Added tests and a travis build

travis
Hannah Ward 2016-11-18 13:51:01 +00:00
parent 46444c0f00
commit 5ffd987a93
No known key found for this signature in database
GPG Key ID: 6F3BAD60DE190290
23 changed files with 1194 additions and 1 deletions

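--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,41 @@
+language: python
+python:
+- "2.7"
+- "3.5"
+- "nightly"
+cache: pip
+services:
+- mysql
+env:
+- OPENTAXII_CONFIG=$TRAVIS_BUILD_DIR/config.yaml
+- URL="http://ec2-52-42-201-6.us-west-2.compute.amazonaws.com"
+- APIKEY=Vjy0ra7wO6w6si7hbjxX52nARfVpaAO6Tm6lxeSm
+install:
+# Set up the deps
+- git submodule init
+- git submodule update
+# Install OpenTAXII
+- cd OpenTAXII
+- python setup.py install
+- cd ..
+# Create databases
+- mysql -u root -e 'create database taxiiauth; create database taxiipersist;'
+- mysql -u root -e "grant all on taxiiauth.* to 'taxii'@'%' identified by 'some_password';"
+- mysql -u root -e "grant all on taxiipersist.* to 'taxii'@'%' identified by 'some_password';"
+# Populate databases
+- opentaxii-create-services -c services.yaml
+- opentaxii-create-collections -c collections.yaml
+- opentaxii-create-acccount -u travis -p travis
+#Configure hooks
+- <misp_taxii_hooks/hooks.py sed 's@\[URL\]@'"$URL"'@; s@\[APIKEY\]@'"$APIKEY"'@' > misp_taxii_hooks/hooks.py
+- python setup.py install
+script:
+- cd tests
+- nosetests .
+- cd ..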
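Review bot: The MISP API key on the `APIKEY=` line is committed in plaintext and, per the `URL=` line, is then sent to the instance over plain http, so it is readable by anyone with access to the repository, its forks or the Travis logs; it should be treated as exposed and rotated, with the replacement supplied through a Travis encrypted `secure:` entry or the repository settings rather than this file. Independently, a list directly under `env:` defines one job per entry, so OPENTAXII_CONFIG, URL and APIKEY are each set in a separate job and never together; they need to sit under `env: global:` (or on one line) for the hooks step to see all three. The hooks line `<misp_taxii_hooks/hooks.py sed ... > misp_taxii_hooks/hooks.py` truncates the file before sed reads it, leaving hooks.py empty; `sed -i '...' misp_taxii_hooks/hooks.py` avoids that. `opentaxii-create-acccount` is also misspelled (three c's; the console script is `opentaxii-create-account`), so the install phase fails before any test runs.
```yaml
env:
  global:
    - OPENTAXII_CONFIG=$TRAVIS_BUILD_DIR/config.yaml
    - URL="http://ec2-52-42-201-6.us-west-2.compute.amazonaws.com"
    # APIKEY is injected as a Travis encrypted value, never stored in clear text
    - secure: "<ENCRYPTED_APIKEY_PLACEHOLDER>"
# … unchanged: install steps up to opentaxii-create-collections …
- opentaxii-create-account -u travis -p travis
# Configure hooks
- sed -i 's@\[URL\]@'"$URL"'@; s@\[APIKEY\]@'"$APIKEY"'@' misp_taxii_hooks/hooks.py
# … unchanged: setup.py install and the script section …
```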


@ -12,6 +12,6 @@ setup(
author="Hannah Ward",
author_email="hannah.ward2@baesystems.com",
packages=['misp_taxii_hooks'],
install_requires=["pymisp>=2.4.53", "pyaml>=3.11"],
install_requires=["pymisp>=2.4.53", "pyaml>=3.11", "cabby>=0.1", "nose>=1.3.7"],
)
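Review bot: nose is a test runner rather than a runtime dependency of misp_taxii_hooks, yet the new `install_requires` line makes every consumer of the package install it; declaring it as `tests_require=["nose>=1.3.7"]` (or under `extras_require`) keeps production installs free of it while the Travis job can still install it explicitly. The `setup()` call starts outside the hunk, and this rendering has lost the old/new markers on the two `install_requires` lines, so which one is current is inferred from the commit's purpose.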


@ -0,0 +1,56 @@
<stix:STIX_Package
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
xmlns:example="http://example.com"
xmlns:coa="http://stix.mitre.org/CourseOfAction-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
http://cybox.mitre.org/default_vocabularies-2 http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd
http://cybox.mitre.org/objects#AddressObject-2 http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd
http://stix.mitre.org/CourseOfAction-1 http://stix.mitre.org/XMLSchema/course_of_action/1.2/course_of_action.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd"
id="example:Package-495c4c04-b5d8-11e3-b7bb-000c29789db9"
version="1.2">
<stix:Courses_Of_Action>
<stix:Course_Of_Action id="example:coa-495c9b28-b5d8-11e3-b7bb-000c29789db9" xsi:type='coa:CourseOfActionType' version="1.2">
<coa:Title>Block traffic to PIVY C2 Server (10.10.10.10)</coa:Title>
<coa:Stage xsi:type="stixVocabs:COAStageVocab-1.0">Response</coa:Stage>
<coa:Type xsi:type="stixVocabs:CourseOfActionTypeVocab-1.0">Perimeter Blocking</coa:Type>
<coa:Objective>
<coa:Description>Block communication between the PIVY agents and the C2 Server</coa:Description>
<coa:Applicability_Confidence>
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
</coa:Applicability_Confidence>
</coa:Objective>
<coa:Parameter_Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable id="example:Observable-356e3258-0979-48f6-9bcf-6823eecf9a7d">
<cybox:Object id="example:Address-df3c710c-f05c-4edb-a753-de4862048950">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
<AddressObj:Address_Value>10.10.10.10</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</coa:Parameter_Observables>
<coa:Impact>
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Low</stixCommon:Value>
<stixCommon:Description>This IP address is not used for legitimate hosting so there should be no operational impact.</stixCommon:Description>
</coa:Impact>
<coa:Cost>
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Low</stixCommon:Value>
</coa:Cost>
<coa:Efficacy>
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
</coa:Efficacy>
</stix:Course_Of_Action>
</stix:Courses_Of_Action>
</stix:STIX_Package>


@ -0,0 +1,47 @@
<stix:STIX_Package
xmlns:example="http://example.com"
xmlns:campaign="http://stix.mitre.org/Campaign-1"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:ta="http://stix.mitre.org/ThreatActor-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://stix.mitre.org/Campaign-1 http://stix.mitre.org/XMLSchema/campaign/1.2/campaign.xsd
http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
http://stix.mitre.org/ThreatActor-1 http://stix.mitre.org/XMLSchema/threat_actor/1.2/threat_actor.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" id="example:Package-81810123-b298-40f6-a4e7-186efcd07670" version="1.2">
<stix:Campaigns>
<stix:Campaign id="example:Campaign-e5268b6e-4931-42f1-b379-87f48eb41b1e" timestamp="2014-08-08T15:50:10.983728+00:00" xsi:type='campaign:CampaignType' version="1.2">
<campaign:Title>Compromise of ATM Machines</campaign:Title>
<campaign:Related_TTPs>
<campaign:Related_TTP>
<stixCommon:TTP id="example:ttp-2d1c6ab3-5e4e-48ac-a32b-f0c01c2836a8" timestamp="2014-08-08T15:50:10.983464+00:00" xsi:type='ttp:TTPType' version="1.2">
<ttp:Title>Victim Targeting: Customer PII and Financial Data</ttp:Title>
<ttp:Victim_Targeting>
<ttp:Targeted_Information xsi:type="stixVocabs:InformationTypeVocab-1.0">Information Assets - Financial Data</ttp:Targeted_Information>
</ttp:Victim_Targeting>
</stixCommon:TTP>
</campaign:Related_TTP>
</campaign:Related_TTPs>
<campaign:Related_Incidents>
<campaign:Related_Incident><stixCommon:Incident idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"/></campaign:Related_Incident>
<campaign:Related_Incident><stixCommon:Incident idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"/></campaign:Related_Incident>
<campaign:Related_Incident><stixCommon:Incident idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"/></campaign:Related_Incident>
</campaign:Related_Incidents>
<campaign:Attribution>
<campaign:Attributed_Threat_Actor>
<stixCommon:Threat_Actor id="example:threatactor-56f3f0db-b5d5-431c-ae56-c18f02caf500" timestamp="2014-08-08T15:50:10.983629+00:00" xsi:type='ta:ThreatActorType' version="1.2">
<ta:Title>People behind the intrusion</ta:Title>
</stixCommon:Threat_Actor>
</campaign:Attributed_Threat_Actor>
</campaign:Attribution>
</stix:Campaign>
</stix:Campaigns>
</stix:STIX_Package>


@ -0,0 +1,61 @@
<?xml version="1.0"?>
<stix:STIX_Package
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:AddressObject="http://cybox.mitre.org/objects#AddressObject-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:example="http://example.com/"
xsi:schemaLocation="
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd
http://stix.mitre.org/Campaign-1 http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
http://stix.mitre.org/TTP-2 http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1.0/stix_default_vocabularies.xsd
http://cybox.mitre.org/objects#AddressObject-2 http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd"
id="example:STIXPackage-cc0ca596-70e6-4dac-9bef-603166d17db8"
version="1.1.1"
>
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="example:observable-c8c32b6e-2ea8-51c4-6446-7f5218072f27">
<cybox:Object id="example:object-d7fcce87-0e98-4537-81bf-1e7ca9ad3734">
<cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
<AddressObject:Address_Value>198.51.100.2</AddressObject:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="example:observable-b57aa65f-9598-04fb-a9d1-5094c36d5dc4">
<cybox:Object id="example:object-f4fac80a-1239-47cc-b0e6-771b1a73f817">
<cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
<AddressObject:Address_Value>198.51.100.17</AddressObject:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="example:observable-19c16346-0eb4-99e2-00bb-4ec3ed174cac">
<cybox:Object id="example:object-174bf9a3-f163-4919-9119-b52598f97ce3">
<cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
<AddressObject:Address_Value>203.0.113.19</AddressObject:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType" id="example:ttp-dd955e08-16d0-6f08-5064-50d9e7a3104d" timestamp="2014-05-08T09:00:00.000000Z">
<ttp:Title>Malware C2 Channel</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Type>Malware C2</ttp:Type>
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1">
<cybox:Observable idref="example:observable-c8c32b6e-2ea8-51c4-6446-7f5218072f27"/>
<cybox:Observable idref="example:observable-b57aa65f-9598-04fb-a9d1-5094c36d5dc4"/>
<cybox:Observable idref="example:observable-19c16346-0eb4-99e2-00bb-4ec3ed174cac"/>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>


@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:et="http://stix.mitre.org/ExploitTarget-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:example="http://example.com/"
xsi:schemaLocation="
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd
http://stix.mitre.org/ExploitTarget-1 http://stix.mitre.org/XMLSchema/exploit_target/1.2/exploit_target.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd"
id="example:STIXPackage-0196d980-60d9-4717-b7c5-bf7bc27a35d4"
version="1.2"
>
<stix:Exploit_Targets>
<stixCommon:Exploit_Target xsi:type="et:ExploitTargetType" id="example:et-48a276f7-a8d7-bba2-3575-e8a63fcd488" timestamp="2014-05-08T09:00:00.000000Z">
<et:Title>Javascript vulnerability in MSIE 6-11</et:Title>
<et:Vulnerability>
<et:CVE_ID>CVE-2013-3893</et:CVE_ID>
</et:Vulnerability>
</stixCommon:Exploit_Target>
</stix:Exploit_Targets>
</stix:STIX_Package>


@ -0,0 +1,44 @@
<stix:STIX_Package
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:example="http://example.com"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-bc2955f8-f1bb-4f02-b2ed-339d7daf6d75" version="1.2">
<stix:STIX_Header>
<stix:Title>File Hash Reputation Service Results</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Malware Artifacts</stix:Package_Intent>
</stix:STIX_Header>
<stix:Indicators>
<stix:Indicator id="example:indicator-14975dea-86cd-4211-a5f8-9c2e4daab69a" timestamp="2015-07-20T19:52:13.853585+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>File Reputation for SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
<indicator:Observable id="example:Observable-7b97c8a2-2d0b-4af7-bcf0-cad28f2fea5a">
<cybox:Object id="example:File-b04bfc7c-04ae-4dfe-ba8e-a297f0717552">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Indicated_TTP>
<stixCommon:TTP id="example:ttp-23e715a9-24c8-4b21-ba5b-f564d2edc660" timestamp="2015-07-20T19:52:13.854415+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Malicious file</ttp:Title>
</stixCommon:TTP>
</indicator:Indicated_TTP>
<indicator:Confidence timestamp="2015-07-20T19:52:13.854506+00:00">
<stixCommon:Value vocab_reference="https://en.wikipedia.org/wiki/Percentage" vocab_name="Percentage">75</stixCommon:Value>
</indicator:Confidence>
</stix:Indicator>
</stix:Indicators>
</stix:STIX_Package>


@ -0,0 +1,56 @@
<stix:STIX_Package
xmlns:example="http://example.com"
xmlns:ta="http://stix.mitre.org/ThreatActor-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix-ciqidentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xal="urn:oasis:names:tc:ciq:xal:3"
xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3"
xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3"
xsi:schemaLocation="
http://stix.mitre.org/ThreatActor-1 http://stix.mitre.org/XMLSchema/threat_actor/1.2/threat_actor.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.2/ciq_3.0_identity.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd
urn:oasis:names:tc:ciq:xal:3 http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xAL.xsd
urn:oasis:names:tc:ciq:xnl:3 http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xNL.xsd
urn:oasis:names:tc:ciq:xpil:3 http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xPIL.xsd" id="example:Package-c9567f73-3803-415c-b06e-2b0622830e5d" version="1.2" >
<stix:Threat_Actors>
<stix:Threat_Actor id="example:threatactor-dfaa8d77-07e2-4e28-b2c8-92e9f7b04428" timestamp="2014-11-19T23:39:03.893348+00:00" xsi:type='ta:ThreatActorType' version="1.2">
<ta:Title>Disco Team Threat Actor Group</ta:Title>
<ta:Identity id="example:Identity-733c5838-34d9-4fbf-949c-62aba761184c" xsi:type='stix-ciqidentity:CIQIdentity3.0InstanceType'>
<ExtSch:Specification xmlns:ExtSch="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1">
<xpil:PartyName xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="CommonUse">
<xnl:NameElement>Disco Tean</xnl:NameElement>
</xnl:OrganisationName>
<xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="UnofficialName">
<xnl:NameElement>Equipo del Discoteca</xnl:NameElement>
</xnl:OrganisationName>
</xpil:PartyName>
<xpil:Addresses xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xpil:Address>
<xal:Country xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
<xal:NameElement>United States</xal:NameElement>
</xal:Country>
<xal:AdministrativeArea xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
<xal:NameElement>California</xal:NameElement>
</xal:AdministrativeArea>
</xpil:Address>
</xpil:Addresses>
<xpil:ElectronicAddressIdentifiers xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xpil:ElectronicAddressIdentifier>disco-team@stealthemail.com</xpil:ElectronicAddressIdentifier>
<xpil:ElectronicAddressIdentifier>facebook.com/thediscoteam</xpil:ElectronicAddressIdentifier>
</xpil:ElectronicAddressIdentifiers>
<xpil:Languages xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xpil:Language>Spanish</xpil:Language>
</xpil:Languages>
</ExtSch:Specification>
</ta:Identity>
</stix:Threat_Actor>
</stix:Threat_Actors>
</stix:STIX_Package>


@ -0,0 +1,42 @@
<stix:STIX_Package
xmlns:example="http://example.com"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd
http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd"
id="example:Package-65184e82-b693-11e3-bfd7-0800271e87d2"
version="1.2">
<stix:TTPs>
<stix:TTP id="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" xsi:type='ttp:TTPType' timestamp="2014-05-08T09:00:00.000000Z">
<ttp:Title>Poison Ivy</ttp:Title>
<ttp:Behavior>
<ttp:Malware>
<ttp:Malware_Instance id="example:malware-6516102c-b693-11e3-bfd7-0800271e87d2">
<ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
<ttp:Name>Poison Ivy</ttp:Name>
</ttp:Malware_Instance>
</ttp:Malware>
</ttp:Behavior>
</stix:TTP>
</stix:TTPs>
<stix:Incidents>
<stix:Incident id="example:incident-1b75ee8f-14d6-819a-d729-09ab52c91fdb" xsi:type='incident:IncidentType' timestamp="2014-05-08T09:00:00.000000Z">
<incident:Title>Detected Poison Ivy beaconing through perimeter firewalls</incident:Title>
<incident:Leveraged_TTPs>
<incident:Leveraged_TTP>
<stixCommon:Relationship>Uses Malware</stixCommon:Relationship>
<stixCommon:TTP idref="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a"/>
</incident:Leveraged_TTP>
</incident:Leveraged_TTPs>
</stix:Incident>
</stix:Incidents>
</stix:STIX_Package>


@ -0,0 +1,39 @@
<stix:STIX_Package
xmlns:example="http://example.com"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd"
id="example:Package-d1a8110e-b693-11e3-8747-0800271e87d2"
version="1.2">
<stix:Incidents>
<stix:Incident id="example:incident-081d344b-9fae-d182-9cc7-d2d103e7c64f" xsi:type='incident:IncidentType' timestamp="2014-05-08T09:00:00.000000Z">
<incident:Title>Exfiltration from hr-data1.example.com</incident:Title>
<incident:Affected_Assets>
<incident:Affected_Asset>
<incident:Type count_affected="1">Database</incident:Type>
<incident:Description>Database server at hr-data1.example.com</incident:Description>
<incident:Business_Function_Or_Role>Hosts the database for example.com</incident:Business_Function_Or_Role>
<incident:Ownership_Class xsi:type="stixVocabs:OwnershipClassVocab-1.0">Internally-Owned</incident:Ownership_Class>
<incident:Management_Class xsi:type="stixVocabs:ManagementClassVocab-1.0">Internally-Managed</incident:Management_Class>
<incident:Location_Class xsi:type="stixVocabs:LocationClassVocab-1.0">Internally-Located</incident:Location_Class>
<incident:Nature_Of_Security_Effect>
<incident:Property_Affected>
<incident:Property xsi:type="stixVocabs:LossPropertyVocab-1.0">Confidentiality</incident:Property>
<incident:Description_Of_Effect>Data was exfiltrated, has not been determined which data or how.</incident:Description_Of_Effect>
<incident:Non_Public_Data_Compromised data_encrypted="false">Yes</incident:Non_Public_Data_Compromised>
</incident:Property_Affected>
</incident:Nature_Of_Security_Effect>
</incident:Affected_Asset>
</incident:Affected_Assets>
</stix:Incident>
</stix:Incidents>
</stix:STIX_Package>


@ -0,0 +1,64 @@
<stix:STIX_Package
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:example="http://example.com"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
http://cybox.mitre.org/default_vocabularies-2 http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd
http://cybox.mitre.org/objects#FileObject-2 http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd
http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" id="example:Package-035391ea-ef0d-48c9-ae9b-d50452fcb296" version="1.2">
<stix:Incidents>
<stix:Incident id="example:incident-84d86106-d801-489b-87b6-d56bac58e6c1" timestamp="2014-09-15T14:37:54.297669+00:00" xsi:type='incident:IncidentType' version="1.2">
<incident:Title>Malicious files detected</incident:Title>
<incident:Related_Observables>
<incident:Related_Observable>
<stixCommon:Relationship>Malicious Artifact Detected</stixCommon:Relationship>
<stixCommon:Observable id="example:Observable-0fd77202-c962-41c7-b90f-a906ab3b5392">
<cybox:Object id="example:File-043d8340-0300-46ee-b3bd-27693c8f64b7">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name>readme.doc.exe</FileObj:File_Name>
<FileObj:Size_In_Bytes>40891</FileObj:Size_In_Bytes>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value>e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Malicious Artifact Detected</stixCommon:Relationship>
<stixCommon:Observable id="example:Observable-b74949f0-cf41-4094-9b80-240201a96b60">
<cybox:Object id="example:File-bc006562-2330-4fd1-a938-8f975eefbc71">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name>readme.doc.exe</FileObj:File_Name>
<FileObj:Size_In_Bytes>40891</FileObj:Size_In_Bytes>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value>d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
</incident:Related_Observables>
</stix:Incident>
</stix:Incidents>
</stix:STIX_Package>


@ -0,0 +1,42 @@
<stix:STIX_Package
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:AddressObject="http://cybox.mitre.org/objects#AddressObject-2"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:example="http://example.com/"
xsi:schemaLocation="
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
http://stix.mitre.org/TTP-2 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://cybox.mitre.org/objects#AddressObject-2 http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd"
id="example:STIXPackage-33fe3b22-0201-47cf-85d0-97c02164528d"
version="1.2"
>
<stix:Indicators>
<stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-33fe3b22-0201-47cf-85d0-97c02164528d" timestamp="2014-05-08T09:00:00.000000Z">
<indicator:Title>IP Address for known C2 channel</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
<indicator:Observable id="example:Observable-1c798262-a4cd-434d-a958-884d6980c459">
<cybox:Object id="example:Object-1980ce43-8e03-490b-863a-ea404d12242e">
<cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
<AddressObject:Address_Value condition="Equals">10.0.0.0</AddressObject:Address_Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="example:TTP-bc66360d-a7d1-4d8c-ad1a-ea3a13d62da9" />
</indicator:Indicated_TTP>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType" id="example:TTP-bc66360d-a7d1-4d8c-ad1a-ea3a13d62da9" timestamp="2014-05-08T09:00:00.000000Z">
<ttp:Title>C2 Behavior</ttp:Title>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>


@ -0,0 +1,37 @@
<stix:STIX_Package
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
xmlns:example="http://example.com"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
http://cybox.mitre.org/default_vocabularies-2 http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd
http://cybox.mitre.org/objects#URIObject-2 http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd"
id="example:Package-8fab937e-b694-11e3-b71c-0800271e87d2"
version="1.2">
<stix:Indicators>
<stix:Indicator id="example:Indicator-d81f86b9-975b-bc0b-775e-810c5ad45a4f" xsi:type='indicator:IndicatorType'>
<indicator:Title>Malicious site hosting downloader</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">URL Watchlist</indicator:Type>
<indicator:Observable id="example:Observable-ee59c28e-d922-480e-9b7b-a79502696505">
<cybox:Object id="example:URI-b13ae3fc-80af-49c2-9de9-f713abc070ba">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">http://x4z9arb.cn/4712</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
</stix:Indicator>
</stix:Indicators>
</stix:STIX_Package>

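--- a/tests/kill-chain.xml
+++ b/tests/kill-chain.xml
@@ -0,0 +1,45 @@
+<stix:STIX_Package
+xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
+xmlns:cybox="http://cybox.mitre.org/cybox-2"
+xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
+xmlns:example="http://example.com"
+xmlns:indicator="http://stix.mitre.org/Indicator-2"
+xmlns:stixCommon="http://stix.mitre.org/common-1"
+xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
+xmlns:stix="http://stix.mitre.org/stix-1"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="
+http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
+http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
+http://cybox.mitre.org/default_vocabularies-2 http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd
+http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
+http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
+http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
+http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" id="example:Package-91d9b5a2-b63b-431b-ab56-aba30ab36809" version="1.2">
+<stix:Indicators>
+<stix:Indicator id="example:indicator-f33c2b75-aa60-4ffb-9829-3746ef233311" timestamp="2014-10-21T21:10:09.423000+00:00" xsi:type='indicator:IndicatorType'>
+<indicator:Kill_Chain_Phases>
+<stixCommon:Kill_Chain_Phase/>
+<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
+</indicator:Kill_Chain_Phases>
+</stix:Indicator>
+</stix:Indicators>
+<stix:TTPs>
+<stix:Kill_Chains>
+<stixCommon:Kill_Chain id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" definer="LMCO" name="LM Cyber Kill Chain">
+<stixCommon:Kill_Chain_Phase ordinality="1" name="Reconnaissance" phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a"/>
+<stixCommon:Kill_Chain_Phase ordinality="2" name="Weaponization" phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16"/>
+<stixCommon:Kill_Chain_Phase ordinality="3" name="Delivery" phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d"/>
+<stixCommon:Kill_Chain_Phase ordinality="4" name="Exploitation" phase_id="stix:TTP-f706e4e7-53d8-44ef-967f-81535c9db7d0"/>
+<stixCommon:Kill_Chain_Phase ordinality="5" name="Installation" phase_id="stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f"/>
+<stixCommon:Kill_Chain_Phase ordinality="6" name="Command and Control" phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2"/>
+<stixCommon:Kill_Chain_Phase ordinality="7" name="Actions on Objectives" phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6"/>
+</stixCommon:Kill_Chain>
+<stixCommon:Kill_Chain definer="Myself" name="Organization-specific Kill Chain">
+<stixCommon:Kill_Chain_Phase name="Infect Machine"/>
+<stixCommon:Kill_Chain_Phase name="Exfiltrate Data"/>
+</stixCommon:Kill_Chain>
+</stix:Kill_Chains>
+</stix:TTPs>
+</stix:STIX_Package>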


@ -0,0 +1,104 @@
<stix:STIX_Package
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject-2"
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:example="http://example.com"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
http://cybox.mitre.org/default_vocabularies-2 http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd
http://cybox.mitre.org/objects#EmailMessageObject-2 http://cybox.mitre.org/XMLSchema/objects/Email_Message/2.1/Email_Message_Object.xsd
http://cybox.mitre.org/objects#FileObject-2 http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd
http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" id="example:Package-8b8ed1c1-f01d-4393-ac65-97017ed15876" version="1.2" >
<stix:Indicators>
<stix:Indicator id="example:indicator-8cf9236f-1b96-493d-98be-0c1c1e8b62d7" timestamp="2014-10-31T15:52:13.127931+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">
<indicator:Title>Malicious E-mail</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malicious E-mail</indicator:Type>
<indicator:Observable id="example:Observable-437f0c20-ab26-4400-9f6a-fc395da3ddd9">
<cybox:Object id="example:EmailMessage-0dc3478e-153a-412f-8718-7e9ee65b8084">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:Subject condition="StartsWith">[IMPORTANT] Please Review Before</EmailMessageObj:Subject>
</EmailMessageObj:Header>
<EmailMessageObj:Attachments>
<EmailMessageObj:File object_reference="example:File-c182bcb6-8023-44a8-b340-157295abc8a6"/>
</EmailMessageObj:Attachments>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="example:ttp-d7b066aa-4091-4276-a142-29d5d81c3484" xsi:type='ttp:TTPType' version="1.2"/>
</indicator:Indicated_TTP>
<indicator:Confidence timestamp="2014-10-31T15:52:13.127950+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
</indicator:Confidence>
</stix:Indicator>
<stix:Indicator id="example:indicator-b06b0eb7-61dd-4338-a094-0290c380fbd8" timestamp="2014-10-31T15:52:13.126999+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">
<indicator:Title>Malicious E-mail Subject Line</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malicious E-mail</indicator:Type>
<indicator:Observable id="example:Observable-e9926796-6b52-463c-8be1-0ab66e9adb1c">
<cybox:Object id="example:EmailMessage-38afa5c9-ef26-4948-928b-0230521c67b7">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:Subject condition="StartsWith">[IMPORTANT] Please Review Before</EmailMessageObj:Subject>
</EmailMessageObj:Header>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="example:ttp-d7b066aa-4091-4276-a142-29d5d81c3484" xsi:type='ttp:TTPType' version="1.2"/>
</indicator:Indicated_TTP>
<indicator:Confidence timestamp="2014-10-31T15:52:13.127225+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Low</stixCommon:Value>
</indicator:Confidence>
</stix:Indicator>
<stix:Indicator id="example:indicator-2e17f6fe-3a4d-438a-911a-e509ba1b9933" timestamp="2014-10-31T15:52:13.127668+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">
<indicator:Title>Malicious E-mail Attachment</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malicious E-mail</indicator:Type>
<indicator:Observable id="example:Observable-9c9869a2-f822-4682-bda4-e89d31b18704">
<cybox:Object id="example:EmailMessage-9d56af8e-5588-4ed3-affd-bd769ddd7fe2">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Attachments>
<EmailMessageObj:File object_reference="example:File-c182bcb6-8023-44a8-b340-157295abc8a6"/>
</EmailMessageObj:Attachments>
</cybox:Properties>
<cybox:Related_Objects>
<cybox:Related_Object id="example:File-c182bcb6-8023-44a8-b340-157295abc8a6">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="StartsWith">Final Report</FileObj:File_Name>
<FileObj:File_Extension condition="Equals">doc.exe</FileObj:File_Extension>
</cybox:Properties>
<cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Contains</cybox:Relationship>
</cybox:Related_Object>
</cybox:Related_Objects>
</cybox:Object>
</indicator:Observable>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="example:ttp-d7b066aa-4091-4276-a142-29d5d81c3484" xsi:type='ttp:TTPType' version="1.2"/>
</indicator:Indicated_TTP>
<indicator:Confidence timestamp="2014-10-31T15:52:13.127775+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Low</stixCommon:Value>
</indicator:Confidence>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP id="example:ttp-d7b066aa-4091-4276-a142-29d5d81c3484" timestamp="2014-10-31T15:52:13.126765+00:00" xsi:type='ttp:TTPType' version="1.2">
<ttp:Title>Phishing</ttp:Title>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:stix-maec="http://stix.mitre.org/extensions/Malware#MAEC4.1-1"
xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2"
xmlns:example="http://example.com"
xsi:schemaLocation="
http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd
http://stix.mitre.org/extensions/Malware#MAEC4.1-1 http://stix.mitre.org/XMLSchema/extensions/malware/maec_4.1/1.0/maec_4.1_malware.xsd
http://maec.mitre.org/XMLSchema/maec-package-2 http://maec.mitre.org/language/version4.1/maec_package_schema.xsd"
id="example:Package-2b8fb66f-b6b3-4d40-865a-33e4a5ee1246"
version="1.2"
timestamp="2014-05-08T09:00:00.000000Z"
>
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType" id="example:ttp-7d9fe1f7-429d-077e-db51-92c70b8da45a">
<ttp:Title>Poison Ivy Variant v4392-acc</ttp:Title>
<ttp:Behavior>
<ttp:Malware>
<ttp:Malware_Instance xsi:type="stix-maec:MAEC4.1InstanceType">
<ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
<ttp:Name>Poison Ivy Variant v4392-acc</ttp:Name>
<stix-maec:MAEC id="example:package-2fb96bef-1b11-436e-af4a-15588ac3198b" schema_version="2.1">
<!-- MAEC Content Here -->
<maecPackage:Malware_Subjects>
<maecPackage:Malware_Subject id="example:Subject-57cd4839-436e-1b11-af4a-15588ac3198b">
<maecPackage:Malware_Instance_Object_Attributes>
</maecPackage:Malware_Instance_Object_Attributes>
</maecPackage:Malware_Subject>
</maecPackage:Malware_Subjects>
</stix-maec:MAEC>
</ttp:Malware_Instance>
</ttp:Malware>
</ttp:Behavior>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>


@ -0,0 +1,62 @@
<stix:STIX_Package
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:example="http://example.com"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
http://cybox.mitre.org/default_vocabularies-2 http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd
http://cybox.mitre.org/objects#FileObject-2 http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd"
id="example:Package-fdd39a2e-b67c-11e3-bcc9-f01faf20d111"
version="1.2"
>
<stix:Indicators>
<stix:Indicator id="example:indicator-a932fcc6-e032-176c-126f-cb970a5a1ade" xsi:type='indicator:IndicatorType' timestamp="2014-05-08T09:00:00.000000Z">
<indicator:Title>File hash for Poison Ivy variant</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
<indicator:Observable id="example:Observable-7d6f87bb-b4cd-42dd-b655-72557e9ea79f">
<cybox:Object id="example:File-91040dc2-28d8-4925-bfe8-6b50d300afe1">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" />
</indicator:Indicated_TTP>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP id="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" xsi:type='ttp:TTPType' timestamp="2014-05-08T09:00:00.000000Z">
<ttp:Title>Poison Ivy</ttp:Title>
<ttp:Behavior>
<ttp:Malware>
<ttp:Malware_Instance id="example:malware-fdd60b30-b67c-11e3-b0b9-f01faf20d111">
<ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
<ttp:Name>Poison Ivy</ttp:Name>
</ttp:Malware_Instance>
</ttp:Malware>
</ttp:Behavior>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>


@ -0,0 +1,128 @@
<stix:STIX_Package
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:example="http://example.com"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix-openioc="http://stix.mitre.org/extensions/TestMechanism#OpenIOC2010-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/extensions/TestMechanism#OpenIOC2010-1 http://stix.mitre.org/XMLSchema/extensions/test_mechanism/open_ioc_2010/1.2/open_ioc_2010_test_mechanism.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" id="example:Package-6ed0af26-fcb9-49be-9014-f119770f267a" version="1.2" >
<stix:Indicators>
<stix:Indicator id="example:indicator-b92194e0-da61-4a32-9034-1148123b0f7a" timestamp="2014-06-20T20:53:08.440812+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">
<indicator:Title>Zeus</indicator:Title>
<indicator:Description>Finds Zeus variants, twexts, sdra64, ntos</indicator:Description>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="example:ttp-27884a06-e75c-4f35-b58d-f8cf2722f7d3" xsi:type='ttp:TTPType' version="1.2"/>
</indicator:Indicated_TTP>
<indicator:Test_Mechanisms>
<indicator:Test_Mechanism id="example:testmechanism-c7f7dad4-4835-4105-8a53-72149f721ec0" xmlns:stix-openioc='http://stix.mitre.org/extensions/TestMechanism#OpenIOC2010-1' xsi:type='stix-openioc:OpenIOC2010TestMechanismType'>
<indicator:Producer>
<stixCommon:Identity id="example:Identity-1c06cffc-4c80-4005-8d82-075afea0ed41">
<stixCommon:Name>Mandiant</stixCommon:Name>
</stixCommon:Identity>
<stixCommon:Time>
<cyboxCommon:Produced_Time>2001-01-01T00:00:00</cyboxCommon:Produced_Time>
</stixCommon:Time>
<stixCommon:References>
<stixCommon:Reference>http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc</stixCommon:Reference>
</stixCommon:References>
</indicator:Producer>
<stix-openioc:ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.mandiant.com/2010/ioc" xmlns:stix-openioc="http://stix.mitre.org/extensions/TestMechanism#OpenIOC2010-1" id="6d2a1b03-b216-4cd8-9a9e-8827af6ebf93" last-modified="2011-10-28T19:28:20">
<short_description>Zeus</short_description>
<description>Finds Zeus variants, twexts, sdra64, ntos</description>
<keywords/>
<authored_by>Mandiant</authored_by>
<authored_date>0001-01-01T00:00:00</authored_date>
<links/>
<definition>
<Indicator operator="OR" id="9c8df971-32a8-4ede-8a3a-c5cb2c1439c6">
<Indicator operator="AND" id="0781258f-6960-4da5-97a0-ec35fb403cac">
<IndicatorItem id="50455b63-35bf-4efa-9f06-aeba2980f80a" condition="contains">
<Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
<Content type="string">winlogon.exe</Content>
</IndicatorItem>
<IndicatorItem id="b05d9b40-0528-461f-9721-e31d5651abdc" condition="contains">
<Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir"/>
<Content type="string">File</Content>
</IndicatorItem>
<Indicator operator="OR" id="67505775-6577-43b2-bccd-74603223180a">
<IndicatorItem id="c5ae706f-c032-4da7-8acd-4523f1dae9f6" condition="contains">
<Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
<Content type="string">system32\sdra64.exe</Content>
</IndicatorItem>
<IndicatorItem id="25ff12a7-665b-4e45-8b0f-6e5ca7b95801" condition="contains">
<Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
<Content type="string">system32\twain_32\user.ds</Content>
</IndicatorItem>
<IndicatorItem id="fea11706-9ebe-469b-b30a-4047cfb7436b" condition="contains">
<Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir"/>
<Content type="string">\WINDOWS\system32\twext.exe</Content>
</IndicatorItem>
<IndicatorItem id="94ac992c-8d6d-441f-bfc4-5235f9b09af8" condition="contains">
<Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
<Content type="string">system32\twain32\local.ds</Content>
</IndicatorItem>
<IndicatorItem id="bc12f44e-7d93-47ea-9cc9-86a2beeaa04c" condition="contains">
<Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
<Content type="string">system32\twext.exe</Content>
</IndicatorItem>
<IndicatorItem id="1c3f8902-d4e2-443a-a407-15be3951bef9" condition="contains">
<Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
<Content type="string">system32\lowsec\user.ds</Content>
</IndicatorItem>
<IndicatorItem id="7fab12d1-67ed-4149-b46a-ec50fc622bee" condition="contains">
<Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
<Content type="string">system32\lowsec\local.ds</Content>
</IndicatorItem>
</Indicator>
</Indicator>
<Indicator operator="AND" id="9f7a5703-8a26-45cf-b801-1c13f0f15d40">
<IndicatorItem id="cf77d82f-0ac9-4c81-af0b-d634f71525b5" condition="contains">
<Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir"/>
<Content type="string">Mutant</Content>
</IndicatorItem>
<Indicator operator="OR" id="83f72cf7-6399-4620-b735-d08ce23ba517">
<IndicatorItem id="a1250d55-cd63-46cd-9436-e1741f5f42c7" condition="contains">
<Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
<Content type="string">__SYSTEM__</Content>
</IndicatorItem>
<IndicatorItem id="e033b865-95ba-44ab-baa5-3b1e8e5f348c" condition="contains">
<Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
<Content type="string">_AVIRA_</Content>
</IndicatorItem>
</Indicator>
</Indicator>
</Indicator>
</definition>
</stix-openioc:ioc>
</indicator:Test_Mechanism>
</indicator:Test_Mechanisms>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP id="example:ttp-27884a06-e75c-4f35-b58d-f8cf2722f7d3" timestamp="2014-06-20T20:53:08.439607+00:00" xsi:type='ttp:TTPType' version="1.2">
<ttp:Title>Zeus</ttp:Title>
<ttp:Behavior>
<ttp:Malware>
<ttp:Malware_Instance id="example:malware-19e1567c-a824-4af1-aeb2-0267ec934c53">
<ttp:Name>Zeus</ttp:Name>
<ttp:Name>twexts</ttp:Name>
<ttp:Name>sdra64</ttp:Name>
<ttp:Name>ntos</ttp:Name>
</ttp:Malware_Instance>
</ttp:Malware>
</ttp:Behavior>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>

48
tests/sample.xml Normal file

@ -0,0 +1,48 @@
<stix:STIX_Package
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:example="http://example.com"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" id="example:Package-ec96d2a6-5a95-48f2-93c0-b3b2198633ca" version="1.2" >
<stix:Incidents>
<stix:Incident id="example:incident-8236b4a2-abe0-4b56-9347-288005c4bb92" timestamp="2014-11-18T23:40:08.061362+00:00" xsi:type='incident:IncidentType' version="1.2">
<incident:Title>Breach of Cyber Tech Dynamics</incident:Title>
<incident:Time>
<incident:Initial_Compromise precision="second">2012-01-30T00:00:00</incident:Initial_Compromise>
<incident:Incident_Discovery precision="second">2012-05-10T00:00:00</incident:Incident_Discovery>
<incident:Restoration_Achieved precision="second">2012-08-10T00:00:00</incident:Restoration_Achieved>
<incident:Incident_Reported precision="second">2012-12-10T00:00:00</incident:Incident_Reported>
</incident:Time>
<incident:Description>Intrusion into enterprise network</incident:Description>
<incident:Reporter>
<stixCommon:Description>The person who reported it</stixCommon:Description>
<stixCommon:Identity id="example:Identity-cd64aaa6-b1c0-4026-8ea1-14ff5a19e5fb">
<stixCommon:Name>Sample Investigations, LLC</stixCommon:Name>
</stixCommon:Identity>
<stixCommon:Time>
<cyboxCommon:Produced_Time>2014-03-11T00:00:00</cyboxCommon:Produced_Time>
</stixCommon:Time>
</incident:Reporter>
<incident:Victim id="example:Identity-dd8637b7-51b4-48f0-9e3c-a2b23b3a2dd7">
<stixCommon:Name>Cyber Tech Dynamics</stixCommon:Name>
</incident:Victim>
<incident:Impact_Assessment>
<incident:Effects>
<incident:Effect xsi:type="stixVocabs:IncidentEffectVocab-1.0">Financial Loss</incident:Effect>
</incident:Effects>
</incident:Impact_Assessment>
<incident:Confidence timestamp="2014-11-18T23:40:08.061379+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
</incident:Confidence>
</stix:Incident>
</stix:Incidents>
</stix:STIX_Package>


@ -0,0 +1,68 @@
<stix:STIX_Package
xmlns:example="http://example.com"
xmlns:et="http://stix.mitre.org/ExploitTarget-1"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:snortTM="http://stix.mitre.org/extensions/TestMechanism#Snort-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://stix.mitre.org/ExploitTarget-1 http://stix.mitre.org/XMLSchema/exploit_target/1.2/exploit_target.xsd
http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/extensions/TestMechanism#Snort-1 http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.2/snort_test_mechanism.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" id="example:Package-ea99d4d4-1ae7-4120-9ebe-67ed4783fb36" version="1.2" >
<stix:Indicators>
<stix:Indicator id="example:indicator-567b201c-4fd5-4bde-a5db-42abc340807a" timestamp="2014-06-20T15:16:56.987616+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">
<indicator:Title>Snort Signature for Heartbleed</indicator:Title>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="example:ttp-8c12783d-3ebd-42bd-8dcd-e81dab56a47a" xsi:type='ttp:TTPType' version="1.2"/>
</indicator:Indicated_TTP>
<indicator:Test_Mechanisms>
<indicator:Test_Mechanism id="example:testmechanism-a1475567-50f7-4dae-b0d0-47c7ea8e79e1" xmlns:snortTM='http://stix.mitre.org/extensions/TestMechanism#Snort-1' xsi:type='snortTM:SnortTestMechanismType'>
<indicator:Efficacy timestamp="2014-06-20T15:16:56.987966+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Low</stixCommon:Value>
</indicator:Efficacy>
<indicator:Producer>
<stixCommon:Identity id="example:Identity-a0740d84-9fcd-44af-9033-94e76a53201e">
<stixCommon:Name>FOX IT</stixCommon:Name>
</stixCommon:Identity>
<stixCommon:References>
<stixCommon:Reference>http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/</stixCommon:Reference>
</stixCommon:References>
</indicator:Producer>
<snortTM:Rule><![CDATA[alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)]]></snortTM:Rule>
<snortTM:Rule><![CDATA[alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)]]></snortTM:Rule>
</indicator:Test_Mechanism>
</indicator:Test_Mechanisms>
<indicator:Confidence timestamp="2014-06-20T15:16:56.987649+00:00">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
</indicator:Confidence>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP id="example:ttp-8c12783d-3ebd-42bd-8dcd-e81dab56a47a" timestamp="2014-06-20T15:16:56.986865+00:00" xsi:type='ttp:TTPType' version="1.2">
<ttp:Title>Generic Heartbleed Exploits</ttp:Title>
<ttp:Exploit_Targets>
<ttp:Exploit_Target>
<stixCommon:Exploit_Target idref="example:et-e77c1e36-5b43-4c5c-b8cb-7b36035f2b90" xsi:type='et:ExploitTargetType' version="1.2"/>
</ttp:Exploit_Target>
</ttp:Exploit_Targets>
</stix:TTP>
</stix:TTPs>
<stix:Exploit_Targets>
<stixCommon:Exploit_Target id="example:et-e77c1e36-5b43-4c5c-b8cb-7b36035f2b90" timestamp="2014-06-20T15:16:56.986650+00:00" xsi:type='et:ExploitTargetType' version="1.2">
<et:Title>Heartbleed</et:Title>
<et:Vulnerability>
<et:CVE_ID>CVE-2013-3893</et:CVE_ID>
</et:Vulnerability>
</stixCommon:Exploit_Target>
</stix:Exploit_Targets>
</stix:STIX_Package>

61
tests/test.xml Normal file

@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:AddressObject="http://cybox.mitre.org/objects#AddressObject-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:example="http://example.com/"
xsi:schemaLocation="
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd
http://stix.mitre.org/Campaign-1 http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
http://stix.mitre.org/TTP-2 http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1.0/stix_default_vocabularies.xsd
http://cybox.mitre.org/objects#AddressObject-2 http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd"
id="example:STIXPackage-cc0ca596-70e6-4dac-9bef-603166d17db8"
version="1.1.1"
>
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="example:observable-c8c32b6e-2ea8-51c4-6446-7f5218072f27">
<cybox:Object id="example:object-d7fcce87-0e98-4537-81bf-1e7ca9ad3734">
<cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
<AddressObject:Address_Value>198.51.100.2</AddressObject:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="example:observable-b57aa65f-9598-04fb-a9d1-5094c36d5dc4">
<cybox:Object id="example:object-f4fac80a-1239-47cc-b0e6-771b1a73f817">
<cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
<AddressObject:Address_Value>198.51.100.17</AddressObject:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="example:observable-19c16346-0eb4-99e2-00bb-4ec3ed174cac">
<cybox:Object id="example:object-174bf9a3-f163-4919-9119-b52598f97ce3">
<cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
<AddressObject:Address_Value>203.0.113.19</AddressObject:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType" id="example:ttp-dd955e08-16d0-6f08-5064-50d9e7a3104d" timestamp="2014-05-08T09:00:00.000000Z">
<ttp:Title>Malware C2 Channel</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Type>Malware C2</ttp:Type>
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1">
<cybox:Observable idref="example:observable-c8c32b6e-2ea8-51c4-6446-7f5218072f27"/>
<cybox:Observable idref="example:observable-b57aa65f-9598-04fb-a9d1-5094c36d5dc4"/>
<cybox:Observable idref="example:observable-19c16346-0eb4-99e2-00bb-4ec3ed174cac"/>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>

22
tests/test_upload.py Normal file

@ -0,0 +1,22 @@
#!/usr/bin/env python
import subprocess
import glob
def test_push():
for fname in glob.glob("*.xml"):
proc = subprocess.Popen([
"taxii-push",
"--path", "http://localhost:9000/services/inbox",
"-f", fname,
"--dest", "collection",
"--username", "travis",
"--password", "travis"
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
)
out,err = proc.communicate()
print(out)
assert("Content block successfully pushed" in out.decode("utf-8"))
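Review bot: test_push passes vacuously when `glob.glob("*.xml")` matches nothing, because the loop body (and its only assertion) never runs; the glob is relative to the current working directory, so running the test from anywhere other than tests/ silently reports success. Bind the list first and assert on it, e.g. `files = glob.glob("*.xml")` followed by `assert files, "no sample .xml files found in cwd"`, or resolve the pattern against the directory of `__file__` so the test is cwd-independent. Separately, `err` is captured but never surfaced, so a failed push only shows the assertion failing on `out`; checking `assert proc.returncode == 0, err` before the string match would put the actual error in the report. The `travis`/`travis` credentials passed on argv are visible in process listings, which is acceptable only because this is a throwaway CI account; worth a one-line comment saying so.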


@ -0,0 +1,57 @@
<stix:STIX_Package
xmlns:example="http://example.com"
xmlns:et="http://stix.mitre.org/ExploitTarget-1"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:yaraTM="http://stix.mitre.org/extensions/TestMechanism#YARA-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://stix.mitre.org/ExploitTarget-1 http://stix.mitre.org/XMLSchema/exploit_target/1.2/exploit_target.xsd
http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
http://stix.mitre.org/extensions/TestMechanism#YARA-1 http://stix.mitre.org/XMLSchema/extensions/test_mechanism/yara/1.1.1/yara_test_mechanism.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" id="example:Package-ea99d4d4-1ae7-4120-9ebe-67ed4783fb36" version="1.2">
<stix:Indicators>
<stix:Indicator id="example:indicator-567b201c-4fd5-4bde-a5db-42abc340807a" timestamp="2014-06-20T15:16:56.987616+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">
<indicator:Title>silent_banker</indicator:Title>
<indicator:Description>This is just an example.</indicator:Description>
<indicator:Test_Mechanisms>
<indicator:Test_Mechanism id="example:testmechanism-a1475567-50f7-4dae-b0d0-47c7ea8e79e1" xsi:type='yaraTM:YaraTestMechanismType'>
<indicator:Producer>
<stixCommon:Identity id="example:Identity-a0740d84-9fcd-44af-9033-94e76a53201e">
<stixCommon:Name>Yara</stixCommon:Name>
</stixCommon:Identity>
<stixCommon:References>
<stixCommon:Reference>http://plusvic.github.io/yara/</stixCommon:Reference>
</stixCommon:References>
</indicator:Producer>
<yaraTM:Rule><![CDATA[
rule silent_banker : banker
{
meta:
description = "This is just an example"
thread_level = 3
in_the_wild = true
strings:
$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}
]]></yaraTM:Rule>
</indicator:Test_Mechanism>
</indicator:Test_Mechanisms>
</stix:Indicator>
</stix:Indicators>
</stix:STIX_Package>