Пример #1
0
def main():
    if len(sys.argv) <= 2:
        return_data({
            'status': 'error',
            'message': 'Missing argument to the Python script'
        })

    if sys.argv[1] == 'check':
        return_data({'status': 'success'})

    observable_type = sys.argv[1]
    observable_value = sys.argv[2]
    if observable_type in OPENCTISTIX2:
        if 'transform' in OPENCTISTIX2[observable_type]:
            if OPENCTISTIX2[observable_type]['transform'][
                    'operation'] == 'remove_string':
                observable_value = observable_value.replace(
                    OPENCTISTIX2[observable_type]['transform']['value'], '')

        lhs = ObjectPath(OPENCTISTIX2[observable_type]['type'],
                         OPENCTISTIX2[observable_type]['path'])
        ece = ObservationExpression(
            EqualityComparisonExpression(lhs, observable_value))
        return_data({'status': 'success', 'data': str(ece)})
    else:
        return_data({'status': 'unknown', 'data': None})
Пример #2
0
def _create_equality_observation_expression_str(
    object_path: ObjectPath, value: str
) -> str:
    """Create observation expression string with pattern equality comparison expression."""  # noqa: E501
    operand = EqualityComparisonExpression(object_path, StringConstant(value))
    observation_expression = ObservationExpression(str(operand))
    return str(observation_expression)
Пример #3
0
def generate_part(observable_type, observable_value):
    if observable_type in PATTERN_MAPPING:
        lhs = ObjectPath(
            observable_type.lower() if "_" not in observable_type else
            observable_type.split("_")[0].lower(),
            PATTERN_MAPPING[observable_type],
        )
        return EqualityComparisonExpression(lhs, observable_value)
    return None
Пример #4
0
 def _create_indicator_pattern(
         self, indicator_type: str,
         indicator_value: str) -> ObservationExpression:
     stix2_typing = self._OPENCTI_TO_STIX2[indicator_type]
     lhs = ObjectPath(stix2_typing["type"], stix2_typing["path"])
     operand = str(
         EqualityComparisonExpression(lhs, StringConstant(indicator_value)))
     observation_expression = ObservationExpression(operand)
     return observation_expression
Пример #5
0
def observable_AS_to_expr(number: str) -> EqualityComparisonExpression:
    """
    Autonomous Systems (AS) in STIX-2 have a 'number' property (as opposed to a
    'value'). This function returns a STIX-2 EqualityComparisonExpression for
    an AS number.
    """
    stix_obj = AutonomousSystem(number=int(number))
    return EqualityComparisonExpression(
        ObjectPath(stix_obj.type, ["number"]), stix_obj.number
    )
Пример #6
0
def observable_value_to_expr(stix2_type, value: str) -> EqualityComparisonExpression:
    """
    Most STIX-2 observables have a 'value' property. This function takes a
    STIX-2 observable type (e.g., DomainName) that uses a value property and
    invokes it's constructor for the given value. Returns a STIX-2
    EqualityComparisonExpression.
    """
    stix_obj = stix2_type(value=value)
    return EqualityComparisonExpression(
        ObjectPath(stix_obj.type, ["value"]), stix_obj.value
    )
Пример #7
0
 def create_stix_pattern(observable_type, observable_value):
     if observable_type in PATTERN_MAPPING:
         lhs = ObjectPath(
             observable_type.lower() if "_" not in observable_type else
             observable_type.split("_")[0].lower(),
             PATTERN_MAPPING[observable_type],
         )
         ece = ObservationExpression(
             EqualityComparisonExpression(lhs, observable_value))
         return str(ece)
     else:
         return None
Пример #8
0
def observable_x509_to_expr(
    stix2_type, hash_type: str, hash_str: str
) -> EqualityComparisonExpression:
    """
    x509 certificates in STIX-2 have no 'value' property, but an optional field
    'hashes'. This function creates a valid STIX-2 X509Certificate and wraps it
    in an EqualityComparisonExpression.
    """
    hashes = {hash_type: hash_str}  # e.g., {"SHA-256": "aec078..." }
    cert = X509Certificate(hashes=hashes)  # throws an error for invalid hashes
    hash_type = list(cert.hashes.keys())[0]  # STIX-2 corrects case and spelling
    return EqualityComparisonExpression(
        ObjectPath(cert.type, ["hashes", hash_type]), cert.hashes[hash_type]
    )
Пример #9
0
def main():
    if len(sys.argv) <= 2:
        return_data(
            {"status": "error", "message": "Missing argument to the Python script"}
        )

