def main():
    """Print a STIX 1.x package holding one perimeter-blocking course of action.

    The package describes blocking traffic to a single C2 address, which is
    attached to the CourseOfAction as a parameter observable. The XML is
    written to stdout; ``encoding=None`` asks ``to_xml`` for a text string
    instead of an encoded byte string.
    """
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    # Objective first: it is a self-contained sub-object of the COA.
    objective = Objective()
    objective.description = "Block communication between the PIVY agents and the C2 Server"
    objective.applicability_confidence = Confidence("High")

    course = CourseOfAction()
    course.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    course.stage = "Response"
    course.type_ = "Perimeter Blocking"
    course.objective = objective

    # Impact is assigned before its description so the description lands on
    # the object that the string assignment produced.
    course.impact = "Low"
    course.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    course.cost = "Low"
    course.efficacy = "High"

    c2_observable = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
    course.parameter_observables = Observables(c2_observable)

    package = STIXPackage()
    package.add_course_of_action(course)
    print(package.to_xml(encoding=None))
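def convert_coa(coa20):
    """Convert a STIX 2.0 course-of-action dict into a STIX 1.x CourseOfAction.

    Args:
        coa20: the STIX 2.0 object as a dict; ``id`` and ``modified`` are
            required, ``name``, ``description``, ``labels``,
            ``object_marking_refs`` and ``granular_markings`` are optional.

    Returns:
        The populated STIX 1.x ``CourseOfAction``. Its mapping to the 2.0 id
        is recorded through ``record_id_object_mapping`` before returning.
    """
    coa1x = CourseOfAction(id_=convert_id20(coa20["id"]),
                           timestamp=text_type(coa20["modified"]))
    if "name" in coa20:
        coa1x.title = coa20["name"]
    if "description" in coa20:
        coa1x.add_description(coa20["description"])
    if "labels" in coa20:
        coa_types = convert_open_vocabs_to_controlled_vocabs(coa20["labels"], COA_LABEL_MAP)
        # An empty ``labels`` list presumably maps to an empty result; guard
        # so indexing [0] cannot raise IndexError on such input.
        if coa_types:
            coa1x.type_ = coa_types[0]
            # STIX 1.x carries a single type, so every further label is
            # reported as dropped rather than silently lost.
            for extra_type in coa_types[1:]:
                warn("%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted", 401, "labels", extra_type)
    if "object_marking_refs" in coa20:
        for m_id in coa20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(coa1x, ms, descendants=True)
    if "granular_markings" in coa20:
        error("Granular Markings present in '%s' are not supported by stix2slider", 604, coa20["id"])
    record_id_object_mapping(coa20["id"], coa1x)
    return coa1x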
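def main():
    """Print a STIX 1.x package with a single perimeter-blocking course of action.

    The package blocks traffic to one C2 address, carried as a parameter
    observable. ``print`` is used as a function and ``to_xml`` is asked for
    text (``encoding=None``) so the script runs unchanged on Python 2 and 3;
    the previous ``print pkg.to_xml()`` statement was Python 2 only.
    """
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    pkg = STIXPackage()
    coa = CourseOfAction()
    coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    obj = Objective()
    obj.description = "Block communication between the PIVY agents and the C2 Server"
    obj.applicability_confidence = Confidence("High")
    coa.objective = obj

    # Assign impact first; its description is set on the resulting object.
    coa.impact = "Low"
    coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    coa.cost = "Low"
    coa.efficacy = "High"

    addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
    coa.parameter_observables = Observables(addr)
    pkg.add_course_of_action(coa)
    print(pkg.to_xml(encoding=None))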
def add_coa_items(corrective_action_item, cost_corrective_action_item, pkg):
    """Attach a CourseOfAction built from two corrective-action fields to ``pkg``.

    Args:
        corrective_action_item: text used as the COA title; ignored when falsy.
        cost_corrective_action_item: raw cost value; when truthy it is passed
            through ``map_cost_corrective_action_item_to_high_medium_low`` and
            stored as the COA cost Statement.
        pkg: object whose ``coa`` attribute receives the new CourseOfAction.
            It is assigned even when both inputs are empty.
    """
    course = CourseOfAction()
    if corrective_action_item:
        course.title = corrective_action_item
    if cost_corrective_action_item:
        cost_statement = Statement()
        # The raw cost is normalised to the High/Medium/Low scale before use.
        cost_statement.value = map_cost_corrective_action_item_to_high_medium_low(cost_corrective_action_item)
        course.cost = cost_statement
    pkg.coa = course
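def main():
    """Write a STIX 1.x course of action blocking every IPv4 address in tor_exit_node_list.txt.

    Each input line contributes at most the first dotted-quad it contains. All
    addresses become parameter observables of one perimeter-blocking
    CourseOfAction, and the package XML is written to coa_tor.xml. A running
    index is printed to stdout as each address is added.
    """
    # Raw string so the backslash escapes reach ``re`` unchanged (a plain
    # string relies on unknown-escape passthrough, which newer Pythons warn on).
    ipv4_pattern = re.compile(
        r'(([2][5][0-5]\.)|([2][0-4][0-9]\.)|([0-1]?[0-9]?[0-9]\.)){3}'
        r'(([2][5][0-5])|([2][0-4][0-9])|([0-1]?[0-9]?[0-9]))')

    # ``with`` closes the input even if the loop fails part-way.
    with open('tor_exit_node_list.txt', 'r') as list_file:
        ip_addresses = []
        for line in list_file:
            match = ipv4_pattern.search(line)
            if match:
                ip_addresses.append(match.group(0))

    coa = CourseOfAction()
    coa.title = "Block traffic to Tor exit nodes"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    obj = Objective()
    obj.description = "Block communication to Tor exit nodes"
    obj.applicability_confidence = Confidence("High")
    # Without this assignment the Objective is built but never part of the COA.
    coa.objective = obj

    observables_list = []
    for index, ip_addr in enumerate(ip_addresses):
        observables_list.append(Address(address_value=ip_addr, category=Address.CAT_IPV4))
        print(index)
    coa.parameter_observables = Observables(observables_list)

    pkg = STIXPackage()
    pkg.add_course_of_action(coa)

    # Opened only once the package is ready, and closed (flushed) on exit.
    with open('coa_tor.xml', 'w') as out_file:
        out_file.write(pkg.to_xml(encoding=None))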
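def buildCoa(input_dict):
    """Build a CourseOfAction from a flat dict of field values.

    Args:
        input_dict: mapping with required ``title`` and ``description`` keys
            and optional ``stage``, ``type``, ``objective``, ``impact``,
            ``cost``, ``efficacy`` and ``informationSource`` keys. An optional
            field is applied only when present and truthy.

    Returns:
        The populated ``CourseOfAction``.

    Raises:
        KeyError: if ``title`` or ``description`` is missing.
    """
    coa = CourseOfAction()
    coa.title = input_dict['title']
    coa.description = input_dict['description']
    # ``.get`` so an absent optional key is skipped instead of raising KeyError.
    if input_dict.get('stage'):
        coa.stage = input_dict['stage']
    # python-stix exposes the COA type as ``type_`` (``type`` is the builtin);
    # ``coa.type`` presumably set a stray attribute that never serialised.
    if input_dict.get('type'):
        coa.type_ = input_dict['type']
    if input_dict.get('objective'):
        coa.objective = Objective(input_dict['objective'])
    if input_dict.get('impact'):
        coa.impact = input_dict['impact']
    if input_dict.get('cost'):
        coa.cost = input_dict['cost']
    if input_dict.get('efficacy'):
        coa.efficacy = input_dict['efficacy']
    if input_dict.get('informationSource'):
        coa.information_source = InformationSource(input_dict['informationSource'])
    return coa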