def buildObservable(input_dict):
    # add incident and confidence
    observable = Observable()
    observable.description = input_dict['description']
    observable.title = input_dict['title']

    source = MeasureSource()
    source.name = input_dict['source']
    observable.observable_source = [source] # figure out why this is necessary

    if input_dict['keyword']:
        observable.add_keyword(input_dict['keyword'])
    """
    event = Event()
    event.description = input_dict['event']
    observable.event = event

    """
    if input_dict['objectType'] and input_dict['object']:
        cybObj = Object()

        if input_dict['objectType'] == 'Address':
            cybObj.properties = Address(input_dict['object'])
        elif input_dict['objectType'] == 'File':
            cybObj.properties = File()
            cybObj.properties.file_path = FilePath(input_dict['object'])
        elif input_dict['objectType'] == 'URI':
            cybObj.properties = URI(input_dict['object'])

        if cybObj:
            observable.object_ = cybObj

    print observable.to_xml()
    return observable
Beispiel #2
0
    def test_round_trip(self):
        o = Object()
        o.idref = "example:a1"
        o.properties = Address("1.2.3.4", Address.CAT_IPV4)
        o2 = round_trip(o)

        self.assertEqual(o.to_dict(), o2.to_dict())
Beispiel #3
0
    def from_dict(observable_dict):
        if not observable_dict:
            return None

        from cybox.core import PatternFidelity
        obs = Observable()

        obs.id_ = observable_dict.get('id')
        obs.title = observable_dict.get('title')
        obs.description = StructuredText.from_dict(
            observable_dict.get('description'))
        obs.object_ = Object.from_dict(observable_dict.get('object'))
        obs.event = Object.from_dict(observable_dict.get('event'))
        obs.observable_composition = ObservableComposition.from_dict(
            observable_dict.get('observable_composition'))
        obs.idref = observable_dict.get('idref')
        obs.sighting_count = observable_dict.get('sighting_count')
        if observable_dict.get('observable_source'):
            obs.observable_source = [
                MeasureSource.from_dict(x)
                for x in observable_dict.get('observable_source')
            ]
        obs.keywords = Keywords.from_dict(observable_dict.get('keywords'))
        obs.pattern_fidelity = PatternFidelity.from_dict(
            observable_dict.get('pattern_fidelity'))

        return obs
Beispiel #4
0
    def test_round_trip(self):
        o = Object()
        o.idref = "example:a1"
        o.properties = Address("1.2.3.4", Address.CAT_IPV4)
        o2 = cybox.test.round_trip(o)

        self.assertEqual(o.to_dict(), o2.to_dict())
 def test_properties_not_in_inline(self):
     # https://github.com/CybOXProject/python-cybox/issues/287
     o1 = Object(self.domain)
     o2 = Object(self.ip)
     o1.add_related(self.ip, "Resolved_To", inline=False)
     xml = o1.to_xml(encoding=None)
     print(xml)
     self.assertTrue(o1.id_ in xml)
     self.assertTrue(o2.id_ in xml)
     self.assertFalse(str(self.ip.address_value) in xml)
Beispiel #6
0
    def __init__(self,
                 item=None,
                 id_=None,
                 idref=None,
                 title=None,
                 description=None):
        """Create an Observable out of 'item'.

        `item` can be any of:
        - an Object
        - an Event
        - an ObservableComposition
        - any subclass of ObjectProperties.

        In the first three cases, the appropriate property of the Observable
        will be set. In the last cases, an Object will be built automatically
        to ensure the correct hierarchy is created.
        """
        super(Observable, self).__init__()
        if not id_ and not idref:
            id_ = cybox.utils.create_id(prefix="Observable")

        self.id_ = id_
        self.title = title
        self.description = description

        self.object_ = None
        self.event = None
        self.observable_composition = None
        self.idref = idref
        self.sighting_count = None
        self.observable_source = []
        self.keywords = Keywords()
        self.pattern_fidelity = None

        if item is None:
            return
        elif isinstance(item, Object):
            self.object_ = item
        elif isinstance(item, ObservableComposition):
            self.observable_composition = item
        elif isinstance(item, Event):
            self.event = item
        elif isinstance(item, ObjectProperties):
            if item.parent:
                self.object_ = item.parent
            else:
                self.object_ = Object(item)
        else:
            msg = ("item must be an Object, Event, ObservableComposition, or "
                   "subclass of ObjectProperties. Received an %s" % type(item))
            raise TypeError(msg)
Beispiel #7
0
def generateObservable(indicator, attribute):
    if (attribute["type"] in ("snort", "yara")):
        generateTM(indicator, attribute)
    else:
        observable = None;
        if (attribute["type"] in simple_type_to_method.keys()):
            action = getattr(this_module, simple_type_to_method[attribute["type"]], None)
            if (action != None):
                property = action(attribute)
                object = Object(property)
                object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + property.__class__.__name__ + "-" + attribute["uuid"]
                observable = Observable(object)
                observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
                indicator.add_observable(observable)
Beispiel #8
0
    def from_obj(observable_obj):
        if not observable_obj:
            return None

        from cybox.core import PatternFidelity
        obs = Observable()

        obs.id_ = observable_obj.id
        obs.title = observable_obj.Title
        obs.description = StructuredText.from_obj(observable_obj.Description)
        obs.object_ = Object.from_obj(observable_obj.Object)
        obs.event = Event.from_obj(observable_obj.Event)
        obs.observable_composition = ObservableComposition.from_obj(
            observable_obj.Observable_Composition)
        obs.idref = observable_obj.idref
        obs.sighting_count = observable_obj.sighting_count
        if observable_obj.Observable_Source:
            obs.observable_source = [
                MeasureSource.from_obj(x)
                for x in observable_obj.Observable_Source
            ]
        obs.keywords = Keywords.from_obj(observable_obj.Keywords)
        obs.pattern_fidelity = PatternFidelity.from_obj(
            observable_obj.Pattern_Fidelity)

        return obs
Beispiel #9
0
    def test_observble_init(self):
        obj = Object()
        dobj = ObjectProperties()
        a = Address()
        oc = ObservableComposition()
        e = Event()

        obs1 = Observable(obj)
        self.assertTrue(obs1.object_ is obj)
        self.assertFalse(obs1.observable_composition)
        self.assertFalse(obs1.event)

        obs2 = Observable(dobj)
        self.assertTrue(obs2.object_)
        self.assertTrue(obs2.object_.properties is dobj)
        self.assertFalse(obs2.observable_composition)
        self.assertFalse(obs2.event)

