def to_identity(r):
""" Fungsi untuk mengubah rdd menjadi objek stix identity dengan cara lookup ip ke geoip maxmind"""
id = str(uuid.uuid4())
created = datetime.datetime.now()
modified = created
ip = r['objects']['0']['value']
geoip = lookup_ip(ip)
name = geoip['country'] + ' generic'
desc = 'Individual identity from ' + geoip['city'] + ', ' + geoip['country']
identity = stix2.Identity(id="identity--" + id,
created=created,
modified=modified,
name=name,
description=desc,
identity_class="individual")
# di jadikan json
identity_serialized = identity.serialize()
identity_json = json.loads(identity_serialized)
# dijadikan ke row rdd
return _rowify(identity_json, prototypes.identity_prototype)
def test_identity_with_custom():
identity = stix2.Identity(name="John Smith",
identity_class="individual",
custom_properties={'x_foo': 'bar'})
assert identity.x_foo == "bar"
assert "x_foo" in identity.object_properties()
def test_creator_of_not_found():
identity = stix2.Identity(**IDENTITY_KWARGS)
factory = stix2.ObjectFactory(created_by_ref=identity.id)
env = stix2.Environment(store=stix2.MemoryStore(), factory=factory)
ind = env.create(stix2.Indicator, **INDICATOR_KWARGS)
creator = env.creator_of(ind)
assert creator is None
def on_ok(self):
identity = stix2.Identity(
identity_class='individual',
name=self.name.value,
contact_information=self.email.value,
)
parent_app: IndicatorEvaluationApplication = self.find_parent_app()
parent_app.on_identity_selected(identity)
def test_creator_of_no_datasource():
identity = stix2.Identity(**IDENTITY_KWARGS)
factory = stix2.ObjectFactory(created_by_ref=identity.id)
env = stix2.Environment(factory=factory)
ind = env.create(stix2.Indicator, **INDICATOR_KWARGS)
with pytest.raises(AttributeError) as excinfo:
env.creator_of(ind)
assert 'Environment has no data source' in str(excinfo.value)
def ds():
cam = stix2.Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS)
idy = stix2.Identity(id=IDENTITY_ID, **IDENTITY_KWARGS)
ind = stix2.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
mal = stix2.Malware(id=MALWARE_ID, **MALWARE_KWARGS)
rel1 = stix2.Relationship(ind, 'indicates', mal, id=RELATIONSHIP_IDS[0])
rel2 = stix2.Relationship(mal, 'targets', idy, id=RELATIONSHIP_IDS[1])
rel3 = stix2.Relationship(cam, 'uses', mal, id=RELATIONSHIP_IDS[2])
stix_objs = [cam, idy, ind, mal, rel1, rel2, rel3]
yield stix2.MemoryStore(stix_objs)
def test_identity_example():
identity = stix2.Identity(
id="identity--311b2d2d-f010-5473-83ec-1edf84858f4c",
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="John Smith",
identity_class="individual",
)
assert str(identity) == EXPECTED
def test_custom_properties_object_in_bundled_object():
obj = stix2.Identity(name="John Smith",
identity_class="individual",
custom_properties={
"x_foo": "bar",
})
bundle = stix2.Bundle(obj, allow_custom=True)
assert bundle.objects[0].x_foo == "bar"
assert '"x_foo": "bar"' in str(bundle)
def test_custom_property_in_bundled_object():
identity = stix2.Identity(
name="John Smith",
identity_class="individual",
x_foo="bar",
allow_custom=True,
)
bundle = stix2.Bundle(identity, allow_custom=True)
assert bundle.objects[0].x_foo == "bar"
assert '"x_foo": "bar"' in str(bundle)
def test_identity_custom_property_allowed():
identity = stix2.Identity(
id="identity--311b2d2d-f010-5473-83ec-1edf84858f4c",
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
identity_class="individual",
x_foo="bar",
allow_custom=True,
)
assert identity.x_foo == "bar"
def test_pickling():
"""
Ensure a pickle/unpickle cycle works okay.
