def from_dict(process_dict, process_cls = None): if not process_dict: return None if process_cls == None: process_ = Process() else: process_ = process_cls ObjectProperties.from_dict(process_dict, process_) process_.is_hidden = process_dict.get('is_hidden') process_.pid = UnsignedInteger.from_dict(process_dict.get('pid')) process_.name = String.from_dict(process_dict.get('name')) process_.creation_time = DateTime.from_dict(process_dict.get('creation_time')) process_.parent_pid = UnsignedInteger.from_dict(process_dict.get('parent_pid')) process_.child_pid_list = [UnsignedInteger.from_dict(x) for x in process_dict.get('child_pid_list', [])] process_.image_info = ImageInfo.from_dict(process_dict.get('image_info')) process_.argument_list = [String.from_dict(x) for x in process_dict.get('argument_list', [])] process_.environment_variable_list = EnvironmentVariableList.from_list(process_dict.get('environment_variable_list')) process_.kernel_time = Duration.from_dict(process_dict.get('kernel_time')) process_.port_list = [Port.from_dict(x) for x in process_dict.get('port_list', [])] process_.network_connection_list = [NetworkConnection.from_dict(x) for x in process_dict.get('network_connection_list', [])] process_.start_time = DateTime.from_dict(process_dict.get('start_time')) process_.username = String.from_dict(process_dict.get('username')) process_.user_time = Duration.from_dict(process_dict.get('user_time')) process_.extracted_features = None return process_
def from_obj(validity_obj): if not validity_obj: return None validity_ = Validity() validity_.not_after = DateTime.from_obj(validity_obj.get_Not_After()) validity_.not_before = DateTime.from_obj(validity_obj.get_Not_Before()) return validity_
def from_obj(process_obj, process_cls = None): if not process_obj: return None if process_cls == None: process_ = Process() else: process_ = process_cls ObjectProperties.from_obj(process_obj, process_) process_.is_hidden = process_obj.get_is_hidden() process_.pid = UnsignedInteger.from_obj(process_obj.get_PID()) process_.name = String.from_obj(process_obj.get_Name()) process_.creation_time = DateTime.from_obj(process_obj.get_Creation_Time()) process_.parent_pid = UnsignedInteger.from_obj(process_obj.get_Parent_PID()) process_.image_info = ImageInfo.from_obj(process_obj.get_Image_Info()) process_.environment_variable_list = EnvironmentVariableList.from_obj(process_obj.get_Environment_Variable_List()) process_.kernel_time = Duration.from_obj(process_obj.get_Kernel_Time()) process_.start_time = DateTime.from_obj(process_obj.get_Start_Time()) process_.username = String.from_obj(process_obj.get_Username()) process_.user_time = Duration.from_obj(process_obj.get_User_Time()) process_.extracted_features = None if process_obj.get_Argument_List() is not None : process_.argument_list = [String.from_obj(x) for x in process_obj.get_Argument_List().get_Argument()] if process_obj.get_Child_PID_List() is not None : process_.child_pid_list = [UnsignedInteger.from_obj(x) for x in process_obj.get_Child_PID_List().get_Child_PID()] if process_obj.get_Port_List() is not None : process_.port_list = [Port.from_obj(x) for x in process_obj.get_Port_List().get_Port()] if process_obj.get_Network_Connection_List() is not None : process_.network_connection_list = [NetworkConnection.from_obj(x) for x in process_obj.get_Network_Connection_List().get_Network_Connection()] return process_
def from_dict(validity_dict): if not validity_dict: return None validity_ = Validity() validity_.not_after = DateTime.from_dict(validity_dict.get('not_after')) validity_.not_before = DateTime.from_dict(validity_dict.get('not_before')) return validity_
def from_obj(win_file_obj, file_class = None): if not win_file_obj: return None if not file_class: win_file_ = File.from_obj(win_file_obj, WinFile()) else: win_file_ = File.from_obj(win_file_obj, file_class) win_file_.filename_accessed_time = DateTime.from_obj(win_file_obj.get_Filename_Accessed_Time()) win_file_.filename_created_time = DateTime.from_obj(win_file_obj.get_Filename_Created_Time()) win_file_.filename_modified_time = DateTime.from_obj(win_file_obj.get_Filename_Modified_Time()) win_file_.drive = String.from_obj(win_file_obj.get_Drive()) win_file_.security_id = String.from_obj(win_file_obj.get_Security_ID()) win_file_.security_type = String.from_obj(win_file_obj.get_Security_Type()) win_file_.stream_list = StreamList.from_obj(win_file_obj.get_Stream_List()) return win_file_
