def to_observed_data(r): """ Fungsi untuk mengubah menjadi objek stix observable """ uid = str(uuid.uuid4()) created = datetime.now() modified = created temp_first = float(r["first_observed"]) temp_last = float(r["last_observed"]) first_observed = datetime.fromtimestamp(temp_first) last_observed = datetime.fromtimestamp(temp_last) number_observed = int(r["number_observed"]) if type(r["src_ip"]) == list: observed = stix2.ObservedData( id="observed-data--" + uid, created=created, modified=modified, first_observed=first_observed, last_observed=last_observed, number_observed=number_observed, objects= { "0": { "type": "ipv4-addr", "value": " ".join(r["src_ip"]) }, "1": { "type": "ipv4-addr", "value": r["dest_ip"] }, "2": { "type": "network-traffic", "src_ref": "0", "dst_ref": "1", # "src_port": r["src_port"], "dst_port": r["dest_port"], "protocols": [ "ipv4", r["protocol"] ], } } ) return observed # for src_ip in r["src_ip"]: # observed = stix2.ObservedData( # id="observed-data--" + uid, # created=created, # modified=modified, # first_observed=first_observed, # last_observed=last_observed, # number_observed=number_observed, # objects= # { # "0": { # "type": "ipv4-addr", # "value": src_ip # }, # "1": { # "type": "ipv4-addr", # "value": r["dest_ip"] # }, # "2": { # "type": "network-traffic", # "src_ref": "0", # "dst_ref": "1", # "dst_port": r["dest_port"], # "protocols": [ # "ipv4", # r["protocol"] # ], # } # } # ) # observed_list.append(observed) # return observed_list else: observed = stix2.ObservedData( id="observed-data--" + uid, created=created, modified=modified, first_observed=first_observed, last_observed=last_observed, number_observed=number_observed, objects= { "0": { "type": "ipv4-addr", "value": r["src_ip"] }, "1": { "type": "ipv4-addr", "value": r["dest_ip"] }, "2": { "type": "network-traffic", "src_ref": "0", "dst_ref": "1", # "src_port": r["src_port"], "dst_port": r["dest_port"], "protocols": [ "ipv4", r["protocol"] ], } } ) return observed
def stix_bundle(objs, mask=True): objects = () for obj in objs: oid = obj.object_id.object_id dscr = "" if not mask and hasattr(obj, "description"): dscr = obj.description if obj.object_type.name == 'attack-pattern': a = stix2.AttackPattern( id=oid, name=obj.name, description=dscr, created=obj.created, modified=obj.modified, kill_chain_phases=stix2killchain(obj), ) objects += (a, ) elif obj.object_type.name == 'campaign': c = stix2.Campaign( id=oid, name=obj.name, description=dscr, aliases=[str(a.name) for a in obj.aliases.all()], created=obj.created, modified=obj.modified, first_seen=obj.first_seen, last_seen=obj.last_seen, ) objects += (c, ) elif obj.object_type.name == 'course-of-action': c = stix2.CourseOfAction( id=oid, name=obj.name, description=dscr, created=obj.created, modified=obj.modified, ) objects += (c, ) elif obj.object_type.name == 'identity': name = obj.name if mask: name = oid label = obj.labels.all() if label.count() >= 1: name = str(obj.id) if label[0].alias: name += '-' + label[0].alias else: name += '-' + label[0].value i = stix2.Identity( id=oid, name=name, identity_class=obj.identity_class, description=dscr, sectors=[str(s.value) for s in obj.sectors.all()], labels=[str(l.value) for l in obj.labels.all()], created=obj.created, modified=obj.modified, ) objects += (i, ) elif obj.object_type.name == 'indicator': pattern = "[]" if not mask and obj.pattern: pattern = obj.pattern.pattern i = stix2.Indicator( id=oid, name=obj.name, description=dscr, labels=[str(l.value) for l in obj.labels.all()], pattern=pattern, created=obj.created, modified=obj.modified, valid_from=obj.valid_from, valid_until=obj.valid_until, ) objects += (i, ) elif obj.object_type.name == 'intrusion-set': i = stix2.IntrusionSet( id=oid, name=obj.name, description=dscr, aliases=[str(a.name) for a in obj.aliases.all()], created=obj.created, modified=obj.modified, first_seen=obj.first_seen, #last_seen=obj.last_seen, ) objects += (i, ) elif obj.object_type.name == 'malware': m = stix2.Malware( id=oid, name=obj.name, description=dscr, labels=[str(l.value) for l in obj.labels.all()], created=obj.created, modified=obj.modified, kill_chain_phases=stix2killchain(obj), ) objects += (m, ) elif obj.object_type.name == 'observed-data': obs = {} for o in obj.observable_objects.all(): ob = None if o.type.name == "file": f = FileObject.objects.get(id=o.id) ob = stix2.File(name=f.name) elif o.type.name == "ipv4-addr": i = IPv4AddressObject.objects.get(id=o.id) ob = stix2.IPv4Address(value=i.value) elif o.type.name == "url": u = URLObject.objects.get(id=o.id) ob = stix2.URL(value=u.value) elif o.type.name == "domain-name": dn = DomainNameObject.objects.get(id=o.id) ob = stix2.DomainName(value=dn.value) if ob and not mask: obs[str(o.id)] = json.loads(str(ob)) od = stix2.ObservedData( id=oid, created=obj.created, modified=obj.modified, first_observed=obj.first_observed, last_observed=obj.last_observed, number_observed=obj.number_observed, objects=obs, ) objects += (od, ) elif obj.object_type.name == 'report': created_by = None if obj.created_by_ref: created_by = obj.created_by_ref.object_id r = stix2.Report( id=oid, labels=[str(l.value) for l in obj.labels.all()], name=obj.name, description=dscr, published=obj.published, object_refs=[str(r.object_id) for r in obj.object_refs.all()], created_by_ref=created_by, created=obj.created, modified=obj.modified, ) objects += (r, ) elif obj.object_type.name == 'threat-actor': t = stix2.ThreatActor( id=oid, name=obj.name, description=dscr, labels=[str(l.value) for l in obj.labels.all()], aliases=[str(a.name) for a in obj.aliases.all()], created=obj.created, modified=obj.modified, ) objects += (t, ) elif obj.object_type.name == 'tool': t = stix2.Tool( id=oid, name=obj.name, description=dscr, labels=[str(l.value) for l in obj.labels.all()], created=obj.created, modified=obj.modified, kill_chain_phases=stix2killchain(obj), ) objects += (t, ) elif obj.object_type.name == 'vulnerability': v = stix2.Vulnerability( id=oid, name=obj.name, description=dscr, created=obj.created, modified=obj.modified, ) objects += (v, ) elif obj.object_type.name == 'relationship': r = stix2.Relationship( id=oid, relationship_type=obj.relationship_type.name, description=dscr, source_ref=obj.source_ref.object_id, target_ref=obj.target_ref.object_id, created=obj.created, modified=obj.modified, ) objects += (r, ) elif obj.object_type.name == 'sighting': s = stix2.Sighting( id=oid, sighting_of_ref=obj.sighting_of_ref.object_id, where_sighted_refs=[ str(w.object_id.object_id) for w in obj.where_sighted_refs.all() ], observed_data_refs=[ str(od.object_id.object_id) for od in obj.observed_data_refs.all() ], first_seen=obj.first_seen, last_seen=obj.last_seen, created=obj.created, modified=obj.modified, ) objects += (s, ) bundle = stix2.Bundle(*objects) return bundle