    if sys.argv[1] == "check":
        return_data({"status": "success"})

    observable_type = sys.argv[1]
    observable_value = sys.argv[2]
    if observable_type in PATTERN_MAPPING:
        lhs = ObjectPath(
            observable_type.lower()
            if "_" not in observable_type
            else observable_type.split("_")[0].lower(),
            PATTERN_MAPPING[observable_type],
        )
        ece = ObservationExpression(EqualityComparisonExpression(lhs, observable_value))
        return_data({"status": "success", "data": str(ece)})
    else:
        return_data({"status": "unknown", "data": None})
Пример #10
0
    def process_attribute(
        self,
        author,
        event_elements,
        event_markings,
        attribute_external_references,
        attribute,
    ):
        try:
            resolved_attributes = self.resolve_type(
                attribute["type"], attribute["value"]
            )
            if resolved_attributes is None:
                return None

            for resolved_attribute in resolved_attributes:
                ### Pre-process
                # Elements
                attribute_elements = self.prepare_elements(attribute["Galaxy"], author)
                # Markings & Tags
                attribute_tags = []
                if "Tag" in attribute:
                    attribute_markings = self.resolve_markings(
                        attribute["Tag"], with_default=False
                    )
                    attribute_tags = self.resolve_tags(attribute["Tag"])
                    if len(attribute_markings) == 0:
                        attribute_markings = event_markings
                else:
                    attribute_markings = event_markings

                ### Create the indicator
                observable_type = resolved_attribute["type"]
                observable_value = resolved_attribute["value"]
                name = resolved_attribute["value"]
                pattern_type = "stix"
                # observable type is yara for instance
                if observable_type in PATTERNTYPES:
                    pattern_type = observable_type
                    observable_type = "Unknown"
                    genuine_pattern = (
                        "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']"
                    )
                    pattern = observable_value
                    name = (
                        attribute["comment"]
                        if len(attribute["comment"]) > 0
                        else observable_type
                    )
                # observable type is not in stix 2
                elif observable_type not in OPENCTISTIX2:
                    return None
                # observable type is in stix
                else:
                    if "transform" in OPENCTISTIX2[observable_type]:
                        if (
                            OPENCTISTIX2[observable_type]["transform"]["operation"]
                            == "remove_string"
                        ):
                            observable_value = observable_value.replace(
                                OPENCTISTIX2[observable_type]["transform"]["value"], ""
                            )
                    lhs = ObjectPath(
                        OPENCTISTIX2[observable_type]["type"],
                        OPENCTISTIX2[observable_type]["path"],
                    )
                    genuine_pattern = str(
                        ObservationExpression(
                            EqualityComparisonExpression(lhs, observable_value)
                        )
                    )
                    pattern = genuine_pattern

                indicator = Indicator(
                    name=name,
                    description=attribute["comment"],
                    pattern=genuine_pattern,
                    valid_from=datetime.utcfromtimestamp(
                        int(attribute["timestamp"])
                    ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                    labels=["malicious-activity"],
                    created_by_ref=author,
                    object_marking_refs=attribute_markings,
                    external_references=attribute_external_references,
                    custom_properties={
                        "x_opencti_indicator_pattern": pattern,
                        "x_opencti_observable_type": observable_type,
                        "x_opencti_observable_value": observable_value,
                        "x_opencti_pattern_type": pattern_type,
                        "x_opencti_tags": attribute_tags,
                    },
                )

