def test_indicator(self):
i = Indicator()
i.title = UNICODE_STR
i.description = UNICODE_STR
i.short_description = UNICODE_STR
i2 = round_trip(i)
self._test_equal(i, i2)
def test_indicator(self):
i = Indicator()
i.title = UNICODE_STR
i.description = UNICODE_STR
i.short_description = UNICODE_STR
i2 = round_trip(i)
self._test_equal(i, i2)
def create_indicator(self, ce1sus_indicator, event_permissions, user):
indicator = Indicator()
indicator.id_ = 'ce1sus:Indicator-{0}'.format(ce1sus_indicator.uuid)
indicator.title = ce1sus_indicator.title
indicator.description = ce1sus_indicator.description
indicator.short_description = ce1sus_indicator.short_description
if ce1sus_indicator.confidence:
indicator.confidence = ce1sus_indicator.confidence.title()
else:
indicator.confidence = 'Low'
# TODO: handling
# TODO: markings
for type_ in ce1sus_indicator.types:
indicator.add_indicator_type(type_.name)
if ce1sus_indicator.operator:
indicator.observable_composition_operator = ce1sus_indicator.operator
# Todo Add confidence
# indicator_attachment.confidence = "Low"
creator = self.create_stix_identity(ce1sus_indicator)
time = self.cybox_mapper.get_time(
produced_time=ce1sus_indicator.created_at)
info_source = InformationSource(identity=creator, time=time)
indicator.producer = info_source
observables = ce1sus_indicator.get_observables_for_permissions(
event_permissions, user)
for obs in observables:
cybox_obs = self.create_observable(obs, event_permissions, user)
indicator.add_observable(cybox_obs)
valid_time = ValidTime(start_time=ce1sus_indicator.created_at,
end_time=ce1sus_indicator.created_at)
indicator.add_valid_time_position(valid_time)
return indicator
def to_stix_relationship(obj):
from stix.indicator import Indicator
ind_rel = []
for relationship in obj.relationships:
#if not relationship.private: #testing
ind = Indicator()
ind.title = "MARTI Relation"
ind.timestamp = relationship.relationship_date
ind.confidence = relationship.rel_confidence.title()
ind.id_ = relationship.url_key
ind.add_indicator_type(get_indicator_type(relationship.rel_type))
ind.description = relationship.rel_reason
ind.short_description = relationship.relationship
ind_rel.append(ind)
return ind_rel
def to_stix_comments(obj):
from crits.comments.handlers import get_comments
from stix.indicator import Indicator as S_Ind
comments = get_comments(obj.id, obj._meta['crits_type'], False)
ind_comments = []
for each in comments:
if not each.private:
ind = S_Ind()
ind.title = "CRITs Comment(s)"
ind.description = each.comment
ind.short_description = each.url_key
ind.producer = to_stix_information_source(each)
ind.timestamp = each.edit_date #should be date, but for some reason, it's not getting the correct value
ind_comments.append(ind)
return ind_comments
def __init__(self, alert):
self.__urls = set()
self.__domains = set()
self.__ipv4 = set()
self.__hashes = set()
self.__regkeys = set()
self.__files = set()
self.__emails = set()
PRODUCER_NAME = alert.product
# Domains
domain_indicator = Indicator()
domain_indicator.title = "Malware Artifacts - Domain"
domain_indicator.type = "Malware Artifacts"
domain_indicator.description = ("Domains derived from sandboxed malware sample. AlertID: %d" % alert.id)
domain_indicator.short_description = ("Domains from %d" % alert.id)
domain_indicator.set_producer_identity(PRODUCER_NAME)
domain_indicator.set_produced_time(utils.dates.now())
domain_indicator.indicator_types.append(IndicatorType_1_1.TERM_DOMAIN_WATCHLIST)
