@johnnykv
Created December 10, 2013 21:50
<?xml version="1.0" encoding="UTF-8"?>
<!--
  STIX 1.0.1 package emitted by the Conpot ICS honeypot (tool version 0.2.2, see
  Information_Source below). It carries one Incident with two Related_Observables:
  a CybOX NetworkConnectionObject describing the inbound connection, and a
  CustomObject ("ConpotLog") holding the raw request/response log as JSON text.

  Consumer notes:
  - xsi:schemaLocation lists remote .xsd URLs. Treat them as hints only: a
    validator should resolve the STIX/CybOX schemas from a local, trusted copy
    rather than fetch whatever URL an inbound document names.
  - The document contains no DOCTYPE; a consumer should still parse with DTD
    processing and external entity resolution disabled, since the content is
    derived from attacker-controlled traffic.
  - Several namespaces (cyboxVocabs, stixVocabs, ArtifactObj, dc, sch) are
    declared on the root but not used anywhere in this instance.
-->
<stix:STIX_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
xmlns:PortObj="http://cybox.mitre.org/objects#PortObject-2"
xmlns:SocketAddressObj="http://cybox.mitre.org/objects#SocketAddressObject-1"
xmlns:NetworkConnectionObj="http://cybox.mitre.org/objects#NetworkConnectionObject-2"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:CustomObj="http://cybox.mitre.org/objects#CustomObject-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:ArtifactObj="http://cybox.mitre.org/objects#ArtifactObject-2"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:sch="http://purl.oclc.org/dsdl/schematron"
xmlns:ConPot="http://conpot.org/stix-1"
xsi:schemaLocation="
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.0.1/stix_core.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.0.1/stix_common.xsd
http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.0.1/incident.xsd
http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.0.1/cybox_core.xsd
http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.0.1/cybox_common.xsd
http://cybox.mitre.org/objects#AddressObject-2 http://cybox.mitre.org/XMLSchema/objects/Address/2.0.1/Address_Object.xsd
http://cybox.mitre.org/objects#PortObject-2 http://cybox.mitre.org/XMLSchema/objects/Port/2.0.1/Port_Object.xsd
http://cybox.mitre.org/objects#SocketAddressObject-1 http://cybox.mitre.org/XMLSchema/objects/Socket_Address/1.0.1/Socket_Address_Object.xsd
http://cybox.mitre.org/objects#ArtifactObject-2 http://cybox.mitre.org/XMLSchema/objects/Artifact/2.0.1/Artifact_Object.xsd
http://cybox.mitre.org/objects#CustomObject-1 http://cybox.mitre.org/XMLSchema/objects/Custom/1.0.1/Custom_Object.xsd
http://cybox.mitre.org/objects#NetworkConnectionObject-2 http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.0.1/Network_Connection_Object.xsd"
id="ConPot:STIXPackage-45065393-6e5b-4746-b1ab-143b0dd86af6" version="1.0.1">
<stix:STIX_Header>
<stix:Title>Unauthorized traffic to honeypot</stix:Title>
<stix:Description>Describes one or more honeypot incidents</stix:Description>
<stix:Information_Source>
<stixCommon:Time>
<!-- NOTE(review): no UTC offset on this timestamp (nor on First_Malicious_Action
     below). Produced_Time is 21:45:11.109347 while First_Malicious_Action is
     22:45:11.099660, i.e. the incident is recorded as starting an hour AFTER the
     report was produced, with near-identical fractional seconds. This looks like a
     local-time vs UTC mix in the producer; confirm against the generating code and
     emit xs:dateTime with an explicit offset (e.g. a trailing Z) for both. -->
<cyboxCommon:Produced_Time>2013-12-10T21:45:11.109347</cyboxCommon:Produced_Time>
</stixCommon:Time>
<stixCommon:Tools>
<cyboxCommon:Tool>
<cyboxCommon:Name>Conpot</cyboxCommon:Name>
<cyboxCommon:Type>Honeypot</cyboxCommon:Type>
<cyboxCommon:Description>Conpot is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend.</cyboxCommon:Description>
<cyboxCommon:References>
<cyboxCommon:Reference reference_type="Source">https://github.com/glastopf/conpot</cyboxCommon:Reference>
<cyboxCommon:Reference reference_type="Other">http://www.conpot.org</cyboxCommon:Reference>
