trolldbois / fexml2stix Public

Notifications You must be signed in to change notification settings
Fork 1
Star 1

exports FireEye (CMS) alerts to STIX and malware object to Viper storage

GPL-3.0 license

1 star 1 fork Branches Tags Activity

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
LICENSE		LICENSE
README.md		README.md
app.py		app.py
config.py		config.py
fealerts.py		fealerts.py
fesubclasses.py		fesubclasses.py
fexml2stix.py		fexml2stix.py
fireeye.py		fireeye.py
requirements.txt		requirements.txt
viperapi.py		viperapi.py

Repository files navigation

app.py

a simple flash app that

collect FireEye (CMS) produced Extended XML notification
dispatches to fexml2stix.FireEyeXMLParser (STIX)
collects the malware object from FireEye Alerts
send malware objects to a Viper instance for storage

fexml2stix.FireEyeXMLParser (inspired from fe2stix https://github.com/BechtelCIRT/fe2stix )

Parses the XML, uses fireeye.* API, translates to STIX, and send to STIX server.

fireeye.py

a WS API and HTML API to collect additional alerts/reports from the CMS.

fesubclasses.py, fealerts.py

XML to Python bindings by generateDS. FireEye (~7.6) alerts XSD to python.

viperapi.py

Wrapper to push malware file object to a viper instance

Configuration

Set the variables in the config.py file

Configure FireEye Notification

Create HTTP Event
Add HTTP Server
Name it 'fexml2stix'
Set the server URL as 'http://youserver.com:5000/api/v1/fe'
Notify for all events and deliver per event
Leave it as the generic provider
Select 'JSON Normal' for the message format
Submit a malicious sample, and watch the magic happen

GPL License

About

exports FireEye (CMS) alerts to STIX and malware object to Viper storage

GPL-3.0 license

Report repository

Releases

No releases published

Packages

No packages published

Languages