def url(ip,provider,reporttime):
vuln = Vulnerability()
vuln.cve_id = "IPV4-" + str(ip)
vuln.description = "maliciousURL"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
addr = Address(address_value=str(ip), category=Address.CAT_IPV4)
addr.condition = "Equals"
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "URL-" + str(ip)
indicator.description = ("Malicious URL " + str(ip) + " reported from " + provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
indicator.add_observable(addr)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open('/opt/TARDIS/Observables/URL/' + str(ip) + '.xml','w')
f.write(stix_package.to_xml())
f.close()
def md5(hash,provider,reporttime):
vuln = Vulnerability()
vuln.cve_id = "MD5-" + hash
vuln.description = "maliciousMD5"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
# Create a CyboX File Object
f = File()
# This automatically detects that it's an MD5 hash based on the length
f.add_hash(hash)
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "MD5-" + hash
indicator.description = ("Malicious hash " + hash + " reported from " + provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
# Add The File Object to the Indicator. This will promote the CybOX Object
# to a CybOX Observable internally.
indicator.add_observable(f)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open('/opt/TARDIS/Observables/MD5/' + hash + '.xml','w')
f.write(stix_package.to_xml())
f.close()
def url(ip, provider, reporttime):
vuln = Vulnerability()
vuln.cve_id = "IPV4-" + str(ip)
vuln.description = "maliciousURL"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
addr = Address(address_value=str(ip), category=Address.CAT_IPV4)
addr.condition = "Equals"
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "URL-" + str(ip)
indicator.description = ("Malicious URL " + str(ip) + " reported from " +
provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
indicator.add_observable(addr)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open('/opt/TARDIS/Observables/URL/' + str(ip) + '.xml', 'w')
f.write(stix_package.to_xml())
f.close()
def md5(hash, provider, reporttime):
vuln = Vulnerability()
vuln.cve_id = "MD5-" + hash
vuln.description = "maliciousMD5"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
# Create a CyboX File Object
f = File()
# This automatically detects that it's an MD5 hash based on the length
f.add_hash(hash)
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "MD5-" + hash
indicator.description = ("Malicious hash " + hash + " reported from " +
provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
# Add The File Object to the Indicator. This will promote the CybOX Object
# to a CybOX Observable internally.
indicator.add_observable(f)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open('/opt/TARDIS/Observables/MD5/' + hash + '.xml', 'w')
f.write(stix_package.to_xml())
f.close()
def generateTTP(incident, attribute, ttps, eventTags):
ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
setTLP(ttp, attribute["distribution"], mergeTags(eventTags, attribute["AttributeTag"]))
ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
if attribute["type"] == "vulnerability":
vulnerability = Vulnerability()
vulnerability.cve_id = attribute["value"]
et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
et.id_= namespace[1] + ":et-" + attribute["uuid"]
if attribute["comment"] != "" and attribute["comment"] != "Imported via the freetext import.":
et.title = attribute["comment"]
else:
et.title = "Vulnerability " + attribute["value"]
et.add_vulnerability(vulnerability)
ttp.exploit_targets.append(et)
else:
malware = MalwareInstance()
malware.add_name(attribute["value"])
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware)
if attribute["comment"] != "":
ttp.description = attribute["comment"]
ttps.append(ttp)
rttp = TTP(idref=ttp.id_, timestamp=ttp.timestamp)
relatedTTP = RelatedTTP(rttp, relationship=attribute["category"])
incident.leveraged_ttps.append(relatedTTP)
def main():
pkg = STIXPackage()
vuln = Vulnerability()
vuln.cve_id = "CVE-2013-3893"
et = ExploitTarget(title="Javascript vulnerability in MSIE 6-11")
et.add_vulnerability(vuln)
pkg.add_exploit_target(et)
print pkg.to_xml()
def main():
pkg = STIXPackage()
vuln = Vulnerability()
vuln.cve_id = "CVE-2013-3893"
et = ExploitTarget(title="Javascript vulnerability in MSIE 6-11")
et.add_vulnerability(vuln)
pkg.add_exploit_target(et)
print pkg.to_xml()
def generate_vulnerability(self, incident, tags, attribute):
ttp = self.create_ttp(tags, attribute)
vulnerability = Vulnerability()
vulnerability.cve_id = attribute.value
ET = ExploitTarget(timestamp=attribute.timestamp)
ET.id_ = "{}:et-{}".format(namespace[1], attribute.uuid)
if attribute.comment and attribute.comment != "Imported via the freetext import.":
ET.title = attribute.comment
else:
ET.title = "Vulnerability {}".format(attribute.value)
ET.add_vulnerability(vulnerability)
ttp.exploit_targets.append(ET)
self.append_ttp(incident, attribute, ttp)
def main():
pkg = STIXPackage()
vuln = Vulnerability()
vuln.cve_id = "CVE-2013-3893"
vuln.add_reference(
"https://technet.microsoft.com/library/security/2887505")
