示例#1
0
    def create_indicator(self, ce1sus_indicator, event_permissions, user):
        indicator = Indicator()
        indicator.id_ = 'ce1sus:Indicator-{0}'.format(ce1sus_indicator.uuid)
        indicator.title = ce1sus_indicator.title
        indicator.description = ce1sus_indicator.description
        indicator.short_description = ce1sus_indicator.short_description
        if ce1sus_indicator.confidence:
            indicator.confidence = ce1sus_indicator.confidence.title()
        else:
            indicator.confidence = 'Low'
        # TODO: handling
        # TODO: markings
        for type_ in ce1sus_indicator.types:
            indicator.add_indicator_type(type_.name)

        if ce1sus_indicator.operator:
            indicator.observable_composition_operator = ce1sus_indicator.operator
        # Todo Add confidence
        # indicator_attachment.confidence = "Low"
        creator = self.create_stix_identity(ce1sus_indicator)
        time = self.cybox_mapper.get_time(
            produced_time=ce1sus_indicator.created_at)
        info_source = InformationSource(identity=creator, time=time)
        indicator.producer = info_source
        observables = ce1sus_indicator.get_observables_for_permissions(
            event_permissions, user)
        for obs in observables:
            cybox_obs = self.create_observable(obs, event_permissions, user)
            indicator.add_observable(cybox_obs)
        valid_time = ValidTime(start_time=ce1sus_indicator.created_at,
                               end_time=ce1sus_indicator.created_at)
        indicator.add_valid_time_position(valid_time)
        return indicator
示例#2
0
def resolveObjects(incident, ttps, objects, eventTags, org):
    for obj in objects:
        tmp_incident = Incident()
        resolveAttributes(tmp_incident, ttps, obj["Attribute"], eventTags, org)
        indicator = Indicator(
            timestamp=getDateFromTimestamp(int(obj["timestamp"])))
        indicator.id_ = namespace[1] + ":MispObject-" + obj["uuid"]
        setProd(indicator, org)
        if obj["comment"] != "":
            indicator.description = obj["comment"]
        tlpTags = eventTags
        for attr in obj["Attribute"]:
            tlpTags = mergeTags(tlpTags, attr)
        setTLP(indicator, obj["distribution"], tlpTags, True)
        indicator.title = obj["name"] + " (MISP Object #" + obj["id"] + ")"
        indicator.description = indicator.title
        indicator.add_indicator_type("Malware Artifacts")
        indicator.add_valid_time_position(ValidTime())
        indicator.observable_composition_operator = "AND"
        for rindicator in tmp_incident.related_indicators:
            if rindicator.item.observable:
                indicator.add_observable(rindicator.item.observable)
        relatedIndicator = RelatedIndicator(indicator,
                                            relationship=obj["meta-category"])
        incident.related_indicators.append(relatedIndicator)
示例#3
0
def generateIndicator(attribute):
    indicator = Indicator()
    indicator.id_="example:indicator-" + attribute["uuid"]
    setTLP(indicator, attribute["distribution"])
    indicator.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
    confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
    confidence_value = confidence_mapping.get(attribute["to_ids"], None)
    if confidence_value is None:
        return indicator
    indicator.confidence = Confidence(value=confidence_value, description=confidence_description)
    return indicator
示例#4
0
def generateIndicator(attribute):
    indicator = Indicator(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
    indicator.id_= namespace[1] + ":indicator-" + attribute["uuid"]
    if attribute["comment"] != "":
        indicator.description = attribute["comment"]
    setTLP(indicator, attribute["distribution"])
    indicator.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
    confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
    confidence_value = confidence_mapping.get(attribute["to_ids"], None)
    if confidence_value is None:
        return indicator
    indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
    return indicator
示例#5
0
def generateIndicator(attribute):
    indicator = Indicator()
    indicator.id_ = "example:indicator-" + attribute["uuid"]
    setTLP(indicator, attribute["distribution"])
    indicator.title = "MISP Attribute #" + attribute[
        "id"] + " uuid: " + attribute["uuid"]
    confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
    confidence_value = confidence_mapping.get(attribute["to_ids"], None)
    if confidence_value is None:
        return indicator
    indicator.confidence = Confidence(value=confidence_value,
                                      description=confidence_description)
    return indicator
示例#6
0
 def generate_indicator(self, attribute, tags, org):
     indicator = Indicator(timestamp=attribute.timestamp)
     indicator.id_ = "{}:indicator-{}".format(namespace[1], attribute.uuid)
     self.set_prod(indicator, org)
     if attribute.comment:
         indicator.description = attribute.comment
     self.set_tlp(indicator, attribute.distribution, self.merge_tags(tags, attribute))
     indicator.title = "{}: {} (MISP Attribute #{})".format(attribute.category, attribute.value, attribute.id)
     indicator.description = indicator.title
     confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
     confidence_value = confidence_mapping.get(attribute.to_ids, None)
     if confidence_value is None:
         return indicator
     indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=attribute.timestamp)
     return indicator
示例#7
0
def to_stix_rfi(obj):
    from stix.indicator import Indicator as S_Ind
    list_rfis = []

    for each in obj.rfi:
        ind = S_Ind()
        ind.title = "CRITs RFI"
        ind.timestamp = each.date
        ind.description = each.topic
        ind.id_ = each.source

        list_rfis.append(ind)

        for item in each.instance:
            ind_2 = S_Ind()
            ind_2.title = "CRITs RFI"
            ind_2.timestamp = each.date
            ind_2.description = each.topic
            ind_2.producer = to_source(item)
            ind_2.id_ = each.source

            list_rfis.append(ind_2)

    return list_rfis
def main():
    pkg = STIXPackage()
    indicator = Indicator()
    indicator.id_ = "example:package-382ded87-52c9-4644-bab0-ad3168cbad50"
    indicator.title = "Malicious site hosting downloader"
    indicator.add_indicator_type("URL Watchlist")
    
    url = URI()
    url.value = "http://x4z9arb.cn/4712"
    url.type_ =  URI.TYPE_URL
    
    indicator.add_observable(url)

    pkg.add_indicator(indicator)
    
    print pkg.to_xml()
示例#9
0
def main():
    pkg = STIXPackage()
    indicator = Indicator()
    indicator.id_ = "example:package-382ded87-52c9-4644-bab0-ad3168cbad50"
    indicator.title = "Malicious site hosting downloader"
    indicator.add_indicator_type("URL Watchlist")

    url = URI()
    url.value = "http://x4z9arb.cn/4712"
    url.type_ = URI.TYPE_URL
    url.value.condition = "Equals"

    indicator.add_observable(url)

    pkg.add_indicator(indicator)

    print pkg.to_xml()
示例#10
0
def to_stix_relationship(obj):
    from stix.indicator import Indicator

    ind_rel = []

    for relationship in obj.relationships:
        #if not relationship.private: #testing
        ind = Indicator()
        ind.title = "MARTI Relation"
        ind.timestamp = relationship.relationship_date
        ind.confidence = relationship.rel_confidence.title()
        ind.id_ = relationship.url_key
        ind.add_indicator_type(get_indicator_type(relationship.rel_type))
        ind.description = relationship.rel_reason
        ind.short_description = relationship.relationship
        ind_rel.append(ind)

