def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from mixbox.idgen import set_id_namespace
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = _marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
expt.information_source = InformationSource(
identity=Identity(name="National Vulnerability Database"))
# Add the vulnerability object to the package object
expt.add_vulnerability(_vulnbuild(data))
# Add the COA object to the ET object
for coa in COAS:
expt.potential_coas.append(
CourseOfAction(
idref=coa['id'],
timestamp=expt.timestamp))
# Do some TTP stuff with CAPEC objects
if TTPON is True:
try:
for i in data['capec']:
pkg.add_ttp(_buildttp(i, expt))
except KeyError:
pass
expt.add_weakness(_weakbuild(data))
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
title = pkg.id_.split(':', 1)[-1]
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
_postconstruct(xml, title)
return xml
else:
sys.exit("[-] Error retrieving details for " + var)
def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from mixbox.idgen import set_id_namespace
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = _marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
expt.information_source = InformationSource(identity=Identity(
name="National Vulnerability Database"))
# Add the vulnerability object to the package object
expt.add_vulnerability(_vulnbuild(data))
# Add the COA object to the ET object
for coa in COAS:
expt.potential_coas.append(
CourseOfAction(idref=coa['id'], timestamp=expt.timestamp))
# Do some TTP stuff with CAPEC objects
if TTPON is True:
try:
for i in data['capec']:
pkg.add_ttp(_buildttp(i, expt))
except KeyError:
pass
expt.add_weakness(_weakbuild(data))
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
title = pkg.id_.split(':', 1)[-1]
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
_postconstruct(xml, title)
return xml
else:
sys.exit("[-] Error retrieving details for " + var)
def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from stix.utils import idgen
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
idgen.set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
# Add the vulnerability object to the package object
expt.add_vulnerability(vulnbuild(data))
# Do some TTP stuff with CAPEC objects
try:
for i in data['capec']:
ttp = TTP()
ttp.title = "CAPEC-" + str(i['id'])
ttp.description = i['summary']
ttp.exploit_targets.append(ExploitTarget(idref=expt.id_))
pkg.add_ttp(ttp)
except KeyError:
pass
# Do some weakness stuff
if data['cwe'] != 'Unknown':
weak = Weakness()
weak.cwe_id = data['cwe']
expt.add_weakness(weak)
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
title = pkg.id_.split(':', 1)[-1]
with open(title + ".xml", "w") as text_file:
text_file.write(xml)
return xml
def main():
pkg = STIXPackage()
vuln = Vulnerability()
vuln.cve_id = "CVE-2013-3893"
et = ExploitTarget(title="Javascript vulnerability in MSIE 6-11")
et.add_vulnerability(vuln)
pkg.add_exploit_target(et)
print pkg.to_xml()
def main():
pkg = STIXPackage()
vuln = Vulnerability()
vuln.cve_id = "CVE-2013-3893"
et = ExploitTarget(title="Javascript vulnerability in MSIE 6-11")
et.add_vulnerability(vuln)
pkg.add_exploit_target(et)
print pkg.to_xml()
def main():
pkg = STIXPackage()
vuln = Vulnerability()
vuln.cve_id = "CVE-2013-3893"
vuln.add_reference(
"https://technet.microsoft.com/library/security/2887505")
et = ExploitTarget(title="Javascript vulnerability in MSIE 6-11")
et.add_vulnerability(vuln)
pkg.add_exploit_target(et)
print(pkg.to_xml(encoding=None))
def main():
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "CVE-2014-0160"
vuln.add_reference("http://heartbleed.com/")
et = ExploitTarget(title="Heartbleed")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="Generic Heartbleed Exploits")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title="Snort Signature for Heartbleed")
indicator.confidence = Confidence("High")
tm = SnortTestMechanism()
tm.rules = [
"""alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)""",
"""alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)"""
]
tm.efficacy = "Low"
tm.producer = InformationSource(identity=Identity(name="FOX IT"))
tm.producer.references = [
"http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/"
]
indicator.test_mechanisms = TestMechanisms([tm])
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def main():
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "CVE-2014-0160"
vuln.add_reference("http://heartbleed.com/")
et = ExploitTarget(title="Heartbleed")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="Generic Heartbleed Exploits")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title="Snort Signature for Heartbleed")
indicator.confidence = Confidence("High")
tm = SnortTestMechanism()
tm.rules = [
"""alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)""",
"""alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)"""
]
tm.efficacy = "Low"
tm.producer = InformationSource(identity=Identity(name="FOX IT"))
tm.producer.references = ["http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/"]
indicator.test_mechanisms = TestMechanisms([tm])
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def toStixXml(self, confidence, efficacy):
"""
This method converts a list of FASGuard generated Snort rules into a STIX
compliant XML string ready for output. It first converts the object
into a hash of the right format and then converts it into XML using
STIXPackage.from_dict and to_xml on the resulting object.
Arguments:
confidence - High, Medium or Low. High means low false alarm rate.
efficacy - High, Medium or Low. High means a low missed detection rate.
Returns:
Reference to string containing STIX/CybOX XML file.
"""
logger = logging.getLogger('simple_example')
self.logger = logger
self.logger.debug('In asg.fasguardStixRule')
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "Unknown"
et = ExploitTarget(title="From FASGuard")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="FASGuard Produced Signatures")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title="Snort Signature from FASGuard")
indicator.confidence = Confidence(confidence)
tm = SnortTestMechanism()
tm.rules = self.ruleList
tm.efficacy = efficacy
tm.producer = InformationSource(identity=Identity(name="FASGuard"))
tm.producer.references = ["http://fasguard.github.io/"]
indicator.test_mechanisms = [tm]
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
return stix_package.to_xml()
# stixDict = {'campaigns': [{}],
# 'courses_of_action': [{}],
# 'exploit_targets': [{}],
# 'id': 'INSERT_PACKAGE_ID_HERE'}
# stixDict['indicators'] = [{'indicator':
# {'title':
# 'Automatically Generated FASGuard Signatures',
# 'test_mechanisms':
# {'test_mechanism':
# {'efficacy':'Low',
# 'producer':
# {'Identity':'FASGuard'},
# 'rule':'xyz'}}}}
# ]
stix_package = STIXPackage.from_dict(stixDict)
stix_xml = stix_package.to_xml()
return stix_xml
ttp2.victim_targeting = victim_targeting ttp2.related_ttps.append(related_ttp) # Related TTP (Exploit; by id) ttp3 = TTP(title='Remote Exploit of Server Software') exploit = Exploit(title='Exploit Apache') exploit.description = 'Exploit Description' exploit.short_description = 'Short Description' ttp3.behavior = Behavior() ttp3.behavior.add_exploit(exploit) vt3 = VictimTargeting() vt3.identity = Identity(name='Steve Franchak') ttp3.victim_targeting = vt3 # TTP 3 - Related Exploit Target et = ExploitTarget(title='Apache HTTP Vulnerability - CVE-2018-1312') ttp3.exploit_targets.append(ExploitTarget(idref=et.id_)) # Generate STIX Package stix_package = STIXPackage() stix_package.add_ttp(ttp) stix_package.add_ttp(ttp2) stix_package.add_ttp(ttp3) stix_package.add_threat_actor(ta) stix_package.add_observable(observable) stix_package.add_observable(observable2) stix_package.add_exploit_target(et) print(stix_package.to_xml().decode())
def toStixXml(self, confidence, efficacy):
"""
This method converts a list of FASGuard generated Snort rules into a STIX
compliant XML string ready for output. It first converts the object
into a hash of the right format and then converts it into XML using
STIXPackage.from_dict and to_xml on the resulting object.
Arguments:
confidence - High, Medium or Low. High means low false alarm rate.
efficacy - High, Medium or Low. High means a low missed detection rate.
Returns:
Reference to string containing STIX/CybOX XML file.
"""
logger = logging.getLogger('simple_example')
self.logger = logger
self.logger.debug('In asg.fasguardStixRule')
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "Unknown"
et = ExploitTarget(title="From FASGuard")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="FASGuard Produced Signatures")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title = "Snort Signature from FASGuard")
indicator.confidence = Confidence(confidence)
tm = SnortTestMechanism()
tm.rules = self.ruleList
tm.efficacy = efficacy
tm.producer = InformationSource(identity=Identity(name="FASGuard"))
tm.producer.references = ["http://fasguard.github.io/"]
indicator.test_mechanisms = [tm]
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
return stix_package.to_xml()
# stixDict = {'campaigns': [{}],
# 'courses_of_action': [{}],
# 'exploit_targets': [{}],
# 'id': 'INSERT_PACKAGE_ID_HERE'}
# stixDict['indicators'] = [{'indicator':
# {'title':
# 'Automatically Generated FASGuard Signatures',
# 'test_mechanisms':
# {'test_mechanism':
# {'efficacy':'Low',
# 'producer':
# {'Identity':'FASGuard'},
# 'rule':'xyz'}}}}
# ]
stix_package = STIXPackage.from_dict(stixDict)
stix_xml = stix_package.to_xml()
return stix_xml