self.domain_indicator = domain_indicator
# IPs
ip_indicator = Indicator()
ip_indicator.title = "Malware Artifacts - IP"
ip_indicator.description = ("IPs derived from sandboxed malware sample. AlertID: %d" % alert.id)
ip_indicator.short_description = ("IPs from %d" % alert.id)
ip_indicator.set_producer_identity(PRODUCER_NAME)
ip_indicator.set_produced_time(utils.dates.now())
ip_indicator.indicator_types.append(IndicatorType_1_1.TERM_IP_WATCHLIST)
self.ip_indicator = ip_indicator
# URLs
url_indicator = Indicator()
url_indicator.title = "Malware Artifacts - URL"
url_indicator.description = ("URLs derived from sandboxed malware sample. AlertID: %d" % alert.id)
url_indicator.short_description = ("URLs from %d" % alert.id)
url_indicator.set_producer_identity(PRODUCER_NAME)
url_indicator.set_produced_time(utils.dates.now())
url_indicator.indicator_types.append(IndicatorType_1_1.TERM_URL_WATCHLIST)
self.url_indicator = url_indicator
# Hashs
hash_indicator = Indicator()
hash_indicator.title = "Malware Artifacts - Files"
hash_indicator.description = ("Files derived from sandboxed malware sample. AlertID: %d" % alert.id)
hash_indicator.short_description = ("File from %d" % alert.id)
hash_indicator.set_producer_identity(PRODUCER_NAME)
hash_indicator.set_produced_time(utils.dates.now())
hash_indicator.indicator_types.append(IndicatorType_1_1.TERM_FILE_HASH_WATCHLIST)
self.hash_indicator = hash_indicator
# Registry
reg_indicator = Indicator()
reg_indicator.title = "Malware Artifacts - Registry entries"
reg_indicator.description = ("File hashes derived from sandboxed malware sample. AlertID: %d" % alert.id)
reg_indicator.short_description = ("Registry entries from %d" % alert.id)
reg_indicator.set_producer_identity(PRODUCER_NAME)
reg_indicator.set_produced_time(utils.dates.now())
reg_indicator.indicator_types.append(IndicatorType_1_1.TERM_MALWARE_ARTIFACTS)
self.reg_indicator = reg_indicator
# email_indicator
email_indicator = Indicator()
email_indicator.title = "Malware Artifacts - Malicious "
email_indicator.description = ("Email headers. AlertID: %d" % alert.id)
email_indicator.short_description = ("Email headers from %d" % alert.id)
email_indicator.set_producer_identity(PRODUCER_NAME)
email_indicator.set_produced_time(utils.dates.now())
email_indicator.indicator_types.append(IndicatorType_1_1.TERM_MALICIOUS_EMAIL )
self.email_indicator = email_indicator
# Create a STIX Package
self.stix_package = STIXPackage()
# Create the STIX Header and add a description.
stix_header = STIXHeader({"Indicators - Malware Artifacts"})
stix_header.description = "FireEye Sample ID %d" % alert.id
self.stix_package.stix_header = stix_header
def genObject_Indicator(data):
from stix.indicator import Indicator
try:
sTitle = "phishTank.com id:" + data[
'phish_id'] + " with malicious URL:" + data['url']
sTitle = sTitle[:70] + "..."
except:
sTitle = "phishTank.com id:" + data[
'phish_id'] + " with malicious URL:--[URL Not Displayed - Due to encoding issue]--"
# try:
# sDscrpt = "This URL:[" + escape(unicode(srcDict[item]['url'])) + "] was identified by phishtank.com as part of a phishing email"
# except:
# sDscrpt = "This URL:--[URL Not Displayed - Due to encoding issue]-- was identified by phishtank.com as part of a phishing email"
sDscrpt = "This URL:[" + escape(
data['url']
) + "] was identified by phishtank.com as part of a phishing email"
if data['target'] and not data['target'] == 'Other':
sDscrpt += " which appears to be targeting " + data['target']
else:
sDscrpt += "."