"""
identity = stix2.Identity(
id="identity--d66cb89d-5228-4983-958c-fa84ef75c88c",
name="alice",
description="this is a pickle test",
identity_class="some_class"
)
pickle.loads(pickle.dumps(identity))
def test_identity_custom_property_invalid():
with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
stix2.Identity(
id="identity--311b2d2d-f010-5473-83ec-1edf84858f4c",
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
identity_class="individual",
x_foo="bar",
)
assert excinfo.value.cls == stix2.Identity
assert excinfo.value.properties == ['x_foo']
assert "Unexpected properties for" in str(excinfo.value)
def test_identity_custom_property():
with pytest.raises(ValueError) as excinfo:
stix2.Identity(
id="identity--311b2d2d-f010-5473-83ec-1edf84858f4c",
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
identity_class="individual",
custom_properties="foobar",
)
assert str(excinfo.value) == "'custom_properties' must be a dictionary"
with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
stix2.Identity(
id="identity--311b2d2d-f010-5473-83ec-1edf84858f4c",
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
identity_class="individual",
custom_properties={
"foo": "bar",
},
foo="bar",
)
assert "Unexpected properties for Identity" in str(excinfo.value)
identity = stix2.Identity(
id="identity--311b2d2d-f010-5473-83ec-1edf84858f4c",
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
identity_class="individual",
custom_properties={
"foo": "bar",
},
)
assert identity.foo == "bar"
import stix2
identityOscorp = stix2.Identity(
id="identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c",
created="2017-04-14T13:07:49.812Z",
modified="2017-04-14T13:07:49.812Z",
name="Oscorp Industries",
identity_class="organization",
contact_information="*****@*****.**",
sectors=["technology"])
identityPym = stix2.Identity(
id="identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",
created="2017-04-14T13:07:49.812Z",
modified="2017-04-14T13:07:49.812Z",
name="Pym Technologies",
identity_class="organization",
contact_information="*****@*****.**",
sectors=["technology"])
malware = stix2.Malware(
id="malware--ae560258-a5cb-4be8-8f05-013d6712295f",
created="2014-02-20T09:16:08.989Z",
modified="2014-02-20T09:16:08.989Z",
created_by_ref="identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",
name="Online Job Site Trojan",
description=
"Trojan that is disguised as the executable file resume.pdf., it also creates a registry key.",
labels=["remote-access-trojan"])
observedDataFile = stix2.ObservedData(
def generate_report():
istihbarat_no = 0
cyber_threads_infos = []
attack_patterns = []
sti_list = []
records = get_all_records(settings.traffic_table_name,
settings.prediction_column_name)
unique_records = unique_lists_from_multidimensional_array(records)
identity = stiv.Identity(
name=
"Veri Madenciligi Temelli Siber Tehdit Istihbarati Tez Calismasi Onerilen Sistemin Uygulamasi - Suleyman Muhammed ARIKAN",
identity_class="individual")
sti_list.append(identity)
predictions = [record[1] for record in unique_records]
unique_predictions = set(predictions)
for attack in unique_predictions:
attact_pattern = stiv.AttackPattern(name=attack,
created_by_ref=identity.id)
attack_patterns.append(attact_pattern)
sti_list.append(attact_pattern)
cyber_threads_infos.append(
"intelligence_id-prediction-source_host-source_port-destination_port-protocol"
+ "\n")
for record in records:
if str(record[1]) != settings.unknown_class_value:
cyber_thread_info = str(record[1]) + "-" + str(
record[5]) + "-" + str(int(float(record[3]))) + "-" + str(
int(float(record[4]))) + "-" + settings.protocols_list[
int(record[8]) - 1] + "\n"
cyber_threads_infos.append(cyber_thread_info)
istihbarat_no = istihbarat_no + 1
indicator_name = str(
istihbarat_no) + " numaralı istihbarat - " + str(record[5])
indicator_label = ["malicious-activity"]
indicator_pattern = "[network-traffic:src_ref.type = 'ipv4-addr' AND "
indicator_pattern = indicator_pattern + "network-traffic:src_ref.value = '" + str(
record[5]) + "' AND "
indicator_pattern = indicator_pattern + "network-traffic:src_port = " + str(
int(float(record[3]))) + " AND "
indicator_pattern = indicator_pattern + "network-traffic:dst_port = " + str(
int(float(record[4]))) + " AND "
indicator_pattern = indicator_pattern + "network-traffic:protocols[*] = '" + settings.protocols_list[
int(record[8]) - 1] + "']"
indicator = stiv.Indicator(name=indicator_name,
labels=indicator_label,
pattern=indicator_pattern,
created_by_ref=identity.id)
sti_list.append(indicator)
attack_pattern = get_attack_pattern(attack_patterns,
str(record[1]))
relationship = stiv.Relationship(relationship_type='indicates',
source_ref=indicator.id,
target_ref=attack_pattern.id)
sti_list.append(relationship)
stiv_bundle = stiv.Bundle(sti_list)
file_name = datetime.datetime.now().strftime("%Y-%m-%d-%H-%M-%S-%f")
fo = open("raporlar/" + file_name + ".txt", "x")
istihbarat_no = 0
for cti in cyber_threads_infos:
if (istihbarat_no != 0):
cti = str(istihbarat_no) + "-" + cti
fo.write(cti)
istihbarat_no = istihbarat_no + 1
fo.close()
fo_stiv = open("raporlar/" + file_name + ".json", "x")
fo_stiv.write(stiv_bundle.serialize())
fo_stiv.close()
return file_name
def stix_bundle(objs, rel=True, sight=True):
objects = ()
ids = []
for o in objs:
if not o.object_id.id in ids:
ids.append(o.object_id.id)
if o.object_type.name == "report":