def from_dict(win_file_dict, file_class = None): if not win_file_dict: return None if not file_class: win_file_ = File.from_dict(win_file_dict, WinFile()) else: win_file_ = File.from_dict(win_file_dict, file_class) win_file_.filename_accessed_time = DateTime.from_dict(win_file_dict.get('filename_accessed_time')) win_file_.filename_created_time = DateTime.from_dict(win_file_dict.get('filename_created_time')) win_file_.filename_modified_time = DateTime.from_dict(win_file_dict.get('filename_modified_time')) win_file_.drive = String.from_dict(win_file_dict.get('drive')) win_file_.security_id = String.from_dict(win_file_dict.get('security_id')) win_file_.security_type = String.from_dict(win_file_dict.get('security_type')) win_file_.stream_list = StreamList.from_list(win_file_dict.get('stream_list')) return win_file_
def from_obj(file_obj, file_class=None): if not file_obj: return None if not file_class: file_ = File() else: file_ = file_class ObjectProperties.from_obj(file_obj, file_) file_.is_packed = file_obj.get_is_packed() file_.file_name = String.from_obj(file_obj.get_File_Name()) file_.file_path = FilePath.from_obj(file_obj.get_File_Path()) file_.device_path = String.from_obj(file_obj.get_Device_Path()) file_.full_path = String.from_obj(file_obj.get_Full_Path()) file_.file_extension = String.from_obj(file_obj.get_File_Extension()) file_.size_in_bytes = UnsignedLong.from_obj(file_obj.get_Size_In_Bytes()) file_.magic_number = HexBinary.from_obj(file_obj.get_Magic_Number()) file_.file_format = String.from_obj(file_obj.get_File_Format()) file_.hashes = HashList.from_obj(file_obj.get_Hashes()) file_.extracted_features = ExtractedFeatures.from_obj(file_obj.get_Extracted_Features()) #TODO: why are there two Strings and one DateTime here? file_.modified_time = String.from_obj(file_obj.get_Modified_Time()) file_.accessed_time = String.from_obj(file_obj.get_Accessed_Time()) file_.created_time = DateTime.from_obj(file_obj.get_Created_Time()) return file_
def from_dict(file_dict, file_class=None): if not file_dict: return None if not file_class: file_ = File() else: file_ = file_class ObjectProperties.from_dict(file_dict, file_) file_.is_packed = file_dict.get('is_packed') file_.file_name = String.from_dict(file_dict.get('file_name')) file_.file_path = FilePath.from_dict(file_dict.get('file_path')) file_.device_path = String.from_dict(file_dict.get('device_path')) file_.full_path = String.from_dict(file_dict.get('full_path')) file_.file_extension = String.from_dict(file_dict.get('file_extension')) file_.size_in_bytes = UnsignedLong.from_dict(file_dict.get('size_in_bytes')) file_.magic_number = HexBinary.from_dict(file_dict.get('magic_number')) file_.file_format = String.from_dict(file_dict.get('file_format')) file_.hashes = HashList.from_list(file_dict.get('hashes')) file_.extracted_features = ExtractedFeatures.from_dict(file_dict.get('extracted_features')) file_.modified_time = String.from_dict(file_dict.get('modified_time')) file_.accessed_time = String.from_dict(file_dict.get('accessed_time')) file_.created_time = DateTime.from_dict(file_dict.get('created_time')) return file_
def from_dict(whois_dict): if not whois_dict: return None whois = WhoisEntry() ObjectProperties.from_dict(whois_dict, whois) whois.domain_name = URI.from_dict(whois_dict.get('domain_name')) whois.domain_id = String.from_dict(whois_dict.get('domain_id')) whois.server_name = URI.from_dict(whois_dict.get('server_name')) whois.ip_address = Address.from_dict(whois_dict.get('ip_address'), Address.CAT_IPV4) whois.dnssec = whois_dict.get('dnssec') whois.nameservers = WhoisNameservers.from_list(whois_dict.get('nameservers')) whois.status = WhoisStatuses.from_list(whois_dict.get('status')) whois.updated_date = DateTime.from_dict(whois_dict.get('updated_date')) whois.creation_date = DateTime.from_dict(whois_dict.get('creation_date')) whois.expiration_date = DateTime.from_dict(whois_dict.get('expiration_date')) whois.regional_internet_registry = String.from_dict(whois_dict.get('regional_internet_registry')) whois.sponsoring_registrar = String.from_dict(whois_dict.get('sponsoring_registrar')) whois.registrar_info = WhoisRegistrar.from_dict(whois_dict.get('registrar_info')) whois.registrants = WhoisRegistrants.from_list(whois_dict.get('registrants')) whois.contact_info = WhoisContact.from_dict(whois_dict.get('contact_info')) return whois
