def main():
    """Print a STIX 1.x package holding one perimeter-blocking Course of Action.

    The COA describes blocking traffic to a single IPv4 address (the PIVY C2
    server in this example). The address is attached as a parameter
    observable so a consumer can derive the block rule from the package
    itself; the package XML is printed to stdout.
    """
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    # The observable the COA acts on: the C2 server's IPv4 address.
    c2_address = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)

    # What the COA is meant to achieve, and how confident we are it applies.
    goal = Objective()
    goal.description = "Block communication between the PIVY agents and the C2 Server"
    goal.applicability_confidence = Confidence("High")

    action = CourseOfAction()
    action.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    action.stage = "Response"
    action.type_ = "Perimeter Blocking"
    action.objective = goal

    # Impact is assigned before its description: the description is written
    # onto whatever object the assignment produced (presumably a Statement
    # wrapper — verify against the stix API).
    action.impact = "Low"
    action.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    action.cost = "Low"
    action.efficacy = "High"
    action.parameter_observables = Observables(observables=c2_address)

    package = STIXPackage()
    package.add_course_of_action(action)
    print(package.to_xml(encoding=None))
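def main():
    """Print a STIX 1.x package holding one perimeter-blocking Course of Action.

    The COA targets the PIVY C2 server address, attached as a parameter
    observable; the package XML is printed to stdout as text.

    Fix over the previous version: the Python 2 ``print`` statement (a
    SyntaxError on Python 3) is replaced by a ``print()`` call, and
    ``to_xml`` is called with ``encoding=None`` as in the other examples on
    this page, which print or write its result as text.
    """
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    pkg = STIXPackage()
    coa = CourseOfAction()
    coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    # What the COA is meant to achieve, and how confident we are it applies.
    obj = Objective()
    obj.description = "Block communication between the PIVY agents and the C2 Server"
    obj.applicability_confidence = Confidence("High")

    coa.objective = obj
    # Assign the impact level before its description: the description is
    # written onto whatever object the assignment produced (presumably a
    # Statement wrapper — verify against the stix API).
    coa.impact = "Low"
    coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    coa.cost = "Low"
    coa.efficacy = "High"

    # The observable the COA acts on: the C2 server's IPv4 address.
    addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
    coa.parameter_observables = Observables(addr)

    pkg.add_course_of_action(coa)

    print(pkg.to_xml(encoding=None))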
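def _extract_ipv4_addresses(lines):
    """Return the first valid IPv4 address found on each line of *lines*.

    Lines without an address are skipped. Candidates are located with a
    loose digits-and-dots pattern bounded by word boundaries and then
    validated with ``ipaddress``, so a malformed value such as
    ``256.1.1.1`` is rejected instead of being truncated to a different,
    valid-looking address. That matters here because the result feeds a
    perimeter block list: a mis-parsed entry would block the wrong host.

    Args:
        lines: iterable of text lines (e.g. an open text file).

    Returns:
        list[str]: dotted-quad addresses in input order.
    """
    import ipaddress

    candidate = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    found = []
    for line in lines:
        match = candidate.search(line)
        if not match:
            continue
        try:
            found.append(str(ipaddress.IPv4Address(match.group(0))))
        except ValueError:
            # Digits-and-dots that is not a real IPv4 address (octet > 255).
            continue
    return found


def main():
    """Build a STIX package with a perimeter-blocking COA for Tor exit nodes.

    Reads IPv4 addresses from ``tor_exit_node_list.txt`` (one per line),
    attaches each as a parameter observable of a single Course of Action,
    and writes the package XML to ``coa_tor.xml``.

    Fixes over the previous version: both files are closed via ``with``
    (the output file was never closed before), the regex is a raw string
    (``'\\.'`` in a plain string is an invalid escape sequence), addresses
    are validated before use, and the Objective is actually attached to
    the COA — it was built but never assigned.
    """
    with open('tor_exit_node_list.txt', 'r', encoding='utf-8') as file_in:
        ip_addr_list = _extract_ipv4_addresses(file_in)

    pkg = STIXPackage()

    coa = CourseOfAction()
    coa.title = "Block traffic to Tor exit nodes"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    obj = Objective()
    obj.description = "Block communication to Tor exit nodes"
    obj.applicability_confidence = Confidence("High")
    coa.objective = obj

    observables_list = []
    for index, ip_addr in enumerate(ip_addr_list):
        observables_list.append(
            Address(address_value=ip_addr, category=Address.CAT_IPV4))
        # Progress counter: one line per address, as before.
        print(index)

    coa.parameter_observables = Observables(observables_list)
    pkg.add_course_of_action(coa)

    # Closing the output file explicitly guarantees the XML is flushed to disk.
    with open('coa_tor.xml', 'w', encoding='utf-8') as file_out:
        file_out.write(pkg.to_xml(encoding=None))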
obj.description = 'Block communication between the infected agents and the C2 Server'
obj.short_description = 'Block traffic'
obj.applicability_confidence = Confidence(HighMediumLow('High'))
coa.objective = obj

# Attributes
coa.impact = HighMediumLow('Medium')
coa.cost = HighMediumLow('Low')
coa.efficacy = HighMediumLow('High')
coa.stage = COAStage('Response')
coa.type_ = CourseOfActionType('Perimeter Blocking')

# Related Observable (by id)
addr = Address(address_value=ip, category=Address.CAT_IPV4)
observable = Observable(addr)
coa.parameter_observables = Observables(observables=Observable(
    idref=observable.id_))

# Related CoA (basic; by id)
coa2 = CourseOfAction(title='Block domain traffic to {}'.format(domain))
related_coa = RelatedCOA(CourseOfAction(idref=coa2.id_))
coa.related_coas.append(related_coa)

# Indicator
indicator = Indicator(title='Indicator')
domain_name = DomainName()
domain_name.value = domain
indicator.add_observable(domain_name)
indicator.suggested_coas.append(CourseOfAction(idref=coa2.id_))

# Generate STIX Package
stix_package = STIXPackage()