        obs3 = Observable(a)
        self.assertTrue(obs3.object_)
        self.assertTrue(obs3.object_.properties is a)
        self.assertFalse(obs3.event)
        self.assertFalse(obs3.observable_composition)

        obs4 = Observable(oc)
        self.assertFalse(obs4.object_)
        self.assertFalse(obs4.event)
        self.assertTrue(obs4.observable_composition is oc)

        obs5 = Observable(e)
        self.assertFalse(obs5.object_)
        self.assertTrue(obs5.event is e)
        self.assertFalse(obs5.observable_composition)
Beispiel #10
0
 def from_obj(object_obj):
     if not object_obj:
         return None
     obj = Object.from_obj(object_obj, AssociatedObject())
     obj.association_type = AssociationType.from_obj(
         object_obj.get_Association_Type())
     return obj
Beispiel #11
0
 def from_dict(object_dict):
     if not object_dict:
         return None
     obj = Object.from_dict(object_dict, AssociatedObject())
     obj.association_type = AssociationType.from_dict(
         object_dict.get('association_type', None))
     return obj
Beispiel #12
0
 def from_obj(bundle_obj):
     if not bundle_obj:
         return None
     bundle_ = Bundle(None, None)
     bundle_.id = bundle_obj.get_id()
     bundle_.schema_version = bundle_obj.get_schema_version()
     bundle_.defined_subject = bundle_obj.get_defined_subject()
     bundle_.content_type = bundle_obj.get_content_type()
     bundle_.timestamp = bundle_obj.get_timestamp()
     bundle_.malware_instance_object_attributes = Object.from_obj(
         bundle_obj.get_Malware_Instance_Object_Attributes()
     )
     if bundle_obj.get_AV_Classifications() is not None:
         bundle_.av_classifications = AVClassifications.from_obj(bundle_obj.get_AV_Classifications())
     bundle_.process_tree = ProcessTree.from_obj(bundle_obj.get_Process_Tree())
     if bundle_obj.get_Behaviors() is not None:
         bundle_.behaviors = BehaviorList.from_obj(bundle_obj.get_Behaviors())
     if bundle_obj.get_Capabilities() is not None:
         bundle_.capabilities = CapabilityList.from_obj(bundle_obj.get_Capabilities())
     if bundle_obj.get_Actions() is not None:
         bundle_.actions = ActionList.from_obj(bundle_obj.get_Actions())
     if bundle_obj.get_Objects() is not None:
         bundle_.objects = ObjectList.from_obj(bundle_obj.get_Objects())
     if bundle_obj.get_Candidate_Indicators() is not None:
         bundle_.candidate_indicators = CandidateIndicatorList.from_obj(bundle_obj.get_Candidate_Indicators())
     bundle_.collections = Collections.from_obj(bundle_obj.get_Collections())
     return bundle_
Beispiel #13
0
    def test_add_collections(self):
        o = Bundle()

        o.add_named_action_collection("Actions")
        ma = MalwareAction()
        o.add_action(ma, "Actions")
        self.assertTrue(
            o.collections.action_collections.has_collection("Actions"))

        o.add_named_object_collection("Objects")
        obj = Object()
        o.add_object(obj, "Objects")
        self.assertTrue(
            o.collections.object_collections.has_collection("Objects"))

        o.add_named_behavior_collection("Behaviors")
        b = Behavior()
        o.add_behavior(b, "Behaviors")
        self.assertTrue(
            o.collections.behavior_collections.has_collection("Behaviors"))

        o.add_named_candidate_indicator_collection("Indicators")
        ci = CandidateIndicator()
        o.add_candidate_indicator(ci, "Indicators")
        self.assertTrue(
            o.collections.candidate_indicator_collections.has_collection(
                "Indicators"))
    def __init__(self, item=None, id_=None):
        """Create an Observable out of 'item'.

        `item` can be any of:
        - an Object
        - an ObservableComposition
        - any subclass of ObjectProperties.

        In the first two cases, the appropriate property of the Observable will
        be set. In the last cases, an Object will be built automatically to
        ensure the correct hierarchy is created.
        """
        if not id_:
            id_ = cybox.utils.create_id(prefix="Observable")

        self.id_ = id_
        self.title = None
        self.description = None

        self.object_ = None
        self.observable_composition = None
        self.idref = None

        if not item:
            return

        if isinstance(item, Object):
            self.object_ = item
        elif isinstance(item, ObservableComposition):
            self.observable_composition = item
        elif isinstance(item, ObjectProperties):
            if item.parent:
                self.object_ = item.parent
            else:
                self.object_ = Object(item)
Beispiel #15
0
 def from_obj(object_obj):
     if not object_obj:
         return None
     obj = Object.from_obj(object_obj, AssociatedObject())
     obj.association_type = VocabString.from_obj(
         object_obj.Association_Type)
     return obj
Beispiel #16
0
    def test_obj_oc_mutally_exclusive(self):
        obj = Object()
        oc = ObservableComposition()
        e = Event()

        o1 = Observable(obj)
        self.assertRaises(ValueError, _set_event, o1, e)
        self.assertRaises(ValueError, _set_oc, o1, oc)

        o5 = Observable(e)
        self.assertRaises(ValueError, _set_obj, o5, obj)
        self.assertRaises(ValueError, _set_oc, o5, oc)

        o2 = Observable(oc)
        self.assertRaises(ValueError, _set_obj, o2, obj)
        self.assertRaises(ValueError, _set_event, o2, e)

        o3 = Observable()
        _set_obj(o3, obj)
        self.assertRaises(ValueError, _set_event, o3, e)
        self.assertRaises(ValueError, _set_oc, o3, oc)

        o6 = Observable()
        _set_event(o6, e)
        self.assertRaises(ValueError, _set_obj, o6, obj)
        self.assertRaises(ValueError, _set_oc, o6, oc)

        o4 = Observable()
        _set_oc(o4, oc)
        self.assertRaises(ValueError, _set_obj, o4, obj)
        self.assertRaises(ValueError, _set_event, o4, e)
    def __init__(self,
                 item=None,
                 id_=None,
                 idref=None,
                 title=None,
                 description=None):
        """Create an Observable out of 'item'.

        `item` can be any of:
        - an Object
        - an Event
        - an ObservableComposition
        - any subclass of ObjectProperties.

