playing around with stix 2.1 (JSON) in F#
open System.Text | |
/// https://fsharpforfunandprofit.com/posts/serializating-your-domain-model/ | |
#I "/usr/local/share/dotnet/sdk/NuGetFallbackFolder/newtonsoft.json/9.0.1/lib/net40/" | |
#r "/usr/local/share/dotnet/sdk/NuGetFallbackFolder/newtonsoft.json/9.0.1/lib/net40/Newtonsoft.Json.dll" | |
module Json =
    open Newtonsoft.Json

    /// Serialise any value with Newtonsoft's default settings.
    let serialize obj = JsonConvert.SerializeObject obj

    /// Deserialise `str` as an `'a`. Any exception raised by Newtonsoft is
    /// returned as `Error` instead of propagating to the caller.
    /// No `JsonSerializerSettings` are passed, so Newtonsoft's defaults apply
    /// (in particular no TypeNameHandling): the input cannot pick the CLR
    /// type that gets instantiated. Keep it that way if `str` ever comes
    /// from an untrusted source.
    let deserialize<'a> (str: string) : Result<'a, exn> =
        try
            Ok (JsonConvert.DeserializeObject<'a> str)
        with ex ->
            Error ex
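/// STIX 2.1 `indicator-type-ov` open vocabulary
/// (https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html).
/// `Backdoor` and `RAT` do not appear in that vocabulary as far as I can
/// tell (they look like `malware-type-ov` entries); kept for compatibility,
/// but consumers that validate against the vocabulary may reject them.
type IndicatorType =
    | MaliciousActivity
    | Anonymization
    | Benign
    | Backdoor
    | Compromised
    | RAT
    | Attribution        // was misspelled `Attritbution`; the mapping below already used this name
    | Unknown
    | AnomalousActivity  // was matched below but never declared; appended to keep existing tag order

/// Map an `IndicatorType` to its STIX vocabulary string.
/// The match is exhaustive with no catch-all, so a new case is a compile
/// error here rather than a silent "unknown". Before this fix the arms
/// `AnomalousActivity` and `Attribution` named constructors that did not
/// exist, so F# compiled them as variable patterns (warning FS0049) and the
/// first arm matched every value, i.e. every type mapped to
/// "anomalous-activity".
let nameIndicatorType (i: IndicatorType) =
    match i with
    | AnomalousActivity -> "anomalous-activity"
    | Anonymization -> "anonymization"
    | Benign -> "benign"
    | Compromised -> "compromised"
    | MaliciousActivity -> "malicious-activity"
    | Backdoor -> "backdoor"
    | RAT -> "remote-access-trojan"
    | Attribution -> "attribution"
    | Unknown -> "unknown"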
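/// STIX 2.1 `infrastructure-type-ov` open vocabulary
/// (https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html).
/// NOTE(review): I believe the spec's vocabulary ends in `unknown` rather
/// than `undefined` - confirm against the linked document before changing,
/// since `Undefined` is part of this type's interface.
type InfrastructureType =
    | Amplification
    | Anonymization
    | Botnet
    | CommandAndControl
    | Exfiltration
    | HostingMalware
    | HostingTargetLists
    | Phishing
    | Reconnaissance
    | Staging
    | Undefined

/// Map an `InfrastructureType` to its STIX vocabulary string.
/// Every constructor is listed, so the former `| _ -> "undefined"` arm was
/// unreachable (warning FS0026) and has been dropped; a new case is now a
/// compile error instead of silently becoming "undefined".
/// (The function name keeps its original spelling for compatibility.)
let nameInfrastructionType (i: InfrastructureType) =
    match i with
    | Amplification -> "amplification"
    | Anonymization -> "anonymization"
    | Botnet -> "botnet"
    | CommandAndControl -> "command-and-control"
    | Exfiltration -> "exfiltration"
    | HostingMalware -> "hosting-malware"
    | HostingTargetLists -> "hosting-target-lists"
    | Phishing -> "phishing"
    | Reconnaissance -> "reconnaissance"
    | Staging -> "staging"
    | Undefined -> "undefined"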
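/// STIX 2.1 Infrastructure SDO
/// https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_muftrcpnf89v
/// F# field names are kept for callers; where they differ from the STIX
/// property names a JsonProperty attribute makes Newtonsoft emit and accept
/// `type`, `id`, `modified` and `infrastructure_types` instead of `Type`,
/// `ID`, `updated` and `infrastructure_type`.
/// NOTE(review): STIX ids have the form `<type>--<uuid>`; a bare
/// System.Guid serialises without the `infrastructure--` prefix, so the
/// emitted `id` is still not spec-conformant, and deserialising a real STIX
/// id into this field will fail. Fixing that needs a type or converter change.
type StixInfrastructure =
    { [<Newtonsoft.Json.JsonProperty("type")>]
      Type: string
      spec_version: string
      [<Newtonsoft.Json.JsonProperty("id")>]
      ID: System.Guid
      created: string
      [<Newtonsoft.Json.JsonProperty("modified")>]
      updated: string
      name: string
      description: string
      [<Newtonsoft.Json.JsonProperty("infrastructure_types")>]
      infrastructure_type: string list }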
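/// Build a single-comparison STIX pattern, e.g.
/// `formatPattern "ipv4-addr" "1.2.3.4"` gives `ipv4-addr:value='1.2.3.4'`.
/// STIX pattern string literals are single-quoted with backslash escapes,
/// so `\` and `'` inside `ind` are escaped rather than pasted raw; otherwise a
/// value lifted from a log line could close the literal early and change the
/// meaning of the pattern. `itype` names the observable object type and is
/// assumed to come from code, not data, so it is not escaped.
/// (https://riptutorial.com/fsharp/example/7470/simple-string-formatting
/// was the original reference for the StringBuilder version.)
let formatPattern (itype: string) (ind: string) =
    // Escape the backslash first so the quote escape is not doubled.
    let escaped = ind.Replace("\\", "\\\\").Replace("'", "\\'")
    sprintf "%s:value='%s'" itype escaped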
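/// STIX 2.1 Indicator SDO
/// https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_wfiae74706sw
/// F# field names are kept for callers; where they differ from the STIX
/// property names a JsonProperty attribute makes Newtonsoft emit and accept
/// `type`, `id` and `modified` instead of `Type`, `ID` and `updated`.
/// NOTE(review): STIX ids have the form `<type>--<uuid>`; a bare
/// System.Guid serialises without the `indicator--` prefix, so the emitted
/// `id` is still not spec-conformant, and deserialising a real STIX id into
/// this field will fail. Fixing that needs a type or converter change.
type StixIndicator =
    { [<Newtonsoft.Json.JsonProperty("type")>]
      Type: string
      spec_version: string
      [<Newtonsoft.Json.JsonProperty("id")>]
      ID: System.Guid
      created: string
      [<Newtonsoft.Json.JsonProperty("modified")>]
      updated: string
      name: string
      description: string
      indicator_types: string list
      pattern: string
      pattern_type: string
      valid_from: string }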
/// Wrapper so both SDO kinds can share a bundle's `objects` list.
/// NOTE(review): Newtonsoft's default handling of F# unions serialises a
/// case as an object with `Case`/`Fields` members rather than as the bare
/// record, so `Json.serialize bundle` will not produce STIX-shaped `objects`
/// entries without a custom converter - confirm against the actual output.
type StixObject =
    | StixIndicator of StixIndicator
    | StixInfrastructure of StixInfrastructure
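/// STIX 2.1 Bundle. `ID` and `Type` carry JsonProperty attributes so Newtonsoft
/// emits and accepts the STIX property names `id` and `type` instead of `ID`
/// and `Type`; `objects` already matches.
/// NOTE(review): a bundle id has the form `bundle--<uuid>`; a bare System.Guid
/// serialises without the prefix, so the emitted `id` is not spec-conformant
/// until the field type (or a converter) changes.
type StixBundle =
    { [<Newtonsoft.Json.JsonProperty("id")>]
      ID: System.Guid
      [<Newtonsoft.Json.JsonProperty("type")>]
      Type: string
      objects: StixObject list }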
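/// Example Indicator SDO for a single IPv4 address.
/// One timestamp is taken up front so `created`, `updated` (serialised as
/// `modified`) and `valid_from` agree exactly; the original evaluated
/// `UtcNow` separately for each field, so they could differ by a few ticks.
/// `K` renders as `Z` for a UTC DateTime, which is the suffix STIX expects.
let ind : StixIndicator =
    let now = System.DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fffffffK")
    { Type = "indicator"
      spec_version = "2.1"
      ID = System.Guid.NewGuid()
      created = now
      updated = now
      description = "WordPress bruteforce login client IP"
      name = "WordPress honeypot logs for DDoS tracking and authentcation brute force from a US /32"
      indicator_types = List.map nameIndicatorType [ MaliciousActivity ]
      pattern = formatPattern "ipv4-addr" "1.2.3.4"
      pattern_type = "stix"
      valid_from = now }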
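/// Example Infrastructure SDO describing a command-and-control endpoint.
/// One timestamp is taken up front so `created` and `updated` (serialised as
/// `modified`) agree exactly; the original evaluated `UtcNow` twice.
/// `K` renders as `Z` for a UTC DateTime, which is the suffix STIX expects.
let infra : StixInfrastructure =
    let now = System.DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fffffffK")
    { Type = "infrastructure"
      spec_version = "2.1"
      ID = System.Guid.NewGuid()
      created = now
      updated = now
      name = "C2 URL"
      description = "C2 URL"
      infrastructure_type = List.map nameInfrastructionType [ CommandAndControl ] }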
/// Example bundle wrapping the two SDOs defined above, infrastructure first.
/// NOTE(review): STIX bundle ids are `bundle--<uuid>`; `ID` holds only the
/// GUID, so the serialised `id` lacks the prefix until the record type changes.
let bundle : StixBundle =
    let contents = [ StixInfrastructure infra; StixIndicator ind ]
    { ID = System.Guid.NewGuid()
      Type = "bundle"
      objects = contents }