Phishing example with Stix / CyBox
| # Copyright (c) 2013, The MITRE Corporation. All rights reserved. | |
| # See LICENSE.txt for complete terms. | |
| ''' | |
| File: ex_02.py | |
| Description: Build a STIX Indicator document containing a File observable with an associated hash. | |
| ''' | |
| from datetime import datetime | |
| from stix.indicator import Indicator | |
| from stix.core import STIXPackage, STIXHeader | |
| from cybox.common import Hash | |
| from cybox.objects.file_object import File | |
| from cybox import helper | |
| from cybox.core import Observables | |
def step(_url, _ip, _file, _hash, _title, _desc, _producer):
    """Build one STIX Indicator holding a URL, an IPv4 and a file-hash observable.

    Every argument is handed to the cybox ``helper`` factories untouched; no
    validation or normalisation happens here, so callers are responsible for
    passing values the helpers accept (their exact contract is not visible in
    this file).

    Args:
        _url: URL string, wrapped as a URL observable.
        _ip: IPv4 address string, wrapped as an address observable.
        _file: file name, wrapped as a File observable.
        _hash: hash value attached to that File observable.
        _title: indicator title.
        _desc: indicator description.
        _producer: producer identity recorded on the indicator.

    Returns:
        The populated ``Indicator``.
    """
    # Observables are created first, in the same order as before, then attached.
    observables = (
        helper.create_url_observable(_url),
        helper.create_ipv4_observable(_ip),
        helper.create_file_hash_observable(_file, _hash),
    )
    indicator = Indicator()
    indicator.title = _title
    indicator.description = _desc
    indicator.set_producer_identity(_producer)
    for observable in observables:
        indicator.add_observable(observable)
    return indicator
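def main():
    """Assemble the phishing scenario into a STIXPackage and print it as XML.

    Each ``step`` call describes one hop of the scenario (redirect page, fake
    form, credential collector, impersonated bank) as an Indicator carrying
    URL, IP and file-hash observables. All values are illustrative: the hosts
    are example / private addresses and one placeholder hash is reused on
    every step, so the output is a structural sample, not real intelligence.
    """
    # Shared sample values; when producing real indicators each step should
    # carry the hash of the file it actually describes.
    producer = "Badass"
    sample_hash = "94f93e00fd122466d68a6ae3b8c7f908"

    # Redirection
    redir = step(
        "http://www.example1.com/redir.php",
        "10.0.0.1",
        "redir.php",
        sample_hash,
        "Main redirection",
        "A redirection to the phishing website",
        producer)
    form = step(
        "http://www.example2.com/bank/form.html",
        "10.0.0.2",
        "form.html",
        sample_hash,
        "Form",
        "The Phishing website",
        producer)
    collector = step(
        "http://www.example2.com/bank/collector.php",
        "10.0.0.2",
        "collector.php",
        sample_hash,
        "Collector",
        "The Phishing collector",
        producer)
    # Fixed: this line read ``kit = = step(`` (a SyntaxError) in the original.
    # NOTE(review): ``kit`` is a verbatim copy of ``collector`` and is not part
    # of ``scenario``, so it never reaches the package -- presumably a
    # placeholder for a distinct phishing-kit indicator; decide whether to fill
    # it in and add it, or drop it.
    kit = step(
        "http://www.example2.com/bank/collector.php",
        "10.0.0.2",
        "collector.php",
        sample_hash,
        "Collector",
        "The Phishing collector",
        producer)
    # NOTE(review): the bank step reuses the collector's title/description, an
    # empty file name and the same placeholder hash -- looks copy-pasted. The
    # bank URL is presumably the impersonated legitimate site rather than
    # attacker infrastructure; labelling it as a collector would mislead any
    # consumer that turns these indicators into blocks or alerts. Confirm intent.
    bank = step(
        "http://www.bank.com",
        "10.0.0.3",
        "",
        sample_hash,
        "Collector",
        "The Phishing collector",
        producer)

    # Only these four hops are emitted, matching the original ordering.
    scenario = (redir, form, collector, bank)

    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "Example 02"
    stix_package.stix_header = stix_header
    for indicator in scenario:
        stix_package.add_indicator(indicator)

    print(stix_package.to_xml())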
# Script entry point: build and print the example package when run directly.
if __name__ == '__main__':
    main()