if data['online'] == 'yes':
sDscrpt += " This URL appears to still be online as of " + data[
'verification_time']
elif data['online'] == 'no':
sDscrpt += " This URL appears to offline as of " + data[
'verification_time']
sDscrpt += ". More detailed infomation can be found at " + data[
'phish_detail_url']
objIndicator = Indicator()
objIndicator.idref = None
objIndicator.title = sTitle
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
objIndicator.short_description = "<![CDATA[" + sTitle + "]]>"
if data['verified'] == 'yes':
objIndicator.confidence = 'High'
else:
objIndicator.confidence = 'Low'
objIndicator.test_mechanisms = None
objIndicator.alternative_id = None
objIndicator.composite_indicator_expression = None
objIndicator.valid_time_positions = None
objIndicator.related_indicators = None
# objIndicator.suggested_coas = SuggestedCOAs()
# objIndicator.kill_chain_phases = KillChainPhasesReference()
# objIndicator.likely_impact = None
### Used/Defined Outside this funtion
# objIndicator.indicator_types = ["URL Watchlist"]
# objIndicator.observable_composition_operator = "OR"
# objIndicator.producer = None
# objIndicator.observables = obsList
# objIndicator.handling = objMarking
# objIndicator.sightings = None
# objIndicator.set_received_time
return (objIndicator)
def create_stix_file():
# List of indicators to be deduped
hostnames = []
ips = []
urls = []
md5s = []
sha1s = []
# Set namespace
NAMESPACE = {PRODUCER_URL: PRODUCER_NAME}
set_id_namespace(NAMESPACE)
# JSON load the POSTed request data
try:
data_recv = request.data
data = json.loads(data_recv)
except:
return make_response(
jsonify({'Error': "Unable to decode json object"}), 400)
# Parse the JSON object
try:
# Get MD5 of sample
malware_sample = data['alert']['explanation']['malware-detected'][
'malware']
count = 0
sample_hash = ""
try:
for entry in malware_sample:
if "md5sum" in malware_sample[count]:
sample_hash = malware_sample[count]['md5sum']
count += 1
except:
if "md5sum" in malware_sample:
sample_hash = malware_sample['md5sum']
# If all else fails
if sample_hash == "":
sample_hash = "Unknown"
# Indicators
# Domains
domain_indicator = Indicator()
domain_indicator.title = "Malware Artifacts - Domain"
domain_indicator.type = "Malware Artifacts"
domain_indicator.description = (
"Domains derived from sandboxed malware sample. MD5 Hash: " +
sample_hash)
domain_indicator.short_description = ("Domainss from " + sample_hash)
domain_indicator.set_producer_identity(PRODUCER_NAME)
domain_indicator.set_produced_time(utils.dates.now())
domain_indicator.indicator_types.append("Domain Watchlist")
# IPs
ip_indicator = Indicator()
ip_indicator.title = "Malware Artifacts - IP"
ip_indicator.description = (
"IPs derived from sandboxed malware sample. MD5 Hash: " +
sample_hash)
ip_indicator.short_description = ("IPs from " + sample_hash)
ip_indicator.set_producer_identity(PRODUCER_NAME)
ip_indicator.set_produced_time(utils.dates.now())
ip_indicator.indicator_types.append("IP Watchlist")
# URLs
url_indicator = Indicator()
url_indicator.title = "Malware Artifacts - URL"
url_indicator.description = (
"URLs derived from sandboxed malware sample. MD5 Hash: " +
sample_hash)
url_indicator.short_description = ("URLs from " + sample_hash)
url_indicator.set_producer_identity(PRODUCER_NAME)
url_indicator.set_produced_time(utils.dates.now())
url_indicator.indicator_types.append("URL Watchlist")
# Hashs
hash_indicator = Indicator()
hash_indicator.title = "Malware Artifacts - File Hash"
hash_indicator.description = (
"File hashes derived from sandboxed malware sample. MD5 Hash: " +
sample_hash)
hash_indicator.short_description = ("Hash from " + sample_hash)
hash_indicator.set_producer_identity(PRODUCER_NAME)
hash_indicator.set_produced_time(utils.dates.now())
hash_indicator.indicator_types.append("File Hash Watchlist")
# Create a STIX Package
stix_package = STIXPackage()
