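def hostchars_indicator(hostnames=None):
    """Build a "Host Characteristics" Indicator with one Hostname observable per name.

    :param hostnames: iterable of hostname strings. ``None`` (the default) or an
        empty iterable produces an Indicator that carries no observables.
    :return: the populated Indicator.
    """
    # A mutable default argument ([]) is one shared list across every call;
    # normalise None to a fresh list instead.
    if hostnames is None:
        hostnames = []

    hostchars = Indicator()
    hostchars.add_indicator_type("Host Characteristics")

    for h in hostnames:
        hostname = Hostname()
        hostname.hostname_value = h
        hostchars.add_observable(hostname)

    return hostchars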
    def create_host_indicator(self, host_indicator):
        """Wrap a single hostname in a 'Domain Watchlist' Indicator.

        :param host_indicator: the hostname string to watch for.
        :return: an Indicator whose only observable is a Hostname matched
            with the ``Equals`` condition against *host_indicator*.
        """
        watched_host = Hostname()
        watched_host.value = host_indicator
        watched_host.condition = 'Equals'

        result = Indicator()
        result.title = 'Hostname of site hosting malware'
        result.add_indicator_type('Domain Watchlist')
        result.add_observable(watched_host)
        return result
    def create_host_indicator(self, host_indicator):
        """Return a 'Domain Watchlist' Indicator observing *host_indicator*.

        The Hostname observable is given the ``Equals`` condition, i.e. the
        watchlist entry is the exact hostname string supplied.
        """
        def exact_hostname(value):
            # One Hostname observable with an exact-match condition.
            hn = Hostname()
            hn.value = value
            hn.condition = 'Equals'
            return hn

        ind = Indicator()
        ind.title = 'Hostname of site hosting malware'
        ind.add_indicator_type('Domain Watchlist')
        ind.add_observable(exact_hostname(host_indicator))
        return ind
def add_obs_to_pkg(obs, pkg):
    """Append Address / Hostname / DomainName observables from *obs* to *pkg*.

    :param obs: mapping with optional ``"ip"``, ``"host"`` and ``"domain"``
        keys, each holding an iterable of string values. Keys that are absent
        are simply skipped.
    :param pkg: object exposing ``add_observable``; mutated in place.
    :return: *pkg*, for chaining.
    """
    # (input key, CybOX object class, attribute that receives the value)
    builders = (
        ("ip", Address, "address_value"),
        ("host", Hostname, "hostname_value"),
        ("domain", DomainName, "value"),
    )

    for key, cls, attr in builders:
        if key not in obs:
            continue
        for value in obs[key]:
            observable = cls()
            setattr(observable, attr, value)
            pkg.add_observable(observable)

    return pkg
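def _set_search_items_from_hostname_object(patterns, prop):
    u'''
    extract and set search key/value items from Cybox binding HostName Object

    patterns -- search-item collection handed through to _add_search_item
    prop     -- a cybox.bindings HostnameObjectType; None or any other type
                is ignored silently
    '''
    if prop is None or not isinstance(prop, HostnameObjectType):
        return
    # translate cybox.bindings object to cybox.objects object
    obj = Hostname.from_obj(prop)

    # Host Name
    if obj.hostname_value is not None:
        host = unicode(obj.hostname_value)
        # A bracketed value such as "[a,b,c]" carries a comma-separated list.
        # Strip exactly one bracket at each end: the previous upper bound of
        # len(host) - 2 also dropped the last character of the final entry.
        # startswith/endswith also keep an empty string out of host[0].
        if host.startswith(u'[') and host.endswith(u']'):
            _add_search_item(patterns, u"HostName", host[1:-1].split(','))
        else:
            _add_search_item(patterns, u"HostName", host)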
def convert_address_ref(obj2x, direction, obs2x_id):
    """Build a SocketAddress from the ``<direction>_ref`` / ``<direction>_port``
    keys of a STIX 2.x object.

    :param obj2x: the STIX 2.x object (dict-like) being converted.
    :param direction: key prefix; only ``direction + "_ref"`` and
        ``direction + "_port"`` are consulted.
    :param obs2x_id: id of the enclosing 2.x observable, used in the warning
        when the ref does not resolve through ``_STIX1X_OBJS``.
    :return: a SocketAddress with the resolved ip_address or hostname and/or
        port, or None when neither key yields anything.
    """
    ref_key = direction + "_ref"
    port_key = direction + "_port"
    result = None

    if ref_key in obj2x:
        ref_value = obj2x[ref_key]
        if ref_value in _STIX1X_OBJS:
            result = SocketAddress()
            target = _STIX1X_OBJS[ref_value]
            # Only Address and DomainName targets are mapped; any other
            # 1.x object leaves the SocketAddress without ip/hostname.
            if isinstance(target, Address):
                result.ip_address = target
            elif isinstance(target, DomainName):
                result.hostname = Hostname()
                result.hostname.hostname_value = target.value
        else:
            warn("%s is not an index found in %s", 306, ref_value, obs2x_id)

    if port_key in obj2x:
        if not result:
            result = SocketAddress()
        result.port = Port()
        result.port.port_value = obj2x[port_key]

    return result
 def test_missing_naming_system(self):
     """A Hostname built without a naming_system still serialises its value."""
     xml_out = Hostname.from_dict({'hostname_value': "www.example2.com"}).to_xml()
     self.assertIn("www.example2.com", xml_out)
 def test_missing_naming_system(self):
     """Round-trip a dict with only hostname_value; the value must survive to_xml()."""
     expected_value = "www.example2.com"
     parsed = Hostname.from_dict({'hostname_value': expected_value})
     self.assertTrue(expected_value in parsed.to_xml())
def addsec_to_cybox(as_obtype, as_obdata):
    """Map one Addition Security observable to the matching CybOX object.

    Addition Security to CybOX mappings, for discrete/separate observables.

    :param as_obtype: Addition Security data-type code (the numeric
        DataType* ids noted inline below).
    :param as_obdata: the observable's payload, interpreted according to
        *as_obtype*.
    :return: a populated CybOX object, or None for codes that have no
        mapping yet (2 SHA1Hash, 7 VersionString, 18 String,
        31 PropertyName) and for any unknown code.
    """
    # 30: DataTypeSymbolName -> API call identified by function name
    if as_obtype == 30:
        api_obj = API()
        api_obj.function_name = as_obdata
        return api_obj

    # 32: DataTypeLibraryName -> Library; the bare name doubles as the path
    elif as_obtype == 32:
        lib = Library()
        lib.name = as_obdata
        lib.path = as_obdata
        return lib

    # 14: DataTypeUsername
    elif as_obtype == 14:
        account = UserAccount()
        account.username = as_obdata
        return account

    # 10: DataTypeFile -> File keyed by its full path
    elif as_obtype == 10:
        file_obj = File()
        file_obj.full_path = as_obdata
        return file_obj

    # 23: DataTypeHostname
    elif as_obtype == 23:
        host = Hostname()
        host.hostname_value = as_obdata
        return host

    # 29: DataTypeEnvString
    elif as_obtype == 29:
        # Process stands in for the hosting process; the actual environment
        # variable value is attached to it.
        proc = Process()
        proc.environment_variable_list = as_obdata
        return proc

    # 17: DataTypeApplication
    elif as_obtype == 17:
        # Particularly on Android, an installed package sits somewhere between
        # File and Process but is neither.  LinuxPackage is the closest fit;
        # deriving from it would be more correct but is kept simple here.
        package = LinuxPackage()
        package.name = as_obdata
        return package

    # 11: DataTypeX509
    # 12: DataTypeX509Subject
    # 13: DataTypeX509Issuer
    elif as_obtype in (11, 12, 13):
        cert = X509Certificate()
        if as_obtype == 11:
            # raw certificate bytes -> hex text (Python 2 str.encode('hex'))
            cert.raw_certificate = as_obdata.encode('hex')
        elif as_obtype == 12:
            # NOTE(review): assumes X509Certificate() initialises .certificate;
            # confirm it is not None before subject/issuer are assigned.
            cert.certificate.subject = as_obdata
        else:
            cert.certificate.issuer = as_obdata
        return cert

    # 2: DataTypeSHA1Hash
    # 7: DataTypeVersionString
    # 18: DataTypeString
    # 31: DataTypePropertyName
    # TODO: find the proper CybOX to represent these; for now, we don't
    # report them
    return None
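def transform(data, new_only=True):
    """
        transform - The transforms are source specific.
        Source: http://www.malwaredomainlist.com/hostslist/mdl.xml
        data - must be source xml converted to a dictionary

    :param data: the MDL RSS feed as a dict (``rss`` -> ``channel`` ->
        ``item`` list); every field in it is untrusted feed text.
    :param new_only: when True only items whose guid is not yet in the
        history store are transformed; when False every item is.
    :return: False when *data* is not a dict; None when there was nothing
        to transform; otherwise the populated STIXPackage.

    Side effects: guids of new items are written to the history store as soon
    as they are seen, before the package is built, and the history and
    value_to_key stores are written back at the end.
    """

    # Input validation
    if not isinstance(data, dict):
        return False

    work = []
    # pkg is only built when there is work; initialise it so the final
    # return does not raise UnboundLocalError on an empty or fully-seen feed.
    pkg = None
    history = db('local_file', 'history', ADPTR_SRC_ID)
    value2key = db('local_file', 'value_to_key', 'values')
    channel = data.get('rss', {}).get('channel', {})
    items = channel.get('item')

    if items:
        for item in items:
            guid = item.get('guid', {}).get('#text')

            if guid:
                # Check to see if this item has been process before
                # if not, add to work
                if guid in history:
                    if not new_only:
                        work.append(item)
                else:
                    work.append(item)
                    db('local_file', 'history', ADPTR_SRC_ID,
                       {guid: {
                           'date': str(datetime.now())
                       }})

    if work:
        ### Generate STIXPackage and STIXHeader
        set_ns_stix(ADPTR_NS_STIX)
        set_ns_cybox(ADPTR_NS_CYBOX)
        STIXPackage._version = ADPTR_VER_STIX
        pkg = STIXPackage()

        src_info, value2key = gen_info_src({}, 'www.malwaredomainlist.com',
                                           value2key)

        hdr = STIXHeader()
        hdr.title = channel.get('title')
        hdr.description = channel.get('description')
        hdr.information_source = src_info
        pkg.stix_header = hdr

        for item in work:
            key = item.get('guid', {}).get('#text')

            # Decompose data description, a comma-separated list of
            # "Name: value" fields.  Split on the first ':' only, so a value
            # containing a colon does not raise ValueError, and skip fields
            # with no ':' at all (a missing description yields no fields).
            decomp = {}
            for field in (item.get('description') or '').split(','):
                if ':' not in field:
                    continue
                k, v = field.split(':', 1)
                decomp[k.strip()] = v.strip()

            # Generate STIX Indicator
            ind, history = gen_indicator(item, key, history)
            ind.producer = src_info
            ind.short_description = 'MDL RefID: %s | %s' % (
                key, decomp.get('Description'))

            # Decompose host: "host/path" splits into hostname and URI path.
            # decomp.get('Host') may be None, so guard before the 'in' test.
            host = decomp.get('Host')
            uri = None
            if host and '/' in host:
                host, uri = host.split('/', 1)
                # TODO: parse out file Name (no File observable is emitted yet)

            if host:  # Generate Cybox HostName
                obj = Hostname()
                obj.is_domain_name = True
                obj.naming_system = 'DNS'
                obj.hostname_value = host
                ob, value2key = gen_CyboxOb(obj, host, value2key)
                ob.title = 'HostName: %s' % obj.hostname_value

                ind.add_observable(CyboxOb(idref=ob.id_))
                pkg.add_observable(ob)

            if uri:  # Generate Cybox URI
                obj = URI()
                obj.type_ = URI.TYPE_URL
                url = AnyURI('%s/%s' % (host, uri))
                obj.value = url
                ob, value2key = gen_CyboxOb(obj, url, value2key)
                ob.title = 'URL: %s' % url
                ind.add_observable(CyboxOb(idref=ob.id_))
                pkg.add_observable(ob)

            ip = decomp.get('IP address')
            if ip:
                obj_ip = Address()
                if isIPv4(ip):
                    obj_ip.category = Address.CAT_IPV4
                elif isIPv6(ip):
                    obj_ip.category = Address.CAT_IPV6
                else:
                    # Unparseable address: skip this item only.  The previous
                    # 'break' abandoned every remaining item in work even
                    # though their guids were already recorded in history
                    # above, so they would never be transformed.
                    continue

                obj_ip.is_source = True
                obj_ip.address_value = ip
                # NOTE: the IP is not yet related to the host observable
                # (ObjectRelationship.TERM_RESOLVED_TO).

                ob = CyboxOb(obj_ip)
                ob.title = 'IP: %s' % ip
                ind.add_observable(CyboxOb(idref=ob.id_))
                pkg.add_observable(ob)

            asn = decomp.get('ASN')
            if asn:
                # The ASN string is taken from the feed as-is; unlike the IP
                # it is not validated before it becomes an observable.
                obj_asn = Address()
                obj_asn.category = Address.CAT_ASN
                obj_asn.address_value = asn
                # NOTE: the ASN is not yet related to the host or IP
                # observables (ObjectRelationship.TERM_CONNECTED_TO).

                ob = CyboxOb(obj_asn)
                # Title the ASN observable with the ASN, not the IP
                # (previously '% ip', a copy-paste slip).
                ob.title = 'ASN: %s' % asn
                ind.add_observable(CyboxOb(idref=ob.id_))
                pkg.add_observable(ob)

            pkg.add_indicator(ind)

    db('local_file', 'value_to_key', 'values', value2key)
    db('local_file', 'history', ADPTR_SRC_ID, history)
    return pkg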