r = Report.objects.get(id=o.id)
for i in r.object_refs.all().values_list("id", flat=True):
if i in ids:
ids.append(i)
if rel:
rels = Relationship.objects.filter(
Q(source_ref=o.object_id)\
|Q(target_ref=o.object_id)\
)
lists = list(rels.values_list("object_id", flat=True)) + \
list(rels.values_list("source_ref", flat=True)) + \
list(rels.values_list("target_ref", flat=True))
for i in lists:
if not i in ids:
ids.append(i)
if sight:
sights = Sighting.objects.filter(
Q(where_sighted_refs=o.object_id)\
|Q(sighting_of_ref=o.object_id)\
)
lists = list(sights.values_list("object_id", flat=True)) + \
list(sights.values_list("sighting_of_ref", flat=True))
for i in lists:
if not i in ids:
ids += i
oids = STIXObjectID.objects.filter(id__in=ids)
for oid in oids:
obj = myforms.get_obj_from_id(oid)
if obj.object_type.name == 'identity':
i = stix2.Identity(
id=obj.object_id.object_id,
name=obj.name,
identity_class=obj.identity_class,
description=obj.description,
#sectors=[str(s.value) for s in obj.sectors.all()],
sectors=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'attack-pattern':
a = stix2.AttackPattern(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
created=obj.created,
modified=obj.modified,
)
objects += (a, )
elif obj.object_type.name == 'malware':
m = stix2.Malware(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (m, )
elif obj.object_type.name == 'indicator':
i = stix2.Indicator(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
pattern=[str(p.value) for p in obj.pattern.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'threat-actor':
t = stix2.ThreatActor(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
)
objects += (t, )
elif obj.object_type.name == 'relationship':
r = stix2.Relationship(
id=obj.object_id.object_id,
relationship_type=obj.relationship_type.name,
description=obj.description,
source_ref=obj.source_ref.object_id,
target_ref=obj.target_ref.object_id,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'sighting':
s = stix2.Sighting(
id=obj.object_id.object_id,
sighting_of_ref=obj.sighting_of_ref.object_id,
where_sighted_refs=[
str(w.object_id) for w in obj.where_sighted_refs.all()
],
first_seen=obj.first_seen,
last_seen=obj.last_seen,
created=obj.created,
modified=obj.modified,
)
objects += (s, )
elif obj.object_type.name == 'report':
r = stix2.Report(
id=obj.object_id.object_id,
labels=[str(l.value) for l in obj.labels.all()],
name=obj.name,
description=obj.description,
published=obj.published,
object_refs=[str(r.object_id) for r in obj.object_refs.all()],
created=obj.created,
modified=obj.modified,
)
objects += (r, )
bundle = stix2.Bundle(*objects)
return bundle
def fetch_and_send(self):
bundle_objects = list()
# create an identity for the coalition team
organization = stix2.Identity(
name="Cyber Threat Coalition Team",
identity_class="organization",
description="Team of Experts collecting and sharing pandemic related "
"cyber threat intelligence during the COVID-19 crisis time",
)
# add organization in bundle
bundle_objects.append(organization)
report_object_refs = list()
for collection in ["domain", "ip", "url", "hash"]:
# fetch backlist
url = self.cyber_threat_coalition_base_url + "/" + str(collection) + ".txt"
response = requests.get(url=url)
if response.status_code != 200:
raise Exception(
"Unable to fetch {0} blacklist, server returned status: {1}",
collection,
response.status_code,
)
opencti_type = None
pattern_type = "stix"
tags = [{"tag_type": "Event", "value": "COVID-19", "color": "#fc036b"}]
# parse content
for data in response.iter_lines(decode_unicode=True):
if data and not data.startswith("#"):
if collection == "domain":
opencti_type = "domain"
elif collection == "ip":
opencti_type = "ipv4-addr"
elif collection == "url":
opencti_type = "url"
data = urllib.parse.quote(data, "/:")
elif collection == "hash":
opencti_type = self.get_hash_type(data)
try:
indicator = stix2.Indicator(
name=data,
pattern=self._OPENCTI_TYPE[opencti_type].format(data),
labels=["malicious-activity"],
created_by_ref=organization,
object_marking_refs=[stix2.TLP_WHITE],
custom_properties={
CustomProperties.OBSERVABLE_TYPE: opencti_type,
CustomProperties.OBSERVABLE_VALUE: data,
CustomProperties.PATTERN_TYPE: pattern_type,
CustomProperties.TAG_TYPE: tags,
},
)
except Exception as ex:
self.helper.log_error(
"an exception occurred while converting data to STIX indicator "
"for data.value: {} , skipping IOC, exception: {}".format(
data, ex
)
)
continue
# add indicator in bundle and report_refs
bundle_objects.append(indicator)
report_object_refs.append(indicator["id"])
# create a global threat report
report_uuid = "report--552b3ae6-8522-409d-8b72-a739bc1926aa"
report_external_reference = stix2.ExternalReference(
source_name="Cyber Threat Coalition",
url="https://www.cyberthreatcoalition.org",
external_id="COVID19-CTC",
)
stix_report = stix2.Report(
id=report_uuid,
name="COVID-19 Cyber Threat Coalition (CTC) BlackList",
type="report",
description="This report represents the whole COVID-19 CTC blacklist.",
published=datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"),
created_by_ref=organization,
object_marking_refs=[stix2.TLP_WHITE],
labels=["threat-report"],
external_references=[report_external_reference],
object_refs=report_object_refs,
custom_properties={CustomProperties.TAG_TYPE: tags,},
)
# add report in bundle
bundle_objects.append(stix_report)