                ### Create the relationships
                relationships = []
                # Event threats
                for threat in (
                    event_elements["intrusion_sets"]
                    + event_elements["malwares"]
                    + event_elements["tools"]
                ):
                    relationships.append(
                        Relationship(
                            relationship_type="indicates",
                            created_by_ref=author,
                            source_ref=indicator.id,
                            target_ref=threat.id,
                            description=attribute["comment"],
                            object_marking_refs=attribute_markings,
                            custom_properties={
                                "x_opencti_first_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_last_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_weight": self.helper.connect_confidence_level,
                            },
                        )
                    )
                # Attribute threats
                for threat in (
                    attribute_elements["intrusion_sets"]
                    + attribute_elements["malwares"]
                    + attribute_elements["tools"]
                ):
                    relationships.append(
                        Relationship(
                            relationship_type="indicates",
                            created_by_ref=author,
                            source_ref=indicator.id,
                            target_ref=threat.id,
                            description=attribute["comment"],
                            object_marking_refs=attribute_markings,
                            custom_properties={
                                "x_opencti_first_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_last_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_weight": self.helper.connect_confidence_level,
                            },
                        )
                    )
                # Event Attack Patterns
                for attack_pattern in event_elements["attack_patterns"]:
                    if len(event_elements["malwares"]) > 0:
                        threats = event_elements["malwares"]
                    elif len(event_elements["intrusion_sets"]) > 0:
                        threats = event_elements["intrusion_sets"]
                    else:
                        threats = []
                    for threat in threats:
                        relationship_uses = Relationship(
                            relationship_type="uses",
                            created_by_ref=author,
                            source_ref=threat.id,
                            target_ref=attack_pattern.id,
                            description=attribute["comment"],
                            object_marking_refs=attribute_markings,
                            custom_properties={
                                "x_opencti_first_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_last_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_weight": self.helper.connect_confidence_level,
                                "x_opencti_ignore_dates": True,
                            },
                        )
                        relationships.append(relationship_uses)
                        relationship_indicates = Relationship(
                            relationship_type="indicates",
                            created_by_ref=author,
                            source_ref=indicator.id,
                            target_ref="malware--fa42a846-8d90-4e51-bc29-71d5b4802168",  # Fake
                            description=attribute["comment"],
                            object_marking_refs=attribute_markings,
                            custom_properties={
                                "x_opencti_first_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_last_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_weight": self.helper.connect_confidence_level,
                                "x_opencti_source_ref": indicator.id,
                                "x_opencti_target_ref": relationship_uses.id,
                            },
                        )
                        relationships.append(relationship_indicates)
                # Attribute Attack Patterns
                for attack_pattern in attribute_elements["attack_patterns"]:
                    if len(attribute_elements["malwares"]) > 0:
                        threats = attribute_elements["malwares"]
                    elif len(attribute_elements["intrusion_sets"]) > 0:
                        threats = attribute_elements["intrusion_sets"]
                    else:
                        threats = []
                    for threat in threats:
                        relationship_uses = Relationship(
                            relationship_type="uses",
                            created_by_ref=author,
                            source_ref=threat.id,
                            target_ref=attack_pattern.id,
                            description=attribute["comment"],
                            object_marking_refs=attribute_markings,
                            custom_properties={
                                "x_opencti_first_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_last_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_weight": self.helper.connect_confidence_level,
                                "x_opencti_ignore_dates": True,
                            },
                        )
                        relationships.append(relationship_uses)
                        relationship_indicates = Relationship(
                            relationship_type="indicates",
                            created_by_ref=author,
                            source_ref=indicator.id,
                            target_ref="malware--fa42a846-8d90-4e51-bc29-71d5b4802168",  # Fake
                            description=attribute["comment"],
                            object_marking_refs=attribute_markings,
                            custom_properties={
                                "x_opencti_first_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_last_seen": datetime.utcfromtimestamp(
                                    int(attribute["timestamp"])
                                ).strftime("%Y-%m-%dT%H:%M:%SZ"),
                                "x_opencti_weight": self.helper.connect_confidence_level,
                                "x_opencti_source_ref": indicator.id,
                                "x_opencti_target_ref": relationship_uses.id,
                                "x_opencti_ignore_dates": True,
                            },
                        )
                        relationships.append(relationship_indicates)

