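def generate_indicators(self, count):
    """Generate a list of STIX Indicators populated with random test data.

    Every indicator gets a fixed title, a 'Secret Source' producer identity,
    the current time as its produced time, one randomly chosen indicator
    type, fixed short/long descriptions, a random confidence value, one
    randomly chosen LMCO kill-chain phase and between zero and five IP
    observables obtained from ``self.gen_ips``.

    Args:
        count: number of indicators to build; zero or a negative value
            yields an empty list.

    Returns:
        list: the generated ``Indicator`` objects, in creation order.
    """
    # The candidate value sets are hoisted out of the loop so they are
    # visible in one place and not rebuilt per indicator.
    indicator_types = ('Malware Artifacts', 'C2', 'Exfiltration')
    confidence_values = ('High', 'Medium', 'Low', 'None', 'Unknown')

    indicators = []
    for _ in range(count):
        indicator = Indicator(title='Multiple indicator types')
        indicator.set_producer_identity(Identity(name='Secret Source'))
        # NOTE(review): datetime.today() is a naive local-time stamp, so a
        # consumer in another zone cannot disambiguate it; an aware UTC
        # timestamp would be safer if this data leaves the generating host.
        indicator.set_produced_time(datetime.today())
        indicator.add_indicator_type(choice(indicator_types))
        indicator.add_short_description('Short description...')
        indicator.add_description('Long description...')
        indicator.confidence = Confidence(choice(confidence_values))

        kill_chain_phase = choice(LMCO_KILL_CHAIN_PHASES)
        indicator.kill_chain_phases = KillChainPhasesReference(
            [KillChainPhaseReference(name=kill_chain_phase.name)])

        # Only IP observables are attached here; gen_user_agents, gen_fqdns
        # and gen_urls appeared only in commented-out code and were never
        # wired in.
        for ip in self.gen_ips(randint(0, 5)):
            indicator.add_observable(ip)

        indicators.append(indicator)
    return indicators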
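c.close()

# The reply body is an XML document preceded by a status token; "OK:" is
# presumed from the original code. Remove that prefix only -- str.strip()
# with 'OK:' would instead eat every leading/trailing 'O', 'K' or ':'
# character, which is a different (and wrong) operation.
response = buffer.getvalue().decode("utf-8")
if response.startswith('OK:'):
    response = response[len('OK:'):]
response = response.strip('\r\n')

# Package skeleton: one header, one indicator carrying one File observable.
stxf = File()
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Malicious File Hash Indicator"
stix_package.stix_header = stix_header

indicator = Indicator()
indicator.title = "File Observable"
indicator.description = (
    "An indicator containing a File observable with an associated hash")

# The reply comes from a remote service, so it is untrusted input. The
# stdlib parser does not resolve external entities, but depending on the
# linked Expat version it may still expand nested internal entities;
# defusedxml.ElementTree is the hardened drop-in if a dependency is
# acceptable.
root = ElementTree.fromstring(response)
# Walk to the third nesting level, where the original code expected the
# fileJoined.* elements; the reply schema itself is not visible here.
for child in root:
    for child2 in child:
        for child3 in child2:
            for filenames in child3.iter('fileJoined.filename'):
                indicator.add_short_description(filenames.text)
            for hashes in child3.iter('fileJoined.md5'):
                stxf.add_hash(hashes.text)

indicator.set_producer_identity("McAfee LLC.")
indicator.set_produced_time(utils.dates.now())
indicator.add_object(stxf)
stix_package.add(indicator)

# The context manager closes the output file even if to_xml() or write()
# raises; the original left the handle open on any error.
with open(stixfilename, "wb") as stxout:
    stxout.write(stix_package.to_xml())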