# create stix bundle
bundle = stix2.Bundle(objects=bundle_objects)
# send data
self.helper.send_stix2_bundle(
bundle=bundle.serialize(), update=self.update_existing_data
)
import stix2
granular_red = stix2.GranularMarking(marking_ref=stix2.TLP_RED.id,
selectors=["description"])
granular_amber = stix2.GranularMarking(marking_ref=stix2.TLP_AMBER.id,
selectors=["labels.[1]"])
granular_green = stix2.GranularMarking(
marking_ref=stix2.TLP_GREEN.id,
selectors=["labels.[0]", "name", "pattern"])
identity = stix2.Identity(id="identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca",
created="2017-04-27T16:18:24.318Z",
modified="2017-04-27T16:18:24.318Z",
name="Gotham National Bank",
contact_information="*****@*****.**",
identity_class="organization",
sectors=["financial-services"])
threat_actor = stix2.ThreatActor(
id="threat-actor--8b6297fe-cae7-47c6-9256-5584b417849c",
created="2017-04-27T16:18:24.318Z",
modified="2017-04-27T16:18:24.318Z",
created_by_ref="identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca",
name="The Joker",
labels=["terrorist", "criminal"],
aliases=["Joe Kerr", "The Clown Prince of Crime"],
roles=["director"],
resource_level="team",
primary_motivation="personal-satisfaction",
import stix2
threat_actor = stix2.ThreatActor(
id="threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
created="2015-05-07T14:22:14.760Z",
modified="2015-05-07T14:22:14.760Z",
name="Adversary Bravo",
description=
"Adversary Bravo is known to use phishing attacks to deliver remote access malware to the targets.",
labels=["spy", "criminal"])
identity = stix2.Identity(
id="identity--1621d4d4-b67d-41e3-9670-f01faf20d111",
created="2015-05-10T16:27:17.760Z",
modified="2015-05-10T16:27:17.760Z",
name="Adversary Bravo",
description=
"Adversary Bravo is a threat actor that utilizes phishing attacks.",
identity_class="unknown")
init_comp = stix2.KillChainPhase(
kill_chain_name="mandiant-attack-lifecycle-model",
phase_name="initial-compromise")
malware = stix2.Malware(id="malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4",
created="2015-04-23T11:12:34.760Z",
modified="2015-04-23T11:12:34.760Z",
name="Poison Ivy Variant d1c6",
labels=["remote-access-trojan"],
kill_chain_phases=[init_comp])
def identity_maker(**kwargs):
identity = stix2.Identity(**kwargs)
flag = itemtofile(identity)
return flag, identity
name="VNC",
created_by_ref=IDENTITY_ID,
interoperability=True)
VULNERABILITY_KWARGS = dict(type='vulnerability',
id=VULNERABILITY_ID,
name="Heartbleed",
created_by_ref=IDENTITY_ID)
if __name__ == '__main__':
attack_pattern = stix2.AttackPattern(**ATTACK_PATTERN_KWARGS,
interoperability=True)
campaign = stix2.Campaign(**CAMPAIGN_KWARGS, interoperability=True)
course_of_action = stix2.CourseOfAction(**COURSE_OF_ACTION_KWARGS,
interoperability=True)
identity = stix2.Identity(**IDENTITY_KWARGS, interoperability=True)
indicator = stix2.Indicator(**INDICATOR_KWARGS, interoperability=True)
intrusion_set = stix2.IntrusionSet(**INTRUSION_SET_KWARGS,
interoperability=True)
malware = stix2.Malware(**MALWARE_KWARGS, interoperability=True)
marking_definition = stix2.MarkingDefinition(**MARKING_DEFINITION_KWARGS,
interoperability=True)
observed_data = stix2.ObservedData(**OBSERVED_DATA_KWARGS,
interoperability=True)
relationship = stix2.Relationship(**RELATIONSHIP_KWARGS,
interoperability=True)
sighting = stix2.Sighting(**SIGHTING_KWARGS, interoperability=True)
threat_actor = stix2.ThreatActor(**THREAT_ACTOR_KWARGS,
interoperability=True)
tool = stix2.Tool(**TOOL_KWARGS) #, interoperability=True),
vulnerability = stix2.Vulnerability(**VULNERABILITY_KWARGS,
import stix2
identityAlpha = stix2.Identity(
id="identity--39012926-a052-44c4-ae48-caaf4a10ee6e",
created="2017-02-24T15:50:10.564Z",
modified="2017-02-24T15:50:10.564Z",
name="Alpha Threat Analysis Org.",
identity_class="organisation",
contact_information="*****@*****.**",
labels=["Cyber Security"],
sectors=["technology"]
)
identityBeta = stix2.Identity(
id="identity--5206ba14-478f-4b0b-9a48-395f690c20a2",
created="2017-02-26T17:55:10.442Z",
modified="2017-02-26T17:55:10.442Z",
name="Beta Cyber Intelligence Company",
identity_class="organisation",
contact_information="*****@*****.**",
labels=["Cyber Security"],
sectors=["technology"]
)
indicator = stix2.Indicator(
id="indicator--9299f726-ce06-492e-8472-2b52ccb53191",
created_by_ref="identity--39012926-a052-44c4-ae48-caaf4a10ee6e",
created="2017-02-27T13:57:10.515Z",
modified="2017-02-27T13:57:10.515Z",
name="Malicious URL",
description="This URL is potentially associated with malicious activity and is listed on several blacklist sites.",
import stix2
identity = stix2.Identity(
id="identity--611d9d41-dba5-4e13-9b29-e22488058ffc",
created="2017-04-14T13:07:49.812Z",
modified="2017-04-14T13:07:49.812Z",
name="Stark Industries",
contact_information="*****@*****.**",
identity_class="organisation",
sectors=["defence"]
)
marking_def_amber = stix2.MarkingDefinition(
id="marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
created="2017-01-20T00:00:00.000Z",
definition_type="tlp",
definition={
"tlp": "amber"
}
)
marking_def_statement = stix2.MarkingDefinition(
id="marking-definition--d81f86b9-975b-bc0b-775e-810c5ad45a4f",
created="2017-04-14T13:07:49.812Z",
definition_type="statement",
definition=stix2.StatementMarking("Copyright (c) Stark Industries 2017.")
