示例1: build_stix
# 需要导入模块: from stix.core import STIXHeader [as 别名]
# 或者: from stix.core.STIXHeader import handling [as 别名]
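def build_stix(input_dict):
    """Build a STIX package reporting a single incident.

    Args:
        input_dict: mapping with the keys ``organization``, ``sensitive``,
            ``description``, ``confidence``, ``timestamp`` (``YYYY-MM-DD``),
            ``submitter``, ``damage`` and ``asset``.

    Returns:
        A ``STIXPackage`` whose header carries a "Sensitive" marking when
        requested and which holds one ``Incident`` with reporter, discovery
        time, impact, affected asset and victim taken from ``input_dict``.

    Raises:
        KeyError: a required key is missing from ``input_dict``.
        ValueError: ``timestamp`` is not in ``%Y-%m-%d`` form.
    """
    organization = input_dict['organization']
    # The same submission date feeds both the reporter time and the discovery
    # time; parse it once so a malformed value fails before any object exists.
    submitted = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d")

    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "Incident report for " + organization
    stix_header.add_package_intent("Incident")

    # Add handling requirements if needed. The flag may arrive as the string
    # "True" (web form) or as a real bool (JSON); previously only the exact
    # string was honoured, so a bool True silently lost its Sensitive marking.
    # Normalising through str() keeps the marking on every spelling of true.
    if str(input_dict['sensitive']).strip().lower() == "true":
        mark = SimpleMarkingStructure()
        mark.statement = "Sensitive"
        mark_spec = MarkingSpecification()
        mark_spec.marking_structures.append(mark)
        stix_header.handling = Marking(mark_spec)
    stix_package.stix_header = stix_header

    # add incident and confidence
    incident = Incident()
    incident.title = "Breach of " + organization
    incident.description = input_dict['description']
    incident.confidence = input_dict['confidence']

    # add incident reporter
    incident.reporter = InformationSource()
    incident.reporter.description = "Person who reported the incident"
    incident.reporter.time = Time()
    incident.reporter.time.produced_time = submitted  # when they submitted it
    incident.reporter.identity = Identity()
    incident.reporter.identity.name = input_dict['submitter']

    # incident time is a complex object with support for a bunch of different
    # "when stuff happened" items; only the discovery time is known here and
    # it is the submission date
    incident.time = incidentTime()
    incident.time.incident_discovery = submitted

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(input_dict['damage'])
    incident.impact_assessment = impact

    # Add the thing that was stolen
    jewels = AffectedAsset()
    jewels.type_ = input_dict['asset']
    incident.add_affected_asset(jewels)

    # add the victim
    incident.add_victim(organization)
    stix_package.add_incident(incident)
    return stix_package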
示例2: build_stix
# 需要导入模块: from stix.core import STIXHeader [as 别名]
# 或者: from stix.core.STIXHeader import handling [as 别名]
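def _split_ids(value):
    """Return the non-empty, whitespace-stripped ids in a comma-separated string.

    A falsy *value* (``None``, ``""``) yields an empty list, which is how the
    caller signals "no objects of this kind"; stray spaces or a trailing
    comma no longer produce an id that the database lookup cannot match.
    """
    if not value:
        return []
    return [token.strip() for token in value.split(',') if token.strip()]


def build_stix(input_dict):
    """Build a STIX package holding a Report assembled from stored objects.

    Args:
        input_dict: mapping with ``title``, an optional ``marking`` statement
            and one comma-separated id list per component kind: ``incidents``,
            ``ttps``, ``indicators``, ``observables``, ``threatActors``,
            ``targets``, ``coas`` and ``campaigns``.

    Returns:
        A ``STIXPackage`` whose header carries the marking (when given) and
        whose single ``Report`` references every object looked up by id.

    Raises:
        KeyError: a required key is missing from ``input_dict``.
    """
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "TTP " + input_dict['title']
    # Add handling requirements if needed
    if input_dict['marking']:
        mark = SimpleMarkingStructure()
        mark.statement = input_dict['marking']
        mark_spec = MarkingSpecification()
        mark_spec.marking_structures.append(mark)
        stix_header.handling = Marking(mark_spec)
    stix_package.stix_header = stix_header

    report = Report()
    # One row per component kind: the input key holding the id list, the
    # lookup query, the row->object builder and the Report method that
    # attaches the built object. Every query is a fixed literal with a bound
    # parameter, so no text from input_dict ever reaches the SQL.
    sections = (
        ('incidents', 'select * from incidents where id = ?', buildIncident, report.add_incident),
        ('ttps', 'select * from ttps where id = ?', buildTtp, report.add_ttp),
        ('indicators', 'select * from indicators where id = ?', buildIndicator, report.add_indicator),
        ('observables', 'select * from observables where id = ?', buildObservable, report.add_observable),
        ('threatActors', 'select * from threatActors where id = ?', buildThreatActor, report.add_threat_actor),
        ('targets', 'select * from targets where id = ?', buildTarget, report.add_exploit_target),
        ('coas', 'select * from coas where id = ?', buildCoa, report.add_course_of_action),
        ('campaigns', 'select * from campaigns where id = ?', buildCampaign, report.add_campaign),
    )
    for key, query, build, attach in sections:
        for each in _split_ids(input_dict[key]):
            result = query_db(query, [each], one=True)
            attach(build(result))

    stix_package.add_report(report)
    return stix_package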
示例3: create_cybox_object
# 需要导入模块: from stix.core import STIXHeader [as 别名]
# 或者: from stix.core.STIXHeader import handling [as 别名]
def create_cybox_object(self, jdict, whitelist, config):
    """Turn one sandbox analysis report (``jdict``) into CybOX objects.

    Only reports whose ``target.category`` is ``file`` are handled; URL
    reports and reports without target information return ``None`` early.
    The analysed file becomes the main object and every other artefact
    (carrying email, PE details, contacted domains/addresses, HTTP sessions,
    DNS queries, dropped files) is attached to it as a related object.

    Args:
        jdict: parsed sandbox report; the keys read here are ``target``,
            ``static``, ``network`` (``domains``/``http``/``dns``),
            ``dropped`` and ``virustotal``.
        whitelist: handed to the domain, HTTP and DNS builders; presumably a
            list of benign names to leave out -- confirm against those helpers.
        config: mapping read for ``attachemail``, ``referenceemail``,
            ``xmlns`` and ``namespace``.

    NOTE(review): the visible code ends before the STIX package is built, so
    the return value of the success path is not shown here.
    """
    listObservables = []
    # Side effect: the CybOX ID namespace is process-global state, so every
    # object created after this call (by any caller) carries this namespace.
    NS = cybox.utils.Namespace("cert.siemens.com", "siemens_cert")
    cybox.utils.set_id_namespace(NS)
    # The bare string "statements" below are no-op expressions used as section
    # banners; they are kept verbatim here because they are code, not comments.
    """ store information about malware binary that was analyzed """
    if 'target' in jdict and 'category' in jdict['target'] and jdict['target']['category'] == 'file':
        log.debug("handling File information ...")
        main_file_object = self.__create_cybox_main_file(jdict['target']['file'])
        # The report's MD5 is the key used to look up the carrying email below.
        file_md5 = jdict['target']['file']['md5']
    elif 'target' in jdict and 'category' in jdict['target'] and jdict['target']['category'] == 'url':
        log.warning("Not a file analysis report! URL reports not handled")
        return
    else:
        log.error("No target information in report ... skipping")
        return
    """ try to find email that dropped this attachment """
    if config["attachemail"] or config["referenceemail"]:
        log.info("handling email attack vector information ...")
        # BUG(review): this branch binds ``email_observables_list``, but the
        # observable assembly further down reads ``email_observables``, which
        # is only bound in the else branch. With attachemail set, the
        # ``len(email_observables)`` check raises UnboundLocalError.
        email_object_properties, email_observables_list, email_stix_path_tuple_list = self.__check_malware_mailing_list(file_md5, log, config)
        if email_object_properties and len(email_object_properties)>0:
            for email_object in email_object_properties:
                main_file_object.add_related(email_object, "Contained_Within", inline=False)
        else:
            log.warning("failed linking mail object (no objects to link)")
            email_stix_path_tuple_list = []
    else:
        # email_object is bound here but not read in the visible code
        email_object = None
        email_observables = []
        email_stix_path_tuple_list = []
    """ store extended information about malware file """
    if 'static' in jdict:
        log.debug("handling extended File information ...")
        win_executable_extension = self.__create_cybox_win_executable(jdict['target']['file'], jdict['static'])
        if win_executable_extension:
            main_file_object.add_related(win_executable_extension, "Characterized_By", inline=False)
            # wrapped in a list so it can be concatenated into the observable list below
            win_executable_extension = [win_executable_extension]
    else:
        log.warning("No extended File information found")
        win_executable_extension = []
    """ store domains connected to """
    if 'network' in jdict and 'domains' in jdict['network']:
        log.debug("handling Domain information ...")
        domains, addresses = self.__create_cybox_domains(jdict['network']['domains'], whitelist)
        for dom in domains:
            main_file_object.add_related(dom, 'Connected_To', inline=False)
    else:
        domains = []
        addresses = []
    """ store http session information """
    if 'network' in jdict and 'http' in jdict['network']:
        log.debug("handling HTTP information ...")
        http_requests = self.__create_cybox_https(jdict['network']['http'], whitelist)
        for session in http_requests:
            main_file_object.add_related(session, 'Connected_To', inline=False)
    else:
        http_requests = []
    """ store dns queries information about the malware """
    if 'network' in jdict and 'dns' in jdict['network']:
        log.debug("handling DNS information ...")
        queries = self.__create_cybox_dns_queries(jdict['network']['dns'], whitelist)
        for query in queries:
            main_file_object.add_related(query, 'Connected_To', inline=False)
    else:
        queries = []
    """ store information about dropped files """
    if 'dropped' in jdict:
        log.debug('handling dropped files ...')
        # the parent's SHA-256 is passed so dropped files can be tied to it
        dropped = self.__create_cybox_dropped_files(jdict['dropped'], jdict['target']['file']['sha256'])
        for drop in dropped:
            main_file_object.add_related(drop, 'Dropped', inline=False)
    else:
        dropped = []
    """ store virustotal information """
    if 'virustotal' in jdict and 'positives' in jdict['virustotal']:
        log.debug('handling virustotal information ...')
        vtInformationTools = self.__create_stix_virustotal(jdict['virustotal'], log, config)
        vtFound = True
    else:
        vtInformationTools = []
        vtFound = False
    """ create observables """
    # See the BUG note in the email branch: ``email_observables`` is unbound
    # whenever attachemail is set, so the first branch cannot currently run.
    if config["attachemail"] and len(email_observables)>0:
        obs = Observables([main_file_object]+email_observables+win_executable_extension+domains+addresses+http_requests+dropped+queries)
    else:
        obs = Observables([main_file_object]+win_executable_extension+domains+addresses+http_requests+dropped+queries)
    """ generate stix id with siemens namespace """
    # config was already indexed unconditionally in the email section above,
    # so a falsy config cannot reach this point; the fallback branch is
    # effectively dead and the generator always uses the configured namespace.
    if config:
        stix_id_generator = stix.utils.IDGenerator(namespace={config["xmlns"]: config["namespace"]})
    else:
        stix_id_generator = stix.utils.IDGenerator(namespace={"cert.siemens.com": "siemens_cert"})
    """ create stix package """
#.........这里部分代码省略.........
示例4: main
# 需要导入模块: from stix.core import STIXHeader [as 别名]
# 或者: from stix.core.STIXHeader import handling [as 别名]
def main():
    """Read a Shadowserver botnet-C2 CSV and emit a STIX package of IP indicators.

    Command line: ``--infile``/``-f`` names the input CSV (default ``bots.csv``).
    The package header carries the Shadowserver terms-of-service statement as
    its handling marking and names MITRE as the transforming source; each IP
    address in a row becomes an Indicator pointing at one shared "Botnet C2"
    TTP, with a Sighting that references an Observable of the address.

    NOTE(review): the visible code ends inside the per-IP loop (the port
    pattern is being filled), so output and cleanup are not shown here.
    """
    # get args
    parser = argparse.ArgumentParser ( description = "Parse a given CSV from Shadowserver and output STIX XML to stdout"
    , formatter_class=argparse.ArgumentDefaultsHelpFormatter )
    parser.add_argument("--infile","-f", help="input CSV with bot data", default = "bots.csv")
    args = parser.parse_args()
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Bot Server IP addresses"
    stix_header.description = "IP addresses connecting to bot control servers at a given port"
    stix_header.add_package_intent ("Indicators - Watchlist")
    # add marking: the data-use terms travel with the package as a handling
    # statement, so every consumer of the STIX sees the Shadowserver ToS
    mark = Marking()
    markspec = MarkingSpecification()
    markstruct = SimpleMarkingStructure()
    markstruct.statement = "Usage of this information, including integration into security mechanisms implies agreement with the Shadowserver Terms of Service available at https://www.shadowserver.org/wiki/pmwiki.php/Shadowserver/TermsOfService"
    markspec.marking_structures.append(markstruct)
    mark.add_marking(markspec)
    stix_header.handling = mark
    # include author info
    stix_header.information_source = InformationSource()
    stix_header.information_source.time = Time()
    # tzutc is not a stdlib name; presumably dateutil.tz, giving a
    # timezone-aware UTC produced time -- confirm against the imports
    stix_header.information_source.time.produced_time =datetime.now(tzutc())
    stix_header.information_source.tools = ToolInformationList()
    stix_header.information_source.tools.append("ShadowBotnetIP-STIXParser")
    stix_header.information_source.identity = Identity()
    stix_header.information_source.identity.name = "MITRE STIX Team"
    stix_header.information_source.add_role(VocabString("Format Transformer"))
    # Shadowserver is recorded as the originating publisher, nested under
    # MITRE's information source as a contributing source
    src = InformationSource()
    src.description = "https://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP"
    srcident = Identity()
    srcident.name = "shadowserver.org"
    src.identity = srcident
    src.add_role(VocabString("Originating Publisher"))
    stix_header.information_source.add_contributing_source(src)
    stix_package.stix_header = stix_header
    # add TTP for overall indicators: a single TTP that every indicator
    # references by id rather than embedding its own copy
    bot_ttp = TTP()
    bot_ttp.title = 'Botnet C2'
    bot_ttp.resources = Resource()
    bot_ttp.resources.infrastructure = Infrastructure()
    bot_ttp.resources.infrastructure.title = 'Botnet C2'
    stix_package.add_ttp(bot_ttp)
    # read input data
    # NOTE(review): the handle is not closed anywhere in the visible code, and
    # "rb" with csv.DictReader is the Python 2 convention; on Python 3 the csv
    # module needs a text-mode file (newline="").
    fd = open (args.infile, "rb")
    infile = csv.DictReader(fd)
    for row in infile:
        # split indicators out, may be 1..n with positional storage, same port and channel, inconsistent delims
        domain = row['Domain'].split()
        country = row['Country'].split()
        region = row['Region'].split('|')
        state = row['State'].split('|')
        asn = row['ASN'].split()
        asname = row['AS Name'].split()
        asdesc = row['AS Description'].split('|')
        # index is bound here but not read in the visible part of the loop
        index = 0
        for ip in row['IP Address'].split():
            indicator = Indicator()
            indicator.title = "IP indicator for " + row['Channel']
            indicator.description = "Bot connecting to control server"
            # point to overall TTP (by idref, see bot_ttp above)
            indicator.add_indicated_ttp(TTP(idref=bot_ttp.id_))
            # add our IP and port
            sock = SocketAddress()
            sock.ip_address = ip
            # add sighting; the timestamp is left empty rather than taken from
            # the row, so consumers get no "when" for this sighting
            sight = Sighting()
            sight.timestamp = ""
            # the Observable embeds the address, the Sighting refers to it by
            # id, and the package holds the full object
            obs = Observable(item=sock.ip_address)
            obsref = Observable(idref=obs.id_)
            sight.related_observables.append(obsref)
            indicator.sightings.append(sight)
            stix_package.add_observable(obs)
            # add pattern for indicator; the port is taken as the raw CSV
            # string from row['Port'] -- presumably cybox coerces it, confirm
            sock_pattern = SocketAddress()
            sock_pattern.ip_address = ip
            port = Port()
            port.port_value = row['Port']
#.........这里部分代码省略.........