Created
November 30, 2013 22:15
-
-
Save johnnykv/7725345 to your computer and use it in GitHub Desktop.
basic stix data from conpot
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <stix:STIX_Package xmlns:CodeObj="http://cybox.mitre.org/objects#CodeObject-2" xmlns:ioc-tr="http://schemas.mandiant.com/2010/ioc/TR/" xmlns:GUIObj="http://cybox.mitre.org/objects#GUIObject-2" xmlns:UnixVolumeObj="http://cybox.mitre.org/objects#UnixVolumeObject-2" xmlns:WinNetworkRouteEntryObj="http://cybox.mitre.org/objects#WinNetworkRouteEntryObject-2" xmlns:maec="http://maec.mitre.org/XMLSchema/maec-package-2" xmlns:WinDriverObj="http://cybox.mitre.org/objects#WinDriverObject-2" xmlns:NetworkSocketObj="http://cybox.mitre.org/objects#NetworkSocketObject-2" xmlns:GUIDialogBoxObj="http://cybox.mitre.org/objects#GUIDialogboxObject-2" xmlns:LibraryObj="http://cybox.mitre.org/objects#LibraryObject-2" xmlns:openiocTM="http://stix.mitre.org/extensions/TestMechanism#OpenIOC2010-1" xmlns:WinThreadObj="http://cybox.mitre.org/objects#WinThreadObject-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:DiskObj="http://cybox.mitre.org/objects#DiskObject-2" xmlns:NetworkConnectionObj="http://cybox.mitre.org/objects#NetworkConnectionObject-2" xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1" xmlns:UserAccountObj="http://cybox.mitre.org/objects#UserAccountObject-2" xmlns:ovalTM="http://stix.mitre.org/extensions/TestMechanism#OVAL5.10-1" xmlns:CustomObj="http://cybox.mitre.org/objects#CustomObject-1" xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1" xmlns:WinKernelHookObj="http://cybox.mitre.org/objects#WinKernelHookObject-2" xmlns:LinuxPackageObj="http://cybox.mitre.org/objects#LinuxPackageObject-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:UserSessionObj="http://cybox.mitre.org/objects#UserSessionObject-2" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:WinPipeObj="http://cybox.mitre.org/objects#WinPipeObject-2" xmlns:ArtifactObj="http://cybox.mitre.org/objects#ArtifactObject-2" xmlns:WinMailslotObj="http://cybox.mitre.org/objects#WinMailslotObject-2" xmlns:sch="http://purl.oclc.org/dsdl/schematron" xmlns:incident="http://stix.mitre.org/Incident-1" xmlns:WinFileObj="http://cybox.mitre.org/objects#WinFileObject-2" xmlns:et="http://stix.mitre.org/ExploitTarget-1" xmlns:WinCriticalSectionObj="http://cybox.mitre.org/objects#WinCriticalSectionObject-2" xmlns:coa="http://stix.mitre.org/CourseOfAction-1" xmlns:DNSCacheObj="http://cybox.mitre.org/objects#DNSCacheObject-2" xmlns:DeviceObj="http://cybox.mitre.org/objects#DeviceObject-2" xmlns:WinVolumeObj="http://cybox.mitre.org/objects#WinVolumeObject-2" xmlns:yaraTM="http://stix.mitre.org/extensions/TestMechanism#YARA-1" xmlns:UnixFileObj="http://cybox.mitre.org/objects#UnixFileObject-2" xmlns:NetFlowObj="http://cybox.mitre.org/objects#NetworkFlowObject-2" xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2" xmlns:capecInstance="http://stix.mitre.org/extensions/AP#CAPEC2.6-1" xmlns:ioc="http://schemas.mandiant.com/2010/ioc" xmlns:MutexObj="http://cybox.mitre.org/objects#MutexObject-2" xmlns:WinServiceObj="http://cybox.mitre.org/objects#WinServiceObject-2" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/1.0" xmlns:WinRegistryKeyObj="http://cybox.mitre.org/objects#WinRegistryKeyObject-2" xmlns:WinSystemRestoreObj="http://cybox.mitre.org/objects#WinSystemRestoreObject-2" xmlns:ProductObj="http://cybox.mitre.org/objects#ProductObject-2" xmlns:PacketObj="http://cybox.mitre.org/objects#PacketObject-2" xmlns:HTTPSessionObj="http://cybox.mitre.org/objects#HTTPSessionObject-2" xmlns:DiskPartitionObj="http://cybox.mitre.org/objects#DiskPartitionObject-2" xmlns:WinPrefetchObj="http://cybox.mitre.org/objects#WinPrefetchObject-2" xmlns:WinHandleObj="http://cybox.mitre.org/objects#WinHandleObject-2" xmlns:oval-var="http://oval.mitre.org/XMLSchema/oval-variables-5" xmlns:a="urn:oasis:names:tc:ciq:xal:3" xmlns:WinEventLogObj="http://cybox.mitre.org/objects#WinEventLogObject-2" xmlns:PipeObj="http://cybox.mitre.org/objects#PipeObject-2" xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2" xmlns:UnixUserAccountObj="http://cybox.mitre.org/objects#UnixUserAccountObject-2" xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1" xmlns:simpleMarking="http://data-marking.mitre.org/extensions/MarkingStructure#Simple-1" xmlns:ciq="urn:oasis:names:tc:ciq:xpil:3" xmlns:APIObj="http://cybox.mitre.org/objects#APIObject-2" xmlns:WinUserAccountObj="http://cybox.mitre.org/objects#WinUserAccountObject-2" xmlns:genericStructuredCOA="http://stix.mitre.org/extensions/StructuredCOA#Generic-1" xmlns:WinMemoryPageRegionObj="http://cybox.mitre.org/objects#WinMemoryPageRegionObject-2" xmlns:NetworkSubnetObj="http://cybox.mitre.org/objects#NetworkSubnetObject-2" xmlns:ct="urn:oasis:names:tc:ciq:ct:3" xmlns:WinSystemObj="http://cybox.mitre.org/objects#WinSystemObject-2" xmlns:UnixPipeObj="http://cybox.mitre.org/objects#UnixPipeObject-2" xmlns:SystemObj="http://cybox.mitre.org/objects#SystemObject-2" xmlns:DNSRecordObj="http://cybox.mitre.org/objects#DNSRecordObject-2" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:WinProcessObj="http://cybox.mitre.org/objects#WinProcessObject-2" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/1.0" xmlns:SemaphoreObj="http://cybox.mitre.org/objects#SemaphoreObject-2" xmlns:cvrfVuln="http://stix.mitre.org/extensions/Vulnerability#CVRF-1" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject-2" xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:GUIWindowObj="http://cybox.mitre.org/objects#GUIWindowObject-2" xmlns:WinWaitableTimerObj="http://cybox.mitre.org/objects#WinWaitableTimerObject-2" xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2" xmlns:PDFFileObj="http://cybox.mitre.org/objects#PDFFileObject-1" xmlns:cvrf-common="http://www.icasi.org/CVRF/schema/common/1.1" xmlns:WinKernelObj="http://cybox.mitre.org/objects#WinKernelObject-2" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:capec="http://capec.mitre.org/capec-2" xmlns:maecInstance="http://stix.mitre.org/extensions/Malware#MAEC4.0-1" xmlns:marking="http://data-marking.mitre.org/Marking-1" xmlns:UnixProcessObj="http://cybox.mitre.org/objects#UnixProcessObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:ta="http://stix.mitre.org/ThreatActor-1" xmlns:snortTM="http://stix.mitre.org/extensions/TestMechanism#Snort-1" xmlns:MemoryObj="http://cybox.mitre.org/objects#MemoryObject-2" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:WinTaskObj="http://cybox.mitre.org/objects#WinTaskObject-2" xmlns:SocketAddressObj="http://cybox.mitre.org/objects#SocketAddressObject-1" xmlns:WinSemaphoreObj="http://cybox.mitre.org/objects#WinSemaphoreObject-2" xmlns:WinMutexObj="http://cybox.mitre.org/objects#WinMutexObject-2" xmlns:NetworkRouteEntryObj="http://cybox.mitre.org/objects#NetworkRouteEntryObject-2" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:ciqAddress="http://stix.mitre.org/extensions/Address#CIQAddress3.0-1" xmlns:VolumeObj="http://cybox.mitre.org/objects#VolumeObject-2" xmlns:WinExecutableFileObj="http://cybox.mitre.org/objects#WinExecutableFileObject-2" xmlns:WinNetworkShareObj="http://cybox.mitre.org/objects#WinNetworkShareObject-2" xmlns:DNSQueryObj="http://cybox.mitre.org/objects#DNSQueryObject-2" xmlns:ciqIdentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1" xmlns:WinEventObj="http://cybox.mitre.org/objects#WinEventObject-2" xmlns:LinkObj="http://cybox.mitre.org/objects#LinkObject-1" xmlns:NetworkRouteObj="http://cybox.mitre.org/objects#NetworkRouteObject-2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:WinComputerAccountObj="http://cybox.mitre.org/objects#WinComputerAccountObject-2" xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xmlns:X509CertificateObj="http://cybox.mitre.org/objects#X509CertificateObject-2" xmlns:campaign="http://stix.mitre.org/Campaign-1" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:UnixNetworkRouteEntryObj="http://cybox.mitre.org/objects#UnixNetworkRouteEntryObject-2" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:genericTM="http://stix.mitre.org/extensions/TestMechanism#Generic-1" xmlns:PortObj="http://cybox.mitre.org/objects#PortObject-2" xmlns:AccountObj="http://cybox.mitre.org/objects#AccountObject-2" xmlns:xlink="http://www.w3.org/1999/xlink"> | |
| <stix:STIX_Header> | |
| <stix:Description>Describes one or more honeypot incidents</stix:Description> | |
| <stix:Information_Source> | |
| <stixCommon:Time> | |
| <cyboxCommon:Produced_Time>2013-11-30T23:13:42.900335</cyboxCommon:Produced_Time> | |
| </stixCommon:Time> | |
| </stix:Information_Source> | |
| </stix:STIX_Header> | |
| <stix:Incidents id="101d9884-b695-4d8b-bf24-343c7dda1b68" xmlns:incident='http://stix.mitre.org/Incident-1' xsi:type='incident:IncidentType'> | |
| <incident:Time> | |
| <incident:First_Malicious_Action>2013-11-30T23:13:42.900318</incident:First_Malicious_Action> | |
| </incident:Time> | |
| <incident:Description>Traffic to ConPot honeypot</incident:Description> | |
| <incident:Categories> | |
| <incident:Category>Scans/Probes/Attempted Access</incident:Category> | |
| </incident:Categories> | |
| <incident:Related_Observables scope="exclusive"> | |
| <incident:Related_Observable> | |
| <stixCommon:Observable> | |
| <NetworkConnectionObj:Layer7_Protocol datatype="string">modbus</NetworkConnectionObj:Layer7_Protocol> | |
| <NetworkConnectionObj:Source_Socket_Address> | |
| <SocketAddressObj:IP_Address category="ipv4-addr" is_source="true"> | |
| <AddressObj:Address_Value datatype="string">1.2.3.4</AddressObj:Address_Value> | |
| </SocketAddressObj:IP_Address> | |
| <SocketAddressObj:Port> | |
| <PortObj:Port_Value datatype="string">54872</PortObj:Port_Value> | |
| </SocketAddressObj:Port> | |
| </NetworkConnectionObj:Source_Socket_Address> | |
| </stixCommon:Observable> | |
| </incident:Related_Observable> | |
| </incident:Related_Observables> | |
| </stix:Incidents> | |
| </stix:STIX_Package> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment