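def main():
    """Convert the STIX 2 bundle in ``out.json`` into a STIX 1 package and print it as XML.

    Only indicators whose pattern is a single ``ipv4-addr`` or ``url``
    equality comparison are converted. Any other indicator is reported and
    skipped, so an unsupported indicator can never be linked to the
    observable that belongs to the previous one (the original fell through
    with a stale ``obs`` in that case).
    """
    NAMESPACE = {"https://www.ncsc.gov.uk/": "ncscuk"}
    idgen.set_id_namespace(NAMESPACE)
    pkg = STIXPackage()
    bundle = file_to_obj('out.json')
    if bundle.type == 'bundle':
        for _dict in bundle.objects:
            # `stix2_obj` rather than `object`, which shadows the builtin.
            stix2_obj = dict_to_obj(_dict)
            if stix2_obj.type != 'indicator':
                continue
            id_str = stix2_obj.id.replace('--', '-')
            print(id_str)
            # STIX 2 patterns are bracketed, e.g. "[url:value = 'http://x']";
            # tolerate both the bracketed and the bare form.
            pattern = stix2_obj.pattern.strip().strip('[]')
            pattern_type = pattern.split(':')[0]
            parts = pattern.split(' = ')
            if len(parts) < 2:
                print("skipping %s: unsupported pattern %r" % (id_str, pattern))
                continue
            _value = parts[1].replace("'", '')
            if pattern_type == 'ipv4-addr':
                obs = Observable(Address(address_value=_value, category=Address.CAT_IPV4))
            elif pattern_type == 'url':
                obs = Observable(URI(value=_value, type_=URI.TYPE_URL))
            else:
                print("skipping %s: unsupported pattern type %r" % (id_str, pattern_type))
                continue
            pkg.add_observable(obs)
            # The indicator carries only a reference to the package-level observable.
            obs_ref = Observable()
            obs_ref.id_ = None
            obs_ref.idref = obs.id_
            ind = Indicator()
            ind.add_observable(obs_ref)
            pkg.add_indicator(ind)
    print(pkg.to_xml())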
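def cvebuild(var):
    """Search for a CVE ID and return a STIX formatted response.

    Args:
        var: CVE identifier handed straight to ``CVESearch().id``.

    Returns:
        The STIX package serialised by ``pkg.to_xml()``, or ``None`` when the
        search returned no data (the original reached ``return xml`` with
        ``xml`` unbound in that case). When the module runs as a script the
        XML is also written to ``<package id>.xml`` in the working directory.
    """
    cve = CVESearch()
    data = json.loads(cve.id(var))
    if not data:
        return None
    try:
        from stix.utils import set_id_namespace
        set_id_namespace({NS: NS_PREFIX})
    except ImportError:
        # Newer python-stix routes namespace handling through mixbox.
        from stix.utils import idgen
        from mixbox.namespaces import Namespace
        idgen.set_id_namespace(Namespace(NS, NS_PREFIX, ""))
    # The original built the package and header twice; once is enough.
    pkg = STIXPackage()
    pkg.stix_header = STIXHeader()
    pkg.stix_header.handling = marking()
    # Define the exploit target and attach the vulnerability.
    expt = ExploitTarget()
    expt.title = data['id']
    expt.description = data['summary']
    expt.add_vulnerability(vulnbuild(data))
    # CAPEC entries become TTPs that reference the exploit target; the key is
    # absent when the CVE has no CAPEC mapping, so default to no entries.
    for capec in data.get('capec') or []:
        ttp = TTP()
        ttp.title = "CAPEC-" + str(capec['id'])
        ttp.description = capec.get('summary')
        ttp.exploit_targets.append(ExploitTarget(idref=expt.id_))
        pkg.add_ttp(ttp)
    # Weakness: a missing 'cwe' key is treated the same as 'Unknown'.
    cwe = data.get('cwe', 'Unknown')
    if cwe != 'Unknown':
        weak = Weakness()
        weak.cwe_id = cwe
        expt.add_weakness(weak)
    pkg.add_exploit_target(expt)
    xml = pkg.to_xml()
    # If the function is not imported then output the xml to a file.
    if __name__ == '__main__':
        title = pkg.id_.split(':', 1)[-1]
        with open(title + ".xml", "w") as text_file:
            text_file.write(xml)
    return xml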
def _custom_namespace(url, alias):
    """Register ``url``/``alias`` as the namespace used for generated STIX ids.

    Older python-stix exposes ``stix.utils.set_id_namespace`` taking a dict;
    newer releases expect a mixbox ``Namespace`` passed through ``idgen``.
    The second form is used only when the first import fails.
    """
    try:
        from stix.utils import set_id_namespace
    except ImportError:
        set_id_namespace = None
    if set_id_namespace is not None:
        set_id_namespace({url: alias})
        return
    from mixbox.namespaces import Namespace
    from stix.utils import idgen
    idgen.set_id_namespace(Namespace(url, alias, ""))
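def __init__(self, args):
    """Create the MISP event, configure the STIX id namespace and build the dispatch table.

    Args:
        args: command-line arguments. ``args[3]``, when present, overrides the
            namespace URL and ``args[4]`` the namespace alias; both are written
            into the module-level ``namespace`` list.
    """
    self.misp_event = pymisp.MISPEvent()
    self.args = args
    if len(args) > 3:
        namespace[0] = args[3]
    if len(args) > 4:
        # The alias ends up as an XML namespace prefix, so keep word characters only.
        # Raw string: '[\W]' in a plain literal is an invalid escape on Python 3.12+.
        ns = args[4].replace(" ", "_")
        namespace[1] = re.sub(r'[\W]+', '', ns)
    if not namespace[0]:
        namespace[0] = 'https://www.misp-project.org'
    try:
        idgen.set_id_namespace({namespace[0]: namespace[1]})
    except ValueError:
        # Newer python-stix/mixbox want a Namespace object; some versions
        # additionally require the third (schema location) argument.
        try:
            idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
        except TypeError:
            idgen.set_id_namespace(Namespace(namespace[0], namespace[1], "MISP"))
    self.namespace_prefix = idgen.get_id_namespace_alias()
    # Map each simple MISP attribute type to the method that turns it into an observable.
    self.simple_type_to_method = {
        "port": self.generate_port_observable,
        "domain|ip": self.generate_domain_ip_observable,
    }
    type_groups = [
        (hash_type_attributes["single"] + hash_type_attributes["composite"]
         + ["filename"] + ["attachment"], self.resolve_file_observable),
        (["ip-src", "ip-dst", "ip-src|port", "ip-dst|port"], self.generate_ip_observable),
        (["regkey", "regkey|value"], self.generate_regkey_observable),
        (["hostname", "domain", "url", "AS", "mutex", "named pipe", "link"],
         self.generate_simple_observable),
        (["email-src", "email-dst", "email-subject"], self.resolve_email_observable),
        (["http-method", "user-agent"], self.resolve_http_observable),
        (["pattern-in-file", "pattern-in-traffic", "pattern-in-memory"],
         self.resolve_pattern_observable),
    ]
    for types, method in type_groups:
        self.simple_type_to_method.update(dict.fromkeys(types, method))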
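def main(args):
    """Print the opening of a STIX package that wraps a MISP export.

    Args:
        args: ``[script, base_url, org_name, format]``. ``base_url`` defaults
            to ``https://www.misp-project.org`` when empty; ``org_name`` is
            reduced to word characters and used as the namespace alias;
            ``format`` selects ``json`` (trailing ``}`` removed and a
            ``related_packages`` list opened) or XML (closing tag removed).

    Side effects:
        Registers the namespace in the module-level ``NS_DICT`` and with
        ``idgen``; exits the process when fewer than four arguments are given.
    """
    if len(args) < 4:
        sys.exit("Invalid parameters")
    baseURL = args[1] or 'https://www.misp-project.org'
    orgname = args[2]
    # The alias becomes an XML namespace prefix, so keep word characters only.
    # Raw string: '[\W]' in a plain literal is an invalid escape on Python 3.12+.
    alias = re.sub(r'[\W]+', '', orgname.replace(" ", "_"))
    namespace = [baseURL, alias]
    NS_DICT[namespace[0]] = namespace[1]
    try:
        idgen.set_id_namespace({baseURL: namespace[1]})
    except ValueError:
        # Some weird stix error that sometimes occurs if the stars
        # align and Mixbox is being mean to us
        # Glory to STIX, peace and good xmlns be upon it
        try:
            idgen.set_id_namespace(Namespace(baseURL, namespace[1]))
        except TypeError:
            # Ok this only occurs if the script is being run under py3
            # and if we're running a REALLY weird version of stix
            # May as well catch it
            idgen.set_id_namespace(Namespace(baseURL, namespace[1], "MISP"))
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Export from {} MISP".format(orgname)
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header
    stix_package.version = "1.1.1"
    # NOTE(review): naive local time; STIX timestamps are usually tz-aware — confirm.
    stix_package.timestamp = datetime.datetime.now()
    if args[3] == 'json':
        # Drop the closing brace so related packages can be appended by the caller.
        stix_string = stix_package.to_json()[:-1]
        stix_string += ', "related_packages": ['
    else:
        stix_string = stix_package.to_xml(auto_namespace=False, ns_dict=NS_DICT,
                                          schemaloc_dict=SCHEMALOC_DICT)
        stix_string = stix_string.decode()
        # Leave the package open so the caller can append more content.
        stix_string = stix_string.replace("</stix:STIX_Package>\n", "")
    print(stix_string)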
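def main(args):
    """Load a MISP event, convert it to a STIX package, save it and report success.

    Args:
        args: passed through to ``loadEvent`` and ``saveFile``. The namespace
            override is read from ``sys.argv[3]`` (URL) and ``sys.argv[4]``
            (alias) and stored in the module-level ``namespace`` list.
            NOTE(review): whether ``args`` is ``sys.argv`` is not visible
            here — confirm before unifying the two.

    Side effects:
        Registers the namespace with ``idgen``, writes the package via
        ``saveFile`` and prints a JSON status line.
    """
    pathname = os.path.dirname(sys.argv[0])
    if len(sys.argv) > 3:
        namespace[0] = sys.argv[3]
    if len(sys.argv) > 4:
        # The alias becomes an XML namespace prefix, so keep word characters only.
        # Raw string: '[\W]' in a plain literal is an invalid escape on Python 3.12+.
        namespace[1] = re.sub(r'[\W]+', '', sys.argv[4].replace(" ", "_"))
    try:
        idgen.set_id_namespace({namespace[0]: namespace[1]})
    except ValueError:
        # Newer python-stix/mixbox want a Namespace object; some versions
        # additionally require the third argument.
        try:
            idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
        except TypeError:
            idgen.set_id_namespace(Namespace(namespace[0], namespace[1], "MISP"))
    event = loadEvent(args, pathname)
    stix_package = generateEventPackage(event)
    saveFile(args, pathname, stix_package)
    print(json.dumps({'success': 1, 'message': ''}))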