mirror of https://github.com/MISP/MISP
Iglocska
commit
265088a0ea
|
|
@ -31,6 +31,7 @@ simple_type_to_method.update(dict.fromkeys(["pattern-in-file", "pattern-in-traff
|
|||
# mapping for the attributes that can go through the simpleobservable script
|
||||
misp_cybox_name = {"domain" : "DomainName", "hostname" : "Hostname", "url" : "URI", "AS" : "AutonomousSystem", "mutex" : "Mutex", "named pipe" : "Pipe", "link" : "URI"}
|
||||
cybox_name_attribute = {"DomainName" : "value", "Hostname" : "hostname_value", "URI" : "value", "AutonomousSystem" : "number", "Pipe" : "name", "Mutex" : "name"}
|
||||
misp_indicator_type = {"domain" : "Domain Watchlist", "hostname" : "Domain Watchlist", "url" : "URL Watchlist", "AS" : "", "mutex" : "Host Characteristics", "named pipe" : "Host Characteristics", "link" : ""}
|
||||
|
||||
def generateObservable(indicator, attribute):
|
||||
if (attribute["type"] in ("snort", "yara")):
|
||||
|
|
@ -40,25 +41,28 @@ def generateObservable(indicator, attribute):
|
|||
if (attribute["type"] in simple_type_to_method.keys()):
|
||||
action = getattr(this_module, simple_type_to_method[attribute["type"]], None)
|
||||
if (action != None):
|
||||
property = action(attribute)
|
||||
property = action(indicator, attribute)
|
||||
property.condition = "Equals"
|
||||
object = Object(property)
|
||||
object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + property.__class__.__name__ + "-" + attribute["uuid"]
|
||||
observable = Observable(object)
|
||||
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
|
||||
indicator.add_observable(observable)
|
||||
|
||||
def resolveFileObservable(attribute):
|
||||
def resolveFileObservable(indicator, attribute):
|
||||
hashValue = ""
|
||||
filenameValue = ""
|
||||
if (attribute["type"] in ("filename|md5", "filename|sha1", "filename|sha256", "malware-sample")):
|
||||
values = attribute["value"].split('|')
|
||||
filenameValue = values[0]
|
||||
hashValue = values[1]
|
||||
indicator.add_indicator_type("File Hash Watchlist")
|
||||
else:
|
||||
if (attribute["type"] in ("filename", "attachment")):
|
||||
filenameValue = attribute["value"]
|
||||
else:
|
||||
hashValue = attribute["value"]
|
||||
indicator.add_indicator_type("File Hash Watchlist")
|
||||
observable = generateFileObservable(filenameValue, hashValue)
|
||||
return observable
|
||||
|
||||
|
|
@ -71,10 +75,11 @@ def generateFileObservable(filenameValue, hashValue):
|
|||
else:
|
||||
file_object.file_name = filenameValue
|
||||
if (hashValue != ""):
|
||||
file_object.add_hash(Hash(hashValue))
|
||||
file_object.add_hash(Hash(hash_value=hashValue, exact=True))
|
||||
return file_object
|
||||
|
||||
def generateIPObservable(attribute):
|
||||
def generateIPObservable(indicator, attribute):
|
||||
indicator.add_indicator_type("IP Watchlist")
|
||||
address_object = Address()
|
||||
cidr = False
|
||||
if ("/" in attribute["value"]):
|
||||
|
|
@ -100,7 +105,8 @@ def generateIPObservable(attribute):
|
|||
address_object.address_value = attribute["value"]
|
||||
return address_object
|
||||
|
||||
def generateRegkeyObservable(attribute):
|
||||
def generateRegkeyObservable(indicator, attribute):
|
||||
indicator.add_indicator_type("Host Characteristics")
|
||||
regkey = ""
|
||||
regvalue = ""
|
||||
if (attribute["type"] == "regkey|value"):
|
||||
|
|
@ -116,9 +122,12 @@ def generateRegkeyObservable(attribute):
|
|||
reg_object.values = RegistryValues(reg_value_object)
|
||||
return reg_object
|
||||
|
||||
def generateSimpleObservable(attribute):
