johnnykv/ha.xml

## ha.xml
<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:cybox="http://cybox.mitre.org/cybox-2"
                   xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
                   xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
                   xmlns:PortObj="http://cybox.mitre.org/objects#PortObject-2"
                   xmlns:SocketAddressObj="http://cybox.mitre.org/objects#SocketAddressObject-1"
                   xmlns:NetworkConnectionObj="http://cybox.mitre.org/objects#NetworkConnectionObject-2"
                   xmlns:stix="http://stix.mitre.org/stix-1"
                   xmlns:stixCommon="http://stix.mitre.org/common-1"
                   xmlns:CustomObj="http://cybox.mitre.org/objects#CustomObject-1"
                   xmlns:incident="http://stix.mitre.org/Incident-1"
                   xmlns:Identity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
                   xmlns:ciq="urn:oasis:names:tc:ciq:xpil:3"
                   xmlns:n="urn:oasis:names:tc:ciq:xnl:3"
                   xmlns:ConPot="http://conpot.org/stix-1"
                   xsi:schemaLocation="
 http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.0.1/ciq_identity_3.0.xsd
 http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.1/stix_core.xsd
 http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.1/stix_common.xsd
 http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.1/incident.xsd
 http://stix.mitre.org/extensions/Address#CIQAddress3.0-1 http://stix.mitre.org/XMLSchema/extensions/address/ciq_address_3.0/1.0.1/ciq_address_3.0.xsd
 http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
 http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
 http://cybox.mitre.org/objects#AddressObject-2 http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd
 http://cybox.mitre.org/objects#PortObject-2 http://cybox.mitre.org/XMLSchema/objects/Port/2.1/Port_Object.xsd
 http://cybox.mitre.org/objects#SocketAddressObject-1 http://cybox.mitre.org/XMLSchema/objects/Socket_Address/1.1/Socket_Address_Object.xsd
 http://cybox.mitre.org/objects#ArtifactObject-2 http://cybox.mitre.org/XMLSchema/objects/Artifact/2.1/Artifact_Object.xsd
 http://cybox.mitre.org/objects#CustomObject-1 http://cybox.mitre.org/XMLSchema/objects/Custom/1.1/Custom_Object.xsd
 http://cybox.mitre.org/objects#NetworkConnectionObject-2 http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.1/Network_Connection_Object.xsd"
 id="ConPot:STIXPackage-23b23496-5218-4938-a3d2-6c92aa5c48fe" version="1.1">
	<stix:STIX_Header>
        <stix:Title>Unauthorized traffic to honeypot</stix:Title>
		<stix:Description>Describes one or more honeypot incidents</stix:Description>
		<stix:Information_Source>
			<stixCommon:Time>
				<cyboxCommon:Produced_Time>2014-04-15T18:44:38.410644</cyboxCommon:Produced_Time>
			</stixCommon:Time>
		</stix:Information_Source>
	</stix:STIX_Header>
	<stix:Incidents>
		<stix:Incident id="ConPot:Incident-101d9884-b695-4d8b-bf24-343c7dda1b68" xsi:type='incident:IncidentType'>
			<incident:Time>
				<incident:First_Malicious_Action>2014-04-15T20:44:38.398621</incident:First_Malicious_Action>
			</incident:Time>
			<incident:Description>Traffic to ConPot honeypot</incident:Description>
			<incident:Categories>
				<incident:Category>Scans/Probes/Attempted Access</incident:Category>
			</incident:Categories>
            <incident:Reporter>
                <stixCommon:Tools>
                    <cyboxCommon:Tool>
                        <cyboxCommon:Name>Conpot</cyboxCommon:Name>
                        <cyboxCommon:Type>Honeypot</cyboxCommon:Type>
                        <cyboxCommon:Description>Conpot is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend.</cyboxCommon:Description>
                         <cyboxCommon:References>
                            <cyboxCommon:Reference reference_type="Source">https://github.com/glastopf/conpot</cyboxCommon:Reference>
                            <cyboxCommon:Reference reference_type="Other">http://www.conpot.org</cyboxCommon:Reference>
                        </cyboxCommon:References>
                        <cyboxCommon:Version>0.2.2</cyboxCommon:Version>
                    </cyboxCommon:Tool>
                </stixCommon:Tools>
            </incident:Reporter>
			<incident:Related_Observables>
				<incident:Related_Observable>
					<stixCommon:Observable id="ConPot:Observable-a9db4d12-c7e0-4ef2-bd76-4d0717e7cf82">
						<cybox:Object>
							<cybox:Properties xsi:type="NetworkConnectionObj:NetworkConnectionObjectType">
								<NetworkConnectionObj:Layer7_Protocol datatype="string">s7comm</NetworkConnectionObj:Layer7_Protocol>
								<NetworkConnectionObj:Source_Socket_Address>
									<SocketAddressObj:IP_Address category="ipv4-addr" is_source="true">
										<AddressObj:Address_Value>127.0.0.1</AddressObj:Address_Value>
									</SocketAddressObj:IP_Address>
									<SocketAddressObj:Port>
										<PortObj:Port_Value>54872</PortObj:Port_Value>
									</SocketAddressObj:Port>
								</NetworkConnectionObj:Source_Socket_Address>
                                <NetworkConnectionObj:Destination_Socket_Address>

