// main creates a STIX package, gives it an ID reference and the current
// timestamp, and prints the package as indented JSON.
func main() {
	pkg := stix.New()
	pkg.AddIdRef("company1:package-8ef29ed2-0e87-4dfa-b5c4-00788484be09")
	pkg.SetTimestampToNow()

	// The marshal error is discarded in this example; if marshalling fails
	// the output is an empty line.
	out, _ := json.MarshalIndent(pkg, "", " ")
	fmt.Println(string(out))
}
// main creates a STIX package with one indicator that carries two validity
// windows, and prints the package as indented JSON.
func main() {
	pkg := stix.New()
	indicator := pkg.NewIndicator()

	// Each call records one start/end pair; the 2015 window is added before
	// the 2014 one, exactly as in the original example.
	indicator.AddValidTimePosition("2015-01-01T00:00:00-0700", "2015-02-02T23:59:59-0700")
	indicator.AddValidTimePosition("2014-01-01T00:00:00-0700", "2014-02-02T23:59:59-0700")

	// The marshal error is discarded in this example; if marshalling fails
	// the output is an empty line.
	out, _ := json.MarshalIndent(pkg, "", " ")
	fmt.Println(string(out))
}
// main creates a STIX package with one indicator whose observable lists three
// URL values, and prints the package as indented JSON.
func main() {
	pkg := stix.New()

	indicator := pkg.NewIndicator()
	indicator.SetTimestampToNow()
	indicator.AddTitle("Attack 2015-02")
	// NOTE(review): the indicator is typed "IP Watchlist" although the
	// observable below holds URLs; "URL Watchlist" may have been intended.
	// Consumers that filter on indicator type could mis-route it. Confirm.
	indicator.AddType("IP Watchlist")

	props := indicator.NewObservable().GetObjectProperties()
	props.AddType("URL")
	for _, uri := range []string{
		"http://foo.com",
		"http://bar.com",
		"http://fooandbar.com",
	} {
		props.AddEqualsUriValue(uri)
	}

	// The marshal error is discarded in this example; if marshalling fails
	// the output is an empty line.
	out, _ := json.MarshalIndent(pkg, "", " ")
	fmt.Println(string(out))
}
// main creates a STIX package with one indicator that has two types and a
// handling block (controlled structure plus TLP marking), and prints the
// package as indented JSON.
func main() {
	pkg := stix.New()

	indicator := pkg.NewIndicator()
	indicator.SetTimestampToNow()
	indicator.AddTitle("Attack 2015-02")
	indicator.AddType("IP Watchlist")
	indicator.AddType("URL Watchlist")

	// The handling block carries the sharing restriction for the indicator.
	// It is attached only after both of its fields have been set.
	handling := stix.CreateHandling()
	handling.AddControlledStructure("Foobar")
	handling.AddTLPMarking("Red")
	indicator.AddHandling(handling)

	// The marshal error is discarded in this example; if marshalling fails
	// the output is an empty line.
	out, _ := json.MarshalIndent(pkg, "", " ")
	fmt.Println(string(out))
}
// main creates a STIX package with one indicator and fills in its identifying
// and descriptive fields (ID reference, version, timestamp, negate flag,
// title, type, alternative IDs, long and short descriptions), then prints the
// package as indented JSON.
func main() {
	pkg := stix.New()
	indicator := pkg.NewIndicator()

	// Identity and bookkeeping fields.
	indicator.AddIdRef("companyfoo:indicator-1234-1234-1234-1234")
	indicator.AddVersion("2.0.alpha")
	indicator.SetTimestampToNow()
	indicator.SetNegate(false)

	// Human-readable classification.
	indicator.AddTitle("Some really neat indicator that we found")
	indicator.AddType("URL Watchlist")
	indicator.AddAlternativeID("CV-2014-12-12345")
	indicator.AddAlternativeID("CV-2015-02-54321")

	// The first argument of both description calls is left empty here.
	indicator.AddDescriptionText("", "Some long description")
	indicator.AddShortDescriptionText("", "Some shorter description")

	// The marshal error is discarded in this example; if marshalling fails
	// the output is an empty line.
	out, _ := json.MarshalIndent(pkg, "", " ")
	fmt.Println(string(out))
}
// main creates a STIX package with one indicator, defines a seven-phase kill
// chain inside a TTP, links the indicator to the chain's third phase, and
// prints the package as indented JSON.
func main() {
	pkg := stix.New()

	indicator := pkg.NewIndicator()
	indicator.SetTimestampToNow()
	indicator.AddTitle("Attack 2015-02")

	// Create the TTP and the kill chain definition it will carry.
	tactics := ttp.Create()

	chain := stix.CreateKillChain()
	chain.CreateId()
	chain.AddDefiner("LMCO")
	chain.AddName("LM Cyber Kill Chain")
	chain.AddNumberOfPhases(7)
	chain.AddReference("http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html")

	chain.AddPhase(1, "Reconnaissance")
	chain.AddPhase(2, "Weaponization")
	chain.AddPhase(3, "Delivery")
	chain.AddPhase(4, "Exploitation")
	chain.AddPhase(5, "Installation")
	chain.AddPhase(6, "Command and Control")
	chain.AddPhase(7, "Actions on Objectives")

	tactics.AddKillChains(chain)

	// Read the IDs back from the kill chain. Index 2 is the third phase
	// added above ("Delivery").
	deliveryPhaseID := chain.KillChainPhase[2].PhaseId
	killChainID := chain.Id
	indicator.AddKillChainPhaseAndChain(deliveryPhaseID, killChainID)

	pkg.AddTTPs(tactics)

	// The marshal error is discarded in this example; if marshalling fails
	// the output is an empty line.
	out, _ := json.MarshalIndent(pkg, "", " ")
	fmt.Println(string(out))
}
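// createIndicatorsJSON builds a STIX package holding one indicator for the
// requested collection and returns it as indented JSON.
//
// "ip-watch-list" and "url-watch-list" are answered from a hard-coded list of
// IP addresses. "et-compromised-ips" is filled from the Emerging Threats
// compromised-IP feed, which is downloaded on every call. For any other
// collection name the indicator carries only its timestamp.
//
// An empty string is returned when the feed cannot be downloaded or read, or
// when the package cannot be marshalled, rather than a partially populated
// indicator.
//
// TODO (original author): pass the requested collection to the database, read
// the fields needed for the STIX message from there, extend the collections
// table with source data, and add a table for indicators / observables.
func (this *ServerType) createIndicatorsJSON(collectionName string) string {
	s := stix.New()
	i1 := s.NewIndicator()
	i1.SetTimestampToNow()

	switch collectionName {
	case "ip-watch-list", "url-watch-list":
		// NOTE(review): "url-watch-list" is answered with IP addresses typed
		// as an "IP Watchlist"; confirm that this is intended.
		list := []string{
			"176.119.3.108",
			"178.207.85.119",
			"178.63.174.153",
			"188.241.140.212",
			"14.138.73.47",
			"131.72.138.45",
			"62.84.51.39",
			"62.109.23.246",
			"5.101.113.169",
			"213.231.8.30",
			"208.43.25.52",
			"112.208.6.209",
			"115.239.248.87",
			"117.216.190.71",
			"131.72.139.233",
			"129.194.97.21",
			"162.244.35.229",
			"178.219.10.23",
			"184.154.124.203",
			"184.154.146.100",
			"184.154.146.101",
		}

		i1.AddTitle("Malicious IP Addresses")
		i1.AddType("IP Watchlist")

		properties_1 := i1.NewObservable().GetObjectProperties()
		properties_1.AddType("IP Address")
		for _, value := range list {
			properties_1.AddEqualsUriValue(value)
		}

	case "et-compromised-ips":
		const feedURL = "http://rules.emergingthreats.net/blockrules/compromised-ips.txt"

		// Producer: this server, with the upstream feed recorded as a
		// contributing source.
		source1 := stix.CreateInformationSource()
		source1.AddDescriptionText("The Test.FreeTAXII.com Server")
		source1.SetProducedTimeToNow()
		source1.AddReference("http://test.freetaxii.com")

		identity1 := stix.CreateIdentity()
		identity1.AddName("FreeTAXII")
		source1.AddIdentity(identity1)

		contribSource1 := stix.CreateInformationSource()
		identity2 := stix.CreateIdentity()
		identity2.AddName("Emerging Threats Compromised IPs")
		contribSource1.AddIdentity(identity2)
		contribSource1.AddReference(feedURL)
		source1.AddContributingSource(contribSource1)

		i1.AddProducer(source1)

		// NOTE(review): the feed is fetched over plain HTTP, so its content
		// is not authenticated in transit, and whatever it contains is
		// republished to consumers as indicators. http.Get also uses the
		// default client, which has no timeout, and the body is read without
		// a size cap. A client with a timeout, a bounded read and an HTTPS
		// source would address these; they need imports that are not visible
		// from this block.
		resp, err := http.Get(feedURL)
		if err != nil {
			// On error resp is nil; the original dereferenced it and
			// panicked.
			return ""
		}
		defer resp.Body.Close()

		if resp.StatusCode != http.StatusOK {
			// Do not turn an error page into a list of "indicators".
			return ""
		}

		rawhtmlbody, err := ioutil.ReadAll(resp.Body)
		if err != nil {
			return ""
		}

		i1.AddTitle("Compromised IP Addresses")
		i1.AddType("IP Watchlist")

		properties_1 := i1.NewObservable().GetObjectProperties()
		properties_1.AddType("IP Address")

		// NOTE(review): lines are only trimmed and checked for emptiness;
		// they are not validated as IP addresses before being published.
		for _, line := range strings.Split(string(rawhtmlbody), "\n") {
			value := strings.TrimSpace(line)
			if value == "" {
				continue
			}
			properties_1.AddEqualsUriValue(value)
		}
	}

	// Output is always indented. The original has a commented-out switch on
	// this.SysConfig.Poll.output that would select compact json.Marshal.
	data, err := json.MarshalIndent(s, "", " ")
	if err != nil {
		return ""
	}
	return string(data)
}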
// main builds a fully populated example: a STIX package with one indicator
// carrying identifying fields, two validity windows, a producer with two
// contributing sources, and a confidence statement that contains a nested
// confidence assertion. A second, negated indicator is added as well. The
// package is printed as indented JSON.
func main() {
	pkg := stix.New()
	indicator := pkg.NewIndicator()
	pkg.SetTimestampToNow()

	// Identifying and descriptive fields of the first indicator.
	indicator.AddIdRef("companyfoo:indicator-1234-1234-1234-1234")
	indicator.AddVersion("2.0")
	indicator.SetTimestampToNow()
	indicator.SetNegate(false)
	indicator.AddTitle("Some really neat indicator that we found")
	indicator.AddType("URL Watchlist")
	indicator.AddAlternativeID("CV-2014-12-12345")
	indicator.AddAlternativeID("CV-2015-02-54321")
	indicator.AddDescriptionText("", "Some long description")
	indicator.AddShortDescriptionText("", "Some shorter description")
	indicator.AddValidTimePosition("2015-01-01T00:00:00-0700", "2015-02-02T23:59:59-0700")
	indicator.AddValidTimePosition("2014-01-01T00:00:00-0700", "2014-02-02T23:59:59-0700")

	// Primary information source, used below both as the producer and as
	// the source of each confidence statement.
	producer := stix.CreateInformationSource()
	producer.AddDescription("Some details about this source")
	producer.AddStartTime("2015-01-01T11:12:13-0700")
	producer.AddEndTime("2015-01-05T11:12:13-0700")
	producer.AddProducedTime("2015-01-05T11:12:13-0700")
	producer.AddReceivedTime("2015-01-05T11:12:13-0700")
	producer.AddRoleDetail("MyRoleVocab-1.0", "http://example.com/MyRoleVocab-1.0.txt", "CIO")

	producerIdentity := stix.CreateIdentity()
	producerIdentity.CreateId()
	producerIdentity.AddIdRef("companyfoo:identity-1234-1234-1234-1234")
	producerIdentity.AddName("Lego Guy 1")
	producer.AddIdentity(producerIdentity)

	// Create contributing source 1
	firstContributor := stix.CreateInformationSource()
	firstContributor.AddDescription("Special source 1")
	firstIdentity := stix.CreateIdentity()
	firstIdentity.AddName("George the Lego Guy")
	firstContributor.AddIdentity(firstIdentity)

	// Create contributing source 2
	secondContributor := stix.CreateInformationSource()
	secondContributor.AddDescription("Special source 2")
	secondIdentity := stix.CreateIdentity()
	secondIdentity.AddName("Fred the Lego Guy")
	secondContributor.AddIdentity(secondIdentity)

	producer.AddContributingSource(firstContributor)
	producer.AddContributingSource(secondContributor)
	producer.AddReference("http://foo.com/foo.txt")
	producer.AddReference("http://bar.com/bar.txt")

	// Outer confidence statement.
	confidence := stix.CreateConfidence()
	confidence.CreateTimeStamp()
	confidence.AddTimeStampPrecision("0.0")
	confidence.AddValueDetail("MyConfidenceVocab-1.0", "http://example.com/MyConfidenceVocab-1.0.txt", "Super Sure")
	confidence.AddDescription("We are super sure about this one")
	confidence.AddSource(producer)

	// Nested assertion, attached to the outer statement once it is complete.
	assertion := stix.CreateConfidence()
	assertion.CreateTimeStamp()
	assertion.AddTimeStampPrecision("0.0")
	assertion.AddValueDetail("MyConfidenceVocab-1.0", "http://example.com/MyConfidenceVocab-1.0.txt", "Super Sure")
	assertion.AddDescription("These people are more sure")
	assertion.AddSource(producer)
	confidence.AddConfidenceAssertion(assertion)

	indicator.AddConfidence(confidence)
	indicator.AddProducer(producer)

	// Second indicator: only the negate flag is set.
	negated := pkg.NewIndicator()
	negated.SetNegate(true)

	// Debug prints left disabled by the original author (they refer to the
	// package by its original local name, s):
	// fmt.Println(s.STIXPackage.Id)
	// fmt.Println(s.STIXPackage.Indicators[0].Title)
	// fmt.Println(s.STIXPackage.Indicators[0].Type[0].Value)
	// fmt.Println(s.STIXPackage.Indicators[0].Producer.Identity.Name)
	// fmt.Println(i)

	// The marshal error is discarded in this example; if marshalling fails
	// the output is an empty line.
	out, _ := json.MarshalIndent(pkg, "", " ")
	fmt.Println(string(out))
}