et = ExploitTarget(title="Javascript vulnerability in MSIE 6-11")
et.add_vulnerability(vuln)
pkg.add_exploit_target(et)
print(pkg.to_xml(encoding=None))
def add_cve_info(pkg):
global cve_info
if cve_info != []:
processed_ttps = []
for x in cve_info:
et = ExploitTarget()
for cve in x.get('cves'):
v = Vulnerability()
v.cve_id = cve
et.add_vulnerability(v)
pkg.add_exploit_target(et)
ttp = x.get('related_ttp')
if ttp not in processed_ttps:
if not ttp.exploit_targets:
ttp.exploit_targets = ExploitTargets()
ttp.exploit_targets.append(RelatedExploitTarget(ExploitTarget(idref=et._id)))
processed_ttps.append(ttp)
def fqdn(fqdn,provider,reporttime):
currentTime = time.time()
parsed_uri = urlparse( str(fqdn) )
domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri)
if domain.startswith('https'):
domain = domain[8:]
else:
domain = domain[7:]
if domain.endswith('/'):
domain = domain[:-1]
vuln = Vulnerability()
vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime)
vuln.description = "maliciousIPV4"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
url = URI()
url.value = fqdn
url.type_ = URI.TYPE_URL
url.condition = "Equals"
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "FQDN-" + str(fqdn)
indicator.description = ("Malicious FQDN " + str(fqdn) + " reported from " + provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
indicator.add_observable(url)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open('/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' + str(currentTime) + '.xml','w')
f.write(stix_package.to_xml())
f.close()
def generateTTP(incident, attribute):
ttp = TTP()
ttp.id_="example:ttp-" + attribute["uuid"]
setTLP(ttp, attribute["distribution"])
ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
if attribute["type"] == "vulnerability":
vulnerability = Vulnerability()
vulnerability.cve_id = attribute["value"]
et = ExploitTarget()
et.add_vulnerability(vulnerability)
ttp.exploit_targets.append(et)
else:
malware = MalwareInstance()
malware.add_name(attribute["value"])
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware)
relatedTTP = RelatedTTP(ttp, relationship=attribute["category"])
incident.leveraged_ttps.append(relatedTTP)
def _vulnbuild(data):
"""Do some vulnerability stuff."""
vuln = Vulnerability()
vuln.cve_id = data['id']
vuln.source = NVD_URL + data['id']
vuln.title = data['id']
vuln.description = data['summary']
# The below has issues with python-stix 1.2 and below
# (https://github.com/STIXProject/python-stix/issues/276)
# vuln.published_datetime = data['Published']
vuln.references = data['references']
vuln.is_known = 1
# Create the CVSS object and then assign it to the vulnerability object
cvssvec = CVSSVector()
cvssvec.overall_score = data['cvss']
vuln.affected_software = _affectsoft(data)
vuln.cvss_score = cvssvec
return vuln
def fqdn(fqdn, provider, reporttime):
currentTime = time.time()
parsed_uri = urlparse(str(fqdn))
domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri)
if domain.startswith('https'):
domain = domain[8:]
else:
domain = domain[7:]
if domain.endswith('/'):
domain = domain[:-1]
vuln = Vulnerability()
vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime)
vuln.description = "maliciousIPV4"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
url = URI()
url.value = fqdn
url.type_ = URI.TYPE_URL
url.condition = "Equals"
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "FQDN-" + str(fqdn)
indicator.description = ("Malicious FQDN " + str(fqdn) +
" reported from " + provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
indicator.add_observable(url)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open(
'/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' +
str(currentTime) + '.xml', 'w')
f.write(stix_package.to_xml())
f.close()
def generateTTP(incident, attribute):
ttp = TTP()
ttp.id_ = "example:ttp-" + attribute["uuid"]
setTLP(ttp, attribute["distribution"])
ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute[
"uuid"]
if attribute["type"] == "vulnerability":
vulnerability = Vulnerability()
vulnerability.cve_id = attribute["value"]
et = ExploitTarget()
et.add_vulnerability(vulnerability)
ttp.exploit_targets.append(et)
else:
malware = MalwareInstance()
malware.add_name(attribute["value"])
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware)
relatedTTP = RelatedTTP(ttp, relationship=attribute["category"])
incident.leveraged_ttps.append(relatedTTP)
def generateTTP(incident, attribute):
ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
setTLP(ttp, attribute["distribution"])
ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
if attribute["type"] == "vulnerability":
vulnerability = Vulnerability()
vulnerability.cve_id = attribute["value"]
et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
et.add_vulnerability(vulnerability)
ttp.exploit_targets.append(et)
else:
malware = MalwareInstance()
malware.add_name(attribute["value"])
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware)
if attribute["comment"] != "":
ttp.description = attribute["comment"]
relatedTTP = RelatedTTP(ttp, relationship=attribute["category"])
incident.leveraged_ttps.append(relatedTTP)
def _vulnbuild(data):
"""Do some vulnerability stuff."""
