added tests, also disregards related_observables. Because they're useless

pull/41/head
Hannah Ward 2016-08-12 12:16:49 +01:00
parent a34014e245
commit c02a452c05
No known key found for this signature in database
GPG Key ID: BA89E572EE1B4C5F
3 changed files with 354 additions and 6 deletions

View File

@ -135,13 +135,17 @@ def buildObservable(o):
""" """
#Life is easier with json #Life is easier with json
o = json.loads(o.to_json()) if not isinstance(o, dict):
o = json.loads(o.to_json())
#Make a new record to store values in #Make a new record to store values in
r = {"values":[]} r = {"values":[]}
#Get the object properties. This contains all the #Get the object properties. This contains all the
#fun stuff like values #fun stuff like values
if "observable_composition" in o:
#May as well be useless
return r
props = o["object"]["properties"] props = o["object"]["properties"]
#If it has an address_value field, it's gonna be an address #If it has an address_value field, it's gonna be an address

331
tests/stix.xml Normal file
View File

@ -0,0 +1,331 @@
<stix:STIX_Package
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
xmlns:campaign="http://stix.mitre.org/Campaign-1"
xmlns:ciqIdentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:et="http://stix.mitre.org/ExploitTarget-1"
xmlns:bae="http://bae.com"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:ta="http://stix.mitre.org/ThreatActor-1"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:xal="urn:oasis:names:tc:ciq:xal:3"
xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3"
xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="bae:Package-f0b927dd-9356-49ba-8f56-6d9f3d42fe25" version="1.1.1">
<stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable id="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
<cybox:Title>CNC Server 1</cybox:Title>
<cybox:Object id="bae:Address-6e6990d8-20b6-4482-97a2-55732c993982">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
<AddressObj:Address_Value>82.146.166.56</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
<cybox:Title>CNC Server 2</cybox:Title>
<cybox:Object id="bae:Address-00dc7361-ca55-48ef-8529-72a3ac9c58d7">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
<AddressObj:Address_Value>209.239.79.47</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
<cybox:Title>CNC Server 3</cybox:Title>
<cybox:Object id="bae:Address-bbbbdcad-e8f5-449d-99d3-264de0ed512e">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
<AddressObj:Address_Value>41.213.121.180</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
<cybox:Title>Watering Hole Wordpress</cybox:Title>
<cybox:Object id="bae:Address-c0e85056-de10-44f7-a600-73144514e7a1">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address_Value>eu-society.com</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
<cybox:Title>Watering Hole Wordpress</cybox:Title>
<cybox:Object id="bae:Address-ae972731-3b33-4fb1-bab6-053b0056deb5">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address_Value>aromatravel.org</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
<cybox:Title>Watering Hole Wordpress</cybox:Title>
<cybox:Object id="bae:Address-f0d9ef90-af2d-462d-aa69-bfd55da9e65c">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address_Value>bss.servebbs.com</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicators>
<stix:Indicator id="bae:indicator-1c3fc03e-86dc-4440-9e95-8b9964f03b92" timestamp="2016-07-04T15:17:14.479542+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Watering Hole Detected</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
<indicator:Observable id="bae:Observable-4e173154-e739-4917-86e8-8b30e4cf39e5">
<cybox:Observable_Composition operator="OR">
<cybox:Observable idref="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
</cybox:Observable_Composition>
</indicator:Observable>
</stix:Indicator>
<stix:Indicator id="bae:indicator-e5ff413f-074e-41fe-ab20-6d0e0bf10f9c" timestamp="2016-07-04T15:17:14.480747+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>CnC Beaconing Detected</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">C2</indicator:Type>
<indicator:Observable id="bae:Observable-f4695e3e-5a27-4889-ba48-456b14146911">
<cybox:Observable_Composition operator="OR">
<cybox:Observable idref="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
</cybox:Observable>
<cybox:Observable idref="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
</cybox:Observable>
<cybox:Observable idref="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
</cybox:Observable>
</cybox:Observable_Composition>
</indicator:Observable>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP id="bae:ttp-801d59e9-28c2-4016-976e-011dcab22cfd" timestamp="2016-07-04T15:17:14.479244+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Malware CnC Channels</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.479332+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Type xsi:type="stixVocabs:AttackerInfrastructureTypeVocab-1.0">Hosting</ttp:Type>
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable idref="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
</cybox:Observable>
<cybox:Observable idref="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
</cybox:Observable>
<cybox:Observable idref="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
</cybox:Observable>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
<stix:TTP id="bae:ttp-62c59e28-9480-4080-ad20-6b4092cb118d" timestamp="2016-07-04T15:17:14.476428+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Fingerprinting and whitelisting during watering-hole operations</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477552+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Type xsi:type="stixVocabs:AttackerInfrastructureTypeVocab-1.0">Domain Registration</ttp:Type>
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable idref="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-7ffb9e3d-688a-4ec4-8919-f8ccb91d4b59" timestamp="2016-07-04T15:17:14.476589+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Spear-phishing in tandem with 0-day exploits</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477592+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-f13297d6-0963-4a74-89dc-12745db39845" timestamp="2016-07-04T15:17:14.476707+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Infiltration of organisations via third party supplier/partner</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477629+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-78aef1ee-8c7d-4a6e-87cc-a4471b29ac45" timestamp="2016-07-04T15:17:14.476822+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Custom recon tool to compromise and identify credentials of the network</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477665+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-3a5f9a19-fa56-4b7d-ad7f-df64b7efdf98" timestamp="2016-07-04T15:17:14.476932+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Multiple means of C2 communications given the diversity of the attacker toolset</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477708+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-e08d9d94-0294-4fa7-9e1d-8f1e087e3dc0" timestamp="2016-07-04T15:17:14.477046+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>rootkit communicates during the same time as network activity, encoded with an XOR key</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477744+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-898d58cd-369c-4b76-892b-2f5ced35cf0e" timestamp="2016-07-04T15:17:14.477159+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Kernel-centric