def test_memory_store_custom_object(mem_store):
    """Round-trip a custom STIX object through the in-memory store.

    Registers an ad-hoc ``x-new-obj`` type with one required string
    property, adds a single instance to ``mem_store`` (passing ``True`` as
    the second positional argument, the store's allow-custom flag), then
    reads it back by id and checks id and property survive unchanged.
    """
    @CustomObject('x-new-obj', [
        ('property1', properties.StringProperty(required=True)),
    ])
    class NewObj():
        pass

    original = NewObj(property1='something')
    mem_store.add(original, True)

    restored = mem_store.get(original.id)
    assert restored.id == original.id
    assert restored.property1 == 'something'
def test_filesystem_custom_object(fs_store):
    """Round-trip a custom STIX object through the filesystem store.

    Registers an ad-hoc ``x-new-obj`` type, stores one instance with
    ``allow_custom=True``, reads it back by id (again allowing custom
    types) and compares id and property. The ``x-new-obj`` directory the
    store created under ``FS_PATH`` is removed at the end.
    """
    @CustomObject('x-new-obj', [
        ('property1', properties.StringProperty(required=True)),
    ])
    class NewObj():
        pass

    original = NewObj(property1='something')
    fs_store.add(original, allow_custom=True)

    restored = fs_store.get(original.id, allow_custom=True)
    assert restored.id == original.id
    assert restored.property1 == 'something'

    # Clean up the per-type directory; ignore_errors=True so a missing
    # directory does not turn the cleanup into a test failure.
    type_dir = os.path.join(FS_PATH, "x-new-obj")
    shutil.rmtree(type_dir, ignore_errors=True)
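class AWSNACL(Command):
    """OpenC2 command targeting an AWS network ACL (``x-aws-nacl``).

    ``action`` is restricted to allow/deny/delete; ``target``, ``args`` and
    ``actuator`` are all required. ``_check_object_constraints`` narrows
    them further to what the AWS NACL actuator can act on.
    """
    _type = 'x-aws-nacl'
    _properties = OrderedDict([
        ('action',
         properties.EnumProperty(allowed=["allow", "deny", "delete"],
                                 required=True)),
        ('target', TargetProperty(required=True)),
        ('args', ArgsProperty(required=True)),
        ('actuator', ActuatorProperty(required=True)),
        ('command_id', properties.StringProperty())
    ])

    def _check_object_constraints(self):
        """Reject commands the NACL actuator cannot carry out.

        Raises:
            ValueError: the target is not an ``ipv4_connection``/``slpf``
                ``_Target``; the actuator is not an ``AWSResourceActuator``;
                the ``slpf`` args lack ``insert_rule`` or ``direction``; an
                ``slpf`` target lacks ``rule_number``; the rule number is
                outside 1-32766; or the protocol/direction is not one this
                command can translate to AWS values.
        """
        super(AWSNACL, self)._check_object_constraints()
        if not isinstance(self.target, _Target) or \
                self.target.type not in ('ipv4_connection', 'slpf'):
            raise ValueError("Unsupported target (%s)" % self.target.type)
        if not isinstance(self.actuator, AWSResourceActuator):
            raise ValueError("Unsupported actuator (%s)" % self.actuator.type)
        # A rule number of 0 is falsy and therefore reported as "missing";
        # that is acceptable since 0 is outside the valid range anyway.
        if not self.args.get("slpf") or not self.args.slpf.get("insert_rule") or \
                not self.args.slpf.get("direction"):
            raise ValueError("Missing required args (%s)" % self.args)
        if self.target.type == 'slpf' and not self.target.slpf.get(
                "rule_number"):
            raise ValueError("Missing required target specifiers (%s)" %
                             self.target)
        # 1-32766 is the valid rule number range per AWS docs.
        min_rule_number, max_rule_number = 1, 32766
        rule_number = self.args.slpf.insert_rule
        if rule_number < min_rule_number or rule_number > max_rule_number:
            raise ValueError("Invalid rule number requested")
        # IANA protocol numbers AWS accepts for the protocols we support.
        protocol_numbers = {
            'tcp': 6,
            'udp': 17,
            'icmp': 1,
        }
        if self.clean(self.target.protocol, protocol_numbers) is None:
            raise ValueError("Invalid protocol requested (%s)" %
                             self.target.protocol)
        # Maps direction onto the AWS "egress" boolean.
        egress_by_direction = {
            'ingress': False,
            'egress': True,
        }
        if self.clean(self.args.slpf.direction, egress_by_direction) is None:
            raise ValueError("Invalid direction requested (%s)" %
                             self.args.slpf.direction)

    def clean(self, value, valid):
        """Translate ``value`` through the ``valid`` mapping.

        Returns the mapped value, or ``None`` when ``value`` is not a key of
        ``valid`` (callers treat ``None`` as "not supported").

        Raises:
            ValueError: ``valid`` is not a dict.
        """
        if not isinstance(valid, dict):
            raise ValueError("Valid values must be dictionary")
        return valid.get(value)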
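class AWSSecurityGroup(Command):
    """OpenC2 command targeting an AWS security group (``x-aws-sg``).

    ``action`` is limited to allow/delete and ``args`` is optional.
    ``_check_object_constraints`` restricts the target to an
    ``ipv4_connection`` and the actuator to an ``AWSResourceActuator``.
    """
    _type = 'x-aws-sg'
    _properties = OrderedDict([
        ('action', properties.EnumProperty(
            allowed=[
                "allow",
                "delete"
            ], required=True
        )),
        ('target', TargetProperty(required=True)),
        ('args', ArgsProperty()),
        ('actuator', ActuatorProperty(required=True)),
        ('command_id', properties.StringProperty())
    ])

    def _check_object_constraints(self):
        """Reject targets and actuators this command cannot act on.

        Raises:
            ValueError: ``target`` is not an ``ipv4_connection`` ``_Target``
                or ``actuator`` is not an ``AWSResourceActuator``.
        """
        super(AWSSecurityGroup, self)._check_object_constraints()
        if not isinstance(self.target, _Target) or \
                self.target.type != 'ipv4_connection':
            raise ValueError("Unsupported target (%s)" % self.target)
        if not isinstance(self.actuator, AWSResourceActuator):
            raise ValueError("Unsupported actuator (%s)" % self.actuator)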
import yaml
from stix2 import CustomObject, properties, Bundle


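def create_bundle(json):
    """Write the Sigma rules into ``sigma_rules_stix_bundle.json``.

    Args:
        json: the STIX object(s) to wrap in a stix2 ``Bundle``. (The
            parameter name shadows the stdlib ``json`` module, which this
            function does not use; it is kept for caller compatibility.)

    The file is opened in a ``with`` block so it is flushed and closed even
    if serialization raises; the original left the handle open.
    """
    with open('sigma_rules_stix_bundle.json', 'w') as out:
        out.write(Bundle(json).serialize(pretty=False))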


@CustomObject(
    'x-sigma-rules',
    [
        ('action', properties.StringProperty()
         ),  ## needs updating its not part of the schema
        ('title', properties.StringProperty()),
        ('status', properties.StringProperty()),
        ('description', properties.StringProperty()),
        ('references', properties.ListProperty(
            properties.StringProperty())),  ##posible list here
        ('reference', properties.ListProperty(properties.StringProperty())
         ),  ##should be looked at there are two differences
        ('author', properties.StringProperty()),
        ('date', properties.StringProperty()),
        ('logsource', properties.DictionaryProperty()),
        ('detection', properties.DictionaryProperty()),
        ('fields', properties.ListProperty(properties.StringProperty())),
        ('falsepositives', properties.ListProperty(
            properties.StringProperty())),
    """Generate a random STIX id (uuid v1).
    This id will be stored and resolved by openCTI.
    We will store only 5 STIX objects of this type to prevent database flooding.
    :param stix_type: the stix type
    """

    @staticmethod
    def generate_random_stix_id(stix_type):
        new_uuid = str(uuid.uuid1())
        return stix_type + "--" + new_uuid


@CustomObservable(
    "x-opencti-simple-observable",
    [
        ("key", properties.StringProperty(required=True)),
        ("value", properties.StringProperty(required=True)),
        ("description", properties.StringProperty()),
        (
            "created_by_ref",
            properties.ReferenceProperty(valid_types="identity",
                                         spec_version="2.1"),
        ),
        ("x_opencti_score", properties.IntegerProperty()),
        ("x_opencti_create_indicator", properties.BooleanProperty()),
        ("labels", properties.ListProperty(properties.StringProperty)),
        ("external_references", properties.ListProperty(ExternalReference)),
        (
            "object_marking_refs",
            properties.ListProperty(
                properties.ReferenceProperty(valid_types="marking-definition",
from datetime import datetime
import pandas as pd
import os
import re
import json
import xlrd
from datetime import datetime
from dateutil import parser
import numpy as np
from stix2 import (Bundle, AttackPattern, ThreatActor, IntrusionSet, Relationship, CustomObject, properties,
                   Malware, Tool, Campaign, Identity, MarkingDefinition, ExternalReference, StatementMarking,
                   GranularMarking)
from stix2.properties import (ReferenceProperty, ListProperty, StringProperty, TimestampProperty)

@CustomObject('x-mitre-tactic', [
    ('name', properties.StringProperty(required=True)),
    ('description', properties.StringProperty(required=True)),
    ('x_mitre_shortname', properties.StringProperty(required=True))
])
class Tactic(object):
    """Custom STIX object for an AMITT tactic.

    When ``x_mitre_shortname`` is given it must be one of the known AMITT
    tactic short names; the other properties are validated only by the
    stix2 property definitions above.
    """
    def __init__(self, x_mitre_shortname=None, **kwargs):
        known_shortnames = (
            "strategic-planning", "objective-planning", "develop-people",
            "develop-networks", "microtargeting", "develop-content",
            "channel-selection", "pump-priming", "exposure", "go-physical",
            "persistence", "measure-effectiveness",
        )
        if not x_mitre_shortname:
            return
        if x_mitre_shortname in known_shortnames:
            return
        raise ValueError("'%s' is not a recognized AMITT Tactic." % x_mitre_shortname)

@CustomObject('x-amitt-narrative', [
    ('name', StringProperty(required=True)),
    ('description', StringProperty()),
    ('aliases', ListProperty(StringProperty)),
#!/usr/bin/env python3
import praw  # Reddit library
import csv
import json
from datetime import datetime, timedelta, date
from config import credentials
import boto3
import os

from stix2 import Bundle, ObservedData, IPv4Address, UserAccount, Bundle
from stix2 import CustomObservable, properties


@CustomObservable('x-csaware-social', [
    ('source', properties.StringProperty()),
    ('title', properties.StringProperty()),
    ('text', properties.StringProperty()),
    ('subject', properties.StringProperty()),
])
class CSAwareSocial:
    """Custom STIX cyber observable for a collected social-media post.

    All four properties are optional strings; nothing beyond the stix2
    property types is validated here.
    """


BUCKET_NAME = "cs-aware-data-collection"  # presumably the S3 bucket written via boto3 (imported above); confirm
USERS_FILE = './users.json'  # presumably the local list of accounts to poll; confirm against the reader below
FIELDS = ['subreddit', 'username', 'date', 'title', 'text', 'json']  # column names for the collected posts
PERIOD = 1  # Number of hours
POST_LIMIT = 50  # presumably the maximum posts fetched per query; confirm


# We want data from the last PERIOD hours
import re

from stix2 import CustomObject, properties, KillChainPhase

from yeti.core.errors import ValidationError
from .indicator_base import Indicator


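@CustomObject('x-regex',
              [('labels', properties.StringProperty(required=True)),
               ('name', properties.StringProperty()),
               ('description', properties.StringProperty()),
               ('pattern', properties.StringProperty(required=True)),
               ('valid_from', properties.TimestampProperty(required=True)),
               ('valid_until', properties.TimestampProperty()),
               ('kill_chain_phases', properties.ListProperty(KillChainPhase))])
class StixRegex():
    """Custom STIX ``x-regex`` indicator whose ``pattern`` must compile.

    Raises:
        ValidationError: ``pattern`` is not a valid Python regular
            expression, or is not a string at all (e.g. the ``None``
            default, which ``re.compile`` rejects with ``TypeError``).
    """
    def __init__(self, pattern=None, **_):
        # re.error covers malformed patterns; TypeError covers non-strings.
        # str(pattern) keeps the '{0:s}' format working for non-str values.
        # Compiling only proves syntax: a pattern that compiles may still
        # backtrack catastrophically, so matching cost is not bounded here.
        try:
            re.compile(pattern)
        except (re.error, TypeError) as e:
            raise ValidationError('{0:s} is not a valid regular expression:'
                                  ' {1:s}'.format(str(pattern), str(e)))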


class Regex(Indicator):
    """STIX Indicator Yeti object.

    Extends the Indicator STIX2 definition.
    """
from scripts.atcutils import ATCutils
from stix2 import MemoryStore, CustomObject, properties

# Module-level state created at import time: the ATC configuration loaded
# from scripts/config.yml and an empty in-memory STIX store (presumably
# filled with the objects defined below; not visible in this excerpt).
ATCconfig = ATCutils.load_config("scripts/config.yml")
stix_mem = MemoryStore()

@CustomObject('x-react-stage', [
    ('name', properties.StringProperty(required=True)),
    ('description', properties.StringProperty()),
    ('external_references', properties.ObjectReferenceProperty())])
class ReactStage(object):
    """Custom STIX object for one RE&CT incident-response stage.

    ``name`` must be one of the six known stage names when given.
    """
    def __init__(self, name=None, **kwargs):
        known_stages = ('Preparation', 'Identification', 'Containment',
                        'Eradication', 'Recovery', 'Lessons Learned')
        if not name:
            return
        if name in known_stages:
            return
        raise ValueError("'%s' is not a recognized stage of RE&CT." % name)


@CustomObject('x-react-action', [
    ('name', properties.StringProperty(required=True)),
    ('description', properties.StringProperty()),
    ('external_references', properties.ObjectReferenceProperty()),
    ('kill_chain_phases', properties.ListProperty(properties.DictionaryProperty))])
class ReactAction(object):
    """Custom STIX object for one RE&CT response action.

    No validation is performed beyond the stix2 property definitions.
    """
    def __init__(self, name=None, **kwargs):
        return


@CustomObject('x-react-matrix', [ 
    ( 'name', properties.StringProperty(required=True)), 
    ( 'description', properties.StringProperty()), 
    ( 'tactic_refs', properties.ListProperty(properties.StringProperty)) ] )
@CustomExtension(
    NetworkTraffic,
    'x-common-industrial-protocol',
    [
        ('service', properties.IntegerProperty()),
        ('class', properties.IntegerProperty()),
        ('epath', properties.HexProperty()),
        ('instance', properties.IntegerProperty()),
        ('logical_segment_format', properties.IntegerProperty()),
        ('logical_segment_type', properties.IntegerProperty()),
        ('path_segment', properties.IntegerProperty()),
        ('path_segment_type', properties.IntegerProperty()),
        ('request_path_size', properties.IntegerProperty()),
        ('cip_response', properties.IntegerProperty()),
        ('cip_service', properties.IntegerProperty()),
        ('addstat_size', properties.IntegerProperty()),
        ('genstat', properties.IntegerProperty()),
        ('id_product_name', properties.StringProperty()),
        ('data', properties.HexProperty()),
        *more,
    ],
)
class Cip:
    """NetworkTraffic extension carrying decoded CIP (Common Industrial
    Protocol) header fields, plus whatever extra properties ``more``
    supplies at import time.
    """


@CustomExtension(
    NetworkTraffic,
    'x-cip-command-specific-data',
    [('cip_data', properties.HexProperty())],
)
class CipData:
    """NetworkTraffic extension holding the raw CIP command-specific data as hex."""


# settings: GlobalSettings = GlobalSettings()
cmprops = [
    'cip_cm_msg_req_size',
    'cip_cm_priority',
 ('al_ctrq_b2', properties.BooleanProperty()),
 ('al_ctrq_b3', properties.BooleanProperty()),
 ('al_ctrq_b4', properties.BooleanProperty()),
 ('al_ctrq_b5', properties.BooleanProperty()),
 ('al_ctrq_b6', properties.BooleanProperty()),
 ('al_ctrq_b7', properties.BooleanProperty()),
 ('al_da_double', properties.FloatProperty()),
 ('al_da_float', properties.FloatProperty()),
 ('al_da_int16', properties.IntegerProperty()),
 ('al_da_int32', properties.IntegerProperty()),
 ('al_da_int8', properties.IntegerProperty()),
 ('al_da_length', properties.IntegerProperty()),
 ('al_da_uint16', properties.IntegerProperty()),
 ('al_da_uint32', properties.IntegerProperty()),
 ('al_da_uint8', properties.IntegerProperty()),
 ('al_da_value', properties.StringProperty()),
 ('al_datatype', properties.IntegerProperty()),
 ('al_file_auth', properties.IntegerProperty()),
 ('al_file_blocknum', properties.IntegerProperty()),
 ('al_file_data', properties.StringProperty()),
 ('al_file_handle', properties.IntegerProperty()),
 ('al_file_lastblock', properties.BooleanProperty()),
 ('al_file_maxblock', properties.IntegerProperty()),
 ('al_file_mode', properties.IntegerProperty()),
 ('al_file_perms', properties.IntegerProperty()),
 ('al_file_perms_exec_group', properties.BooleanProperty()),
 ('al_file_perms_exec_owner', properties.BooleanProperty()),
 ('al_file_perms_exec_world', properties.BooleanProperty()),
 ('al_file_perms_read_group', properties.BooleanProperty()),
 ('al_file_perms_read_owner', properties.BooleanProperty()),
 ('al_file_perms_read_world', properties.BooleanProperty()),
          "arp.proto.type": "0x00000800",
          "arp.hw.size": "6",
          "arp.proto.size": "4",
          "arp.opcode": "1",
          "arp.src.hw_mac": "00:0c:29:b6:ad:47",
          "arp.src.proto_ipv4": "192.168.1.200",
          "arp.dst.hw_mac": "00:00:00:00:00:00",
          "arp.dst.proto_ipv4": "192.168.1.1"
        }
      }
    }
    dst_hw_mac, dst_proto_ipv4, hw_size, hw_type, level, opcode, proto_size, proto_type, src_hw_mac, src_proto_ipv4
    """


@CustomExtension(
    NetworkTraffic,
    'x-arp-ext',
    [
        ('src_hw_mac', properties.StringProperty(required=True)),
        ('dst_hw_mac', properties.StringProperty(required=True)),
        ('src_proto_ipv4', properties.StringProperty(required=True)),
        ('dst_proto_ipv4', properties.StringProperty(required=True)),
        ('hw_size', properties.StringProperty(required=True)),
        ('hw_type', properties.StringProperty(required=True)),
        ('level', properties.StringProperty(required=True)),
        ('opcode', properties.StringProperty(required=True)),
        ('proto_size', properties.StringProperty(required=True)),
        ('proto_type', properties.StringProperty(required=True)),
        ('isgratuitous', properties.StringProperty()),
    ],
)
class ArpPacket:
    """NetworkTraffic extension for one decoded ARP packet.

    Every field is kept as the string the dissector produced (sizes, type
    codes and opcode included); MAC and IPv4 values are stored verbatim
    with no format validation, so consumers should not assume they are
    well-formed.
    """
from stix2 import ObservedData, MemorySink, CustomObservable, properties
from os import listdir
from os.path import isfile, join


@CustomObservable('command-executed', [
    ('command', properties.StringProperty(required=True)),
])
class NewObservable:
    """Custom cyber observable recording a single executed command line."""


def command_observable(comm, timestamp):
    """Record one executed command as STIX observed-data in the global sink.

    Wraps ``comm`` in the ``command-executed`` observable, builds an
    ``ObservedData`` observed once at ``timestamp``, and adds it to ``wrt``,
    the module-level ``MemorySink`` that ``main_mapper`` creates; calling
    this before ``main_mapper`` has run raises ``NameError``.
    """
    observable = NewObservable(command=comm)
    observed = ObservedData(
        first_observed=timestamp,
        last_observed=timestamp,
        number_observed=1,
        objects={'0': observable},
    )
    wrt.add(observed)


def main_mapper(blutus):
    file = open(good[blutus], 'r')
    global wrt
    wrt = MemorySink()

    for line in file:
        a = line.split(':')
        if a[0].__contains__('Command Executed'):
            b = a[0].split(' ')
            c = str(b[0].replace('_', ''))
    """Generate a random STIX id (uuid v1).
    This id will be stored and resolved by openCTI.
    We will store only 5 STIX objects of this type to prevent database flooding.
    :param stix_type: the stix type
    """

    @staticmethod
    def generate_random_stix_id(stix_type):
        new_uuid = str(uuid.uuid1())
        return stix_type + "--" + new_uuid


@CustomObservable(
    "x-opencti-simple-observable",
    [
        ("key", properties.StringProperty(required=True)),
        ("value", properties.StringProperty(required=True)),
        ("description", properties.StringProperty()),
        (
            "created_by_ref",
            properties.ReferenceProperty(valid_types="identity",
                                         spec_version="2.1"),
        ),
        ("x_opencti_score", properties.IntegerProperty()),
        ("x_opencti_create_indicator", properties.BooleanProperty()),
        ("labels", properties.ListProperty(properties.StringProperty)),
        ("external_references", properties.ListProperty(ExternalReference)),
        (
            "object_marking_refs",
            properties.ListProperty(
                properties.ReferenceProperty(valid_types="marking-definition",
"""Detail Yeti's incident object structure."""
from stix2 import CustomObject, properties

from .entity import Entity


@CustomObject('x-incident', [
    ('x_internal_references', properties.ListProperty(
        properties.StringProperty)),
    ('name', properties.StringProperty()),
    ('description', properties.StringProperty()),
])
class StixIncident:
    """STIX-side definition of Yeti's ``x-incident`` custom object."""
    _collection_name = 'entities'
    type = 'x-incident'

    @property
    def internal_references(self):
        """Internal references read through from the wrapped STIX object.

        NOTE(review): this reads ``internal_references`` while the property
        registered on the decorator is ``x_internal_references``; confirm
        which name the wrapped object actually exposes.
        """
        stix_object = self._stix_object
        return stix_object.internal_references


class Incident(Entity):
    """Incident Yeti object."""

    _collection_name = 'entities'
    type = 'x-incident'

    @property
    def name(self):
        """Name of the incident, read through from the wrapped STIX object."""
        stix_object = self._stix_object
        return stix_object.name
from flask import Flask, render_template, request, abort
from svalid import svalid
from mock import patch

from openc2 import Command, Response, CustomTarget
from stix2 import properties

import itertools
import json
import openc2
import pha
import requests
import uuid

@CustomTarget('x-newcontext-com:aws', [
    ('image', properties.StringProperty()),
    ('instance', properties.StringProperty()),
])
class NewContextAWS:
    """OpenC2 custom target naming an AWS image and/or instance.

    Both properties are optional strings; no validation beyond the stix2
    property types is performed here.
    """

# Lower-case action names (presumably the OpenC2 actions this service
# accepts; their dispatch is not visible in this excerpt).
CREATE = 'create'
QUERY = 'query'
START = 'start'
STOP = 'stop'
DELETE = 'delete'

app = Flask(__name__)  # the Flask application object for this module

# Capitalised counterparts of the instance-level actions above; how they are
# consumed is not visible in this excerpt.
_instcmds = ('Query', 'Start', 'Stop', 'Delete')
 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;  LOSS OF USE, DATA, OR PROFITS;
 OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGE.
'''

from stix2 import properties
from openc2.properties import TargetProperty, ActuatorProperty, ArgsProperty
from openc2.base import _OpenC2Base, _Actuator, _Target
from openc2 import Command, CustomActuator
from collections import OrderedDict


@CustomActuator('x-aws-resource', [
    ('aws_account', properties.StringProperty(required=True)),
    ('aws_region', properties.StringProperty(required=True)),
    ('aws_resource_id', properties.StringProperty(required=True)),
])
class AWSResourceActuator:
    """OpenC2 actuator identifying one AWS resource by account, region and id.

    All three fields are required strings; the AWS commands in this module
    accept only this actuator type in their constraint checks.
    """


class AWSNACL(Command):
    _type = 'x-aws-nacl'
    _properties = OrderedDict([
        ('action',
         properties.EnumProperty(allowed=["allow", "deny", "delete"],
                                 required=True)),
        ('target', TargetProperty(required=True)),
        ('args', ArgsProperty(required=True)),
from stix2.v21 import Campaign, CustomObject, Identity, LanguageContent
from stix2.v21.bundle import Bundle
from stix2 import properties
import stix2
import unittest

# Module metadata. __all__ restricts star-imports to the public wrapper
# class; _BogusLC below stays module-private.
__copyright__ = 'Copyright 2018 New Context Services, Inc.'
__license__ = '2-clause BSD'
__maintainer__ = 'John-Mark Gurney'
__email__ = '*****@*****.**'

__all__ = ['stixlangwrap']


@CustomObject('x-bogus-lc', [
    ('object_ref', properties.StringProperty()),
])
class _BogusLC:
    """Module-private placeholder custom object with a single ``object_ref``
    string; judging by the name it stands in for a language-content object,
    but its use is not visible in this excerpt.
    """


class stixlangwrap(object):
    '''Wrapper that makes accessing and setting languages on STIX objects easier.'''
    def __init__(self, lang, obj, no_default=False):
        '''lang: either a string that is the default language, or a
			list of strings, with the earlier one preferred over
			the later ones.
		obj: A STIX object from the STIX 2 framework.
		no_default: Raise an Attribute error if one of the specified
			languages is not available.
		'''