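def build_stix():
    """Build a sample STIXPackage holding one Incident ("Breach of CyberTech Dynamics").

    The incident carries a reporter (InformationSource with identity and
    produced time), incident-phase timestamps, one victim Identity and a
    single ImpactAssessment listing both observed effects.

    Returns:
        STIXPackage with the incident added.
    """
    stix_package = STIXPackage()

    # Incident plus the reporter's stated confidence in it.
    breach = Incident()
    breach.title = "Breach of CyberTech Dynamics"
    breach.description = "Intrusion into enterprise network"
    breach.confidence = "High"

    # Who reported it and when they submitted the report.
    breach.reporter = InformationSource()
    breach.reporter.description = "The person who reported it"
    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime("2014-03-11", "%Y-%m-%d")
    breach.reporter.identity = Identity()
    breach.reporter.identity.name = "Sample Investigations, LLC"

    # Incident-phase timestamps (naive dates, as in the original sample).
    breach.time = incidentTime()
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")

    # Victim organisation.
    victim = Identity()
    victim.name = "CyberTech Dynamics"
    breach.add_victim(victim)

    # One impact assessment carrying both effects. The original built two
    # ImpactAssessment objects and assigned each to breach.impact_assessment,
    # so "Unintended Access" was silently overwritten by "Financial Loss".
    impact = ImpactAssessment()
    impact.effects = Effects("Unintended Access")
    impact.add_effect("Financial Loss")
    breach.impact_assessment = impact

    stix_package.add_incident(breach)
    return stix_package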
def from_dict(cls, dict_repr, return_obj=None):
    """Populate a ThreatActor from its dict representation.

    Returns None for an empty/None ``dict_repr``. Otherwise base-class
    fields are filled by ``super().from_dict`` and each ThreatActor field is
    rebuilt from its own sub-dict (a missing key yields None from the
    respective ``from_dict``). A fresh ``cls()`` is used when ``return_obj``
    is not supplied.
    """
    if not dict_repr:
        return None
    actor = return_obj if return_obj else cls()
    super(ThreatActor, cls).from_dict(dict_repr, return_obj=actor)

    field = dict_repr.get
    actor.identity = Identity.from_dict(field('identity'))
    actor.types = _Types.from_dict(field('types'))
    actor.motivations = _Motivations.from_dict(field('motivations'))
    actor.sophistications = _Sophistications.from_dict(field('sophistications'))
    actor.intended_effects = _IntendedEffects.from_dict(field('intended_effects'))
    actor.planning_and_operational_supports = _PlanningAndOperationalSupports.from_dict(
        field('planning_and_operational_supports'))
    actor.observed_ttps = ObservedTTPs.from_dict(field('observed_ttps'))
    actor.associated_campaigns = AssociatedCampaigns.from_dict(field('associated_campaigns'))
    actor.associated_actors = AssociatedActors.from_dict(field('associated_actors'))
    actor.handling = Marking.from_dict(field('handling'))
    actor.confidence = Confidence.from_dict(field('confidence'))
    actor.related_packages = RelatedPackageRefs.from_dict(field('related_packages'))
    return actor
def add_victim(self, victim):
    """Append *victim* to ``self.victims``.

    Falsy input is ignored. An ``Identity`` is appended unchanged; any other
    value is treated as a name and wrapped in ``Identity(name=...)``.
    """
    if not victim:
        return
    entry = victim if isinstance(victim, Identity) else Identity(name=victim)
    self.victims.append(entry)
def main():
    """Print a STIX package with two Reports that reference a shared Campaign and TTP by id."""
    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    # Report 1: campaign characterization, referencing the campaign by idref.
    alpha_header = Header()
    alpha_header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    alpha_header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
    alpha_header.intents = "Campaign Characterization"
    alpha_report = Report()
    alpha_report.header = alpha_header
    alpha_report.add_campaign(Campaign(idref=campaign.id_))

    # Report 2: malware indicators, referencing the TTP by idref.
    rat_header = Header()
    rat_header.title = "Indicators for Malware DrownedRat"
    rat_header.intents = "Indicators - Malware Artifacts"
    rat_report = Report()
    rat_report.header = rat_header
    rat_report.add_ttp(TTP(idref=ttp.id_))

    # Package with the sharing program as information source.
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    wrapper = STIXPackage()
    wrapper.stix_header = STIXHeader(information_source=info_src)
    for report in (alpha_report, rat_report):
        wrapper.add_report(report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)
    print(wrapper.to_xml())
def main():
    """Print a STIX package whose single Indicator carries a YARA test mechanism."""
    rule = """
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
"""
    # The YARA rule text is embedded verbatim; python-stix escapes it on serialization.
    mechanism = YaraTestMechanism()
    mechanism.rule = rule
    mechanism.producer = InformationSource(identity=Identity(name="Yara"))
    mechanism.producer.references = ["http://plusvic.github.io/yara/"]

    indicator = Indicator(title="silent_banker", description="This is just an example")
    indicator.test_mechanisms = TestMechanisms([mechanism])

    package = STIXPackage()
    package.add_indicator(indicator)
    print(package.to_xml(encoding=None))
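def main():
    """Emit a STIX package pairing a Zeus TTP with an OpenIOC test mechanism.

    Loads the IOC document from disk, describes Zeus as a malware-instance
    TTP, and wraps the IOC in an Indicator whose indicated TTP references
    the Zeus TTP by id.
    """
    # NOTE(review): etree.parse() runs with the default parser. If this is
    # lxml and the .ioc file can come from an outside party, parse it with
    # XMLParser(resolve_entities=False, no_network=True) to rule out XXE;
    # the stdlib ElementTree does not expand external entities.
    ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc')

    stix_package = STIXPackage()

    # Zeus as a TTP with its known aliases. The original created a throwaway
    # TTP() before the titled one; that discarded object is dropped here.
    malware_instance = MalwareInstance()
    malware_instance.names = ['Zeus', 'twexts', 'sdra64', 'ntos']
    ttp = TTP(title="Zeus")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos")
    tm = OpenIOCTestMechanism()
    tm.ioc = ioc
    # NOTE(review): the producer identity "Yara" looks copied from the YARA
    # example; this mechanism is OpenIOC — confirm the intended producer.
    tm.producer = InformationSource(identity=Identity(name="Yara"))
    produced = Time()
    produced.produced_time = "0001-01-01T00:00:00"  # placeholder, not a real production time
    tm.producer.time = produced
    tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"]
    indicator.test_mechanisms = [tm]
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.add_indicator(indicator)
    stix_package.add_ttp(ttp)
    print(stix_package.to_xml())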
def from_obj(cls, obj, return_obj=None):
    """Populate a ThreatActor from its generated binding object.

    Returns None for a falsy ``obj``. Base fields come from
    ``super().from_obj``; the ThreatActorType-specific fields are only read
    when ``obj`` is an instance of ``cls._binding_class``.
    """
    if not obj:
        return None
    actor = return_obj if return_obj else cls()
    super(ThreatActor, cls).from_obj(obj, return_obj=actor)

    if isinstance(obj, cls._binding_class):
        # ThreatActorType properties
        actor.identity = Identity.from_obj(obj.Identity)
        actor.types = _Types.from_obj(obj.Type)
        actor.motivations = _Motivations.from_obj(obj.Motivation)
        actor.sophistications = _Sophistications.from_obj(obj.Sophistication)
        actor.intended_effects = _IntendedEffects.from_obj(obj.Intended_Effect)
        actor.planning_and_operational_supports = _PlanningAndOperationalSupports.from_obj(
            obj.Planning_And_Operational_Support)
        actor.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
        actor.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
        actor.associated_actors = AssociatedActors.from_obj(obj.Associated_Actors)
        actor.confidence = Confidence.from_obj(obj.Confidence)
        actor.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
    return actor
def main():
    """Print a STIX package describing Adversary Bravo and the two TTPs it leverages."""
    stix_package = STIXPackage()

    # Phishing attack pattern (CAPEC-98).
    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-98"
    attack_pattern.description = "Phishing"
    ttp_phishing = TTP(title="Phishing")
    ttp_phishing.behavior = Behavior()
    ttp_phishing.behavior.add_attack_pattern(attack_pattern)

    # Poison Ivy RAT variant.
    malware_instance = MalwareInstance()
    malware_instance.add_name("Poison Ivy Variant d1c6")
    malware_instance.add_type("Remote Access Trojan")
    ttp_pivy = TTP(title="Poison Ivy Variant d1c6")
    ttp_pivy.behavior = Behavior()
    ttp_pivy.behavior.add_malware_instance(malware_instance)

    # Threat actor, linked to both TTPs by idref.
    ta_bravo = ThreatActor(title="Adversary Bravo")
    ta_bravo.identity = Identity(name="Adversary Bravo")
    for ttp, relationship in ((ttp_phishing, "Leverages Attack Pattern"),
                              (ttp_pivy, "Leverages Malware")):
        ta_bravo.observed_ttps.append(RelatedTTP(TTP(idref=ttp.id_), relationship=relationship))

    stix_package.add_ttp(ttp_phishing)
    stix_package.add_ttp(ttp_pivy)
    stix_package.add_threat_actor(ta_bravo)
    print(stix_package.to_xml())
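def from_dict(cls, dict_repr, return_obj=None):
    """Populate an Incident from its dict representation.

    Returns None for an empty/None ``dict_repr``; otherwise fills every
    Incident field from the corresponding key (list fields default to an
    empty list, scalar sub-objects to None via their own ``from_dict``).
    ``version`` falls back to ``cls._version`` when absent.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()
    get = dict_repr.get

    return_obj.id_ = get('id')
    return_obj.idref = get('idref')
    return_obj.timestamp = get('timestamp')
    return_obj.version = get('version', cls._version)
    return_obj.title = get('title')
    return_obj.description = StructuredText.from_dict(get('description'))
    return_obj.short_description = StructuredText.from_dict(get('short_description'))
    return_obj.time = Time.from_dict(get('time'))
    return_obj.victims = [Identity.from_dict(x) for x in get('victims', [])]
    return_obj.categories = [IncidentCategory.from_dict(x) for x in get('categories', [])]
    return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(get('attributed_threat_actors'))
    return_obj.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
    return_obj.related_observables = RelatedObservables.from_dict(get('related_observables'))
    return_obj.related_incidents = RelatedIncidents.from_dict(get('related_incidents'))
    return_obj.intended_effects = [Statement.from_dict(x) for x in get('intended_effects', [])]
    return_obj.leveraged_ttps = LeveragedTTPs.from_dict(get('leveraged_ttps'))
    return_obj.affected_assets = [AffectedAsset.from_dict(x) for x in get('affected_assets', [])]
    # The original assigned to 'discovery_methdos' (typo), so the parsed
    # discovery methods never reached the real attribute.
    return_obj.discovery_methods = [DiscoveryMethod.from_dict(x) for x in get('discovery_methods', [])]
    return_obj.reporter = InformationSource.from_dict(get('reporter'))
    return_obj.responders = [InformationSource.from_dict(x) for x in get('responders', [])]
    return_obj.coordinators = [InformationSource.from_dict(x) for x in get('coordinators', [])]
    return_obj.external_ids = [ExternalID.from_dict(x) for x in get('external_ids', [])]
    return_obj.impact_assessment = ImpactAssessment.from_dict(get('impact_assessment'))
    return_obj.information_source = InformationSource.from_dict(get('information_source'))
    return_obj.security_compromise = SecurityCompromise.from_dict(get('security_compromise'))
    return_obj.confidence = Confidence.from_dict(get('confidence'))
    return_obj.coa_taken = [COATaken.from_dict(x) for x in get('coa_taken', [])]
    return return_obj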
def generate_indicators(self, count):
    """Generate a list of STIX Indicators.

    Every indicator gets a fixed title, a 'Secret Source' producer identity,
    the current local time as produced time, one randomly chosen indicator
    type, fixed short/long descriptions, a random confidence value, one
    randomly chosen LMCO kill-chain phase and 0-5 IP observables from
    ``self.gen_ips``. The user-agent, FQDN and URL generators that were
    commented out in the original stay disabled here.

    Args:
        count: number of indicators to build.

    Returns:
        list of Indicator objects.
    """
    indicator_types = ['Malware Artifacts', 'C2', 'Exfiltration']
    confidence_values = ['High', 'Medium', 'Low', 'None', 'Unknown']

    indicators = []
    for _ in range(count):
        ind = Indicator(title='Multiple indicator types')
        ind.set_producer_identity(Identity(name='Secret Source'))
        ind.set_produced_time(datetime.today())
        ind.add_indicator_type(choice(indicator_types))
        ind.add_short_description('Short description...')
        ind.add_description('Long description...')
        ind.confidence = Confidence(choice(confidence_values))

        phase = choice(LMCO_KILL_CHAIN_PHASES)
        ind.kill_chain_phases = KillChainPhasesReference(
            [KillChainPhaseReference(name=phase.name)])

        for ip in self.gen_ips(randint(0, 5)):
            ind.add_observable(ip)

        indicators.append(ind)
    return indicators
def from_obj(cls, obj, return_obj=None):
    """Populate a ThreatActor from its generated binding object (getter style).

    Returns None for a falsy ``obj``. id/idref/timestamp are always copied;
    the ThreatActorType-specific fields only when ``obj`` is an instance of
    ``cls._binding_class``. ``version`` falls back to ``cls._version`` when
    the binding has none.
    """
    if not obj:
        return None
    actor = return_obj if return_obj else cls()

    actor.id_ = obj.get_id()
    actor.idref = obj.get_idref()
    actor.timestamp = obj.get_timestamp()

    if isinstance(obj, cls._binding_class):
        # ThreatActorType properties
        actor.version = obj.get_version() or cls._version
        actor.title = obj.get_Title()
        actor.description = StructuredText.from_obj(obj.get_Description())
        actor.short_description = StructuredText.from_obj(obj.get_Short_Description())
        actor.identity = Identity.from_obj(obj.get_Identity())
        actor.types = list(map(Statement.from_obj, obj.get_Type()))
        actor.motivations = list(map(Statement.from_obj, obj.get_Motivation()))
        actor.sophistications = list(map(Statement.from_obj, obj.get_Sophistication()))
        actor.intended_effects = list(map(Statement.from_obj, obj.get_Intended_Effect()))
        actor.planning_and_operational_supports = list(
            map(Statement.from_obj, obj.get_Planning_And_Operational_Support()))
        actor.observed_ttps = ObservedTTPs.from_obj(obj.get_Observed_TTPs())
        actor.associated_campaigns = AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns())
        actor.associated_actors = AssociatedActors.from_obj(obj.get_Associated_Actors())
        actor.handling = Marking.from_obj(obj.get_Handling())
        actor.confidence = Confidence.from_obj(obj.get_Confidence())
        actor.information_source = InformationSource.from_obj(obj.get_Information_Source())
        actor.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())
    return actor
def from_obj(cls, obj, return_obj=None):
    """Populate an Incident from its generated binding object.

    Returns None for a falsy ``obj``. id/idref/timestamp are always copied;
    the remaining fields only when ``obj`` is an instance of
    ``cls._binding_class``. Victims, categories, intended effects and
    affected assets are assigned only when the binding has at least one.
    """
    if not obj:
        return None
    incident = return_obj if return_obj else cls()

    incident.id_ = obj.get_id()
    incident.idref = obj.get_idref()
    incident.timestamp = obj.get_timestamp()

    if isinstance(obj, cls._binding_class):
        incident.version = obj.get_version() or cls._version
        incident.title = obj.get_Title()
        incident.description = StructuredText.from_obj(obj.get_Description())
        incident.short_description = StructuredText.from_obj(obj.get_Short_Description())
        incident.time = Time.from_obj(obj.get_Time())

        victims = obj.get_Victim()
        if victims:
            incident.victims = list(map(Identity.from_obj, victims))
        categories = obj.get_Categories()
        if categories:
            incident.categories = list(map(IncidentCategory.from_obj, categories.get_Category()))
        effects = obj.get_Intended_Effect()
        if effects:
            incident.intended_effects = list(map(Statement.from_obj, effects))
        assets = obj.get_Affected_Assets()
        if assets:
            incident.affected_assets = list(map(AffectedAsset.from_obj, assets.get_Affected_Asset()))

        incident.attributed_threat_actors = AttributedThreatActors.from_obj(obj.get_Attributed_Threat_Actors())
        incident.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
        # NOTE(review): RelatedObservable (singular) is used here for the
        # Related_Observables element, while the other Incident loaders in
        # this file use RelatedObservables — confirm which class this
        # version of the library actually defines.
        incident.related_observables = RelatedObservable.from_obj(obj.get_Related_Observables())
        incident.leveraged_ttps = LeveragedTTPs.from_obj(obj.get_Leveraged_TTPs())
    return incident
def from_obj(cls, obj, return_obj=None):
    """Populate a ThreatActor from its binding object (attribute style).

    Returns None for a falsy ``obj``. id/idref/timestamp are always copied;
    the ThreatActorType-specific fields only when ``obj`` is an instance of
    ``cls._binding_class``. ``version`` is copied as-is (no default).
    """
    if not obj:
        return None
    actor = return_obj if return_obj else cls()

    actor.id_ = obj.id
    actor.idref = obj.idref
    actor.timestamp = obj.timestamp

    if isinstance(obj, cls._binding_class):
        # ThreatActorType properties
        actor.version = obj.version
        actor.title = obj.Title
        actor.description = StructuredText.from_obj(obj.Description)
        actor.short_description = StructuredText.from_obj(obj.Short_Description)
        actor.identity = Identity.from_obj(obj.Identity)
        actor.types = list(map(Statement.from_obj, obj.Type))
        actor.motivations = list(map(Statement.from_obj, obj.Motivation))
        actor.sophistications = list(map(Statement.from_obj, obj.Sophistication))
        actor.intended_effects = list(map(Statement.from_obj, obj.Intended_Effect))
        actor.planning_and_operational_supports = list(
            map(Statement.from_obj, obj.Planning_And_Operational_Support))
        actor.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
        actor.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
        actor.associated_actors = AssociatedActors.from_obj(obj.Associated_Actors)
        actor.handling = Marking.from_obj(obj.Handling)
        actor.confidence = Confidence.from_obj(obj.Confidence)
        actor.information_source = InformationSource.from_obj(obj.Information_Source)
        actor.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
    return actor
def from_dict(cls, dict_repr, return_obj=None):
    """Populate a ThreatActor from its dict representation.

    Returns None for an empty/None ``dict_repr``. Scalar sub-objects are
    rebuilt through their own ``from_dict`` (None when the key is missing);
    the Statement lists default to empty. ``version`` is copied as-is.
    """
    if not dict_repr:
        return None
    actor = return_obj if return_obj else cls()
    get = dict_repr.get

    actor.id_ = get('id')
    actor.idref = get('idref')
    actor.timestamp = get('timestamp')
    actor.version = get('version')
    actor.title = get('title')
    actor.description = StructuredText.from_dict(get('description'))
    actor.short_description = StructuredText.from_dict(get('short_description'))
    actor.identity = Identity.from_dict(get('identity'))

    # Statement-valued list fields, all sharing the same shape.
    for attr in ('types', 'motivations', 'sophistications',
                 'intended_effects', 'planning_and_operational_supports'):
        setattr(actor, attr, [Statement.from_dict(x) for x in get(attr, [])])

    actor.observed_ttps = ObservedTTPs.from_dict(get('observed_ttps'))
    actor.associated_campaigns = AssociatedCampaigns.from_dict(get('associated_campaigns'))
    actor.associated_actors = AssociatedActors.from_dict(get('associated_actors'))
    actor.handling = Marking.from_dict(get('handling'))
    actor.confidence = Confidence.from_dict(get('confidence'))
    actor.information_source = InformationSource.from_dict(get('information_source'))
    actor.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))
    return actor
def from_dict(cls, dict_repr, return_obj=None):
    """Populate a ThreatActor from its dict representation.

    Returns None for an empty/None ``dict_repr``. Base-class fields are
    filled by ``super().from_dict``; each ThreatActor-specific field is then
    rebuilt from its own sub-dict (None when the key is missing).
    """
    if not dict_repr:
        return None
    actor = return_obj if return_obj else cls()
    super(ThreatActor, cls).from_dict(dict_repr, return_obj=actor)

    # (attribute name, loader class, dict key) for every field that is
    # a plain "rebuild from sub-dict" mapping.
    loaders = (
        ('identity', Identity, 'identity'),
        ('types', _Types, 'types'),
        ('motivations', _Motivations, 'motivations'),
        ('sophistications', _Sophistications, 'sophistications'),
        ('intended_effects', _IntendedEffects, 'intended_effects'),
        ('planning_and_operational_supports', _PlanningAndOperationalSupports,
         'planning_and_operational_supports'),
        ('observed_ttps', ObservedTTPs, 'observed_ttps'),
        ('associated_campaigns', AssociatedCampaigns, 'associated_campaigns'),
        ('associated_actors', AssociatedActors, 'associated_actors'),
        ('confidence', Confidence, 'confidence'),
        ('related_packages', RelatedPackageRefs, 'related_packages'),
    )
    for attr, loader, key in loaders:
        setattr(actor, attr, loader.from_dict(dict_repr.get(key)))
    return actor
def add_persona(self, persona):
    """Append *persona* to ``self._personas``.

    Falsy input is ignored. An ``Identity`` is appended unchanged; any other
    value is treated as a name and wrapped in ``Identity(name=...)``.
    """
    if not persona:
        return
    entry = persona if isinstance(persona, Identity) else Identity(name=persona)
    self._personas.append(entry)
def to_source(obj):
    """Build an InformationSource from a request/response record.

    The top-level source carries ``obj.request``'s date, rfi text and source
    name; every entry of ``obj.response`` becomes a contributing source with
    its own date, source name and rfi text.
    """
    from stix.common import InformationSource, Identity

    source = InformationSource()
    source.time = Time(obj.request.date)
    source.description = obj.request.rfi
    source.identity = Identity(name=obj.request.source)

    for reply in obj.response:
        contributor = InformationSource()
        contributor.time = Time(reply.date)
        contributor.identity = Identity(name=reply.source)
        contributor.description = reply.rfi
        source.add_contributing_source(contributor)
    return source
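def main():
    """Build and print a TLP-marked STIX package of IP-watchlist indicators.

    Input comes from loaddata(); the keys read here are NSXURL, NS,
    Identity, TLP_COLOR, Title, Description and IOC, where IOC maps an IPv4
    address to the list of file hashes downloaded from it. Every value
    passes through sanitizer() before being placed in the document.
    """
    mydata = loaddata()

    # ID namespace: new ids will be prefixed by the configured NS.
    NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
    set_id_namespace(NAMESPACE)

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name=sanitizer(mydata["Identity"]))

    # TLP marking applied to every node and attribute of the package.
    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = sanitizer(mydata["TLP_COLOR"])
    marking_specification.marking_structures.append(tlp)
    handling = Marking()
    handling.add_marking(marking_specification)

    # Local naive wall-clock time, as in the original; used as the short description.
    timestamp = datetime.datetime.fromtimestamp(time.time()).strftime('%Y-%m-%d %H:%M:%S')
    MyTITLE = sanitizer(mydata["Title"])
    SHORT = timestamp
    DESCRIPTION = sanitizer(mydata["Description"])
    wrapper.stix_header = STIXHeader(information_source=info_src, title=MyTITLE,
                                     description=DESCRIPTION, short_description=SHORT)
    wrapper.stix_header.handling = handling

    indiDom = Indicator()
    indiDom.title = MyTITLE
    indiDom.add_indicator_type("IP Watchlist")

    # One observable per IP, each related to the files downloaded from it.
    # The original inner loop was 'for idx, mydata["IOC"][key] in
    # enumerate(mydata["IOC"][key])', which rebound the dict entry being
    # iterated to each hash in turn and left the last hash in place of the
    # list once the loop finished; a local name is iterated instead.
    for key, hashes in mydata["IOC"].items():
        myip = Address(address_value=sanitizer(key), category=Address.CAT_IPV4)
        myip.condition = "Equals"
        obsu = Observable(myip)
        for file_hash in hashes:
            ioc = File()
            ioc.add_hash(sanitizer(file_hash))
            myip.add_related(ioc, "Downloaded")
        indiDom.add_observable(obsu)

    wrapper.add_indicator(indiDom)
    print(wrapper.to_xml())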
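def cvebuild(var):
    """Search for a CVE ID and return a STIX formatted response.

    Args:
        var: CVE identifier handed straight to CVESearch.id().

    Returns:
        The STIXPackage serialized as XML. When the module runs as a script
        the XML is also passed to _postconstruct() together with the
        package id's local part.

    Raises:
        SystemExit: via sys.exit() when CVESearch returns no data.
        KeyError: when the response lacks the required 'id' or 'summary'.
    """
    cve = CVESearch()
    data = json.loads(cve.id(var))
    if not data:
        sys.exit("[-] Error retrieving details for " + var)

    # Configure the ID namespace; the API moved from stix.utils to mixbox.
    try:
        from stix.utils import set_id_namespace
        set_id_namespace({NS: NS_PREFIX})
    except ImportError:
        from mixbox.idgen import set_id_namespace
        from mixbox.namespaces import Namespace
        set_id_namespace(Namespace(NS, NS_PREFIX, ""))

    # One package with a marked header. (The original built the package and
    # header twice; the first pair was discarded.)
    pkg = STIXPackage()
    pkg.stix_header = STIXHeader()
    pkg.stix_header.handling = _marking()

    # Exploit target described by NVD data. 'id' and 'summary' are required;
    # a response without them is malformed and the KeyError propagates.
    expt = ExploitTarget()
    expt.title = data['id']
    expt.description = data['summary']
    expt.information_source = InformationSource(
        identity=Identity(name="National Vulnerability Database"))
    expt.add_vulnerability(_vulnbuild(data))

    # Link the configured courses of action by reference.
    for coa in COAS:
        expt.potential_coas.append(
            CourseOfAction(idref=coa['id'], timestamp=expt.timestamp))

    # Optional CAPEC-derived TTPs. The original wrapped this loop in
    # 'except KeyError: pass', which also hid KeyErrors raised inside
    # _buildttp(); only the 'capec' key itself is optional.
    if TTPON is True:
        for capec in data.get('capec', []):
            pkg.add_ttp(_buildttp(capec, expt))

    expt.add_weakness(_weakbuild(data))
    pkg.add_exploit_target(expt)

    xml = pkg.to_xml()
    title = pkg.id_.split(':', 1)[-1]
    # Only write to disk when run as a script, not when imported.
    if __name__ == '__main__':
        _postconstruct(xml, title)
    return xml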
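def build_stix():
    """Build a sample STIXPackage with one Incident, "Breach of CyberTech Dynamics".

    The incident has a reporter (InformationSource with identity and
    produced time), incident-phase timestamps, one victim Identity and a
    single ImpactAssessment that lists both observed effects.

    Returns:
        STIXPackage containing the incident.
    """
    stix_package = STIXPackage()

    # Incident and the reporter's confidence in it.
    breach = Incident()
    breach.description = "Intrusion into enterprise network"
    breach.confidence = "High"

    # Reporter: who submitted the report and when.
    reporter = InformationSource()
    reporter.description = "The person who reported it"
    reporter.time = Time()
    reporter.time.produced_time = datetime.strptime("2014-03-11", "%Y-%m-%d")
    reporter.identity = Identity()
    reporter.identity.name = "Sample Investigations, LLC"
    breach.reporter = reporter

    # Incident-phase timestamps (naive dates, as in the original sample).
    breach.time = incidentTime()
    breach.title = "Breach of CyberTech Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")

    # Victim organisation.
    victim = Identity()
    victim.name = "CyberTech Dynamics"
    breach.add_victim(victim)

    # A single impact assessment with both effects. The original assigned
    # two separate ImpactAssessment objects to breach.impact_assessment, so
    # the first effect ("Unintended Access") was silently lost.
    impact = ImpactAssessment()
    impact.effects = Effects("Unintended Access")
    impact.add_effect("Financial Loss")
    breach.impact_assessment = impact

    stix_package.add_incident(breach)
    return stix_package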
def from_obj(cls, obj, return_obj=None):
    """Populate an Incident from its generated binding object (getter style).

    Returns None for a falsy ``obj``. id/idref/timestamp are always copied;
    everything else only when ``obj`` is an instance of
    ``cls._binding_class``. The guarded fields (victims, categories,
    intended effects, affected assets, discovery methods, reporter,
    responders, coordinators, external ids, impact assessment, information
    source, security compromise) are assigned only when the binding has a
    truthy value; the remaining fields are assigned unconditionally.
    """
    if not obj:
        return None
    inc = return_obj if return_obj else cls()

    inc.id_ = obj.get_id()
    inc.idref = obj.get_idref()
    inc.timestamp = obj.get_timestamp()

    if isinstance(obj, cls._binding_class):
        inc.version = obj.get_version() or cls._version
        inc.title = obj.get_Title()
        inc.description = StructuredText.from_obj(obj.get_Description())
        inc.short_description = StructuredText.from_obj(obj.get_Short_Description())
        inc.time = Time.from_obj(obj.get_Time())

        # Optional list-valued elements: set only when present.
        victims = obj.get_Victim()
        if victims:
            inc.victims = list(map(Identity.from_obj, victims))
        categories = obj.get_Categories()
        if categories:
            inc.categories = list(map(IncidentCategory.from_obj, categories.get_Category()))
        effects = obj.get_Intended_Effect()
        if effects:
            inc.intended_effects = list(map(Statement.from_obj, effects))
        assets = obj.get_Affected_Assets()
        if assets:
            inc.affected_assets = list(map(AffectedAsset.from_obj, assets.get_Affected_Asset()))
        methods = obj.get_Discovery_Method()
        if methods:
            inc.discovery_methods = list(map(DiscoveryMethod.from_obj, methods))
        responders = obj.get_Responder()
        if responders:
            inc.responders = list(map(InformationSource.from_obj, responders))
        coordinators = obj.get_Coordinator()
        if coordinators:
            inc.coordinators = list(map(InformationSource.from_obj, coordinators))
        ext_ids = obj.get_External_ID()
        if ext_ids:
            inc.external_ids = list(map(ExternalID.from_obj, ext_ids))

        # Optional single-valued elements: set only when present.
        reporter = obj.get_Reporter()
        if reporter:
            inc.reporter = InformationSource.from_obj(reporter)
        impact = obj.get_Impact_Assessment()
        if impact:
            inc.impact_assessment = ImpactAssessment.from_obj(impact)
        info_source = obj.get_Information_Source()
        if info_source:
            inc.information_source = InformationSource.from_obj(info_source)
        compromise = obj.get_Security_Compromise()
        if compromise:
            inc.security_compromise = SecurityCompromise.from_obj(compromise)

        # Unconditional fields.
        inc.coa_taken = list(map(COATaken.from_obj, obj.get_COA_Taken()))
        inc.confidence = Confidence.from_obj(obj.get_Confidence())
        inc.attributed_threat_actors = AttributedThreatActors.from_obj(obj.get_Attributed_Threat_Actors())
        inc.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
        inc.related_observables = RelatedObservables.from_obj(obj.get_Related_Observables())
        inc.leveraged_ttps = LeveragedTTPs.from_obj(obj.get_Leveraged_TTPs())
        inc.related_incidents = RelatedIncidents.from_obj(obj.get_Related_Incidents())
        inc.status = VocabString.from_obj(obj.get_Status())
        inc.handling = Marking.from_obj(obj.get_Handling())
        inc.history = History.from_obj(obj.get_History())
    return inc
def from_dict(cls, dict_repr, return_obj=None):
    """Populate a Resource-style object (tools, infrastructure, personas) from a dict.

    Returns None for an empty/None ``dict_repr``. ``tools`` and ``personas``
    default to empty lists; ``infrastructure`` is None when its key is
    missing.
    """
    if not dict_repr:
        return None
    target = return_obj if return_obj else cls()
    get = dict_repr.get

    target.tools = list(map(ToolInformation.from_dict, get('tools', [])))
    target.infrastructure = Infrastructure.from_dict(get('infrastructure'))
    target.personas = list(map(Identity.from_dict, get('personas', [])))
    return target
def buildSTIX(ident, confid, restconfid, effect, resteffect, typeIncident, resttype, asset, restasset, hashPkg):
    """Assemble a STIXPackage holding one Incident from the supplied fields.

    Field routing (an implementation workaround kept from the original):
      restconfid -> stix_header.description
      resteffect -> breach.description
      resttype   -> breach.reporter.description
      restasset  -> breach.reporter.identity.name
    ident, confid, effect, typeIncident, asset and hashPkg feed the incident
    id, confidence value, impact effect, binding xml_type, affected-asset
    type and victim respectively. Progress is echoed with print().

    Returns:
        STIXPackage with the incident added.
    """
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = restconfid
    stix_package.stix_header = stix_header

    breach = Incident(id_=ident)
    breach.description = resteffect
    breach.confidence = Confidence()
    breach.confidence.value = confid
    print("confidence set to %s" % (str(breach.confidence.value)))

    # _binding_class is a class attribute shared by every Incident, so this
    # assignment changes xml_type for all incidents serialized later in the
    # process, not only for this one.
    breach._binding_class.xml_type = typeIncident
    print("incident set to %s" % (str(breach._binding_class.xml_type)))

    # Reporter: description, submission time and identity.
    reporter = InformationSource()
    reporter.description = resttype
    reporter.time = Time()
    reporter.time.produced_time = datetime.strptime("2014-03-11", "%Y-%m-%d")
    reporter.identity = Identity()
    reporter.identity.name = restasset
    breach.reporter = reporter

    # Incident-phase timestamps (fixed sample dates).
    breach.time = incidentTime()
    breach.title = "Breach of Company Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")

    affected_asset = AffectedAsset()
    affected_asset.description = "Database server at hr-data1.example.com"
    affected_asset.type_ = asset
    # A single AffectedAsset is assigned to the list-valued field, as in the original.
    breach.affected_assets = affected_asset

    breach.add_victim(hashPkg)

    impact = ImpactAssessment()
    impact.add_effect(effect)
    breach.impact_assessment = impact

    stix_package.add_incident(breach)
    return stix_package
def from_obj(cls, obj, return_obj=None):
    """Populate an Incident from its binding object (attribute style).

    Returns None for a falsy ``obj``. id/idref/timestamp are always copied;
    everything else only when ``obj`` is an instance of
    ``cls._binding_class``. Optional elements are assigned only when the
    binding attribute is truthy; the remaining fields unconditionally.
    ``version`` is copied as-is (no default).
    """
    if not obj:
        return None
    inc = return_obj if return_obj else cls()

    inc.id_ = obj.id
    inc.idref = obj.idref
    inc.timestamp = obj.timestamp

    if isinstance(obj, cls._binding_class):
        inc.version = obj.version
        inc.title = obj.Title
        inc.description = StructuredText.from_obj(obj.Description)
        inc.short_description = StructuredText.from_obj(obj.Short_Description)
        inc.time = Time.from_obj(obj.Time)

        # Optional list-valued elements.
        if obj.Victim:
            inc.victims = list(map(Identity.from_obj, obj.Victim))
        if obj.Categories:
            inc.categories = list(map(IncidentCategory.from_obj, obj.Categories.Category))
        if obj.Intended_Effect:
            inc.intended_effects = list(map(Statement.from_obj, obj.Intended_Effect))
        if obj.Affected_Assets:
            inc.affected_assets = list(map(AffectedAsset.from_obj, obj.Affected_Assets.Affected_Asset))
        if obj.Discovery_Method:
            inc.discovery_methods = list(map(DiscoveryMethod.from_obj, obj.Discovery_Method))
        if obj.Responder:
            inc.responders = list(map(InformationSource.from_obj, obj.Responder))
        if obj.Coordinator:
            inc.coordinators = list(map(InformationSource.from_obj, obj.Coordinator))
        if obj.External_ID:
            inc.external_ids = list(map(ExternalID.from_obj, obj.External_ID))

        # Optional single-valued elements.
        if obj.Reporter:
            inc.reporter = InformationSource.from_obj(obj.Reporter)
        if obj.Impact_Assessment:
            inc.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment)
        if obj.Information_Source:
            inc.information_source = InformationSource.from_obj(obj.Information_Source)
        if obj.Security_Compromise:
            inc.security_compromise = SecurityCompromise.from_obj(obj.Security_Compromise)

        # Unconditional fields.
        inc.coa_taken = list(map(COATaken.from_obj, obj.COA_Taken))
        inc.confidence = Confidence.from_obj(obj.Confidence)
        inc.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
        inc.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
        inc.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
        inc.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
        inc.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
        inc.status = VocabString.from_obj(obj.Status)
        inc.handling = Marking.from_obj(obj.Handling)
        inc.history = History.from_obj(obj.History)
    return inc
def to_stix_sightings(obj):
    """Build a STIX Sighting whose source lists every recorded sighting as a contributor.

    When ``obj.sightings.sighting`` is truthy, the organisation's own sighting
    (``settings.COMPANY_NAME`` at ``obj.sightings.date``) is added first;
    each entry of ``obj.sightings.instances`` then contributes its own name
    and date.
    """
    from stix.indicator.sightings import Sighting
    from stix.common import InformationSource, Identity

    sighting = Sighting()
    sighting.source = InformationSource()

    if obj.sightings.sighting:
        own = InformationSource()
        own.time = Time(obj.sightings.date)
        own.identity = Identity(name=settings.COMPANY_NAME)
        sighting.source.add_contributing_source(own)

    for instance in obj.sightings.instances:
        contributor = InformationSource()
        contributor.time = Time(instance.date)
        contributor.identity = Identity(name=instance.name)
        sighting.source.add_contributing_source(contributor)
    return sighting
def from_dict(cls, dict_repr, return_obj=None):
    """Populate a VictimTargeting object from its dict representation.

    Returns None for an empty/None ``dict_repr``. The two VocabString lists
    default to empty; ``identity`` and ``targeted_technical_details`` are
    None when their keys are missing.
    """
    if not dict_repr:
        return None
    target = return_obj if return_obj else cls()
    get = dict_repr.get

    target.identity = Identity.from_dict(get('identity'))
    target.targeted_systems = list(map(VocabString.from_dict, get('targeted_systems', [])))
    target.targeted_information = list(map(VocabString.from_dict, get('targeted_information', [])))
    target.targeted_technical_details = Observables.from_dict(get('targeted_technical_details'))
    return target
def genData_VictimTargeting(data):
    """Build a VictimTargeting for the victim named in ``data['target']``.

    The targeting itself is fixed: targeted system type "Users" and
    targeted information "user credentials".
    """
    from stix.common.vocabs import InformationType, SystemType
    from stix.common.identity import Identity
    from stix.ttp.victim_targeting import VictimTargeting

    targeting = VictimTargeting()
    targeting.identity = Identity(name=data['target'])
    targeting.targeted_systems = [SystemType.TERM_USERS]
    # NOTE(review): a bare term is assigned here while targeted_systems gets a
    # list; kept as-is on the assumption the stix typed field wraps it -- confirm.
    targeting.targeted_information = InformationType.TERM_INFORMATION_ASSETS_USER_CREDENTIALS
    return targeting
def from_obj(cls, obj, return_obj=None):
    """Fill a VictimTargeting-style object from its XML binding object.

    Returns None for a falsy ``obj``; otherwise converts the Identity,
    Targeted_Technical_Details, Targeted_Systems and Targeted_Information
    elements with their respective ``from_obj`` helpers and returns
    ``return_obj`` (a fresh ``cls()`` when not given).
    """
    if not obj:
        return None
    target = return_obj or cls()

    # (attribute on the result, converter, binding element) -- applied in order.
    conversions = (
        ('identity', Identity, obj.Identity),
        ('targeted_technical_details', Observables, obj.Targeted_Technical_Details),
        ('targeted_systems', TargetedSystems, obj.Targeted_Systems),
        ('targeted_information', TargetedInformation, obj.Targeted_Information),
    )
    for attr, converter, element in conversions:
        setattr(target, attr, converter.from_obj(element))
    return target
def create_stix_identity(self, obj):
    """Return a STIX Identity for the group that created ``obj``.

    The identity id is derived from the group's UUID.  The first time a
    group is seen a full Identity (id + name) is returned and the id is
    remembered in ``self.seen_groups``; later calls for the same group
    return an idref-only Identity pointing back at the first one.
    """
    group = obj.creator_group
    group_id = 'ce1sus:Group-{0}'.format(group.uuid)
    identity = Identity()
    if group_id in self.seen_groups:
        # Already emitted once in this package: reference it, don't repeat it.
        identity.idref = group_id
        return identity
    identity.id_ = group_id
    identity.name = group.name
    self.seen_groups.append(group_id)
    return identity
def from_dict(cls, dict_repr, return_obj=None):
    """Fill a ThreatActor-style object from its dict representation.

    Returns None for a falsy ``dict_repr``.  Scalar fields are copied as-is,
    the five Statement lists default to empty when their key is missing, and
    the remaining nested structures go through their own ``from_dict``.
    Returns ``return_obj`` (a fresh ``cls()`` when not given).
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()
    get = dict_repr.get

    # Scalars: (attribute, dict key) -- note the id attribute is spelled id_.
    for attr, key in (('id_', 'id'), ('idref', 'idref'), ('timestamp', 'timestamp'),
                      ('version', 'version'), ('title', 'title')):
        setattr(return_obj, attr, get(key))

    return_obj.description = StructuredText.from_dict(get('description'))
    return_obj.short_description = StructuredText.from_dict(get('short_description'))
    return_obj.identity = Identity.from_dict(get('identity'))

    # Statement-valued lists share one key/attribute name.
    for key in ('types', 'motivations', 'sophistications', 'intended_effects',
                'planning_and_operational_supports'):
        setattr(return_obj, key, [Statement.from_dict(x) for x in get(key, [])])

    return_obj.observed_ttps = ObservedTTPs.from_dict(get('observed_ttps'))
    return_obj.associated_campaigns = AssociatedCampaigns.from_dict(get('associated_campaigns'))
    return_obj.associated_actors = AssociatedActors.from_dict(get('associated_actors'))
    return_obj.handling = Marking.from_dict(get('handling'))
    return_obj.confidence = Confidence.from_dict(get('confidence'))
    return_obj.information_source = InformationSource.from_dict(get('information_source'))
    return_obj.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))
    return return_obj
def from_dict(cls, dict_repr, return_obj=None):
    """Fill a VictimTargeting-style object from its dict representation.

    Returns None for a falsy ``dict_repr``; otherwise converts the
    ``identity``, ``targeted_systems``, ``targeted_information`` and
    ``targeted_technical_details`` entries and returns ``return_obj``
    (a fresh ``cls()`` when not given).
    """
    if not dict_repr:
        return None
    target = return_obj or cls()
    lookup = dict_repr.get

    target.identity = Identity.from_dict(lookup('identity'))
    target.targeted_systems = TargetedSystems.from_dict(lookup('targeted_systems'))
    target.targeted_information = TargetedInformation.from_dict(lookup('targeted_information'))
    target.targeted_technical_details = Observables.from_dict(lookup('targeted_technical_details'))
    return target
def from_obj(cls, obj, return_obj=None):
    """Fill a Resource-style object (infrastructure, tools, personas) from its binding.

    Returns None for a falsy ``obj``.  ``Infrastructure`` is always converted;
    ``tools`` and ``personas`` are only assigned when the corresponding
    container element is present.  Returns ``return_obj`` (a fresh ``cls()``
    when not given).
    """
    if not obj:
        return None
    target = return_obj or cls()

    target.infrastructure = Infrastructure.from_obj(obj.Infrastructure)
    tools = obj.Tools
    if tools:
        target.tools = [ToolInformation.from_obj(tool) for tool in tools.Tool]
    personas = obj.Personas
    if personas:
        target.personas = [Identity.from_obj(persona) for persona in personas.Persona]
    return target
def from_obj(cls, obj, return_obj=None):
    """Fill a VictimTargeting-style object from its XML binding object.

    Returns None for a falsy ``obj``.  Identity and technical details are
    always converted; the two vocab lists are only assigned when the
    binding has entries for them.  Returns ``return_obj`` (a fresh
    ``cls()`` when not given).
    """
    if not obj:
        return None
    target = return_obj or cls()

    def vocab_list(elements):
        return [VocabString.from_obj(element) for element in elements]

    target.identity = Identity.from_obj(obj.Identity)
    target.targeted_technical_details = Observables.from_obj(obj.Targeted_Technical_Details)
    if obj.Targeted_Systems:
        target.targeted_systems = vocab_list(obj.Targeted_Systems)
    if obj.Targeted_Information:
        target.targeted_information = vocab_list(obj.Targeted_Information)
    return target
def from_obj(cls, obj, return_obj=None):
    """Fill a VictimTargeting-style object from a binding with ``get_*`` accessors.

    Returns None for a falsy ``obj``.  Identity and technical details are
    always converted; the two vocab lists are only assigned when the
    accessor returns something truthy.  Returns ``return_obj`` (a fresh
    ``cls()`` when not given).
    """
    if not obj:
        return None
    target = return_obj or cls()

    target.identity = Identity.from_obj(obj.get_Identity())
    target.targeted_technical_details = Observables.from_obj(
        obj.get_Targeted_Technical_Details())

    systems = obj.get_Targeted_Systems()
    if systems:
        target.targeted_systems = [VocabString.from_obj(entry) for entry in systems]
    information = obj.get_Targeted_Information()
    if information:
        target.targeted_information = [VocabString.from_obj(entry) for entry in information]
    return target
def from_obj(cls, obj, return_obj=None):
    """Fill a VictimTargeting-style object from its XML binding object.

    Returns None for a falsy ``obj``; otherwise the Identity,
    Targeted_Technical_Details, Targeted_Systems and Targeted_Information
    elements are converted with their own ``from_obj`` and ``return_obj``
    (a fresh ``cls()`` when not given) is returned.
    """
    if not obj:
        return None
    if return_obj is None or not return_obj:
        return_obj = cls()

    identity = Identity.from_obj(obj.Identity)
    details = Observables.from_obj(obj.Targeted_Technical_Details)
    systems = TargetedSystems.from_obj(obj.Targeted_Systems)
    information = TargetedInformation.from_obj(obj.Targeted_Information)

    return_obj.identity = identity
    return_obj.targeted_technical_details = details
    return_obj.targeted_systems = systems
    return_obj.targeted_information = information
    return return_obj
def _buildttp(data):
    """Turn one CAPEC record into a STIX TTP.

    ``data`` is a dict with ``id`` (numeric CAPEC id), ``name``,
    ``description`` and ``references``.  The name and description are used
    both for the TTP and for its single AttackPattern; the information
    source is fixed to "The MITRE Corporation" with the record's references.
    """
    name = data['name']
    description = data['description']

    pattern = AttackPattern()
    pattern.capec_id = "CAPEC-{0}".format(data['id'])
    pattern.title = name
    pattern.description = description

    ttp = TTP()
    ttp.title = name
    ttp.description = description
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(pattern)

    ttp.information_source = InformationSource()
    ttp.information_source.identity = Identity()
    ttp.information_source.identity.name = "The MITRE Corporation"
    ttp.information_source.references = data['references']
    return ttp
def to_stix_information_source(obj):
    """Aggregate every recorded source instance of ``obj`` into one InformationSource.

    For each entry in ``obj.source`` and each of its ``instances`` a
    contributing source is added carrying the instance date, an Identity
    named after the source, and the instance's reference and method as
    two descriptions.
    """
    from stix.common import InformationSource, Identity

    aggregate = InformationSource()
    for source in obj.source:
        for instance in source.instances:
            contributor = InformationSource()
            contributor.time = Time(instance.date)
            contributor.identity = Identity(name=source.name)
            # Reference and collection method are both kept as free-text descriptions.
            contributor.add_description(instance.reference)
            contributor.add_description(instance.method)
            aggregate.add_contributing_source(contributor)
    return aggregate
def set_producer_identity(self, identity):
    """Record who produced this indicator.

    ``identity`` may be an ``Identity`` instance, which replaces the
    producer's identity outright, or a plain name, which becomes the
    ``name`` of the producer's identity.  The ``InformationSource`` and
    ``Identity`` objects are created on demand when missing.
    """
    if not self.producer:
        self.producer = InformationSource()

    if isinstance(identity, Identity):
        self.producer.identity = identity
        return

    # Anything else is treated as a name string.
    if not self.producer.identity:
        self.producer.identity = Identity()
    self.producer.identity.name = identity
def from_dict(cls, dict_repr, return_obj=None):
    """Fill a VictimTargeting-style object from its dict representation.

    Returns None for a falsy ``dict_repr``; otherwise each known key is
    converted by its class and set on ``return_obj`` (a fresh ``cls()``
    when not given), which is then returned.
    """
    if not dict_repr:
        return None
    target = return_obj or cls()
    lookup = dict_repr.get

    # (attribute / dict key, converter) -- the key and attribute share a name.
    fields = (
        ('identity', Identity),
        ('targeted_systems', TargetedSystems),
        ('targeted_information', TargetedInformation),
        ('targeted_technical_details', Observables),
    )
    for name, converter in fields:
        setattr(target, name, converter.from_dict(lookup(name)))
    return target
def from_obj(cls, obj, return_obj=None):
    """Fill a ThreatActor-style object from a binding with ``get_*`` accessors.

    Returns None for a falsy ``obj``.  id/idref/timestamp are always
    copied; the ThreatActorType-specific fields are only read when ``obj``
    is an instance of ``cls._binding_class``.  A missing version falls
    back to ``cls._version``.  Returns ``return_obj`` (a fresh ``cls()``
    when not given).
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()

    if not isinstance(obj, cls._binding_class):
        return return_obj

    # ThreatActorType properties
    return_obj.version = obj.get_version() or cls._version
    return_obj.title = obj.get_Title()
    return_obj.description = StructuredText.from_obj(obj.get_Description())
    return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
    return_obj.identity = Identity.from_obj(obj.get_Identity())

    # Statement-valued lists: (attribute, binding elements), in assignment order.
    statement_lists = (
        ('types', obj.get_Type()),
        ('motivations', obj.get_Motivation()),
        ('sophistications', obj.get_Sophistication()),
        ('intended_effects', obj.get_Intended_Effect()),
        ('planning_and_operational_supports', obj.get_Planning_And_Operational_Support()),
    )
    for attr, elements in statement_lists:
        setattr(return_obj, attr, [Statement.from_obj(x) for x in elements])

    return_obj.observed_ttps = ObservedTTPs.from_obj(obj.get_Observed_TTPs())
    return_obj.associated_campaigns = AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns())
    return_obj.associated_actors = AssociatedActors.from_obj(obj.get_Associated_Actors())
    return_obj.handling = Marking.from_obj(obj.get_Handling())
    return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
    return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
    return_obj.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())
    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Fill a ThreatActor from its XML binding object.

    Returns None for a falsy ``obj``.  The base-class ``from_obj`` handles
    the shared fields first; the ThreatActorType-specific fields are then
    read only when ``obj`` is an instance of ``cls._binding_class``.
    Returns ``return_obj`` (a fresh ``cls()`` when not given).
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    super(ThreatActor, cls).from_obj(obj, return_obj=return_obj)

    if isinstance(obj, cls._binding_class):
        # ThreatActorType properties: (attribute, converter, binding element).
        conversions = (
            ('identity', Identity, obj.Identity),
            ('types', _Types, obj.Type),
            ('motivations', _Motivations, obj.Motivation),
            ('sophistications', _Sophistications, obj.Sophistication),
            ('intended_effects', _IntendedEffects, obj.Intended_Effect),
            ('planning_and_operational_supports', _PlanningAndOperationalSupports,
             obj.Planning_And_Operational_Support),
            ('observed_ttps', ObservedTTPs, obj.Observed_TTPs),
            ('associated_campaigns', AssociatedCampaigns, obj.Associated_Campaigns),
            ('associated_actors', AssociatedActors, obj.Associated_Actors),
            ('confidence', Confidence, obj.Confidence),
            ('related_packages', RelatedPackageRefs, obj.Related_Packages),
        )
        for attr, converter, element in conversions:
            setattr(return_obj, attr, converter.from_obj(element))
    return return_obj
def from_dict(cls, dict_repr, return_obj=None):
    """Fill an Incident-style object from its dict representation.

    Returns None for a falsy ``dict_repr``.  Scalars are copied as-is
    (``version`` defaults to ``cls._version``), list-valued keys default
    to empty lists, and nested structures go through their own
    ``from_dict``.  Returns ``return_obj`` (a fresh ``cls()`` when not given).
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()
    get = dict_repr.get

    def many(key, converter):
        # List-valued entry; a missing key yields an empty list.
        return [converter.from_dict(x) for x in get(key, [])]

    return_obj.id_ = get('id')
    return_obj.idref = get('idref')
    return_obj.timestamp = get('timestamp')
    return_obj.version = get('version', cls._version)
    return_obj.title = get('title')
    return_obj.description = StructuredText.from_dict(get('description'))
    return_obj.short_description = StructuredText.from_dict(get('short_description'))
    return_obj.time = Time.from_dict(get('time'))
    return_obj.victims = many('victims', Identity)
    return_obj.categories = many('categories', IncidentCategory)
    return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(
        get('attributed_threat_actors'))
    return_obj.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
    return_obj.related_observables = RelatedObservables.from_dict(get('related_observables'))
    return_obj.intended_effects = many('intended_effects', Statement)
    return_obj.leveraged_ttps = LeveragedTTPs.from_dict(get('leveraged_ttps'))
    return_obj.affected_assets = many('affected_assets', AffectedAsset)
    return return_obj
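def _build_header():
    """Return the STIXHeader: title/intent, Shadowserver ToS marking and author info."""
    stix_header = STIXHeader()
    stix_header.title = "Bot Server IP addresses"
    stix_header.description = "IP addresses connecting to bot control servers at a given port"
    stix_header.add_package_intent("Indicators - Watchlist")

    # Handling marking: anyone consuming this feed accepts Shadowserver's Terms of Service.
    mark = Marking()
    markspec = MarkingSpecification()
    markstruct = SimpleMarkingStructure()
    markstruct.statement = "Usage of this information, including integration into security mechanisms implies agreement with the Shadowserver Terms of Service available at https://www.shadowserver.org/wiki/pmwiki.php/Shadowserver/TermsOfService"
    markspec.marking_structures.append(markstruct)
    mark.add_marking(markspec)
    stix_header.handling = mark

    # Author info: this tool only transforms the format; Shadowserver is the
    # originating publisher and is recorded as a contributing source.
    stix_header.information_source = InformationSource()
    stix_header.information_source.time = Time()
    # Timezone-aware production time, so the serialised timestamp is unambiguous.
    stix_header.information_source.time.produced_time = datetime.now(tzutc())
    stix_header.information_source.tools = ToolInformationList()
    stix_header.information_source.tools.append("ShadowBotnetIP-STIXParser")
    stix_header.information_source.identity = Identity()
    stix_header.information_source.identity.name = "MITRE STIX Team"
    stix_header.information_source.add_role(VocabString("Format Transformer"))

    src = InformationSource()
    src.description = "https://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP"
    srcident = Identity()
    srcident.name = "shadowserver.org"
    src.identity = srcident
    src.add_role(VocabString("Originating Publisher"))
    stix_header.information_source.add_contributing_source(src)
    return stix_header


def _split_row(row):
    """Split the multi-valued Shadowserver columns of one CSV row into parallel lists.

    The columns are positional: entry ``i`` of each list belongs to IP ``i``
    (port and channel are shared by the whole row).  Delimiters differ per
    column (whitespace vs. ``|``), which the split calls mirror.

    Returns ``(ips, columns)`` where ``columns`` maps the CSV column name to
    its list.  Raises ValueError, naming the channel and column, when a
    column has fewer entries than there are IPs -- otherwise that would
    surface only as a bare IndexError deep inside the emit loop.
    """
    ips = row['IP Address'].split()
    columns = {
        'Domain': row['Domain'].split(),
        'Country': row['Country'].split(),
        'Region': row['Region'].split('|'),
        'State': row['State'].split('|'),
        'ASN': row['ASN'].split(),
        'AS Name': row['AS Name'].split(),
    }
    for name, values in columns.items():
        if len(values) < len(ips):
            raise ValueError(
                "channel %r: column %r has %d entries for %d IP addresses"
                % (row['Channel'], name, len(values), len(ips)))
    return ips, columns


def _add_row(stix_package, bot_ttp, row):
    """Add one indicator per IP in ``row`` plus its domain, whois and ASN observables.

    Field values from the feed are placed into the package as-is; escaping
    for the XML output is left to the stix library's serialiser.
    """
    ips, columns = _split_row(row)
    for index, ip in enumerate(ips):
        indicator = Indicator()
        indicator.title = "IP indicator for " + row['Channel']
        indicator.description = "Bot connecting to control server"
        # Every indicator points at the single shared "Botnet C2" TTP by reference.
        indicator.add_indicated_ttp(TTP(idref=bot_ttp.id_))

        # The observed address; the sighting references it rather than inlining it.
        sock = SocketAddress()
        sock.ip_address = ip
        sight = Sighting()
        # NOTE(review): the columns read here carry no observation time, so the
        # sighting timestamp is left empty as in the original script -- confirm
        # whether the feed offers one that should be used instead.
        sight.timestamp = ""
        obs = Observable(item=sock.ip_address)
        sight.related_observables.append(Observable(idref=obs.id_))
        indicator.sightings.append(sight)
        stix_package.add_observable(obs)

        # Indicator pattern: exact match on both IP and port.
        sock_pattern = SocketAddress()
        sock_pattern.ip_address = ip
        port = Port()
        port.port_value = row['Port']
        sock_pattern.port = port
        sock_pattern.ip_address.condition = "Equals"
        sock_pattern.port.port_value.condition = "Equals"
        indicator.add_object(sock_pattern)
        stix_package.add_indicator(indicator)

        # Domain that resolved to this IP.
        domain_obj = DomainName()
        domain_obj.value = columns['Domain'][index]
        domain_obj.add_related(sock.ip_address, "Resolved_To", inline=False)
        stix_package.add_observable(domain_obj)

        # Registrar record.  The address parts are joined with separators
        # (the original glued state, region and country into one token).
        whois_obj = WhoisEntry()
        registrar = WhoisRegistrar()
        registrar.name = columns['AS Name'][index]
        registrar.address = ", ".join(
            part for part in (columns['State'][index],
                              columns['Region'][index],
                              columns['Country'][index])
            if part)
        whois_obj.registrar_info = registrar
        whois_obj.add_related(sock.ip_address, "Characterizes", inline=False)
        stix_package.add_observable(whois_obj)

        # Autonomous system that contains the IP.
        asn_obj = AutonomousSystem()
        asn_obj.name = columns['AS Name'][index]
        asn_obj.number = columns['ASN'][index]
        asn_obj.handle = "AS" + columns['ASN'][index]
        asn_obj.add_related(sock.ip_address, "Contains", inline=False)
        stix_package.add_observable(asn_obj)


def main():
    """Parse a Shadowserver botnet CSV (``--infile``) and print a STIX package to stdout."""
    parser = argparse.ArgumentParser(
        description="Parse a given CSV from Shadowserver and output STIX XML to stdout",
        formatter_class=argparse.ArgumentDefaultsHelpFormatter)
    parser.add_argument("--infile", "-f", help="input CSV with bot data", default="bots.csv")
    args = parser.parse_args()

    stix_package = STIXPackage()
    stix_package.stix_header = _build_header()

    # One TTP shared by every indicator in the package.
    bot_ttp = TTP()
    bot_ttp.title = 'Botnet C2'
    bot_ttp.resources = Resource()
    bot_ttp.resources.infrastructure = Infrastructure()
    bot_ttp.resources.infrastructure.title = 'Botnet C2'
    stix_package.add_ttp(bot_ttp)

    # "rb" is kept from the original: this script targets Python 2 (see the
    # print statement it used), where csv wants a binary-mode file.  The
    # context manager closes the file on every path, including errors.
    with open(args.infile, "rb") as fd:
        for row in csv.DictReader(fd):
            _add_row(stix_package, bot_ttp, row)

    print(stix_package.to_xml())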
def stix(json): """ Created a stix file based on a json file that is being handed over """ # Create a new STIXPackage stix_package = STIXPackage() # Create a new STIXHeader stix_header = STIXHeader() # Add Information Source. This is where we will add the tool information. stix_header.information_source = InformationSource() # Create a ToolInformation object. Use the initialization parameters # to set the tool and vendor names. # # Note: This is an instance of cybox.common.ToolInformation and NOT # stix.common.ToolInformation. tool = ToolInformation( tool_name="viper2stix", tool_vendor="The Viper group http://viper.li - developed by Alexander Jaeger https://github.com/deralexxx/viper2stix" ) #Adding your identity to the header identity = Identity() identity.name = Config.get('stix', 'producer_name') stix_header.information_source.identity=identity # Set the Information Source "tools" section to a # cybox.common.ToolInformationList which contains our tool that we # created above. stix_header.information_source.tools = ToolInformationList(tool) stix_header.title = Config.get('stix', 'title') # Set the produced time to now stix_header.information_source.time = Time() stix_header.information_source.time.produced_time = datetime.now() marking_specification = MarkingSpecification() marking_specification.controlled_structure = "../../../descendant-or-self::node()" tlp = TLPMarkingStructure() tlp.color = Config.get('stix', 'TLP') marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) # Set the header description stix_header.description = Config.get('stix', 'description') # Set the STIXPackage header stix_package.stix_header = stix_header stix_package.stix_header.handling = handling try: pp = pprint.PrettyPrinter(indent=5) pp.pprint(json['default']) #for key, value in json['default'].iteritems(): # print key, value for item in json['default']: #logger.debug("item %s", item) indicator = Indicator() 
indicator.title = "File Hash" indicator.description = ( "An indicator containing a File observable with an associated hash" ) # Create a CyboX File Object f = File() sha_value = item['sha256'] if sha_value is not None: sha256 = Hash() sha256.simple_hash_value = sha_value h = Hash(sha256, Hash.TYPE_SHA256) f.add_hash(h) sha1_value = item['sha1'] if sha_value is not None: sha1 = Hash() sha1.simple_hash_value = sha1_value h = Hash(sha1, Hash.TYPE_SHA1) f.add_hash(h) sha512_value = item['sha512'] if sha_value is not None: sha512 = Hash() sha512.simple_hash_value = sha512_value h = Hash(sha512, Hash.TYPE_SHA512) f.add_hash(h) f.add_hash(item['md5']) #adding the md5 hash to the title as well stix_header.title+=' '+item['md5'] #print(item['type']) f.size_in_bytes=item['size'] f.file_format=item['type'] f.file_name = item['name'] indicator.description = "File hash served by a Viper instance" indicator.add_object(f) stix_package.add_indicator(indicator) except Exception, e: logger.error('Error: %s',format(e)) return False