rootkit waits for network trigger before launching</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477779+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-fb1ac371-8e28-48d9-8905-03f54bd546ee" timestamp="2016-07-04T15:17:14.477269+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Kernel centric exfiltration over TCP/UDP/DNS/ICMP/HTTP</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477814+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-27872de0-c3ce-425d-9348-8f1439645398" timestamp="2016-07-04T15:17:14.477382+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Exfiltration over HTTP/HTTPS</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477849+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-c3a4fec7-00b7-4efb-adf9-a38feee005fe" timestamp="2016-07-04T15:17:14.477499+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Use of previously undocumented functions in their Kernel centric attacks</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477888+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
</ttp:Intended_Effect>
</stix:TTP>
<stix:Kill_Chains>
<stixCommon:Kill_Chain id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" definer="LMCO" name="LM Cyber Kill Chain">
<stixCommon:Kill_Chain_Phase ordinality="1" name="Reconnaissance" phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a"/>
<stixCommon:Kill_Chain_Phase ordinality="2" name="Weaponization" phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16"/>
<stixCommon:Kill_Chain_Phase ordinality="3" name="Delivery" phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d"/>
<stixCommon:Kill_Chain_Phase ordinality="4" name="Exploitation" phase_id="stix:TTP-f706e4e7-53d8-44ef-967f-81535c9db7d0"/>
<stixCommon:Kill_Chain_Phase ordinality="5" name="Installation" phase_id="stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f"/>
<stixCommon:Kill_Chain_Phase ordinality="6" name="Command and Control" phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2"/>
<stixCommon:Kill_Chain_Phase ordinality="7" name="Actions on Objectives" phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6"/>
</stixCommon:Kill_Chain>
</stix:Kill_Chains>
</stix:TTPs>
<stix:Exploit_Targets>
<stixCommon:Exploit_Target id="bae:et-ca916690-1221-46b3-8e69-dabd46018892" timestamp="2016-07-04T15:17:14.480615+00:00" xsi:type='et:ExploitTargetType'>
<et:Title>Privilage Escalation Vulnerability</et:Title>
<et:Vulnerability>
<et:CVE_ID>CVE-2013-5065</et:CVE_ID>
</et:Vulnerability>
</stixCommon:Exploit_Target>
</stix:Exploit_Targets>
<stix:Campaigns>
<stix:Campaign id="bae:campaign-2b81268f-c0f0-4bd4-aa63-a880dc05ed82" timestamp="2016-07-04T15:17:14.478248+00:00" xsi:type='campaign:CampaignType'>
<campaign:Title>The Epic Turla Campaign</campaign:Title>
<campaign:Description>The Epic Turla Campaign</campaign:Description>
<campaign:Intended_Effect timestamp="2016-07-04T15:17:14.478460+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
</campaign:Intended_Effect>
<campaign:Attribution>
<campaign:Attributed_Threat_Actor>
<stixCommon:Threat_Actor idref="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" xsi:type='ta:ThreatActorType'>
</stixCommon:Threat_Actor>
</campaign:Attributed_Threat_Actor>
</campaign:Attribution>
</stix:Campaign>
<stix:Campaign id="bae:campaign-53a0ca81-b065-431a-b043-0457b0bcfffa" timestamp="2016-07-04T15:17:14.478394+00:00" xsi:type='campaign:CampaignType'>
<campaign:Title>SNAKE Campaign</campaign:Title>
<campaign:Description>The SNAKE Campaign</campaign:Description>
<campaign:Intended_Effect timestamp="2016-07-04T15:17:14.478500+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
</campaign:Intended_Effect>
<campaign:Attribution>
<campaign:Attributed_Threat_Actor>
<stixCommon:Threat_Actor idref="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" xsi:type='ta:ThreatActorType'>
</stixCommon:Threat_Actor>
</campaign:Attributed_Threat_Actor>
</campaign:Attribution>
</stix:Campaign>
</stix:Campaigns>
<stix:Threat_Actors>
<stix:Threat_Actor id="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" timestamp="2016-07-04T15:17:14.454074+00:00" xsi:type='ta:ThreatActorType'>
<ta:Title>SNAKE</ta:Title>
<ta:Description>
The group behind the SNAKE campaign are a top tier nation-state threat. Their capabilities extend from subtle watering-hole attacks to sophisticated server rootkits virtually undetectable by conventional security products.
This threat actor group has been operating continuously for over a decade, infiltrating governments and strategic private sector networks in that time. The most notorious of their early campaigns led to a breach of classified US military systems, an extensive clean-up called Operation Buckshot Yankee, and led to the creation of the US Cyber Command.
Whilst the sophisticated rootkit is used for persistent access to networks, the group also leverage more straight-forward capabilities for gaining an initial toe-hold on targets. This includes the use of watering-hole attacks and basic remote access tools.
</ta:Description>
<ta:Short_Description>
The group behind the SNAKE campaign are a top tier nation-state threat. Their capabilities extend from subtle watering-hole attacks to sophisticated server rootkits virtually undetectable by conventional security products.
</ta:Short_Description>
<ta:Identity xsi:type="ciqIdentity:CIQIdentity3.0InstanceType">
<ExtSch:Specification xmlns:ExtSch="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1">
<xpil:PartyName xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="OfficialName">
<xnl:NameElement>SNAKE</xnl:NameElement>
</xnl:OrganisationName>
<xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="OfficialName">
<xnl:NameElement>Turla</xnl:NameElement>
</xnl:OrganisationName>
<xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="UnofficialName">
<xnl:NameElement>WRAITH</xnl:NameElement>
</xnl:OrganisationName>
</xpil:PartyName>
<xpil:Addresses xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xpil:Address>
<xal:Country xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
<xal:NameElement>Russia</xal:NameElement>
</xal:Country>
<xal:AdministrativeArea xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
<xal:NameElement>Moscow</xal:NameElement>
</xal:AdministrativeArea>
</xpil:Address>
</xpil:Addresses>
<xpil:ElectronicAddressIdentifiers xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xpil:ElectronicAddressIdentifier>snake@gmail.com</xpil:ElectronicAddressIdentifier>
<xpil:ElectronicAddressIdentifier>twitter.com/snake</xpil:ElectronicAddressIdentifier>
</xpil:ElectronicAddressIdentifiers>
<xpil:Languages xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xpil:Language>Russian</xpil:Language>
</xpil:Languages>
</ExtSch:Specification>
</ta:Identity>
<ta:Motivation timestamp="2016-07-04T15:17:14.475968+00:00">
<stixCommon:Value xsi:type="stixVocabs:MotivationVocab-1.1">Political</stixCommon:Value>
</ta:Motivation>
<ta:Sophistication timestamp="2016-07-04T15:17:14.454350+00:00">
<stixCommon:Value xsi:type="stixVocabs:ThreatActorSophisticationVocab-1.0">Expert</stixCommon:Value>
</ta:Sophistication>
<ta:Intended_Effect timestamp="2016-07-04T15:17:14.476056+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
</ta:Intended_Effect>
<ta:Intended_Effect timestamp="2016-07-04T15:17:14.476095+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Intellectual Property</stixCommon:Value>
</ta:Intended_Effect>
</stix:Threat_Actor>
</stix:Threat_Actors>
</stix:STIX_Package>