|
||||
def generateSimpleObservable(indicator, attribute):
|
||||
cyboxName = misp_cybox_name[attribute["type"]]
|
||||
constructor = getattr(this_module, cyboxName, None)
|
||||
indicatorType = misp_indicator_type[attribute["type"]]
|
||||
if (indicatorType != ""):
|
||||
indicator.add_indicator_type(indicatorType)
|
||||
new_object = constructor()
|
||||
setattr(new_object, cybox_name_attribute[cyboxName], attribute["value"])
|
||||
return new_object
|
||||
|
|
@ -134,7 +143,8 @@ def generateTM(indicator, attribute):
|
|||
#tm.rules = [attribute["value"]]
|
||||
indicator.test_mechanisms = [tm]
|
||||
|
||||
def resolveEmailObservable(attribute):
|
||||
def resolveEmailObservable(indicator, attribute):
|
||||
indicator.add_indicator_type("Malicious E-mail")
|
||||
new_object = EmailMessage()
|
||||
email_header = EmailHeader()
|
||||
if (attribute["type"] == "email-src"):
|
||||
|
|
@ -146,7 +156,7 @@ def resolveEmailObservable(attribute):
|
|||
new_object.header = email_header
|
||||
return new_object
|
||||
|
||||
def resolveHTTPObservable(attribute):
|
||||
def resolveHTTPObservable(indicator, attribute):
|
||||
request_response = HTTPRequestResponse()
|
||||
client_request = HTTPClientRequest()
|
||||
if (attribute["type"] == "user-agent"):
|
||||
|
|
@ -166,7 +176,7 @@ def resolveHTTPObservable(attribute):
|
|||
return new_object
|
||||
|
||||
# use this when implementing pattern in memory and pattern in traffic
|
||||
def resolvePatternObservable(attribute):
|
||||
def resolvePatternObservable(indicator, attribute):
|
||||
new_object = None
|
||||
if attribute["type"] == "pattern-in-file":
|
||||
byte_run = ByteRun()
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ from misp2cybox import *
|
|||
from misp2ciq import *
|
||||
from dateutil.tz import tzutc
|
||||
from stix.indicator import Indicator
|
||||
from stix.indicator.valid_time import ValidTime
|
||||
from stix.ttp import TTP, Behavior
|
||||
from stix.ttp.malware_instance import MalwareInstance
|
||||
from stix.incident import Incident, Time, ImpactAssessment, ExternalID, AffectedAsset
|
||||
|
|
@ -145,7 +146,7 @@ def generateEventPackage(event):
|
|||
|
||||
# generate the incident information. MISP events are currently mapped to incidents with the event metadata being stored in the incident information
|
||||
def generateSTIXObjects(event):
|
||||
incident = Incident(id_ = namespace[1] + ":incident-" + event["Event"]["uuid"], description=event["Event"]["info"])
|
||||
incident = Incident(id_ = namespace[1] + ":incident-" + event["Event"]["uuid"], title=event["Event"]["info"])
|
||||
setDates(incident, event["Event"]["date"], int(event["Event"]["publish_timestamp"]))
|
||||
addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"])
|
||||
ttps = []
|
||||
|
|
@ -180,12 +181,24 @@ def resolveAttributes(incident, ttps, attributes):
|
|||
else:
|
||||
#types that may become indicators
|
||||
handleIndicatorAttribute(incident, ttps, attribute)
|
||||
if incident.related_indicators and not ttps:
|
||||
ttp = TTP(timestamp=incident.timestamp)
|
||||
ttp.id_= incident.id_.replace("incident","ttp")
|
||||
ttp.title = "Unknown"
|
||||
ttps.append(ttp)
|
||||
for rindicator in incident.related_indicators:
|
||||
for ttp in ttps:
|
||||
ittp=TTP(idref=ttp.id_, timestamp=ttp.timestamp)
|
||||
rindicator.item.add_indicated_ttp(ittp)
|
||||
return [incident, ttps]
|
||||
|
||||
# Create the indicator and pass the attribute further for observable creation - this can be called from resolveattributes directly or from handleNonindicatorAttribute, for some special cases
|
