def test_indicator(self): i = Indicator() i.title = UNICODE_STR i.description = UNICODE_STR i.short_description = UNICODE_STR i2 = round_trip(i) self._test_equal(i, i2)
def create_indicator(self, ce1sus_indicator, event_permissions, user): indicator = Indicator() indicator.id_ = 'ce1sus:Indicator-{0}'.format(ce1sus_indicator.uuid) indicator.title = ce1sus_indicator.title indicator.description = ce1sus_indicator.description indicator.short_description = ce1sus_indicator.short_description if ce1sus_indicator.confidence: indicator.confidence = ce1sus_indicator.confidence.title() else: indicator.confidence = 'Low' # TODO: handling # TODO: markings for type_ in ce1sus_indicator.types: indicator.add_indicator_type(type_.name) if ce1sus_indicator.operator: indicator.observable_composition_operator = ce1sus_indicator.operator # Todo Add confidence # indicator_attachment.confidence = "Low" creator = self.create_stix_identity(ce1sus_indicator) time = self.cybox_mapper.get_time( produced_time=ce1sus_indicator.created_at) info_source = InformationSource(identity=creator, time=time) indicator.producer = info_source observables = ce1sus_indicator.get_observables_for_permissions( event_permissions, user) for obs in observables: cybox_obs = self.create_observable(obs, event_permissions, user) indicator.add_observable(cybox_obs) valid_time = ValidTime(start_time=ce1sus_indicator.created_at, end_time=ce1sus_indicator.created_at) indicator.add_valid_time_position(valid_time) return indicator
def to_stix_relationship(obj): from stix.indicator import Indicator ind_rel = [] for relationship in obj.relationships: #if not relationship.private: #testing ind = Indicator() ind.title = "MARTI Relation" ind.timestamp = relationship.relationship_date ind.confidence = relationship.rel_confidence.title() ind.id_ = relationship.url_key ind.add_indicator_type(get_indicator_type(relationship.rel_type)) ind.description = relationship.rel_reason ind.short_description = relationship.relationship ind_rel.append(ind) return ind_rel
def to_stix_comments(obj): from crits.comments.handlers import get_comments from stix.indicator import Indicator as S_Ind comments = get_comments(obj.id, obj._meta['crits_type'], False) ind_comments = [] for each in comments: if not each.private: ind = S_Ind() ind.title = "CRITs Comment(s)" ind.description = each.comment ind.short_description = each.url_key ind.producer = to_stix_information_source(each) ind.timestamp = each.edit_date #should be date, but for some reason, it's not getting the correct value ind_comments.append(ind) return ind_comments
def __init__(self, alert): self.__urls = set() self.__domains = set() self.__ipv4 = set() self.__hashes = set() self.__regkeys = set() self.__files = set() self.__emails = set() PRODUCER_NAME = alert.product # Domains domain_indicator = Indicator() domain_indicator.title = "Malware Artifacts - Domain" domain_indicator.type = "Malware Artifacts" domain_indicator.description = ("Domains derived from sandboxed malware sample. AlertID: %d" % alert.id) domain_indicator.short_description = ("Domains from %d" % alert.id) domain_indicator.set_producer_identity(PRODUCER_NAME) domain_indicator.set_produced_time(utils.dates.now()) domain_indicator.indicator_types.append(IndicatorType_1_1.TERM_DOMAIN_WATCHLIST) self.domain_indicator = domain_indicator # IPs ip_indicator = Indicator() ip_indicator.title = "Malware Artifacts - IP" ip_indicator.description = ("IPs derived from sandboxed malware sample. AlertID: %d" % alert.id) ip_indicator.short_description = ("IPs from %d" % alert.id) ip_indicator.set_producer_identity(PRODUCER_NAME) ip_indicator.set_produced_time(utils.dates.now()) ip_indicator.indicator_types.append(IndicatorType_1_1.TERM_IP_WATCHLIST) self.ip_indicator = ip_indicator # URLs url_indicator = Indicator() url_indicator.title = "Malware Artifacts - URL" url_indicator.description = ("URLs derived from sandboxed malware sample. AlertID: %d" % alert.id) url_indicator.short_description = ("URLs from %d" % alert.id) url_indicator.set_producer_identity(PRODUCER_NAME) url_indicator.set_produced_time(utils.dates.now()) url_indicator.indicator_types.append(IndicatorType_1_1.TERM_URL_WATCHLIST) self.url_indicator = url_indicator # Hashs hash_indicator = Indicator() hash_indicator.title = "Malware Artifacts - Files" hash_indicator.description = ("Files derived from sandboxed malware sample. AlertID: %d" % alert.id) hash_indicator.short_description = ("File from %d" % alert.id) hash_indicator.set_producer_identity(PRODUCER_NAME) hash_indicator.set_produced_time(utils.dates.now()) hash_indicator.indicator_types.append(IndicatorType_1_1.TERM_FILE_HASH_WATCHLIST) self.hash_indicator = hash_indicator # Registry reg_indicator = Indicator() reg_indicator.title = "Malware Artifacts - Registry entries" reg_indicator.description = ("File hashes derived from sandboxed malware sample. AlertID: %d" % alert.id) reg_indicator.short_description = ("Registry entries from %d" % alert.id) reg_indicator.set_producer_identity(PRODUCER_NAME) reg_indicator.set_produced_time(utils.dates.now()) reg_indicator.indicator_types.append(IndicatorType_1_1.TERM_MALWARE_ARTIFACTS) self.reg_indicator = reg_indicator # email_indicator email_indicator = Indicator() email_indicator.title = "Malware Artifacts - Malicious " email_indicator.description = ("Email headers. AlertID: %d" % alert.id) email_indicator.short_description = ("Email headers from %d" % alert.id) email_indicator.set_producer_identity(PRODUCER_NAME) email_indicator.set_produced_time(utils.dates.now()) email_indicator.indicator_types.append(IndicatorType_1_1.TERM_MALICIOUS_EMAIL ) self.email_indicator = email_indicator # Create a STIX Package self.stix_package = STIXPackage() # Create the STIX Header and add a description. stix_header = STIXHeader({"Indicators - Malware Artifacts"}) stix_header.description = "FireEye Sample ID %d" % alert.id self.stix_package.stix_header = stix_header
def genObject_Indicator(data): from stix.indicator import Indicator try: sTitle = "phishTank.com id:" + data[ 'phish_id'] + " with malicious URL:" + data['url'] sTitle = sTitle[:70] + "..." except: sTitle = "phishTank.com id:" + data[ 'phish_id'] + " with malicious URL:--[URL Not Displayed - Due to encoding issue]--" # try: # sDscrpt = "This URL:[" + escape(unicode(srcDict[item]['url'])) + "] was identified by phishtank.com as part of a phishing email" # except: # sDscrpt = "This URL:--[URL Not Displayed - Due to encoding issue]-- was identified by phishtank.com as part of a phishing email" sDscrpt = "This URL:[" + escape( data['url'] ) + "] was identified by phishtank.com as part of a phishing email" if data['target'] and not data['target'] == 'Other': sDscrpt += " which appears to be targeting " + data['target'] else: sDscrpt += "." if data['online'] == 'yes': sDscrpt += " This URL appears to still be online as of " + data[ 'verification_time'] elif data['online'] == 'no': sDscrpt += " This URL appears to offline as of " + data[ 'verification_time'] sDscrpt += ". More detailed infomation can be found at " + data[ 'phish_detail_url'] objIndicator = Indicator() objIndicator.idref = None objIndicator.title = sTitle objIndicator.description = "<![CDATA[" + sDscrpt + "]]>" objIndicator.short_description = "<![CDATA[" + sTitle + "]]>" if data['verified'] == 'yes': objIndicator.confidence = 'High' else: objIndicator.confidence = 'Low' objIndicator.test_mechanisms = None objIndicator.alternative_id = None objIndicator.composite_indicator_expression = None objIndicator.valid_time_positions = None objIndicator.related_indicators = None # objIndicator.suggested_coas = SuggestedCOAs() # objIndicator.kill_chain_phases = KillChainPhasesReference() # objIndicator.likely_impact = None ### Used/Defined Outside this funtion # objIndicator.indicator_types = ["URL Watchlist"] # objIndicator.observable_composition_operator = "OR" # objIndicator.producer = None # objIndicator.observables = obsList # objIndicator.handling = objMarking # objIndicator.sightings = None # objIndicator.set_received_time return (objIndicator)
def create_stix_file(): # List of indicators to be deduped hostnames = [] ips = [] urls = [] md5s = [] sha1s = [] # Set namespace NAMESPACE = {PRODUCER_URL: PRODUCER_NAME} set_id_namespace(NAMESPACE) # JSON load the POSTed request data try: data_recv = request.data data = json.loads(data_recv) except: return make_response( jsonify({'Error': "Unable to decode json object"}), 400) # Parse the JSON object try: # Get MD5 of sample malware_sample = data['alert']['explanation']['malware-detected'][ 'malware'] count = 0 sample_hash = "" try: for entry in malware_sample: if "md5sum" in malware_sample[count]: sample_hash = malware_sample[count]['md5sum'] count += 1 except: if "md5sum" in malware_sample: sample_hash = malware_sample['md5sum'] # If all else fails if sample_hash == "": sample_hash = "Unknown" # Indicators # Domains domain_indicator = Indicator() domain_indicator.title = "Malware Artifacts - Domain" domain_indicator.type = "Malware Artifacts" domain_indicator.description = ( "Domains derived from sandboxed malware sample. MD5 Hash: " + sample_hash) domain_indicator.short_description = ("Domainss from " + sample_hash) domain_indicator.set_producer_identity(PRODUCER_NAME) domain_indicator.set_produced_time(utils.dates.now()) domain_indicator.indicator_types.append("Domain Watchlist") # IPs ip_indicator = Indicator() ip_indicator.title = "Malware Artifacts - IP" ip_indicator.description = ( "IPs derived from sandboxed malware sample. MD5 Hash: " + sample_hash) ip_indicator.short_description = ("IPs from " + sample_hash) ip_indicator.set_producer_identity(PRODUCER_NAME) ip_indicator.set_produced_time(utils.dates.now()) ip_indicator.indicator_types.append("IP Watchlist") # URLs url_indicator = Indicator() url_indicator.title = "Malware Artifacts - URL" url_indicator.description = ( "URLs derived from sandboxed malware sample. MD5 Hash: " + sample_hash) url_indicator.short_description = ("URLs from " + sample_hash) url_indicator.set_producer_identity(PRODUCER_NAME) url_indicator.set_produced_time(utils.dates.now()) url_indicator.indicator_types.append("URL Watchlist") # Hashs hash_indicator = Indicator() hash_indicator.title = "Malware Artifacts - File Hash" hash_indicator.description = ( "File hashes derived from sandboxed malware sample. MD5 Hash: " + sample_hash) hash_indicator.short_description = ("Hash from " + sample_hash) hash_indicator.set_producer_identity(PRODUCER_NAME) hash_indicator.set_produced_time(utils.dates.now()) hash_indicator.indicator_types.append("File Hash Watchlist") # Create a STIX Package stix_package = STIXPackage() # Create the STIX Header and add a description. stix_header = STIXHeader({"Indicators - Malware Artifacts"}) stix_header.description = PRODUCER_NAME + ": FireEye Sample ID " + str( data['alert']['id']) stix_package.stix_header = stix_header if "network" in data['alert']['explanation']['os-changes']: # Add indicators for network for entry in data['alert']['explanation']['os-changes']['network']: if "hostname" in entry: hostnames.append(entry['hostname']) if "ipaddress" in entry: ips.append(entry['ipaddress']) if "http_request" in entry: domain = re.search('~~Host:\s(.