<!--
STIX IP Watchlist Example
Copyright (c) 2015, The MITRE Corporation. All rights reserved.
The contents of this file are subject to the terms of the STIX License located at http://stix.mitre.org/about/termsofuse.html.
This example demonstrates a simple usage of STIX to represent a list of IP address indicators (watchlist of IP addresses). Cyber operations and malware analysis centers often share a list of suspected malicious IP addresses with information about what those IPs might indicate. This STIX package represents a list of three IP addresses with a short dummy description of what they represent.
It demonstrates the use of:
* STIX Indicators
* CybOX within STIX
* The CybOX Address Object (IP)
* CybOX Patterns (apply_condition="ANY")
* Controlled vocabularies
Created by Mark Davidson
-->
<!--
  Root package. The "example" prefix is the producer's ID namespace; every id
  attribute below is a QName in it. The xsi:schemaLocation entries are relative
  hints that assume a local schema checkout. A consumer ingesting packages from
  a feed should validate against its own trusted copies of the schemas and
  parse with DTD processing and external entity resolution turned off.
-->
<stix:STIX_Package
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://docs.oasis-open.org/cti/ns/stix/core-1"
    xmlns:indicator="http://docs.oasis-open.org/cti/ns/stix/indicator-1"
    xmlns:cybox="http://docs.oasis-open.org/cti/ns/cybox/core-2"
    xmlns:AddressObject="http://docs.oasis-open.org/cti/ns/cybox/objects/address-2"
    xmlns:cyboxVocabs="http://docs.oasis-open.org/cti/ns/cybox/vocabularies-2"
    xmlns:stixVocabs="http://docs.oasis-open.org/cti/ns/stix/vocabularies-1"
    xmlns:example="http://example.com/"
    id="example:STIXPackage-33fe3b22-0201-47cf-85d0-97c02164528d"
    version="stix-1.2.1"
    xsi:schemaLocation="
    http://docs.oasis-open.org/cti/ns/stix/core-1 ../core.xsd
    http://docs.oasis-open.org/cti/ns/stix/indicator-1 ../indicator.xsd
    http://docs.oasis-open.org/cti/ns/cybox/vocabularies-2 ../cybox/default_vocabularies.xsd
    http://docs.oasis-open.org/cti/ns/stix/vocabularies-1 ../vocabularies.xsd
    http://docs.oasis-open.org/cti/ns/cybox/objects/address-2 ../cybox/objects/Address_Object.xsd">
  <stix:Indicators>
    <!--
      A single indicator typed "IP Watchlist" from the IndicatorTypeVocab-1.1
      controlled vocabulary. It carries no Confidence and no
      Valid_Time_Position, so a consumer gets no producer-supplied basis for
      weighting these entries or ageing them out.
    -->
    <stix:Indicator
        xsi:type="indicator:IndicatorType"
        id="example:Indicator-33fe3b22-0201-47cf-85d0-97c02164528d"
        timestamp="2015-05-15T09:00:00.000000Z">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
      <indicator:Description>Sample IP Address Indicator for this watchlist. This contains one indicator with a set of three IP addresses in the watchlist.</indicator:Description>
      <indicator:Observable id="example:Observable-1c798262-a4cd-434d-a958-884d6980c459">
        <cybox:Object id="example:Object-1980ce43-8e03-490b-863a-ea404d12242e">
          <cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
            <!--
              condition="Equals" with apply_condition="ANY" makes this a
              pattern: it matches when an observed IPv4 address equals any one
              of the listed values. The values are joined with the CybOX list
              delimiter ##comma##, so split on it before matching and never
              treat the whole string as one address. 10.0.0.0 to 10.0.0.2 are
              placeholders from RFC 1918 private space, not real threat data;
              keep them out of production blocklists.
            -->
            <AddressObject:Address_Value condition="Equals" apply_condition="ANY">10.0.0.0##comma##10.0.0.1##comma##10.0.0.2</AddressObject:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>