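def to_observed_data(r):
    """Convert one flow record into a STIX ``ObservedData`` object.

    Args:
        r: mapping with ``first_observed`` / ``last_observed`` (epoch seconds
           as a number or numeric string), ``number_observed``, ``src_ip``
           (one address, or a list of addresses), ``dest_ip``, ``dest_port``
           and ``protocol``.

    Returns:
        A ``stix2.ObservedData`` whose ``objects`` hold two ``ipv4-addr``
        entries ("0" = source, "1" = destination) and one ``network-traffic``
        entry ("2") linking them with ``dst_port`` and ``protocols``.

    Raises:
        KeyError: when a required key is missing from ``r``.
        ValueError: when a timestamp or the count is not numeric.
    """
    # STIX timestamps are defined in UTC. ``datetime.fromtimestamp`` and
    # ``datetime.now`` without a zone return the host's local wall-clock time,
    # which would then be serialised as if it were UTC, so convert with an
    # explicit UTC zone.
    from datetime import timezone

    created = datetime.now(timezone.utc)
    first_observed = datetime.fromtimestamp(float(r["first_observed"]), tz=timezone.utc)
    last_observed = datetime.fromtimestamp(float(r["last_observed"]), tz=timezone.utc)
    number_observed = int(r["number_observed"])

    src_ip = r["src_ip"]
    if isinstance(src_ip, list):
        # NOTE(review): a space-joined list is not a valid ``ipv4-addr`` value
        # (the type expects a single address or CIDR). Kept for compatibility;
        # the intended model is one observable entry, or one observed-data,
        # per source address, which would change this function's return type.
        src_value = " ".join(src_ip)
    else:
        src_value = src_ip

    # NOTE(review): ``network-traffic.dst_port`` is an integer property;
    # presumably ``r["dest_port"]`` already arrives as an int — confirm.
    return stix2.ObservedData(
        id="observed-data--" + str(uuid.uuid4()),
        created=created,
        modified=created,
        first_observed=first_observed,
        last_observed=last_observed,
        number_observed=number_observed,
        objects={
            "0": {
                "type": "ipv4-addr",
                "value": src_value,
            },
            "1": {
                "type": "ipv4-addr",
                "value": r["dest_ip"],
            },
            "2": {
                "type": "network-traffic",
                "src_ref": "0",
                "dst_ref": "1",
                # "src_port": r["src_port"],
                "dst_port": r["dest_port"],
                "protocols": [
                    "ipv4",
                    r["protocol"],
                ],
            },
        },
    )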
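def _label_values(obj):
    """Return the object's label values as plain strings."""
    return [str(lbl.value) for lbl in obj.labels.all()]


def _alias_names(obj):
    """Return the object's alias names as plain strings."""
    return [str(alias.name) for alias in obj.aliases.all()]


def _identity_name(obj, oid, mask):
    """Return the name exported for an identity: the real name only when unmasked."""
    if not mask:
        return obj.name
    # Masked export: the real name is replaced by the STIX id, or by
    # "<pk>-<alias|value>" of the first label when one exists, so the
    # pseudonym stays stable across exports.
    labels = list(obj.labels.all())
    if not labels:
        return oid
    first = labels[0]
    return str(obj.id) + '-' + (first.alias if first.alias else first.value)


def _observable_objects(obj, mask):
    """Build the ``objects`` dict of an observed-data SDO; empty when masked."""
    obs = {}
    if mask:
        # Observable contents are withheld when masked, so skip the lookups too.
        return obs
    for o in obj.observable_objects.all():
        kind = o.type.name
        ob = None
        if kind == "file":
            ob = stix2.File(name=FileObject.objects.get(id=o.id).name)
        elif kind == "ipv4-addr":
            ob = stix2.IPv4Address(value=IPv4AddressObject.objects.get(id=o.id).value)
        elif kind == "url":
            ob = stix2.URL(value=URLObject.objects.get(id=o.id).value)
        elif kind == "domain-name":
            ob = stix2.DomainName(value=DomainNameObject.objects.get(id=o.id).value)
        if ob:
            # Round-trip through JSON so the dict holds the serialised form,
            # not the stix2 object itself.
            # NOTE(review): keys are the observable's own id; STIX dictionary
            # keys have length/character constraints — confirm ``o.id`` fits.
            obs[str(o.id)] = json.loads(str(ob))
    return obs


def _build_sdo(obj, oid, dscr, mask):
    """Translate one model instance into its stix2 object, or None for an unhandled type."""
    kind = obj.object_type.name
    common = {"id": oid, "created": obj.created, "modified": obj.modified}
    if kind == 'attack-pattern':
        return stix2.AttackPattern(
            name=obj.name,
            description=dscr,
            kill_chain_phases=stix2killchain(obj),
            **common,
        )
    if kind == 'campaign':
        return stix2.Campaign(
            name=obj.name,
            description=dscr,
            aliases=_alias_names(obj),
            first_seen=obj.first_seen,
            last_seen=obj.last_seen,
            **common,
        )
    if kind == 'course-of-action':
        return stix2.CourseOfAction(name=obj.name, description=dscr, **common)
    if kind == 'identity':
        return stix2.Identity(
            name=_identity_name(obj, oid, mask),
            identity_class=obj.identity_class,
            description=dscr,
            sectors=[str(s.value) for s in obj.sectors.all()],
            labels=_label_values(obj),
            **common,
        )
    if kind == 'indicator':
        # The pattern is the detection logic and is exported only when unmasked.
        # NOTE(review): a bare "[]" is not valid STIX pattern syntax; stix2
        # releases that validate patterns may reject it — confirm with the
        # pinned version.
        pattern = "[]"
        if not mask and obj.pattern:
            pattern = obj.pattern.pattern
        return stix2.Indicator(
            name=obj.name,
            description=dscr,
            labels=_label_values(obj),
            pattern=pattern,
            valid_from=obj.valid_from,
            valid_until=obj.valid_until,
            **common,
        )
    if kind == 'intrusion-set':
        return stix2.IntrusionSet(
            name=obj.name,
            description=dscr,
            aliases=_alias_names(obj),
            first_seen=obj.first_seen,
            # last_seen is intentionally not exported for intrusion sets.
            **common,
        )
    if kind == 'malware':
        return stix2.Malware(
            name=obj.name,
            description=dscr,
            labels=_label_values(obj),
            kill_chain_phases=stix2killchain(obj),
            **common,
        )
    if kind == 'observed-data':
        return stix2.ObservedData(
            first_observed=obj.first_observed,
            last_observed=obj.last_observed,
            number_observed=obj.number_observed,
            objects=_observable_objects(obj, mask),
            **common,
        )
    if kind == 'report':
        created_by = None
        if obj.created_by_ref:
            created_by = obj.created_by_ref.object_id
        return stix2.Report(
            labels=_label_values(obj),
            name=obj.name,
            description=dscr,
            published=obj.published,
            object_refs=[str(ref.object_id) for ref in obj.object_refs.all()],
            created_by_ref=created_by,
            **common,
        )
    if kind == 'threat-actor':
        return stix2.ThreatActor(
            name=obj.name,
            description=dscr,
            labels=_label_values(obj),
            aliases=_alias_names(obj),
            **common,
        )
    if kind == 'tool':
        return stix2.Tool(
            name=obj.name,
            description=dscr,
            labels=_label_values(obj),
            kill_chain_phases=stix2killchain(obj),
            **common,
        )
    if kind == 'vulnerability':
        return stix2.Vulnerability(name=obj.name, description=dscr, **common)
    if kind == 'relationship':
        return stix2.Relationship(
            relationship_type=obj.relationship_type.name,
            description=dscr,
            source_ref=obj.source_ref.object_id,
            target_ref=obj.target_ref.object_id,
            **common,
        )
    if kind == 'sighting':
        return stix2.Sighting(
            sighting_of_ref=obj.sighting_of_ref.object_id,
            where_sighted_refs=[
                str(w.object_id.object_id)
                for w in obj.where_sighted_refs.all()
            ],
            observed_data_refs=[
                str(od.object_id.object_id)
                for od in obj.observed_data_refs.all()
            ],
            first_seen=obj.first_seen,
            last_seen=obj.last_seen,
            **common,
        )
    return None


def stix_bundle(objs, mask=True):
    """Serialise model instances into a ``stix2.Bundle``.

    Args:
        objs: iterable of model instances; each exposes ``object_type.name``,
            ``object_id.object_id``, ``created`` and ``modified`` plus the
            fields its type needs.
        mask: when True (the default) the export withholds content that may be
            sensitive: descriptions, indicator patterns and observable contents
            are dropped and identity names are replaced by a pseudonym.
            ``mask=False`` exports the full content.

    Returns:
        A ``stix2.Bundle`` holding one SDO/SRO per recognised input object.
        Objects of an unrecognised type are silently skipped.
    """
    sdos = []
    for obj in objs:
        oid = obj.object_id.object_id
        # Descriptions are free text and are exported only when unmasked,
        # and only if the model actually carries one.
        dscr = ""
        if not mask and hasattr(obj, "description"):
            dscr = obj.description
        sdo = _build_sdo(obj, oid, dscr, mask)
        if sdo is not None:
            sdos.append(sdo)
    return stix2.Bundle(*sdos)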