                return {
                    "indicator": indicator,
                    "relationships": relationships,
                    "attribute_elements": attribute_elements,
                    "markings": attribute_markings,
                }
        except:
            return None
Пример #11
0
    def process_attribute(self, author, event_elements, event_markings, attribute):
        resolved_attributes = self.resolve_type(attribute['type'], attribute['value'])
        if resolved_attributes is None:
            return None

        for resolved_attribute in resolved_attributes:
            ### Pre-process
            # Elements
            attribute_elements = self.prepare_elements(attribute['Galaxy'])
            # Markings
            if 'Tag' in attribute:
                attribute_markings = self.resolve_markings(attribute['Tag'], with_default=False)
                if len(attribute_markings) == 0:
                    attribute_markings = event_markings
            else:
                attribute_markings = event_markings

            ### Create the indicator
            observable_type = resolved_attribute['type']
            observable_value = resolved_attribute['value']
            pattern_type = 'stix'
            if observable_type in PATTERNTYPES:
                pattern_type = observable_type
            elif observable_type not in OPENCTISTIX2:
                return None
            else:
                if 'transform' in OPENCTISTIX2[observable_type]:
                    if OPENCTISTIX2[observable_type]['transform']['operation'] == 'remove_string':
                        observable_value = observable_value.replace(OPENCTISTIX2[observable_type]['transform']['value'], '')
                lhs = ObjectPath(OPENCTISTIX2[observable_type]['type'], OPENCTISTIX2[observable_type]['path'])
                observable_value = ObservationExpression(EqualityComparisonExpression(lhs, observable_value))
            try:
                indicator = Indicator(
                    name=resolved_attribute['value'],
                    description=attribute['comment'],
                    pattern=str(observable_value),
                    valid_from=datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime('%Y-%m-%dT%H:%M:%SZ'),
                    labels=['malicious-activity'],
                    created_by_ref=author,
                    object_marking_refs=attribute_markings,
                    custom_properties={
                        'x_opencti_observable_type': resolved_attribute['type'],
                        'x_opencti_observable_value': resolved_attribute['value'],
                        'x_opencti_pattern_type': pattern_type
                    }
                )
            except:
                return None

