[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-users] Classifying File or Domain as Malware
Hi Sarvagya,
CybOX by itself is intended to capture cyber “facts” such as the characterization of the domain name and file you have below. What it does not include is context as to whether something is specifically malicious – this is done intentionally, as this type of context is left to other languages such as Malware Attribute Enumeration and Characterization (MAEC) [1] for malware and Structured Threat Information eXpression (STIX) [2] for the broader cyber threat domain. Both of these languages leverage CybOX for describing their relevant cyber entities, and also layer additional context on top of this information. It seems like you’re primarily interested in being able to define whether a particular cyber artifact is malicious, something which can be accomplished through the STIX Indicator [3].
Let me know if you have any further questions about CybOX, STIX, or MAEC.
Regards,
Ivan Kirillov
MITRE
From: <cti-users@lists.oasis-open.org> on behalf of Sarvagya Pant
Date: Wednesday, October 7, 2015 at 6:32 AM
To: "cti-users@lists.oasis-open.org"
Subject: [cti-users] Classifying File or Domain as Malware

Hi,
I am confused about how to get started with CybOX. I have installed the Python library and run one code sample:
Consider,
from cybox.core import Observables
from cybox.objects.file_object import File
from cybox.objects.domain_name_object import DomainName
from cybox.utils import IDGenerator, set_id_method

# Use sequential integer IDs (example:Observable-1, ...) instead of UUIDs
set_id_method(IDGenerator.METHOD_INT)

f = File()
d = DomainName()
d.value = "1.2.3.4"
f.file_name = "malware.exe"
f.file_path = r"C:\Windows\Temp\malware.exe"  # raw string so the backslashes are kept as-is

print(Observables(f).to_xml(include_namespaces=True))
print(Observables(d).to_xml(include_namespaces=True))

This will output XML which looks like:
<cybox:Observables xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:example="http://example.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd http://cybox.mitre.org/objects#FileObject-2 http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd" cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="example:Observable-1">
        <cybox:Object id="example:File-2">
            <cybox:Properties xsi:type="FileObj:FileObjectType">
                <FileObj:File_Name>malware.exe</FileObj:File_Name>
                <FileObj:File_Path>C:\Windows\Temp\malware.exe</FileObj:File_Path>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

<cybox:Observables xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1" xmlns:example="http://example.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd http://cybox.mitre.org/objects#DomainNameObject-1 http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd" cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="example:Observable-3">
        <cybox:Object id="example:DomainName-4">
            <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
                <DomainNameObj:Value>1.2.3.4</DomainNameObj:Value>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

If the file malware.exe is malware or the domain 1.2.3.4 is a malicious domain, how does this generated XML help me to identify whether these are malware or not? I am required to create a program, preferably in Python, that will get those XML documents. By getting those CybOX XML documents, how can I know whether the information given in the XML is suspicious or not? Please clarify if I'm wrong.
Thank you.
-- Sarvagya Pant
Kathmandu, Nepal
+9779803468257
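The consumer side of Ivan's answer, as an added example that is not part of this thread and not code from the python-cybox or python-stix projects: a small Python program that reads a STIX 1.2 package with the standard library's xml.etree, pulls out each STIX Indicator together with the CybOX Object it wraps, and returns the verdict context (Title, Type, Confidence) that a bare CybOX Observables document does not carry. Both XML documents in the block are constructed sample input for this example; the indicator titles, ids and confidence values are made up, and the Indicator Type strings are taken from the STIX 1.x default vocabulary, not from the page.

```python
import xml.etree.ElementTree as ET

# Namespaces used by STIX 1.x and CybOX 2.x. The prefixes are local to this
# parser and need not match the prefixes the producing tool chose.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "stixCommon": "http://stix.mitre.org/common-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: a STIX package whose Indicators wrap the same File and
# DomainName objects as the question. Titles, ids and confidence are made up.
STIX_SAMPLE = r"""<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:example="http://example.com"
    id="example:Package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Dropped malware binary</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
      <indicator:Observable id="example:Observable-1">
        <cybox:Object id="example:File-2">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:File_Name>malware.exe</FileObj:File_Name>
            <FileObj:File_Path>C:\Windows\Temp\malware.exe</FileObj:File_Path>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
      <indicator:Confidence>
        <stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
      </indicator:Confidence>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Domain serving the dropper</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
      <indicator:Observable id="example:Observable-3">
        <cybox:Object id="example:DomainName-4">
          <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
            <DomainNameObj:Value>1.2.3.4</DomainNameObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
      <indicator:Confidence>
        <stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Medium</stixCommon:Value>
      </indicator:Confidence>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Constructed sample: a bare CybOX document like the one in the question.
CYBOX_ONLY_SAMPLE = """<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:example="http://example.com"
    cybox_major_version="2" cybox_minor_version="1">
  <cybox:Observable id="example:Observable-3"><cybox:Object id="example:DomainName-4">
    <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
      <DomainNameObj:Value>1.2.3.4</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
</cybox:Observables>"""


def _text(elem, path):
    """Stripped text of the first child matching path, or None if absent."""
    node = elem.find(path, namespaces=NS)
    return node.text.strip() if node is not None and node.text else None


def describe_object(obj):
    """Map a cybox:Object to (kind, value) for the object types handled here."""
    props = obj.find("cybox:Properties", namespaces=NS)
    if props is None:
        return ("unknown", None)
    xsi_type = props.get(XSI_TYPE, "")
    if xsi_type.endswith(":FileObjectType"):
        return ("file", _text(props, "FileObj:File_Path") or _text(props, "FileObj:File_Name"))
    if xsi_type.endswith(":DomainNameObjectType"):
        return ("domain", _text(props, "DomainNameObj:Value"))
    return ("unknown", None)


def extract_flagged(xml_text):
    """One record per CybOX Object that a STIX Indicator points at.

    A plain CybOX Observables document has no Indicators, so it yields [].
    """
    root = ET.fromstring(xml_text)
    flagged = []
    for ind in root.iterfind(".//stix:Indicator", namespaces=NS):
        context = {
            "indicator_id": ind.get("id"),
            "title": _text(ind, "indicator:Title"),
            "type": _text(ind, "indicator:Type"),
            "confidence": _text(ind, "indicator:Confidence/stixCommon:Value"),
        }
        for obj in ind.iterfind(".//cybox:Object", namespaces=NS):
            kind, value = describe_object(obj)
            flagged.append(dict(context, kind=kind, value=value))
    return flagged


if __name__ == "__main__":
    for rec in extract_flagged(STIX_SAMPLE):
        print("{kind} {value!r}: {title} [{type}, confidence {confidence}]".format(**rec))
    print("bare CybOX document:", extract_flagged(CYBOX_ONLY_SAMPLE))
```

Run against the Observables output from the original question, extract_flagged returns an empty list, which is the point of the reply above: the same File and DomainName objects only acquire a verdict once a STIX Indicator (or, for malware analysis detail, a MAEC characterization) references them. A receiving program should therefore key its handling on the Indicator's Type and Confidence, not on the presence of a file name or domain alone.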