vuln = Vulnerability()
vuln.cve_id = data['id']
vuln.source = NVD_URL + data['id']
vuln.title = data['id']
vuln.description = data['summary']
# The below has issues with python-stix 1.2 and below
# (https://github.com/STIXProject/python-stix/issues/276)
# vuln.published_datetime = data['Published']
vuln.references = data['references']
vuln.is_known = 1
# Create the CVSS object and then assign it to the vulnerability object
cvssvec = CVSSVector()
cvssvec.overall_score = data['cvss']
vuln.affected_software = _affectsoft(data)
vuln.cvss_score = cvssvec
return vuln
def main():
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "CVE-2014-0160"
vuln.add_reference("http://heartbleed.com/")
et = ExploitTarget(title="Heartbleed")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="Generic Heartbleed Exploits")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title="Snort Signature for Heartbleed")
indicator.confidence = Confidence("High")
tm = SnortTestMechanism()
tm.rules = [
"""alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)""",
"""alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)"""
]
tm.efficacy = "Low"
tm.producer = InformationSource(identity=Identity(name="FOX IT"))
tm.producer.references = [
"http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/"
]
indicator.test_mechanisms = TestMechanisms([tm])
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def main():
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "CVE-2014-0160"
vuln.add_reference("http://heartbleed.com/")
et = ExploitTarget(title="Heartbleed")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="Generic Heartbleed Exploits")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title="Snort Signature for Heartbleed")
indicator.confidence = Confidence("High")
tm = SnortTestMechanism()
tm.rules = [
"""alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)""",
"""alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)"""
]
tm.efficacy = "Low"
tm.producer = InformationSource(identity=Identity(name="FOX IT"))
tm.producer.references = ["http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/"]
indicator.test_mechanisms = TestMechanisms([tm])
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def toStixXml(self, confidence, efficacy):
"""
This method converts a list of FASGuard generated Snort rules into a STIX
compliant XML string ready for output. It first converts the object
into a hash of the right format and then converts it into XML using
STIXPackage.from_dict and to_xml on the resulting object.
Arguments:
confidence - High, Medium or Low. High means low false alarm rate.
efficacy - High, Medium or Low. High means a low missed detection rate.
Returns:
Reference to string containing STIX/CybOX XML file.
"""
logger = logging.getLogger('simple_example')
self.logger = logger
self.logger.debug('In asg.fasguardStixRule')
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "Unknown"
et = ExploitTarget(title="From FASGuard")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="FASGuard Produced Signatures")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title = "Snort Signature from FASGuard")
indicator.confidence = Confidence(confidence)
tm = SnortTestMechanism()
tm.rules = self.ruleList
tm.efficacy = efficacy
tm.producer = InformationSource(identity=Identity(name="FASGuard"))
tm.producer.references = ["http://fasguard.github.io/"]
indicator.test_mechanisms = [tm]
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
return stix_package.to_xml()
# stixDict = {'campaigns': [{}],
# 'courses_of_action': [{}],
# 'exploit_targets': [{}],
# 'id': 'INSERT_PACKAGE_ID_HERE'}
# stixDict['indicators'] = [{'indicator':
# {'title':
# 'Automatically Generated FASGuard Signatures',
# 'test_mechanisms':
# {'test_mechanism':
# {'efficacy':'Low',
# 'producer':
# {'Identity':'FASGuard'},
# 'rule':'xyz'}}}}
# ]
stix_package = STIXPackage.from_dict(stixDict)
stix_xml = stix_package.to_xml()
return stix_xml
def toStixXml(self, confidence, efficacy):
"""
This method converts a list of FASGuard generated Snort rules into a STIX
compliant XML string ready for output. It first converts the object
into a hash of the right format and then converts it into XML using
STIXPackage.from_dict and to_xml on the resulting object.
Arguments:
confidence - High, Medium or Low. High means low false alarm rate.
efficacy - High, Medium or Low. High means a low missed detection rate.
Returns:
Reference to string containing STIX/CybOX XML file.
"""
logger = logging.getLogger('simple_example')
self.logger = logger
self.logger.debug('In asg.fasguardStixRule')
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "Unknown"
et = ExploitTarget(title="From FASGuard")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="FASGuard Produced Signatures")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title="Snort Signature from FASGuard")
indicator.confidence = Confidence(confidence)
tm = SnortTestMechanism()
tm.rules = self.ruleList
tm.efficacy = efficacy
tm.producer = InformationSource(identity=Identity(name="FASGuard"))
tm.producer.references = ["http://fasguard.github.io/"]
indicator.test_mechanisms = [tm]
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
return stix_package.to_xml()
# stixDict = {'campaigns': [{}],
# 'courses_of_action': [{}],
# 'exploit_targets': [{}],
# 'id': 'INSERT_PACKAGE_ID_HERE'}
# stixDict['indicators'] = [{'indicator':
# {'title':
# 'Automatically Generated FASGuard Signatures',
# 'test_mechanisms':
# {'test_mechanism':
# {'efficacy':'Low',
# 'producer':
# {'Identity':'FASGuard'},
# 'rule':'xyz'}}}}
# ]
stix_package = STIXPackage.from_dict(stixDict)
stix_xml = stix_package.to_xml()
return stix_xml