</cyboxCommon:References>
<cyboxCommon:Version>0.2.2</cyboxCommon:Version>
</cyboxCommon:Tool>
</stixCommon:Tools>
</stix:Information_Source>
</stix:STIX_Header>
<stix:Incidents>
<stix:Incident id="ConPot:Incident-101d9884-b695-4d8b-bf24-343c7dda1b68" xsi:type='incident:IncidentType'>
<incident:Time>
<!-- See the timezone note on Produced_Time above; this value has no offset either. -->
<incident:First_Malicious_Action>2013-12-10T22:45:11.099660</incident:First_Malicious_Action>
</incident:Time>
<incident:Description>Traffic to ConPot honeypot</incident:Description>
<incident:Categories>
<incident:Category>Scans/Probes/Attempted Access</incident:Category>
</incident:Categories>
<incident:Related_Observables>
<!-- Observable 1: the network connection as seen by the honeypot. -->
<incident:Related_Observable>
<stixCommon:Observable id="ConPot:Observable-729a14d6-1d50-412f-b753-019889072a45">
<cybox:Object>
<cybox:Properties xsi:type="NetworkConnectionObj:NetworkConnectionObjectType">
<!-- NOTE(review): Layer7_Protocol says "s7comm" but the destination port below is
     502, which is the registered Modbus/TCP port (S7comm is normally carried on
     TCP 102). One of the two fields is likely wrong in the producer; confirm
     against the Conpot session this was generated from before keying detections
     on either value. -->
<NetworkConnectionObj:Layer7_Protocol datatype="string">s7comm</NetworkConnectionObj:Layer7_Protocol>
<NetworkConnectionObj:Source_Socket_Address>
<!-- Source is the loopback address, so this instance presumably comes from a local
     test run rather than real inbound traffic; verify before sharing as intel. -->
<SocketAddressObj:IP_Address category="ipv4-addr" is_source="true">
<AddressObj:Address_Value datatype="string">127.0.0.1</AddressObj:Address_Value>
</SocketAddressObj:IP_Address>
<SocketAddressObj:Port>
<PortObj:Port_Value>54872</PortObj:Port_Value>
</SocketAddressObj:Port>
</NetworkConnectionObj:Source_Socket_Address>
<!-- Only the destination port is recorded; the honeypot's own IP address is
     omitted (presumably deliberately, so the report does not disclose where the
     sensor is deployed). Consumers should not expect an IP_Address here. -->
<NetworkConnectionObj:Destination_Socket_Address>
<SocketAddressObj:Port>
<PortObj:Port_Value>502</PortObj:Port_Value>
</SocketAddressObj:Port>
</NetworkConnectionObj:Destination_Socket_Address>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<!-- Observable 2: the raw Conpot session log for the same connection. -->
<incident:Related_Observable>
<!-- NOTE(review): this Observable reuses the exact same id as the first
     Related_Observable above. STIX ids are meant to be unique within a package;
     consumers that index by id (and any Related_Object/idref pointing at it) will
     collapse or overwrite one of the two. The producer should mint a distinct UUID
     for each Observable. -->
<stixCommon:Observable id="ConPot:Observable-729a14d6-1d50-412f-b753-019889072a45">
<cybox:Object>
<cybox:Properties xsi:type="CustomObj:CustomObjectType" custom_name="ConpotLog">
<cyboxCommon:Custom_Properties>
<!-- The "rawlog" property embeds a JSON object as XML text rather than modelling
     the request/response pairs as elements. The "request" strings are copied
     verbatim from attacker-supplied traffic, so anything that parses this JSON
     downstream must treat it as untrusted input. Note also that a request
     containing < or & must be escaped by the producer or the document stops being
     well-formed; the sample values here ("who are you", "mr. blue") look like test
     fixture data rather than a real session. -->
<cyboxCommon:Property name="rawlog">{"0": {"request": "who are you", "response": "mr. blue"}, "1": {"request": "give me apples", "response": "no way"}}</cyboxCommon:Property>
</cyboxCommon:Custom_Properties>
<CustomObj:Description>Conpot log</CustomObj:Description>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
</incident:Related_Observables>
</stix:Incident>
</stix:Incidents>
</stix:STIX_Package>