    return ind_rel
示例#11
0
 def resolve_objects(self, incident, tags):
     for misp_object in self.misp_event.objects:
         tlp_tags = None
         tmp_incident = Incident()
         tlp_tags = deepcopy(tags)
         self.resolve_attributes(tmp_incident, misp_object.attributes, tags)
         indicator = Indicator(timestamp=self.get_date_from_timestamp(int(misp_object.timestamp)))
         indicator.id_ = "{}:MispObject-{}".format(namespace[1], misp_object.uuid)
         self.set_prod(indicator, self.orgc_name)
         for attribute in misp_object.attributes:
             tlp_tags = self.merge_tags(tlp_tags, attribute)
         self.set_tlp(indicator, misp_object.distribution, tlp_tags)
         title = "{} (MISP Object #{})".format(misp_object.name, misp_object.id)
         indicator.title = title
         indicator.description = misp_object.comment if misp_object.comment else title
         indicator.add_indicator_type("Malware Artifacts")
         indicator.add_valid_time_position(ValidTime())
         indicator.observable_composition_operator = "AND"
         for rindicator in tmp_incident.related_indicators:
             if rindicator.item.observable:
                 indicator.add_observable(rindicator.item.observable)
         relatedIndicator = RelatedIndicator(indicator, relationship=misp_object['meta-category'])
         incident.related_indicators.append(relatedIndicator)
示例#12
0
def json2indicator(config, src, dest, endpoint, json_, crits_id):
    '''transform crits indicators into stix indicators with embedded
    cybox observable composition'''
    try:
        set_id_method(IDGenerator.METHOD_UUID)
        xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
        xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
        set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
        if endpoint == 'indicators':
            endpoint_trans = {'Email': 'emails', 'IP': 'ips',
                              'Sample': 'samples', 'Domain': 'domains', 
                              'Indicator': 'indicators', 'Event': 'events'}
            if json_.get('type', None) not in ['Reference', 'Related_To']:
                config['logger'].error(
                    log.log_messages['unsupported_object_error'].format(
                        type_='crits', obj_type='indicator type ' + json_.get('type', 'None'),
                        id_=crits_id))
                return(None)
            indicator_ = Indicator()
            indicator_.id = xmlns_name + ':indicator-' + crits_id
            indicator_.id_ = indicator_.id
            indicator_.title = json_['value']
            indicator_.confidence = json_['confidence']['rating'].capitalize()
            indicator_.add_indicator_type('Malware Artifacts')
            observable_composition_ = ObservableComposition()
            observable_composition_.operator = \
                indicator_.observable_composition_operator
            for r in json_['relationships']:
                if r.get('relationship', None) not in ['Contains', 'Related_To']:
                    config['logger'].error(
                        log.log_messages['unsupported_object_error'].format(
                            type_='crits', obj_type='indicator relationship type '
                            + r.get('relationship', 'None'), id_=crits_id))
                    continue
                if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']:
                    observable_ = Observable()
                    observable_.idref = xmlns_name + ':observable-' + r['value']
                    observable_composition_.add(observable_)
                elif r['type'] == 'Indicator':
                    related_indicator = RelatedIndicator(Indicator(idref=xmlns_name + ':indicator-' + r['value']))
                    indicator_.related_indicators.append(related_indicator)
                # stix indicators don't support related_incident :-(
                # elif r['type'] == 'Event':
                #     related_incident = RelatedIncident(Incident(idref=xmlns_name + ':incident-' + r['value']))
                #     indicator_.related_incidents.append(related_incident)
            indicator_.observable = Observable()
            indicator_.observable.observable_composition = \
                observable_composition_
            return(indicator_)
        else:
            config['logger'].error(
                log.log_messages['unsupported_object_error'].format(
                    type_='crits', obj_type=endpoint, id_=crits_id))
            return(None)
    except:
        e = sys.exc_info()[0]
        config['logger'].error(log.log_messages['obj_convert_error'].format(
            src_type='crits', src_obj='indicator', id_=crits_id,
            dest_type='stix', dest_obj='indicator'))
        config['logger'].exception(e)
        return(None)
示例#13
0
def json2indicator(config, src, dest, endpoint, json_, crits_id):
    '''transform crits indicators into stix indicators with embedded
    cybox observable composition'''
    try:
        set_id_method(IDGenerator.METHOD_UUID)
        xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
        xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
        set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
        if endpoint == 'indicators':
            endpoint_trans = {
                'Email': 'emails',
                'IP': 'ips',
                'Sample': 'samples',
                'Domain': 'domains',
                'Indicator': 'indicators',
                'Event': 'events'
            }
            if json_.get('type', None) not in ['Reference', 'Related_To']:
                config['logger'].error(
                    log.log_messages['unsupported_object_error'].format(
                        type_='crits',
                        obj_type='indicator type ' + json_.get('type', 'None'),
                        id_=crits_id))
                return (None)
            indicator_ = Indicator()
            indicator_.id = xmlns_name + ':indicator-' + crits_id
            indicator_.id_ = indicator_.id
            indicator_.title = json_['value']
            indicator_.confidence = json_['confidence']['rating'].capitalize()
            indicator_.add_indicator_type('Malware Artifacts')
            observable_composition_ = ObservableComposition()
            observable_composition_.operator = \
                indicator_.observable_composition_operator
            for r in json_['relationships']:
                if r.get('relationship',
                         None) not in ['Contains', 'Related_To']:
                    config['logger'].error(
                        log.log_messages['unsupported_object_error'].format(
                            type_='crits',
                            obj_type='indicator relationship type ' +
                            r.get('relationship', 'None'),
                            id_=crits_id))
                    continue
                if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']:
                    observable_ = Observable()
                    observable_.idref = xmlns_name + ':observable-' + r['value']
                    observable_composition_.add(observable_)
                elif r['type'] == 'Indicator':
                    related_indicator = RelatedIndicator(
                        Indicator(idref=xmlns_name + ':indicator-' +
                                  r['value']))
                    indicator_.related_indicators.append(related_indicator)
                # stix indicators don't support related_incident :-(
                # elif r['type'] == 'Event':
                #     related_incident = RelatedIncident(Incident(idref=xmlns_name + ':incident-' + r['value']))
                #     indicator_.related_incidents.append(related_incident)
            indicator_.observable = Observable()
            indicator_.observable.observable_composition = \
                observable_composition_
            return (indicator_)
        else:
            config['logger'].error(
                log.log_messages['unsupported_object_error'].format(
                    type_='crits', obj_type=endpoint, id_=crits_id))
            return (None)
    except:
        e = sys.exc_info()[0]
        config['logger'].error(log.log_messages['obj_convert_error'].format(
            src_type='crits',
            src_obj='indicator',
            id_=crits_id,
            dest_type='stix',
            dest_obj='indicator'))
        config['logger'].exception(e)
        return (None)