    def _make_stix_package_for_attached_file(self, file_, feed):
        """Wrap one attached file into its own STIXPackage.

        The file body is read from ``file_.file_path``, base64-encoded and
        carried in a marking statement on the package header, alongside a
        second marking statement holding ``file_.file_name``.  The package
        has no indicators or other components; the caller links it to the
        feed's main package as a related package.

        Args:
            file_: attachment record exposing ``file_path`` and ``file_name``.
            feed: feed the attachment belongs to; supplies the header
                markings and the user timezone used for the timestamp.

        Returns:
            STIXPackage whose header carries the encoded attachment.

        Raises:
            OSError: if the file at ``file_.file_path`` cannot be opened/read.
        """
        package_id = self.generator.create_id(prefix='Package')

        # NOTE: the whole file is read into memory and grows ~4/3 in base64;
        # any size limit has to be enforced by the upload path, not here.
        with open(file_.file_path, 'rb') as stream:
            encoded_body = base64.b64encode(stream.read()).decode('utf-8')

        body_marking = self._make_marking_specification_statement(
            MARKING_STRUCTURE_STIP_ATTACHEMENT_CONTENT_PREFIX, encoded_body)
        name_marking = self._make_marking_specification_statement(
            MARKING_STRUCTURE_STIP_ATTACHEMENT_FILENAME_PREFIX, file_.file_name)

        header = STIXHeader()
        header.handling = self._get_stix_header_marking(feed)
        for marking in (body_marking, name_marking):
            header.handling.add_marking(marking)
        # Title/description are derived from the (user-supplied) file name.
        header.title = file_.file_name
        header.description = 'File "%s" encoded in BASE64.' % (file_.file_name)
        header.information_source = self._make_information_source()

        package = STIXPackage(id_=package_id)
        package.timestamp = datetime.datetime.now(
            tz=pytz.timezone(feed.user.timezone))
        package.stix_header = header
        return package
 def _make_stix_package(self, origin_feed, post, creator=None):
     """Build the STIXPackage for a comment (``post``) on ``origin_feed``.

     The package carries only a header (built by ``_get_stix_header``) and a
     Related Package reference back to ``origin_feed.package_id`` so that
     the comment can be tied to the package it was made on.

     Args:
         origin_feed: feed being commented on; supplies the user timezone
             for the timestamp and the package id to relate to.
         post: the comment content handed to ``_get_stix_header``.
         creator: optional creator passed through to ``_get_stix_header``.

     Returns:
         STIXPackage for the comment.
     """
     package = STIXPackage(id_=self.generator.create_id(prefix='Package'))
     user_tz = pytz.timezone(origin_feed.user.timezone)
     package.timestamp = datetime.datetime.now(tz=user_tz)
     package.stix_header = self._get_stix_header(origin_feed, post, creator)
     # Point back at the package this comment belongs to.
     package.add_related_package(origin_feed.package_id)
     return package
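    def _make_stix_package(self, feed, indicators=None, ttps=None, tas=None):
        """Build the main STIXPackage for ``feed`` from web-UI JSON input.

        Indicators and exploit targets are converted with
        ``CommonExtractor``; entries the extractor cannot convert (returns
        ``None``) are dropped.  Threat actors are resolved by name: via
        CrowdStrike when both API credentials are configured, falling back
        to ATT&CK; names unknown to both sources are skipped rather than
        added as ``None``.  Every attached file of the feed becomes its own
        package (see ``_make_stix_package_for_attached_file``), which is
        appended to ``self.attachment_files`` and referenced from this
        package as a Related Package.

        Args:
            feed: feed to package; supplies the header, the user timezone
                and the attachments (``feed.files``).
            indicators: list of indicator JSON dicts from the web UI, or
                ``None`` for none.
            ttps: list of TTP JSON dicts converted to ExploitTargets, or
                ``None``.
            tas: list of threat-actor JSON dicts, each with a ``'value'``
                key holding the actor name, or ``None``.

        Returns:
            The assembled STIXPackage.

        Raises:
            KeyError: if a threat-actor entry lacks the ``'value'`` key
                (malformed UI input is rejected rather than silently dropped).

        Note:
            ``self.attachment_files`` accumulates across calls; the caller
            is responsible for consuming/resetting it.
        """
        # Mutable defaults ([]) would be shared across calls; use None.
        indicators = [] if indicators is None else indicators
        ttps = [] if ttps is None else ttps
        tas = [] if tas is None else tas

        user_timezone = pytz.timezone(feed.user.timezone)
        package_id = self.generator.create_id(prefix='Package')

        stix_package = STIXPackage(id_=package_id)
        stix_package.timestamp = datetime.datetime.now(tz=user_timezone)
        stix_package.stix_header = self._get_stix_header(feed)

        # Indicators from the web UI JSON; unconvertible entries are skipped.
        stix_indicators = Indicators()
        for indicator_json in indicators:
            indicator = CommonExtractor.get_indicator_from_json(
                indicator_json, user_timezone)
            if indicator is not None:
                stix_indicators.append(indicator)
        stix_package.indicators = stix_indicators

        # ExploitTargets from the TTP JSON; unconvertible entries are skipped.
        stix_exploit_targets = ExploitTargets()
        for ttp_json in ttps:
            et = CommonExtractor.get_exploit_target_from_json(ttp_json)
            if et is not None:
                stix_exploit_targets.append(et)
        stix_package.exploit_targets = stix_exploit_targets

        # CrowdStrike is only consulted when both credentials are configured;
        # evaluate that once instead of once per threat actor.
        use_crowd_strike = (SNSConfig.get_cs_custid() is not None
                            and SNSConfig.get_cs_custkey() is not None)
        for ta_json in tas:
            value = ta_json['value']
            ta = None
            if use_crowd_strike:
                ta = self.get_ta_from_crowd_strike(value)
            if ta is None:
                # Fallback (or sole source without CrowdStrike): ATT&CK.
                ta = self.get_ta_from_attck(value)
            if ta is None:
                # Unknown to every source; do not add a None actor.
                continue
            stix_package.add_threat_actor(ta)

        # One package per attachment, linked as a Related Package.
        for file_ in feed.files.all():
            attach_file_stix_package = self._make_stix_package_for_attached_file(
                file_, feed)
            self.attachment_files.append(attach_file_stix_package)
            stix_package.add_related_package(attach_file_stix_package.id_)
        return stix_package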