.condition = "Equals"
obsu = Observable(url)
indiURL.add_observable(obsu)
else:
print " Malformed url: " + urls
print
# IP indicators
indiIP = Indicator()
indiIP.title = MyTITLE + " - IP"
indiIP.add_indicator_type("IP Watchlist")
print "Reading IoC IP file..."
for idu, ips in enumerate(ips):
if validators.ipv4(ips):
ip = Address()
ip.address_value = ips
obsu = Observable(ip)
indiIP.add_observable(obsu)
else:
print " Malformed IP: " + ips
print
# EMAIL indicators
indiEMAIL = Indicator()
indiEMAIL.title = MyTITLE + " - EMAIL"
indiEMAIL.add_indicator_type("Malicious E-mail")
print "Reading IoC email file..."
for idu, emails in enumerate(emails):
if validators.email(emails):
email = EmailAddress()
email.address_value = emails
obsu = Observable(email)
indiEMAIL.add_observable(obsu)
else:
print " Malformed email: " + emails
print
# add all indicators
wrapper.add_indicator(indicatorHASH)
wrapper.add_indicator(indiDOMAIN)
wrapper.add_indicator(indiURL)
wrapper.add_indicator(indiIP)
wrapper.add_indicator(indiEMAIL)
# print STIX file to stdout
print "Writing STIX package: package.stix"
f = open("package.stix", "w")
f.write(wrapper.to_xml())
f.close()
print
def main(argv):
######################################################################
# Se non impostati da command line vengono utilizzati i seguenti valori per TITLE, DESCRIPTION, IDENTITY
# Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28)
TITLE = raw_input("Insert Title Ioc:")
# La description strutturiamola come segue
# <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)>
DESCRIPTION = raw_input("Insert Decription:")
# La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community
IDENTITY = raw_input("Insert User Identity:")
# File degli IoC
IOCFILE = raw_input("Add IoC Source File:")
# Prefisso STIX output files STIX 1.2 e STIX 2
OUTFILEPREFIX = "package"
# Short Description - UNUSED
#SHORT = "Emotet"
######################################################################
VERBOSE = 0
# UTF8 encode
TITLE = TITLE.encode('utf8')
DESCRIPTION = DESCRIPTION.encode('utf8')
IDENTITY = IDENTITY.encode('utf8')
print "\nStix File generation in progress...."
#print (TITLE) #"TITLE: " + TITLE
#print (DESCRIPTION) #"DESCRIPTION: " + DESCRIPTION
#print (IDENTITY) #"IDENTITY: " + IDENTITY
#print (IOCFILE) #"IOC FILE: " + IOCFILE
#print "---------------------"
########################
# Commond data
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
########################
# Build STIX 1.2 file
info_src = InformationSource()
info_src.identity = Identity(name=IDENTITY)
NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
set_id_namespace(NAMESPACE)
wrapper = STIXPackage()
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
# HASH indicators
indicatorHASH = Indicator()
indicatorHASH.title = TITLE + " - HASH"
indicatorHASH.add_indicator_type("File Hash Watchlist")
# DOMAIN indicators
indiDOMAIN = Indicator()
indiDOMAIN.title = TITLE + " - DOMAIN"
indiDOMAIN.add_indicator_type("Domain Watchlist")
# URL indicators
indiURL = Indicator()
indiURL.title = TITLE + " - URL"
indiURL.add_indicator_type("URL Watchlist")
# IP indicators
indiIP = Indicator()
indiIP.title = TITLE + " - IP"
indiIP.add_indicator_type("IP Watchlist")
# EMAIL indicators
indiEMAIL = Indicator()
indiEMAIL.title = TITLE + " - EMAIL"
indiEMAIL.add_indicator_type("Malicious E-mail")
########################
# Build STIX 2 file
pattern_sha256 = []
pattern_md5 = []
pattern_sha1 = []
pattern_domain = []
pattern_url = []
pattern_ip = []
pattern_email = []
# Marking
marking_def_white = stix2.MarkingDefinition(definition_type="tlp",
definition={"tlp": "WHITE"})
# campagna
# [TODO] aggiungere tutti i campi dello STIX 1.2 (es. IDENTITY)
campaign_MAIN = stix2.Campaign(created=timestamp,
modified=timestamp,
name=TITLE,
description=DESCRIPTION,
first_seen=timestamp,
objective="TBD")
########################
# Read IoC file
ioc = loaddata(IOCFILE)
if (VERBOSE): print "Reading IoC file " + IOCFILE + "..."
