cti-users message



Subject: Real world example of where CTI can help


For any CTI evangelist interested in writing on it (I'm too lazy today),
I find this WordPress infection campaign a good opportunity for a real-world
(easy to understand) public example of where and how CTI should have helped.
Ref.: https://hacked.com/hijacked-wordpress-websites-infect-visitors-malware/

(even if we missed this one:
http://making-security-measurable.1364806.n2.nabble.com/STIX-Community-Indicator-Profiles-tp7584593p7584723.html)
<?php
	//The IP normally comes from an HTTP request (e.g. the source of a brute-force attempt
	//seen by a WordPress plugin), so it is untrusted input and is validated inside the function.
	write_STIX_IP_Watchlist('127.0.0.1');

	function write_STIX_IP_Watchlist($ip)
	{
		//Create a new STIX package from a sample
		//here https://raw.github.com/STIXProject/schemas/version_1.1.1/samples/STIX_IP_Watchlist.xml
		//Example use: as "WP-STIX" in https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
		//	CAPEC-49: Password Brute Forcing
		/*
		Copyright (C) 2014  Jerome Athias

		This program is free software: you can redistribute it and/or modify
		it under the terms of the GNU General Public License as published by
		the Free Software Foundation, either version 3 of the License, or
		(at your option) any later version.

		This program is distributed in the hope that it will be useful,
		but WITHOUT ANY WARRANTY; without even the implied warranty of
		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
		GNU General Public License for more details.

		You should have received a copy of the GNU General Public License
		along with this program.  If not, see <http://www.gnu.org/licenses/>.
		*/

		//Refuse anything that is not a syntactically valid IPv4/IPv6 address: the value is
		//written verbatim into the XML and later consumed by other parties.
		if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
			exit('ERROR: not a valid IP address.');
		}

		date_default_timezone_set('UTC');

		if (!file_exists('STIX_IP_Watchlist.xml')) {
			exit('ERROR on STIX_IP_Watchlist.xml.');
		}
		$stixpackage = simplexml_load_file('STIX_IP_Watchlist.xml');
		if ($stixpackage === false) {
			exit('ERROR: STIX_IP_Watchlist.xml is not well-formed XML.');
		}

		$newuuid = gen_uuid();	//New id for the STIX_Package
		$stixpackage_newid = 'xorcism:STIX_Package-' . $newuuid;
		$stixpackage['id'] = $stixpackage_newid;

		$timezone = new DateTimeZone('UTC');
		$date = new DateTime('now', $timezone);
		$timestamp = $date->format('Y-m-d\TH:i:s.u\Z');	//Zulu
		$stixpackage['timestamp'] = $timestamp;

		//Using Namespaces: children() selects the stix: namespace, so stix:STIX_Header/stix:Title
		//can be reached with ->
		$namespaces = $stixpackage->getNamespaces(true);
		$stix = $stixpackage->children($namespaces["stix"]);
		$stix->STIX_Header->Title = 'Watchlist that contains IP information.';

		//Using XPath (the prefixes declared on the root element are usable in xpath())
		$stixindicators = $stixpackage->xpath('/stix:STIX_Package/stix:Indicators/stix:Indicator');
		//New id for the stix:Indicator
		$stixindicators[0]['id'] = 'xorcism:Indicator-' . gen_uuid();
		$stixindicators[0]['timestamp'] = $timestamp;

		//indicator:Description lives in the indicator: namespace, not stix:, so
		//$stix->Indicators->Indicator->Description would not find it (it would append a new
		//stix:Description instead). Select it with XPath and assign to [0] to replace its text.
		$descriptions = $stixpackage->xpath('/stix:STIX_Package/stix:Indicators/stix:Indicator/indicator:Description');
		$descriptions[0][0] = 'IP Address Indicator for this watchlist';

		//New id for the indicator:Observable
		$observables = $stixpackage->xpath('/stix:STIX_Package/stix:Indicators/stix:Indicator/indicator:Observable');
		$observables[0]['id'] = 'xorcism:Observable-' . gen_uuid();

		//New id for the cybox:Object
		$objects = $stixpackage->xpath('/stix:STIX_Package/stix:Indicators/stix:Indicator/indicator:Observable/cybox:Object');
		$objects[0]['id'] = 'xorcism:Object-' . gen_uuid();

		//Same for AddressObj:Address_Value (AddressObj: namespace): replace the sample's
		//value with our IP
		$addresses = $stixpackage->xpath('/stix:STIX_Package/stix:Indicators/stix:Indicator/indicator:Observable/cybox:Object/cybox:Properties/AddressObj:Address_Value');
		$addresses[0][0] = $ip;

		$xml = $stixpackage->asXML();
		file_put_contents('STIX_IP_Watchlist_' . $newuuid . '.xml', $xml);
	}

	//************************************************************************************
	//Generates version 4 UUID: random
	//(mt_rand() is not a CSPRNG; that is acceptable for document identifiers, which only
	//need to be unique, but it must not be reused for secrets)
	function gen_uuid() {
		return sprintf( '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
			// 32 bits for "time_low"
			mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ),

			// 16 bits for "time_mid"
			mt_rand( 0, 0xffff ),

			// 16 bits for "time_hi_and_version",
			// four most significant bits hold the version number 4
			mt_rand( 0, 0x0fff ) | 0x4000,

			// 16 bits, 8 bits for "clk_seq_hi_res",
			// 8 bits for "clk_seq_low",
			// two most significant bits hold zero and one for variant DCE1.1
			mt_rand( 0, 0x3fff ) | 0x8000,

			// 48 bits for "node"
			mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff )
		);
	}
?>
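The script above only produces a watchlist. As an added example, not part of the original message and not the WP-STIX plugin's code, here is the consuming side that a site would need for such CTI to actually help: it parses a STIX 1.1.1 IP Watchlist package, expands the "##comma##" delimiter that STIX 1.x uses to pack several values into one Address_Value, keeps only exact-match (condition="Equals") IP entries, and checks a visitor's address against the result. The namespace URIs are those of STIX 1.1.1 / CybOX 2.1; the sample package, the visitor addresses and the function names (load_watchlist_ips, is_watchlisted) are constructed for illustration.

```php
<?php
// Added example (not the original poster's code): consuming a STIX 1.1.1 IP watchlist.
// Constructed sample package, shaped like the STIX_IP_Watchlist.xml sample; the
// last Address_Value entry is deliberately malformed to show it being dropped.
const SAMPLE_WATCHLIST = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:STIX_Package-1" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-1">
      <indicator:Description>Constructed IP watchlist</indicator:Description>
      <indicator:Observable id="example:Observable-1">
        <cybox:Object id="example:Object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value condition="Equals" apply_condition="ANY">192.0.2.10##comma##192.0.2.11##comma##not-an-ip</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
XML;

// Parse a package and return the canonical, exact-match IP addresses it carries.
function load_watchlist_ips(string $xml): array
{
    // LIBXML_NONET stops libxml fetching anything over the network while parsing, and
    // entity substitution (LIBXML_NOENT) is deliberately not enabled, so a hostile feed
    // cannot use external entities to read local files (XXE).
    $pkg = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($pkg === false) {
        throw new RuntimeException('STIX package is not well-formed XML');
    }
    $pkg->registerXPathNamespace('stix', 'http://stix.mitre.org/stix-1');
    $pkg->registerXPathNamespace('indicator', 'http://stix.mitre.org/Indicator-2');
    $pkg->registerXPathNamespace('cybox', 'http://cybox.mitre.org/cybox-2');
    $pkg->registerXPathNamespace('AddressObj', 'http://cybox.mitre.org/objects#AddressObject-2');

    // Only IP-category Address objects with an exact-match condition: a value with
    // condition="StartsWith" or "Contains" is a pattern, not an address, and must not
    // be treated as one.
    $nodes = $pkg->xpath(
        '//stix:Indicator//cybox:Properties[@category="ipv4-addr" or @category="ipv6-addr"]'
        . '/AddressObj:Address_Value[not(@condition) or @condition="Equals"]'
    );

    $ips = [];
    foreach ($nodes ?: [] as $node) {
        // STIX 1.x packs several values into one element separated by "##comma##".
        foreach (explode('##comma##', (string) $node) as $candidate) {
            $candidate = trim($candidate);
            // Drop entries that are not syntactically valid IPs rather than matching on garbage.
            if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
                continue;
            }
            // Canonical form so that e.g. "2001:db8::1" and "2001:DB8:0::1" compare equal.
            $ips[inet_ntop(inet_pton($candidate))] = true;
        }
    }
    return array_keys($ips);
}

// True when a visitor's address is on the watchlist.
function is_watchlisted(string $visitor_ip, array $watchlist): bool
{
    if (filter_var($visitor_ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    return in_array(inet_ntop(inet_pton($visitor_ip)), $watchlist, true);
}

$watchlist = load_watchlist_ips(SAMPLE_WATCHLIST);   // ['192.0.2.10', '192.0.2.11']
foreach (['192.0.2.11', '198.51.100.7'] as $visitor) {  // constructed visitor addresses
    printf("%s: %s\n", $visitor, is_watchlisted($visitor, $watchlist) ? 'on watchlist' : 'not listed');
}
```

Inside a WordPress plugin the address to check is `$_SERVER['REMOTE_ADDR']`; headers such as X-Forwarded-For are client-controlled and should only be trusted when a known proxy in front of the site sets them.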