            ### Create the relationships
            relationships = []
            # Event threats
            for threat in (event_elements['intrusion_sets'] + event_elements['malwares'] + event_elements['tools']):
                relationships.append(
                    Relationship(
                        relationship_type='indicates',
                        created_by_ref=author,
                        source_ref=indicator.id,
                        target_ref=threat.id,
                        description=attribute['comment'],
                        object_marking_refs=attribute_markings,
                        custom_properties={
                            'x_opencti_first_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_last_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_weight': self.helper.connect_confidence_level
                        }
                    )
                )
            # Attribute threats
            for threat in (attribute_elements['intrusion_sets'] + attribute_elements['malwares'] + attribute_elements[
                'tools']):
                relationships.append(
                    Relationship(
                        relationship_type='indicates',
                        created_by_ref=author,
                        source_ref=indicator.id,
                        target_ref=threat.id,
                        description=attribute['comment'],
                        object_marking_refs=attribute_markings,
                        custom_properties={
                            'x_opencti_first_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_last_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_weight': self.helper.connect_confidence_level
                        }
                    )
                )
            # Event Attack Patterns
            for attack_pattern in event_elements['attack_patterns']:
                if len(event_elements['malwares']) > 0:
                    threats = event_elements['malwares']
                elif len(event_elements['intrusion_sets']) > 0:
                    threats = event_elements['intrusion_sets']
                else:
                    threats = []
                for threat in threats:
                    relationship_uses = Relationship(
                        relationship_type='uses',
                        created_by_ref=author,
                        source_ref=threat.id,
                        target_ref=attack_pattern.id,
                        description=attribute['comment'],
                        object_marking_refs=attribute_markings,
                        custom_properties={
                            'x_opencti_first_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_last_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_weight': self.helper.connect_confidence_level,
                            'x_opencti_ignore_dates': True
                        }
                    )
                    relationships.append(relationship_uses)
                    relationship_indicates = Relationship(
                        relationship_type='indicates',
                        created_by_ref=author,
                        source_ref=indicator.id,
                        target_ref='malware--fa42a846-8d90-4e51-bc29-71d5b4802168',  # Fake
                        description=attribute['comment'],
                        object_marking_refs=attribute_markings,
                        custom_properties={
                            'x_opencti_first_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_last_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_weight': self.helper.connect_confidence_level,
                            'x_opencti_source_ref': indicator.id,
                            'x_opencti_target_ref': relationship_uses.id
                        }
                    )
                    relationships.append(relationship_indicates)
            # Attribute Attack Patterns
            for attack_pattern in attribute_elements['attack_patterns']:
                if len(attribute_elements['malwares']) > 0:
                    threats = attribute_elements['malwares']
                elif len(attribute_elements['intrusion_sets']) > 0:
                    threats = attribute_elements['intrusion_sets']
                else:
                    threats = []
                for threat in threats:
                    relationship_uses = Relationship(
                        relationship_type='uses',
                        created_by_ref=author,
                        source_ref=threat.id,
                        target_ref=attack_pattern.id,
                        description=attribute['comment'],
                        object_marking_refs=attribute_markings,
                        custom_properties={
                            'x_opencti_first_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_last_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_weight': self.helper.connect_confidence_level,
                            'x_opencti_ignore_dates': True
                        }
                    )
                    relationships.append(relationship_uses)
                    relationship_indicates = Relationship(
                        relationship_type='indicates',
                        created_by_ref=author,
                        source_ref=indicator.id,
                        target_ref='malware--fa42a846-8d90-4e51-bc29-71d5b4802168',  # Fake
                        description=attribute['comment'],
                        object_marking_refs=attribute_markings,
                        custom_properties={
                            'x_opencti_first_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_last_seen': datetime.utcfromtimestamp(int(attribute['timestamp'])).strftime(
                                '%Y-%m-%dT%H:%M:%SZ'),
                            'x_opencti_weight': self.helper.connect_confidence_level,
                            'x_opencti_source_ref': indicator.id,
                            'x_opencti_target_ref': relationship_uses.id,
                            'x_opencti_ignore_dates': True
                        }
                    )
                    relationships.append(relationship_indicates)

            return {
                'indicator': indicator,
                'relationships': relationships,
                'attribute_elements': attribute_elements,
                'markings': attribute_markings
            }
Пример #12
0
        id  # spoofed traffic, last enip entry
    )
    stix21_object_list_MITM.append(observed_data4)

    print(observed_data1, observed_data2, observed_data3, observed_data4)

    print('')

    print(
        'Custom generated Indicators based on duplicate IP to MAC resolving, ARP traffic and spoofed traffic:'
    )

    lhs1 = ObjectPath("ipv4-addr", ["resolves_to_refs[0]"])
    lhs1b = ObjectPath("ipv4-addr", ["resolves_to_refs[1]"])
    ob1 = EqualityComparisonExpression(lhs1,
                                       StringConstant('00:00:00:00:00:05'),
                                       True)
    ob1b = EqualityComparisonExpression(lhs1b,
                                        StringConstant('00:00:00:00:00:05'))
    pattern1 = ObservationExpression(AndBooleanExpression([ob1, ob1b]))

    indicator1 = Indicator(
        name='ARP spoofing indicator - duplicate IP address',
        description='IP address resolves to two different MAC addresses',
        pattern=pattern1,
        pattern_type='stix',
        valid_from=datetime.datetime.now())
    stix21_object_list_MITM.append(indicator1)