        In the first three cases, the appropriate property of the Observable
        will be set. In the last cases, an Object will be built automatically
        to ensure the correct hierarchy is created.
        """
        super(Observable, self).__init__()
        if not id_ and not idref:
            id_ = cybox.utils.create_id(prefix="Observable")

        self.id_ = id_
        self.title = title
        self.description = description

        self.object_ = None
        self.event = None
        self.observable_composition = None
        self.idref = idref
        self.sighting_count = None
        self.observable_source = []

        if not item:
            return

        if isinstance(item, Object):
            self.object_ = item
        elif isinstance(item, ObservableComposition):
            self.observable_composition = item
        elif isinstance(item, Event):
            self.event = item
        elif isinstance(item, ObjectProperties):
            if item.parent:
                self.object_ = item.parent
            else:
                self.object_ = Object(item)
Beispiel #18
0
def generateObservable(indicator, attribute):
    if (attribute["type"] in ("snort", "yara")):
        generateTM(indicator, attribute)
    else:
        observable = None
        if (attribute["type"] in simple_type_to_method.keys()):
            action = getattr(this_module,
                             simple_type_to_method[attribute["type"]], None)
            if (action != None):
                property = action(attribute)
                object = Object(property)
                object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + property.__class__.__name__ + "-" + attribute[
                    "uuid"]
                observable = Observable(object)
                observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute[
                    "uuid"]
                indicator.add_observable(observable)
 def populate(self, entry_dict, static_bundle, malware_subject=None):
     if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1:
         file_dict = self.create_object_dict(entry_dict['file'])
         if malware_subject:
             malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict)
             # Add the hashes for the Malware Instance Object Attributes
             data = open(self.pefile_parser.infile, 'rb').read()
             if data:
                 md5_hash = hashlib.md5(data).hexdigest()
                 sha1_hash = hashlib.sha1(data).hexdigest()
                 malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash)
                 malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash)
         else:
             static_bundle.add_object(Object.from_dict(file_dict))
     if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1:
         pe_dict = self.create_object_dict(entry_dict['pe'])
         static_bundle.add_object(Object.from_dict(pe_dict))
Beispiel #20
0
 def populate(self, entry_dict, static_bundle, malware_subject=None):
     if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1:
         file_dict = self.create_object_dict(entry_dict['file'])
         if malware_subject:
             malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict)
             # Add the hashes for the Malware Instance Object Attributes
             data = open(self.pefile_parser.infile, 'rb').read()
             if data:
                 md5_hash = hashlib.md5(data).hexdigest()
                 sha1_hash = hashlib.sha1(data).hexdigest()
                 malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash)
                 malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash)
         else:
             static_bundle.add_object(Object.from_dict(file_dict))
     if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1:
         pe_dict = self.create_object_dict(entry_dict['pe'])
         static_bundle.add_object(Object.from_dict(pe_dict))
Beispiel #21
0
    def from_dict(observable_dict):
        if not observable_dict:
            return None

        obs = Observable()

        obs.id_ = observable_dict.get('id')
        obs.title = observable_dict.get('title')
        obs.description = StructuredText.from_dict(observable_dict.get('description'))
        obs.object_ = Object.from_dict(observable_dict.get('object'))
        obs.event = Object.from_dict(observable_dict.get('event'))
        obs.observable_composition = ObservableComposition.from_dict(observable_dict.get('observable_composition'))
        obs.idref = observable_dict.get('idref')
        obs.sighting_count = observable_dict.get('sighting_count')
        if observable_dict.get('observable_source'):
            obs.observable_source = [MeasureSource.from_dict(x) for x in observable_dict.get('observable_source')]

        return obs
def create_file(file_name=None, md5=None, sha1=None, sha256=None):
    file_ = File()
    file_.file_name = file_name
    file_.md5 = md5
    file_.sha1 = sha1
    file_.sha256 = sha256
    api_object = ApiObject(ty='obs', apiobj=Observable(item=Object(file_)))
    api_object.api_object = api_object
    return api_object
Beispiel #23
0
 def create_maec(self, url_indicator):
     package = Package()
     ms = MalwareSubject()
     ms.malware_instance_object_attributes = Object()
     ms.malware_instance_object_attributes.properties = URI(
         type_=URI.TYPE_URL)
     ms.malware_instance_object_attributes.properties.value = url_indicator
     package.add_malware_subject(ms)
     return package
    def test_round_trip(self):
        o = Observable()
        o.title = "An observable"
        o.description = "some text"
        o.description.structuring_format = "plain"
        o.id_ = "abc123"
        o.object_ = Object()

        o2 = cybox.test.round_trip(o)
        self.assertEqual(o.to_dict(), o2.to_dict())
Beispiel #25
0
 def generate_observable(self, indicator, attribute):
     attribute_type = attribute.type
     if attribute_type in ('snort', 'yara'):
         self.generate_TM(indicator, attribute)
     else:
         observable = None
         # if attribute_type in self.simple_type_to_method:
         try:
             observable_property = self.simple_type_to_method[attribute_type](indicator, attribute)
         except KeyError:
             return False
         if isinstance(observable_property, Observable):
             return indicator.add_observable(observable_property)
         observable_property.condition = "Equals"
         observable_object = Object(observable_property)
         observable_object.id_ = "{}:{}-{}".format(self.namespace_prefix, observable_property.__class__.__name__, attribute.uuid)
         observable = Observable(observable_object)
         observable.id_ = "{}:observable-{}".format(self.namespace_prefix, attribute.uuid)
         indicator.add_observable(observable)
Beispiel #26
0
    def prune_objects(self, candidate_indicator_objects):
        """Perform contraindicator and required property checking and prune un-wanted 
        properties from the input list of candidate Indicator CybOX Objects. 
        
        Args:
            candidate_indicator_objects: a list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects representing
                the initial list of CybOX Objects that may be used in the STIX Indicators.

        Returns:
            A list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects representing
                the final list of checked and pruned CybOX Objects that will be used for the STIX Indicators.
        """
        final_indicator_objects = []
        # Prune any unwanted properties from Objects
        for entry in candidate_indicator_objects:
            object = entry.object
            xsi_type = object.properties._XSI_TYPE
            # Do the contraindicator check
            if xsi_type in self.config.supported_objects and not self._contraindicator_check(
                    entry):
                object_type_conf = self.config.supported_objects[xsi_type]
                # Prune the properties of the Object to correspond to the input config file
                # First, test for the presence of only the required properties
                if self._required_property_check(
                        object, self.config.supported_objects[xsi_type]):
                    # If the required properties are found, prune based on the full set (optional + required)
                    full_properties = {}
                    full_properties.update(object_type_conf["required"])
                    full_properties.update(object_type_conf["optional"])
                    full_properties.update(
                        object_type_conf["mutually_exclusive"])
                    full_pruned_properties = self._prune_object_properties(
                        object.properties.to_dict(), full_properties)
                    full_pruned_properties["xsi:type"] = xsi_type
                    # Create a new Object with the pruned ObjectProperties
                    pruned_object = Object()
                    pruned_object.properties = ObjectProperties.from_dict(
                        full_pruned_properties)
                    entry.object = pruned_object
                    # Add the updated Object History entry to the final list of Indicators
                    final_indicator_objects.append(entry)
        return final_indicator_objects
Beispiel #27
0
    def test_invalid_arguments(self):
        obj = Object()
        e = Event()
        oc = ObservableComposition()