for idx, ioc in enumerate(ioc):
notfound = 1
# sha256
p = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
# STIX 1.2
filei = File()
filei.add_hash(Hash(ioc))
obsi = Observable(filei)
indicatorHASH.add_observable(obsi)
if (VERBOSE): print "SHA256: " + ioc
notfound = 0
# STIX 2
pattern_sha256.append("[file:hashes.'SHA-256' = '" + ioc +
"'] OR ")
#md5
p = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
# STIX 1.2
filej = File()
filej.add_hash(Hash(ioc))
obsj = Observable(filej)
indicatorHASH.add_observable(obsj)
if (VERBOSE): print "MD5: " + ioc
notfound = 0
# STIX 2
pattern_md5.append("[file:hashes.'MD5' = '" + ioc + "'] OR ")
#sha1
p = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
# STIX 1.2
filek = File()
filek.add_hash(Hash(ioc))
obsk = Observable(filek)
indicatorHASH.add_observable(obsk)
if (VERBOSE): print "SHA1: " + ioc
notfound = 0
# STIX 2
pattern_sha1.append("[file:hashes.'SHA1' = '" + ioc + "'] OR ")
#domains
if validators.domain(ioc) and notfound:
# STIX 1.2
url = URI()
url.value = ioc
url.type_ = URI.TYPE_DOMAIN
url.condition = "Equals"
obsu = Observable(url)
indiDOMAIN.add_observable(obsu)
if (VERBOSE): print "DOMAIN: " + ioc
notfound = 0
# STIX 2
pattern_domain.append("[domain-name:value = '" + ioc + "'] OR ")
#url
if validators.url(ioc) and notfound:
# STIX 1.2
url = URI()
url.value = ioc
url.type_ = URI.TYPE_URL
url.condition = "Equals"
obsu = Observable(url)
indiURL.add_observable(obsu)
if (VERBOSE): print "URL: " + ioc
notfound = 0
# STIX 2
pattern_url.append("[url:value = '" + ioc + "'] OR ")
#ip
if validators.ipv4(ioc) and notfound:
# STIX 1.2
ip = Address()
ip.address_value = ioc
obsu = Observable(ip)
indiIP.add_observable(obsu)
if (VERBOSE): print "IP: " + ioc
notfound = 0
# STIX 2
pattern_ip.append("[ipv4-addr:value = '" + ioc + "'] OR ")
#email
if validators.email(ioc) and notfound:
# STIX 1.2
email = EmailAddress()
email.address_value = ioc
obsu = Observable(email)
indiEMAIL.add_observable(obsu)
if (VERBOSE): print "Email: " + ioc
notfound = 0
# STIX 2
pattern_email.append("[email-message:from_ref.value = '" + ioc +
"'] OR ")
########################
# add all indicators to STIX 1.2
wrapper.add_indicator(indicatorHASH)
wrapper.add_indicator(indiDOMAIN)
wrapper.add_indicator(indiURL)
wrapper.add_indicator(indiIP)
wrapper.add_indicator(indiEMAIL)
########################
# prepare for STIX 2
bundle_objects = [campaign_MAIN, marking_def_white]
if len(pattern_sha256) != 0:
stix2_sha256 = "".join(pattern_sha256)
stix2_sha256 = stix2_sha256[:-4]
indicator_SHA256 = stix2.Indicator(
name=TITLE + " - SHA256",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_sha256,
object_marking_refs=[marking_def_white])
relationship_indicator_SHA256 = stix2.Relationship(
indicator_SHA256, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_SHA256)
bundle_objects.append(relationship_indicator_SHA256)
if len(pattern_md5) != 0:
stix2_md5 = "".join(pattern_md5)
stix2_md5 = stix2_md5[:-4]
indicator_MD5 = stix2.Indicator(
name=TITLE + " - MD5",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_md5,
object_marking_refs=[marking_def_white])
relationship_indicator_MD5 = stix2.Relationship(
indicator_MD5, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_MD5)
bundle_objects.append(relationship_indicator_MD5)
if len(pattern_sha1) != 0:
stix2_sha1 = "".join(pattern_sha1)
stix2_sha1 = stix2_sha1[:-4]
indicator_SHA1 = stix2.Indicator(
name=TITLE + " - SHA1",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_sha1,
object_marking_refs=[marking_def_white])
relationship_indicator_SHA1 = stix2.Relationship(
indicator_SHA1, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_SHA1)
bundle_objects.append(relationship_indicator_SHA1)
if len(pattern_domain) != 0:
stix2_domain = "".join(pattern_domain)
stix2_domain = stix2_domain[:-4]
indicator_DOMAINS = stix2.Indicator(