)
indicator = stix2.Indicator(
id="indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
created="2017-04-14T13:07:49.812Z",
def test_stix_object_property():
prop = stix2.core.STIXObjectProperty()
identity = stix2.Identity(name="test", identity_class="individual")
assert prop.clean(identity) is identity
def test_object_factory_created_by_ref_obj():
id_obj = stix2.Identity(id=IDENTITY_ID, **IDENTITY_KWARGS)
factory = stix2.ObjectFactory(created_by_ref=id_obj)
ind = factory.create(stix2.Indicator, **INDICATOR_KWARGS)
assert ind.created_by_ref == IDENTITY_ID
import stix2
threat_actor = stix2.ThreatActor(
id="threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428",
created="2014-11-19T23:39:03.893Z",
modified="2014-11-19T23:39:03.893Z",
name="Disco Team Threat Actor Group",
description=
"This organized threat actor group operates to create profit from all types of crime.",
labels=["crime-syndicate"],
aliases=["Equipo del Discoteca"],
roles=["agent"],
goals=["Steal Credit Card Information"],
sophistication="expert",
resource_level="organization",
primary_motivation="personal-gain")
identity = stix2.Identity(
id="identity--733c5838-34d9-4fbf-949c-62aba761184c",
created="2016-08-23T18:05:49.307Z",
modified="2016-08-23T18:05:49.307Z",
name="Disco Team",
description=
"Disco Team is the name of an organized threat actor crime-syndicate.",
identity_class="organization",
contact_information="*****@*****.**")
relationship = stix2.Relationship(threat_actor, 'attributed-to', identity)
bundle = stix2.Bundle(objects=[threat_actor, identity, relationship])
def fetch_and_send(self):
timestamp = int(time.time())
now = datetime.utcfromtimestamp(timestamp)
friendly_name = "Cyber Threat Coalition run @ " + now.strftime(
"%Y-%m-%d %H:%M:%S"
)
work_id = self.helper.api.work.initiate_work(
self.helper.connect_id, friendly_name
)
bundle_objects = list()
# create an identity for the coalition team
organization = stix2.Identity(
id=OpenCTIStix2Utils.generate_random_stix_id("identity"),
name="Cyber Threat Coalition Team",
identity_class="organization",
description="Team of Experts collecting and sharing pandemic related "
"cyber threat intelligence during the COVID-19 crisis time",
)
# add organization in bundle
bundle_objects.append(organization)
report_object_refs = list()
for collection in ["domain", "ip", "url", "hash"]:
# fetch backlist
url = self.cyber_threat_coalition_base_url + "/" + str(collection) + ".txt"
response = requests.get(url=url)
if response.status_code != 200:
raise Exception(
"Unable to fetch {0} blacklist, server returned status: {1}",
collection,
response.status_code,
)
pattern_type = "stix"
labels = ["COVID-19", "malicious-activity"]
# parse content
for data in response.iter_lines(decode_unicode=True):
observable_type = None
observable_resolver = None
if data and not data.startswith("#"):
if collection == "domain":
observable_resolver = "Domain-Name"
observable_type = "Domain-Name"
elif collection == "ip":
observable_resolver = "IPv4-Addr"
observable_type = "IPv4-Addr"
elif collection == "url":
observable_resolver = "Url"
observable_type = "Url"
data = urllib.parse.quote(data, "/:")
elif collection == "hash":
observable_resolver = self.get_hash_type()
observable_type = "File"
indicator = None
if observable_resolver is None or observable_type is None:
return
if self.cyber_threat_coalition_create_indicators:
indicator = stix2.Indicator(
id=OpenCTIStix2Utils.generate_random_stix_id("indicator"),
name=data,
pattern_type=pattern_type,
pattern=self._INDICATOR_PATTERN[observable_resolver].format(
data
),
labels=labels,
created_by_ref=organization,
object_marking_refs=[stix2.TLP_WHITE],
custom_properties={
"x_opencti_main_observable_type": observable_type,
},
)
bundle_objects.append(indicator)
report_object_refs.append(indicator["id"])
if self.cyber_threat_coalition_create_observables:
observable = SimpleObservable(
id=OpenCTIStix2Utils.generate_random_stix_id(
"x-opencti-simple-observable"
),
key=observable_type
+ "."