        o1 = Observable()
        self.assertRaises(TypeError, _set_event, o1, obj)
        self.assertRaises(TypeError, _set_oc, o1, obj)
        self.assertRaises(TypeError, _set_obj, o1, e)
        self.assertRaises(TypeError, _set_oc, o1, e)
        self.assertRaises(TypeError, _set_obj, o1, oc)
        self.assertRaises(TypeError, _set_event, o1, oc)
Beispiel #28
0
    def from_dict(observable_dict):
        if not observable_dict:
            return None

        from cybox.core import PatternFidelity
        obs = Observable()

        obs.id_ = observable_dict.get('id')
        obs.title = observable_dict.get('title')
        obs.description = StructuredText.from_dict(observable_dict.get('description'))
        obs.object_ = Object.from_dict(observable_dict.get('object'))
        obs.event = Object.from_dict(observable_dict.get('event'))
        obs.observable_composition = ObservableComposition.from_dict(observable_dict.get('observable_composition'))
        obs.idref = observable_dict.get('idref')
        obs.sighting_count = observable_dict.get('sighting_count')
        if observable_dict.get('observable_source'):
            obs.observable_source = [MeasureSource.from_dict(x) for x in observable_dict.get('observable_source')]
        obs.keywords = Keywords.from_dict(observable_dict.get('keywords'))
        obs.pattern_fidelity = PatternFidelity.from_dict(observable_dict.get('pattern_fidelity'))

        return obs
    def from_obj(observable_obj):
        if not observable_obj:
            return None

        obs = Observable()

        obs.id_ = observable_obj.get_id()
        obs.title = observable_obj.get_Title()
        obs.description = StructuredText.from_obj(observable_obj.get_Description())
        obs.object_ = Object.from_obj(observable_obj.get_Object())
        obs.observable_composition = ObservableComposition.from_obj(observable_obj.get_Observable_Composition())
        obs.idref = observable_obj.get_idref()
        return obs
    def from_dict(observable_dict):
        if not observable_dict:
            return None

        obs = Observable()

        obs.id_ = observable_dict.get('id')
        obs.title = observable_dict.get('title')
        obs.description = StructuredText.from_dict(observable_dict.get('description'))
        obs.object_ = Object.from_dict(observable_dict.get('object'))
        obs.observable_composition = ObservableComposition.from_dict(observable_dict.get('observable_composition'))
        obs.idref = observable_dict.get('idref')

        return obs
    def prune_objects(self, candidate_indicator_objects):
        """Perform contraindicator and required property checking and prune un-wanted 
        properties from the input list of candidate Indicator CybOX Objects. 
        
        Args:
            candidate_indicator_objects: a list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects representing
                the initial list of CybOX Objects that may be used in the STIX Indicators.

        Returns:
            A list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects representing
                the final list of checked and pruned CybOX Objects that will be used for the STIX Indicators.
        """
        final_indicator_objects = []
        # Prune any unwanted properties from Objects
        for entry in candidate_indicator_objects:
            object = entry.object
            xsi_type = object.properties._XSI_TYPE
            # Do the contraindicator check
            if xsi_type in self.config.supported_objects and not self._contraindicator_check(entry):
                object_type_conf = self.config.supported_objects[xsi_type]
                # Prune the properties of the Object to correspond to the input config file
                # First, test for the presence of only the required properties
                if self._required_property_check(object, self.config.supported_objects[xsi_type]):
                    # If the required properties are found, prune based on the full set (optional + required)
                    full_properties = {}
                    full_properties.update(object_type_conf["required"])
                    full_properties.update(object_type_conf["optional"])
                    full_properties.update(object_type_conf["mutually_exclusive"])
                    full_pruned_properties = self._prune_object_properties(object.properties.to_dict(), full_properties)
                    full_pruned_properties["xsi:type"] = xsi_type
                    # Create a new Object with the pruned ObjectProperties
                    pruned_object = Object()
                    pruned_object.properties = ObjectProperties.from_dict(full_pruned_properties)
                    entry.object = pruned_object
                    # Add the updated Object History entry to the final list of Indicators
                    final_indicator_objects.append(entry)
        return final_indicator_objects
Beispiel #32
0
 def test_properties_not_in_inline(self):
     # https://github.com/CybOXProject/python-cybox/issues/287
     o1 = Object(self.domain)
     o2 = Object(self.ip)
     o1.add_related(self.ip, "Resolved_To", inline=False)
     xml = o1.to_xml(encoding=None)
     print(xml)
     self.assertTrue(o1.id_ in xml)
     self.assertTrue(o2.id_ in xml)
     self.assertFalse(str(self.ip.address_value) in xml)
Beispiel #33
0
    def __init__(self, item=None, id_=None, idref=None, title=None, description=None):
        """Create an Observable out of 'item'.

        `item` can be any of:
        - an Object
        - an Event
        - an ObservableComposition
        - any subclass of ObjectProperties.

        In the first three cases, the appropriate property of the Observable
        will be set. In the last cases, an Object will be built automatically
        to ensure the correct hierarchy is created.
        """
        super(Observable, self).__init__()
        if not id_ and not idref:
            id_ = cybox.utils.create_id(prefix="Observable")

        self.id_ = id_
        self.title = title
        self.description = description

        self.object_ = None
        self.event = None
        self.observable_composition = None
        self.idref = idref
        self.sighting_count = None
        self.observable_source = []
        self.keywords = Keywords()
        self.pattern_fidelity = None

        if item is None:
            return
        elif isinstance(item, Object):
            self.object_ = item
        elif isinstance(item, ObservableComposition):
            self.observable_composition = item
        elif isinstance(item, Event):
            self.event = item
        elif isinstance(item, ObjectProperties):
            if item.parent:
                self.object_ = item.parent
            else:
                self.object_ = Object(item)
        else:
            msg = ("item must be an Object, Event, ObservableComposition, or "
                   "subclass of ObjectProperties. Received an %s" % type(item))
            raise TypeError(msg)
Beispiel #34
0
    def from_obj(observable_obj):
        if not observable_obj:
            return None