def from_obj(whois_obj): if not whois_obj: return None whois = WhoisEntry() ObjectProperties.from_obj(whois_obj, whois) whois.domain_name = URI.from_obj(whois_obj.get_Domain_Name()) whois.domain_id = String.from_obj(whois_obj.get_Domain_ID()) whois.server_name = URI.from_obj(whois_obj.get_Server_Name()) whois.ip_address = Address.from_obj(whois_obj.get_IP_Address()) whois.dnssec = whois_obj.get_DNSSEC() whois.nameservers = WhoisNameservers.from_obj(whois_obj.get_Nameservers()) whois.status = WhoisStatuses.from_obj(whois_obj.get_Status()) whois.updated_date = DateTime.from_obj(whois_obj.get_Updated_Date()) whois.creation_date = DateTime.from_obj(whois_obj.get_Creation_Date()) whois.expiration_date = DateTime.from_obj(whois_obj.get_Expiration_Date()) whois.regional_internet_registry = String.from_obj(whois_obj.get_Regional_Internet_Registry()) whois.sponsoring_registrar = String.from_obj(whois_obj.get_Sponsoring_Registrar()) whois.registrar_info = WhoisRegistrar.from_obj(whois_obj.get_Registrar_Info()) whois.registrants = WhoisRegistrants.from_obj(whois_obj.get_Registrants()) whois.contact_info = WhoisContact.from_obj(whois_obj.get_Contact_Info()) return whois
def from_obj(network_connection_obj): if not network_connection_obj: return None network_connection_ = NetworkConnection() network_connection_.tls_used = network_connection_obj.get_tls_used() network_connection_.creation_time = DateTime.from_obj(network_connection_obj.get_Creation_Time()) network_connection_.layer3_protocol = String.from_obj(network_connection_obj.get_Layer3_Protocol()) network_connection_.layer4_protocol = String.from_obj(network_connection_obj.get_Layer4_Protocol()) network_connection_.layer7_protocol = String.from_obj(network_connection_obj.get_Layer7_Protocol()) network_connection_.source_socket_address = SocketAddress.from_obj(network_connection_obj.get_Source_Socket_Address()) network_connection_.source_tcp_state = network_connection_obj.get_Source_TCP_State() network_connection_.destination_socket_address = SocketAddress.from_obj(network_connection_obj.get_Destination_Socket_Address()) network_connection_.destination_tcp_state = network_connection_obj.get_Destination_TCP_State() network_connection_.layer7_connections = Layer7Connections.from_obj(network_connection_obj.get_Layer7_Connections()) return network_connection_
def from_dict(network_connection_dict): if not network_connection_dict: return None network_connection_ = NetworkConnection() network_connection_.tls_used = network_connection_dict.get('tls_used') network_connection_.creation_time = DateTime.from_dict(network_connection_dict.get('creation_time')) network_connection_.layer3_protocol = String.from_dict(network_connection_dict.get('layer3_protocol')) network_connection_.layer4_protocol = String.from_dict(network_connection_dict.get('layer4_protocol')) network_connection_.layer7_protocol = String.from_dict(network_connection_dict.get('layer7_protocol')) network_connection_.source_socket_address = SocketAddress.from_dict(network_connection_dict.get('source_socket_address')) network_connection_.source_tcp_state = network_connection_dict.get('source_tcp_state') network_connection_.destination_socket_address = SocketAddress.from_dict(network_connection_dict.get('destination_socket_address')) network_connection_.destination_tcp_state = network_connection_dict.get('destination_tcp_state') network_connection_.layer7_connections = Layer7Connections.from_dict(network_connection_dict.get('layer7_connections')) return network_connection_