+ ".".join(self._OBSERVABLE_PATH[observable_resolver]),
value=data,
labels=labels,
created_by_ref=organization,
object_marking_refs=[stix2.TLP_WHITE],
)
bundle_objects.append(observable)
report_object_refs.append(observable["id"])
if indicator is not None:
relationship = stix2.Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id(
"relationship"
),
relationship_type="based-on",
created_by_ref=organization,
source_ref=indicator.id,
target_ref=observable.id,
)
bundle_objects.append(relationship)
report_object_refs.append(relationship["id"])
# create a global threat report
report_uuid = "report--552b3ae6-8522-409d-8b72-a739bc1926aa"
report_external_reference = stix2.ExternalReference(
source_name="Cyber Threat Coalition",
url="https://www.cyberthreatcoalition.org",
external_id="COVID19-CTC",
)
if report_object_refs:
stix_report = stix2.Report(
id=report_uuid,
name="COVID-19 Cyber Threat Coalition (CTC) BlackList",
type="report",
description="This report represents the whole COVID-19 CTC blacklist.",
published=datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"),
created_by_ref=organization,
object_marking_refs=[stix2.TLP_WHITE],
labels=labels,
external_references=[report_external_reference],
object_refs=report_object_refs,
)
# add report in bundle
bundle_objects.append(stix_report)
# create stix bundle
bundle = stix2.Bundle(objects=bundle_objects)
# send data
self.helper.send_stix2_bundle(
bundle=bundle.serialize(), update=self.update_existing_data, work_id=work_id
)
return work_id
def process_reports(self, reports):
if reports is None:
printer.error("No results")
return
for report in reports:
name = report["name"]
id = report["id"]
stix2_objects = []
stix2_object_refs = []
# FFS AV, consistency!
if 'tlp' in report:
tlp_id = REF_TLPS[report['tlp'].upper()]
elif 'TLP' in report:
tlp_id = REF_TLPS[report['TLP'].upper()]
else:
tlp_id = REF_TLPS['WHITE']
sectors = report['industries']
if sectors:
unmatched_sectors = []
added_sector = False
for sector in [html.unescape(x.upper()) for x in sectors]:
sector_name = None
sector_id = None
if sector in SECTOR_MAPPINGS:
# sector_ids.append(self.octi_sectors[SECTOR_MAPPINGS[sector]])
sector_name = SECTOR_MAPPINGS[sector]
try:
sector_id = self.octi_sectors[
SECTOR_MAPPINGS[sector]]
except Exception as e:
printer.error(e)
continue
else:
printer.debug(f"Looking for sector {sector}")
match = difflib.get_close_matches(
sector, self.octi_sectors.keys(), 1)
if not len(match):
printer.error(
f"Unable to determine a matching sector for {sector}"
)
unmatched_sectors.append(sector)
continue
# sector_ids.append(self.octi_sectors[match[0]])
sector_name = match[0]
sector_id = self.octi_sectors[match[0]]
if sector_name is not None:
s = stix2.Identity(id=sector_id,
name=sector_name,
identity_class='class',
custom_properties={
'x_opencti_identity_type':
'sector'
})
printer.debug(f"Adding sector {sector_name}")
stix2_objects.append(s)
stix2_object_refs.append(s)
added_sector = True
if not added_sector:
printer.warn("Adding 'UNKNOWN' placeholder sector")
s = stix2.Identity(id=self.octi_sectors["UNKNOWN"],
name="Unknown",
identity_class='class',
custom_properties={
'x_opencti_identity_type': 'sector'
})
stix2_objects.append(s)
stix2_object_refs.append(s)
description = report['description']
if len(unmatched_sectors):
description = description + "\n\n###\nUnable to find a match for the following sectors, " \
"please review manually:\n - " + '\n - '.join(unmatched_sectors)
printer.info(f"Generating STIX2 for {name} ({id})")
author = stix2.Identity(name=report['author_name'],
identity_class='organization')
stix2_objects.append(author)
adversary = None
if report['adversary']:
printer.debug("Adding adversary {}".format(
report['adversary']))
adversary = stix2.IntrusionSet(name=report['adversary'])
stix2_object_refs.append(adversary)
stix2_objects.append(adversary)
if report['targeted_countries']:
for country in report['targeted_countries']:
printer.debug(f"Adding country {country}")
c = stix2.Identity(name=country,
identity_class='organization',
custom_properties={
'x_opencti_identity_type':
'country'
})
stix2_objects.append(c)
stix2_object_refs.append(c)
external_refs = []
for eref in report['references']:
external_refs.append(
stix2.ExternalReference(source_name=tldextract.extract(
eref).registered_domain,
url=eref))
indicators = report["indicators"]
if indicators:
for indicator in indicators:
resolved_type = self.resolve_type(
indicator["type"].lower())
if resolved_type != None and indicator["is_active"]:
observable_type = resolved_type
observable_value = indicator["indicator"]
pattern_type = 'stix'
try:
if observable_type in PATTERNTYPES:
pattern_type = observable_type
elif observable_type not in OPENCTISTIX2:
printer.info("Not in stix2 dict")
else:
if 'transform' in OPENCTISTIX2[
observable_type]:
if OPENCTISTIX2[observable_type][
'transform'][
'operation'] == 'remove_string':
observable_value = observable_value.replace(
OPENCTISTIX2[observable_type]
['transform']['value'], '')
lhs = stix2.ObjectPath(
OPENCTISTIX2[observable_type]['type'],
OPENCTISTIX2[observable_type]['path'])
observable_value = stix2.ObservationExpression(
stix2.EqualityComparisonExpression(
lhs, observable_value))
except Exception as e:
printer.error(e)
printer.info(
"Could not determine suitable pattern")
try:
indicator_obj = stix2.Indicator(
name=indicator["indicator"],
description=indicator["description"],
pattern=str(observable_value),
valid_from=indicator["created"],
labels=['malicious-activity'],
created_by_ref=author,
object_marking_refs=[tlp_id],
custom_properties={
'x_opencti_observable_type':
resolved_type,
'x_opencti_observable_value':
indicator["indicator"],
'x_opencti_pattern_type':
pattern_type
})
stix2_object_refs.append(indicator_obj)
stix2_objects.append(indicator_obj)
except Exception as e:
printer.error(e)
printer.info("Couldn't fetch indicator")
else:
printer.error("No indicators")
report = stix2.Report(name=name,
description=description,
created_by_ref=author,
labels=['threat-report'],
published=report['created'],
created=report['created'],
modified=report['modified'],
object_refs=stix2_object_refs,
object_marking_refs=[tlp_id],
external_references=external_refs)
stix2_objects.append(report)
bundle = stix2.Bundle(stix2_objects).serialize()
if not self.dryrun:
self.opencti_connector_helper.send_stix2_bundle(
bundle, None, True, False)
printer.info("Sending to OpenCTI")
#printer.debug(str(bundle))
else:
printer.debug(f"No sectors, disregarding '{name}'")
def run(self):
self.helper.log_info("Fetching data CYBERCRIME-TRACKER.NET...")
tlp = self.helper.api.marking_definition.read(
filters=[
{"key": "definition", "values": "TLP:{}".format(self.connector_tlp)}
]
)
while True:
try:
# Get the current timestamp and check
timestamp = int(time.time())
current_state = self.helper.get_state()
if current_state is not None and "last_run" in current_state:
last_run = current_state["last_run"]
self.helper.log_info(
"Connector last run: {}".format(
datetime.datetime.utcfromtimestamp(last_run).strftime(
"%Y-%m-%d %H:%M:%S"
)
)
)
else:
last_run = None
self.helper.log_info("Connector has never run")
# Run if it is the first time or we are past the interval
if last_run is None or ((timestamp - last_run) > self.interval):
self.helper.log_info("Connector will run!")
now = datetime.datetime.utcfromtimestamp(timestamp)
friendly_name = "MITRE run @ " + now.strftime("%Y-%m-%d %H:%M:%S")
work_id = self.helper.api.work.initiate_work(
self.helper.connect_id, friendly_name
)
# Get Feed Content
feed = feedparser.parse(self.feed_url)
self.helper.log_info(
"Found: {} entries.".format(len(feed["entries"]))
)
self.feed_summary = {
"Source": feed["feed"]["title"],
"Date": self._time_to_datetime(
feed["feed"]["published_parsed"]
),
"Details": feed["feed"]["subtitle"],
"Link": feed["feed"]["link"],
}
# Create the bundle
bundle_objects = list()
organization = stix2.Identity(
id=OpenCTIStix2Utils.generate_random_stix_id("identity"),
name="CYBERCRIME-TRACKER.NET",
identity_class="organization",
description="Tracker collecting and sharing daily updates of C2 IPs/Urls. http://cybercrime-tracker.net",
)
bundle_objects.append(organization)
for entry in feed["entries"]:
parsed_entry = self.parse_feed_entry(entry)
external_reference = stix2.ExternalReference(
source_name="{}".format(self.feed_summary["Source"]),
url=parsed_entry["ext_link"],
)
indicator_pattern = self.gen_indicator_pattern(parsed_entry)
malware = stix2.Malware(
id=OpenCTIStix2Utils.generate_random_stix_id("malware"),
is_family=True,
name=parsed_entry["type"],
description="{} malware.".format(parsed_entry["type"]),
)
bundle_objects.append(malware)
indicator = None
if self.create_indicators:
indicator = stix2.Indicator(
id=OpenCTIStix2Utils.generate_random_stix_id(
"indicator"
),
name=parsed_entry["url"],
description="C2 URL for: {}".format(
parsed_entry["type"]
),
labels=["C2 Server"],
pattern_type="stix",
pattern=indicator_pattern,
valid_from=parsed_entry["date"],