*?)~~', entry['http_request']) url = re.search('^.*\s(.*?)\sHTTP', entry['http_request']) if domain: domain_name = domain.group(1) if url: url_string = url.group(1) urls.append(domain_name + url_string) # Add indicators for files for entry in data['alert']['explanation']['os-changes']['network']: if "md5sum" in entry['processinfo']: filename = re.search('([\w-]+\..*)', entry['processinfo']['imagepath']) if filename: md5s.append((filename.group(1), entry['processinfo']['md5sum'])) if "process" in data['alert']['explanation']['os-changes']: # Add indicators from process for entry in data['alert']['explanation']['os-changes']['process']: if "md5sum" in entry: filename = re.search('([\w-]+\..*)', entry['value']) if filename: md5s.append((filename.group(1), entry['md5sum'])) if "sha1sum" in entry: filename = re.search('([\w-]+\..*)', entry['value']) if filename: sha1s.append((filename.group(1), entry['sha1sum'])) # Dedupe lists for hostname in set(hostnames): hostname_observable = create_domain_name_observable(hostname) domain_indicator.add_observable(hostname_observable) for ip in set(ips): ip_observable = create_ipv4_observable(ip) ip_indicator.add_observable(ip_observable) for url in set(urls): url_observable = create_url_observable(url) url_indicator.add_observable(url_observable) for hash in set(md5s): hash_observable = create_file_hash_observable(hash[0], hash[1]) hash_indicator.add_observable(hash_observable) for hash in set(sha1s): hash_observable = create_file_hash_observable(hash[0], hash[1]) hash_indicator.add_observable(hash_observable) # Add those to the package stix_package.add(domain_indicator) stix_package.add(ip_indicator) stix_package.add(url_indicator) stix_package.add(hash_indicator) # Save to file save_as = SAVE_DIRECTORY + "/fireeye_" + str( data['alert']['id']) + ".xml" f = open(save_as, 'w') f.write(stix_package.to_xml()) f.close # Return success response return make_response( jsonify({'Success': "STIX document succesfully generated"}), 200) # Unable to parse object except: return make_response(jsonify({'Error': "Unable to parse JSON object"}), 400)
def create_stix_file(): # List of indicators to be deduped hostnames = [] ips = [] urls = [] md5s = [] sha1s = [] # Set namespace NAMESPACE = {PRODUCER_URL: PRODUCER_NAME} set_id_namespace(NAMESPACE) # JSON load the POSTed request data try: data_recv = request.data data = json.loads(data_recv) except: return make_response(jsonify({"Error": "Unable to decode json object"}), 400) # Parse the JSON object try: # Get MD5 of sample malware_sample = data["alert"]["explanation"]["malware-detected"]["malware"] count = 0 sample_hash = "" try: for entry in malware_sample: if "md5sum" in malware_sample[count]: sample_hash = malware_sample[count]["md5sum"] count += 1 except: if "md5sum" in malware_sample: sample_hash = malware_sample["md5sum"] # If all else fails if sample_hash == "": sample_hash = "Unknown" # Indicators # Domains domain_indicator = Indicator() domain_indicator.title = "Malware Artifacts - Domain" domain_indicator.type = "Malware Artifacts" domain_indicator.description = "Domains derived from sandboxed malware sample. MD5 Hash: " + sample_hash domain_indicator.short_description = "Domainss from " + sample_hash domain_indicator.set_producer_identity(PRODUCER_NAME) domain_indicator.set_produced_time(utils.dates.now()) domain_indicator.indicator_types.append("Domain Watchlist") # IPs ip_indicator = Indicator() ip_indicator.title = "Malware Artifacts - IP" ip_indicator.description = "IPs derived from sandboxed malware sample. MD5 Hash: " + sample_hash ip_indicator.short_description = "IPs from " + sample_hash ip_indicator.set_producer_identity(PRODUCER_NAME) ip_indicator.set_produced_time(utils.dates.now()) ip_indicator.indicator_types.append("IP Watchlist") # URLs url_indicator = Indicator() url_indicator.title = "Malware Artifacts - URL" url_indicator.description = "URLs derived from sandboxed malware sample. MD5 Hash: " + sample_hash url_indicator.short_description = "URLs from " + sample_hash url_indicator.set_producer_identity(PRODUCER_NAME) url_indicator.set_produced_time(utils.dates.now()) url_indicator.indicator_types.append("URL Watchlist") # Hashs hash_indicator = Indicator() hash_indicator.title = "Malware Artifacts - File Hash" hash_indicator.description = "File hashes derived from sandboxed malware sample. MD5 Hash: " + sample_hash hash_indicator.short_description = "Hash from " + sample_hash hash_indicator.set_producer_identity(PRODUCER_NAME) hash_indicator.set_produced_time(utils.dates.now()) hash_indicator.indicator_types.append("File Hash Watchlist") # Create a STIX Package stix_package = STIXPackage() # Create the STIX Header and add a description. stix_header = STIXHeader({"Indicators - Malware Artifacts"}) stix_header.description = PRODUCER_NAME + ": FireEye Sample ID " + str(data["alert"]["id"]) stix_package.stix_header = stix_header if "network" in data["alert"]["explanation"]["os-changes"]: # Add indicators for network for entry in data["alert"]["explanation"]["os-changes"]["network"]: if "hostname" in entry: hostnames.append(entry["hostname"]) if "ipaddress" in entry: ips.append(entry["ipaddress"]) if "http_request" in entry: domain = re.search("~~Host:\s(.*?)~~", entry["http_request"]) url = re.search("^.*\s(.*?)\sHTTP", entry["http_request"]) if domain: domain_name = domain.group(1) if url: url_string = url.group(1) urls.append(domain_name + url_string) # Add indicators for files for entry in data["alert"]["explanation"]["os-changes"]["network"]: if "md5sum" in entry["processinfo"]: filename = re.search("([\w-]+\..*)", entry["processinfo"]["imagepath"]) if filename: md5s.append((filename.group(1), entry["processinfo"]["md5sum"])) if "process" in data["alert"]["explanation"]["os-changes"]: # Add indicators from process for entry in data["alert"]["explanation"]["os-changes"]["process"]: if "md5sum" in entry: filename = re.search("([\w-]+\..*)", entry["value"]) if filename: md5s.append((filename.group(1), entry["md5sum"])) if "sha1sum" in entry: filename = re.search("([\w-]+\..*)", entry["value"]) if filename: sha1s.append((filename.group(1), entry["sha1sum"])) # Dedupe lists for hostname in set(hostnames): hostname_observable = create_domain_name_observable(hostname) domain_indicator.add_observable(hostname_observable) for ip in set(ips): ip_observable = create_ipv4_observable(ip) ip_indicator.add_observable(ip_observable) for url in set(urls): url_observable = create_url_observable(url) url_indicator.add_observable(url_observable) for hash in set(md5s): hash_observable = create_file_hash_observable(hash[0], hash[1]) hash_indicator.add_observable(hash_observable) for hash in set(sha1s): hash_observable = create_file_hash_observable(hash[0], hash[1]) hash_indicator.add_observable(hash_observable) # Add those to the package stix_package.add(domain_indicator) stix_package.add(ip_indicator) stix_package.add(url_indicator) stix_package.add(hash_indicator) # Save to file save_as = SAVE_DIRECTORY + "/fireeye_" + str(data["alert"]["id"]) + ".xml" f = open(save_as, "w") f.write(stix_package.to_xml()) f.close # Return success response return make_response(jsonify({"Success": "STIX document succesfully generated"}), 200) # Unable to parse object except: return make_response(jsonify({"Error": "Unable to parse JSON object"}), 400)