def from_dict(header_dict): header = EmailHeader() header.to = EmailRecipients.from_dict(header_dict.get('to')) header.cc = EmailRecipients.from_dict(header_dict.get('cc')) header.bcc = EmailRecipients.from_dict(header_dict.get('bcc')) header.from_ = Address.from_dict(header_dict.get('from'), Address.CAT_EMAIL) header.subject = String.from_dict(header_dict.get('subject')) header.in_reply_to = String.from_dict(header_dict.get('in_reply_to')) header.date = DateTime.from_dict(header_dict.get('date')) header.message_id = String.from_dict(header_dict.get('message_id')) header.sender = Address.from_dict(header_dict.get('sender'), Address.CAT_EMAIL) header.reply_to = Address.from_dict(header_dict.get('reply_to'), Address.CAT_EMAIL) header.errors_to = String.from_dict(header_dict.get('errors_to')) return header
def from_obj(header_obj): header = EmailHeader() header.to = EmailRecipients.from_obj(header_obj.get_To()) header.cc = EmailRecipients.from_obj(header_obj.get_CC()) header.bcc = EmailRecipients.from_obj(header_obj.get_BCC()) header.from_ = Address.from_obj(header_obj.get_From()) header.subject = String.from_obj(header_obj.get_Subject()) header.in_reply_to = String.from_obj(header_obj.get_In_Reply_To()) header.date = DateTime.from_obj(header_obj.get_Date()) header.message_id = String.from_obj(header_obj.get_Message_ID()) header.sender = Address.from_obj(header_obj.get_Sender()) header.reply_to = Address.from_obj(header_obj.get_Reply_To()) header.errors_to = String.from_obj(header_obj.get_Errors_To()) return header
def from_obj(registry_key_obj): if not registry_key_obj: return None win_registry_key_ = WinRegistryKey() win_registry_key_.key = String.from_obj(registry_key_obj.get_Key()) win_registry_key_.hive = String.from_obj(registry_key_obj.get_Hive()) win_registry_key_.number_values = UnsignedInteger.from_obj(registry_key_obj.get_Number_Values()) win_registry_key_.modified_time = DateTime.from_obj(registry_key_obj.get_Modified_Time()) win_registry_key_.creator_username = String.from_obj(registry_key_obj.get_Creator_Username()) win_registry_key_.handle_list = WinHandleList.from_obj(registry_key_obj.get_Handle_List()) win_registry_key_.number_subkeys = UnsignedInteger.from_obj(registry_key_obj.get_Number_Subkeys()) #win_registry_key_.byte_runs = ByteRuns.from_obj(registry_key_obj.get_Byte_Runs()) if registry_key_obj.get_Values() is not None: for registry_value_obj in registry_key_obj.get_Values().get_Value(): win_registry_key_.values.append(RegistryValue.from_obj(registry_value_obj)) if registry_key_obj.get_Subkeys() is not None: for registry_subkey_obj in registry_key_dict.get_Subkeys().get_Subkey(): win_registry_key_.subkeys.append(WinRegistryKey.from_obj(registry_subkey_obj)) return win_registry_key_
def from_dict(registry_key_dict): if not registry_key_dict: return None win_registry_key_ = WinRegistryKey() win_registry_key_.key = String.from_dict(registry_key_dict.get('key')) win_registry_key_.hive = String.from_dict(registry_key_dict.get('hive')) win_registry_key_.number_values = UnsignedInteger.from_dict(registry_key_dict.get('number_values')) win_registry_key_.modified_time = DateTime.from_dict(registry_key_dict.get('modified_time')) win_registry_key_.creator_username = String.from_dict(registry_key_dict.get('creator_username')) win_registry_key_.handle_list = WinHandleList.from_list(registry_key_dict.get('handle_list')) win_registry_key_.number_subkeys = UnsignedInteger.from_dict(registry_key_dict.get('number_subkeys')) #win_registry_key_.byte_runs = ByteRuns.from_dict(registry_key_dict.get('byte_runs')) if registry_key_dict.get('values') is not None: for registry_value_dict in registry_key_dict.get('values'): win_registry_key_.values.append(RegistryValue.from_dict(registry_value_dict)) if registry_key_dict.get('subkeys') is not None: for registry_subkey_dict in registry_key_dict.get('subkeys'): win_registry_key_.subkeys.append(WinRegistryKey.from_dict(registry_subkey_dict)) return win_registry_key_