||||
def handleIndicatorAttribute(incident, ttps, attribute):
|
||||
indicator = generateIndicator(attribute)
|
||||
indicator.add_indicator_type("Malware Artifacts")
|
||||
indicator.add_valid_time_position(ValidTime())
|
||||
if attribute["type"] == "email-attachment":
|
||||
indicator.add_indicator_type("Malicious E-mail")
|
||||
generateEmailAttachmentObject(indicator, attribute)
|
||||
else:
|
||||
generateObservable(indicator, attribute)
|
||||
|
|
@ -199,7 +212,7 @@ def handleIndicatorAttribute(incident, ttps, attribute):
|
|||
def handleNonIndicatorAttribute(incident, ttps, attribute):
|
||||
if attribute["type"] in ("comment", "text", "other"):
|
||||
if attribute["category"] == "Payload type":
|
||||
generateTTP(incident, attribute)
|
||||
generateTTP(incident, attribute, ttps)
|
||||
elif attribute["category"] == "Attribution":
|
||||
ta = generateThreatActor(attribute)
|
||||
rta = RelatedThreatActor(ta, relationship="Attribution")
|
||||
|
|
@ -215,7 +228,7 @@ def handleNonIndicatorAttribute(incident, ttps, attribute):
|
|||
aa.description = attribute["value"]
|
||||
incident.affected_assets.append(aa)
|
||||
elif attribute["type"] == "vulnerability":
|
||||
generateTTP(incident, attribute)
|
||||
generateTTP(incident, attribute, ttps)
|
||||
elif attribute["type"] == "link":
|
||||
if attribute["category"] == "Payload delivery":
|
||||
handleIndicatorAttribute(incident, ttps, attribute)
|
||||
|
|
@ -230,7 +243,7 @@ def handleNonIndicatorAttribute(incident, ttps, attribute):
|
|||
return [incident, ttps]
|
||||
|
||||
# TTPs are only used to describe malware names currently (attribute with category Payload Type and type text/comment/other)
|
||||
def generateTTP(incident, attribute):
|
||||
def generateTTP(incident, attribute, ttps):
|
||||
ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
|
||||
ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
|
||||
setTLP(ttp, attribute["distribution"])
|
||||
|
|
@ -248,7 +261,9 @@ def generateTTP(incident, attribute):
|
|||
ttp.behavior.add_malware_instance(malware)
|
||||
if attribute["comment"] != "":
|
||||
ttp.description = attribute["comment"]
|
||||
relatedTTP = RelatedTTP(ttp, relationship=attribute["category"])
|
||||
ttps.append(ttp)
|
||||
rttp = TTP(idref=ttp.id_, timestamp=ttp.timestamp)
|
||||
relatedTTP = RelatedTTP(rttp, relationship=attribute["category"])
|
||||
incident.leveraged_ttps.append(relatedTTP)
|
||||
|
||||
# Threat actors are currently only used for the category:attribution / type:(text|comment|other) attributes
|
||||
|
|
@ -270,6 +285,7 @@ def generateIndicator(attribute):
|
|||
indicator.description = attribute["comment"]
|
||||
setTLP(indicator, attribute["distribution"])
|
||||
indicator.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
|
||||
indicator.description = indicator.title
|
||||
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
|
||||
confidence_value = confidence_mapping.get(attribute["to_ids"], None)
|
||||
if confidence_value is None:
|
||||
|
|
@ -279,7 +295,7 @@ def generateIndicator(attribute):
|
|||
|
||||
# converts timestamp to the format used by STIX
|
||||
def getDateFromTimestamp(timestamp):
|
||||
return datetime.datetime.fromtimestamp(timestamp).isoformat()
|
||||
return datetime.datetime.fromtimestamp(timestamp).isoformat() + "+00:00"
|
||||
|
||||
# converts a date (YYYY-mm-dd) to the format used by stix
|
||||
def convertToStixDate(date):
|
||||
|
|
|
|||
Loading…
Reference in New Issue