									<SocketAddressObj:IP_Address category="ipv4-addr">
										<AddressObj:Address_Value>111.222.111.222</AddressObj:Address_Value>
									</SocketAddressObj:IP_Address>

									<SocketAddressObj:Port>
										<PortObj:Port_Value>102</PortObj:Port_Value>
									</SocketAddressObj:Port>
								</NetworkConnectionObj:Destination_Socket_Address>
							</cybox:Properties>
						</cybox:Object>
					</stixCommon:Observable>
				</incident:Related_Observable>
                 <incident:Related_Observable>
                       <stixCommon:Observable id="ConPot:Observable-af1824f8-02f9-4326-b56b-08b3c19ac3ce">
                            <cybox:Object>
                                 <cybox:Properties xsi:type="CustomObj:CustomObjectType" custom_name="ConpotLog">
                                    <cyboxCommon:Custom_Properties>
                                        <cyboxCommon:Property name="rawlog">{"0": {"request": "who are you", "response": "mr. blue"}, "1": {"request": "give me apples", "response": "no way"}}</cyboxCommon:Property>
                                     </cyboxCommon:Custom_Properties>
                                     <CustomObj:Description>Conpot log</CustomObj:Description>
                                </cybox:Properties>
                            </cybox:Object>
                       </stixCommon:Observable>
                 </incident:Related_Observable>
			</incident:Related_Observables>

            <incident:Contact>
                <stixCommon:Identity xsi:type='Identity:CIQIdentity3.0InstanceType'>
                    <Identity:Specification>
                        <ciq:PartyName>
                            <n:NameLine>
                                James Bond
                            </n:NameLine>
                        </ciq:PartyName>
                        <ciq:ElectronicAddressIdentifiers>
                            <ciq:ElectronicAddressIdentifier ciq:Type='EMAIL'>
                            ...
                            </ciq:ElectronicAddressIdentifier>
                        </ciq:ElectronicAddressIdentifiers>
                    </Identity:Specification>
                </stixCommon:Identity>
            </incident:Contact>