created=parsed_entry["date"],
modified=parsed_entry["date"],
created_by_ref=organization.id,
object_marking_refs=[tlp["standard_id"]],
external_references=[external_reference],
custom_properties={
"x_opencti_main_observable_type": "Url"
},
)
bundle_objects.append(indicator)
relation = stix2.Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id(
"relationship"
),
source_ref=indicator.id,
target_ref=malware.id,
relationship_type="indicates",
start_time=self._time_to_datetime(
entry["published_parsed"]
),
stop_time=self._time_to_datetime(
entry["published_parsed"]
)
+ datetime.timedelta(0, 3),
description="URLs associated to: "
+ parsed_entry["type"],
confidence=self.confidence_level,
created_by_ref=organization.id,
object_marking_refs=[tlp["standard_id"]],
created=parsed_entry["date"],
modified=parsed_entry["date"],
external_references=[external_reference],
)
bundle_objects.append(relation)
if self.create_observables:
observable_url = SimpleObservable(
id=OpenCTIStix2Utils.generate_random_stix_id(
"x-opencti-simple-observable"
),
key="Url.value",
labels=["C2 Server"],
value=parsed_entry["url"],
created_by_ref=organization.id,
object_marking_refs=[tlp["standard_id"]],
external_references=[external_reference],
)
bundle_objects.append(observable_url)
observable_ip = SimpleObservable(
id=OpenCTIStix2Utils.generate_random_stix_id(
"x-opencti-simple-observable"
),
key="IPv4-Addr.value",
labels=["C2 Server"],
value=parsed_entry["ip"],
created_by_ref=organization.id,
object_marking_refs=[tlp["standard_id"]],
external_references=[external_reference],
)
bundle_objects.append(observable_ip)
observable_domain = None
if "domain" in parsed_entry.keys():
observable_domain = SimpleObservable(
id=OpenCTIStix2Utils.generate_random_stix_id(
"x-opencti-simple-observable"
),
key="Domain-Name.value",
labels=["C2 Server"],
value=parsed_entry["domain"],
created_by_ref=organization.id,
object_marking_refs=[tlp["standard_id"]],
external_references=[external_reference],
)
bundle_objects.append(observable_domain)
if indicator is not None:
relationship_1 = stix2.Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id(
"relationship"
),
relationship_type="based-on",
created_by_ref=organization.id,
source_ref=indicator.id,
target_ref=observable_url.id,
)
bundle_objects.append(relationship_1)
relationship_2 = stix2.Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id(
"relationship"
),
relationship_type="based-on",
created_by_ref=organization.id,
source_ref=indicator.id,
target_ref=observable_ip.id,
)
bundle_objects.append(relationship_2)
if observable_domain is not None:
relationship_3 = stix2.Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id(
"relationship"
),
relationship_type="based-on",
created_by_ref=organization.id,
source_ref=indicator.id,
target_ref=observable_domain.id,
)
bundle_objects.append(relationship_3)
# create stix bundle
bundle = stix2.Bundle(objects=bundle_objects)
# send data
self.helper.send_stix2_bundle(
bundle=bundle.serialize(),
update=self.update_existing_data,
work_id=work_id,
)
# Store the current timestamp as a last run
message = (
"Connector successfully run, storing last_run as: {}".format(
str(timestamp)
)
)
self.helper.log_info(message)
self.helper.set_state({"last_run": timestamp})
self.helper.api.work.to_processed(work_id, message)
self.helper.log_info(
"Last_run stored, next run in: {} seconds.".format(
str(round(self.interval, 2))
)
)
time.sleep(60)
else:
new_interval = self.interval - (timestamp - last_run)
self.helper.log_info(
"Connector will not run. \
Next run in: {} seconds.".format(
str(round(new_interval, 2))
)
)
time.sleep(60)
except (KeyboardInterrupt, SystemExit):
self.helper.log_info("Connector stop")
exit(0)
except Exception as e:
self.helper.log_error(str(e))
time.sleep(60)
import pytest
import stix2
from .constants import FAKE_TIME, MARKING_DEFINITION_ID
IDENTITY_CUSTOM_PROP = stix2.Identity(
name="John Smith",
identity_class="individual",
x_foo="bar",
allow_custom=True,
)
def test_identity_custom_property():
with pytest.raises(ValueError) as excinfo:
stix2.Identity(
id="identity--311b2d2d-f010-5473-83ec-1edf84858f4c",
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
identity_class="individual",
custom_properties="foobar",
)
assert str(excinfo.value) == "'custom_properties' must be a dictionary"
with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
stix2.Identity(
id="identity--311b2d2d-f010-5473-83ec-1edf84858f4c",
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
