예제 #1
0
def url(ip,provider,reporttime):
    vuln = Vulnerability()
    vuln.cve_id = "IPV4-" + str(ip)
    vuln.description = "maliciousURL"
    et = ExploitTarget(title=provider + " observable")
    et.add_vulnerability(vuln)
    
    addr = Address(address_value=str(ip), category=Address.CAT_IPV4) 
    addr.condition = "Equals"
    
     # Create an Indicator with the File Hash Object created above.
    indicator = Indicator()
    indicator.title = "URL-" + str(ip)
    indicator.description = ("Malicious URL " + str(ip) + " reported from " + provider)
    indicator.set_producer_identity(provider)
    indicator.set_produced_time(reporttime)
    indicator.add_observable(addr)
    # Create a STIX Package
    stix_package = STIXPackage()
    
    stix_package.add(et)
    stix_package.add(indicator)
    
    # Print the XML!
    #print(stix_package.to_xml())
    f = open('/opt/TARDIS/Observables/URL/' + str(ip) + '.xml','w')
    f.write(stix_package.to_xml())
    f.close()
예제 #2
0
def md5(hash,provider,reporttime):
    vuln = Vulnerability()
    vuln.cve_id = "MD5-" + hash
    vuln.description = "maliciousMD5"
    et = ExploitTarget(title=provider + " observable")
    et.add_vulnerability(vuln) 
    # Create a CyboX File Object
    f = File()
    # This automatically detects that it's an MD5 hash based on the length
    f.add_hash(hash)
    
    # Create an Indicator with the File Hash Object created above.
    indicator = Indicator()
    indicator.title = "MD5-" + hash
    indicator.description = ("Malicious hash " + hash + " reported from " + provider)
    indicator.set_producer_identity(provider)
    indicator.set_produced_time(reporttime)

    
    # Add The File Object to the Indicator. This will promote the CybOX Object
    # to a CybOX Observable internally.
    
    indicator.add_observable(f)

    # Create a STIX Package
    stix_package = STIXPackage()
    
    stix_package.add(et)
    stix_package.add(indicator)
    
    # Print the XML!
    #print(stix_package.to_xml())
    f = open('/opt/TARDIS/Observables/MD5/' + hash + '.xml','w')
    f.write(stix_package.to_xml())
    f.close()
예제 #3
0
def url(ip, provider, reporttime):
    vuln = Vulnerability()
    vuln.cve_id = "IPV4-" + str(ip)
    vuln.description = "maliciousURL"
    et = ExploitTarget(title=provider + " observable")
    et.add_vulnerability(vuln)

    addr = Address(address_value=str(ip), category=Address.CAT_IPV4)
    addr.condition = "Equals"

    # Create an Indicator with the File Hash Object created above.
    indicator = Indicator()
    indicator.title = "URL-" + str(ip)
    indicator.description = ("Malicious URL " + str(ip) + " reported from " +
                             provider)
    indicator.set_producer_identity(provider)
    indicator.set_produced_time(reporttime)
    indicator.add_observable(addr)
    # Create a STIX Package
    stix_package = STIXPackage()

    stix_package.add(et)
    stix_package.add(indicator)

    # Print the XML!
    #print(stix_package.to_xml())
    f = open('/opt/TARDIS/Observables/URL/' + str(ip) + '.xml', 'w')
    f.write(stix_package.to_xml())
    f.close()
예제 #4
0
def md5(hash, provider, reporttime):
    vuln = Vulnerability()
    vuln.cve_id = "MD5-" + hash
    vuln.description = "maliciousMD5"
    et = ExploitTarget(title=provider + " observable")
    et.add_vulnerability(vuln)
    # Create a CyboX File Object
    f = File()
    # This automatically detects that it's an MD5 hash based on the length
    f.add_hash(hash)

    # Create an Indicator with the File Hash Object created above.
    indicator = Indicator()
    indicator.title = "MD5-" + hash
    indicator.description = ("Malicious hash " + hash + " reported from " +
                             provider)
    indicator.set_producer_identity(provider)
    indicator.set_produced_time(reporttime)