        obs = Observable()

        obs.id_ = observable_obj.get_id()
        obs.title = observable_obj.get_Title()
        obs.description = StructuredText.from_obj(observable_obj.get_Description())
        obs.object_ = Object.from_obj(observable_obj.get_Object())
        obs.event = Event.from_obj(observable_obj.get_Event())
        obs.observable_composition = ObservableComposition.from_obj(observable_obj.get_Observable_Composition())
        obs.idref = observable_obj.get_idref()
        obs.sighting_count = observable_obj.get_sighting_count()
        if observable_obj.get_Observable_Source():
            obs.observable_source = [MeasureSource.from_obj(x) for x in observable_obj.get_Observable_Source()]
        return obs
Beispiel #35
0
    def test_round_trip(self):
        o = Observable()
        o.title = "An observable"
        o.description = "some text"
        o.description.structuring_format = "plain"
        o.id_ = "abc123"
        o.object_ = Object()

        pf = PatternFidelity()
        ot = ObfuscationTechnique()
        ot.description = "X0Rz"
        pf.evasion_techniques = ObfuscationTechniques()
        pf.evasion_techniques.append(ot)
        o.pattern_fidelity = pf

        o2 = round_trip(o)
        self.assertEqual(o.to_dict(), o2.to_dict())
Beispiel #36
0
 def from_dict(malware_subject_dict):
     if not malware_subject_dict:
         return None
     malware_subject_ = MalwareSubject(None)
     malware_subject_.id = malware_subject_dict.get('id')
     malware_subject_.malware_instance_object_attributes = Object.from_dict(malware_subject_dict.get('malware_instance_object_attributes'))
     malware_subject_.minor_variants = MinorVariants.from_list(malware_subject_dict.get('minor_variants'))
     malware_subject_.configuration_details = MalwareConfigurationDetails.from_dict(malware_subject_dict.get('configuration_details'))
     malware_subject_.development_environment = MalwareDevelopmentEnvironment.from_dict(malware_subject_dict.get('development_environment'))
     malware_subject_.field_data = None #TODO: add support
     malware_subject_.analyses = Analyses.from_list(malware_subject_dict.get('analyses'))
     malware_subject_.findings_bundles = FindingsBundleList.from_dict(malware_subject_dict.get('findings_bundles'))
     malware_subject_.relationships = MalwareSubjectRelationshipList.from_list(malware_subject_dict.get('id'))
     if malware_subject_dict.get('label'):
         malware_subject_.label = [VocabString.from_dict(x) for x in malware_subject_dict.get('label')]
     if malware_subject_dict.get('compatible_platform'):
         malware_subject_.compatible_platform = [PlatformSpecification.from_dict(x) for x in malware_subject_dict.get('compatible_platform')]
     return malware_subject_
Beispiel #37
0
 def from_obj(malware_subject_obj):
     if not malware_subject_obj:
         return None
     malware_subject_ = MalwareSubject(None)
     malware_subject_.id = malware_subject_obj.get_id()
     malware_subject_.malware_instance_object_attributes = Object.from_obj(malware_subject_obj.get_Malware_Instance_Object_Attributes())
     malware_subject_.minor_variants = MinorVariants.from_obj(malware_subject_obj.get_Minor_Variants())
     malware_subject_.configuration_details = MalwareConfigurationDetails.from_obj(malware_subject_obj.get_Configuration_Details())
     malware_subject_.development_environment = MalwareDevelopmentEnvironment.from_obj(malware_subject_obj.get_Development_Environment())
     malware_subject_.field_data = None #TODO: add support
     malware_subject_.analyses = Analyses.from_obj(malware_subject_obj.get_Analyses())
     malware_subject_.findings_bundles = FindingsBundleList.from_obj(malware_subject_obj.get_Findings_Bundles())
     malware_subject_.relationships = MalwareSubjectRelationshipList.from_obj(malware_subject_obj.get_Relationships())
     if malware_subject_obj.get_Label():
         malware_subject_.label = [VocabString.from_obj(x) for x in malware_subject_obj.get_Label()]
     if malware_subject_obj.get_Compatible_Platform():
         malware_subject_.compatible_platform = [PlatformSpecification.from_obj(x) for x in malware_subject_obj.get_Compatible_Platform()]
     return malware_subject_
Beispiel #38
0
def merge_binned_malware_subjects(merged_malware_subject, binned_list, id_mappings_dict):
    '''Merge a list of input binned (related) Malware Subjects'''
    # Merge the Malware_Instance_Object_Attributes
    mal_inst_obj_list = [x.malware_instance_object_attributes for x in binned_list]
    merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list))
    # Give the merged Object a new ID
    merged_inst_obj.id_ = maec.utils.idgen.create_id('object')
    # Deduplicate the hash values, if they exist
    if merged_inst_obj.properties and merged_inst_obj.properties.hashes:
        hashes = merged_inst_obj.properties.hashes
        hashes = HashList(deduplicate_vocabulary_list(hashes, value_name = 'simple_hash_value'))
        hashes = HashList(deduplicate_vocabulary_list(hashes, value_name = 'fuzzy_hash_value'))
        merged_inst_obj.properties.hashes = hashes
    # Merge and deduplicate the labels
    merged_labels = list(itertools.chain(*[x.label for x in binned_list if x.label]))
    deduplicated_labels = deduplicate_vocabulary_list(merged_labels)
    # Merge the configuration details
    config_details_list = [x.configuration_details for x in binned_list if x.configuration_details]
    merged_config_details = None
    if config_details_list:
        merged_config_details = MalwareConfigurationDetails.from_dict(merge_entities(config_details_list))
    # Merge the minor variants
    merged_minor_variants = list(itertools.chain(*[x.minor_variants for x in binned_list if x.minor_variants]))
    # Merge the field data # TODO: Add support. Not implemented in the APIs.
    # Merge the analyses
    merged_analyses = list(itertools.chain(*[x.analyses for x in binned_list if x.analyses]))
    # Merge the findings bundles
    merged_findings_bundles = merge_findings_bundles([x.findings_bundles for x in binned_list if x.findings_bundles])
    # Merge the relationships
    merged_relationships = list(itertools.chain(*[x.relationships for x in binned_list if x.relationships]))
    # Merge the compatible platforms
    merged_compatible_platforms = list(itertools.chain(*[x.compatible_platform for x in binned_list if x.compatible_platform]))



