mirror of https://github.com/MISP/MISP
Merge branch 'misp-stix' into develop
commit
20c453d970
|
@ -25,7 +25,7 @@
|
|||
path = misp-vagrant
|
||||
url = https://github.com/MISP/misp-vagrant.git
|
||||
[submodule "cti-python-stix2"]
|
||||
path = cti-python-stix2
|
||||
path = app/files/scripts/cti-python-stix2
|
||||
url = https://github.com/MISP/cti-python-stix2
|
||||
[submodule "app/files/noticelists"]
|
||||
path = app/files/noticelists
|
||||
|
@ -36,3 +36,19 @@
|
|||
[submodule "app/files/scripts/misp-opendata"]
|
||||
path = app/files/scripts/misp-opendata
|
||||
url = https://github.com/MISP/misp-opendata
|
||||
[submodule "app/files/scripts/misp-stix"]
|
||||
path = app/files/scripts/misp-stix
|
||||
url = git@github.com:misp/misp-stix.git
|
||||
branch = dev
|
||||
[submodule "app/files/scripts/python-stix"]
|
||||
path = app/files/scripts/python-stix
|
||||
url = https://github.com/STIXProject/python-stix
|
||||
[submodule "app/files/scripts/python-cybox"]
|
||||
path = app/files/scripts/python-cybox
|
||||
url = https://github.com/CybOXProject/python-cybox
|
||||
[submodule "app/files/scripts/mixbox"]
|
||||
path = app/files/scripts/mixbox
|
||||
url = https://github.com/CybOXProject/mixbox
|
||||
[submodule "app/files/scripts/python-maec"]
|
||||
path = app/files/scripts/python-maec
|
||||
url = https://github.com/MAECProject/python-maec
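Review bot: The new `misp-stix` entry uses `url = git@github.com:misp/misp-stix.git`, the only SSH URL in this file; every other submodule, including the four added alongside it, uses `https://`. A fresh install runs `git submodule update --progress --init --recursive` as the web user (INSTALL.sh, hunk `@ -1453,12 +1444,7 @@ installCore ()`), which has no GitHub SSH key or known_hosts entry, so that clone fails — and because the call sits inside a `false; while [[ $? -ne 0 ]]; do ...; done` retry loop it fails forever rather than once. Use the anonymous URL, `url = https://github.com/MISP/misp-stix.git`, consistent with the other entries. The `branch = dev` line only takes effect with `submodule update --remote`; worth confirming it is intended, since no other entry here pins a branch.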
|
||||
|
|
|
@ -1403,15 +1403,6 @@ installCore () {
|
|||
sudo mkdir /var/www/.cache/
|
||||
sudo chown ${WWW_USER}:${WWW_USER} /var/www/.cache
|
||||
|
||||
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
|
||||
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git clone https://github.com/${dependency}.git ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}; done
|
||||
${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} config core.filemode false
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
|
||||
done
|
||||
|
||||
debug "Install python-stix2"
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/cti-python-stix2
|
||||
|
||||
debug "Install PyMISP"
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/PyMISP
|
||||
|
||||
|
@ -1453,12 +1444,7 @@ installCore () {
|
|||
false; while [[ $? -ne 0 ]]; do ${SUDO_WWW} git -C ${PATH_TO_MISP} submodule update --progress --init --recursive; done
|
||||
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U setuptools pip lief zmq redis python-magic plyara
|
||||
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
|
||||
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} pull; done
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
|
||||
done
|
||||
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/cti-python-stix2
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/PyMISP
|
||||
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U git+https://github.com/kbandla/pydeep.git; done
|
||||
fi
|
||||
|
@ -2357,35 +2343,10 @@ installCoreRHEL7 () {
|
|||
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
||||
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
|
||||
|
||||
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
||||
UMASK=$(umask)
|
||||
umask 0022
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install mixbox to accommodate the new STIX dependencies:
|
||||
cd $PATH_TO_MISP/app/files/scripts/mixbox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install STIX2.0 library to support STIX 2.0 export:
|
||||
cd $PATH_TO_MISP/cti-python-stix2
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install maec
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec
|
||||
|
||||
# install zmq
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq
|
||||
|
||||
|
@ -2490,13 +2451,6 @@ installCoreRHEL8 () {
|
|||
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
||||
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
||||
([[ ${DISTRI} == 'fedora33' ]] || [[ ${DISTRI} == 'fedora34' ]] || [[ ${DISTRI} == 'rhel8.3' ]]) && sudo dnf install cmake3 -y && CMAKE_BIN='cmake3'
|
||||
([[ ${DISTRI} == 'centos8stream' ]] || [[ ${DISTRI} == 'centos8' ]] || [[ ${DISTRI} == 'rocky8.4' ]]) && sudo dnf install cmake -y && CMAKE_BIN='cmake'
|
||||
|
@ -2504,25 +2458,8 @@ installCoreRHEL8 () {
|
|||
UMASK=$(umask)
|
||||
umask 0022
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install mixbox to accommodate the new STIX dependencies:
|
||||
cd $PATH_TO_MISP/app/files/scripts/mixbox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install STIX2.0 library to support STIX 2.0 export:
|
||||
cd $PATH_TO_MISP/cti-python-stix2
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install maec, zmq, redis
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec zmq redis
|
||||
# install zmq, redis
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq redis
|
||||
|
||||
# install magic, pydeep
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara
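Review bot: In the installCoreRHEL8 hunk at `@ -2504,25 +2458,8 @@`, the line `pip install -U maec zmq redis` appears to be replaced by `pip install -U zmq redis`, so `maec` is no longer installed on that path, while `Server::stixDiagnostics` in this same commit still expects `'maec' => '>4.1.0.17'`. Unless python-maec now arrives through a step not shown here (it is added as a submodule in `.gitmodules`, but no install of it is visible in these hunks), the RHEL8 diagnostics will report maec as missing. The installCore hunks for Debian likewise drop the python-cybox/python-stix/python-maec/mixbox and cti-python-stix2 pip installs with no replacement in view; if those libraries are now pulled in by the misp-stix package, a one-line comment saying so next to the surviving `pip install -U ${PATH_TO_MISP}/PyMISP` line would save the next reader the same search. installCore and installCoreRHEL8 both continue outside these hunks.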
|
||||
|
|
|
@ -1,5 +1,13 @@
|
|||
<<<<<<< HEAD
|
||||
; Generated by RHash v1.3.9 on 2021-09-07 at 12:30.22
|
||||
; Written by Kravchenko Aleksey (Akademgorodok) - http://rhash.sf.net/
|
||||
;
|
||||
; 162425 12:30.22 2021-09-07 INSTALL.sh
|
||||
INSTALL.sh 703A2E500533F450DBC44A1F8A92E2FD43848A27 867CBAE82D2BC9D2794622BBAEEEE80D5EB6802E4602F4EB6B4F82677BB6A47D 8CCBFDF6D407C8F5E606DFB0F448EE138120561EFD2705749B57B3CD734E1D42DD94082D7598695FF8BC84E7AC361942 F357713AAAE1419420BDB6C805EA1A9738C3684FE85A26AF71F87F79FDAA15ECF8D7450BBD164532CFB8F70750EEB23BA2C735C3A489047B161D997257556153
|
||||
=======
|
||||
; Generated by RHash v1.3.9 on 2021-10-07 at 13:45.11
|
||||
; Written by Kravchenko Aleksey (Akademgorodok) - http://rhash.sf.net/
|
||||
;
|
||||
; 159443 13:45.11 2021-10-07 INSTALL.sh
|
||||
INSTALL.sh CAF32D243ADA252E3AC7031CCF42905B755675E8 59111904FEC4DADE7F9FB5D43B83B24D66D0AC66EAECF9C072A482B7B76FCFDE 99D652927259D23CD80AD79F1398AF71ACD108B1BA29800ED9E60705E1FF083763D22850882BA1C4A1163EDFB1E17D00 F6A7B4483D9C607F21FCC7EBAC8FF5160F549F641AD2E964E7157C5AF15A9CCEC45E437D3577684CE6EABFA5793506554C7DCAD30C6098C2521B08CF38BD028A
|
||||
>>>>>>> misp-stix
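Review bot: The new side of this rhash manifest still contains the merge-conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> misp-stix` around two complete copies of the file, so what was committed is not a parseable manifest and any integrity check of INSTALL.sh against it will fail. The block to keep is the 2021-10-07 one: its SHA-1 `CAF32D243ADA…` and SHA-256 `59111904FEC4…` match the sibling `.sha1`/`.sha256` files updated in this same commit, whereas the HEAD block carries the stale 2021-09-07 hashes. Drop the three marker lines and the first block.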
|
||||
|
|
|
@ -1 +1 @@
|
|||
703a2e500533f450dbc44a1f8a92e2fd43848a27 INSTALL.sh
|
||||
caf32d243ada252e3ac7031ccf42905b755675e8 INSTALL.sh
|
||||
|
|
|
@ -1 +1 @@
|
|||
867cbae82d2bc9d2794622bbaeeee80d5eb6802e4602f4eb6b4f82677bb6a47d INSTALL.sh
|
||||
59111904fec4dade7f9fb5d43b83b24d66d0ac66eaecf9c072a482b7b76fcfde INSTALL.sh
|
||||
|
|
|
@ -1 +1 @@
|
|||
8ccbfdf6d407c8f5e606dfb0f448ee138120561efd2705749b57b3cd734e1d42dd94082d7598695ff8bc84e7ac361942 INSTALL.sh
|
||||
99d652927259d23cd80ad79f1398af71acd108b1ba29800ed9e60705e1ff083763d22850882ba1c4a1163edfb1e17d00 INSTALL.sh
|
||||
|
|
|
@ -1 +1 @@
|
|||
f357713aaae1419420bdb6c805ea1a9738c3684fe85a26af71f87f79fdaa15ecf8d7450bbd164532cfb8f70750eeb23ba2c735c3a489047b161d997257556153 INSTALL.sh
|
||||
f6a7b4483d9c607f21fcc7ebac8ff5160f549f641ad2e964e7157c5af15a9ccec45e437d3577684ce6eabfa5793506554c7dcad30c6098c2521b08cf38bd028a INSTALL.sh
|
||||
|
|
|
@ -5,23 +5,24 @@ App::uses('StixExport', 'Export');
|
|||
class Stix1Export extends StixExport
|
||||
{
|
||||
protected $__attributes_limit = 15000;
|
||||
protected $__default_version = '1.1.1';
|
||||
protected $__sane_versions = array('1.1.1', '1.2');
|
||||
private $__script_name = 'misp2stix.py ';
|
||||
private $__baseurl = null;
|
||||
private $__org = null;
|
||||
|
||||
protected function initiate_framing_params()
|
||||
protected function __initiate_framing_params()
|
||||
{
|
||||
$this->__baseurl = escapeshellarg(Configure::read('MISP.baseurl'));
|
||||
$this->__org = escapeshellarg(Configure::read('MISP.org'));
|
||||
$framing_file = $this->__scripts_dir . 'misp_framing.py ';
|
||||
$my_server = ClassRegistry::init('Server');
|
||||
return $my_server->getPythonVersion() . ' ' . $framing_file . $this->__return_type . ' ' . $this->__baseurl . ' ' . $this->__org . ' ' . $this->__return_format . ' ' . $this->__end_of_cmd;
|
||||
return $my_server->getPythonVersion() . ' ' . $this->__framing_script . ' stix1 -v ' . $this->__version . ' -n ' . $this->__baseurl . ' -o ' . $this->__org . ' -f ' . $this->__return_format . ' ' . $this->__end_of_cmd;
|
||||
}
|
||||
|
||||
protected function __parse_misp_events($filename)
|
||||
protected function __parse_misp_events($filenames)
|
||||
{
|
||||
$scriptFile = $this->__scripts_dir . $this->__script_name;
|
||||
$my_server = ClassRegistry::init('Server');
|
||||
return shell_exec($my_server->getPythonVersion() . ' ' . $scriptFile . ' ' . $filename . ' ' . $this->__return_format . ' ' . $this->__baseurl . ' ' . $this->__org . $this->__end_of_cmd);
|
||||
return shell_exec($my_server->getPythonVersion() . ' ' . $scriptFile . '-v ' . $this->__version . ' -f ' . $this->__return_format . ' -o ' . $this->__org . ' -i ' . $this->__tmp_dir . $filenames . $this->__end_of_cmd);
|
||||
}
|
||||
}
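Review bot: The new command in `__parse_misp_events` is built as `$scriptFile . '-v ' . $this->__version`, which only parses because `$__script_name` is declared as `'misp2stix.py '` with a trailing space; Stix2Export relies on the same trick. Making the separator explicit, `$scriptFile . ' -v ' . $this->__version`, with `private $__script_name = 'misp2stix.py';`, reads correctly and survives a future edit of the constant. Note also that `-v`, `-f`, `-o` and `-i` are interpolated without `escapeshellarg()`; that is acceptable here because `$__version` is whitelisted in `setDefaultFilters`, `$__org` is escaped in `__initiate_framing_params`, `$__return_format` is one of `json`/`xml` and the filenames come from `__generateRandomFileName()` — but it only holds if `__initiate_framing_params` has run first, so a comment such as `// requires __initiate_framing_params() to have set $__org` on the method would make that ordering assumption visible.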
|
||||
|
|
|
@ -5,21 +5,22 @@ App::uses('StixExport', 'Export');
|
|||
class Stix2Export extends StixExport
|
||||
{
|
||||
protected $__attributes_limit = 15000;
|
||||
protected $__default_version = '2.0';
|
||||
protected $__sane_versions = array('2.0', '2.1');
|
||||
private $__script_name = 'stix2/misp2stix2.py ';
|
||||
|
||||
protected function initiate_framing_params()
|
||||
protected function __initiate_framing_params()
|
||||
{
|
||||
$framing_file = $this->__scripts_dir . 'misp_framing.py ';
|
||||
$my_server = ClassRegistry::init('Server');
|
||||
return $my_server->getPythonVersion() . ' ' . $framing_file . $this->__return_type . ' ' . escapeshellarg(CakeText::uuid()) . $this->__end_of_cmd;
|
||||
return $my_server->getPythonVersion() . ' ' . $this->__framing_script . ' stix2 -v ' . $this->__version . ' --uuid ' . escapeshellarg(CakeText::uuid()) . $this->__end_of_cmd;
|
||||
}
|
||||
|
||||
protected function __parse_misp_events($filename)
|
||||
protected function __parse_misp_events($filenames)
|
||||
{
|
||||
$scriptFile = $this->__scripts_dir . $this->__script_name;
|
||||
$filename = $this->__scripts_dir . 'tmp/' . $filename;
|
||||
$filenames = implode(' ' . $this->__tmp_dir, $this->__filenames);
|
||||
$my_server = ClassRegistry::init('Server');
|
||||
$result = shell_exec($my_server->getPythonVersion() . ' ' . $scriptFile . ' ' . $filename . $this->__end_of_cmd);
|
||||
$result = shell_exec($my_server->getPythonVersion() . ' ' . $scriptFile . '-v ' . $this->__version . ' -i ' . $this->__tmp_dir . $filenames . $this->__end_of_cmd);
|
||||
$result = preg_split("/\r\n|\n|\r/", trim($result));
|
||||
return end($result);
|
||||
}
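Review bot: In `__parse_misp_events($filenames)` the `$filenames` parameter is immediately overwritten by `$filenames = implode(' ' . $this->__tmp_dir, $this->__filenames);`, which is exactly the value the caller `StixExport::handler` already computed and passed in. Either drop that line and use the parameter as Stix1Export does, or drop the parameter from both subclasses and the base-class call; keeping both hides which one is authoritative. The `'-v '` concatenation here also depends on the trailing space in `$__script_name = 'stix2/misp2stix2.py '`, as in Stix1Export; an explicit `' -v '` separator would be clearer.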
|
||||
|
|
|
@ -8,19 +8,29 @@ class StixExport
|
|||
);
|
||||
protected $__return_format = 'json';
|
||||
protected $__scripts_dir = APP . 'files/scripts/';
|
||||
protected $__tmp_dir = APP . 'files/scripts/tmp/';
|
||||
protected $__framing_script = APP . 'files/scripts/misp_framing.py';
|
||||
protected $__end_of_cmd = ' 2>' . APP . 'tmp/logs/exec-errors.log';
|
||||
protected $__return_type = null;
|
||||
protected $__filenames = array();
|
||||
protected $__default_filters = null;
|
||||
protected $__version = null;
|
||||
|
||||
private $__current_filename = null;
|
||||
private $__empty_file = null;
|
||||
private $__framing = null;
|
||||
private $__stix_file = null;
|
||||
private $__tmp_dir = null;
|
||||
private $__tmp_file = null;
|
||||
private $__n_attributes = 0;
|
||||
private $__filenames = array();
|
||||
|
||||
public $non_restrictive_export = true;
|
||||
public $use_default_filters = true;
|
||||
|
||||
public function setDefaultFilters($filters)
|
||||
{
|
||||
$sane_version = (!empty($filters['version']) && in_array($filters['version'], $this->__sane_versions));
|
||||
$this->__version = $sane_version ? $filters['version'] : $this->__default_version;
|
||||
}
|
||||
|
||||
public function handler($data, $options = array())
|
||||
{
|
||||
|
@ -34,7 +44,7 @@ class StixExport
|
|||
$converter = new JSONConverterTool();
|
||||
$event = $converter->convert($data);
|
||||
if ($this->__n_attributes + $attributes_count < $this->__attributes_limit) {
|
||||
($this->__n_attributes == 0) ? $this->__tmp_file->append($event) : $this->__tmp_file->append(',' . $event);
|
||||
$this->__tmp_file->append($this->__n_attributes == 0 ? $event : ',' . $event);
|
||||
$this->__n_attributes += $attributes_count;
|
||||
$this->__empty_file = false;
|
||||
} else {
|
||||
|
@ -64,9 +74,8 @@ class StixExport
|
|||
} else if ($this->__return_type == 'stix') {
|
||||
$this->__return_format = 'xml';
|
||||
}
|
||||
$framing_cmd = $this->initiate_framing_params();
|
||||
$framing_cmd = $this->__initiate_framing_params();
|
||||
$randomFileName = $this->__generateRandomFileName();
|
||||
$this->__tmp_dir = $this->__scripts_dir . 'tmp/';
|
||||
$this->__framing = json_decode(shell_exec($framing_cmd), true);
|
||||
$this->__stix_file = new File($this->__tmp_dir . $randomFileName . '.' . $this->__return_type);
|
||||
unset($randomFileName);
|
||||
|
@ -85,14 +94,15 @@ class StixExport
|
|||
$this->__tmp_file->close();
|
||||
array_push($this->__filenames, $this->__current_filename);
|
||||
}
|
||||
$filenames = implode(' ' . $this->__tmp_dir, $this->__filenames);
|
||||
$result = $this->__parse_misp_events($filenames);
|
||||
$decoded = json_decode($result, true);
|
||||
if (!isset($decoded['success']) || !$decoded['success']) {
|
||||
$this->__delete_temporary_files();
|
||||
$error = $decoded && !empty($decoded['error']) ? $decoded['error'] : $result;
|
||||
return 'Error while processing your query: ' . $error;
|
||||
}
|
||||
foreach ($this->__filenames as $f => $filename) {
|
||||
$result = $this->__parse_misp_events($filename);
|
||||
$decoded = json_decode($result, true);
|
||||
if (!isset($decoded['success']) || !$decoded['success']) {
|
||||
$this->__delete_temporary_files($f);
|
||||
$error = $decoded && !empty($decoded['error']) ? $decoded['error'] : $result;
|
||||
return 'Error while processing your query: ' . $error;
|
||||
}
|
||||
$file = new File($this->__tmp_dir . $filename . '.out');
|
||||
$stix_event = ($this->__return_type == 'stix') ? $file->read() : substr($file->read(), 1, -1);
|
||||
$file->close();
|
||||
|
@ -127,12 +137,10 @@ class StixExport
|
|||
return (new RandomTool())->random_str(false, 12);
|
||||
}
|
||||
|
||||
private function __delete_temporary_files($index)
|
||||
private function __delete_temporary_files()
|
||||
{
|
||||
foreach ($this->__filenames as $f => $filename) {
|
||||
if ($index >= $f) {
|
||||
@unlink($this->__tmp_dir . $filename);
|
||||
}
|
||||
@unlink($this->__tmp_dir . $filename);
|
||||
}
|
||||
$this->__stix_file->close();
|
||||
$this->__stix_file->delete();
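Review bot: `setDefaultFilters` validates the requested version with a non-strict `in_array($filters['version'], $this->__sane_versions)`; PHP compares numeric strings numerically, so values such as `'2'`, `' 2.0'` or `'2.0e0'` satisfy the check and are then passed verbatim as `-v` to the export script, which may not recognise them. Use `in_array($filters['version'], $this->__sane_versions, true)` so only the exact whitelisted strings reach the shell command. Separately, `$__version` stays `null` until `setDefaultFilters` runs; if anything invokes `handler` without it, `__initiate_framing_params` emits `-v ` with an empty value — a guard that falls back to `$this->__default_version`, or a comment stating the expected call order, would close that gap. `handler` continues outside the hunks shown.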
|
||||
|
|
|
@ -3240,7 +3240,7 @@ class Server extends AppModel
|
|||
|
||||
public function stixDiagnostics(&$diagnostic_errors)
|
||||
{
|
||||
$expected = array('stix' => '>1.2.0.11', 'cybox' => '>2.1.0.21', 'mixbox' => '>1.0.5', 'maec' => '>4.1.0.17', 'stix2' => '>2.0', 'pymisp' => '>2.4.120');
|
||||
$expected = array('stix' => '>1.2.0.11', 'cybox' => '>2.1.0.21', 'mixbox' => '>1.0.5', 'maec' => '>4.1.0.17', 'stix2' => '>3.0.0', 'pymisp' => '>2.4.120');
|
||||
// check if the STIX and Cybox libraries are working using the test script stixtest.py
|
||||
$scriptResult = shell_exec($this->getPythonVersion() . ' ' . APP . 'files' . DS . 'scripts' . DS . 'stixtest.py');
|
||||
try {
|
||||
|
|
|
@ -1 +1 @@
|
|||
Subproject commit cefd58b101284cf9a8879f23ea9b701bee83230b
|
||||
Subproject commit 1827b14c20e31355b1216fa896e6f8dad62ec12b
|
|
@ -0,0 +1 @@
|
|||
Subproject commit 519a5cb8fad2fdfd715ca32bcd5b7f414e395a59
|
|
@ -0,0 +1 @@
|
|||
Subproject commit 8cfdcb04db3418636fa1c39f7f8655e91b160b50
|
|
@ -1,448 +0,0 @@
|
|||
# mappings
|
||||
status_mapping = {'0': 'New', '1': 'Open', '2': 'Closed'}
|
||||
threat_level_mapping = {'1': 'High', '2': 'Medium', '3': 'Low', '4': 'Undefined'}
|
||||
TLP_order = {'RED': 4, 'AMBER': 3, 'AMBER NATO ALLIANCE': 3, 'GREEN': 2, 'WHITE': 1}
|
||||
confidence_mapping = {False: 'None', True: 'High'}
|
||||
|
||||
not_implemented_attributes = ('yara', 'snort', 'pattern-in-traffic', 'pattern-in-memory')
|
||||
|
||||
non_indicator_attributes = (
|
||||
'text',
|
||||
'comment',
|
||||
'other',
|
||||
'link',
|
||||
'target-user',
|
||||
'target-email',
|
||||
'target-machine',
|
||||
'target-org',
|
||||
'target-location',
|
||||
'target-external',
|
||||
'vulnerability'
|
||||
)
|
||||
|
||||
hash_type_attributes = {
|
||||
"single": (
|
||||
"md5",
|
||||
"sha1",
|
||||
"sha224",
|
||||
"sha256",
|
||||
"sha384",
|
||||
"sha512",
|
||||
"sha512/224",
|
||||
"sha512/256",
|
||||
"ssdeep",
|
||||
"imphash",
|
||||
"authentihash",
|
||||
"pehash",
|
||||
"tlsh",
|
||||
"cdhash"
|
||||
),
|
||||
"composite": (
|
||||
"filename|md5",
|
||||
"filename|sha1",
|
||||
"filename|sha224",
|
||||
"filename|sha256",
|
||||
"filename|sha384",
|
||||
"filename|sha512",
|
||||
"filename|sha512/224",
|
||||
"filename|sha512/256",
|
||||
"filename|authentihash",
|
||||
"filename|ssdeep",
|
||||
"filename|tlsh",
|
||||
"filename|imphash",
|
||||
"filename|pehash"
|
||||
)
|
||||
}
|
||||
|
||||
# mapping for the attributes that can go through the simpleobservable script
|
||||
misp_cybox_name = {
|
||||
"domain": "DomainName",
|
||||
"hostname": "Hostname",
|
||||
"url": "URI",
|
||||
"AS": "AutonomousSystem",
|
||||
"mutex": "Mutex",
|
||||
"named pipe": "Pipe",
|
||||
"link": "URI",
|
||||
"network-connection": "NetworkConnection",
|
||||
"windows-service-name": "WinService"
|
||||
}
|
||||
cybox_name_attribute = {
|
||||
"DomainName": "value",
|
||||
"Hostname": "hostname_value",
|
||||
"URI": "value",
|
||||
"AutonomousSystem": "number",
|
||||
"Pipe": "name",
|
||||
"Mutex": "name",
|
||||
"WinService": "name"
|
||||
}
|
||||
misp_indicator_type = {
|
||||
"email-attachment": "Malicious E-mail",
|
||||
"filename": "File Hash Watchlist",
|
||||
"mutex": "Host Characteristics",
|
||||
"named pipe": "Host Characteristics",
|
||||
"url": "URL Watchlist"
|
||||
}
|
||||
misp_indicator_type.update(dict.fromkeys(list(hash_type_attributes["single"]), "File Hash Watchlist"))
|
||||
misp_indicator_type.update(dict.fromkeys(list(hash_type_attributes["composite"]), "File Hash Watchlist"))
|
||||
misp_indicator_type.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
"email-src",
|
||||
"email-dst",
|
||||
"email-subject",
|
||||
"email-reply-to",
|
||||
"email-attachment"
|
||||
],
|
||||
"Malicious E-mail"
|
||||
)
|
||||
)
|
||||
misp_indicator_type.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
"AS",
|
||||
"ip-src",
|
||||
"ip-dst",
|
||||
"ip-src|port",
|
||||
"ip-dst|port"
|
||||
],
|
||||
"IP Watchlist"
|
||||
)
|
||||
)
|
||||
misp_indicator_type.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
"domain",
|
||||
"domain|ip",
|
||||
"hostname"
|
||||
],
|
||||
"Domain Watchlist"
|
||||
)
|
||||
)
|
||||
misp_indicator_type.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
"regkey",
|
||||
"regkey|value"
|
||||
],
|
||||
"Host Characteristics"
|
||||
)
|
||||
)
|
||||
cybox_validation = {"AutonomousSystem": "isInt"}
|
||||
|
||||
## ATTRIBUTES MAPPING
|
||||
simple_type_to_method = {
|
||||
'attachment': 'resolve_attachment',
|
||||
'domain|ip': 'generate_domain_ip_observable',
|
||||
'email-attachment': 'generate_email_attachment_observable',
|
||||
'filename': 'resolve_file_observable',
|
||||
'mac-address': 'resolve_system_observable',
|
||||
'malware-sample': 'resolve_malware_sample',
|
||||
'named pipe': 'generate_pipe_observable',
|
||||
'port': 'generate_port_observable',
|
||||
}
|
||||
simple_type_to_method.update(
|
||||
dict.fromkeys(
|
||||
list(hash_type_attributes["single"]),
|
||||
'resolve_file_observable'
|
||||
)
|
||||
)
|
||||
simple_type_to_method.update(
|
||||
dict.fromkeys(
|
||||
list(hash_type_attributes["composite"]),
|
||||
'resolve_file_observable'
|
||||
)
|
||||
)
|
||||
simple_type_to_method.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
"ip-src",
|
||||
"ip-dst"
|
||||
],
|
||||
'generate_ip_observable'
|
||||
)
|
||||
)
|
||||
simple_type_to_method.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
"ip-src|port",
|
||||
"ip-dst|port",
|
||||
"hostname|port"
|
||||
],
|
||||
'generate_socket_address_observable'
|
||||
)
|
||||
)
|
||||
simple_type_to_method.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
"regkey",
|
||||
"regkey|value"
|
||||
],
|
||||
'generate_regkey_observable'
|
||||
)
|
||||
)
|
||||
simple_type_to_method.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
"hostname",
|
||||
"domain",
|
||||
"url",
|
||||
"AS",
|
||||
"mutex",
|
||||
"named pipe",
|
||||
"link",
|
||||
"windows-service-name"
|
||||
],
|
||||
'generate_simple_observable'
|
||||
)
|
||||
)
|
||||
simple_type_to_method.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
"email-src",
|
||||
"email-dst",
|
||||
"email-subject",
|
||||
"email-reply-to"
|
||||
],
|
||||
'resolve_email_observable'
|
||||
)
|
||||
)
|
||||
simple_type_to_method.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
"http-method",
|
||||
"user-agent"
|
||||
],
|
||||
'resolve_http_observable'
|
||||
)
|
||||
)
|
||||
simple_type_to_method.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
"pattern-in-file",
|
||||
"pattern-in-traffic",
|
||||
"pattern-in-memory"
|
||||
],
|
||||
'resolve_pattern_observable'
|
||||
)
|
||||
)
|
||||
simple_type_to_method.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
'x509-fingerprint-md5',
|
||||
'x509-fingerprint-sha1',
|
||||
'x509-fingerprint-sha256'
|
||||
],
|
||||
'parse_x509_object'
|
||||
)
|
||||
)
|
||||
|
||||
## OBJECTS MAPPING
|
||||
ttp_names = {
|
||||
'attack-pattern': 'parse_attack_pattern',
|
||||
'course-of-action': 'parse_course_of_action',
|
||||
'vulnerability': 'parse_vulnerability',
|
||||
'weakness': 'parse_weakness'
|
||||
}
|
||||
objects_mapping = {
|
||||
"asn": 'parse_asn_object',
|
||||
"credential": 'parse_credential_object',
|
||||
"domain-ip": 'parse_domain_ip_object',
|
||||
"email": 'parse_email_object',
|
||||
"file": 'parse_file_object',
|
||||
"ip-port": 'parse_ip_port_object',
|
||||
"network-connection": 'parse_network_connection_object',
|
||||
"network-socket": 'parse_network_socket_object',
|
||||
"pe": 'store_pe',
|
||||
"pe-section": 'store_pe',
|
||||
"process": 'parse_process_object',
|
||||
"registry-key": 'parse_regkey_object',
|
||||
"url": 'parse_url_object',
|
||||
"user-account": 'parse_user_account_object',
|
||||
"whois": 'parse_whois',
|
||||
"x509": 'parse_x509_object'
|
||||
}
|
||||
|
||||
## GALAXIES MAPPING
|
||||
galaxy_types_mapping = {'branded-vulnerability': 'parse_vulnerability_galaxy'}
|
||||
galaxy_types_mapping.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
'mitre-attack-pattern',
|
||||
'mitre-enterprise-attack-attack-pattern',
|
||||
'mitre-mobile-attack-attack-pattern',
|
||||
'mitre-pre-attack-attack-pattern'
|
||||
],
|
||||
'parse_attack_pattern_galaxy'
|
||||
)
|
||||
)
|
||||
galaxy_types_mapping.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
'mitre-course-of-action',
|
||||
'mitre-enterprise-attack-course-of-action',
|
||||
'mitre-mobile-attack-course-of-action'
|
||||
],
|
||||
'parse_course_of_action_galaxy'
|
||||
)
|
||||
)
|
||||
galaxy_types_mapping.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
'android',
|
||||
'banker',
|
||||
'stealer',
|
||||
'backdoor',
|
||||
'ransomware',
|
||||
'mitre-malware',
|
||||
'malpedia',
|
||||
'mitre-enterprise-attack-malware',
|
||||
'mitre-mobile-attack-malware'
|
||||
],
|
||||
'parse_malware_galaxy'
|
||||
)
|
||||
)
|
||||
galaxy_types_mapping.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
'threat-actor',
|
||||
'microsoft-activity-group'
|
||||
],
|
||||
'parse_threat_actor_galaxy'
|
||||
)
|
||||
)
|
||||
galaxy_types_mapping.update(
|
||||
dict.fromkeys(
|
||||
[
|
||||
'botnet',
|
||||
'rat',
|
||||
'exploit-kit',
|
||||
'tds',
|
||||
'tool',
|
||||
'mitre-tool',
|
||||
'mitre-enterprise-attack-tool',
|
||||
'mitre-mobile-attack-tool'
|
||||
],
|
||||
'parse_tool_galaxy'
|
||||
)
|
||||
)
|
||||
|
||||
# mapping Windows Registry Hives and their abbreviations
|
||||
# see https://cybox.mitre.org/language/version2.1/xsddocs/objects/Win_Registry_Key_Object_xsd.html#RegistryHiveEnum
|
||||
# the dict keys must be UPPER CASE and end with \\
|
||||
misp_reghive = {
|
||||
"HKEY_CLASSES_ROOT\\": "HKEY_CLASSES_ROOT",
|
||||
"HKCR\\": "HKEY_CLASSES_ROOT",
|
||||
"HKEY_CURRENT_CONFIG\\": "HKEY_CURRENT_CONFIG",
|
||||
"HKCC\\": "HKEY_CURRENT_CONFIG",
|
||||
"HKEY_CURRENT_USER\\": "HKEY_CURRENT_USER",
|
||||
"HKCU\\": "HKEY_CURRENT_USER",
|
||||
"HKEY_LOCAL_MACHINE\\": "HKEY_LOCAL_MACHINE",
|
||||
"HKLM\\": "HKEY_LOCAL_MACHINE",
|
||||
"HKEY_USERS\\": "HKEY_USERS",
|
||||
"HKU\\": "HKEY_USERS",
|
||||
"HKEY_CURRENT_USER_LOCAL_SETTINGS\\": "HKEY_CURRENT_USER_LOCAL_SETTINGS",
|
||||
"HKCULS\\": "HKEY_CURRENT_USER_LOCAL_SETTINGS",
|
||||
"HKEY_PERFORMANCE_DATA\\": "HKEY_PERFORMANCE_DATA",
|
||||
"HKPD\\": "HKEY_PERFORMANCE_DATA",
|
||||
"HKEY_PERFORMANCE_NLSTEXT\\": "HKEY_PERFORMANCE_NLSTEXT",
|
||||
"HKPN\\": "HKEY_PERFORMANCE_NLSTEXT",
|
||||
"HKEY_PERFORMANCE_TEXT\\": "HKEY_PERFORMANCE_TEXT",
|
||||
"HKPT\\": "HKEY_PERFORMANCE_TEXT",
|
||||
}
|
||||
|
||||
|
||||
attack_pattern_object_mapping = {
|
||||
'id': 'capec_id',
|
||||
'name': 'title',
|
||||
'summary': 'description'
|
||||
}
|
||||
course_of_action_object_keys = (
|
||||
'type',
|
||||
'description',
|
||||
'objective',
|
||||
'stage',
|
||||
'cost',
|
||||
'impact',
|
||||
'efficacy'
|
||||
)
|
||||
email_object_mapping = {
|
||||
'from': 'from_',
|
||||
'reply-to': 'reply_to',
|
||||
'subject': 'subject',
|
||||
'x-mailer': 'x_mailer',
|
||||
'mime-boundary': 'boundary',
|
||||
'user-agent': 'user_agent'
|
||||
}
|
||||
file_object_mapping = {
|
||||
'path': 'full_path',
|
||||
'size-in-bytes': 'size_in_bytes',
|
||||
'entropy': 'peak_entropy'
|
||||
}
|
||||
process_object_keys = (
|
||||
'creation-time',
|
||||
'start-time',
|
||||
'name',
|
||||
'pid',
|
||||
'parent-pid'
|
||||
)
|
||||
regkey_object_mapping = {
|
||||
'name': 'name',
|
||||
'data': 'data',
|
||||
'data-type': 'datatype'
|
||||
}
|
||||
user_account_id_mapping = {
|
||||
'unix': 'user_id',
|
||||
'windows-domain': 'security_id',
|
||||
'windows-local': 'security_id'
|
||||
}
|
||||
user_account_object_mapping = {
|
||||
'username': 'username',
|
||||
'display-name': 'full_name',
|
||||
'disabled': 'disabled',
|
||||
'created': 'creation_date',
|
||||
'last_login': 'last_login',
|
||||
'home_dir': 'home_directory',
|
||||
'shell': 'script_path'
|
||||
}
|
||||
vulnerability_object_mapping = {
|
||||
'id': 'cve_id',
|
||||
'summary': 'description',
|
||||
'published': 'published_datetime'
|
||||
}
|
||||
weakness_object_mapping = {
|
||||
'id': 'cwe_id',
|
||||
'description': 'description'
|
||||
}
|
||||
whois_object_mapping = {
|
||||
'creation-date': 'creation_date',
|
||||
'modification-date': 'updated_date',
|
||||
'expiration-date': 'expiration_date'
|
||||
}
|
||||
whois_registrant_mapping = {
|
||||
'registrant-name': 'name',
|
||||
'registrant-phone': 'phone_number',
|
||||
'registrant-email': 'email_address',
|
||||
'registrant-org': 'organization'
|
||||
}
|
||||
x509_creation_mapping = {
|
||||
'version': 'contents',
|
||||
'serial-number': 'contents',
|
||||
'issuer': 'contents',
|
||||
'subject': 'contents',
|
||||
'validity-not-before': 'validity',
|
||||
'validity-not-after': 'validity',
|
||||
'pubkey-info-exponent': 'rsa_pubkey',
|
||||
'pubkey-info-modulus': 'rsa_pubkey',
|
||||
'raw-base64': 'raw_certificate',
|
||||
'pem': 'raw_certificate',
|
||||
'x509-fingerprint-md5': 'signature',
|
||||
'x509-fingerprint-sha1': 'signature',
|
||||
'x509-fingerprint-sha256': 'signature',
|
||||
'pubkey-info-algorithm': 'subject_pubkey'
|
||||
}
|
||||
x509_object_keys = (
|
||||
'version',
|
||||
'serial-number',
|
||||
'issuer',
|
||||
'subject'
|
||||
)
|
|
@ -1,164 +1,47 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
import sys, json
|
||||
import argparse
|
||||
import json
|
||||
import sys
|
||||
from pathlib import Path
|
||||
|
||||
n_args = {'stix': 4, 'stix2': 2}
|
||||
json_footer = "]}\n"
|
||||
keys_to_return = ['header', 'separator', 'footer']
|
||||
_current_path = Path(__file__).resolve().parent
|
||||
sys.path.insert(0, str(_current_path / 'cti-python-stix2'))
|
||||
sys.path.insert(1, str(_current_path / 'python-stix'))
|
||||
sys.path.insert(2, str(_current_path / 'python-cybox'))
|
||||
sys.path.insert(3, str(_current_path / 'mixbox'))
|
||||
sys.path.insert(4, str(_current_path / 'misp-stix'))
|
||||
from misp_stix_converter import stix1_framing, stix20_framing, stix21_framing
|
||||
|
||||
def stix_framing(*args):
|
||||
import datetime, re
|
||||
from stix.core import STIXPackage, STIXHeader
|
||||
from cybox.utils import Namespace
|
||||
# As python3 is forced anyway, mixbox is used and we don't need to try to import idgen from stix.utils
|
||||
from mixbox import idgen
|
||||
from stix import __version__ as STIXVER
|
||||
NS_DICT = {
|
||||
"http://cybox.mitre.org/common-2" : 'cyboxCommon',
|
||||
"http://cybox.mitre.org/cybox-2" : 'cybox',
|
||||
"http://cybox.mitre.org/default_vocabularies-2" : 'cyboxVocabs',
|
||||
"http://cybox.mitre.org/objects#AccountObject-2" : 'AccountObj',
|
||||
"http://cybox.mitre.org/objects#ArtifactObject-2": 'ArtifactObj',
|
||||
"http://cybox.mitre.org/objects#ASObject-1" : 'ASObj',
|
||||
"http://cybox.mitre.org/objects#AddressObject-2" : 'AddressObj',
|
||||
"http://cybox.mitre.org/objects#PortObject-2" : 'PortObj',
|
||||
"http://cybox.mitre.org/objects#DomainNameObject-1" : 'DomainNameObj',
|
||||
"http://cybox.mitre.org/objects#EmailMessageObject-2" : 'EmailMessageObj',
|
||||
"http://cybox.mitre.org/objects#FileObject-2" : 'FileObj',
|
||||
"http://cybox.mitre.org/objects#HTTPSessionObject-2" : 'HTTPSessionObj',
|
||||
"http://cybox.mitre.org/objects#HostnameObject-1" : 'HostnameObj',
|
||||
"http://cybox.mitre.org/objects#MutexObject-2" : 'MutexObj',
|
||||
"http://cybox.mitre.org/objects#PipeObject-2" : 'PipeObj',
|
||||
"http://cybox.mitre.org/objects#URIObject-2" : 'URIObj',
|
||||
"http://cybox.mitre.org/objects#WinRegistryKeyObject-2" : 'WinRegistryKeyObj',
|
||||
'http://cybox.mitre.org/objects#WinServiceObject-2' : 'WinServiceObj',
|
||||
"http://cybox.mitre.org/objects#NetworkConnectionObject-2" : 'NetworkConnectionObj',
|
||||
"http://cybox.mitre.org/objects#NetworkSocketObject-2" : 'NetworkSocketObj',
|
||||
"http://cybox.mitre.org/objects#SocketAddressObject-1" : 'SocketAddressObj',
|
||||
"http://cybox.mitre.org/objects#SystemObject-2" : 'SystemObj',
|
||||
"http://cybox.mitre.org/objects#ProcessObject-2" : 'ProcessObj',
|
||||
"http://cybox.mitre.org/objects#X509CertificateObject-2" : 'X509CertificateObj',
|
||||
"http://cybox.mitre.org/objects#WhoisObject-2" : 'WhoisObj',
|
||||
"http://cybox.mitre.org/objects#WinExecutableFileObject-2" : 'WinExecutableFileObj',
|
||||
"http://cybox.mitre.org/objects#UnixUserAccountObject-2": "UnixUserAccountObj",
|
||||
"http://cybox.mitre.org/objects#UserAccountObject-2": "UserAccountObj",
|
||||
"http://cybox.mitre.org/objects#WinUserAccountObject-2": "WinUserAccountObj",
|
||||
"http://cybox.mitre.org/objects#CustomObject-1": "CustomObj",
|
||||
"http://data-marking.mitre.org/Marking-1" : 'marking',
|
||||
"http://data-marking.mitre.org/extensions/MarkingStructure#Simple-1": 'simpleMarking',
|
||||
"http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1" : 'tlpMarking',
|
||||
"http://stix.mitre.org/ExploitTarget-1" : 'et',
|
||||
"http://stix.mitre.org/Incident-1" : 'incident',
|
||||
"http://stix.mitre.org/Indicator-2" : 'indicator',
|
||||
"http://stix.mitre.org/CourseOfAction-1": 'coa',
|
||||
"http://stix.mitre.org/TTP-1" : 'ttp',
|
||||
"http://stix.mitre.org/ThreatActor-1" : 'ta',
|
||||
"http://stix.mitre.org/common-1" : 'stixCommon',
|
||||
"http://stix.mitre.org/default_vocabularies-1" : 'stixVocabs',
|
||||
"http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1" : 'stix-ciqidentity',
|
||||
"http://stix.mitre.org/extensions/TestMechanism#Snort-1" : 'snortTM',
|
||||
"http://stix.mitre.org/stix-1" : 'stix',
|
||||
"http://www.w3.org/2001/XMLSchema-instance" : 'xsi',
|
||||
"urn:oasis:names:tc:ciq:xal:3" : 'xal',
|
||||
"urn:oasis:names:tc:ciq:xnl:3" : 'xnl',
|
||||
"urn:oasis:names:tc:ciq:xpil:3" : 'xpil',
|
||||
}
|
||||
SCHEMALOC_DICT = {
|
||||
'http://cybox.mitre.org/common-2': 'http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd',
|
||||
'http://cybox.mitre.org/cybox-2': 'http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd',
|
||||
'http://cybox.mitre.org/default_vocabularies-2': 'http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd',
|
||||
'http://cybox.mitre.org/objects#AccountObject-2': ' http://cybox.mitre.org/XMLSchema/objects/Account/2.1/Account_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#ArtifactObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Artifact/2.1/Artifact_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#ASObject-1': 'http://cybox.mitre.org/XMLSchema/objects/AS/1.0/AS_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#AddressObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#PortObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Port/2.1/Port_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#DomainNameObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#EmailMessageObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Email_Message/2.1/Email_Message_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#FileObject-2': 'http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#HTTPSessionObject-2': 'http://cybox.mitre.org/XMLSchema/objects/HTTP_Session/2.1/HTTP_Session_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#HostnameObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Hostname/1.0/Hostname_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#MutexObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Mutex/2.1/Mutex_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#PipeObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Pipe/2.1/Pipe_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#URIObject-2': 'http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#WinServiceObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Service/2.1/Win_Service_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#WinRegistryKeyObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Registry_Key/2.1/Win_Registry_Key_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#NetworkConnectionObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.0.1/Network_Connection_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#NetworkSocketObject-2': 'https://cybox.mitre.org/XMLSchema/objects/Network_Socket/2.1/Network_Socket_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#SystemObject-2': 'http://cybox.mitre.org/XMLSchema/objects/System/2.1/System_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#SocketAddressObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Socket_Address/1.1/Socket_Address_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#ProcessObject-2': 'https://cybox.mitre.org/XMLSchema/objects/Process/2.1/Process_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#X509CertificateObject-2': 'http://cybox.mitre.org/XMLSchema/objects/X509_Certificate/2.1/X509_Certificate_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#WhoisObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Whois/2.1/Whois_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#WinExecutableFileObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Executable_File/2.1/Win_Executable_File_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#UnixUserAccountObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Unix_User_Account/2.1/Unix_User_Account_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#UserAccountObject-2': 'http://cybox.mitre.org/XMLSchema/objects/User_Account/2.1/User_Account_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#WinUserAccountObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_User_Account/2.1/Win_User_Account_Object.xsd',
|
||||
'http://cybox.mitre.org/objects#CustomObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Custom/1.1/Custom_Object.xsd',
|
||||
'http://data-marking.mitre.org/Marking-1': 'http://stix.mitre.org/XMLSchema/data_marking/1.1.1/data_marking.xsd',
|
||||
'http://data-marking.mitre.org/extensions/MarkingStructure#Simple-1': 'http://stix.mitre.org/XMLSchema/extensions/marking/simple/1.1.1/simple_marking.xsd',
|
||||
'http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1': 'http://stix.mitre.org/XMLSchema/extensions/marking/tlp/1.1.1/tlp_marking.xsd',
|
||||
'http://stix.mitre.org/ExploitTarget-1': 'http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd',
|
||||
'http://stix.mitre.org/Incident-1': 'http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd',
|
||||
'http://stix.mitre.org/Indicator-2': 'http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd',
|
||||
'http://stix.mitre.org/CourseOfAction-1': 'http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd',
|
||||
'http://stix.mitre.org/TTP-1': 'http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd',
|
||||
'http://stix.mitre.org/ThreatActor-1': 'http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd',
|
||||
'http://stix.mitre.org/common-1': 'http://stix.mitre.org/XMLSchema/common/1.1.1/stix_common.xsd',
|
||||
'http://stix.mitre.org/default_vocabularies-1': 'http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd',
|
||||
'http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1': 'http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd',
|
||||
'http://stix.mitre.org/extensions/TestMechanism#Snort-1': 'http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd',
|
||||
'http://stix.mitre.org/stix-1': 'http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd',
|
||||
'urn:oasis:names:tc:ciq:xal:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xAL.xsd',
|
||||
'urn:oasis:names:tc:ciq:xnl:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xNL.xsd',
|
||||
'urn:oasis:names:tc:ciq:xpil:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xPIL.xsd',
|
||||
}
|
||||
|
||||
baseurl, orgname, return_type = args
|
||||
if not baseurl:
|
||||
baseurl = 'https://www.misp-project.org'
|
||||
real_orgname = args[1]
|
||||
orgname = re.sub('[\W]+', '', orgname.replace(" ", "_"))
|
||||
NS_DICT[baseurl] = orgname
|
||||
try:
|
||||
idgen.set_id_namespace(Namespace(baseurl, orgname))
|
||||
except TypeError:
|
||||
idgen.set_id_namespace(Namespace(baseurl, orgname, "MISP"))
|
||||
stix_package = STIXPackage()
|
||||
stix_header = STIXHeader()
|
||||
stix_header.title="Export from {} MISP".format(real_orgname)
|
||||
stix_header.package_intents="Threat Report"
|
||||
stix_package.stix_header = stix_header
|
||||
stix_package.version = "1.1.1"
|
||||
stix_package.timestamp = datetime.datetime.now()
|
||||
return stix_json_framing(stix_package) if return_type == 'json' else stix_xml_framing(stix_package, NS_DICT, SCHEMALOC_DICT)
|
||||
def stix_framing(args: argparse.Namespace) -> dict:
|
||||
header, separator, footer = stix1_framing(args.namespace, args.orgname, args.format, args.version)
|
||||
return {'header': header, 'separator': separator, 'footer': footer}
|
||||
|
||||
def stix_json_framing(stix_package):
|
||||
header = '{}, "related_packages": ['.format(stix_package.to_json()[:-1])
|
||||
return header, ',', json_footer
|
||||
|
||||
def stix_xml_framing(stix_package, ns, schema):
|
||||
s_stix_package = "</stix:STIX_Package>\n"
|
||||
s_related_package = "stix:Related_Package"
|
||||
header = stix_package.to_xml(auto_namespace=False, ns_dict=ns, schemaloc_dict=schema)
|
||||
header = header.decode()
|
||||
header = "{0} <{1}s>\n <{1}>\n".format(header, s_related_package).replace(s_stix_package, "")
|
||||
footer = " </{0}>\n </{0}s>\n{1}".format(s_related_package, s_stix_package)
|
||||
separator = " </{0}>\n <{0}>\n".format(s_related_package)
|
||||
return header, separator, footer
|
||||
def stix2_framing(args: argparse.Namespace) -> dict:
|
||||
header, separator, footer = stix20_framing(args.uuid) if args.version == '2.0' else stix21_framing(args.uuid)
|
||||
return {'header': header, 'separator': separator, 'footer': footer}
|
||||
|
||||
def stix2_framing(*args):
|
||||
return '{"type": "bundle", "spec_version": "2.0", "id": "bundle--%s", "objects": [' % args[0], ',', json_footer
|
||||
|
||||
framing_mapping = {'stix': stix_framing, 'stix2': stix2_framing}
|
||||
|
||||
def main(args):
|
||||
framing_type = args[1]
|
||||
n = n_args[framing_type]
|
||||
if len(args) < n:
|
||||
sys.exit("Invalid parameters")
|
||||
args = args[2:]
|
||||
values_to_return = framing_mapping[framing_type](*args)
|
||||
print(json.dumps({keys: values for keys, values in zip(keys_to_return, values_to_return)}))
|
||||
|
||||
if __name__ == "__main__":
|
||||
main(sys.argv)
|
||||
parser = argparse.ArgumentParser(description='Handle framing to return header, separator and footer for a given return format.')
|
||||
subparsers = parser.add_subparsers()
|
||||
|
||||
stix1_parser = subparsers.add_parser('stix1', help='STIX1 framing.')
|
||||
stix1_parser.add_argument('-v', '--version', default='1.1.1', choices=['1.1.1', '1.2'], help='STIX1 version (1.1.1 or 1.2).')
|
||||
stix1_parser.add_argument('-f', '--format', default='xml', choices=['json', 'xml'], help='Return format (xml or json).')
|
||||
stix1_parser.add_argument('-n', '--namespace', default='https://misp-project.org', help='Default namespace to include in the namespaces defined in the STIX header.')
|
||||
stix1_parser.add_argument('-o', '--orgname', default='MISP', help='Default Org name associated with the namespace.')
|
||||
stix1_parser.set_defaults(func=stix_framing)
|
||||
|
||||
stix2_parser = subparsers.add_parser('stix2', help='STIX2 framing.')
|
||||
stix2_parser.add_argument('-v', '--version', default='2.0', choices=['2.0', '2.1'], help='STIX2 version (2.0 or 2.1).')
|
||||
stix2_parser.add_argument('--uuid', help='UUID used to identity the STIX2 bundle.')
|
||||
stix2_parser.set_defaults(func=stix2_framing)
|
||||
|
||||
try:
|
||||
args = parser.parse_args()
|
||||
print(json.dumps(args.func(args)))
|
||||
except SystemExit:
|
||||
print(json.dumps({'error': 'Framing arguments error, please check requirements for each return format.'}))
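Review bot: Running the script with no subcommand raises AttributeError at `args.func(args)` instead of producing the JSON error, because `add_subparsers()` does not require a subcommand by default and the `except SystemExit` only covers argparse's own exits; `subparsers = parser.add_subparsers(dest='format', required=True)` (Python 3.7+) closes that gap. `--uuid` on the stix2 subparser has neither a default nor `required=True`, so a missing flag passes `None` straight into `stix20_framing`/`stix21_framing` — `stix2_parser.add_argument('--uuid', required=True, help='UUID used to identify the STIX2 bundle.')` also fixes the "identity" typo in the help text. The removed `stix_framing` stripped non-word characters from `orgname` before it became a namespace prefix in `NS_DICT`, whereas the new one hands the caller-supplied `args.orgname` directly to `stix1_framing`; that sanitisation presumably now lives in misp-stix and is worth confirming, since the value ends up in the STIX header. The `sys.path.insert` block pins the vendored submodules ahead of site-packages, but an uninitialised (empty) checkout silently falls back to whatever version is installed system-wide, so a comment such as `# vendored submodules take precedence over site-packages; an empty checkout falls back silently` would help here and equally in the `_scripts_path` hunk of the STIX2 parser and the `_current_path` hunk of the STIX1 parser. Note too that the `except SystemExit` branch prints the error on stdout and exits 0, so callers must inspect the `error` key rather than the exit status.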
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
Subproject commit 70bc18c714134c5be5a70226aac5961ad810a6c0
|
|
@ -0,0 +1 @@
|
|||
Subproject commit 25e6e8b3a6f429f079d3fbd9ace3db9eb3d5ab71
|
|
@ -0,0 +1 @@
|
|||
Subproject commit 13e66105c9646156060d0896a4d54970ea358f44
|
|
@ -0,0 +1 @@
|
|||
Subproject commit 34f24261b70c7d02ddf0f5696d3919e771dbd32f
|
|
@ -1,256 +0,0 @@
|
|||
misp_hash_types = ("authentihash", "ssdeep", "imphash", "md5", "sha1", "sha224",
|
||||
"sha256", "sha384", "sha512", "sha512/224","sha512/256","tlsh")
|
||||
attack_pattern_galaxies_list = ('mitre-attack-pattern', 'mitre-enterprise-attack-attack-pattern',
|
||||
'mitre-mobile-attack-attack-pattern', 'mitre-pre-attack-attack-pattern')
|
||||
course_of_action_galaxies_list = ('mitre-course-of-action', 'mitre-enterprise-attack-course-of-action',
|
||||
'mitre-mobile-attack-course-of-action')
|
||||
intrusion_set_galaxies_list = ('mitre-enterprise-attack-intrusion-set', 'mitre-mobile-attack-intrusion-set',
|
||||
'mitre-pre-attack-intrusion-set', 'mitre-intrusion-set')
|
||||
malware_galaxies_list = ('android', 'banker', 'stealer', 'backdoor', 'ransomware', 'mitre-malware',
|
||||
'mitre-enterprise-attack-malware', 'mitre-mobile-attack-malware')
|
||||
threat_actor_galaxies_list = ('threat-actor', 'microsoft-activity-group')
|
||||
tool_galaxies_list = ('botnet', 'rat', 'exploit-kit', 'tds', 'tool', 'mitre-tool',
|
||||
'mitre-enterprise-attack-tool', 'mitre-mobile-attack-tool')
|
||||
|
||||
galaxies_mapping = {'branded-vulnerability': ['vulnerability', 'add_vulnerability_from_galaxy']}
|
||||
galaxies_mapping.update(dict.fromkeys(attack_pattern_galaxies_list, ['attack-pattern', 'add_attack_pattern']))
|
||||
galaxies_mapping.update(dict.fromkeys(course_of_action_galaxies_list, ['course-of-action', 'add_course_of_action']))
|
||||
galaxies_mapping.update(dict.fromkeys(intrusion_set_galaxies_list, ['intrusion-set', 'add_intrusion_set']))
|
||||
galaxies_mapping.update(dict.fromkeys(malware_galaxies_list, ['malware', 'add_malware']))
|
||||
galaxies_mapping.update(dict.fromkeys(threat_actor_galaxies_list, ['threat-actor', 'add_threat_actor']))
|
||||
galaxies_mapping.update(dict.fromkeys(tool_galaxies_list, ['tool', 'add_tool']))
|
||||
|
||||
mispTypesMapping = {
|
||||
'md5': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'sha1': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'sha256': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'filename': {'observable': '_get_file_observable', 'pattern': '_get_file_pattern'},
|
||||
'filename|md5': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|sha1': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|sha256': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'ip-src': {'observable': '_get_ip_observable', 'pattern': '_get_ip_pattern'},
|
||||
'ip-dst': {'observable': '_get_ip_observable', 'pattern': '_get_ip_pattern'},
|
||||
'hostname': {'observable': '_get_domain_observable', 'pattern': '_get_domain_pattern'},
|
||||
'domain': {'observable': '_get_domain_observable', 'pattern': '_get_domain_pattern'},
|
||||
'domain|ip': {'observable': '_get_domain_ip_observable', 'pattern': '_get_domain_ip_pattern'},
|
||||
'email-src': {'observable': '_get_email_address_observable', 'pattern': '_get_email_address_pattern'},
|
||||
'email-dst': {'observable': '_get_email_address_observable', 'pattern': '_get_email_address_pattern'},
|
||||
'email-subject': {'observable': '_get_email_message_observable', 'pattern': '_get_email_message_pattern'},
|
||||
'email-body': {'observable': '_get_email_message_observable', 'pattern': '_get_email_message_pattern'},
|
||||
'email-attachment': {'observable': '_get_email_attachment_observable', 'pattern': '_get_email_attachment_observable'},
|
||||
'url': {'observable': '_get_url_observable', 'pattern': '_get_url_pattern'},
|
||||
'regkey': {'observable': '_get_regkey_observable', 'pattern': '_get_regkey_pattern'},
|
||||
'regkey|value': {'observable': '_get_regkey_value_observable', 'pattern': '_get_regkey_value_pattern'},
|
||||
'malware-sample': {'observable': '_get_malware_sample_observable', 'pattern': '_get_malware_sample_pattern'},
|
||||
'mutex': {'observable': '_get_mutex_observable', 'pattern': '_get_mutex_pattern'},
|
||||
'uri': {'observable': '_get_url_observable', 'pattern': '_get_url_pattern'},
|
||||
'authentihash': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'ssdeep': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'imphash': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'pehash': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'impfuzzy': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'sha224': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'sha384': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'sha512': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'sha512/224': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'sha512/256': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'tlsh': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'cdhash': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
|
||||
'filename|authentihash': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|ssdeep': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|imphash': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|impfuzzy': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|pehash': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|sha224': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|sha384': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|sha512': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|sha512/224': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|sha512/256': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'filename|tlsh': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
|
||||
'x509-fingerprint-md5': {'observable': '_get_x509_observable', 'pattern': '_get_x509_pattern'},
|
||||
'x509-fingerprint-sha1': {'observable': '_get_x509_observable', 'pattern': '_get_x509_pattern'},
|
||||
'x509-fingerprint-sha256': {'observable': '_get_x509_observable', 'pattern': '_get_x509_pattern'},
|
||||
'port': {'observable': '_get_port_observable', 'pattern': '_get_port_pattern'},
|
||||
'ip-dst|port': {'observable': '_get_ip_port_observable', 'pattern': '_get_ip_port_pattern'},
|
||||
'ip-src|port': {'observable': '_get_ip_port_observable', 'pattern': '_get_ip_port_pattern'},
|
||||
'hostname|port': {'observable': '_get_hostname_port_observable', 'pattern': '_get_hostname_port_pattern'},
|
||||
'email-reply-to': {'observable': '_get_reply_to_observable', 'pattern': '_get_reply_to_pattern'},
|
||||
'attachment': {'observable': '_get_attachment_observable', 'pattern': '_get_attachment_pattern'},
|
||||
'mac-address': {'observable': '_get_mac_address_observable', 'pattern': '_get_mac_address_pattern'},
|
||||
'AS': {'observable': '_get_as_observable', 'pattern': '_get_as_pattern'}
|
||||
#'email-dst-display-name': {'observable': {'0': {'type': 'email-addr', 'display_name': ''}},
|
||||
# 'pattern': 'email-addr:display_name = \'{0}\''},
|
||||
#'email-src-display-name': {'observable': {'0': {'type': 'email-addr', 'display_name': ''}},
|
||||
# 'pattern': 'email-addr:display_name = \'{0}\''}
|
||||
}
|
||||
|
||||
objects_mapping = {
|
||||
'asn': {'observable': 'resolve_asn_observable',
|
||||
'pattern': 'resolve_asn_pattern'},
|
||||
'credential': {'observable': 'resolve_credential_observable',
|
||||
'pattern': 'resolve_credential_pattern'},
|
||||
'domain-ip': {'observable': 'resolve_domain_ip_observable',
|
||||
'pattern': 'resolve_domain_ip_pattern'},
|
||||
'email': {'observable': 'resolve_email_object_observable',
|
||||
'pattern': 'resolve_email_object_pattern'},
|
||||
'file': {'observable': 'resolve_file_observable',
|
||||
'pattern': 'resolve_file_pattern'},
|
||||
'ip-port': {'observable': 'resolve_ip_port_observable',
|
||||
'pattern': 'resolve_ip_port_pattern'},
|
||||
'network-connection': {'observable': 'resolve_network_connection_observable',
|
||||
'pattern': 'resolve_network_connection_pattern'},
|
||||
'network-socket': {'observable': 'resolve_network_socket_observable',
|
||||
'pattern': 'resolve_network_socket_pattern'},
|
||||
'process': {'observable': 'resolve_process_observable',
|
||||
'pattern': 'resolve_process_pattern'},
|
||||
'registry-key': {'observable': 'resolve_regkey_observable',
|
||||
'pattern': 'resolve_regkey_pattern'},
|
||||
'stix2-pattern': {'pattern': 'resolve_stix2_pattern'},
|
||||
'url': {'observable': 'resolve_url_observable',
|
||||
'pattern': 'resolve_url_pattern'},
|
||||
'user-account': {'observable': 'resolve_user_account_observable',
|
||||
'pattern': 'resolve_user_account_pattern'},
|
||||
'x509': {'observable': 'resolve_x509_observable',
|
||||
'pattern': 'resolve_x509_pattern'}
|
||||
}
|
||||
|
||||
network_traffic_pattern = "network-traffic:{0} = '{1}'"
|
||||
network_traffic_src_ref = "src_{0}.type = '{1}' AND network-traffic:src_{0}.value"
|
||||
network_traffic_dst_ref = "dst_{0}.type = '{1}' AND network-traffic:dst_{0}.value"
|
||||
network_traffic_reference_mapping = {'': ''}
|
||||
|
||||
objectsMapping = {'asn': {'to_call': 'handle_usual_object_name',
|
||||
'observable': {'type': 'autonomous-system'},
|
||||
'pattern': "autonomous-system:{0} = '{1}'"},
|
||||
'attack-pattern': {'to_call': 'add_attack_pattern_object'},
|
||||
'course-of-action': {'to_call': 'add_course_of_action_from_object'},
|
||||
'credential': {'to_call': 'handle_usual_object_name',
|
||||
'observable': {'type': 'user-account'},
|
||||
'pattern': "user-account:{0} = '{1}'"},
|
||||
'domain-ip': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': "domain-name:{0} = '{1}'"},
|
||||
'email': {'to_call': 'handle_usual_object_name',
|
||||
'observable': {'0': {'type': 'email-message'}},
|
||||
'pattern': "email-{0}:{1} = '{2}'"},
|
||||
'file': {'to_call': 'handle_usual_object_name',
|
||||
'observable': {'0': {'type': 'file', 'hashes': {}}},
|
||||
'pattern': "file:{0} = '{1}'"},
|
||||
'ip-port': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': network_traffic_pattern},
|
||||
'network-connection': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': network_traffic_pattern},
|
||||
'network-socket': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': network_traffic_pattern},
|
||||
'pe': {'to_call': 'populate_objects_to_parse'},
|
||||
'pe-section': {'to_call': 'populate_objects_to_parse'},
|
||||
'process': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': "process:{0} = '{1}'"},
|
||||
'registry-key': {'to_call': 'handle_usual_object_name',
|
||||
'observable': {'0': {'type': 'windows-registry-key'}},
|
||||
'pattern': "windows-registry-key:{0} = '{1}'"},
|
||||
'stix2-pattern': {'to_call': 'handle_usual_object_name'},
|
||||
'url': {'to_call': 'handle_usual_object_name',
|
||||
'observable': {'0': {'type': 'url'}},
|
||||
'pattern': "url:{0} = '{1}'"},
|
||||
'user-account': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': "user-account:{0} = '{1}'"},
|
||||
'vulnerability': {'to_call': 'add_object_vulnerability'},
|
||||
'x509': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': "x509-certificate:{0} = '{1}'"}
|
||||
}
|
||||
|
||||
asnObjectMapping = {'asn': 'number', 'description': 'name', 'subnet-announced': 'value'}
|
||||
|
||||
attackPatternObjectMapping = {'name': 'name', 'summary': 'description'}
|
||||
|
||||
attack_pattern_reference_mapping = {'id': ('capec', 'external_id'),
|
||||
'references': ('mitre-attack', 'url')}
|
||||
|
||||
credentialObjectMapping = {'password': 'credential', 'username': 'user_id'}
|
||||
|
||||
domainIpObjectMapping = {'ip-dst': 'resolves_to_refs[*].value', 'domain': 'value'}
|
||||
|
||||
email_attachment = {'email_type': 'message', 'stix_type': 'body_multipart[{}].body_raw_ref.name'}
|
||||
emailObjectMapping = {'email-body': {'email_type': 'message', 'stix_type': 'body'},
|
||||
'subject': {'email_type': 'message', 'stix_type': 'subject'},
|
||||
'to': {'email_type': 'message', 'stix_type': 'to_refs'},
|
||||
'cc': {'email_type': 'message', 'stix_type': 'cc_refs'},
|
||||
'to-display-name': {'email_type': 'addr', 'stix_type': 'display_name'},
|
||||
'from': {'email_type': 'message', 'stix_type': 'from_ref'},
|
||||
'from-display-name': {'email_type': 'addr', 'stix_type': 'display_name'},
|
||||
'reply-to': {'email_type': 'message', 'stix_type': 'additional_header_fields.reply_to'},
|
||||
'attachment': email_attachment, 'screenshot': email_attachment,
|
||||
'send-date': {'email_type': 'message', 'stix_type': 'date'},
|
||||
'x-mailer': {'email_type': 'message', 'stix_type': 'additional_header_fields.x_mailer'}}
|
||||
|
||||
fileMapping = {'size-in-bytes': 'size', 'mime-type': 'mime_type', 'file-encoding': 'name_enc'}
|
||||
hash_types = ('MD5', 'SHA-1', 'SHA-256', 'SHA-224', 'SHA-384', 'SHA-512', 'ssdeep', 'tlsh')
|
||||
fileMapping.update({hash_type.replace('-', '').lower(): hash_type for hash_type in hash_types})
|
||||
hash_types = tuple(hash_type.replace('-', '').lower() for hash_type in hash_types)
|
||||
|
||||
ipPortObjectMapping = {'ip': network_traffic_dst_ref,
|
||||
'src-port': 'src_port', 'dst-port': 'dst_port',
|
||||
'first-seen': 'start', 'last-seen': 'end',
|
||||
'domain': 'value'}
|
||||
|
||||
networkTrafficMapping = {'address-family': 'address_family', 'domain-family': 'protocol_family',
|
||||
'protocol': 'protocols', 'src-port': 'src_port', 'dst-port': 'dst_port',
|
||||
'ip-src': network_traffic_src_ref, 'ip-dst': network_traffic_dst_ref,
|
||||
'hostname-src': network_traffic_src_ref, 'hostname-dst': network_traffic_dst_ref}
|
||||
|
||||
peMapping = {'type': 'pe_type', 'number-sections': 'number_of_sections', 'imphash': 'imphash'}
|
||||
|
||||
peSectionMapping = {'name': 'name', 'size-in-bytes': 'size', 'entropy': 'entropy'}
|
||||
|
||||
processMapping = {'pid': 'pid', 'child-pid': 'child_refs[*].pid',
|
||||
'name': 'name', 'parent-pid': 'parent_ref.pid',
|
||||
'creation-time': 'created', 'image': 'binary_ref.name'}
|
||||
|
||||
regkeyMapping = {'data-type': 'data_type', 'data': 'data', 'name': 'name',
|
||||
'last-modified': 'modified', 'key': 'key'}
|
||||
|
||||
urlMapping = {'url': 'value', 'domain': 'value', 'port': 'dst_port'}
|
||||
|
||||
userAccountMapping = {'account-type': 'account_type', 'can_escalate_privs': 'can_escalate_privs',
|
||||
'created': 'account_created', 'disabled': 'is_disabled', 'display-name': 'display_name',
|
||||
'expires': 'account_expires', 'first_login': 'account_first_login',
|
||||
'is_service_account': 'is_service_account', 'last_login': 'account_last_login',
|
||||
'password': 'credential', 'password_last_changed': 'credential_last_changed',
|
||||
'privileged': 'is_privileged', 'username': 'account_login', 'user-id': 'user_id'}
|
||||
|
||||
unixAccountExtensionMapping = {'group': 'groups', 'group-id': 'gid', 'home_dir': 'home_dir', 'shell': 'shell'}
|
||||
|
||||
vulnerabilityMapping = {'id': 'name', 'summary': 'description'}
|
||||
|
||||
x509mapping = {'pubkey-info-algorithm': 'subject_public_key_algorithm', 'subject': 'subject',
|
||||
'pubkey-info-exponent': 'subject_public_key_exponent', 'issuer': 'issuer',
|
||||
'pubkey-info-modulus': 'subject_public_key_modulus', 'serial-number': 'serial_number',
|
||||
'validity-not-before': 'validity_not_before', 'validity-not-after': 'validity_not_after',
|
||||
'version': 'version',}
|
||||
|
||||
defineProtocols = {'80': 'http', '443': 'https'}
|
||||
|
||||
tlp_markings = {'tlp:white': 'TLP_WHITE', 'tlp:green': 'TLP_GREEN',
|
||||
'tlp:amber': 'TLP_AMBER', 'tlp:red': 'TLP_RED'}
|
||||
|
||||
relationshipsSpecifications = {'attack-pattern': {'vulnerability': 'targets', 'identity': 'targets',
|
||||
'malware': 'uses', 'tool': 'uses'},
|
||||
'campaign': {'intrusion-set': 'attributed-to', 'threat-actor': 'attributed-to',
|
||||
'identity': 'targets', 'vulnerability': 'targets',
|
||||
'attack-pattern': 'uses', 'malware': 'uses',
|
||||
'tool': 'uses'},
|
||||
'course-of-action':{'attack-pattern': 'mitigates', 'malware': 'mitigates',
|
||||
'tool': 'mitigates', 'vulnerability': 'mitigates'},
|
||||
'intrusion-set': {'threat-actor': 'attributed-to', 'identity': 'targets',
|
||||
'vulnerability': 'targets', 'attack-pattern': 'uses',
|
||||
'malware': 'uses', 'tool': 'uses'},
|
||||
'malware': {'identity': 'targets', 'vulnerability': 'targets',
|
||||
'tool': 'uses', 'malware': 'variant-of'},
|
||||
'threat-actor': {'identity': 'attributed-to', 'vulnerability': 'targets',
|
||||
'attack-pattern': 'uses', 'malware': 'uses',
|
||||
'tool': 'uses'},
|
||||
'tool': {'identity': 'targets', 'vulnerability': 'targets'}
|
||||
}
|
||||
galaxy_types = ('attack-pattern', 'campaign', 'intrusion-set', 'malware', 'threat-actor', 'tool')
|
||||
relationshipsSpecifications['indicator'] = {feature: 'indicates' for feature in galaxy_types}
|
||||
relationshipsSpecifications['observed-data'] = {feature: 'observed-with' for feature in galaxy_types}
|
|
@ -22,7 +22,6 @@ import os
|
|||
import time
|
||||
import io
|
||||
import pymisp
|
||||
import stix2
|
||||
import stix2misp_mapping
|
||||
from collections import defaultdict
|
||||
from copy import deepcopy
|
||||
|
@ -32,6 +31,10 @@ _misp_objects_path = _misp_dir / 'app' / 'files' / 'misp-objects' / 'objects'
|
|||
_misp_types = pymisp.AbstractMISP().describe_types.get('types')
|
||||
from pymisp import MISPEvent, MISPObject, MISPAttribute
|
||||
|
||||
_scripts_path = Path(__file__).resolve().parents[1]
|
||||
sys.path.insert(0, str(_scripts_path / 'cti-python-stix2'))
|
||||
import stix2
|
||||
|
||||
|
||||
class StixParser():
|
||||
_galaxy_types = ('intrusion-set', 'malware', 'threat-actor', 'tool')
|
||||
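Review bot: `sys.path.insert(0, str(_scripts_path / 'cti-python-stix2'))` followed by `import stix2` has no check that the submodule checkout is actually present, so an uninitialised submodule either fails with a bare ImportError for stix2 or, if a stix2 is also installed in the venv, silently imports a different version than the vendored one the parser was written against. A guard before the insert makes the failure explicit: `_stix2_path = _scripts_path / 'cti-python-stix2'` and `if not (_stix2_path / 'stix2').is_dir(): raise ImportError('cti-python-stix2 submodule not initialised: ' + str(_stix2_path))`, then `sys.path.insert(0, str(_stix2_path))`. The same applies to the four `sys.path.insert` calls for python-stix, python-cybox, mixbox and python-maec in the STIX 1 parser's import hunk further down. The surrounding module-level import run continues outside this hunk.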
|
|
|
@ -23,11 +23,18 @@ import uuid
|
|||
import base64
|
||||
import pymisp
|
||||
import stix2misp_mapping
|
||||
from operator import attrgetter
|
||||
from collections import defaultdict
|
||||
from pathlib import Path
|
||||
|
||||
_current_path = Path(__file__).resolve().parent
|
||||
sys.path.insert(0, str(_current_path / 'python-stix'))
|
||||
sys.path.insert(1, str(_current_path / 'python-cybox'))
|
||||
sys.path.insert(2, str(_current_path / 'mixbox'))
|
||||
sys.path.insert(3, str(_current_path / 'python-maec'))
|
||||
import stix.extensions.marking.ais
|
||||
from mixbox.namespaces import NamespaceNotFoundError
|
||||
from operator import attrgetter
|
||||
from stix.core import STIXPackage
|
||||
from collections import defaultdict
|
||||
try:
|
||||
import stix_edh
|
||||
except ImportError:
|
||||
|
@ -636,6 +643,8 @@ class StixParser():
|
|||
def parse_pe_section(self, section):
|
||||
section_object = MISPObject('pe-section', misp_objects_path_custom=_MISP_objects_path)
|
||||
header_hashes = section.header_hashes
|
||||
if header_hashes is None:
|
||||
header_hashes = section.data_hashes
|
||||
for h in header_hashes:
|
||||
hash_type, hash_value, hash_relation = self.handle_hashes_attribute(h)
|
||||
section_object.add_attribute(**{"type": hash_type, "value": hash_value, "object_relation": hash_relation})
|
||||
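Review bot: `for h in header_hashes:` still raises TypeError when `section.data_hashes` is also None, because the added `if header_hashes is None` fallback only covers `section.header_hashes`; the fallback itself shows these attributes can be absent. `for h in header_hashes or ():` keeps the pe-section object and simply adds no hash attributes in that case. The body of parse_pe_section continues past the end of the hunk.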
|
|
|
@ -112,6 +112,7 @@ cybox_to_misp_object = {
|
|||
"EmailMessage": "email",
|
||||
"NetworkConnection": "network-connection",
|
||||
"NetworkSocket": "network-socket",
|
||||
"Observable": "obsevrable",
|
||||
"Process": "process",
|
||||
"UnixUserAccount": "user-account",
|
||||
"UserAccount": "user-account",
|
||||
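Review bot: `"Observable": "obsevrable",` looks misspelled; the other values in this mapping are MISP object names such as `network-connection` and `user-account`, so if this value is used to resolve an object template the lookup for `obsevrable` will not match anything. If the intended name is the MISP `observable` object, the line should read `"Observable": "observable",`; please confirm the intended template name, since it is not visible on this page. The mapping dict starts and ends outside the hunk.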
|
|
|
@ -1 +0,0 @@
|
|||
Subproject commit 52d806b349333d40c5dd75b62e8e64d6a18fcdf4
|
|
@ -233,35 +233,10 @@ installCoreRHEL7 () {
|
|||
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
||||
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
|
||||
|
||||
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
||||
UMASK=$(umask)
|
||||
umask 0022
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install mixbox to accommodate the new STIX dependencies:
|
||||
cd $PATH_TO_MISP/app/files/scripts/mixbox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install STIX2.0 library to support STIX 2.0 export:
|
||||
cd $PATH_TO_MISP/cti-python-stix2
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install maec
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec
|
||||
|
||||
# install zmq
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq
|
||||
|
||||
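Review bot: With the `git clone` and `pip install .` steps for python-cybox, python-stix, mixbox, cti-python-stix2 and maec removed, nothing left in this hunk puts those libraries or their declared dependencies (which `pip install .` used to resolve) into the venv; the Python scripts now only add the submodule checkouts to `sys.path`, which exposes the checkouts themselves but none of their requirements. Unless installCoreRHEL7 does this elsewhere (the function continues outside the hunk), the breakage moves from install time to the first STIX import/export at runtime. Consider an explicit `$SUDO_WWW git -C $PATH_TO_MISP submodule update --init --recursive`, a `pip install` of each library's requirements, and a post-install smoke check such as `$SUDO_WWW $PATH_TO_MISP/venv/bin/python -c 'import stix, cybox, mixbox, stix2'` so a missing or uninitialised submodule fails the installer rather than the application. The same gap applies to both installCoreRHEL8 hunks and to the two installCore hunks in each of the following installer files, where the `for dependency in …` clone/pull loops and the cti-python-stix2 pip install are removed while the remaining `pip install -U setuptools pip lief zmq redis python-magic plyara` line does not cover the STIX libraries' dependencies.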
|
|
|
@ -265,13 +265,6 @@ installCoreRHEL8 () {
|
|||
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
||||
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
||||
([[ ${DISTRI} == 'fedora33' ]] || [[ ${DISTRI} == 'fedora34' ]] || [[ ${DISTRI} == 'rhel8.3' ]]) && sudo dnf install cmake3 -y && CMAKE_BIN='cmake3'
|
||||
([[ ${DISTRI} == 'centos8stream' ]] || [[ ${DISTRI} == 'centos8' ]] || [[ ${DISTRI} == 'rocky8.4' ]]) && sudo dnf install cmake -y && CMAKE_BIN='cmake'
|
||||
|
@ -279,25 +272,8 @@ installCoreRHEL8 () {
|
|||
UMASK=$(umask)
|
||||
umask 0022
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install mixbox to accommodate the new STIX dependencies:
|
||||
cd $PATH_TO_MISP/app/files/scripts/mixbox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install STIX2.0 library to support STIX 2.0 export:
|
||||
cd $PATH_TO_MISP/cti-python-stix2
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
# install maec, zmq, redis
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec zmq redis
|
||||
# install zmq, redis
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq redis
|
||||
|
||||
# install magic, pydeep
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara
|
||||
|
|
|
@ -145,15 +145,6 @@ installCore () {
|
|||
sudo mkdir /var/www/.cache/
|
||||
sudo chown ${WWW_USER}:${WWW_USER} /var/www/.cache
|
||||
|
||||
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
|
||||
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git clone https://github.com/${dependency}.git ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}; done
|
||||
${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} config core.filemode false
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
|
||||
done
|
||||
|
||||
debug "Install python-stix2"
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/cti-python-stix2
|
||||
|
||||
debug "Install PyMISP"
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/PyMISP
|
||||
|
||||
|
@ -195,12 +186,7 @@ installCore () {
|
|||
false; while [[ $? -ne 0 ]]; do ${SUDO_WWW} git -C ${PATH_TO_MISP} submodule update --progress --init --recursive; done
|
||||
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U setuptools pip lief zmq redis python-magic plyara
|
||||
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
|
||||
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} pull; done
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
|
||||
done
|
||||
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/cti-python-stix2
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/PyMISP
|
||||
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U git+https://github.com/kbandla/pydeep.git; done
|
||||
fi
|
||||
|
|
|
@ -137,15 +137,6 @@ installCore () {
|
|||
sudo mkdir /var/www/.cache/
|
||||
sudo chown ${WWW_USER}:${WWW_USER} /var/www/.cache
|
||||
|
||||
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
|
||||
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git clone https://github.com/${dependency}.git ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}; done
|
||||
${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} config core.filemode false
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
|
||||
done
|
||||
|
||||
debug "Install python-stix2"
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/cti-python-stix2
|
||||
|
||||
debug "Install PyMISP"
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/PyMISP
|
||||
|
||||
|
@ -186,13 +177,6 @@ installCore () {
|
|||
${SUDO_WWW} git pull -C ${PATH_TO_MISP}
|
||||
false; while [[ $? -ne 0 ]]; do ${SUDO_WWW} git -C ${PATH_TO_MISP} submodule update --progress --init --recursive; done
|
||||
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U setuptools pip lief zmq redis python-magic plyara
|
||||
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
|
||||
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} pull; done
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
|
||||
done
|
||||
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/cti-python-stix2
|
||||
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/PyMISP
|
||||
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U git+https://github.com/kbandla/pydeep.git; done
|
||||
fi
|
||||
|
|