		</stix:Incident>
	</stix:Incidents>
</stix:STIX_Package>
	<?xml version="1.0" encoding="UTF-8"?>
	<stix:STIX_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:cybox="http://cybox.mitre.org/cybox-2"
	xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
	xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
	xmlns:PortObj="http://cybox.mitre.org/objects#PortObject-2"
	xmlns:SocketAddressObj="http://cybox.mitre.org/objects#SocketAddressObject-1"
	xmlns:NetworkConnectionObj="http://cybox.mitre.org/objects#NetworkConnectionObject-2"
	xmlns:stix="http://stix.mitre.org/stix-1"
	xmlns:stixCommon="http://stix.mitre.org/common-1"
	xmlns:CustomObj="http://cybox.mitre.org/objects#CustomObject-1"
	xmlns:incident="http://stix.mitre.org/Incident-1"
	xmlns:Identity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
	xmlns:ciq="urn:oasis:names:tc:ciq:xpil:3"
	xmlns:n="urn:oasis:names:tc:ciq:xnl:3"
	xmlns:ConPot="http://conpot.org/stix-1"
	xsi:schemaLocation="
	http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.0.1/ciq_identity_3.0.xsd
	http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.1/stix_core.xsd
	http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.1/stix_common.xsd
	http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.1/incident.xsd
	http://stix.mitre.org/extensions/Address#CIQAddress3.0-1 http://stix.mitre.org/XMLSchema/extensions/address/ciq_address_3.0/1.0.1/ciq_address_3.0.xsd
	http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
	http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
	http://cybox.mitre.org/objects#AddressObject-2 http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd
	http://cybox.mitre.org/objects#PortObject-2 http://cybox.mitre.org/XMLSchema/objects/Port/2.1/Port_Object.xsd
	http://cybox.mitre.org/objects#SocketAddressObject-1 http://cybox.mitre.org/XMLSchema/objects/Socket_Address/1.1/Socket_Address_Object.xsd
	http://cybox.mitre.org/objects#ArtifactObject-2 http://cybox.mitre.org/XMLSchema/objects/Artifact/2.1/Artifact_Object.xsd
	http://cybox.mitre.org/objects#CustomObject-1 http://cybox.mitre.org/XMLSchema/objects/Custom/1.1/Custom_Object.xsd
	http://cybox.mitre.org/objects#NetworkConnectionObject-2 http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.1/Network_Connection_Object.xsd"
	id="ConPot:STIXPackage-23b23496-5218-4938-a3d2-6c92aa5c48fe" version="1.1">
	<stix:STIX_Header>
	<stix:Title>Unauthorized traffic to honeypot</stix:Title>
	<stix:Description>Describes one or more honeypot incidents</stix:Description>
	<stix:Information_Source>
	<stixCommon:Time>
	<cyboxCommon:Produced_Time>2014-04-15T18:44:38.410644</cyboxCommon:Produced_Time>
	</stixCommon:Time>
	</stix:Information_Source>
	</stix:STIX_Header>
	<stix:Incidents>
	<stix:Incident id="ConPot:Incident-101d9884-b695-4d8b-bf24-343c7dda1b68" xsi:type='incident:IncidentType'>
	<incident:Time>
	<incident:First_Malicious_Action>2014-04-15T20:44:38.398621</incident:First_Malicious_Action>
	</incident:Time>
	<incident:Description>Traffic to ConPot honeypot</incident:Description>
	<incident:Categories>
	<incident:Category>Scans/Probes/Attempted Access</incident:Category>
	</incident:Categories>
	<incident:Reporter>
	<stixCommon:Tools>
	<cyboxCommon:Tool>
	<cyboxCommon:Name>Conpot</cyboxCommon:Name>
	<cyboxCommon:Type>Honeypot</cyboxCommon:Type>
	<cyboxCommon:Description>Conpot is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend.</cyboxCommon:Description>
	<cyboxCommon:References>
	<cyboxCommon:Reference reference_type="Source">https://github.com/glastopf/conpot</cyboxCommon:Reference>
	<cyboxCommon:Reference reference_type="Other">http://www.conpot.org</cyboxCommon:Reference>
	</cyboxCommon:References>
	<cyboxCommon:Version>0.2.2</cyboxCommon:Version>
	</cyboxCommon:Tool>
	</stixCommon:Tools>
	</incident:Reporter>
	<incident:Related_Observables>
	<incident:Related_Observable>
	<stixCommon:Observable id="ConPot:Observable-a9db4d12-c7e0-4ef2-bd76-4d0717e7cf82">
	<cybox:Object>
	<cybox:Properties xsi:type="NetworkConnectionObj:NetworkConnectionObjectType">
	<NetworkConnectionObj:Layer7_Protocol datatype="string">s7comm</NetworkConnectionObj:Layer7_Protocol>
	<NetworkConnectionObj:Source_Socket_Address>
	<SocketAddressObj:IP_Address category="ipv4-addr" is_source="true">
	<AddressObj:Address_Value>127.0.0.1</AddressObj:Address_Value>
	</SocketAddressObj:IP_Address>
	<SocketAddressObj:Port>
	<PortObj:Port_Value>54872</PortObj:Port_Value>
	</SocketAddressObj:Port>
	</NetworkConnectionObj:Source_Socket_Address>
	<NetworkConnectionObj:Destination_Socket_Address>

	<SocketAddressObj:IP_Address category="ipv4-addr">
	<AddressObj:Address_Value>111.222.111.222</AddressObj:Address_Value>
	</SocketAddressObj:IP_Address>

	<SocketAddressObj:Port>
	<PortObj:Port_Value>102</PortObj:Port_Value>
	</SocketAddressObj:Port>
	</NetworkConnectionObj:Destination_Socket_Address>
	</cybox:Properties>
	</cybox:Object>
	</stixCommon:Observable>
	</incident:Related_Observable>
	<incident:Related_Observable>
	<stixCommon:Observable id="ConPot:Observable-af1824f8-02f9-4326-b56b-08b3c19ac3ce">
	<cybox:Object>
	<cybox:Properties xsi:type="CustomObj:CustomObjectType" custom_name="ConpotLog">
	<cyboxCommon:Custom_Properties>
	<cyboxCommon:Property name="rawlog">{"0": {"request": "who are you", "response": "mr. blue"}, "1": {"request": "give me apples", "response": "no way"}}</cyboxCommon:Property>
	</cyboxCommon:Custom_Properties>
	<CustomObj:Description>Conpot log</CustomObj:Description>
	</cybox:Properties>
	</cybox:Object>
	</stixCommon:Observable>
	</incident:Related_Observable>
	</incident:Related_Observables>

	<incident:Contact>
	<stixCommon:Identity xsi:type='Identity:CIQIdentity3.0InstanceType'>
	<Identity:Specification>
	<ciq:PartyName>
	<n:NameLine>
	James Bond
	</n:NameLine>
	</ciq:PartyName>
	<ciq:ElectronicAddressIdentifiers>
	<ciq:ElectronicAddressIdentifier ciq:Type='EMAIL'>
	...
	</ciq:ElectronicAddressIdentifier>
	</ciq:ElectronicAddressIdentifiers>
	</Identity:Specification>
	</stixCommon:Identity>
	</incident:Contact>

	</stix:Incident>
	</stix:Incidents>
	</stix:STIX_Package>