name=TITLE + " - DOMAINS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_domain,
object_marking_refs=[marking_def_white])
relationship_indicator_DOMAINS = stix2.Relationship(
indicator_DOMAINS, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_DOMAINS)
bundle_objects.append(relationship_indicator_DOMAINS)
if len(pattern_url) != 0:
stix2_url = "".join(pattern_url)
stix2_url = stix2_url[:-4]
indicator_URLS = stix2.Indicator(
name=TITLE + " - URL",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_url,
object_marking_refs=[marking_def_white])
relationship_indicator_URLS = stix2.Relationship(
indicator_URLS, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_URLS)
bundle_objects.append(relationship_indicator_URLS)
if len(pattern_ip) != 0:
stix2_ip = "".join(pattern_ip)
stix2_ip = stix2_ip[:-4]
indicator_IPS = stix2.Indicator(
name=TITLE + " - IPS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_ip,
object_marking_refs=[marking_def_white])
relationship_indicator_IPS = stix2.Relationship(
indicator_IPS, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_IPS)
bundle_objects.append(relationship_indicator_IPS)
if len(pattern_email) != 0:
stix2_email = "".join(pattern_email)
stix2_email = stix2_email[:-4]
indicator_EMAILS = stix2.Indicator(
name=TITLE + " - EMAILS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_email,
object_marking_refs=[marking_def_white])
relationship_indicator_EMAILS = stix2.Relationship(
indicator_EMAILS, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_EMAILS)
bundle_objects.append(relationship_indicator_EMAILS)
# creo il bunble STIX 2
bundle = stix2.Bundle(objects=bundle_objects)
########################
# save to STIX 1.2 file
print
print "Writing STIX 1.2 package: " + OUTFILEPREFIX + ".stix"
f = open(OUTFILEPREFIX + ".stix", "w")
f.write(wrapper.to_xml())
f.close()
########################
# save to STIX 2 file
print "Writing STIX 2 package: " + OUTFILEPREFIX + ".stix2"
g = open(OUTFILEPREFIX + ".stix2", "w")
sys.stdout = g
print bundle
def cybox_object_uri(obj):
u = URI()
u.value = obj.uri_value
u.type_ = obj.uri_type
u.condition = obj.condition
return u
def main():
mydata = loaddata()
# NAMESPACE = {sanitizer(mydata["NSXURL"]) : sanitizer(mydata["NS"])}
# set_id_namespace(NAMESPACE)
NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS"
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name=sanitizer(mydata["Identity"]))
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = sanitizer(mydata["TLP_COLOR"])
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
MyTITLE = sanitizer(mydata["filename"]) + ": " + sanitizer(
mydata["hashes"]["md5"])
ShortDescription = timestamp
DESCRIPTION = "STIX Report for: " + sanitizer(
mydata["filename"]) + " - " + sanitizer(mydata["hashes"]["md5"])
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=ShortDescription)
wrapper.stix_header.handling = handling
fileobj = File()
fileobj.file_name = sanitizer(mydata["filename"])
fileobj.file_format = sanitizer(mydata["file_type"])
fileobj.size_in_bytes = sanitizer(mydata["file_size"])
fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["md5"])))
fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["sha1"])))
fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["sha256"])))
observable = Observable(fileobj)
if "URL_file_hosting" in mydata:
for idx, mydata["URL_file_hosting"] in enumerate(
mydata["URL_file_hosting"]):
url = URI()
url.value = sanitizer(mydata["URL_file_hosting"])
url.type_ = URI.TYPE_URL
url.condition = "Equals"
fileobj.add_related(url, "Downloaded_From")
indicator = Indicator()
indicator.title = MyTITLE
indicator.add_indicator_type("File Hash Watchlist")
indicator.add_observable(observable)
wrapper.add_indicator(indicator)
print(wrapper.to_xml())
def cybox_object_uri(obj):
u = URI()
u.value = obj.uri_value
u.type_ = obj.uri_type
u.condition = obj.condition
return u