    print(indicator1)
Пример #13
0
def generate_dos_stix21_report():
    root_dir = os.path.dirname(os.path.abspath(__file__))
    import_path = os.path.join(root_dir, 'data\\')
    export_path = os.path.join(root_dir, 'results\\')
    # sys.stdout = open(export_path+'console_output_DoS_use_case', 'w')

    stix21_object_list_DOS = list()

    print('\nUSE CASE 2 -- DoS Attack:\n')

    imported_stix21_data = import_static_stix21_data()
    imported_sro_list = imported_stix21_data[1]

    print('\n-------------------------------------------')

    get_static_mitm_sco_list()

    print('-------------------------------------------\n')

    converted_logs_DOS1 = convert_log_entries(
        import_simulation_output(import_path, "use_case_2_plc.log"))
    converted_logs_DOS2 = convert_log_entries(
        import_simulation_output(import_path, "use_case_2_hmi.log"))
    converted_pcap_DOS = convert_pcap_frames(
        import_simulation_output(import_path,
                                 "use_case_2_network_traffic.json"))

    print('')

    print(get_all_ip_addr(converted_logs_DOS1))
    print('')

    pretty_print_list(get_timespan(converted_logs_DOS1))
    print('')

    print(get_all_severity_level(converted_logs_DOS1))
    print('')

    print(get_all_ip_addr(converted_logs_DOS2))
    print('')

    pretty_print_list(get_timespan(converted_logs_DOS2))
    print('')

    print(get_all_severity_level(converted_logs_DOS2))

    print('\n-------------------------------------------\n')

    print('Generated STIX2.1 SCOs from log entries:')

    ip1dos = converted_logs_DOS1[0].generate_ipv4_addr()
    ip2dos = converted_logs_DOS2[0].generate_ipv4_addr()
    process_dos = converted_logs_DOS1[0].generate_process()
    stix21_object_list_DOS.append(ip1dos)
    stix21_object_list_DOS.append(ip2dos)
    stix21_object_list_DOS.append(process_dos)

    print(ip1dos, ip2dos, process_dos)

    print('\n-------------------------------------------\n')

    pretty_print_list(get_timespan(converted_pcap_DOS))
    print('')

    print(get_all_protocols(converted_pcap_DOS))

    print('\nDisplaying the last 10 pcap entries:')
    for element in converted_pcap_DOS[-10:]:
        print(element)

    ack_traffic = list()
    for element in converted_pcap_DOS:
        if element.eth_src == '00:00:00:00:00:02' or element.eth_dst == '00:00:00:00:00:02':
            ack_traffic.append(element)

    print('\nDisplaying 5 SYN/ACK pcap entries:')
    pretty_print_list(ack_traffic[:5])

    print('\n-------------------------------------------\n')

    mac3_dos = converted_pcap_DOS[0].generate_mac_addr('src')
    stix21_object_list_DOS.append(mac3_dos)
    mac1_dos = converted_pcap_DOS[0].generate_mac_addr('dst')
    stix21_object_list_DOS.append(mac1_dos)
    mac2_dos = ack_traffic[0].generate_mac_addr('dst')
    stix21_object_list_DOS.append(mac2_dos)

    print('Generated STIX2.1 MAC addresses from pcap frames:')
    print(mac1_dos, mac2_dos, mac3_dos)

    print(
        '\nGenerated STIX2.1 network traffic SCOs from pcap frames (excerpt shown):'
    )

    network_traffic_DOS_list = list()
    for element in converted_pcap_DOS[:100]:
        network_traffic_DOS = element.generate_network_traffic(
            stix21_object_list_DOS)
        network_traffic_DOS_list.append(network_traffic_DOS)
        stix21_object_list_DOS.append(network_traffic_DOS)

    pretty_print_list(network_traffic_DOS_list[:5])

    print('\n-------------------------------------------\n')
    get_static_stix21_objects_dos_round_1()

    print('\n-------------------------------------------\n')
    ip2dos_updated = IPv4Address(id=ip2dos.id,
                                 value=ip2dos.value,
                                 resolves_to_refs=[mac2_dos.id, mac3_dos.id])
    stix21_object_list_DOS.remove(ip2dos)
    stix21_object_list_DOS.append(ip2dos_updated)

