def main():
    """Build a one-indicator STIX package around a file hash and print it as XML.

    The package holds a single CybOX File object carrying the sample digest
    below (the library picks the hash type from the digest length, as the
    original comment notes), wrapped in an Indicator with producer, time and
    impact metadata.  The serialized package is written to stdout.
    """
    # CybOX file object carrying only the digest; add_hash() receives a bare
    # string, so the hash type is chosen by the library from its length.
    sample_file = File()
    sample_file.add_hash("8994a4713713e4683117e35d8689ea24")

    # Indicator metadata built from what is known about the sample.
    indicator = Indicator()
    indicator.title = "Feeds and Risk Score"
    indicator.description = (
        "An indicator containing the feed and the appropriate Risk Score"
    )
    indicator.set_producer_identity("Malshare")
    # NOTE(review): "01/05/2019" is day/month ambiguous; how it is read is
    # up to the library's date parser -- confirm the intended date.
    indicator.set_produced_time("01/05/2019")
    indicator.likely_impact = "Risk Score: 4(Critical)"
    # Attach the file object to the indicator.
    indicator.add_object(sample_file)

    # STIX report with a short header description, then the indicator.
    header = STIXHeader()
    header.description = "Feeds in STIX format with their Risk Scores"
    package = STIXPackage()
    package.stix_header = header
    package.add(indicator)

    # Emit the XML serialization on stdout.
    print(package.to_xml())
def main():
    """Build a STIX package with a threat actor and a risk-score indicator and print it.

    The actor is identified by the sample IP address below; it and a separate
    "Risk Score" Indicator are added to one STIXPackage, which is serialized
    with to_xml() and written to stdout.
    """
    # Threat actor described with the information available.
    # NOTE(review): information_source, identity and types are assigned bare
    # strings here, whereas elsewhere in this file the same fields are set
    # through InformationSource()/Identity() objects -- confirm the library
    # accepts (or coerces) the plain strings.
    actor = ThreatActor()
    actor.title = "Ip/Domain/Hostname"
    actor.description = "A threatActor commited with malicious tasks"
    actor.information_source = "Malshare"
    # NOTE(review): "01/05/2019" is day/month ambiguous -- confirm the intended date.
    actor.timestamp = "01/05/2019"
    actor.identity = "106.113.123.197"
    actor.types = "eCrime Actor - Spam Service"

    # Indicator that carries only the risk score.
    indicator = Indicator()
    indicator.title = "Risk Score"
    indicator.description = "An indicator containing the appropriate Risk Score"
    indicator.set_produced_time("01/05/2019")
    indicator.likely_impact = "Risk Score: 2(Medium)"

    # STIX report with a short header description; actor first, then indicator.
    header = STIXHeader()
    header.description = "Feeds in STIX format with their Risk Scores"
    package = STIXPackage()
    package.stix_header = header
    for entity in (actor, indicator):
        package.add(entity)

    # Emit the XML serialization on stdout.
    print(package.to_xml())
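def main(file_hash='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', badness=0, in_response_to="1234"):
    """Build a TAXII 1.1 PollResponse carrying a STIX file-hash reputation and print it.

    The original hard-coded all three values; they are now parameters with the
    same defaults, so ``main()`` behaves exactly as before.

    Args:
        file_hash: digest to report on. The default is the original 32-character
            placeholder; add_hash() is handed the bare string and the library
            picks the hash type.
        badness: reputation value between 0 and 100, or None when unknown.
        in_response_to: message id of the poll request being answered. A real
            service must echo the id of the request it actually received
            rather than a fixed value.

    Raises:
        ValueError: if badness is not None and lies outside 0..100.
    """
    if badness is not None and not 0 <= badness <= 100:
        raise ValueError("badness must be between 0 and 100, or None; got %r" % (badness,))

    sp = STIXPackage()
    sp.stix_header = STIXHeader()
    sp.stix_header.title = "File Hash Reputation for %s" % file_hash
    sp.stix_header.add_package_intent("Indicators - Malware Artifacts")
    sp.stix_header.information_source = InformationSource()
    sp.stix_header.information_source.identity = Identity()
    sp.stix_header.information_source.identity.name = "TAXII Service Profile: File Hash Reputation"

    # Observable: the file identified by its hash, matched with an exact-equality condition.
    file_obj = File()
    file_obj.add_hash(file_hash)
    file_obj.hashes[0].simple_hash_value.condition = "Equals"

    indicator = Indicator(title="File Hash Reputation")
    indicator.indicator_type = "File Hash Reputation"
    indicator.add_observable(file_obj)

    # likely_impact carries the reputation as a 'percentage' vocab string,
    # or the literal "Unknown" when no value is available.
    if badness is None:
        indicator.likely_impact = "Unknown"
    else:
        vs = VocabString(str(badness))
        vs.vocab_name = 'percentage'
        vs.vocab_reference = "http://en.wikipedia.org/wiki/Percentage"
        indicator.likely_impact = vs
    sp.add_indicator(indicator)
    stix_xml = sp.to_xml()

    # Wrap the STIX XML in a single TAXII 1.1 content block on the poll response.
    poll_response = tm11.PollResponse(message_id=generate_message_id(),
                                      in_response_to=in_response_to,
                                      collection_name='file_hash_reputation')
    cb = tm11.ContentBlock(content_binding=CB_STIX_XML_111, content=stix_xml)
    poll_response.content_blocks.append(cb)
    # Parenthesized so this line is valid on both Python 2 (single-argument
    # print statement) and Python 3, matching the print() calls elsewhere in the file.
    print(poll_response.to_xml(pretty_print=True))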
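def buildIndicator(input_dict):
    """Build a STIX Indicator from a flat dict of field values.

    Required keys (a missing one raises KeyError, as before): "description",
    "title", "starttime", "endtime".  Optional keys, applied only when present
    and truthy: "confidence", "impact", "producer" (wrapped in
    InformationSource/Identity) and "type" (passed to add_indicator_type).
    Previously every optional key also had to exist in the dict; a caller may
    now simply omit it.

    Args:
        input_dict: mapping of the keys above to their values. Values are
            passed straight through to python-stix; starttime/endtime go to
            valid_time.ValidTime unchanged.

    Returns:
        The populated Indicator.

    Raises:
        KeyError: if a required key is absent.
    """
    indicator = Indicator()
    indicator.description = input_dict["description"]
    indicator.title = input_dict["title"]

    # Optional fields: .get() lets a caller omit the key entirely instead of
    # having to supply an explicit falsy placeholder.
    confidence = input_dict.get("confidence")
    if confidence:
        indicator.confidence = confidence
    impact = input_dict.get("impact")
    if impact:
        indicator.likely_impact = impact
    producer = input_dict.get("producer")
    if producer:
        indicator.producer = InformationSource()
        # NOTE(review): Identity() is called positionally here, while elsewhere
        # in this file the producer name is set via Identity().name or
        # set_producer_identity(); confirm the first positional parameter of
        # Identity in the pinned python-stix version is the field intended.
        indicator.producer.identity = Identity(producer)

    # Validity window is mandatory; both bounds are passed through unchanged.
    indicator.add_valid_time_position(
        valid_time.ValidTime(input_dict["starttime"], input_dict["endtime"])
    )
    indicator_type = input_dict.get("type")
    if indicator_type:
        indicator.add_indicator_type(indicator_type)
    return indicator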