    # Add The File Object to the Indicator. This will promote the CybOX Object
    # to a CybOX Observable internally.

    indicator.add_observable(f)

    # Create a STIX Package
    stix_package = STIXPackage()

    stix_package.add(et)
    stix_package.add(indicator)

    # Print the XML!
    #print(stix_package.to_xml())
    f = open('/opt/TARDIS/Observables/MD5/' + hash + '.xml', 'w')
    f.write(stix_package.to_xml())
    f.close()
예제 #5
0
def vulnbuild(data):
    """Do some vulnerability stuff."""
    vuln = Vulnerability()
    vuln.cve_id = data['id']
    vuln.source = NVD_URL + data['id']
    vuln.title = data['id']
    vuln.description = data['summary']
    # The below has issues with python-stix 1.2 (https://github.com/STIXProject
    # /python-stix/issues/276)
    # vuln.published_datetime = data['Published']
    vuln.references = data['references']
    vuln.is_known = 1
    # Create the CVSS object and then assign it to the vuln object
    cvssvec = CVSSVector()
    cvssvec.overall_score = data['cvss']
    vuln.cvss_score = cvssvec
    return vuln
예제 #6
0
def fqdn(fqdn,provider,reporttime):
    currentTime = time.time()
    parsed_uri = urlparse( str(fqdn) )
    domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri)
    if domain.startswith('https'):
        domain = domain[8:]
    else:
        domain = domain[7:]
    if domain.endswith('/'):
        domain = domain[:-1]


    vuln = Vulnerability()
    vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime)
    vuln.description = "maliciousIPV4"
    et = ExploitTarget(title=provider + " observable")
    et.add_vulnerability(vuln)
    
    url = URI()
    url.value = fqdn
    url.type_ =  URI.TYPE_URL
    url.condition = "Equals"
    
     # Create an Indicator with the File Hash Object created above.
    indicator = Indicator()
    indicator.title = "FQDN-" + str(fqdn)
    indicator.description = ("Malicious FQDN " + str(fqdn) + " reported from " + provider)
    indicator.set_producer_identity(provider)
    indicator.set_produced_time(reporttime)
    indicator.add_observable(url)
    # Create a STIX Package
    stix_package = STIXPackage()
    
    stix_package.add(et)
    stix_package.add(indicator)
    
    # Print the XML!
    #print(stix_package.to_xml())
    
    
    f = open('/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' + str(currentTime) + '.xml','w')
    f.write(stix_package.to_xml())
    f.close()

    
예제 #7
0
def fqdn(fqdn, provider, reporttime):
    currentTime = time.time()
    parsed_uri = urlparse(str(fqdn))
    domain = '{uri.scheme}://{uri.netloc}/'.format(uri=parsed_uri)
    if domain.startswith('https'):
        domain = domain[8:]
    else:
        domain = domain[7:]
    if domain.endswith('/'):
        domain = domain[:-1]

    vuln = Vulnerability()
    vuln.cve_id = "FQDN-" + str(domain) + '_' + str(currentTime)
    vuln.description = "maliciousIPV4"
    et = ExploitTarget(title=provider + " observable")
    et.add_vulnerability(vuln)

    url = URI()
    url.value = fqdn
    url.type_ = URI.TYPE_URL
    url.condition = "Equals"

    # Create an Indicator with the File Hash Object created above.
    indicator = Indicator()
    indicator.title = "FQDN-" + str(fqdn)
    indicator.description = ("Malicious FQDN " + str(fqdn) +
                             " reported from " + provider)
    indicator.set_producer_identity(provider)
    indicator.set_produced_time(reporttime)
    indicator.add_observable(url)
    # Create a STIX Package
    stix_package = STIXPackage()

    stix_package.add(et)
    stix_package.add(indicator)

    # Print the XML!
    #print(stix_package.to_xml())

    f = open(
        '/opt/TARDIS/Observables/FQDN/' + str(domain) + '_' +
        str(currentTime) + '.xml', 'w')
    f.write(stix_package.to_xml())
    f.close()