build_information.compiler_version = String('') build_information.linker_name = String('') build_information.linker_version = String('') # https://cybox.readthedocs.org/en/stable/_modules/cybox/common/digitalsignature.html#DigitalSignature digital_signature = DigitalSignature() digital_signature.certificate_issuer = String('') digital_signature.certificate_subject = String('') digital_signature.signature_description = String('') digital_signature.signature_exists = None digital_signature.signature_verified = None # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEExports exports = PEExports() exports.exported_functions = PEExportedFunctions() exports.exports_time_stamp = DateTime() exports.name = String() exports.number_of_addresses = Long() exports.number_of_functions = Integer() exports.number_of_names = Long() # The Extraneous_Bytes field specifies the number of extraneous bytes contained in the PE binary. extraneous_bytes = Integer() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEHeaders headers = PEHeaders() headers.dos_header = DOSHeader() headers.entropy = Entropy() headers.file_header = PEFileHeader() headers.hashes = HashList() headers.optional_header = PEOptionalHeader()
def test_parse_datetime(self): cybox_dt = DateTime(self.dt) self.assertEqual(self.dt, cybox_dt.value) self.assertEqual(self.dt.isoformat(), six.text_type(cybox_dt))
def test_isodate(self): now = datetime.datetime.now() dt = DateTime(now) self.assertEqual(now.isoformat(), dt.serialized_value)
def test_isodate(self): now = datetime.datetime.now() dt = DateTime(now) self.assertEqual(now.isoformat(), dt.serialized_value) self.assertEqual(now.isoformat(), dt.to_obj().valueOf_)
def test_parse_date_string(self): cybox_dt2 = DateTime(self.dt_str) self.assertEqual(self.dt, cybox_dt2.value) self.assertEqual(self.dt.isoformat(), cybox_dt2.serialized_value) self.assertEqual(self.dt.isoformat(), str(cybox_dt2))
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"): """ Convert a CRITs TLO to a CybOX Observable. :param obj: The TLO to convert. :type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes` :param exclude: Attributes to exclude. :type exclude: list :param bin_fmt: The format for the binary (if applicable). :type bin_fmt: str """ type_ = obj._meta['crits_type'] if type_ == 'Certificate': custom_prop = Property( ) # make a custom property so CRITs import can identify Certificate exports custom_prop.name = "crits_type" custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents" custom_prop._value = "Certificate" obje = File() # represent cert information as file obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.filetype obje.size_in_bytes = obj.size obje.custom_properties = CustomProperties() obje.custom_properties.append(custom_prop) obs = Observable(obje) obs.description = obj.description data = obj.filedata.read() if data: # if cert data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data a.packaging.append(Base64Encoding()) obje.add_related(a, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'Domain': obje = DomainName() obje.value = obj.domain obje.type_ = obj.record_type return ([Observable(obje)], obj.releasability) elif type_ == 'Email': if exclude == None: exclude = [] observables = [] obje = EmailMessage() # Assume there is going to be at least one header obje.header = EmailHeader() if 'message_id' not in exclude: obje.header.message_id = String(obj.message_id) if 'subject' not in exclude: obje.header.subject = String(obj.subject) if 'sender' not in exclude: obje.header.sender = Address(obj.sender, Address.CAT_EMAIL) if 'reply_to' not in exclude: obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL) if 'x_originating_ip' not in exclude: obje.header.x_originating_ip = Address(obj.x_originating_ip, Address.CAT_IPV4) if 'x_mailer' not in exclude: obje.header.x_mailer = String(obj.x_mailer) if 'boundary' not in exclude: obje.header.boundary = String(obj.boundary) if 'raw_body' not in exclude: obje.raw_body = obj.raw_body if 'raw_header' not in exclude: obje.raw_header = obj.raw_header #copy fields where the names differ between objects if 'helo' not in exclude and 'email_server' not in exclude: obje.email_server = String(obj.helo) if ('from_' not in exclude and 'from' not in exclude and 'from_address' not in exclude): obje.header.from_ = EmailAddress(obj.from_address) if 'date' not in exclude and 'isodate' not in exclude: obje.header.date = DateTime(obj.isodate) obje.attachments = Attachments() observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'Indicator': observables = [] obje = make_cybox_object(obj.ind_type, obj.value) observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'IP': obje = Address() obje.address_value = obj.ip if obj.ip_type == IPTypes.IPv4_ADDRESS: obje.category = "ipv4-addr" elif obj.ip_type == IPTypes.IPv6_ADDRESS: obje.category = "ipv6-addr" elif obj.ip_type == IPTypes.IPv4_SUBNET: obje.category = "ipv4-net" elif obj.ip_type == IPTypes.IPv6_SUBNET: obje.category = "ipv6-subnet" return ([Observable(obje)], obj.releasability) elif type_ == 'PCAP': obje = File() obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.contentType obje.size_in_bytes = obj.length obs = Observable(obje) obs.description = obj.description art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK) art.packaging.append(Base64Encoding()) obje.add_related(art, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'RawData': obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE) obje.packaging.append(Base64Encoding()) obs = Observable(obje) obs.description = obj.description return ([obs], obj.releasability) elif type_ == 'Sample': if exclude == None: exclude = [] observables = [] f = File() for attr in ['md5', 'sha1', 'sha256']: if attr not in exclude: val = getattr(obj, attr, None) if val: setattr(f, attr, val) if obj.ssdeep and 'ssdeep' not in exclude: f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP)) if 'size' not in exclude and 'size_in_bytes' not in exclude: f.size_in_bytes = UnsignedLong(obj.size) if 'filename' not in exclude and 'file_name' not in exclude: f.file_name = obj.filename # create an Artifact object for the binary if it exists if 'filedata' not in exclude and bin_fmt: data = obj.filedata.read() if data: # if sample data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data if bin_fmt == "zlib": a.packaging.append(ZlibCompression()) a.packaging.append(Base64Encoding()) elif bin_fmt == "base64": a.packaging.append(Base64Encoding()) f.add_related(a, "Child_Of") # relate artifact to file if 'filetype' not in exclude and 'file_format' not in exclude: #NOTE: this doesn't work because the CybOX File object does not # have any support built in for setting the filetype to a # CybOX-binding friendly object (e.g., calling .to_dict() on # the resulting CybOX object fails on this field. f.file_format = obj.filetype observables.append(Observable(f)) return (observables, obj.releasability) else: return (None, None)
def test_list_dates(self): dt = DateTime([self.dt, self.dt, self.dt]) self.assertEqual(3, len(dt.value)) expected = "{0}{1}{0}{1}{0}".format(self.dt.isoformat(), DEFAULT_DELIM) actual = normalize_to_xml(dt.serialized_value, DEFAULT_DELIM) self.assertEqual(expected, actual)
def to_cybox_observable(self, exclude=None): """ Convert an email to a CybOX Observables. Pass parameter exclude to specify fields that should not be included in the returned object. Returns a tuple of (CybOX object, releasability list). To get the cybox object as xml or json, call to_xml() or to_json(), respectively, on the resulting CybOX object. """ if exclude == None: exclude = [] observables = [] obj = EmailMessage() # Assume there is going to be at least one header obj.header = EmailHeader() if 'message_id' not in exclude: obj.header.message_id = String(self.message_id) if 'subject' not in exclude: obj.header.subject = String(self.subject) if 'sender' not in exclude: obj.header.sender = Address(self.sender, Address.CAT_EMAIL) if 'reply_to' not in exclude: obj.header.reply_to = Address(self.reply_to, Address.CAT_EMAIL) if 'x_originating_ip' not in exclude: obj.header.x_originating_ip = Address(self.x_originating_ip, Address.CAT_IPV4) if 'x_mailer' not in exclude: obj.header.x_mailer = String(self.x_mailer) if 'boundary' not in exclude: obj.header.boundary = String(self.boundary) if 'raw_body' not in exclude: obj.raw_body = self.raw_body if 'raw_header' not in exclude: obj.raw_header = self.raw_header #copy fields where the names differ between objects if 'helo' not in exclude and 'email_server' not in exclude: obj.email_server = String(self.helo) if ('from_' not in exclude and 'from' not in exclude and 'from_address' not in exclude): obj.header.from_ = EmailAddress(self.from_address) if 'date' not in exclude and 'isodate' not in exclude: obj.header.date = DateTime(self.isodate) obj.attachments = Attachments() observables.append(Observable(obj)) return (observables, self.releasability)