    # Build the merged Malware Subject
    merged_malware_subject.malware_instance_object_attributes = merged_inst_obj
    if deduplicated_labels: merged_malware_subject.label = deduplicated_labels
    if merged_config_details: merged_malware_subject.configuration_details = merged_config_details
    if merged_minor_variants: merged_malware_subject.minor_variants = MinorVariants(merged_minor_variants)
    if merged_analyses: merged_malware_subject.analyses = Analyses(merged_analyses)
    if merged_findings_bundles: merged_malware_subject.findings_bundles = merged_findings_bundles
    if merged_relationships: merged_malware_subject.relationships = MalwareSubjectRelationshipList(merged_relationships)
    if merged_compatible_platforms: merged_malware_subject.compatible_platform = merged_compatible_platforms
Beispiel #39
0
 def from_dict(bundle_dict):
     if not bundle_dict:
         return None
     bundle_ = Bundle(None, None)
     bundle_.id = bundle_dict.get('id')
     bundle_.schema_version = bundle_dict.get('schema_version')
     bundle_.defined_subject = bundle_dict.get('defined_subject')
     bundle_.content_type = bundle_dict.get('content_type')
     bundle_.timestamp = datetime.datetime.strptime(bundle_dict.get('timestamp'), "%Y-%m-%dT%H:%M:%S.%f")
     bundle_.malware_instance_object_attributes = Object.from_dict(bundle_dict.get('malware_instance_object_attributes'))
     bundle_.av_classifications = AVClassifications.from_list(bundle_dict.get('av_classifications'))
     bundle_.process_tree = ProcessTree.from_dict(bundle_dict.get('process_tree'))
     bundle_.behaviors = BehaviorList.from_list(bundle_dict.get('behaviors', []))
     bundle_.capabilities = CapabilityList.from_dict(bundle_dict.get('capabilities'))
     bundle_.actions = ActionList.from_list(bundle_dict.get('actions', []))
     bundle_.objects = ObjectList.from_list(bundle_dict.get('objects', []))
     bundle_.candidate_indicators = CandidateIndicatorList.from_list(bundle_dict.get('candidate_indicators', []))
     bundle_.collections = Collections.from_dict(bundle_dict.get('collections'))
     return bundle_
    def __init__(self, item=None, id_=None, idref=None, title=None, description=None):
        """Create an Observable out of 'item'.

        `item` can be any of:
        - an Object
        - an Event
        - an ObservableComposition
        - any subclass of ObjectProperties.

        In the first three cases, the appropriate property of the Observable
        will be set. In the last cases, an Object will be built automatically
        to ensure the correct hierarchy is created.
        """
        super(Observable, self).__init__()
        if not id_ and not idref:
            id_ = cybox.utils.create_id(prefix="Observable")

        self.id_ = id_
        self.title = title
        self.description = description

        self.object_ = None
        self.event = None
        self.observable_composition = None
        self.idref = idref
        self.sighting_count = None
        self.observable_source = []

        if not item:
            return

        if isinstance(item, Object):
            self.object_ = item
        elif isinstance(item, ObservableComposition):
            self.observable_composition = item
        elif isinstance(item, Event):
            self.event = item
        elif isinstance(item, ObjectProperties):
            if item.parent:
                self.object_ = item.parent
            else:
                self.object_ = Object(item)
Beispiel #41
0
    def test_observable_init(self):
        # Can pass an Object into the Observable constructor
        o = Object()
        obs = Observable(o)

        # Can pass an Event into the Observable constructor
        e = Event()
        obs = Observable(e)

        # Can pass an ObservableComposition into the Observable constructor
        oc = ObservableComposition()
        obs = Observable(oc)

        # Can pass an ObjectProperties subclass into the Observable constructor
        a = Address()
        obs = Observable(a)

        # Cannot pass a String into the Observable constructor.
        s = String()
        self.assertRaises(TypeError, Observable, s)
Beispiel #42
0
    def __get_email_cybox_object(self, email_sha256, log, config=None):
        if not config:
            return None, None, None

        mail_path = os.path.join(config['emailpath'], email_sha256[0:2], email_sha256[2:4], email_sha256)
        email_path = os.path.join(mail_path, 'cybox-%s-message.xml' % (email_sha256))
        email_stix_path = os.path.join(mail_path, 'stix-%s-email-message.xml' % (email_sha256))
        email_stix_filename = 'stix-%s-email-message.xml' % (email_sha256)
        if os.path.exists(mail_path) and os.path.exists(email_path):
            try:
                observables_obj = cybox_core_binding.parse(email_path)
                obs = Observables.from_obj(observables_obj)
                email_observables = obs.observables[1:]
                email_object = Object.from_obj(obs.observables[0].to_obj().Object)
                return email_object._properties, email_observables, (email_stix_path, email_stix_filename)
            except StandardError as e:
                log.error("failed extracting cybox email observable: %s" % (e))
                return None, None, None
        log.warning("no cybox report or email found for given hash: %s" % (email_path))
        return None, None, None
Beispiel #43
0
    def from_obj(observable_obj):
        if not observable_obj:
            return None

        from cybox.core import PatternFidelity
        obs = Observable()

        obs.id_ = observable_obj.id
        obs.title = observable_obj.Title
        obs.description = StructuredText.from_obj(observable_obj.Description)
        obs.object_ = Object.from_obj(observable_obj.Object)
        obs.event = Event.from_obj(observable_obj.Event)
        obs.observable_composition = ObservableComposition.from_obj(observable_obj.Observable_Composition)
        obs.idref = observable_obj.idref
        obs.sighting_count = observable_obj.sighting_count
        if observable_obj.Observable_Source:
            obs.observable_source = [MeasureSource.from_obj(x) for x in observable_obj.Observable_Source]
        obs.keywords = Keywords.from_obj(observable_obj.Keywords)
        obs.pattern_fidelity = PatternFidelity.from_obj(observable_obj.Pattern_Fidelity)