# Create the STIX Header and add a description.
stix_header = STIXHeader({"Indicators - Malware Artifacts"})
stix_header.description = PRODUCER_NAME + ": FireEye Sample ID " + str(
data['alert']['id'])
stix_package.stix_header = stix_header
if "network" in data['alert']['explanation']['os-changes']:
# Add indicators for network
for entry in data['alert']['explanation']['os-changes']['network']:
if "hostname" in entry:
hostnames.append(entry['hostname'])
if "ipaddress" in entry:
ips.append(entry['ipaddress'])
if "http_request" in entry:
domain = re.search('~~Host:\s(.*?)~~',
entry['http_request'])
url = re.search('^.*\s(.*?)\sHTTP', entry['http_request'])
if domain:
domain_name = domain.group(1)
if url:
url_string = url.group(1)
urls.append(domain_name + url_string)
# Add indicators for files
for entry in data['alert']['explanation']['os-changes']['network']:
if "md5sum" in entry['processinfo']:
filename = re.search('([\w-]+\..*)',
entry['processinfo']['imagepath'])
if filename:
md5s.append((filename.group(1),
entry['processinfo']['md5sum']))
if "process" in data['alert']['explanation']['os-changes']:
# Add indicators from process
for entry in data['alert']['explanation']['os-changes']['process']:
if "md5sum" in entry:
filename = re.search('([\w-]+\..*)', entry['value'])
if filename:
md5s.append((filename.group(1), entry['md5sum']))
if "sha1sum" in entry:
filename = re.search('([\w-]+\..*)', entry['value'])
if filename:
sha1s.append((filename.group(1), entry['sha1sum']))
# Dedupe lists
for hostname in set(hostnames):
hostname_observable = create_domain_name_observable(hostname)
domain_indicator.add_observable(hostname_observable)
for ip in set(ips):
ip_observable = create_ipv4_observable(ip)
ip_indicator.add_observable(ip_observable)
for url in set(urls):
url_observable = create_url_observable(url)
url_indicator.add_observable(url_observable)
for hash in set(md5s):
hash_observable = create_file_hash_observable(hash[0], hash[1])
hash_indicator.add_observable(hash_observable)
for hash in set(sha1s):
hash_observable = create_file_hash_observable(hash[0], hash[1])
hash_indicator.add_observable(hash_observable)
# Add those to the package
stix_package.add(domain_indicator)
stix_package.add(ip_indicator)
stix_package.add(url_indicator)
stix_package.add(hash_indicator)
# Save to file
save_as = SAVE_DIRECTORY + "/fireeye_" + str(
data['alert']['id']) + ".xml"
f = open(save_as, 'w')
f.write(stix_package.to_xml())
f.close
# Return success response
return make_response(
jsonify({'Success': "STIX document succesfully generated"}), 200)
# Unable to parse object
except:
return make_response(jsonify({'Error': "Unable to parse JSON object"}),
400)
def create_stix_file():
# List of indicators to be deduped
hostnames = []
ips = []
urls = []
md5s = []
sha1s = []
# Set namespace
NAMESPACE = {PRODUCER_URL: PRODUCER_NAME}
set_id_namespace(NAMESPACE)
# JSON load the POSTed request data
try:
data_recv = request.data
data = json.loads(data_recv)
except:
return make_response(jsonify({"Error": "Unable to decode json object"}), 400)
# Parse the JSON object
try:
# Get MD5 of sample
malware_sample = data["alert"]["explanation"]["malware-detected"]["malware"]
count = 0
sample_hash = ""
try:
for entry in malware_sample:
if "md5sum" in malware_sample[count]:
sample_hash = malware_sample[count]["md5sum"]
count += 1
except:
if "md5sum" in malware_sample:
sample_hash = malware_sample["md5sum"]
# If all else fails
if sample_hash == "":
sample_hash = "Unknown"
# Indicators
# Domains
domain_indicator = Indicator()
domain_indicator.title = "Malware Artifacts - Domain"
domain_indicator.type = "Malware Artifacts"
domain_indicator.description = "Domains derived from sandboxed malware sample. MD5 Hash: " + sample_hash
domain_indicator.short_description = "Domainss from " + sample_hash
domain_indicator.set_producer_identity(PRODUCER_NAME)
domain_indicator.set_produced_time(utils.dates.now())
domain_indicator.indicator_types.append("Domain Watchlist")
# IPs
ip_indicator = Indicator()
ip_indicator.title = "Malware Artifacts - IP"
ip_indicator.description = "IPs derived from sandboxed malware sample. MD5 Hash: " + sample_hash
ip_indicator.short_description = "IPs from " + sample_hash
ip_indicator.set_producer_identity(PRODUCER_NAME)
ip_indicator.set_produced_time(utils.dates.now())
ip_indicator.indicator_types.append("IP Watchlist")
# URLs
url_indicator = Indicator()
url_indicator.title = "Malware Artifacts - URL"
url_indicator.description = "URLs derived from sandboxed malware sample. MD5 Hash: " + sample_hash
url_indicator.short_description = "URLs from " + sample_hash
url_indicator.set_producer_identity(PRODUCER_NAME)
url_indicator.set_produced_time(utils.dates.now())
url_indicator.indicator_types.append("URL Watchlist")
# Hashs
hash_indicator = Indicator()
hash_indicator.title = "Malware Artifacts - File Hash"
hash_indicator.description = "File hashes derived from sandboxed malware sample. MD5 Hash: " + sample_hash
hash_indicator.short_description = "Hash from " + sample_hash
hash_indicator.set_producer_identity(PRODUCER_NAME)
hash_indicator.set_produced_time(utils.dates.now())
hash_indicator.indicator_types.append("File Hash Watchlist")
# Create a STIX Package
stix_package = STIXPackage()
