cti-users message



Subject: Classifying File or Domain as Malware


Hi, I am having confusion on how to get started with CybOX. I have installed the Python library and run one sample code:
Consider,

from cybox.core import Observables
from cybox.objects.file_object import File
from cybox.objects.domain_name_object import DomainName
from cybox.utils import IDGenerator, set_id_method

# Use sequential integer IDs (example:File-1, ...) instead of UUIDs
set_id_method(IDGenerator.METHOD_INT)

f = File()
d = DomainName()
d.value = "1.2.3.4"
f.file_name = "malware.exe"
# Raw string so the backslashes are kept literally in the path
f.file_path = r"C:\Windows\Temp\malware.exe"

# print() works on both Python 2 and Python 3
print(Observables(f).to_xml(include_namespaces=True))
print(Observables(d).to_xml(include_namespaces=True))

This will output XML which looks like:

<cybox:Observables
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:example="http://example.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd http://cybox.mitre.org/objects#FileObject-2 http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd" cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="example:Observable-1">
        <cybox:Object id="example:File-2">
            <cybox:Properties xsi:type="FileObj:FileObjectType">
                <FileObj:File_Name>malware.exe</FileObj:File_Name>
                <FileObj:File_Path>C:\Windows\Temp\malware.exe</FileObj:File_Path>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

<cybox:Observables
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:example="http://example.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd http://cybox.mitre.org/objects#DomainNameObject-1 http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd" cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="example:Observable-3">
        <cybox:Object id="example:DomainName-4">
            <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
                <DomainNameObj:Value>1.2.3.4</DomainNameObj:Value>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

If the file malware.exe is malware or the domain 1.2.3.4 is a malicious domain, how does this generated XML help me to identify whether these are malware or not? I am required to create a program, preferably in Python, that will get those XML documents. By getting those CybOX XML documents, how can I know if the information given in the XML is suspicious or not? Please clarify if I'm wrong.

Thank you.

--
Sarvagya Pant
Kathmandu, Nepal
+9779803468257
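The Observables XML above only describes the file and domain; it carries no verdict, so a consumer has to supply that judgement from its own source (a local watchlist here, or a STIX Indicator that wraps the Observable). The following is an added example, not code from the post or from python-cybox: it parses a constructed copy of the post's output with the standard library and compares the extracted properties against a constructed WATCHLIST.

```python
# Added example (not from the original post): consume CybOX 2.1 Observables XML,
# pull out the File_Name and DomainName Value properties it carries, and compare
# them against a local watchlist. SAMPLE_XML is a constructed copy of the
# post's output; WATCHLIST is a constructed stand-in for the analyst's own source.
import xml.etree.ElementTree as ET

NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}

SAMPLE_XML = """<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <cybox:Observable id="example:Observable-1">
    <cybox:Object id="example:File-2">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name>malware.exe</FileObj:File_Name>
        <FileObj:File_Path>C:\\Windows\\Temp\\malware.exe</FileObj:File_Path>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
  <cybox:Observable id="example:Observable-3">
    <cybox:Object id="example:DomainName-4">
      <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
        <DomainNameObj:Value>1.2.3.4</DomainNameObj:Value>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
</cybox:Observables>"""

# Constructed watchlist: the verdict lives here, not in the CybOX document.
WATCHLIST = {"file_name": {"malware.exe"}, "domain": {"evil.example"}}

def extract_observables(xml_text):
    """Return (observable_id, kind, value) tuples found in the Observables XML."""
    root = ET.fromstring(xml_text)
    found = []
    for obs in root.findall("cybox:Observable", NS):
        oid = obs.get("id")
        for name in obs.iterfind(".//FileObj:File_Name", NS):
            found.append((oid, "file_name", name.text))
        for val in obs.iterfind(".//DomainNameObj:Value", NS):
            found.append((oid, "domain", val.text))
    return found

def classify(xml_text, watchlist=WATCHLIST):
    """Map each observable id to 'match' or 'unknown' against the watchlist."""
    return {oid: ("match" if value in watchlist.get(kind, set()) else "unknown")
            for oid, kind, value in extract_observables(xml_text)}
```

Observable-3 comes back as unknown because nothing in the document says 1.2.3.4 is malicious; that classification has to be asserted by whoever produced or consumes the XML.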

