cti-users message
Subject: Re: [cti-users] Classifying File or Domain as Malware


Hi Sarvagya,

CybOX by itself is intended to capture cyber “facts” such as the characterization of the domain name and file you have below. What it does not include is context as to whether something is specifically malicious – this is done intentionally, as this type of context is left to other languages such as Malware Attribute Enumeration and Characterization (MAEC) [1] for malware and Structured Threat Information Expression (STIX) [2] for the broader cyber threat domain. Both of these languages leverage CybOX for describing their relevant cyber entities, and also layer additional context on top of this information. It seems like you’re primarily interested in being able to define whether a particular cyber artifact is malicious, something which can be accomplished through the STIX Indicator [3].

Let me know if you have any further questions about CybOX, STIX, or MAEC.


Regards,
Ivan Kirillov
MITRE
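As an added illustration of the point above (my code, not Ivan's and not the python-cybox or python-stix API), here is the same CybOX File object placed once as a bare observable and once inside a STIX 1.x Indicator typed "Malware Artifacts", built and read back with only the Python standard library. The namespace URIs are the STIX 1.x/CybOX 2.1 ones; the `example:` ids and the file names are constructed sample values.

```python
import xml.etree.ElementTree as ET
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "stixVocabs": "http://stix.mitre.org/default_vocabularies-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
def q(prefix, tag):  # Clark-notation name for a prefixed tag
    return "{%s}%s" % (NS[prefix], tag)

def file_object(obj_id, file_name):
    """A CybOX File object: a bare fact that says nothing about maliciousness."""
    obj = ET.Element(q("cybox", "Object"), id=obj_id)
    props = ET.SubElement(obj, q("cybox", "Properties"))
    props.set(q("xsi", "type"), "FileObj:FileObjectType")
    ET.SubElement(props, q("FileObj", "File_Name")).text = file_name
    return obj

def stix_package(indicators, plain_objects):
    """indicators: (id, title, IndicatorTypeVocab-1.1 value, Object); plain_objects: context-free Objects."""
    pkg = ET.Element(q("stix", "STIX_Package"), id="example:Package-1")
    obs_list = ET.SubElement(pkg, q("stix", "Observables"))
    for n, obj in enumerate(plain_objects, 1):
        ET.SubElement(obs_list, q("cybox", "Observable"), id="example:Observable-%d" % n).append(obj)
    inds = ET.SubElement(pkg, q("stix", "Indicators"))
    for ind_id, title, vocab_value, obj in indicators:
        ind = ET.SubElement(inds, q("stix", "Indicator"), id=ind_id)
        ind.set(q("xsi", "type"), "indicator:IndicatorType")
        ET.SubElement(ind, q("indicator", "Title")).text = title
        itype = ET.SubElement(ind, q("indicator", "Type"))
        itype.set(q("xsi", "type"), "stixVocabs:IndicatorTypeVocab-1.1")
        itype.text = vocab_value
        # The Indicator's Observable wraps the very same CybOX object.
        ET.SubElement(ind, q("indicator", "Observable"), id=ind_id + "-obs").append(obj)
    return ET.tostring(pkg, encoding="unicode")

def flagged_files(stix_xml):
    """Consumer side: file names found under an Indicator, keyed to its Type."""
    root = ET.fromstring(stix_xml)
    found = {}
    for ind in root.iterfind(".//stix:Indicator", NS):
        vocab_value = ind.findtext("indicator:Type", default="", namespaces=NS)
        for name in ind.iterfind(".//FileObj:File_Name", NS):
            found[name.text] = vocab_value
    return found
```

A file listed only under stix:Observables is never returned by flagged_files: it is a fact with no judgement attached, which is exactly the distinction drawn above. Note that ElementTree declares only the namespaces used in tag names, so a schema-validating consumer would additionally need xmlns:stixVocabs declared on the package element.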

From: <cti-users@lists.oasis-open.org> on behalf of Sarvagya Pant
Date: Wednesday, October 7, 2015 at 6:32 AM
To: "cti-users@lists.oasis-open.org"
Subject: [cti-users] Classifying File or Domain as Malware

Hi, I am confused about how to get started with CybOX. I have installed the Python library and run one sample program:
Consider,

from cybox.core import Observables
from cybox.objects.file_object import File
from cybox.objects.domain_name_object import DomainName
from cybox.utils import IDGenerator, set_id_method

# Use sequential integer IDs (example:Observable-1, ...) instead of UUIDs
set_id_method(IDGenerator.METHOD_INT)

f = File()
d = DomainName()
d.value = "1.2.3.4"
f.file_name = "malware.exe"
# Raw string so the backslashes are not interpreted as escape sequences
f.file_path = r"C:\Windows\Temp\malware.exe"

print(Observables(f).to_xml(include_namespaces=True))
print(Observables(d).to_xml(include_namespaces=True))

This will output XML which looks like:

<cybox:Observables
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:example="http://example.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd http://cybox.mitre.org/objects#FileObject-2 http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd" cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="example:Observable-1">
        <cybox:Object id="example:File-2">
            <cybox:Properties xsi:type="FileObj:FileObjectType">
                <FileObj:File_Name>malware.exe</FileObj:File_Name>
                <FileObj:File_Path>C:\Windows\Temp\malware.exe</FileObj:File_Path>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

<cybox:Observables
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:example="http://example.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd http://cybox.mitre.org/objects#DomainNameObject-1 http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd" cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="example:Observable-3">
        <cybox:Object id="example:DomainName-4">
            <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
                <DomainNameObj:Value>1.2.3.4</DomainNameObj:Value>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

If the file malware.exe is malware or the domain 1.2.3.4 is a malicious domain, how does this generated XML help me identify whether these are malware or not? I am required to create a program, preferably in Python, that will receive those XML documents. Given those CybOX XML documents, how can I know if the information in the XML is suspicious or not? Please clarify if I'm wrong.

Thank you.

--
Sarvagya Pant
Kathmandu, Nepal
+9779803468257