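def to_attack_pattern(r):
    """Build a STIX 2 ``AttackPattern`` from one alert record.

    Args:
        r: mapping with at least ``alert_msg``, ``src_ip`` and ``dest_ip``.
           ``src_ip`` is either one address string or a list of addresses.

    Returns:
        A ``stix2.AttackPattern`` named after the alert message, whose
        description names the source address(es) and the destination.
    """
    uid = str(uuid.uuid4())
    # A freshly built object has never been modified, so both stamps agree.
    created = datetime.now()
    modified = created

    src = r["src_ip"]
    # Several sources are rendered space-separated. isinstance() also
    # accepts list subclasses, which the former type() == list test rejected.
    if isinstance(src, list):
        src = " ".join(src)
    name = r["alert_msg"]
    desc = "attack from " + src + " to " + r["dest_ip"]

    return stix2.AttackPattern(
        id="attack-pattern--" + uid,
        created=created,
        modified=modified,
        name=name,
        description=desc,
    )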
def test_attack_pattern_invalid_labels():
    """``labels`` must be a list of strings; an integer is rejected at construction."""
    bad_kwargs = dict(
        id="attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
        created="2016-05-12T08:17:27Z",
        modified="2016-05-12T08:17:27Z",
        name="Spear Phishing",
        labels=1,
    )
    with pytest.raises(stix2.exceptions.InvalidValueError):
        stix2.AttackPattern(**bad_kwargs)
def test_attack_pattern_example():
    """Serialising the spec example Attack Pattern yields the EXPECTED text."""
    capec_ref = {"source_name": "capec", "id": "CAPEC-163"}
    ap = stix2.AttackPattern(
        id="attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
        created="2016-05-12T08:17:27.000Z",
        modified="2016-05-12T08:17:27.000Z",
        name="Spear Phishing",
        external_references=[capec_ref],
        description="...",
    )
    assert str(ap) == EXPECTED
# Malware and attack pattern attributed to the example threat actor.
malware = stix2.Malware(
    id="malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4",
    created="2015-04-23T11:12:34.760Z",
    modified="2015-04-23T11:12:34.760Z",
    name="Poison Ivy Variant d1c6",
    labels=["remote-access-trojan"],
    kill_chain_phases=[init_comp],
)

ref = stix2.ExternalReference(
    source_name="capec",
    description="phishing",
    url="https://capec.mitre.org/data/definitions/98.html",
    external_id="CAPEC-98",
)

attack_pattern = stix2.AttackPattern(
    id="attack-pattern--8ac90ff3-ecf8-4835-95b8-6aea6a623df5",
    created="2015-05-07T14:22:14.760Z",
    modified="2015-05-07T14:22:14.760Z",
    name="Phishing",
    description="Spear phishing used as a delivery mechanism for malware.",
    kill_chain_phases=[init_comp],
    external_references=[ref],
)

# (source, relationship type, target) for the three edges of the graph.
relationship1, relationship2, relationship3 = [
    stix2.Relationship(src, rel_type, dst)
    for src, rel_type, dst in (
        (threat_actor, "uses", malware),
        (threat_actor, "uses", attack_pattern),
        (threat_actor, "attributed-to", identity),
    )
]

bundle = stix2.Bundle(
    objects=[
        threat_actor,
        malware,
        attack_pattern,
        identity,
        relationship1,
        relationship2,
        relationship3,
    ]
)
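def _record_fields(record):
    """Return (prediction, source_host, source_port, destination_port, protocol) as text.

    Column positions follow the report header: the prediction sits at index 1,
    the source host at 5, the ports at 3 and 4 (stored float-like, hence
    ``int(float(...))``) and the protocol at 8 as a 1-based index into
    ``settings.protocols_list``.
    """
    return (
        str(record[1]),
        str(record[5]),
        str(int(float(record[3]))),
        str(int(float(record[4]))),
        settings.protocols_list[int(record[8]) - 1],
    )


def _indicator_pattern(source_host, source_port, destination_port, protocol):
    """Build the STIX pattern for traffic from *source_host*:*source_port* to *destination_port* over *protocol*.

    NOTE(review): the values are interpolated verbatim; a quote character in
    *source_host* or *protocol* would yield a malformed pattern. They come
    from the traffic table, so validate them there if that table can be fed
    from outside.
    """
    return (
        "[network-traffic:src_ref.type = 'ipv4-addr' AND "
        "network-traffic:src_ref.value = '" + source_host + "' AND "
        "network-traffic:src_port = " + source_port + " AND "
        "network-traffic:dst_port = " + destination_port + " AND "
        "network-traffic:protocols[*] = '" + protocol + "']"
    )


def generate_report():
    """Turn classified traffic records into a CTI text report and a STIX bundle.

    Reads every record of ``settings.traffic_table_name`` (prediction column
    ``settings.prediction_column_name``), creates one ``AttackPattern`` per
    distinct predicted class, and for every record whose prediction is not
    ``settings.unknown_class_value`` emits an ``Indicator`` plus an
    ``indicates`` relationship to its attack pattern. Two files are written
    under ``raporlar/``: ``<stamp>.txt`` (header line, then one numbered line
    per intelligence item) and ``<stamp>.json`` (the serialized bundle).

    Returns:
        The timestamp-derived base name (no extension) of the files written.

    Raises:
        FileExistsError: the files are opened with mode ``"x"``, so a second
            report in the same microsecond would collide.
    """
    records = get_all_records(settings.traffic_table_name,
                              settings.prediction_column_name)
    unique_records = unique_lists_from_multidimensional_array(records)

    identity = stiv.Identity(
        name="Veri Madenciligi Temelli Siber Tehdit Istihbarati Tez Calismasi Onerilen Sistemin Uygulamasi - Suleyman Muhammed ARIKAN",
        identity_class="individual")
    sti_list = [identity]

    # One attack pattern per distinct predicted class. Set iteration order is
    # arbitrary, so the bundle order of these objects may vary between runs.
    attack_patterns = []
    for attack in set(record[1] for record in unique_records):
        attack_pattern = stiv.AttackPattern(name=attack, created_by_ref=identity.id)
        attack_patterns.append(attack_pattern)
        sti_list.append(attack_pattern)

    cti_lines = [
        "intelligence_id-prediction-source_host-source_port-destination_port-protocol\n"
    ]
    istihbarat_no = 0
    for record in records:
        # Unclassified traffic produces no intelligence item; skip before
        # parsing the other columns, as the original did.
        if str(record[1]) == settings.unknown_class_value:
            continue
        prediction, source_host, source_port, destination_port, protocol = _record_fields(record)
        istihbarat_no += 1
        cti_lines.append(
            "-".join((prediction, source_host, source_port, destination_port, protocol)) + "\n")
        indicator = stiv.Indicator(
            name=str(istihbarat_no) + " numaralı istihbarat - " + source_host,
            labels=["malicious-activity"],
            pattern=_indicator_pattern(source_host, source_port, destination_port, protocol),
            created_by_ref=identity.id)
        sti_list.append(indicator)
        attack_pattern = get_attack_pattern(attack_patterns, prediction)
        sti_list.append(stiv.Relationship(relationship_type='indicates',
                                          source_ref=indicator.id,
                                          target_ref=attack_pattern.id))

    stiv_bundle = stiv.Bundle(sti_list)
    file_name = datetime.datetime.now().strftime("%Y-%m-%d-%H-%M-%S-%f")
    base_path = "raporlar/" + file_name

    # "x" refuses to overwrite an existing report; `with` closes the handle
    # even if a write fails (the original leaked it on error).
    with open(base_path + ".txt", "x") as fo:
        for line_no, cti in enumerate(cti_lines):
            # Line 0 is the header; every later line is prefixed with its id.
            if line_no != 0:
                cti = str(line_no) + "-" + cti
            fo.write(cti)
    with open(base_path + ".json", "x") as fo_stiv:
        fo_stiv.write(stiv_bundle.serialize())
    return file_name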
def attack_pattern_maker(**kwargs):
    """Create a ``stix2.AttackPattern`` from *kwargs* and hand it to ``itemtofile``.

    Returns a ``(flag, attack_pattern)`` pair, *flag* being whatever
    ``itemtofile`` reports for the write.
    """
    pattern = stix2.AttackPattern(**kwargs)
    return itemtofile(pattern), pattern
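def _collect_ids(ids, candidates):
    """Append each value of *candidates* to *ids* unless it is already present.

    *ids* stays duplicate-free in first-seen order; it is later passed to
    ``filter(id__in=...)``, where duplicates would only be wasted work.
    """
    for candidate in candidates:
        if candidate not in ids:
            ids.append(candidate)


def _label_values(obj):
    """Return the ``value`` of every label attached to *obj*, as strings."""
    return [str(label.value) for label in obj.labels.all()]


def stix_bundle(objs, rel=True, sight=True):
    """Export *objs* and the relationships/sightings around them as a ``stix2.Bundle``.

    Args:
        objs: model instances exposing ``object_id`` (a ``STIXObjectID`` row),
            ``object_type`` and ``id``.
        rel: when true, every ``Relationship`` whose source or target is one
            of *objs* is included, together with the object at its other end.
        sight: when true, every ``Sighting`` that is of, or was seen at, one
            of *objs* is included, together with the sighted object.

    Returns:
        A ``stix2.Bundle`` with one STIX object per collected id. Ids whose
        ``object_type`` is not handled below are silently dropped.
    """
    ids = []
    for o in objs:
        _collect_ids(ids, [o.object_id.id])
        if o.object_type.name == "report":
            # A report brings along everything it references. The original
            # tested `if i in ids` here and so only ever appended duplicates.
            report = Report.objects.get(id=o.id)
            _collect_ids(ids, report.object_refs.all().values_list("id", flat=True))
        if rel:
            rels = Relationship.objects.filter(
                Q(source_ref=o.object_id) | Q(target_ref=o.object_id)
            )
            # The relationship itself, then both of its endpoints.
            for field in ("object_id", "source_ref", "target_ref"):
                _collect_ids(ids, rels.values_list(field, flat=True))
        if sight:
            sights = Sighting.objects.filter(
                Q(where_sighted_refs=o.object_id) | Q(sighting_of_ref=o.object_id)
            )
            # The sighting itself, then the object it is a sighting of. The
            # original did `ids += i` here, which extends the list with the
            # characters of a string id instead of appending the id.
            for field in ("object_id", "sighting_of_ref"):
                _collect_ids(ids, sights.values_list(field, flat=True))

    objects = ()
    for oid in STIXObjectID.objects.filter(id__in=ids):
        obj = myforms.get_obj_from_id(oid)
        kind = obj.object_type.name
        # Fields shared by every exported object.
        base = dict(id=obj.object_id.object_id, created=obj.created, modified=obj.modified)
        if kind == 'identity':
            objects += (stix2.Identity(
                name=obj.name,
                identity_class=obj.identity_class,
                description=obj.description,
                # NOTE(review): labels are exported under ``sectors``; the
                # direct ``obj.sectors`` mapping stays commented out as in the
                # original — confirm which one is intended.
                #sectors=[str(s.value) for s in obj.sectors.all()],
                sectors=_label_values(obj),
                **base
            ), )
        elif kind == 'attack-pattern':
            objects += (stix2.AttackPattern(
                name=obj.name,
                description=obj.description,
                **base
            ), )
        elif kind == 'malware':
            objects += (stix2.Malware(
                name=obj.name,
                description=obj.description,
                labels=_label_values(obj),
                **base
            ), )
        elif kind == 'indicator':
            objects += (stix2.Indicator(
                name=obj.name,
                description=obj.description,
                labels=_label_values(obj),
                # NOTE(review): ``pattern`` is passed as a list of strings;
                # stix2's Indicator.pattern is a single string — confirm this
                # validates with the stix2 version in use.
                pattern=[str(p.value) for p in obj.pattern.all()],
                **base
            ), )
        elif kind == 'threat-actor':
            objects += (stix2.ThreatActor(
                name=obj.name,
                description=obj.description,
                labels=_label_values(obj),
                aliases=[str(a.name) for a in obj.aliases.all()],
                **base
            ), )
        elif kind == 'relationship':
            objects += (stix2.Relationship(
                relationship_type=obj.relationship_type.name,
                description=obj.description,
                source_ref=obj.source_ref.object_id,
                target_ref=obj.target_ref.object_id,
                **base
            ), )
        elif kind == 'sighting':
            objects += (stix2.Sighting(
                sighting_of_ref=obj.sighting_of_ref.object_id,
                where_sighted_refs=[
                    str(w.object_id) for w in obj.where_sighted_refs.all()
                ],
                first_seen=obj.first_seen,
                last_seen=obj.last_seen,
                **base
            ), )
        elif kind == 'report':
            objects += (stix2.Report(
                labels=_label_values(obj),
                name=obj.name,
                description=obj.description,
                published=obj.published,
                object_refs=[str(ref.object_id) for ref in obj.object_refs.all()],
                **base
            ), )

    return stix2.Bundle(*objects)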
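def addAttackPattern():
    """Return a new "Compromised Account" ``stix2.AttackPattern`` stamped with the current time.

    ``created`` and ``modified`` come from a single ``datetime.now()`` call,
    so a freshly created object never reports a ``modified`` time later than
    its ``created`` time (the original sampled the clock twice).
    """
    now = str(datetime.now())
    return stix2.AttackPattern(created=now, modified=now, name="Compromised Account")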
created_by_ref=IDENTITY_ID) TOOL_KWARGS = dict(type='tool', id=TOOL_ID, labels=["remote-access"], name="VNC", created_by_ref=IDENTITY_ID, interoperability=True) VULNERABILITY_KWARGS = dict(type='vulnerability', id=VULNERABILITY_ID, name="Heartbleed", created_by_ref=IDENTITY_ID) if __name__ == '__main__': attack_pattern = stix2.AttackPattern(**ATTACK_PATTERN_KWARGS, interoperability=True) campaign = stix2.Campaign(**CAMPAIGN_KWARGS, interoperability=True) course_of_action = stix2.CourseOfAction(**COURSE_OF_ACTION_KWARGS, interoperability=True) identity = stix2.Identity(**IDENTITY_KWARGS, interoperability=True) indicator = stix2.Indicator(**INDICATOR_KWARGS, interoperability=True) intrusion_set = stix2.IntrusionSet(**INTRUSION_SET_KWARGS, interoperability=True) malware = stix2.Malware(**MALWARE_KWARGS, interoperability=True) marking_definition = stix2.MarkingDefinition(**MARKING_DEFINITION_KWARGS, interoperability=True) observed_data = stix2.ObservedData(**OBSERVED_DATA_KWARGS, interoperability=True) relationship = stix2.Relationship(**RELATIONSHIP_KWARGS, interoperability=True) sighting = stix2.Sighting(**SIGHTING_KWARGS, interoperability=True)
ref_capec1 = stix2.ExternalReference( source_name="capec", url="https://capec.mitre.org/data/definitions/148.html", external_id="CAPEC-148" ) ref_capec2 = stix2.ExternalReference( source_name="capec", url="https://capec.mitre.org/data/definitions/488.html", external_id="CAPEC-488" ) attack_pattern1 = stix2.AttackPattern( id="attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a", created="2016-08-08T15:50:10.983Z", modified="2017-01-30T21:15:04.127Z", name="Content Spoofing", external_references=[ref_capec1] ) attack_pattern2 = stix2.AttackPattern( id="attack-pattern--f6050ea6-a9a3-4524-93ed-c27858d6cb3c", created="2016-08-08T15:50:10.983Z", modified="2017-01-30T21:15:04.127Z", name="HTTP Flood", external_references=[ref_capec2] ) campaign1 = stix2.Campaign( id="campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e", created="2016-08-08T15:50:10.983Z",
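def stix_bundle(rep):
    """Export the report *rep* and every object it references as a ``stix2.Bundle``.

    Args:
        rep: a report model instance exposing ``object_refs``, ``labels``,
            ``object_id``, ``name``, ``description``, ``published``,
            ``created`` and ``modified``.

    Returns:
        A ``stix2.Bundle`` holding the referenced objects (identity,
        attack-pattern, malware, threat-actor, relationship and sighting are
        handled; other types are skipped) followed by the report itself.
    """
    objects = ()
    for ref in rep.object_refs.all():
        obj = myforms.get_obj_from_id(ref)
        kind = obj.object_type.name
        # Fields shared by every exported object.
        base = dict(id=obj.object_id.object_id, created=obj.created, modified=obj.modified)
        if kind == 'identity':
            objects += (stix2.Identity(
                name=obj.name,
                identity_class=obj.identity_class,
                description=obj.description,
                # NOTE(review): labels are exported under ``sectors``; the
                # direct ``obj.sectors`` mapping stays commented out as in the
                # original — confirm which one is intended.
                #sectors=[str(s.value) for s in obj.sectors.all()],
                sectors=[str(l.value) for l in obj.labels.all()],
                **base
            ), )
        elif kind == 'attack-pattern':
            objects += (stix2.AttackPattern(
                name=obj.name,
                description=obj.description,
                **base
            ), )
        elif kind == 'malware':
            objects += (stix2.Malware(
                name=obj.name,
                description=obj.description,
                labels=[str(l.value) for l in obj.labels.all()],
                **base
            ), )
        elif kind == 'threat-actor':
            objects += (stix2.ThreatActor(
                name=obj.name,
                description=obj.description,
                labels=[str(l.value) for l in obj.labels.all()],
                aliases=[str(a.name) for a in obj.aliases.all()],
                **base
            ), )
        elif kind == 'relationship':
            objects += (stix2.Relationship(
                relationship_type=obj.relationship_type.name,
                description=obj.description,
                source_ref=obj.source_ref.object_id,
                target_ref=obj.target_ref.object_id,
                **base
            ), )
        elif kind == 'sighting':
            objects += (stix2.Sighting(
                sighting_of_ref=obj.sighting_of_ref.object_id,
                where_sighted_refs=[
                    str(w.object_id) for w in obj.where_sighted_refs.all()
                ],
                first_seen=obj.first_seen,
                last_seen=obj.last_seen,
                **base
            ), )

    # The report's own timestamps. The original took ``created``/``modified``
    # from the last referenced object, and failed with NameError when the
    # report referenced nothing at all.
    report = stix2.Report(
        id=rep.object_id.object_id,
        labels=[str(l.value) for l in rep.labels.all()],
        name=rep.name,
        description=rep.description,
        published=rep.published,
        object_refs=[str(r.object_id) for r in rep.object_refs.all()],
        created=rep.created,
        modified=rep.modified,
    )
    objects += (report, )
    return stix2.Bundle(*objects)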
def stix_bundle(objs, mask=True):
    """Export *objs* as a ``stix2.Bundle``, redacting sensitive fields when *mask* is set.

    With ``mask=True`` (the default): every ``description`` is emitted empty,
    an identity's ``name`` is replaced by its STIX id, or by
    ``"<db pk>-<first label alias or value>"`` when it has labels, an
    indicator's ``pattern`` becomes ``"[]"``, and observed-data ``objects``
    is left empty. With ``mask=False`` the stored values are exported as-is.

    Args:
        objs: model instances exposing ``object_id`` (whose ``.object_id`` is
            the STIX id string), ``object_type``, ``created`` and
            ``modified``, plus the type-specific fields read below.
        mask: redact as described above.

    Returns:
        A ``stix2.Bundle`` with one object per handled ``object_type``;
        rows of any other type are skipped silently.
    """
    objects = ()
    for obj in objs:
        oid = obj.object_id.object_id
        # Free-text descriptions only leave the system when unmasked.
        dscr = ""
        if not mask and hasattr(obj, "description"):
            dscr = obj.description
        if obj.object_type.name == 'attack-pattern':
            a = stix2.AttackPattern(
                id=oid,
                name=obj.name,
                description=dscr,
                created=obj.created,
                modified=obj.modified,
                kill_chain_phases=stix2killchain(obj),
            )
            objects += (a, )
        elif obj.object_type.name == 'campaign':
            c = stix2.Campaign(
                id=oid,
                name=obj.name,
                description=dscr,
                aliases=[str(a.name) for a in obj.aliases.all()],
                created=obj.created,
                modified=obj.modified,
                first_seen=obj.first_seen,
                last_seen=obj.last_seen,
            )
            objects += (c, )
        elif obj.object_type.name == 'course-of-action':
            c = stix2.CourseOfAction(
                id=oid,
                name=obj.name,
                description=dscr,
                created=obj.created,
                modified=obj.modified,
            )
            objects += (c, )
        elif obj.object_type.name == 'identity':
            name = obj.name
            if mask:
                # Masked identities are named by id rather than real name.
                name = oid
                label = obj.labels.all()
                if label.count() >= 1:
                    # NOTE(review): the masked name embeds the database
                    # primary key (obj.id) plus the first label; confirm that
                    # exposing the pk in shared bundles is acceptable.
                    name = str(obj.id)
                    if label[0].alias:
                        name += '-' + label[0].alias
                    else:
                        name += '-' + label[0].value
            i = stix2.Identity(
                id=oid,
                name=name,
                identity_class=obj.identity_class,
                description=dscr,
                sectors=[str(s.value) for s in obj.sectors.all()],
                labels=[str(l.value) for l in obj.labels.all()],
                created=obj.created,
                modified=obj.modified,
            )
            objects += (i, )
        elif obj.object_type.name == 'indicator':
            # NOTE(review): "[]" stands in for the redacted pattern; whether
            # stix2 accepts it depends on its pattern validation — confirm.
            pattern = "[]"
            if not mask and obj.pattern:
                pattern = obj.pattern.pattern
            i = stix2.Indicator(
                id=oid,
                name=obj.name,
                description=dscr,
                labels=[str(l.value) for l in obj.labels.all()],
                pattern=pattern,
                created=obj.created,
                modified=obj.modified,
                valid_from=obj.valid_from,
                valid_until=obj.valid_until,
            )
            objects += (i, )
        elif obj.object_type.name == 'intrusion-set':
            i = stix2.IntrusionSet(
                id=oid,
                name=obj.name,
                description=dscr,
                aliases=[str(a.name) for a in obj.aliases.all()],
                created=obj.created,
                modified=obj.modified,
                first_seen=obj.first_seen,
                # last_seen is deliberately not exported here (kept as in
                # the original); the reason is not recorded.
                #last_seen=obj.last_seen,
            )
            objects += (i, )
        elif obj.object_type.name == 'malware':
            m = stix2.Malware(
                id=oid,
                name=obj.name,
                description=dscr,
                labels=[str(l.value) for l in obj.labels.all()],
                created=obj.created,
                modified=obj.modified,
                kill_chain_phases=stix2killchain(obj),
            )
            objects += (m, )
        elif obj.object_type.name == 'observed-data':
            # Observables are only materialised when unmasked; under mask the
            # observed-data object is exported with an empty ``objects`` dict.
            # NOTE(review): confirm stix2 accepts an empty objects dict here.
            obs = {}
            for o in obj.observable_objects.all():
                ob = None
                if o.type.name == "file":
                    f = FileObject.objects.get(id=o.id)
                    ob = stix2.File(name=f.name)
                elif o.type.name == "ipv4-addr":
                    i = IPv4AddressObject.objects.get(id=o.id)
                    ob = stix2.IPv4Address(value=i.value)
                elif o.type.name == "url":
                    u = URLObject.objects.get(id=o.id)
                    ob = stix2.URL(value=u.value)
                elif o.type.name == "domain-name":
                    dn = DomainNameObject.objects.get(id=o.id)
                    ob = stix2.DomainName(value=dn.value)
                if ob and not mask:
                    # Round-trip through JSON to get a plain dict keyed by
                    # the observable's database id.
                    obs[str(o.id)] = json.loads(str(ob))
            od = stix2.ObservedData(
                id=oid,
                created=obj.created,
                modified=obj.modified,
                first_observed=obj.first_observed,
                last_observed=obj.last_observed,
                number_observed=obj.number_observed,
                objects=obs,
            )
            objects += (od, )
        elif obj.object_type.name == 'report':
            created_by = None
            if obj.created_by_ref:
                created_by = obj.created_by_ref.object_id
            r = stix2.Report(
                id=oid,
                labels=[str(l.value) for l in obj.labels.all()],
                name=obj.name,
                description=dscr,
                published=obj.published,
                object_refs=[str(r.object_id) for r in obj.object_refs.all()],
                created_by_ref=created_by,
                created=obj.created,
                modified=obj.modified,
            )
            objects += (r, )
        elif obj.object_type.name == 'threat-actor':
            t = stix2.ThreatActor(
                id=oid,
                name=obj.name,
                description=dscr,
                labels=[str(l.value) for l in obj.labels.all()],
                aliases=[str(a.name) for a in obj.aliases.all()],
                created=obj.created,
                modified=obj.modified,
            )
            objects += (t, )
        elif obj.object_type.name == 'tool':
            t = stix2.Tool(
                id=oid,
                name=obj.name,
                description=dscr,
                labels=[str(l.value) for l in obj.labels.all()],
                created=obj.created,
                modified=obj.modified,
                kill_chain_phases=stix2killchain(obj),
            )
            objects += (t, )
        elif obj.object_type.name == 'vulnerability':
            v = stix2.Vulnerability(
                id=oid,
                name=obj.name,
                description=dscr,
                created=obj.created,
                modified=obj.modified,
            )
            objects += (v, )
        elif obj.object_type.name == 'relationship':
            r = stix2.Relationship(
                id=oid,
                relationship_type=obj.relationship_type.name,
                description=dscr,
                source_ref=obj.source_ref.object_id,
                target_ref=obj.target_ref.object_id,
                created=obj.created,
                modified=obj.modified,
            )
            objects += (r, )
        elif obj.object_type.name == 'sighting':
            s = stix2.Sighting(
                id=oid,
                sighting_of_ref=obj.sighting_of_ref.object_id,
                where_sighted_refs=[
                    str(w.object_id.object_id) for w in obj.where_sighted_refs.all()
                ],
                observed_data_refs=[
                    str(od.object_id.object_id) for od in obj.observed_data_refs.all()
                ],
                first_seen=obj.first_seen,
                last_seen=obj.last_seen,
                created=obj.created,
                modified=obj.modified,
            )
            objects += (s, )
    bundle = stix2.Bundle(*objects)
    return bundle