def setUpClass(cls):
    """Prepare the class-level fixtures shared by the marking-parser tests.

    Builds a STIX package holding a single sample indicator, instantiates a
    handful of CybOX objects, serialises the package to XML and hands the
    text to ``parser.MarkingParser``.  Everything is stored on ``cls``.

    NOTE(review): presumably decorated with ``@classmethod`` inside a test
    case class; neither the decorator nor the class is visible here.
    """
    sample = Indicator(
        title="Indicator 1",
        description="Description Indicator 1",
    )
    sample.alternative_id = "indicator:example1"
    sample.observables = generate_observable()

    cls.stix_package = package = STIXPackage()
    package.add_indicator(sample)

    # One default-constructed instance of each CybOX type under test.
    cybox_types = (
        address_object.Address,
        address_object.EmailAddress,
        disk_object.Disk,
        win_executable_file_object.DOSHeader,
        win_process_object.StartupInfo,
        network_packet_object.NetworkPacket,
    )
    cls.cybox = tuple(make() for make in cybox_types)

    # to_xml() output is decoded as UTF-8 before being wrapped in a text stream.
    xml_text = package.to_xml().decode("utf-8")
    cls.PARSER = parser.MarkingParser(StringIO(xml_text))

    # Failure-message template: {0} is the entity, {1} the missing field.
    cls.msg = "For entity {0}: {1} not found in _FIELDS dictionary."
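def _cdata_wrap(text):
    """Wrap *text* in a CDATA section without letting it end the section early."""
    # A literal "]]>" in the payload would terminate the section, and whatever
    # follows would then be read as markup.  Splitting the sequence across two
    # adjacent sections keeps those characters as plain data.
    # NOTE(review): presumably the STIX serializer emits CDATA-wrapped text
    # verbatim (that is the reason for wrapping at all) -- confirm.
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def genObject_Indicator(data):
    """Build a STIX ``Indicator`` from one PhishTank feed record.

    Every value read from ``data`` is feed-supplied and must be treated as
    untrusted: the URL in particular is chosen by whoever runs the phishing
    site.  Text placed inside a CDATA wrapper therefore goes through
    ``_cdata_wrap`` so it cannot close the section.

    Args:
        data: Mapping with the keys ``phish_id``, ``url``, ``target``,
            ``online``, ``verification_time``, ``phish_detail_url`` and
            ``verified``.  The values are concatenated with ``str``
            literals, so they are expected to be strings.

    Returns:
        An ``Indicator`` with title, description, short description and
        confidence filled in and the remaining listed fields cleared.

    Raises:
        KeyError: If one of the keys above is missing from ``data``.
    """
    from stix.indicator import Indicator

    title_prefix = "phishTank.com id:" + data['phish_id'] + " with malicious URL:"
    try:
        title = title_prefix + data['url']
    except (UnicodeError, TypeError):
        # Mixed or undecodable text in the URL: fall back to a placeholder.
        # (Was a bare ``except:``, which also swallowed KeyboardInterrupt.)
        title = title_prefix + "--[URL Not Displayed - Due to encoding issue]--"
    else:
        # Only mark the title as shortened when it really was shortened.
        if len(title) > 70:
            title = title[:70] + "..."

    description = (
        "This URL:[" + escape(data['url'])
        + "] was identified by phishtank.com as part of a phishing email"
    )
    target = data['target']
    if target and target != 'Other':
        description += " which appears to be targeting " + target
    # Close the first sentence in both cases; previously the period was
    # missing whenever a target was named.
    description += "."

    if data['online'] == 'yes':
        description += (" This URL appears to still be online as of "
                        + data['verification_time'] + ".")
    elif data['online'] == 'no':
        description += (" This URL appears to be offline as of "
                        + data['verification_time'] + ".")

    # NOTE(review): the listing shows a raw line break inside this literal;
    # "\n" is used here -- confirm the separator against the original file.
    description += (" \nMore detailed information can be found at "
                    + data['phish_detail_url'])

    indicator = Indicator()
    indicator.idref = None
    indicator.title = title
    indicator.description = _cdata_wrap(description)
    indicator.short_description = _cdata_wrap(title)
    indicator.confidence = 'High' if data['verified'] == 'yes' else 'Low'

    # Fields deliberately left empty on every generated indicator.
    indicator.test_mechanisms = None
    indicator.alternative_id = None
    indicator.composite_indicator_expression = None
    indicator.valid_time_positions = None
    indicator.related_indicators = None

    # Per the original author's notes, indicator_types,
    # observable_composition_operator, producer, observables, handling,
    # sightings and the received time are set outside this function.
    return indicator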