# Create the STIX Header and add a description.
stix_header = STIXHeader({"Indicators - Malware Artifacts"})
stix_header.description = PRODUCER_NAME + ": FireEye Sample ID " + str(data["alert"]["id"])
stix_package.stix_header = stix_header
if "network" in data["alert"]["explanation"]["os-changes"]:
# Add indicators for network
for entry in data["alert"]["explanation"]["os-changes"]["network"]:
if "hostname" in entry:
hostnames.append(entry["hostname"])
if "ipaddress" in entry:
ips.append(entry["ipaddress"])
if "http_request" in entry:
domain = re.search("~~Host:\s(.*?)~~", entry["http_request"])
url = re.search("^.*\s(.*?)\sHTTP", entry["http_request"])
if domain:
domain_name = domain.group(1)
if url:
url_string = url.group(1)
urls.append(domain_name + url_string)
# Add indicators for files
for entry in data["alert"]["explanation"]["os-changes"]["network"]:
if "md5sum" in entry["processinfo"]:
filename = re.search("([\w-]+\..*)", entry["processinfo"]["imagepath"])
if filename:
md5s.append((filename.group(1), entry["processinfo"]["md5sum"]))
if "process" in data["alert"]["explanation"]["os-changes"]:
# Add indicators from process
for entry in data["alert"]["explanation"]["os-changes"]["process"]:
if "md5sum" in entry:
filename = re.search("([\w-]+\..*)", entry["value"])
if filename:
md5s.append((filename.group(1), entry["md5sum"]))
if "sha1sum" in entry:
filename = re.search("([\w-]+\..*)", entry["value"])
if filename:
sha1s.append((filename.group(1), entry["sha1sum"]))
# Dedupe lists
for hostname in set(hostnames):
hostname_observable = create_domain_name_observable(hostname)
domain_indicator.add_observable(hostname_observable)
for ip in set(ips):
ip_observable = create_ipv4_observable(ip)
ip_indicator.add_observable(ip_observable)
for url in set(urls):
url_observable = create_url_observable(url)
url_indicator.add_observable(url_observable)
for hash in set(md5s):
hash_observable = create_file_hash_observable(hash[0], hash[1])
hash_indicator.add_observable(hash_observable)
for hash in set(sha1s):
hash_observable = create_file_hash_observable(hash[0], hash[1])
hash_indicator.add_observable(hash_observable)
# Add those to the package
stix_package.add(domain_indicator)
stix_package.add(ip_indicator)
stix_package.add(url_indicator)
stix_package.add(hash_indicator)
# Save to file
save_as = SAVE_DIRECTORY + "/fireeye_" + str(data["alert"]["id"]) + ".xml"
f = open(save_as, "w")
f.write(stix_package.to_xml())
f.close
# Return success response
return make_response(jsonify({"Success": "STIX document succesfully generated"}), 200)
# Unable to parse object
except:
return make_response(jsonify({"Error": "Unable to parse JSON object"}), 400)