        return obs
Beispiel #44
0
 def from_dict(bundle_dict):
     if not bundle_dict:
         return None
     bundle_ = Bundle(None, None)
     bundle_.id = bundle_dict.get("id")
     bundle_.schema_version = bundle_dict.get("schema_version")
     bundle_.defined_subject = bundle_dict.get("defined_subject")
     bundle_.content_type = bundle_dict.get("content_type")
     bundle_.timestamp = datetime.datetime.strptime(bundle_dict.get("timestamp"), "%Y-%m-%dT%H:%M:%S.%f")
     bundle_.malware_instance_object_attributes = Object.from_dict(
         bundle_dict.get("malware_instance_object_attributes")
     )
     bundle_.av_classifications = AVClassifications.from_list(bundle_dict.get("av_classifications"))
     bundle_.process_tree = ProcessTree.from_dict(bundle_dict.get("process_tree"))
     bundle_.behaviors = BehaviorList.from_list(bundle_dict.get("behaviors", []))
     bundle_.capabilities = CapabilityList.from_dict(bundle_dict.get("capabilities"))
     bundle_.actions = ActionList.from_list(bundle_dict.get("actions", []))
     bundle_.objects = ObjectList.from_list(bundle_dict.get("objects", []))
     bundle_.candidate_indicators = CandidateIndicatorList.from_list(bundle_dict.get("candidate_indicators", []))
     bundle_.collections = Collections.from_dict(bundle_dict.get("collections"))
     return bundle_
 def from_obj(object_obj):
     if not object_obj:
         return None
     obj = Object.from_obj(object_obj, AssociatedObject())
     obj.association_type = AssociationType.from_obj(object_obj.Association_Type)
     return obj
from maec.package.package import Package
from maec.package.malware_subject import (MalwareSubject, MalwareSubjectRelationship, 
                                          MalwareSubjectRelationshipList, MalwareSubjectReference)
from cybox.common import VocabString
from cybox.core import Object
from cybox.objects.file_object import File

# Set up the necessary Package and Malware Subject instances
p = Package()
ms1 = MalwareSubject()
ms2 = MalwareSubject()
ms3 = MalwareSubject()
ms4 = MalwareSubject()

# Set the Malware_Instance_Object_Attributes on the first Malware Subject
ms1.malware_instance_object_attributes = Object()
ms1.malware_instance_object_attributes.properties = File()
ms1.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe"
ms1.malware_instance_object_attributes.properties.size_in_bytes = "196608"
ms1.malware_instance_object_attributes.properties.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")

# Set the Malware_Instance_Object_Attributes on the second Malware Subject
ms2.malware_instance_object_attributes = Object()
ms2.malware_instance_object_attributes.properties = File()
ms2.malware_instance_object_attributes.properties.file_name = "msvcr.dll"

# Set the Malware_Instance_Object_Attributes on the third Malware Subject
ms3.malware_instance_object_attributes = Object()
ms3.malware_instance_object_attributes.properties = File()
ms3.malware_instance_object_attributes.properties.file_name = "fvcwin32.exe"
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_mutex_object import WinMutex
from cybox.common import ToolInformation, VocabString

# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash(
    "B6C39FF68346DCC8B67AA060DEFE40C2")
ms.malware_instance_object_attributes.properties.add_hash(
    "D55B0FB96FAD96D203D10850469489FC03E6F2F7")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
t = ToolInformation()
t.name = "ThreatExpert"
t.vendor = "ThreatExpert"
a.add_tool(t)
Beispiel #48
0
 def from_obj(object_obj):
     if not object_obj:
         return None
     obj = Object.from_obj(object_obj, AssociatedObject())
     obj.association_type_ = VocabString.from_obj(object_obj.get_Association_Type())
     return obj
Beispiel #49
0
class Observable(cybox.Entity):
    """A single Observable.
    """
    _binding = core_binding
    _namespace = 'http://cybox.mitre.org/cybox-2'

    def __init__(self, item=None, id_=None, idref=None, title=None, description=None):
        """Create an Observable out of 'item'.

        `item` can be any of:
        - an Object
        - an Event
        - an ObservableComposition
        - any subclass of ObjectProperties.

        In the first three cases, the appropriate property of the Observable
        will be set. In the last cases, an Object will be built automatically
        to ensure the correct hierarchy is created.
        """
        super(Observable, self).__init__()
        if not id_ and not idref:
            id_ = cybox.utils.create_id(prefix="Observable")

        self.id_ = id_
        self.title = title
        self.description = description

        self.object_ = None
        self.event = None
        self.observable_composition = None
        self.idref = idref
        self.sighting_count = None
        self.observable_source = []
        self.keywords = Keywords()
        self.pattern_fidelity = None

        if not item:
            return

        if isinstance(item, Object):
            self.object_ = item
        elif isinstance(item, ObservableComposition):
            self.observable_composition = item
        elif isinstance(item, Event):
            self.event = item
        elif isinstance(item, ObjectProperties):
            if item.parent:
                self.object_ = item.parent
            else:
                self.object_ = Object(item)

    @property
    def id_(self):
        return self._id
    
    @id_.setter
    def id_(self, value):
        if not value:
            self._id = None
        else:
            self._id = value
            self.idref = None
    
    @property
    def idref(self):
        return self._idref
    
    @idref.setter
    def idref(self, value):
        if not value:
            self._idref = None
        else:
            self._idref = value
            self.id_ = None # unset id_ if idref is present 

    @property
    def object_(self):
        return self._object

    @object_.setter
    def object_(self, value):
        if value:
            if self.event:
                msg = 'Observable already has an Event.'
                raise ValueError(msg)
            elif self.observable_composition:
                msg = 'Observable already has an ObservableComposition.'
                raise ValueError(msg)
            if not isinstance(value, Object):
                raise TypeError('value must be an Object')

        self._object = value

    @property
    def event(self):
        return self._event

    @event.setter
    def event(self, value):
        if value:
            if self.object_:
                raise ValueError('Observable already has an Object.')
            elif self.observable_composition:
                msg = 'Observable already has an ObservableComposition.'
                raise ValueError(msg)
            if not isinstance(value, Event):
                raise TypeError('value must be an Event')

        self._event = value

    @property
    def observable_composition(self):
        return self._observable_composition

    @observable_composition.setter
    def observable_composition(self, value):
        if value:
            if self.object_:
                raise ValueError('Observable already has an Object.')
            elif self.event:
                msg = 'Observable already has an Event.'
                raise ValueError(msg)
            if not isinstance(value, ObservableComposition):
                raise TypeError('value must be an ObservableComposition')

        self._observable_composition = value

    @property
    def description(self):
        return self._description

    @description.setter
    def description(self, value):
        if value is not None and not isinstance(value, StructuredText):
            value = StructuredText(value)
        self._description = value

    def add_keyword(self, value):
        self.keywords.append(value)

    def to_obj(self, return_obj=None, ns_info=None):
        self._collect_ns_info(ns_info)

        obs_obj = core_binding.ObservableType()