View File

@ -3,24 +3,37 @@
import unittest import unittest
import requests import requests
import base64
import json
class TestModules(unittest.TestCase): class TestModules(unittest.TestCase):
def setUp(self): def setUp(self):
self.maxDiff = None self.maxDiff = None
self.headers = {'Content-Type': 'application/json'} self.headers = {'Content-Type': 'application/json'}
self.url = "http://127.0.0.1:6666/"
def test_introspection(self): def test_introspection(self):
response = requests.get('http://127.0.0.1:6666/modules') response = requests.get(self.url + "modules")
print(response.json()) print(response.json())
def test_cve(self): def test_cve(self):
with open('tests/bodycve.json', 'r') as f: with open('tests/bodycve.json', 'r') as f:
response = requests.post('http://127.0.0.1:6666/query', data=f.read()) response = requests.post(self.url + "query", data=f.read())
print(response.json()) print(response.json())
def test_dns(self): def test_dns(self):
with open('tests/body.json', 'r') as f: with open('tests/body.json', 'r') as f:
response = requests.post('http://127.0.0.1:6666/query', data=f.read()) response = requests.post(self.url + "query", data=f.read())
print(response.json()) print(response.json())
def test_stix(self):
with open("tests/stix.xml", "r") as f:
data = json.dumps({"module":"stiximport",
"data":str(base64.b64encode(bytes(f.read(), 'utf-8')), 'utf-8')
})
response = requests.post(self.url + "query", data=data)
print(response.json())
if __name__ == '__main__':
unittest.main()