    print('Updated IPv4 address object (embedded relationship):\n{}\n'.format(
        ip2dos_updated))

    print('Custom selected and generated Infrastructure SDO and related SROs:')
    infrastructure_dos = Infrastructure(
        name='Conyeor belt digital twin',
        description=
        "Digital twin representing a conveyor belt with HMI and PLC. Target of the conducted attack"
    )
    stix21_object_list_DOS.append(infrastructure_dos)

    rel_infra_ip1_dos = Relationship(source_ref=infrastructure_dos,
                                     relationship_type='consists_of',
                                     target_ref=ip1dos)
    rel_infra_ip2_dos = Relationship(source_ref=infrastructure_dos,
                                     relationship_type='consists_of',
                                     target_ref=ip2dos_updated)
    rel_infra_process_dos = Relationship(source_ref=infrastructure_dos,
                                         relationship_type='consists_of',
                                         target_ref=process_dos)
    stix21_object_list_DOS.append(rel_infra_ip1_dos)
    stix21_object_list_DOS.append(rel_infra_ip2_dos)
    stix21_object_list_DOS.append(rel_infra_process_dos)

    print(infrastructure_dos, rel_infra_ip1_dos, rel_infra_ip2_dos,
          rel_infra_process_dos)

    print(
        '\nCustom generated Observed Data for IP addresses and spoofed SYN-flooding traffic:'
    )

    observed_data1_dos = ObservedData(
        first_observed=converted_logs_DOS2[0].timestamp,
        last_observed=converted_logs_DOS2[-1].timestamp,
        number_observed=1,
        object_refs=[ip2dos_updated]  # duplicate IP
    )
    stix21_object_list_DOS.append(observed_data1_dos)

    nw_traffic_dos_id_list = list()
    for element in network_traffic_DOS_list:
        nw_traffic_dos_id_list.append(element.id)

    observed_data2_dos = ObservedData(
        first_observed=converted_pcap_DOS[0].timestamp,
        last_observed=converted_pcap_DOS[len(converted_pcap_DOS) -
                                         1].timestamp,
        number_observed=100,
        object_refs=nw_traffic_dos_id_list  # SYN traffic excerpt
    )
    stix21_object_list_DOS.append(observed_data2_dos)

    print(observed_data1_dos, observed_data2_dos)

    print('\n-------------------------------------------\n')

    search_list1 = search_stix21_objects(imported_sro_list, "observed-data",
                                         'direct')
    print('The following direct relationships exist for Observed Data:')
    for entry in search_list1:
        print(entry)

    print(
        'Custom generated Indicators and relationships between Observed Data and Indicators:\n'
    )

    lhs1 = ObjectPath("ipv4-addr", ["resolves_to_refs[0]"])
    lhs1b = ObjectPath("ipv4-addr", ["resolves_to_refs[1]"])
    ob1 = EqualityComparisonExpression(lhs1,
                                       StringConstant('00:00:00:00:00:03'),
                                       True)
    ob1b = EqualityComparisonExpression(lhs1b,
                                        StringConstant('00:00:00:00:00:03'))
    pattern1_dos = ObservationExpression(AndBooleanExpression([ob1, ob1b]))

    indicator1_dos = Indicator(
        name='Spoofing indicator - duplicate IP address',
        description='IP address resolves to two different MAC addresses',
        pattern=pattern1_dos,
        pattern_type='stix',
        valid_from=datetime.datetime.now())
    stix21_object_list_DOS.append(indicator1_dos)

    print(indicator1_dos)

