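    def __init__(self, id=None, namespace=None, method=None, type=None, source=None, ordinal_position=None,
                 start_datetime=None, complete_datetime=None, lastupdate_datetime=None, analysts=None, summary=None, comments=None, tools=None,
                 dynamic_analysis_metadata=None, report=None, analysis_environment=None):
        """Build a MAEC Analysis, minting a UUID-based id when none is supplied.

        Args:
            id: Explicit analysis id. When ``None`` an id is generated with
                ``create_id(prefix='analysis')``.
            namespace: Id namespace passed to ``set_id_namespace``; only
                consulted when ``id`` is None.
            method, type: Forwarded to the parent constructor.
            source, ordinal_position, start_datetime, complete_datetime,
            lastupdate_datetime, summary, report: Stored as-is.
            analysts: Iterable of ``Contributor``; anything that is not a
                ``Contributor`` is silently dropped.
            comments: Iterable whose items are appended to a ``CommentList``.
            tools: Iterable of ``ToolInformation``; other items are dropped.
            dynamic_analysis_metadata: Kept only if it is a
                ``DynamicAnalysisMetadata`` instance.
            analysis_environment: Kept only if it is an ``AnalysisEnvironment``.

        Note: ``set_id_method``/``set_id_namespace`` configure the id generator
        shared by the whole idgen module (other code in this corpus resets it
        in ``tearDown``), so constructing an instance changes how every later
        id in the process is minted, not just this object's.
        """
        super(MaecAnalysis, self).__init__(id=id, method=method, type=type)
        set_id_method(IDGenerator.METHOD_UUID)
        if id is None:
            if namespace is not None:
                set_id_namespace(namespace)
            self.id_ = create_id(prefix='analysis')

        self.ordinal_position = ordinal_position
        self.start_datetime = start_datetime
        self.complete_datetime = complete_datetime
        self.lastupdate_datetime = lastupdate_datetime
        self.source = source
        if analysts is not None:
            self.analysts = Personnel()
            # Bug fix: the original iterated ``analysts()`` -- it *called* the
            # collection that was passed in, which raises TypeError for any
            # list/tuple argument. Iterate the collection itself.
            for contributor in analysts:
                if isinstance(contributor, Contributor):
                    self.analysts.append(contributor)
        self.summary = summary
        if comments is not None:
            self.comments = CommentList()
            for comment in comments:
                self.comments.append(comment)
        if tools is not None:
            for tool in tools:
                if isinstance(tool, ToolInformation):
                    self.add_tool(tool)
        # isinstance() is already False for None, so no separate None check is needed.
        if isinstance(dynamic_analysis_metadata, DynamicAnalysisMetadata):
            self.dynamic_analysis_metadata = dynamic_analysis_metadata
        self.report = report
        if isinstance(analysis_environment, AnalysisEnvironment):
            self.analysis_environment = analysis_environment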
    def __init__(self, id=None, namespace=None, malware_instance_object_attributes=None, relationships=None, minor_variants=None, labels=None, findings_bundles=None,
                 development_environment=None, configuration_details=None, compatible_platform=None, analyses=None):
        """Build a MAEC Malware Subject and populate its collections.

        Args:
            id: Explicit id. When None *and* ``namespace`` is given, the shared
                id generator is switched to UUIDs in that namespace and an id
                with prefix ``malware_subject`` is minted. When both are None
                no id is generated here.
            namespace: Id namespace for the generated id (see above).
            malware_instance_object_attributes: Forwarded to the parent.
            relationships: Iterable; only ``MalwareSubjectRelationship``
                instances are kept.
            minor_variants: Iterable appended verbatim to ``MinorVariants``.
            labels: Iterable of values wrapped in ``VocabString``.
            findings_bundles: Used as-is only if it already is a
                ``FindingsBundleList``; otherwise an empty list is created.
            development_environment, configuration_details,
            compatible_platform, analyses: Stored as-is.

        Note: ``set_id_method``/``set_id_namespace`` alter module-level id
        generator state shared with every other object minted afterwards.
        """
        super(MaecMalwareSubject, self).__init__(id=id, malware_instance_object_attributes=malware_instance_object_attributes)
        generate_id = id is None and namespace is not None
        if generate_id:
            set_id_method(IDGenerator.METHOD_UUID)
            set_id_namespace(namespace)
            self.id_ = create_id(prefix="malware_subject")

        self.relationships = MalwareSubjectRelationshipList()
        if relationships is not None:
            for rel in filter(lambda r: isinstance(r, MalwareSubjectRelationship), relationships):
                self.relationships.append(rel)

        self.minor_variants = MinorVariants()
        if minor_variants is not None:
            for variant in minor_variants:
                self.minor_variants.append(variant)

        self.label = [] if labels is None else [VocabString(value) for value in labels]

        # isinstance() is False for None, so the None guard is implicit.
        self.findings_bundles = (findings_bundles
                                 if isinstance(findings_bundles, FindingsBundleList)
                                 else FindingsBundleList())

        self.development_environment = development_environment
        self.configuration_details = configuration_details
        self.compatible_platform = compatible_platform
        self.analyses = analyses
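def main(args):
    """Print the opening fragment of a STIX 1.1.1 package for a MISP export.

    Args:
        args: argv-style list. ``args[1]`` is the namespace base URL (falls
            back to ``https://www.misp-project.org`` when empty), ``args[2]``
            the organisation name, ``args[3]`` the output format -- ``'json'``
            or anything else for XML.

    Side effects: registers the organisation's namespace in the module-level
    ``NS_DICT`` and in the shared id generator, then prints a deliberately
    *unterminated* package (the closing ``}`` or ``</stix:STIX_Package>`` is
    cut off) so the caller can append related packages and close it.

    Exits through ``sys.exit`` when fewer than three positional arguments are
    supplied.

    Security note: ``baseURL`` is emitted verbatim as an xmlns URI via
    ``NS_DICT``; it is not validated here, so only pass trusted values.
    """
    if len(args) < 4:
        sys.exit("Invalid parameters")
    baseURL = args[1] or 'https://www.misp-project.org'
    # The org name becomes an XML namespace prefix: turn spaces into '_' so
    # words stay separated, then drop every remaining non-word character.
    # Raw string so '\W' reaches the regex engine rather than Python's parser.
    orgname = re.sub(r'[\W]+', '', args[2].replace(" ", "_"))
    NS_DICT[baseURL] = orgname
    # Different stix/mixbox releases disagree on the Namespace signature; the
    # three-argument form supplies a schema-location placeholder.
    try:
        idgen.set_id_namespace(Namespace(baseURL, orgname))
    except TypeError:
        idgen.set_id_namespace(Namespace(baseURL, orgname, "MISP"))

    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Export from {} MISP".format(args[2])
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header
    stix_package.version = "1.1.1"
    # Naive local time, as before; STIX consumers may prefer a tz-aware value.
    stix_package.timestamp = datetime.datetime.now()

    if args[3] == 'json':
        # Strip the final '}' and open a related_packages array for the caller.
        stix_string = stix_package.to_json()[:-1]
        stix_string += ', "related_packages": ['
    else:
        stix_string = stix_package.to_xml(auto_namespace=False,
                                          ns_dict=NS_DICT,
                                          schemaloc_dict=SCHEMALOC_DICT)
        # to_xml() returns bytes under py3; drop the closing root element.
        stix_string = stix_string.decode().replace("</stix:STIX_Package>\n",
                                                   "")
    print(stix_string)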
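def main():
    """Build and print a STIX 1.x package of IP indicators from ``loaddata()``.

    The data returned by ``loaddata()`` is expected to carry: ``NSXURL`` and
    ``NS`` (id namespace URL and prefix), ``Identity``, ``TLP_COLOR``,
    ``Title``, ``Description`` and ``IOC`` -- a mapping of IPv4 address to an
    iterable of file hashes that were downloaded from it. Every string that
    ends up in the document goes through ``sanitizer`` first.

    Output: a single ``IP Watchlist`` indicator holding one Address observable
    per IP, each with related ``File`` objects (``Downloaded`` relationship),
    under a TLP-marked header. The XML is printed to stdout.
    """
    mydata = loaddata()

    # Your Namespace: new ids will be prefixed with the configured NS.
    NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
    set_id_namespace(NAMESPACE)

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name=sanitizer(mydata["Identity"]))

    # Marking applies to the whole document (every node and attribute).
    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = sanitizer(mydata["TLP_COLOR"])
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    # Local time, formatted as before (same value fromtimestamp(time.time()) gave).
    timestamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    MyTITLE = sanitizer(mydata["Title"])
    SHORT = timestamp

    DESCRIPTION = sanitizer(mydata["Description"])

    wrapper.stix_header = STIXHeader(information_source=info_src,
                                     title=MyTITLE,
                                     description=DESCRIPTION,
                                     short_description=SHORT)
    wrapper.stix_header.handling = handling

    indiDom = Indicator()
    indiDom.title = MyTITLE
    indiDom.add_indicator_type("IP Watchlist")

    for ip_value, hashes in mydata["IOC"].items():
        myip = Address(address_value=sanitizer(ip_value), category=Address.CAT_IPV4)
        myip.condition = "Equals"

        obsu = Observable(myip)

        # Bug fix: the original loop target was ``mydata["IOC"][key]`` itself
        # (``for idx, mydata["IOC"][key] in enumerate(...)``), so every
        # iteration overwrote the list being walked with one of its own
        # elements and left the input dict corrupted. Iterate a plain name.
        for hash_value in hashes:
            ioc = File()
            ioc.add_hash(sanitizer(hash_value))

            myip.add_related(ioc, "Downloaded")

        indiDom.add_observable(obsu)

    wrapper.add_indicator(indiDom)

    print(wrapper.to_xml())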
 def __init__(self):
     """Register the SNS STIX namespace and keep a handle on the id generator.

     The namespace URL and prefix come from ``SNSConfig``. ``ns_dict`` maps
     URL -> prefix (presumably for serialisation calls that take ``ns_dict``;
     confirm against callers), and the same pair is installed into the
     shared idgen namespace so generated ids carry the configured prefix.
     ``idgen._get_generator`` is a private API and may move between releases.
     """
     ns_url = SNSConfig.get_stix_ns_url()
     ns_name = SNSConfig.get_stix_ns_name()
     # namespace dictionary
     self.ns_dict = {ns_url: ns_name}
     # id generator
     idgen.set_id_namespace(Namespace(ns_url, ns_name, schema_location=None))
     self.generator = idgen._get_generator()
 def __init__(self, id=None, namespace=None, defined_subject=None, schema_version="4.1", content_type=None, timestamp=None, malware_instance_object=None):
     """Build a MAEC Bundle with four empty collection lists.

     Args:
         id, defined_subject, schema_version, content_type,
         malware_instance_object: Forwarded to the parent constructor.
         namespace: When given, the shared id generator is switched to UUIDs
             in this namespace *before* the parent constructor runs (which is
             where the parent may mint an id). Process-wide side effect.
         timestamp: Stored as-is.
     """
     if namespace is not None:
         set_id_method(IDGenerator.METHOD_UUID)
         set_id_namespace(namespace)
     super(MaecBundle, self).__init__(id=id, defined_subject=defined_subject, schema_version=schema_version, content_type=content_type, malware_instance_object=malware_instance_object)
     self.timestamp = timestamp
     # Start every collection kind empty so callers can append without checks.
     collections = Collections()
     collections.action_collections = ActionCollectionList()
     collections.behavior_collections = BehaviorCollectionList()
     collections.object_collections = ObjectCollectionList()
     collections.candidate_indicator_collections = CandidateIndicatorCollectionList()
     self.collections = collections
    def __init__(
        self,
        identity_name=DEFAULT_IDENTITY_NAME,
        ns_url=DEFAULT_NS_URL,
        ns_name=DEFAULT_NS_NAME,
    ):
        """Store the identity name, start with no events, and install the
        id namespace.

        ``identity_name`` is kept verbatim and ``events`` starts empty. A
        ``Namespace(ns_url, ns_name)`` without schema location is installed
        into the idgen module's shared generator (a process-wide setting), and
        the generator object is kept in ``self.generator`` via the private
        ``idgen._get_generator`` hook.
        """
        self.identity_name = identity_name
        self.events = []

        namespace = Namespace(ns_url, ns_name, schema_location=None)
        idgen.set_id_namespace(namespace)
        self.generator = idgen._get_generator()
        def _get_stix_package(ioc_xml):
            """Convert a raw OpenIOC document (bytes) into a STIX 1.x package.

            Args:
                ioc_xml: Request body holding the OpenIOC XML.

            Returns:
                A ``STIXPackage_v1`` re-parsed from the XML that ``to_stix``
                produced, so callers get the stix.core type.

            Raises:
                RuntimeError: when ``ioc_xml`` is None or empty.

            Security: ``ioc_xml`` comes from a request body, i.e. untrusted
            input. Whether the OpenIOC parser inside ``to_stix`` disables DTD /
            external-entity processing is not visible here -- verify before
            exposing this endpoint (XXE, entity-expansion DoS).
            Also note ``set_id_namespace`` mutates the idgen module's shared
            generator on every call.
            """
            if ioc_xml is None or len(ioc_xml) == 0:
                raise RuntimeError('request body is empty.')

            openioc_ns = namespaces.Namespace("http://openioc.org/openioc", "openioc", "")
            idgen.set_id_namespace(openioc_ns)

            converted = to_stix(BytesIO(ioc_xml))
            # Round-trip through XML to obtain a stix.core STIXPackage_v1.
            return STIXPackage_v1.from_xml(etree.fromstring(converted.to_xml()))
    def __init__(self, id=None, timestamp=None, schema_version="2.1", malware_subjects=None, grouping_relationships=None, namespace=None):
        """Build a MAEC Package and attach its subjects and grouping relationships.

        Args:
            id, schema_version, timestamp: Forwarded to the parent constructor.
            malware_subjects: Iterable; only ``MaecMalwareSubject`` instances
                are added (via ``add_malware_subject``), others are dropped.
            grouping_relationships: Iterable; only ``GroupingRelationship``
                instances are added, others are dropped.
            namespace: When given, the shared id generator is switched to
                UUIDs in this namespace before the parent constructor runs.
                This is module-level state shared by all later id generation.
        """
        if namespace is not None:
            set_id_method(IDGenerator.METHOD_UUID)
            set_id_namespace(namespace)
        super(MaecPackage, self).__init__(id=id, schema_version=schema_version, timestamp=timestamp)

        subjects = malware_subjects if malware_subjects is not None else ()
        for subject in subjects:
            if isinstance(subject, MaecMalwareSubject):
                self.add_malware_subject(malware_subject=subject)

        groupings = grouping_relationships if grouping_relationships is not None else ()
        for grouping in groupings:
            if isinstance(grouping, GroupingRelationship):
                self.add_grouping_relationship(grouping_relationship=grouping)
def main():
    """Command-line entry point: translate one OpenIOC file to a STIX package.

    Parses arguments with ``get_arg_parser`` (``infile``, ``outfile``,
    ``verbose``), initialises logging, installs the OpenIOC namespace into the
    shared id generator so generated ids are prefixed ``openioc``, translates
    ``args.infile`` and writes the result to ``args.outfile``.
    """
    args = get_arg_parser().parse_args()
    init_logging(args.verbose)

    # Ids minted by translate.to_stix() will carry the "openioc" prefix.
    idgen.set_id_namespace(
        namespaces.Namespace("http://openioc.org/openioc", "openioc", ""))

    package = translate.to_stix(args.infile)
    write_package(package, outfn=args.outfile)
def main():
    """Translate the OpenIOC file named on the command line into STIX.

    Steps, in order: parse CLI arguments (``infile``, ``outfile``,
    ``verbose``), set up logging, point the shared id generator at the
    OpenIOC namespace (prefix ``openioc``), convert ``args.infile`` with
    ``translate.to_stix`` and hand the package to ``write_package``.
    """
    parser = get_arg_parser()
    options = parser.parse_args()
    init_logging(options.verbose)

    openioc_ns = namespaces.Namespace("http://openioc.org/openioc", "openioc", "")
    idgen.set_id_namespace(openioc_ns)

    write_package(translate.to_stix(options.infile), outfn=options.outfile)
 def __init__(self, id=None, idref=None, namespace=None, type=None, observation_method=None, frequency=None, event=None, description=None):
     """Build a CybOX Event wrapper, minting an id unless one or an idref is given.

     Args:
         id: Explicit id. NOTE(review): only used to *suppress* generation --
             it is never stored on the instance, unlike ``idref``. Looks like
             an oversight; confirm against the parent class.
         idref: Reference to an existing event; stored as-is.
         namespace: Id namespace applied (process-wide) before minting.
         type, observation_method, frequency, description: Stored as-is.
         event: Nested event; kept in ``self.event`` only if it is a
             ``CyboxEvent``, otherwise the list stays empty.
     """
     super(CyboxEvent, self).__init__()
     set_id_method(IDGenerator.METHOD_UUID)
     needs_generated_id = id is None and idref is None
     if needs_generated_id:
         if namespace is not None:
             set_id_namespace(namespace)
         self.id_ = create_id(prefix='event')
     self.actions = Actions()
     self.type_ = type
     self.observation_method = observation_method
     self.idref = idref
     self.frequency = frequency
     self.event = [event] if isinstance(event, CyboxEvent) else []
     self.description = description
     self._namespace = namespace
 def __init__(self, config, dom):
     """Read per-protocol ports from the Conpot template and set the id namespace.

     Args:
         config: Accepted but not used here (kept for signature compatibility).
         dom: Parsed Conpot template; queried with XPath
             ``//conpot_template/protocols/<name>/@port``.

     Defaults (modbus 502, snmp 161, http 80, s7comm 102) are kept for any
     protocol whose port attribute is absent. Present values are parsed with
     ``ast.literal_eval`` -- literals only, no code execution -- and a
     non-literal value raises (ValueError/SyntaxError), as before.
     Finally the shared id generator is pointed at the Conpot namespace.
     """
     self.protocol_to_port_mapping = dict(
         modbus=502,
         snmp=161,
         http=80,
         s7comm=102,
     )
     # Snapshot the key list: the loop writes back into the same dict.
     for protocol_name in list(self.protocol_to_port_mapping):
         port_path = '//conpot_template/protocols/' + protocol_name + '/@port'
         try:
             port_attr = dom.xpath(port_path)[0]
         except IndexError:
             continue  # no such protocol / no port attribute: keep default
         self.protocol_to_port_mapping[protocol_name] = ast.literal_eval(port_attr)
     idgen.set_id_namespace(Namespace(CONPOT_NAMESPACE_URL, CONPOT_NAMESPACE, ''))
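def main(args):
    """Print the opening fragment of a STIX package for a MISP export.

    Reads ``sys.argv`` directly (the ``args`` parameter is ignored, as
    before): ``argv[1]`` namespace base URL, ``argv[2]`` organisation name,
    ``argv[3]`` output format (``'json'`` or XML otherwise). Registers the
    organisation namespace in the module-level ``NS_DICT`` and in the shared
    id generator, then prints a deliberately unterminated package (closing
    ``}`` / ``</stix:STIX_Package>`` removed) for the caller to extend.

    Exits via ``sys.exit`` with fewer than three positional arguments.
    ``baseURL`` is emitted verbatim as an xmlns URI and is not validated.
    """
    if len(sys.argv) < 4:
        sys.exit("Invalid parameters")

    baseURL = sys.argv[1]
    orgname = sys.argv[2]

    # The org name doubles as an XML namespace prefix: spaces become '_',
    # every other non-word character is dropped. Raw string so '\W' reaches
    # the regex engine unchanged.
    ns_prefix = re.sub(r'[\W]+', '', orgname.replace(" ", "_"))
    NS_DICT[baseURL] = ns_prefix

    # Bug fix: the id generator used to receive the *unsanitised* orgname while
    # NS_DICT (the xmlns declarations) got the sanitised prefix, so generated
    # ids could carry a prefix never declared in the document. Both now use
    # the same value, as the sibling export script already does.
    try:
        stix.utils.idgen.set_id_namespace({baseURL: ns_prefix})
    except ValueError:
        # Some weird stix error that sometimes occurs if the stars
        # align and Mixbox is being mean to us
        try:
            idgen.set_id_namespace(Namespace(baseURL, ns_prefix))
        except TypeError:
            # Only seen under py3 with an unusual stix version; the third
            # argument is a schema-location placeholder.
            idgen.set_id_namespace(Namespace(baseURL, ns_prefix, "MISP"))

    stix_package = STIXPackage()
    stix_header = STIXHeader()

    stix_header.title = "Export from {} MISP".format(orgname)
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header

    if sys.argv[3] == 'json':
        # Strip the final '}' and open a related_packages array for the caller.
        stix_string = stix_package.to_json()[:-1]
        stix_string += ', "related_packages": ['
    else:
        stix_string = stix_package.to_xml(auto_namespace=False,
                                          ns_dict=NS_DICT,
                                          schemaloc_dict=SCHEMALOC_DICT)
        stix_string = stix_string.replace("</stix:STIX_Package>\n", "")

    print(stix_string)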
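def ioc2stix():
    """Convert the bundled ``data/stuxnet.ioc.xml`` OpenIOC sample to STIX.

    Locates the sample relative to this module, points the shared id
    generator at the OpenIOC namespace (ids prefixed ``openioc``), converts
    with ``to_stix`` and writes the XML to ``./stuxnet.xml`` in the current
    working directory.

    Errors are printed as a traceback instead of being raised. The original
    used a bare ``except:``, which also swallowed ``KeyboardInterrupt`` and
    ``SystemExit``; ``Exception`` keeps the report-and-continue behaviour
    without masking interpreter shutdown.
    """
    try:
        here = os.path.dirname(os.path.abspath(__file__))
        data_dir = os.path.abspath(os.path.join(here, '..', 'data'))

        in_xml = read2str(os.path.join(data_dir, 'stuxnet.ioc.xml'))

        # Set the namespace to be used in the STIX Package
        ns = namespaces.Namespace("http://openioc.org/openioc", "openioc", "")
        idgen.set_id_namespace(ns)

        stix_package = to_stix(BytesIO(in_xml))

        out_fname = './stuxnet.xml'
        write2file(out_fname, stix_package.to_xml())

    except Exception:
        print traceback.format_exc().decode('utf-8')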
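def main(args):
    """Print the opening fragment of a STIX package for a MISP export.

    Reads ``sys.argv`` directly (``args`` is ignored, as before): ``argv[1]``
    namespace base URL, ``argv[2]`` organisation name, ``argv[3]`` output
    format (``'json'`` or XML otherwise). The sanitised organisation name is
    registered in the module-level ``NS_DICT`` and as the id generator's
    namespace alias, then a deliberately unterminated package (closing ``}``
    or ``</stix:STIX_Package>`` removed) is printed for the caller to extend.

    Exits via ``sys.exit`` with fewer than three positional arguments. The
    base URL is not validated and is emitted verbatim as an xmlns URI.
    """
    if len(sys.argv) < 4:
        sys.exit("Invalid parameters")
    base_url = sys.argv[1]
    # The org name becomes an XML namespace prefix: spaces -> '_', then drop
    # every other non-word character. Raw string so '\W' reaches the regex
    # engine rather than being treated as a (deprecated) string escape.
    ns_prefix = re.sub(r'[\W]+', '', sys.argv[2].replace(" ", "_"))
    NS_DICT[base_url] = ns_prefix
    # Same uri -> prefix pair for ids and for the xmlns declarations.
    idgen.set_id_namespace({base_url: ns_prefix})

    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Export from " + sys.argv[2] + " MISP"
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header

    if sys.argv[3] == 'json':
        # Strip the final '}' and open a related_packages array for the caller.
        stix_string = stix_package.to_json()[:-1]
        stix_string += ', "related_packages": ['
    else:
        stix_string = stix_package.to_xml(auto_namespace=False,
                                          ns_dict=NS_DICT,
                                          schemaloc_dict=SCHEMALOC_DICT)
        stix_string = stix_string.replace("</stix:STIX_Package>\n", "")
    print(stix_string)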
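def main(args):
    """Convert one MISP event (via ``loadEvent``) into a list of SDOs and save it.

    ``sys.argv[3]`` / ``sys.argv[4]``, when present, override the module-level
    ``namespace`` pair (``[uri, prefix]``); the prefix is reduced to word
    characters because it is used as a namespace alias. The id generator is
    configured with whichever ``set_id_namespace`` signature the installed
    stix/mixbox accepts: dict form first, then ``Namespace`` with two, then
    three arguments.

    The loaded event may be wrapped in a MISP REST ``response`` list; both
    shapes are unwrapped to the inner ``Event`` dict. SDO order is kept as
    before: identity, report, then the attributes.
    """
    pathname = os.path.dirname(sys.argv[0])
    if len(sys.argv) > 3:
        namespace[0] = sys.argv[3]
    if len(sys.argv) > 4:
        # Raw string so '\W' reaches the regex engine unchanged.
        namespace[1] = re.sub(r'[\W]+', '', sys.argv[4].replace(" ", "_"))
    try:
        idgen.set_id_namespace({namespace[0]: namespace[1]})
    except ValueError:
        try:
            idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
        except TypeError:
            idgen.set_id_namespace(
                Namespace(namespace[0], namespace[1], "MISP"))

    event = loadEvent(args, pathname)
    if 'response' in event:
        event = event['response'][0]['Event']
    else:
        event = event['Event']

    object_refs = []
    external_refs = []
    identity = setIdentity(event)
    attributes = readAttributes(event, identity, object_refs, external_refs)
    report = eventReport(event, identity, object_refs, external_refs)
    SDOs = [identity, report]
    SDOs.extend(attributes)
    stix_package = generateEventPackage(event, SDOs)
    saveFile(args, pathname, stix_package)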
 def __init__(self, id=None, idref=None, namespace=None, name=None, action_status=None, context=None, description=None, discovery_method=None, frequency=None, action_aliases=None,
              action_arguments=None, ordinal_position=None, timestamp=None, type=None, associated_objects=None, relationships=None
              ):
     """Build a CybOX Action wrapper, minting an id unless one or an idref is given.

     Args:
         id: Explicit id. NOTE(review): only used to *suppress* generation --
             it is not stored on the instance (``idref`` is not stored either
             here). Confirm against the parent class whether that is intended.
         idref: Reference to an existing action; used only for the id check.
         namespace: Id namespace applied (process-wide) before minting.
         name, action_status, context, description, discovery_method,
         frequency, action_aliases, action_arguments, ordinal_position,
         timestamp, type, associated_objects, relationships: Stored as-is
         (``type`` lands in ``self.type_``).
     """
     super(CyboxAction, self).__init__()
     set_id_method(IDGenerator.METHOD_UUID)
     needs_generated_id = id is None and idref is None
     if needs_generated_id:
         if namespace is not None:
             set_id_namespace(namespace)
         self.id_ = create_id(prefix='action')

     # Plain attribute copies, grouped by topic rather than argument order.
     self.name = name
     self.type_ = type
     self.description = description
     self.context = context

     self.action_status = action_status
     self.discovery_method = discovery_method
     self.timestamp = timestamp
     self.ordinal_position = ordinal_position
     self.frequency = frequency

     self.action_aliases = action_aliases
     self.action_arguments = action_arguments
     self.associated_objects = associated_objects
     self.relationships = relationships
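def main(args):
    """Convert a MISP event to a STIX package, save it and report success as JSON.

    ``sys.argv[3]`` / ``sys.argv[4]``, when present, override the module-level
    ``namespace`` pair (``[uri, prefix]``); the prefix is reduced to word
    characters because it is used as a namespace alias. The id generator is
    configured with whichever ``set_id_namespace`` signature the installed
    stix/mixbox accepts (dict form, then ``Namespace`` with two, then three
    arguments). The event is loaded with ``loadEvent``, packaged with
    ``generateEventPackage``, written with ``saveFile``, and
    ``{"success": 1, "message": ""}`` is printed for the calling process.
    """
    pathname = os.path.dirname(sys.argv[0])
    if len(sys.argv) > 3:
        namespace[0] = sys.argv[3]
    if len(sys.argv) > 4:
        # Raw string so '\W' reaches the regex engine unchanged.
        namespace[1] = re.sub(r'[\W]+', '', sys.argv[4].replace(" ", "_"))
    try:
        idgen.set_id_namespace({namespace[0]: namespace[1]})
    except ValueError:
        try:
            idgen.set_id_namespace(Namespace(namespace[0], namespace[1]))
        except TypeError:
            idgen.set_id_namespace(
                Namespace(namespace[0], namespace[1], "MISP"))

    event = loadEvent(args, pathname)
    stix_package = generateEventPackage(event)
    saveFile(args, pathname, stix_package)
    print(json.dumps({'success': 1, 'message': ''}))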
 def setUp(self):
     """Point the shared id generator at the Mandiant OpenIOC namespace.

     Ids generated during the test will be prefixed ``mandiant-openioc``.
     This is process-global state; pair it with a tearDown that restores the
     default (e.g. ``idgen.EXAMPLE_NAMESPACE``).
     """
     idgen.set_id_namespace(
         Namespace("http://schemas.mandiant.com/2010/ioc", "mandiant-openioc", ''))
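def main():
    """Build a STIX 1.x package of watchlist indicators from ``CS-ioc.txt``.

    Every entry returned by ``loaddata`` is classified by shape, first match
    wins: SHA-256, MD5, SHA-1 (hex of length 64/32/40), then domain, URL and
    IPv4 via ``validators``. Entries matching nothing are ignored silently.
    Matches are grouped into one Indicator per type, wrapped in a TLP:WHITE
    marked package and written to ``package.stix`` in the working directory.
    No branch classifies e-mail addresses, so ``indiEMAIL`` is always written
    empty.

    The title / description / identity block below is meant to be edited per
    campaign (the original Italian comments said "modify these variables").
    """
    ######################################################################
    # EDIT THE FOLLOWING VARIABLES PER CAMPAIGN

    # The title is the unique id of the threat (e.g. Cobalt / Danabot / APT28)
    MyTITLE = "GandCrab"

    # Structure the description as
    # <IOC PRODUCER> - <threat/campaign description> - <URL (if any)>
    DESCRIPTION = "CERT-PA - Nuova campagna di Cyber-Estorsione basata su ransomware GandCrab - https://www.cert-pa.it/notizie/nuova-campagna-di-cyber-estorsione-basata-su-ransomware-gandcrab/"

    # The source that produced the IoC, credited via the Cyber Saiyan Community
    IDENTITY = "CERT-PA via Cyber Saiyan Community"
    #
    ######################################################################

    # Build STIX file
    info_src = InformationSource()
    info_src.identity = Identity(name=IDENTITY)

    # Generated ids carry the CYBERSAIYAN prefix (process-wide setting).
    NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
    set_id_namespace(NAMESPACE)

    # Local time, same format the original fromtimestamp(time.time()) produced.
    timestamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    SHORT = timestamp

    wrapper = STIXPackage()

    # TLP:WHITE marking on every node and attribute of the document.
    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    wrapper.stix_header = STIXHeader(information_source=info_src, title=MyTITLE.encode(encoding='UTF-8', errors='replace'), description=DESCRIPTION.encode(encoding='UTF-8', errors='replace'), short_description=SHORT.encode(encoding='UTF-8', errors='replace'))
    wrapper.stix_header.handling = handling

    # HASH indicators
    indicatorHASH = Indicator()
    indicatorHASH.title = MyTITLE + " - HASH"
    indicatorHASH.add_indicator_type("File Hash Watchlist")

    # DOMAIN indicators
    indiDOMAIN = Indicator()
    indiDOMAIN.title = MyTITLE + " - DOMAIN"
    indiDOMAIN.add_indicator_type("Domain Watchlist")

    # URL indicators
    indiURL = Indicator()
    indiURL.title = MyTITLE + " - URL"
    indiURL.add_indicator_type("URL Watchlist")

    # IP indicators
    indiIP = Indicator()
    indiIP.title = MyTITLE + " - IP"
    indiIP.add_indicator_type("IP Watchlist")

    # EMAIL indicators (never populated by the loop below, kept for the package layout)
    indiEMAIL = Indicator()
    indiEMAIL.title = MyTITLE + " - EMAIL"
    indiEMAIL.add_indicator_type("Malicious E-mail")

    # Hash shapes, compiled once instead of on every loop iteration.
    sha256_re = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
    md5_re = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
    sha1_re = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

    def hash_observable(value):
        """Wrap a hex digest in a File object with one Hash."""
        hashed_file = File()
        hashed_file.add_hash(Hash(value))
        return Observable(hashed_file)

    def uri_observable(value, uri_type):
        """Wrap a domain or URL in a URI object with an Equals condition."""
        uri = URI()
        uri.value = value
        uri.type_ = uri_type
        uri.condition = "Equals"
        return Observable(uri)

    # Read IoC file
    file_ioc = "CS-ioc.txt"
    # Distinct name: the original re-used ``ioc`` for both the list and the
    # loop variable, which made the loop read as if it iterated itself.
    ioc_entries = loaddata(file_ioc)

    print "Reading IoC file..."
    for entry in ioc_entries:
        # if/elif keeps the original "first match wins" flag semantics.
        if sha256_re.match(entry):
            indicatorHASH.add_observable(hash_observable(entry))
            print "SHA256: " + entry
        elif md5_re.match(entry):
            indicatorHASH.add_observable(hash_observable(entry))
            print "MD5: " + entry
        elif sha1_re.match(entry):
            indicatorHASH.add_observable(hash_observable(entry))
            print "SHA1: " + entry
        elif validators.domain(entry):
            indiDOMAIN.add_observable(uri_observable(entry, URI.TYPE_DOMAIN))
            print "DOMAIN: " + entry
        elif validators.url(entry):
            indiURL.add_observable(uri_observable(entry, URI.TYPE_URL))
            print "URL: " + entry
        elif validators.ipv4(entry):
            # Unlike the URI branches no condition is set on addresses (as before).
            ip = Address()
            ip.address_value = entry
            indiIP.add_observable(Observable(ip))
            print "IP: " + entry

    # add all indicators to STIX
    wrapper.add_indicator(indicatorHASH)
    wrapper.add_indicator(indiDOMAIN)
    wrapper.add_indicator(indiURL)
    wrapper.add_indicator(indiIP)
    wrapper.add_indicator(indiEMAIL)

    # write STIX file; ``with`` closes the handle even if to_xml() raises
    print "Writing STIX package: package.stix"
    with open("package.stix", "w") as f:
        f.write(wrapper.to_xml())
    print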
 def setUp(self):
     """Install the Mandiant OpenIOC namespace into the shared id generator.

     Generated ids will use the ``mandiant-openioc`` prefix for the duration
     of the test; this is process-global, so restore it in tearDown.
     """
     ns_url = "http://schemas.mandiant.com/2010/ioc"
     ns_prefix = "mandiant-openioc"
     idgen.set_id_namespace(Namespace(ns_url, ns_prefix, ""))
def set_default_namespace(prefix, ns_uri, schemaLocation=None):
    """Method to override the mixbox and slider 'example' namespace.

    Args:
        prefix: Namespace alias that generated ids will be prefixed with.
        ns_uri: Namespace URI.
        schemaLocation: Optional schema location forwarded to ``Namespace``.

    Note the argument order differs from ``Namespace(ns_uri, prefix, ...)``.
    The change is process-global: it affects every id minted afterwards.
    """
    idgen.set_id_namespace(namespaces.Namespace(ns_uri, prefix, schemaLocation))
 def tearDown(self):
     """Restore the library's default 'example' namespace so the prefix set
     up for this test does not leak into later test cases."""
     default_ns = idgen.EXAMPLE_NAMESPACE
     idgen.set_id_namespace(default_ns)
 def __init__(self, item=None, id=None, idref=None, description=None, namespace=None):
     """Build a CybOX Observable wrapper.

     Switches the shared id generator to UUIDs (and to ``namespace`` when
     given) *before* delegating to the parent, so any id the parent mints
     uses those settings. ``id`` is forwarded as ``id_``; ``title`` is always
     None. Process-wide side effect on the idgen module.
     """
     set_id_method(IDGenerator.METHOD_UUID)
     if namespace is not None:
         set_id_namespace(namespace)
     parent_kwargs = dict(item=item, id_=id, idref=idref, title=None, description=description)
     super(CyboxObservable, self).__init__(**parent_kwargs)
 def tearDown(self):
     """Reset the shared id generator to idgen's built-in example namespace
     after each test (undoes whatever setUp installed)."""
     idgen.set_id_namespace(
         idgen.EXAMPLE_NAMESPACE)
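def main():
    """Build and print a STIX 1.x package for the hard-coded APT28 IoC set.

    The lists at the top (hashes, domains, URLs, IPs, e-mails) are the data
    to edit per campaign (the original Italian comment said "modify the
    following variables"). Each list becomes observables on one Indicator per
    type -- hashes share a single "File Hash Watchlist" indicator -- under a
    TLP:WHITE marked header with ids in the CYBERSAIYAN namespace. The XML is
    printed to stdout. Values are not validated here.
    """
    ######################################################################
    # EDIT THE FOLLOWING VARIABLES PER CAMPAIGN

    MyTITLE = "APT28 / Fancy Bear"
    DESCRIPTION = "Emanuele De Lucia - APT28 / Fancy Bear still targeting military institutions - https://www.emanueledelucia.net/apt28-targeting-military-institutions/"

    # Distinct names for the lists: the original loops re-bound ``sha256``,
    # ``md5``, ... to each element while iterating the list of the same name.
    sha256_list = []
    md5_list = [
        '43D7FFD611932CF51D7150B176ECFC29', '549726B8BFB1919A343AC764D48FDC81'
    ]
    sha1_list = []
    domain_list = ['beatguitar.com']
    url_list = [
        'https://beatguitar.com/aadv/gJNn/X2/ep/VQOA/3.SMPTE292M/?ct=+lMQKtXi0kf+3MVk38U=',
        'https://beatguitar.com/n2qqSy/HPSe0/SY/yAsFy8/mSaYZP/lw.sip/?n=VxL0BnijNmtTnSFIcoQ='
    ]
    ip_list = ['185.99.133.72']
    email_list = []

    ######################################################################

    # Build STIX file; generated ids carry the CYBERSAIYAN prefix (process-wide).
    NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
    set_id_namespace(NAMESPACE)

    # Local time, same format the original fromtimestamp(time.time()) produced.
    timestamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    SHORT = timestamp

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="CyberSaiyan Community")

    # TLP:WHITE marking on every node and attribute of the document.
    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    wrapper.stix_header = STIXHeader(information_source=info_src,
                                     title=MyTITLE,
                                     description=DESCRIPTION,
                                     short_description=SHORT)
    wrapper.stix_header.handling = handling

    def add_all(indicator, values, build):
        """Append one Observable per value, built by ``build``, to ``indicator``."""
        for value in values:
            indicator.add_observable(Observable(build(value)))

    def hash_file(digest):
        hashed = File()
        hashed.add_hash(Hash(digest))
        return hashed

    def uri(value, uri_type):
        entry = URI()
        entry.value = value
        entry.type_ = uri_type
        entry.condition = "Equals"
        return entry

    def address(value):
        # No condition is set on addresses (unchanged from the original).
        entry = Address()
        entry.address_value = value
        return entry

    def email_address(value):
        entry = EmailAddress()
        entry.address_value = value
        return entry

    # HASH indicators (all three digest types share one indicator)
    indicatorHASH = Indicator()
    indicatorHASH.title = MyTITLE + " - HASH"
    indicatorHASH.add_indicator_type("File Hash Watchlist")
    add_all(indicatorHASH, sha256_list, hash_file)
    add_all(indicatorHASH, md5_list, hash_file)
    add_all(indicatorHASH, sha1_list, hash_file)

    # DOMAIN indicators
    indiDOMAIN = Indicator()
    indiDOMAIN.title = MyTITLE + " - DOMAIN"
    indiDOMAIN.add_indicator_type("Domain Watchlist")
    add_all(indiDOMAIN, domain_list, lambda d: uri(d, URI.TYPE_DOMAIN))

    # URL indicators
    indiURL = Indicator()
    indiURL.title = MyTITLE + " - URL"
    indiURL.add_indicator_type("URL Watchlist")
    add_all(indiURL, url_list, lambda u: uri(u, URI.TYPE_URL))

    # IP indicators
    indiIP = Indicator()
    indiIP.title = MyTITLE + " - IP"
    indiIP.add_indicator_type("IP Watchlist")
    add_all(indiIP, ip_list, address)

    # EMAIL indicators
    indiEMAIL = Indicator()
    indiEMAIL.title = MyTITLE + " - EMAIL"
    indiEMAIL.add_indicator_type("Malicious E-mail")
    add_all(indiEMAIL, email_list, email_address)

    # add all indicators
    wrapper.add_indicator(indicatorHASH)
    wrapper.add_indicator(indiDOMAIN)
    wrapper.add_indicator(indiURL)
    wrapper.add_indicator(indiIP)
    wrapper.add_indicator(indiEMAIL)

    print(wrapper.to_xml())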
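def main():
    """Build a STIX 1.x package from the per-type ``CS-*.txt`` IoC files.

    Each file (sha256, md5, sha1, domain, url, ipv4, email) is read with
    ``loaddata``; entries are validated -- hex length for digests,
    ``validators`` for the rest -- and valid ones become observables on one
    Indicator per type (all digests share the "File Hash Watchlist"
    indicator). Malformed entries are reported on stdout and skipped. The
    result is a TLP:WHITE marked package written to ``package.stix`` in the
    working directory; progress is printed as before.

    The title / description / identity block below is meant to be edited per
    campaign (the original Italian comments said "modify these variables").
    """
    ######################################################################
    # EDIT THE FOLLOWING VARIABLES PER CAMPAIGN

    # The title is the unique id of the threat (e.g. Cobalt / Danabot / APT28)
    MyTITLE = "Gootkit"

    # Structure the description as
    # <IOC PRODUCER> - <threat/campaign description> - <URL (if any)>
    DESCRIPTION = "D3Lab - Malspam Gootkit con dropper da 450+ MB - https://www.d3lab.net/malspam-gootkit-con-dropper-da-450-mb/"

    # The source that produced the IoC, credited via the Cyber Saiyan Community
    IDENTITY = "D3Lab via Cyber Saiyan Community"
    #
    ######################################################################

    # read IoC files (distinct names: the original re-bound ``sha256`` etc. to
    # each element while iterating the list of the same name)
    sha256_list = loaddata("CS-sha256.txt")
    md5_list = loaddata("CS-md5.txt")
    sha1_list = loaddata("CS-sha1.txt")
    domain_list = loaddata("CS-domain.txt")
    url_list = loaddata("CS-url.txt")
    ip_list = loaddata("CS-ipv4.txt")
    email_list = loaddata("CS-email.txt")

    # Build STIX file
    info_src = InformationSource()
    info_src.identity = Identity(name=IDENTITY)

    # Generated ids carry the CYBERSAIYAN prefix (process-wide setting).
    NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
    set_id_namespace(NAMESPACE)

    # Local time, same format the original fromtimestamp(time.time()) produced.
    timestamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    SHORT = timestamp

    wrapper = STIXPackage()

    # TLP:WHITE marking on every node and attribute of the document.
    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    wrapper.stix_header = STIXHeader(
        information_source=info_src,
        title=MyTITLE.encode(encoding='UTF-8', errors='replace'),
        description=DESCRIPTION.encode(encoding='UTF-8', errors='replace'),
        short_description=SHORT.encode(encoding='UTF-8', errors='replace'))
    wrapper.stix_header.handling = handling

    # ---- indicators (created up front; no output happens here) ----
    indicatorHASH = Indicator()
    indicatorHASH.title = MyTITLE + " - HASH"
    indicatorHASH.add_indicator_type("File Hash Watchlist")

    indiDOMAIN = Indicator()
    indiDOMAIN.title = MyTITLE + " - DOMAIN"
    indiDOMAIN.add_indicator_type("Domain Watchlist")

    indiURL = Indicator()
    indiURL.title = MyTITLE + " - URL"
    indiURL.add_indicator_type("URL Watchlist")

    indiIP = Indicator()
    indiIP.title = MyTITLE + " - IP"
    indiIP.add_indicator_type("IP Watchlist")

    indiEMAIL = Indicator()
    indiEMAIL.title = MyTITLE + " - EMAIL"
    indiEMAIL.add_indicator_type("Malicious E-mail")

    # ---- helpers ----
    def add_validated(indicator, values, is_valid, build, read_label, bad_label):
        """Validate each value; valid ones become Observables on ``indicator``,
        malformed ones are reported. Messages are identical to the original."""
        print "Reading IoC " + read_label + " file..."
        for value in values:
            if is_valid(value):
                indicator.add_observable(Observable(build(value)))
            else:
                print " Malformed " + bad_label + ": " + value
        print

    def hash_file(digest):
        hashed = File()
        hashed.add_hash(Hash(digest))
        return hashed

    def uri(value, uri_type):
        entry = URI()
        entry.value = value
        entry.type_ = uri_type
        entry.condition = "Equals"
        return entry

    def address(value):
        # No condition is set on addresses (unchanged from the original).
        entry = Address()
        entry.address_value = value
        return entry

    def email_address(value):
        entry = EmailAddress()
        entry.address_value = value
        return entry

    sha256_re = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
    md5_re = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
    sha1_re = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

    # ---- populate, in the original order so stdout is unchanged ----
    add_validated(indicatorHASH, sha256_list, sha256_re.match, hash_file, "sha256", "sha256")
    add_validated(indicatorHASH, md5_list, md5_re.match, hash_file, "md5", "md5")
    add_validated(indicatorHASH, sha1_list, sha1_re.match, hash_file, "sha1", "sha1")
    add_validated(indiDOMAIN, domain_list, validators.domain,
                  lambda d: uri(d, URI.TYPE_DOMAIN), "domains", "domain")
    add_validated(indiURL, url_list, validators.url,
                  lambda u: uri(u, URI.TYPE_URL), "url", "url")
    add_validated(indiIP, ip_list, validators.ipv4, address, "IP", "IP")
    add_validated(indiEMAIL, email_list, validators.email, email_address, "email", "email")

    # add all indicators
    wrapper.add_indicator(indicatorHASH)
    wrapper.add_indicator(indiDOMAIN)
    wrapper.add_indicator(indiURL)
    wrapper.add_indicator(indiIP)
    wrapper.add_indicator(indiEMAIL)

    # write STIX file; ``with`` closes the handle even if to_xml() raises
    print "Writing STIX package: package.stix"
    with open("package.stix", "w") as f:
        f.write(wrapper.to_xml())
    print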
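def stix_framing(*args):
    """Return the STIX 1.1.1 framing (header only, no content) for a MISP export.

    ``args`` must be exactly ``(baseurl, orgname, return_type)``:

    * ``baseurl`` -- namespace URI of the exporting organisation; an empty
      value falls back to ``https://www.misp-project.org``.
    * ``orgname`` -- organisation name.  Used verbatim in the package title
      and, with spaces turned into ``_`` and every non-word character
      stripped, as the XML namespace prefix bound to ``baseurl``.
    * ``return_type`` -- ``'json'`` delegates to ``stix_json_framing``;
      anything else to ``stix_xml_framing`` together with the namespace and
      schemaLocation maps below.  Both helpers live elsewhere in this module.

    Side effect: the mixbox id namespace is process-global and is switched to
    ``(baseurl, orgname)`` for every id generated afterwards.
    """
    import datetime
    import re
    from stix.core import STIXPackage, STIXHeader
    from cybox.utils import Namespace
    # As python3 is forced anyway, mixbox is used and we don't need to try to import idgen from stix.utils
    from mixbox import idgen

    # Namespace URI -> prefix used in the XML framing.
    NS_DICT = {
        "http://cybox.mitre.org/common-2": 'cyboxCommon',
        "http://cybox.mitre.org/cybox-2": 'cybox',
        "http://cybox.mitre.org/default_vocabularies-2": 'cyboxVocabs',
        "http://cybox.mitre.org/objects#AccountObject-2": 'AccountObj',
        "http://cybox.mitre.org/objects#ASObject-1": 'ASObj',
        "http://cybox.mitre.org/objects#AddressObject-2": 'AddressObj',
        "http://cybox.mitre.org/objects#PortObject-2": 'PortObj',
        "http://cybox.mitre.org/objects#DomainNameObject-1": 'DomainNameObj',
        "http://cybox.mitre.org/objects#EmailMessageObject-2":
        'EmailMessageObj',
        "http://cybox.mitre.org/objects#FileObject-2": 'FileObj',
        "http://cybox.mitre.org/objects#HTTPSessionObject-2": 'HTTPSessionObj',
        "http://cybox.mitre.org/objects#HostnameObject-1": 'HostnameObj',
        "http://cybox.mitre.org/objects#MutexObject-2": 'MutexObj',
        "http://cybox.mitre.org/objects#PipeObject-2": 'PipeObj',
        "http://cybox.mitre.org/objects#URIObject-2": 'URIObj',
        "http://cybox.mitre.org/objects#WinRegistryKeyObject-2":
        'WinRegistryKeyObj',
        'http://cybox.mitre.org/objects#WinServiceObject-2': 'WinServiceObj',
        "http://cybox.mitre.org/objects#NetworkConnectionObject-2":
        'NetworkConnectionObj',
        "http://cybox.mitre.org/objects#NetworkSocketObject-2":
        'NetworkSocketObj',
        "http://cybox.mitre.org/objects#SocketAddressObject-1":
        'SocketAddressObj',
        "http://cybox.mitre.org/objects#SystemObject-2": 'SystemObj',
        "http://cybox.mitre.org/objects#ProcessObject-2": 'ProcessObj',
        "http://cybox.mitre.org/objects#X509CertificateObject-2":
        'X509CertificateObj',
        "http://cybox.mitre.org/objects#WhoisObject-2": 'WhoisObj',
        "http://cybox.mitre.org/objects#WinExecutableFileObject-2":
        'WinExecutableFileObj',
        "http://data-marking.mitre.org/Marking-1": 'marking',
        "http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1":
        'tlpMarking',
        "http://stix.mitre.org/ExploitTarget-1": 'et',
        "http://stix.mitre.org/Incident-1": 'incident',
        "http://stix.mitre.org/Indicator-2": 'indicator',
        "http://stix.mitre.org/TTP-1": 'ttp',
        "http://stix.mitre.org/ThreatActor-1": 'ta',
        "http://stix.mitre.org/common-1": 'stixCommon',
        "http://stix.mitre.org/default_vocabularies-1": 'stixVocabs',
        "http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1":
        'ciqIdentity',
        "http://stix.mitre.org/extensions/TestMechanism#Snort-1": 'snortTM',
        "http://stix.mitre.org/stix-1": 'stix',
        "http://www.w3.org/2001/XMLSchema-instance": 'xsi',
        "urn:oasis:names:tc:ciq:xal:3": 'xal',
        "urn:oasis:names:tc:ciq:xnl:3": 'xnl',
        "urn:oasis:names:tc:ciq:xpil:3": 'xpil',
    }
    # Namespace URI -> schema location, emitted as xsi:schemaLocation pairs.
    # Each value must be a single URL token (the Account entry used to carry a
    # stray leading space).
    SCHEMALOC_DICT = {
        'http://cybox.mitre.org/common-2':
        'http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd',
        'http://cybox.mitre.org/cybox-2':
        'http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd',
        'http://cybox.mitre.org/default_vocabularies-2':
        'http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd',
        'http://cybox.mitre.org/objects#AccountObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Account/2.1/Account_Object.xsd',
        'http://cybox.mitre.org/objects#ASObject-1':
        'http://cybox.mitre.org/XMLSchema/objects/AS/1.0/AS_Object.xsd',
        'http://cybox.mitre.org/objects#AddressObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd',
        'http://cybox.mitre.org/objects#PortObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Port/2.1/Port_Object.xsd',
        'http://cybox.mitre.org/objects#DomainNameObject-1':
        'http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd',
        'http://cybox.mitre.org/objects#EmailMessageObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Email_Message/2.1/Email_Message_Object.xsd',
        'http://cybox.mitre.org/objects#FileObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd',
        'http://cybox.mitre.org/objects#HTTPSessionObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/HTTP_Session/2.1/HTTP_Session_Object.xsd',
        'http://cybox.mitre.org/objects#HostnameObject-1':
        'http://cybox.mitre.org/XMLSchema/objects/Hostname/1.0/Hostname_Object.xsd',
        'http://cybox.mitre.org/objects#MutexObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Mutex/2.1/Mutex_Object.xsd',
        'http://cybox.mitre.org/objects#PipeObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Pipe/2.1/Pipe_Object.xsd',
        'http://cybox.mitre.org/objects#URIObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd',
        'http://cybox.mitre.org/objects#WinServiceObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Win_Service/2.1/Win_Service_Object.xsd',
        'http://cybox.mitre.org/objects#WinRegistryKeyObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Win_Registry_Key/2.1/Win_Registry_Key_Object.xsd',
        'http://cybox.mitre.org/objects#NetworkConnectionObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.0.1/Network_Connection_Object.xsd',
        'http://cybox.mitre.org/objects#NetworkSocketObject-2':
        'https://cybox.mitre.org/XMLSchema/objects/Network_Socket/2.1/Network_Socket_Object.xsd',
        'http://cybox.mitre.org/objects#SystemObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/System/2.1/System_Object.xsd',
        'http://cybox.mitre.org/objects#SocketAddressObject-1':
        'http://cybox.mitre.org/XMLSchema/objects/Socket_Address/1.1/Socket_Address_Object.xsd',
        'http://cybox.mitre.org/objects#ProcessObject-2':
        'https://cybox.mitre.org/XMLSchema/objects/Process/2.1/Process_Object.xsd',
        'http://cybox.mitre.org/objects#X509CertificateObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/X509_Certificate/2.1/X509_Certificate_Object.xsd',
        'http://cybox.mitre.org/objects#WhoisObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Whois/2.1/Whois_Object.xsd',
        'http://cybox.mitre.org/objects#WinExecutableFileObject-2':
        'http://cybox.mitre.org/XMLSchema/objects/Win_Executable_File/2.1/Win_Executable_File_Object.xsd',
        'http://data-marking.mitre.org/Marking-1':
        'http://stix.mitre.org/XMLSchema/data_marking/1.1.1/data_marking.xsd',
        'http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1':
        'http://stix.mitre.org/XMLSchema/extensions/marking/tlp/1.1.1/tlp_marking.xsd',
        'http://stix.mitre.org/ExploitTarget-1':
        'http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd',
        'http://stix.mitre.org/Incident-1':
        'http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd',
        'http://stix.mitre.org/Indicator-2':
        'http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd',
        'http://stix.mitre.org/TTP-1':
        'http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd',
        'http://stix.mitre.org/ThreatActor-1':
        'http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd',
        'http://stix.mitre.org/common-1':
        'http://stix.mitre.org/XMLSchema/common/1.1.1/stix_common.xsd',
        'http://stix.mitre.org/default_vocabularies-1':
        'http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd',
        'http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1':
        'http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd',
        'http://stix.mitre.org/extensions/TestMechanism#Snort-1':
        'http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd',
        'http://stix.mitre.org/stix-1':
        'http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd',
        'urn:oasis:names:tc:ciq:xal:3':
        'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xAL.xsd',
        'urn:oasis:names:tc:ciq:xnl:3':
        'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xNL.xsd',
        'urn:oasis:names:tc:ciq:xpil:3':
        'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xPIL.xsd',
    }

    baseurl, orgname, return_type = args
    if not baseurl:
        baseurl = 'https://www.misp-project.org'
    # Keep the human-readable name for the title before sanitising it into a prefix.
    real_orgname = orgname
    # An XML namespace prefix cannot contain spaces or punctuation.  The pattern
    # is a raw string: '[\W]+' in a normal string is an invalid escape sequence
    # that newer Pythons warn about.
    orgname = re.sub(r'[\W]+', '', orgname.replace(" ", "_"))
    # NOTE(review): not guarded here -- a name that sanitises to '' or to one of
    # the fixed prefixes above (e.g. 'stix') would yield an empty or duplicate
    # prefix declaration in the XML framing.  Confirm with the callers whether
    # orgname is always operator-controlled before relying on that.
    NS_DICT[baseurl] = orgname
    try:
        idgen.set_id_namespace(Namespace(baseurl, orgname))
    except TypeError:
        # Some Namespace versions take a mandatory third (schema-location)
        # argument -- presumably the reason for this fallback.
        idgen.set_id_namespace(Namespace(baseurl, orgname, "MISP"))
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Export from {} MISP".format(real_orgname)
    stix_header.package_intents = "Threat Report"
    stix_package.stix_header = stix_header
    stix_package.version = "1.1.1"
    # NOTE(review): naive local time, serialised without a UTC offset; a
    # consumer may read it as UTC.  Confirm before switching to an aware
    # UTC timestamp.
    stix_package.timestamp = datetime.datetime.now()
    if return_type == 'json':
        return stix_json_framing(stix_package)
    return stix_xml_framing(stix_package, NS_DICT, SCHEMALOC_DICT)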
from stix.exploit_target import Vulnerability
from cybox.objects.mutex_object import Mutex
from cybox.common import Hash
from stix.indicator import Indicator, CompositeIndicatorExpression
from stix.common import InformationSource, Identity
from cybox.common import Time
from lxml import etree as et
from stix.common.vocabs import PackageIntent
from stix.core import STIXPackage
from mixbox.idgen import set_id_namespace
from mixbox.namespaces import Namespace
from IPy import *

# Base URL of the OTX server; presumably where the pulses this module exports
# are fetched from (not used in the visible part of the file).
PULSE_SERVER_BASE = "https://otx.alienvault.com/"
# Namespace (URI, prefix) stamped on every STIX/CybOX id this module generates.
STIXNAMESPACE = Namespace("https://otx.alienvault.com", "alienvault-otx")
# NOTE: the mixbox id namespace is process-global and this runs at import
# time, so merely importing this module changes the id prefix for any other
# STIX producer living in the same process.
set_id_namespace(STIXNAMESPACE)


class StixExport:
    def __init__(self, pulse):
        self.stix_package = STIXPackage()
        self.stix_header = STIXHeader()
        self.pulse = pulse
        self.hash_translation = {
            "FileHash-MD5": Hash.TYPE_MD5,
            "FileHash-SHA1": Hash.TYPE_SHA1,
            "FileHash-SHA256": Hash.TYPE_SHA256
        }
        self.address_translation = {
            "IPv4": Address.CAT_IPV4,
            "IPv6": Address.CAT_IPV6
def init_id_namespace():
    """Point STIX/CybOX id generation at the OpenIOC namespace.

    Ids created afterwards carry the ``openioc`` prefix bound to
    ``http://openioc.org/``; the third (schema-location) field is left
    empty.  The setting is process-global.
    """
    set_id_namespace(Namespace("http://openioc.org/", "openioc", ""))
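def _utf8(value):
    """Return *value* as a UTF-8 byte string.

    ``raw_input`` already returns a byte string on Python 2; calling
    ``.encode('utf8')`` on it performs an implicit ASCII decode first and
    raises UnicodeDecodeError on any non-ASCII byte.  Only real text objects
    are therefore encoded; byte strings pass through unchanged.
    """
    if isinstance(value, bytes):
        return value
    return value.encode('utf8')


def _stix2_literal(value):
    """Escape *value* for use inside a single-quoted STIX 2 pattern literal.

    STIX patterning string literals are delimited by single quotes and use
    backslash escapes.  A quote or backslash inside an IoC -- both are legal
    in URLs and in e-mail local parts -- would otherwise terminate the literal
    and let file content inject arbitrary comparison text into the pattern.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def _indicator(title, indicator_type):
    """Create an empty STIX 1.2 Indicator with *title* and one indicator type."""
    indicator = Indicator()
    indicator.title = title
    indicator.add_indicator_type(indicator_type)
    return indicator


def _file_hash_observable(digest):
    """Wrap a hex *digest* in a CybOX File observable.

    No hash type is set explicitly; that is left to python-cybox.
    """
    file_obj = File()
    file_obj.add_hash(Hash(digest))
    return Observable(file_obj)


def _uri_observable(value, uri_type):
    """Wrap *value* in a CybOX URI observable (domain or URL) matched with Equals."""
    uri = URI()
    uri.value = value
    uri.type_ = uri_type
    uri.condition = "Equals"
    return Observable(uri)


def _stix2_indicator(name, timestamp, description, pattern, marking, campaign):
    """Build one STIX 2 Indicator and its ``indicates`` Relationship to *campaign*.

    Returns the ``(indicator, relationship)`` pair to append to the bundle.
    """
    indicator = stix2.Indicator(
        name=name,
        created=timestamp,
        modified=timestamp,
        description=description,
        labels=["malicious-activity"],
        pattern=pattern,
        object_marking_refs=[marking])
    relationship = stix2.Relationship(indicator, 'indicates', campaign)
    return indicator, relationship


def main(argv):
    """Interactively build STIX 1.2 and STIX 2 packages from a file of IoCs.

    Prompts for title, description, identity and the IoC file, classifies each
    IoC line as SHA256/MD5/SHA1 hash, domain, URL, IPv4 address or e-mail
    address (first match wins, in that order; anything else is skipped),
    groups them into per-type indicators and writes ``package.stix`` (STIX
    1.2 XML) and ``package.stix2`` (STIX 2 bundle) in the current directory.

    ``argv`` is accepted for call compatibility but not read.  ``loaddata``
    (the IoC file reader) is defined elsewhere in this module.
    """
    ######################################################################
    # If not given on the command line the following values are used for TITLE, DESCRIPTION, IDENTITY
    # The title is the unique id of the threat (e.g. Cobalt / Danabot / APT28)
    TITLE = _utf8(raw_input("Insert Title Ioc:"))

    # The description is structured as follows
    # <IOC PRODUCER> - <Description of the threat/campaign> - <URL (if any)>
    DESCRIPTION = _utf8(raw_input("Insert Decription:"))

    # The source that produced the IoC, with reference to the Cyber Saiyan Community
    IDENTITY = _utf8(raw_input("Insert User Identity:"))

    # IoC file
    IOCFILE = raw_input("Add IoC Source File:")

    # Prefix of the STIX 1.2 and STIX 2 output files
    OUTFILEPREFIX = "package"
    ######################################################################

    VERBOSE = 0

    print("\nStix File generation in progress....")

    ########################
    # Common data.  STIX 2 treats timestamps without an offset as UTC, so a
    # local-time string here would be mislabelled by the local offset.
    timestamp = datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')

    ########################
    # Build STIX 1.2 file
    info_src = InformationSource()
    info_src.identity = Identity(name=IDENTITY)

    # Process-global id namespace for every STIX/CybOX id generated below.
    NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
    set_id_namespace(NAMESPACE)

    wrapper = STIXPackage()

    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    # Attach source, title/description and the TLP handling to the package
    # header.  Previously they were built and then dropped, so the exported
    # STIX 1.2 file carried no information source and no marking at all.
    from stix.core import STIXHeader
    wrapper.stix_header = STIXHeader(information_source=info_src,
                                     title=TITLE,
                                     description=DESCRIPTION)
    wrapper.stix_header.handling = handling

    indicatorHASH = _indicator(TITLE + " - HASH", "File Hash Watchlist")
    indiDOMAIN = _indicator(TITLE + " - DOMAIN", "Domain Watchlist")
    indiURL = _indicator(TITLE + " - URL", "URL Watchlist")
    indiIP = _indicator(TITLE + " - IP", "IP Watchlist")
    indiEMAIL = _indicator(TITLE + " - EMAIL", "Malicious E-mail")

    ########################
    # Build STIX 2 file -- one comparison clause per IoC, OR-ed per type below
    pattern_sha256 = []
    pattern_md5 = []
    pattern_sha1 = []
    pattern_domain = []
    pattern_url = []
    pattern_ip = []
    pattern_email = []

    # Marking: TLP definitions have fixed ids in STIX 2, so the library's
    # predefined object is used instead of minting a new one.
    marking_def_white = stix2.TLP_WHITE

    # campaign
    # [TODO] add all the STIX 1.2 fields (e.g. IDENTITY)
    campaign_MAIN = stix2.Campaign(created=timestamp,
                                   modified=timestamp,
                                   name=TITLE,
                                   description=DESCRIPTION,
                                   first_seen=timestamp,
                                   objective="TBD")

    ########################
    # Read IoC file
    # Hash detection is by length only; compiled once outside the loop.
    sha256_re = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
    md5_re = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
    sha1_re = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

    if VERBOSE: print("Reading IoC file " + IOCFILE + "...")
    for ioc in loaddata(IOCFILE):
        if sha256_re.match(ioc):
            indicatorHASH.add_observable(_file_hash_observable(ioc))
            pattern_sha256.append("[file:hashes.'SHA-256' = '" + ioc + "']")
            kind = "SHA256"
        elif md5_re.match(ioc):
            indicatorHASH.add_observable(_file_hash_observable(ioc))
            pattern_md5.append("[file:hashes.'MD5' = '" + ioc + "']")
            kind = "MD5"
        elif sha1_re.match(ioc):
            indicatorHASH.add_observable(_file_hash_observable(ioc))
            pattern_sha1.append("[file:hashes.'SHA1' = '" + ioc + "']")
            kind = "SHA1"
        elif validators.domain(ioc):
            indiDOMAIN.add_observable(_uri_observable(ioc, URI.TYPE_DOMAIN))
            pattern_domain.append("[domain-name:value = '" + _stix2_literal(ioc) + "']")
            kind = "DOMAIN"
        elif validators.url(ioc):
            indiURL.add_observable(_uri_observable(ioc, URI.TYPE_URL))
            # URLs may legally contain quotes: escape before embedding.
            pattern_url.append("[url:value = '" + _stix2_literal(ioc) + "']")
            kind = "URL"
        elif validators.ipv4(ioc):
            # NOTE(review): only IPv4 is recognised; IPv6 IoCs fall through.
            ip = Address()
            ip.address_value = ioc
            indiIP.add_observable(Observable(ip))
            pattern_ip.append("[ipv4-addr:value = '" + ioc + "']")
            kind = "IP"
        elif validators.email(ioc):
            email = EmailAddress()
            email.address_value = ioc
            indiEMAIL.add_observable(Observable(email))
            # The local part of an address may contain quotes: escape them.
            pattern_email.append("[email-message:from_ref.value = '" + _stix2_literal(ioc) + "']")
            kind = "Email"
        else:
            if VERBOSE: print("Unrecognised IoC skipped: " + ioc)
            continue
        if VERBOSE: print(kind + ": " + ioc)

    ########################
    # add all indicators to STIX 1.2
    wrapper.add_indicator(indicatorHASH)
    wrapper.add_indicator(indiDOMAIN)
    wrapper.add_indicator(indiURL)
    wrapper.add_indicator(indiIP)
    wrapper.add_indicator(indiEMAIL)

    ########################
    # prepare for STIX 2: one indicator (+ relationship) per non-empty type
    bundle_objects = [campaign_MAIN, marking_def_white]

    pattern_groups = [
        (" - SHA256", pattern_sha256),
        (" - MD5", pattern_md5),
        (" - SHA1", pattern_sha1),
        (" - DOMAINS", pattern_domain),
        (" - URL", pattern_url),
        (" - IPS", pattern_ip),
        (" - EMAILS", pattern_email),
    ]
    for suffix, clauses in pattern_groups:
        if not clauses:
            continue
        indicator, relationship = _stix2_indicator(
            TITLE + suffix, timestamp, DESCRIPTION, " OR ".join(clauses),
            marking_def_white, campaign_MAIN)
        bundle_objects.append(indicator)
        bundle_objects.append(relationship)

    # create the STIX 2 bundle
    bundle = stix2.Bundle(objects=bundle_objects)

    ########################
    # save to STIX 1.2 file
    print("")
    print("Writing STIX 1.2 package: " + OUTFILEPREFIX + ".stix")
    with open(OUTFILEPREFIX + ".stix", "w") as f:
        f.write(wrapper.to_xml())

    ########################
    # save to STIX 2 file.  Written directly instead of redirecting
    # sys.stdout to the file handle, which was never restored or closed.
    print("Writing STIX 2 package: " + OUTFILEPREFIX + ".stix2")
    with open(OUTFILEPREFIX + ".stix2", "w") as g:
        g.write(str(bundle) + "\n")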
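	def parse(self, argument_log):

		"""
		Parses one Suricata IDS log line into a STIX package.

		:param argument_log: The raw log line.  The first five space-separated
			tokens are dropped before matching (presumably a syslog prefix;
			confirm against the log format).  The field regexes come from
			``self._regex`` and the id namespace from ``self._config``, both
			set elsewhere.
		:return: The STIX package as an XML string, holding one Incident and one
			related IP Observable for the public side of the connection, or
			``False`` when a field regex does not match, when both addresses
			are private, or when both are public (no side can be singled out).

		"""
		argument_log = " ".join(argument_log.split(" ")[5:])
		parsed_suricata_log = {}

		for regex in self._regex:
			# re.match returns None on no match; the former bare ``except``
			# turned that -- and any unrelated error -- into a silent False.
			match = re.match(self._regex[regex], argument_log)
			if match is None:
				print("Failed to parse %s" % (regex))
				return False
			parsed_suricata_log[regex] = match.group(1)

		#TODO: Time Zones -- strptime gives a naive datetime and mktime reads it as local time
		parsed_suricata_log["unix_timestamp"] = time.mktime(datetime.datetime.strptime(parsed_suricata_log["time"], "%m/%d/%Y-%H:%M:%S").timetuple())

		# Find IP's of interest (evaluated once; the addresses are taken from
		# the regex captures, so a malformed capture raises here)
		source_private = IPAddress(parsed_suricata_log["source_ip"]).is_private()
		destination_private = IPAddress(parsed_suricata_log["destination_ip"]).is_private()

		if source_private and destination_private:
			# private to private - nothing to report.  The old code fell
			# through to ``stix_package.to_xml()`` with ``stix_package``
			# unbound here and raised UnboundLocalError.
			return False

		# NameSpace (process-global in mixbox; re-applied on every call)
		set_id_namespace(Namespace(self._config["NAMESPACE"]["url"], self._config["NAMESPACE"]["name"]))

		stix_package = STIXPackage()

		if not source_private and destination_private:
			# public source talking to a private host
			incident = Incident(title="[IDS Alert] "+parsed_suricata_log["text"]+" From "+ parsed_suricata_log["source_ip"])

			addr = Address(address_value=parsed_suricata_log["source_ip"], category=Address.CAT_IPV4)

		elif source_private and not destination_private:
			# private host talking to a public destination
			incident = Incident(title="[IDS Alert] "+parsed_suricata_log["text"]+" To "+ parsed_suricata_log["destination_ip"])

			addr = Address(address_value=parsed_suricata_log["destination_ip"], category=Address.CAT_IPV4)

		else:

			#public to public - i can't tell who the bad guy is
			return False

		observable = Observable(item=addr,
								title="[IP Associated To IDS Alert] "+parsed_suricata_log["text"],
								description="""This ip address was seen to be involved in triggering the IDS alert %s if 
seen from multiple sources, this is a good indicator of a potential threat actor or compromised host""" % (parsed_suricata_log["text"]))
		stix_package.add_observable(observable)

		incident.time = Time()
		incident.time.first_malicious_action = parsed_suricata_log["time"]

		# Link the incident to the observable by reference rather than embedding it twice.
		related_observable = RelatedObservable(Observable(idref=observable.id_))
		incident.related_observables.append(related_observable)

		stix_package.add_incident(incident)

		return stix_package.to_xml()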
def init_id_namespace():
    """Configure the process-global id generator to emit OpenIOC-namespaced ids."""
    openioc_url = "http://openioc.org/"
    openioc_prefix = "openioc"
    # The third field (schema location) is deliberately left empty.
    openioc_namespace = Namespace(openioc_url, openioc_prefix, "")
    set_id_namespace(openioc_namespace)
def main(argv):
    ######################################################################
    # Se non impostati da command line vengono utilizzati i seguenti valori per TITLE, DESCRIPTION, IDENTITY
    # Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28)
    TITLE = "Test"

    # La description strutturiamola come segue
    # <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)>
    DESCRIPTION = "Cyber Saiyan - Test - https://infosharing.cybersaiyan.it"

    # La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community 
    IDENTITY = "Cyber Saiyan Community"

    # File degli IoC
    IOCFILE = "CS-ioc.txt"

    # Prefisso STIX output files STIX 1.2 e STIX 2
    OUTFILEPREFIX = "package"

    # Short Description - UNUSED
    SHORT = "unused"
    ######################################################################

    VERBOSE = 0

    # Parse ARGV[]
    try:
        opts, args = getopt.getopt(argv, "ht:d:i:f:o:v")
    except getopt.GetoptError:
        print(
            "CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]")
        sys.exit(2)

    for opt, arg in opts:
        if opt == "-h":
            print(
                "CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]")
            sys.exit()
        elif opt == "-t":
            TITLE = arg
        elif opt == "-d":
            DESCRIPTION = arg
        elif opt == "-i":
            IDENTITY = arg
        elif opt == "-f":
            IOCFILE = arg
        elif opt == "-o":
            OUTFILEPREFIX = arg
        elif opt == "-v":
            VERBOSE = 1

    print("---------------------")
    print("TITLE: " + TITLE)
    print("DESCRIPTION: " + DESCRIPTION)
    print("IDENTITY: " + IDENTITY)
    print("IOC FILE: " + IOCFILE)
    print("---------------------")

    ########################
    # Commond data
    timestamp = datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S")

    ########################
    # Build STIX 1.2 file
    info_src = InformationSource()
    info_src.identity = Identity(name=IDENTITY)

    NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
    set_id_namespace(NAMESPACE)

    wrapper = STIXPackage()

    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = "white"
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    wrapper.stix_header = STIXHeader(information_source=info_src,
                                     title=TITLE,
                                     description=DESCRIPTION,
                                     short_description=SHORT)
    wrapper.stix_header.handling = handling

    # HASH indicators
    indicatorHASH = Indicator()
    indicatorHASH.title = TITLE + " - HASH"
    indicatorHASH.add_indicator_type("File Hash Watchlist")

    # DOMAIN indicators
    indiDOMAIN = Indicator()
    indiDOMAIN.title = TITLE + " - DOMAIN"
    indiDOMAIN.add_indicator_type("Domain Watchlist")

    # URL indicators
    indiURL = Indicator()
    indiURL.title = TITLE + " - URL"
    indiURL.add_indicator_type("URL Watchlist")

    # IP indicators
    indiIP = Indicator()
    indiIP.title = TITLE + " - IP"
    indiIP.add_indicator_type("IP Watchlist")

    # EMAIL indicators
    indiEMAIL = Indicator()
    indiEMAIL.title = TITLE + " - EMAIL"
    indiEMAIL.add_indicator_type("Malicious E-mail")

    ########################
    # Build STIX 2 file
    pattern_sha256 = []
    pattern_md5 = []
    pattern_sha1 = []
    pattern_domain = []
    pattern_url = []
    pattern_ip = []
    pattern_email = []

    # Marking
    marking_def_white = stix2.TLP_WHITE

    # campagna
    # [TODO] aggiungere tutti i campi dello STIX 1.2 (es. IDENTITY)
    campaign_MAIN = stix2.Campaign(
        created=timestamp,
        modified=timestamp,
        name=TITLE,
        description=DESCRIPTION,
        first_seen=timestamp,
        objective="TBD"
    )

    ########################
    # Read IoC file
    loaddata(IOCFILE)

    if (VERBOSE): print("Reading IoC file " + IOCFILE + "...")
    ioccount = 0

    # sha256
    for ioc in listSHA256:
        # STIX 1.2
        filei = File()
        filei.add_hash(Hash(ioc))

        obsi = Observable(filei)
        indicatorHASH.add_observable(obsi)
        if (VERBOSE): print("SHA256: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_sha256.append("[file:hashes.'SHA-256' = '" + ioc + "'] OR ")

    # md5
    for ioc in listMD5:
        # STIX 1.2
        filej = File()
        filej.add_hash(Hash(ioc))

        obsj = Observable(filej)
        indicatorHASH.add_observable(obsj)
        if (VERBOSE): print("MD5: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_md5.append("[file:hashes.'MD5' = '" + ioc + "'] OR ")

    # sha1
    for ioc in listSHA1:
        # STIX 1.2
        filek = File()
        filek.add_hash(Hash(ioc))

        obsk = Observable(filek)
        indicatorHASH.add_observable(obsk)
        if (VERBOSE): print("SHA1: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_sha1.append("[file:hashes.'SHA1' = '" + ioc + "'] OR ")

    # domains
    for ioc in listDOMAIN:
        # STIX 1.2
        url = URI()
        url.value = ioc
        url.type_ = URI.TYPE_DOMAIN
        url.condition = "Equals"

        obsu = Observable(url)
        indiDOMAIN.add_observable(obsu)
        if (VERBOSE): print("DOMAIN: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_domain.append("[domain-name:value = '" + ioc + "'] OR ")

    # url
    for ioc in listURL:
        # STIX 1.2
        url = URI()
        url.value = ioc
        url.type_ = URI.TYPE_URL
        url.condition = "Equals"

        obsu = Observable(url)
        indiURL.add_observable(obsu)
        if (VERBOSE): print("URL: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_url.append("[url:value = '" + ioc + "'] OR ")

    # ip
    for ioc in listIP:
        # STIX 1.2
        ip = Address()
        ip.address_value = ioc

        obsu = Observable(ip)
        indiIP.add_observable(obsu)
        if (VERBOSE): print("IP: " + ioc)

        ioccount += 1

        # STIX 2
        pattern_ip.append("[ipv4-addr:value = '" + ioc + "'] OR ")

    # email
    for ioc in listEMAIL:
        # STIX 1.2
        email = EmailAddress()
        email.address_value = ioc

        obsu = Observable(email)
        indiEMAIL.add_observable(obsu)

        if (VERBOSE): print("Email: " + ioc)
        ioccount += 1

        # STIX 2
        pattern_email.append("[email-message:from_ref.value = '" + ioc + "'] OR ")

    # subject
    for ioc in listSUBJECT:
        # STIX 1.2
        emailsubject = EmailMessage()
        emailsubject.subject = ioc

        obsu = Observable(emailsubject)
        indiEMAIL.add_observable(obsu)

        if (VERBOSE): print("Subject: " + ioc)
        ioccount += 1

        # STIX 2 (http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html)
        # Replace all quotes in a subject string with escaped quotes
        pattern_email.append("[email-message:subject = '" + ioc.replace("'", "\\'") + "'] OR ")

    ########################
    # add all indicators to STIX 1.2
    wrapper.add_indicator(indicatorHASH)
    wrapper.add_indicator(indiDOMAIN)
    wrapper.add_indicator(indiURL)
    wrapper.add_indicator(indiIP)
    wrapper.add_indicator(indiEMAIL)

    ########################
    # prepare for STIX 2
    bundle_objects = [campaign_MAIN, marking_def_white]

    if len(pattern_sha256) != 0:
        stix2_sha256 = "".join(pattern_sha256)
        stix2_sha256 = stix2_sha256[:-4]

        indicator_SHA256 = stix2.Indicator(
            name=TITLE + " - SHA256",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_sha256,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_SHA256 = stix2.Relationship(indicator_SHA256, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_SHA256)
        bundle_objects.append(relationship_indicator_SHA256)

    if len(pattern_md5) != 0:
        stix2_md5 = "".join(pattern_md5)
        stix2_md5 = stix2_md5[:-4]

        indicator_MD5 = stix2.Indicator(
            name=TITLE + " - MD5",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_md5,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_MD5 = stix2.Relationship(indicator_MD5, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_MD5)
        bundle_objects.append(relationship_indicator_MD5)

    if len(pattern_sha1) != 0:
        stix2_sha1 = "".join(pattern_sha1)
        stix2_sha1 = stix2_sha1[:-4]

        indicator_SHA1 = stix2.Indicator(
            name=TITLE + " - SHA1",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_sha1,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_SHA1 = stix2.Relationship(indicator_SHA1, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_SHA1)
        bundle_objects.append(relationship_indicator_SHA1)

    if len(pattern_domain) != 0:
        stix2_domain = "".join(pattern_domain)
        stix2_domain = stix2_domain[:-4]

        indicator_DOMAINS = stix2.Indicator(
            name=TITLE + " - DOMAINS",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_domain,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_DOMAINS = stix2.Relationship(indicator_DOMAINS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_DOMAINS)
        bundle_objects.append(relationship_indicator_DOMAINS)

    if len(pattern_url) != 0:
        stix2_url = "".join(pattern_url)
        stix2_url = stix2_url[:-4]

        indicator_URLS = stix2.Indicator(
            name=TITLE + " - URL",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_url,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_URLS = stix2.Relationship(indicator_URLS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_URLS)
        bundle_objects.append(relationship_indicator_URLS)

    if len(pattern_ip) != 0:
        stix2_ip = "".join(pattern_ip)
        stix2_ip = stix2_ip[:-4]

        indicator_IPS = stix2.Indicator(
            name=TITLE + " - IPS",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_ip,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_IPS = stix2.Relationship(indicator_IPS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_IPS)
        bundle_objects.append(relationship_indicator_IPS)

    if len(pattern_email) != 0:
        stix2_email = "".join(pattern_email)
        stix2_email = stix2_email[:-4]

        indicator_EMAILS = stix2.Indicator(
            name=TITLE + " - EMAILS",
            created=timestamp,
            modified=timestamp,
            description=DESCRIPTION,
            labels=["malicious-activity"],
            pattern=stix2_email,
            object_marking_refs=[marking_def_white]
        )
        relationship_indicator_EMAILS = stix2.Relationship(indicator_EMAILS, "indicates", campaign_MAIN)
        bundle_objects.append(indicator_EMAILS)
        bundle_objects.append(relationship_indicator_EMAILS)

    # creo il bunble STIX 2
    bundlestix2 = stix2.Bundle(objects=bundle_objects)

    if (ioccount > 0):
        ########################
        # save to STIX 1.2 file
        print("Writing STIX 1.2 package: " + OUTFILEPREFIX + ".stix")
        f = open(OUTFILEPREFIX + ".stix", "wb")
        f.write(wrapper.to_xml())
        f.close()

        ########################
        # save to STIX 2 file
        print("Writing STIX 2 package: " + OUTFILEPREFIX + ".stix2")
        g = open(OUTFILEPREFIX + ".stix2", "w")
        g.write(str(bundlestix2))
        g.close()
    else:
        print("No IoC found")
    'title': stixTitle,
    'desc': stixDescription,
    'hash': file_hashes,
    'fname': filenames,
    'ips': ip_addresses,
    'urls': urls,
    'subject': email_subjects,
    'senders': email_sender,
    'domains': domain
}

# STIXHeader() emits 'The use of this field has been deprecated' warnings on
# construction; this blanket filter silences them. Note that with only an
# action given, every warning category (not just DeprecationWarning) is hidden.
warnings.filterwarnings(action="ignore")

# Every id produced by the STIX/CybOX id generator from here on carries the
# "bimb" namespace prefix.
NAMESPACE = Namespace("http://bimb.com/stix", "bimb")
set_id_namespace(NAMESPACE)


def main(iocs=iocs):

    stix_header = STIXHeader(title=iocs['title'],
                             description=iocs['desc'],
                             package_intents=["Indicators - Watchlist"])

    stix_package = STIXPackage(stix_header=stix_header)

    # add indicator - file hash
    if iocs.get('hash'):
        indicator_file_hash = Indicator(title="Malicious File")
        indicator_file_hash.add_indicator_type("File Hash Watchlist")
        for file_hash in iocs['hash']:
def home(request):
    """Main GUI view: render the dashboard and service its POST actions.

    Every action is keyed off the presence of a form field in ``request.POST``:
    ``delete_relay_id`` removes a Relay, ``create_relay-name`` creates one,
    ``create_job-raw_message`` creates a Job, and ``create_target-cybox_type``
    builds a CybOX observable and creates a Target from it.

    NOTE(review): the code shown here ends right after the target is saved and
    returns nothing; the response-building part of the view is not visible in
    this excerpt.
    """

    # Forms:Job,target and relay creation (unbound; rebound below when the
    # matching POST keys are present)
    create_job_form = CreateJob(request=request, prefix="create_job")
    create_target_form = CreateTarget(request=request, prefix="create_target")
    create_relay_form = CreateRelay(request=request, prefix="create_relay")

    if request.method == "POST":

        # Remove a relay
        # NOTE(review): the pk comes straight from the client and no
        # ownership/permission check is visible here; a non-integer value may
        # make the ORM lookup raise ValueError, which is not handled below.
        if "delete_relay_id" in request.POST:

            try:

                Relay.objects.get(pk=request.POST["delete_relay_id"]).delete()

            # Python 2 except syntax; an unknown relay id is silently ignored.
            except ObjectDoesNotExist, e:

                pass

        # Create new relay
        if "create_relay-name" in request.POST:

            # Actuator creation
            create_relay_form = CreateRelay(request.POST,
                                            request=request,
                                            prefix="create_relay")
            if create_relay_form.is_valid():

                # If CreateRelay is a plain ModelForm, save() already persists
                # the row and the second save() is a redundant extra write.
                host = create_relay_form.save()
                host.save()

            # TODO - Call a sync here

        # Job Creations
        # NOTE(review): the lookups below index request.POST directly, so a
        # missing field raises KeyError and an unknown capability/target pk
        # raises ObjectDoesNotExist; neither is handled here.
        if "create_job-raw_message" in request.POST:

            new_job = Job(capability=Capability.objects.get(
                pk=request.POST["create_job-capability"]),
                          target=Target.objects.get(
                              pk=request.POST["create_job-target"]),
                          raw_message="Pending",
                          status=JobStatus.objects.get(status="Pending"),
                          created_by=request.user)

            # First save assigns the pk that command-ref below needs.
            new_job.save()

            # Now we have a pk - update the id

            # Client-supplied JSON: json.loads raises ValueError on malformed
            # input, and the next line raises KeyError when "modifiers" is
            # not an object in the payload.
            command = json.loads(request.POST["create_job-raw_message"])
            command["modifiers"]["command-ref"] = new_job.id

            logger.info("Job Created\n%s" % json.dumps(command))

            # Pretty-print for display. json.dumps indents with spaces and
            # escapes control characters inside strings, so the tab
            # replacement appears to never match anything.
            new_job.raw_message = json.dumps(command, sort_keys=True,
                                             indent=4).replace(
                                                 "\t", u'\xa0\xa0\xa0\xa0\xa0')
            new_job.save()

        # Target Creations

        # The CybOX id namespace is (re)set from settings on every POST.
        namespace_url = getattr(settings, "NAMESPACE_URL", None)
        namespace_id = getattr(settings, "NAMESPACE_ID", None)

        set_id_namespace(Namespace(namespace_url, namespace_id))

        if "create_target-cybox_type" in request.POST:

            cybox_type = CybOXType.objects.get(
                pk=request.POST["create_target-cybox_type"])

            # Each branch builds one CybOX object from the posted fields and
            # serialises it (Observable.to_json()) as the Target's raw_message.
            if cybox_type.identifier == "cybox:NetworkConnectionObjectType":

                obs = NetworkConnection()

                # Source
                sock = SocketAddress()
                sock.ip_address = request.POST["create_target-source_address"]
                sock.ip_address.category = "ipv4-addr"
                sock.ip_address.condition = "Equals"
                sport = Port()
                # int() raises ValueError on a non-numeric port; not handled.
                sport.port_value = int(
                    request.POST["create_target-source_port"])
                sock.port = sport
                obs.source_socket_address = sock

                # Dest
                sock = SocketAddress()
                sock.ip_address = request.POST[
                    "create_target-destination_address"]
                sock.ip_address.category = "ipv4-addr"
                sock.ip_address.condition = "Equals"
                dport = Port()
                dport.port_value = int(
                    request.POST["create_target-destination_port"])
                sock.port = dport
                obs.destination_socket_address = sock

                # Human-readable title built from the raw posted values.
                name = "Network Connection %s:%s -> %s:%s (%s)" % (
                    request.POST["create_target-source_address"],
                    request.POST["create_target-source_port"],
                    request.POST["create_target-destination_address"],
                    request.POST["create_target-destination_port"],
                    request.POST["create_target-protocol"])

                raw_message = Observable(item=obs, title=name).to_json()

            elif cybox_type.identifier == "cybox:AddressObjectType":

                name = "Address %s " % (request.POST["create_target-address"])
                raw_message = Observable(item=Address(
                    address_value=request.POST["create_target-address"],
                    category=Address.CAT_IPV4),
                                         title=name).to_json()

            elif cybox_type.identifier == "cybox:URIObjectType":
                name = "URI %s " % (request.POST["create_target-uri"])
                obs = URI()
                obs.value = request.POST["create_target-uri"]
                obs.type_ = URI.TYPE_URL
                obs.condition = "Equals"
                raw_message = Observable(item=obs, title=name).to_json()

            elif cybox_type.identifier == "cybox:EmailMessageObjectType":
                name = "Email %s " % (
                    request.POST["create_target-email_subject"])
                obs = EmailMessage()
                obs.raw_body = request.POST["create_target-email_message"]
                obs.header = EmailHeader()
                obs.header.subject = request.POST[
                    "create_target-email_subject"]
                # Subject matches by prefix, unlike the "Equals" used above.
                obs.header.subject.condition = "StartsWith"
                obs.header.to = request.POST["create_target-email_to"]
                obs.header.from_ = request.POST["create_target-email_from"]
                raw_message = Observable(item=obs, title=name).to_json()
            else:

                # Should never reach here
                # NOTE(review): the other branches store the JSON string from
                # to_json(); this fallback stores a dict instead.
                raw_message = {}
                name = "Undefined Object"

            create_target_form = CreateTarget(request.POST,
                                              request=request,
                                              prefix="create_target")

            if create_target_form.is_valid():

                # Name and raw_message are set by the view, not the form.
                target = create_target_form.save(commit=False)

                target.name = name

                target.raw_message = raw_message

                target.save()
 def setUp(self):
     """Point the id generator at the OpenIOC test-mechanism namespace."""
     idgen.set_id_namespace(
         Namespace(
             "http://stix.mitre.org/extensions/TestMechanism#OpenIOC2010-1",
             "stix-openioc",
             '',
         )
     )
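def main():
    """Build a STIX 1.2 package describing one file sample and print it as XML.

    The sample description comes from ``loaddata()``; the keys used here are
    NSXURL, NS, Identity, TLP_COLOR, filename, file_type, file_size,
    hashes{md5, sha1, sha256} and, optionally, URL_file_hosting (a list of
    URLs the file was downloaded from). Every value is passed through
    ``sanitizer()`` before it enters the package. The finished package is
    written to stdout with ``wrapper.to_xml()``.

    Raises:
        KeyError: when one of the required keys is missing from the data.
    """
    mydata = loaddata()

    NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
    set_id_namespace(NAMESPACE)  # new ids will be prefixed by "myNS"

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name=sanitizer(mydata["Identity"]))

    # TLP marking applied to every node and attribute of the package.
    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = sanitizer(mydata["TLP_COLOR"])
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    # Local-time creation stamp; it doubles as the header's short description.
    timestamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')

    MyTITLE = sanitizer(mydata["filename"]) + ": " + sanitizer(
        mydata["hashes"]["md5"])
    ShortDescription = timestamp

    DESCRIPTION = "STIX Report for: " + sanitizer(
        mydata["filename"]) + " - " + sanitizer(mydata["hashes"]["md5"])

    wrapper.stix_header = STIXHeader(information_source=info_src,
                                     title=MyTITLE,
                                     description=DESCRIPTION,
                                     short_description=ShortDescription)
    wrapper.stix_header.handling = handling

    # The file object carries name, format, size and all three hashes.
    fileobj = File()
    fileobj.file_name = sanitizer(mydata["filename"])
    fileobj.file_format = sanitizer(mydata["file_type"])
    fileobj.size_in_bytes = sanitizer(mydata["file_size"])
    fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["md5"])))
    fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["sha1"])))
    fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["sha256"])))

    observable = Observable(fileobj)

    # Each hosting URL becomes a URI object related to the file. The loop
    # variable is a plain local: the original bound every element to
    # mydata["URL_file_hosting"] itself, overwriting the list it was iterating.
    for hosting_url in mydata.get("URL_file_hosting", []):
        url = URI()
        url.value = sanitizer(hosting_url)
        url.type_ = URI.TYPE_URL
        url.condition = "Equals"

        fileobj.add_related(url, "Downloaded_From")

    indicator = Indicator()
    indicator.title = MyTITLE
    indicator.add_indicator_type("File Hash Watchlist")
    indicator.add_observable(observable)

    wrapper.add_indicator(indicator)
    print(wrapper.to_xml())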
 def setUp(self):
     """Start each test from a clean id generator: integer ids from 1 in TEST_NS."""
     idgen.set_id_method(idgen.IDGenerator.METHOD_INT)
     idgen._get_generator().next_int = 1
     idgen.set_id_namespace(TEST_NS)
 def setUp(self):
     """Start each test from a clean id generator: integer ids from 1 in TEST_NS."""
     idgen.set_id_method(idgen.IDGenerator.METHOD_INT)
     idgen._get_generator().next_int = 1
     idgen.set_id_namespace(TEST_NS)
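def _feed_text(value, default):
    """Normalise a feed field that may arrive as a list of strings, a string or None.

    ``''.join`` collapses a list to one string and is a no-op on a plain
    string; ``default`` is returned when the field is absent (None).
    """
    return default if value is None else ''.join(value)


def main():
    """Fetch the last 24h of iDefense IntelGraph threat indicators into a STIX 1.2 package.

    The API key is read from the ``IDEF_TOKEN`` environment variable (the
    script exits with status 1 when it is unset). Results are paged until the
    API reports no more data; every url/domain/ip indicator becomes a STIX
    Indicator linked to a TTP named after its ``last_seen_as`` value and, when
    the feed attached file hashes, to the Malware entry built by
    ``add_malware``. The package is written to ``stix-1.2.1.xml`` in the
    working directory; on a network or decoding failure the error is printed
    and whatever was collected so far is still written.
    """
    # define constants
    TI_REQUEST_URL = "https://api.intelgraph.idefense.com/rest/threatindicator/v0"
    PAGE_SIZE = 200
    # Bound every request: without a timeout a stalled connection blocks forever.
    REQUEST_TIMEOUT = 60
    # Header fields that must never be echoed to stdout or logs.
    SECRET_HEADERS = ("auth-token", "X-Api-Key-Proof")

    # iDefense API Key
    # To avoid hard-coding creds, I'm using environment variables
    API_KEY = os.environ.get('IDEF_TOKEN')
    if API_KEY is None:
        print(
            "error: please store your iDefense IntelGraph API key in the IDEF_TOKEN environment"
        )
        sys.exit(1)
    API_SECRET = ''

    # TODO: use command-line parameter
    timestr = datetime.datetime.utcnow() - datetime.timedelta(days=1)
    LAST_IMPORT = timestr.strftime("%Y-%m-%dT%H:%M:%S") + ".000Z"

    HEADERS = {
        "Content-Type": "application/json",
        "auth-token": API_KEY,
        "X-Api-Key-Proof": API_SECRET
    }

    # Debug echo of the request headers with the credentials masked; the
    # original printed HEADERS verbatim, which wrote the API key to stdout.
    print({k: ("<redacted>" if k in SECRET_HEADERS else v)
           for k, v in HEADERS.items()})

    page = 1
    more_data = True
    count = 0

    # Set namespace
    NAMESPACE = Namespace("https://intelgraph.idefense.com", "idefense")
    set_id_namespace(NAMESPACE)

    # Create STIX Package
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "iDefense Threat Indicators Feed"
    stix_package.stix_header = stix_header

    ttps = {}     # last_seen_as -> TTP already added to the package
    malware = {}  # md5 -> result of add_malware(), built once per hash

    try:

        while more_data:
            request_payload = {
                "start_date": LAST_IMPORT,
                "page_size": PAGE_SIZE,
                "page": page
            }
            r = requests.post(TI_REQUEST_URL,
                              headers=HEADERS,
                              data=json.dumps(request_payload),
                              timeout=REQUEST_TIMEOUT)
            print(r)
            if r.status_code != requests.codes.ok:
                print("API request couldn't be fulfilled due status code: %d" %
                      r.status_code)
                break

            try:
                # Read in response as json
                response = r.json()
            except (ValueError, KeyError):
                print("Response couldn't be decoded :(")
                break

            # 'more' is a JSON boolean. The original defaulted to the *string*
            # 'False', which is truthy and would have kept paging.
            more_data = bool(response.get('more', False))
            print("Page %d ==> %s (%s)" %
                  (page, more_data, response.get('total_size')))
            page += 1

            # Iterate the response
            for indicatorD in response.get('results', []):
                count += 1
                # Indicator value such as the value of the IP/Domain/URL
                key = indicatorD.get('key')
                ind_type = indicatorD.get('type')
                print(key, ind_type)
                last_seen_as = _feed_text(indicatorD.get('last_seen_as'), 'UNKNOWN')

                # Identify TTP
                if last_seen_as not in ttps:
                    ttps[last_seen_as] = TTP(title=last_seen_as)
                    stix_package.add_ttp(ttps[last_seen_as])

                # Identify malware source. `md5` is reset per indicator: the
                # original carried it over from whichever earlier indicator
                # had files, so hash-less indicators were related to another
                # indicator's malware (or hit NameError on the first one).
                md5 = None
                for hashD in indicatorD.get('files', []):
                    md5 = hashD.get('key')
                    # Malware Family classification of the hash if available
                    malware_family = _feed_text(hashD.get('malware_family'), "Unknown")
                    if md5 not in malware:
                        malware[md5] = add_malware(md5, malware_family, hashD.get('uuid'))

                # Title: the feed's malware family, normalised the same way
                # for all three indicator types (the original passed the raw
                # list for "ip" and crashed on None for "url"/"domain").
                title = _feed_text(indicatorD.get('malware_family'), "Unknown")
                indicator = Indicator(
                    id_="indicator-{0}".format(indicatorD.get('uuid')),
                    title=title,
                    timestamp=indicatorD.get('last_seen'))

                if ind_type == "url":
                    indicator.add_indicator_type("URL Watchlist")
                    # Populate URL
                    url = URI()
                    url.value = key
                    url.type_ = URI.TYPE_URL
                    url.value.condition = "Equals"
                    indicator.add_observable(url)

                elif ind_type == "domain":
                    indicator.add_indicator_type("Domain Watchlist")
                    # Populate domain name
                    domain = DomainName()
                    domain.value = key
                    domain.value.condition = "Equals"
                    indicator.add_observable(domain)

                elif ind_type == "ip":
                    indicator.add_indicator_type("IP Watchlist")
                    # Populate IP address
                    addr = Address(address_value=key,
                                   category=Address.CAT_IPV4)
                    addr.condition = "Equals"
                    indicator.add_observable(addr)

                else:
                    # Unsupported type: skip it instead of aborting the whole
                    # import (the original fell through with `indicator` still
                    # bound to the raw key string and raised AttributeError).
                    print("Skipping unsupported indicator type: %s" % ind_type)
                    continue

                # Link TTP
                indicator.add_indicated_ttp(
                    TTP(idref=ttps[last_seen_as].id_))
                # Indicate confidence score
                indicator.confidence = Confidence(
                    value=VocabString(indicatorD.get('confidence')))
                # Add related indicator to malware (last listed hash, as before)
                if md5 is not None:
                    indicator.add_related_indicator(malware[md5])
                # Add to package
                stix_package.add_indicator(indicator)

    except requests.exceptions.ConnectionError as e:
        print("Check your network connection\n %s" % str(e))

    except requests.exceptions.HTTPError as e:
        print("Bad HTTP response\n %s" % str(e))

    except Exception as e:
        # Top-level boundary: report, then still write what was collected.
        print("Uncaught exception\n %s" % str(e))

    print("Processed %d indicators" % count)

    # Output to XML
    with open('stix-1.2.1.xml', 'wb') as f:
        f.write(stix_package.to_xml())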
 def setUp(self):
     """Point the id generator at the OpenIOC test-mechanism namespace."""
     idgen.set_id_namespace(
         Namespace(
             "http://stix.mitre.org/extensions/TestMechanism#OpenIOC2010-1",
             "stix-openioc",
             '',
         )
     )