def create_url_observable(url):
    """Wrap *url* in a CybOX Observable labelled as a sandbox-derived malware artifact."""
    uri = URI.from_dict({"value": url, "type": URI.TYPE_URL})
    observable = Observable(uri)
    labels = {
        "title": "Malware Artifact - URL",
        "description": "URL derived from sandboxed malware sample.",
        "short_description": "URL from malware.",
    }
    for attr, text in labels.items():
        setattr(observable, attr, text)
    return observable
def create_domain_name_observable(domain_name):
    """Return a CybOX Observable whose object is a URI of type DOMAIN for *domain_name*."""
    uri_dict = {"value": domain_name, "type": URI.TYPE_DOMAIN}
    return Observable(URI.from_dict(uri_dict))
def create_domain_name_observable(domain_name):
    """Build a CybOX Observable for a domain name seen in a sandboxed malware run."""
    observable = Observable(URI.from_dict({"value": domain_name, "type": URI.TYPE_DOMAIN}))
    observable.title, observable.description, observable.short_description = (
        "Malware Artifact - Domain",
        "Domain derived from sandboxed malware sample.",
        "Domain from malware.",
    )
    return observable
def create_url_observable(url):
    """Build a CybOX Observable for a URL seen in a sandboxed malware run."""
    observable = Observable(URI.from_dict({'value': url, 'type': URI.TYPE_URL}))
    observable.title, observable.description, observable.short_description = (
        "Malware Artifact - URL",
        "URL derived from sandboxed malware sample.",
        "URL from malware.",
    )
    return observable
def from_dict(registrar_dict):
    """Build a WhoisRegistrar from its dict form; an empty or None dict yields None.

    Missing keys become None-valued properties because every field is read
    with dict.get and passed through the corresponding from_dict/from_list.
    """
    if not registrar_dict:
        return None
    get = registrar_dict.get
    registrar = WhoisRegistrar()
    # Plain string-valued fields, in their original assignment order.
    for field in ("registrar_id", "registrar_guid", "name", "address"):
        setattr(registrar, field, String.from_dict(get(field)))
    registrar.email_address = Address.from_dict(get("email_address"), Address.CAT_EMAIL)
    registrar.phone_number = String.from_dict(get("phone_number"))
    for field in ("whois_server", "referral_url"):
        setattr(registrar, field, URI.from_dict(get(field)))
    registrar.contacts = WhoisContacts.from_list(get("contacts"))
    return registrar
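def from_dict(mal_conf_storage_dict):
    """Build a MalwareConfigurationStorageDetails from its dict form.

    Returns None for an empty or None input. The ``url`` list is built from
    the ``url`` key; the previous implementation tested ``url`` but iterated
    ``configuration_parameter``, so URLs were never populated from their own
    key (and raised KeyError when ``configuration_parameter`` was absent).
    """
    if not mal_conf_storage_dict:
        return None
    get = mal_conf_storage_dict.get
    details = MalwareConfigurationStorageDetails()
    # dict.get rather than [] so a missing sub-object is passed as None, matching
    # the sibling from_dict helpers in this file; NOTE(review): assumes
    # MalwareBinaryConfigurationStorageDetails.from_dict(None) returns None like
    # File.from_dict does — confirm.
    details.malware_binary = MalwareBinaryConfigurationStorageDetails.from_dict(get("malware_binary"))
    details.file = File.from_dict(get("file"))
    urls = get("url")
    if urls:
        details.url = [URI.from_dict(x) for x in urls]
    return details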
def create_domain_name_observable(domain_name):
    """Wrap *domain_name* in a CybOX Observable labelled as a sandbox-derived malware artifact."""
    uri = URI.from_dict({'value': domain_name, 'type': URI.TYPE_DOMAIN})
    observable = Observable(uri)
    labels = {
        "title": "Malware Artifact - Domain",
        "description": "Domain derived from sandboxed malware sample.",
        "short_description": "Domain from malware.",
    }
    for attr, text in labels.items():
        setattr(observable, attr, text)
    return observable
def add_url_observable(self, url):
    """Attach a URL observable to self.url_indicator, at most once per distinct URL.

    Deduplication is tracked in self.__urls; a URL already seen is ignored.
    """
    if url in self.__urls:
        return
    self.__urls.add(url)
    observable = Observable(URI.from_dict({'value': url, 'type': URI.TYPE_URL}))
    observable.title, observable.description, observable.short_description = (
        "Malware Artifact - URL",
        "URL derived from sandboxed malware sample.",
        "URL from malware.",
    )
    self.url_indicator.add_observable(observable)
def add_domain_name_observable(self, domain_name):
    """Attach a domain observable to self.domain_indicator, at most once per distinct name.

    Deduplication is tracked in self.__domains; a domain already seen is ignored.
    """
    if domain_name in self.__domains:
        return
    self.__domains.add(domain_name)
    observable = Observable(URI.from_dict({'value': domain_name, 'type': URI.TYPE_DOMAIN}))
    observable.title, observable.description, observable.short_description = (
        "Malware Artifact - Domain",
        "Domain derived from sandboxed malware sample.",
        "Domain from malware.",
    )
    self.domain_indicator.add_observable(observable)
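def from_dict(message_dict):
    """Build an EmailMessage from its dict form; an empty or None dict yields None.

    The None guard matches the other from_dict helpers in this file; without it
    a None input raised AttributeError on the first .get call. Attachments and
    links are appended in the order given.
    """
    if not message_dict:
        return None
    get = message_dict.get
    message = EmailMessage()
    message.attachments.extend(File.from_dict(a) for a in get('attachments', []))
    message.links.extend(URI.from_dict(link) for link in get('links', []))
    message.header = EmailHeader.from_dict(get('header'))
    message.optional_header = OptionalHeader.from_dict(get('optional_header'))
    for field in ('email_server', 'raw_body', 'raw_header'):
        setattr(message, field, String.from_dict(get(field)))
    return message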
def from_dict(whois_dict):
    """Build a WhoisEntry from its dict form; an empty or None dict yields None.

    Base ObjectProperties fields are filled first, then each WHOIS field is
    read with dict.get so missing keys become None-valued properties.
    """
    if not whois_dict:
        return None
    get = whois_dict.get
    entry = WhoisEntry()
    ObjectProperties.from_dict(whois_dict, entry)
    entry.domain_name = URI.from_dict(get('domain_name'))
    entry.domain_id = String.from_dict(get('domain_id'))
    entry.server_name = URI.from_dict(get('server_name'))
    entry.ip_address = Address.from_dict(get('ip_address'), Address.CAT_IPV4)
    # dnssec is stored raw, not wrapped in a CybOX type.
    entry.dnssec = get('dnssec')
    entry.nameservers = WhoisNameservers.from_list(get('nameservers'))
    entry.status = WhoisStatuses.from_list(get('status'))
    for field in ('updated_date', 'creation_date', 'expiration_date'):
        setattr(entry, field, DateTime.from_dict(get(field)))
    for field in ('regional_internet_registry', 'sponsoring_registrar'):
        setattr(entry, field, String.from_dict(get(field)))
    entry.registrar_info = WhoisRegistrar.from_dict(get('registrar_info'))
    entry.registrants = WhoisRegistrants.from_list(get('registrants'))
    entry.contact_info = WhoisContact.from_dict(get('contact_info'))
    return entry
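def from_dict(dns_record_dict):
    """Build a DNSRecord from its dict form; an empty or None dict yields None.

    Fix: ``ttl`` is now read from the ``ttl`` key. The previous implementation
    read it from ``record_type``, so the TTL silently carried the record type
    string instead of the time-to-live.
    """
    if not dns_record_dict:
        return None
    get = dns_record_dict.get
    record = DNSRecord()
    record.description = StructuredText.from_dict(get('description'))
    record.domain_name = URI.from_dict(get('domain_name'))
    record.ip_address = Address.from_dict(get('ip_address'))
    for field in ('address_class', 'entry_type', 'record_name', 'record_type'):
        setattr(record, field, String.from_dict(get(field)))
    record.ttl = Integer.from_dict(get('ttl'))
    record.flags = HexBinary.from_dict(get('flags'))
    record.data_length = Integer.from_dict(get('data_length'))
    # record_data is stored raw, not wrapped in a CybOX type.
    record.record_data = get('record_data')
    return record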
def create_url_observable(url):
    """Return a CybOX Observable whose object is a URI of type URL for *url*."""
    uri_dict = {'value': url, 'type': URI.TYPE_URL}
    return Observable(URI.from_dict(uri_dict))
def create_domain_name_observable(domain_name):
    """Wrap *domain_name* in a CybOX Observable (URI object of type DOMAIN)."""
    return Observable(URI.from_dict({'value': domain_name, 'type': URI.TYPE_DOMAIN}))
def create_domain_name_observable(domain_name):
    """Return a CybOX Observable whose object is a URI of type DOMAIN for *domain_name*."""
    uri_dict = {"value": domain_name, "type": URI.TYPE_DOMAIN}
    return Observable(URI.from_dict(uri_dict))
def create_url_observable(url):
    """Wrap *url* in a CybOX Observable (URI object of type URL)."""
    return Observable(URI.from_dict({"value": url, "type": URI.TYPE_URL}))
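def build(self):
    """Populate self.stix_package from the OTX pulse held in self.pulse.

    Fills the STIX header (title, description, link back to the pulse,
    information source) and then emits one Indicator wrapping one Observable
    per pulse indicator whose type is understood; other types are skipped.

    Changes from the previous version: the unused ``hashes``/``addresses``/
    ``domains``/``urls``/``mails`` lists and the per-branch ``new_ind``
    Indicators that were built but never added are gone, and observable
    construction lives in ``_observable_for`` so the loop only does bookkeeping.
    """
    pulse_ref = "%spulse/%s" % (PULSE_SERVER_BASE, str(self.pulse["id"]))
    header = self.stix_header
    # NOTE(review): name/description are copied verbatim from the OTX feed;
    # this relies on the STIX serializer to escape them — confirm.
    header.title = self.pulse["name"]
    header.description = self.pulse["description"]
    header.short_description = pulse_ref
    header.package_intents.append(PackageIntent.TERM_INDICATORS)
    source = InformationSource()
    source.time = Time()
    source.time.produced_time = self.pulse["modified"]
    source.description = "Alienvault OTX - https://otx.alienvault.com/"
    source.identity = Identity()
    source.identity.name = "Alienvault OTX"
    header.information_source = source
    self.stix_package.stix_header = header

    for p_indicator in self.pulse["indicators"]:
        observable_ = self._observable_for(p_indicator)
        if observable_ is None:
            continue
        observable_.title = "%s - %s" % (p_indicator["type"], p_indicator["indicator"])
        mind = Indicator()
        mind.description = p_indicator["description"]
        mind.title = "%s from %s" % (p_indicator["indicator"], pulse_ref)
        mind.add_observable(observable_)
        self.stix_package.add_indicator(mind)

def _observable_for(self, p_indicator):
    """Return a CybOX Observable for one pulse indicator, or None if its type is unsupported.

    Dispatches on ``p_indicator["type"]``: the hash/address/name translation
    tables on ``self`` first, then the literal URL, email, Mutex and CIDR types.
    """
    kind = p_indicator["type"]
    value = p_indicator["indicator"]
    if kind in self.hash_translation:
        file_ = File()
        file_.add_hash(Hash(value, self.hash_translation[kind]))
        return Observable(file_)
    if kind in self.address_translation:
        address = Address.from_dict({
            'address_value': value,
            'category': self.address_translation[kind],
        })
        return Observable(address)
    if kind in self.name_translation:
        return Observable(DomainName.from_dict({'value': value, 'type': 'FQDN'}))
    if kind == "URL":
        return Observable(URI.from_dict({'value': value, 'type': URI.TYPE_URL}))
    if kind == "email":
        return Observable(Address.from_dict({'address_value': value, 'category': Address.CAT_EMAIL}))
    if kind == "Mutex":
        return Observable(Mutex.from_dict({'named': True, 'name': value}))
    if kind == "CIDR":
        # IP(...).strNormal(3) renders the block as "first-last"; CybOX expresses
        # a range as a comma-separated pair plus an InclusiveBetween condition.
        nrange_values = IP(value).strNormal(3).replace("-", ",")
        ipv4_ = Address.from_dict({'address_value': nrange_values, 'category': Address.CAT_IPV4})
        ipv4_.address_value.condition = "InclusiveBetween"
        return Observable(ipv4_)
    # CVE indicators are deliberately not emitted: the earlier Vulnerability-based
    # branch was disabled, so they (and any other unknown type) are skipped.
    return None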
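def build(self):
    """Populate self.stix_package from the OTX pulse held in self.pulse.

    Fills the STIX header (title, description, link back to the pulse,
    information source) and then emits one Indicator wrapping one Observable
    per pulse indicator whose type is understood; other types are skipped.

    Changes from the previous version: the unused ``hashes``/``addresses``/
    ``domains``/``urls``/``mails`` lists and the per-branch ``new_ind``
    Indicators that were built but never added are gone, and observable
    construction lives in ``_observable_for`` so the loop only does bookkeeping.
    """
    pulse_ref = "%spulse/%s" % (PULSE_SERVER_BASE, str(self.pulse["id"]))
    header = self.stix_header
    # NOTE(review): name/description are copied verbatim from the OTX feed;
    # this relies on the STIX serializer to escape them — confirm.
    header.title = self.pulse["name"]
    header.description = self.pulse["description"]
    header.short_description = pulse_ref
    header.package_intents.append(PackageIntent.TERM_INDICATORS)
    source = InformationSource()
    source.time = Time()
    source.time.produced_time = self.pulse["modified"]
    source.description = "Alienvault OTX - https://otx.alienvault.com/"
    source.identity = Identity()
    source.identity.name = "Alienvault OTX"
    header.information_source = source
    self.stix_package.stix_header = header

    for p_indicator in self.pulse["indicators"]:
        observable_ = self._observable_for(p_indicator)
        if observable_ is None:
            continue
        observable_.title = "%s - %s" % (p_indicator["type"], p_indicator["indicator"])
        mind = Indicator()
        mind.description = p_indicator["description"]
        mind.title = "%s from %s" % (p_indicator["indicator"], pulse_ref)
        mind.add_observable(observable_)
        self.stix_package.add_indicator(mind)

def _observable_for(self, p_indicator):
    """Return a CybOX Observable for one pulse indicator, or None if its type is unsupported.

    Dispatches on ``p_indicator["type"]``: the hash/address/name translation
    tables on ``self`` first, then the literal URL, email, Mutex and CIDR types.
    """
    kind = p_indicator["type"]
    value = p_indicator["indicator"]
    if kind in self.hash_translation:
        file_ = File()
        file_.add_hash(Hash(value, self.hash_translation[kind]))
        return Observable(file_)
    if kind in self.address_translation:
        address = Address.from_dict({
            'address_value': value,
            'category': self.address_translation[kind],
        })
        return Observable(address)
    if kind in self.name_translation:
        return Observable(DomainName.from_dict({'value': value, 'type': 'FQDN'}))
    if kind == "URL":
        return Observable(URI.from_dict({'value': value, 'type': URI.TYPE_URL}))
    if kind == "email":
        return Observable(Address.from_dict({'address_value': value, 'category': Address.CAT_EMAIL}))
    if kind == "Mutex":
        return Observable(Mutex.from_dict({'named': True, 'name': value}))
    if kind == "CIDR":
        # IP(...).strNormal(3) renders the block as "first-last"; CybOX expresses
        # a range as a comma-separated pair plus an InclusiveBetween condition.
        nrange_values = IP(value).strNormal(3).replace("-", ",")
        ipv4_ = Address.from_dict({'address_value': nrange_values, 'category': Address.CAT_IPV4})
        ipv4_.address_value.condition = "InclusiveBetween"
        return Observable(ipv4_)
    # CVE indicators are deliberately not emitted: the earlier Vulnerability-based
    # branch was disabled, so they (and any other unknown type) are skipped.
    return None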