Merge branch 'stix_no_random_ids' into hotfix-2.3.59
c2d5a5f1fc
@ -1,4 +1,4 @@
|
|||
from cybox.core import Observable, ObservableComposition
|
||||
from cybox.core import Object, Observable, ObservableComposition
|
||||
from cybox.objects.file_object import File
|
||||
from cybox.objects.address_object import Address
|
||||
from cybox.objects.hostname_object import Hostname
|
||||
|
@ -40,7 +40,11 @@ def generateObservable(indicator, attribute):
|
|||
if (attribute["type"] in simple_type_to_method.keys()):
|
||||
action = getattr(this_module, simple_type_to_method[attribute["type"]], None)
|
||||
if (action != None):
|
||||
observable = action(attribute)
|
||||
property = action(attribute)
|
||||
object = Object(property)
|
||||
object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + property.__class__.__name__ + "-" + attribute["uuid"]
|
||||
observable = Observable(object)
|
||||
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
|
||||
indicator.add_observable(observable)
|
||||
|
||||
def resolveFileObservable(attribute):
|
||||
|
@ -177,30 +181,44 @@ def resolvePatternObservable(attribute):
|
|||
# create an artifact object for the malware-sample type.
|
||||
def createArtifactObject(indicator, attribute):
|
||||
artifact = Artifact(data = attribute["data"])
|
||||
indicator.add_observable(artifact)
|
||||
artifact.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":artifact-" + attribute["uuid"]
|
||||
observable = Observable(artifact)
|
||||
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-artifact-" + attribute["uuid"]
|
||||
indicator.add_observable(observable)
|
||||
|
||||
# return either a composition if data is set in attribute, or just an observable with a filename if it's not set
|
||||
def returnAttachmentComposition(attribute):
|
||||
file_object = File()
|
||||
file_object.file_name = attribute["value"]
|
||||
file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
|
||||
observable = Observable()
|
||||
if "data" in attribute:
|
||||
artifact = Artifact(data = attribute["data"])
|
||||
composition = ObservableComposition(observables = [artifact, file_object])
|
||||
artifact.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":artifact-" + attribute["uuid"]
|
||||
observable_artifact = Observable(artifact)
|
||||
observable_artifact.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-artifact-" + attribute["uuid"]
|
||||
observable_file = Observable(file_object)
|
||||
observable_file.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-file-" + attribute["uuid"]
|
||||
composition = ObservableComposition(observables = [observable_artifact, observable_file])
|
||||
observable.observable_composition = composition
|
||||
else:
|
||||
observable = Observable(file_object)
|
||||
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
|
||||
if attribute["comment"] != "":
|
||||
observable.description = attribute["comment"]
|
||||
return observable
|
||||
|
||||
# email-attachment are mapped to an email message observable that contains the attachment as a file object
|
||||
def generateEmailAttachmentObject(indicator, filename):
|
||||
def generateEmailAttachmentObject(indicator, attribute):
|
||||
file_object = File()
|
||||
file_object.file_name = filename
|
||||
file_object.file_name = attribute["value"]
|
||||
email = EmailMessage()
|
||||
email.attachments = Attachments()
|
||||
email.add_related(file_object, "Contains", inline=True)
|
||||
file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
|
||||
email.attachments.append(file_object.parent.id_)
|
||||
indicator.observable = email
|
||||
email.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":EmailMessage-" + attribute["uuid"]
|
||||
observable = Observable(email)
|
||||
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
|
||||
indicator.observable = observable
|
||||
|
||||
|
|
|
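Review bot: The ID strings introduced in generateObservable (`object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + property.__class__.__name__ + "-" + attribute["uuid"]`) and repeated in createArtifactObject, returnAttachmentComposition and generateEmailAttachmentObject reach into `__generator`, a private module attribute of cybox, and splice `attribute["uuid"]` into an xsd:ID without checking it. Now that the IDs are no longer random, a malformed or reused uuid in the input produces an invalid or duplicate ID in the STIX output, so the value deserves a `uuid.UUID(...)` round-trip (or a documented upstream guarantee) before it is embedded. Both points are simplest to address with one helper, e.g. `def mispId(kind, attribute): return cybox.utils.idgen.get_id_namespace_alias() + ":" + kind + "-" + str(uuid.UUID(attribute["uuid"]))` (python-cybox exposes that public accessor as far as I know; the helper needs `import uuid`), called as `object.id_ = mispId(property.__class__.__name__, attribute)` in place of each concatenation. The new locals `property` and `object` shadow builtins; `props` and `obj` would read better. generateObservable's signature is only in the hunk header, so that function starts outside the hunk.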
@ -129,7 +129,8 @@ def generateMainPackage(events):
|
|||
# generate a package for each event
|
||||
def generateEventPackage(event):
|
||||
package_name = namespace[1] + ':STIXPackage-' + event["Event"]["uuid"]
|
||||
stix_package = STIXPackage(id_=package_name)
|
||||
timestamp = getDateFromTimestamp(int(event["Event"]["timestamp"]))
|
||||
stix_package = STIXPackage(id_=package_name, timestamp=timestamp)
|
||||
stix_header = STIXHeader()
|
||||
stix_header.title=event["Event"]["info"] + " (MISP Event #" + event["Event"]["id"] + ")"
|
||||
stix_header.package_intents="Threat Report"
|
||||
|
@ -185,7 +186,7 @@ def resolveAttributes(incident, ttps, attributes):
|
|||
def handleIndicatorAttribute(incident, ttps, attribute):
|
||||
indicator = generateIndicator(attribute)
|
||||
if attribute["type"] == "email-attachment":
|
||||
generateEmailAttachmentObject(indicator, attribute["value"])
|
||||
generateEmailAttachmentObject(indicator, attribute)
|
||||
else:
|
||||
generateObservable(indicator, attribute)
|
||||
if "data" in attribute:
|
||||
|
@ -230,14 +231,14 @@ def handleNonIndicatorAttribute(incident, ttps, attribute):
|
|||
|
||||
# TTPs are only used to describe malware names currently (attribute with category Payload Type and type text/comment/other)
|
||||
def generateTTP(incident, attribute):
|
||||
ttp = TTP()
|
||||
ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
|
||||
ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
|
||||
setTLP(ttp, attribute["distribution"])
|
||||
ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
|
||||
if attribute["type"] == "vulnerability":
|
||||
vulnerability = Vulnerability()
|
||||
vulnerability.cve_id = attribute["value"]
|
||||
et = ExploitTarget()
|
||||
et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
|
||||
et.add_vulnerability(vulnerability)
|
||||
ttp.exploit_targets.append(et)
|
||||
else:
|
||||
|
@ -252,7 +253,7 @@ def generateTTP(incident, attribute):
|
|||
|
||||
# Threat actors are currently only used for the category:attribution / type:(text|comment|other) attributes
|
||||
def generateThreatActor(attribute):
|
||||
ta = ThreatActor()
|
||||
ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
|
||||
ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
|
||||
ta.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
|
||||
if attribute["comment"] != "":
|
||||
|
@ -263,7 +264,7 @@ def generateThreatActor(attribute):
|
|||
|
||||
# generate the indicator and add the relevant information
|
||||
def generateIndicator(attribute):
|
||||
indicator = Indicator()
|
||||
indicator = Indicator(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
|
||||
indicator.id_= namespace[1] + ":indicator-" + attribute["uuid"]
|
||||
if attribute["comment"] != "":
|
||||
indicator.description = attribute["comment"]
|
||||
|
@ -273,7 +274,7 @@ def generateIndicator(attribute):
|
|||
confidence_value = confidence_mapping.get(attribute["to_ids"], None)
|
||||
if confidence_value is None:
|
||||
return indicator
|
||||
indicator.confidence = Confidence(value=confidence_value, description=confidence_description)
|
||||
indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
|
||||
return indicator
|
||||
|
||||
# converts timestamp to the format used by STIX
|
||||
|
|
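Review bot: `getDateFromTimestamp(int(attribute["timestamp"]))` is evaluated twice in generateTTP (for the TTP and again for the ExploitTarget) and once more per object in generateThreatActor and generateIndicator, including the Confidence; hoisting it once per function as `timestamp = getDateFromTimestamp(int(attribute["timestamp"]))` and passing `timestamp=timestamp` matches what generateEventPackage already does for the event. `int()` on that field raises ValueError for a non-numeric value and KeyError if the key is absent, so if attributes from older exports can lack it this needs a guard; I cannot tell from here. getDateFromTimestamp is defined outside these hunks (only its header comment is visible), and if it returns a naive datetime the serialized STIX timestamps carry no UTC offset, which is worth stating in that comment, e.g. `# converts a MISP epoch timestamp to a UTC datetime for STIX (confirm the value is interpreted as UTC)`. Each of these hunks cuts through its function body, so the surrounding code is not visible.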