    lhs2 = ObjectPath('network-traffic', ['scr_ref'])
    ob2 = EqualityComparisonExpression(lhs2,
                                       StringConstant('00:00:00:00:00:03'))
    lhs2a = ObjectPath('network-traffic', ['dst_ref'])
    ob2a = EqualityComparisonExpression(lhs2a,
                                        StringConstant('00:00:00:00:00:01'))
    lhs2b = ObjectPath('network-traffic', ['protocols[1]'])
    ob2b = EqualityComparisonExpression(lhs2b, StringConstant('tcp'))
    obe2 = ObservationExpression(AndBooleanExpression([ob2, ob2a, ob2b]))
    pattern2_dos = QualifiedObservationExpression(
        QualifiedObservationExpression(obe2, RepeatQualifier(100)),
        WithinQualifier(1))

    indicator2_dos = Indicator(
        name='SYN flooding indicator',
        description=
        'Highly repetitive tcp network traffic originating from malicious MAC address',
        pattern=pattern2_dos,
        pattern_type='stix',
        valid_from=datetime.datetime.now())
    stix21_object_list_DOS.append(indicator2_dos)

    print(indicator2_dos)

    rel_indicator_observed1_dos = Relationship(source_ref=indicator1_dos,
                                               relationship_type='based-on',
                                               target_ref=observed_data1_dos)
    rel_indicator_observed2_dos = Relationship(source_ref=indicator2_dos,
                                               relationship_type='based-on',
                                               target_ref=observed_data2_dos)

    stix21_object_list_DOS.append(rel_indicator_observed1_dos)
    stix21_object_list_DOS.append(rel_indicator_observed2_dos)

    print(rel_indicator_observed1_dos, rel_indicator_observed2_dos)

    print('\n-------------------------------------------\n')
    print(
        'Custom generated Attack Pattern, Tool and additional relationships:')

    attack_pattern_dos = AttackPattern(
        name='DoS SYN flooding attack',
        description=
        'The attacker executes a Denial of Service attack with TCP SYN requests consuming the resources of'
        ' its target',
        external_references=[
            ExternalReference(source_name='capec', external_id='CAPEC-125'),
            ExternalReference(source_name='capec', external_id='CAPEC-482')
        ],
        kill_chain_phases=KillChainPhase(
            kill_chain_name='lockheed-martin-cyber-kill-chain',
            phase_name='actions-on-objective'))
    stix21_object_list_DOS.append(attack_pattern_dos)

    tool_dos = Tool(name='hping3')
    stix21_object_list_DOS.append(tool_dos)

    print(attack_pattern_dos, tool_dos)

    rel_indicator_attack1_dos = Relationship(source_ref=indicator1_dos,
                                             relationship_type='indicates',
                                             target_ref=attack_pattern_dos)
    rel_indicator_attack2_dos = Relationship(source_ref=indicator2_dos,
                                             relationship_type='indicates',
                                             target_ref=attack_pattern_dos)
    rel_attack_tool_dos = Relationship(source_ref=attack_pattern_dos,
                                       relationship_type='uses',
                                       target_ref=tool_dos)
    stix21_object_list_DOS.append(rel_indicator_attack1_dos)
    stix21_object_list_DOS.append(rel_indicator_attack2_dos)
    stix21_object_list_DOS.append(rel_attack_tool_dos)

    print(rel_indicator_attack1_dos, rel_indicator_attack2_dos,
          rel_attack_tool_dos)

    DOS_id_list = list()
    for element in stix21_object_list_DOS:
        DOS_id_list.append(element.id)

    print('\n-------------------------------------------\n')
    print('Generated Report for the Digital Twin DoS simulation use case:')

    report_DOS = Report(
        name='Digital Twin based DoS attack simulation with SYN flooding',
        description=
        'This report describes a simulated DoS attack on a conveyor belt using a digital twin in'
        ' simulation mode. The attack is based on repeatedly spoofed TCP traffic.',
        published=datetime.datetime.now(),
        object_refs=DOS_id_list)
    stix21_object_list_DOS.append(report_DOS)

    print(report_DOS)

    bundle_DOS = Bundle(objects=stix21_object_list_DOS)

    print('\n-------------------------------------------')

    mem = MemoryStore()
    mem.add(bundle_DOS)
    # mem.save_to_file(export_path+'STIX21_output_DoS_use_case.json')

    print('-------------------------------------------')