        obs_obj.id = self.id_
        if self.title is not None:
            obs_obj.Title = self.title
        if self.description is not None:
            obs_obj.Description = self.description.to_obj(ns_info=ns_info)
        if self.object_:
            obs_obj.Object = self.object_.to_obj(ns_info=ns_info)
        if self.event:
            obs_obj.Event = self.event.to_obj(ns_info=ns_info)
        if self.observable_composition:
            obs_obj.Observable_Composition = self.observable_composition.to_obj(ns_info=ns_info)
        if self.idref is not None: 
            obs_obj.idref = self.idref
        if self.sighting_count is not None:
            obs_obj.sighting_count = self.sighting_count
        if self.observable_source:
            obs_obj.Observable_Source = [x.to_obj(ns_info=ns_info) for x in self.observable_source]
        if self.keywords:
            obs_obj.Keywords = self.keywords.to_obj(ns_info=ns_info)
        if self.pattern_fidelity:
            obs_obj.Pattern_Fidelity = self.pattern_fidelity.to_obj(ns_info=ns_info)

        return obs_obj

    def to_dict(self):
        obs_dict = {}

        if self.id_ is not None:
            obs_dict['id'] = self.id_
        if self.title is not None:
            obs_dict['title'] = self.title
        if self.description is not None:
            obs_dict['description'] = self.description.to_dict()
        if self.object_:
            obs_dict['object'] = self.object_.to_dict()
        if self.event:
            obs_dict['event'] = self.event.to_dict()
        if self.observable_composition:
            obs_dict['observable_composition'] = self.observable_composition.to_dict()
        if self.idref is not None: 
            obs_dict['idref'] = self.idref
        if self.sighting_count is not None:
            obs_dict['sighting_count'] = self.sighting_count
        if self.observable_source:
            obs_dict['observable_source'] = [x.to_dict() for x in self.observable_source]
        if self.keywords:
            obs_dict['keywords'] = self.keywords.to_dict()
        if self.pattern_fidelity:
            obs_dict['pattern_fidelity'] = self.pattern_fidelity.to_dict()

        return obs_dict

    @staticmethod
    def from_obj(observable_obj):
        if not observable_obj:
            return None

        from cybox.core import PatternFidelity
        obs = Observable()

        obs.id_ = observable_obj.id
        obs.title = observable_obj.Title
        obs.description = StructuredText.from_obj(observable_obj.Description)
        obs.object_ = Object.from_obj(observable_obj.Object)
        obs.event = Event.from_obj(observable_obj.Event)
        obs.observable_composition = ObservableComposition.from_obj(observable_obj.Observable_Composition)
        obs.idref = observable_obj.idref
        obs.sighting_count = observable_obj.sighting_count
        if observable_obj.Observable_Source:
            obs.observable_source = [MeasureSource.from_obj(x) for x in observable_obj.Observable_Source]
        obs.keywords = Keywords.from_obj(observable_obj.Keywords)
        obs.pattern_fidelity = PatternFidelity.from_obj(observable_obj.Pattern_Fidelity)

        return obs

    @staticmethod
    def from_dict(observable_dict):
        if not observable_dict:
            return None

        from cybox.core import PatternFidelity
        obs = Observable()

        obs.id_ = observable_dict.get('id')
        obs.title = observable_dict.get('title')
        obs.description = StructuredText.from_dict(observable_dict.get('description'))
        obs.object_ = Object.from_dict(observable_dict.get('object'))
        obs.event = Object.from_dict(observable_dict.get('event'))
        obs.observable_composition = ObservableComposition.from_dict(observable_dict.get('observable_composition'))
        obs.idref = observable_dict.get('idref')
        obs.sighting_count = observable_dict.get('sighting_count')
        if observable_dict.get('observable_source'):
            obs.observable_source = [MeasureSource.from_dict(x) for x in observable_dict.get('observable_source')]
        obs.keywords = Keywords.from_dict(observable_dict.get('keywords'))
        obs.pattern_fidelity = PatternFidelity.from_dict(observable_dict.get('pattern_fidelity'))

        return obs
Beispiel #50
0
 def from_dict(object_dict):
     if not object_dict:
         return None
     obj = Object.from_dict(object_dict, AssociatedObject())
     obj.association_type_ = VocabString.from_dict(object_dict.get('association_type', None))
     return obj
    def publish_indicator(self, indicator_data, user):
        indicator = DBIndicator(
            id_=indicator_data['id'],
            title=indicator_data.get('title'),
            description=indicator_data.get('description'),
            short_description=indicator_data.get('short_description'),
        )
        indicator.add_indicator_type(indicator_data.get('indicatorType'))
        indicator.confidence = indicator_data.get('confidence', '')
        indicator.id_ns = indicator_data.get('id_ns', '')
        ident = EdgeIdentity(name=indicator_data.get('producer', ''))
        indicator.producer = EdgeInformationSource(identity=ident)
        indicator.handling = handling_from_draft('ind', indicator_data)

        if 'test_mechanisms' in indicator_data:
            for test_mechanism in indicator_data['test_mechanisms']:
                indicator.test_mechanisms.append(
                    IndicatorBuilderPatch.test_mechanism_from_draft(
                        test_mechanism))

        api_objects = {}
        observable_composition = ObservableComposition(
            operator=indicator_data.get('composition_type'))

        # If this is an Update rather than a create,
        #  we only need to copy the id and ns to the composition
        reedit_flag = 0

        # New Observables via Build or Edit
        for data in indicator_data['observables']:
            observable_id = data.get('id')
            if observable_id is None:
                # No id for this observable, therefore it is new and must be created:
                object_type = data['objectType']
                object_type_info = self.observable_object_generator.get_object_type_information(
                    object_type)
                observable_object = self.observable_object_generator.generate_observable_object_from_data(
                    object_type, data)

                object_container = Object(observable_object)
                object_container.id_ = self.generate_id(
                    object_type_info['id_prefix'])

                # Create the observable, and store it in a collection so they can be saved to the database later on:
                observable_id = self.generate_id('observable')
                observable = Observable(title=data['title'],
                                        description=data.get(
                                            'description', ''),
                                        item=object_container,
                                        id_=observable_id)
                observable.id_ns = indicator_data['id_ns']
                api_objects[observable.id_] = ApiObject('obs', observable)
            elif reedit_flag == 0 and self._is_re_edit_mode(data):
                reedit_flag = 1

            # Create a reference to the observable, and add it to the observable composition.
            # The observable composition will be added to the indicator.
            # Adding references to the composition saves duplication of data.
            observable_reference = Observable(idref=observable_id,
                                              idref_ns=indicator_data['id_ns'])
            observable_composition.add(observable_reference)

        # For some reason, the observable composition must be wrapped up in another observable.
        # So to clarify, at this point, we have an observable that contains an observable composition. This composition
        # contains a collection of references to the actual observables.

        # We only want a new ID for the observable composition (obs) if it is first-time Build
        #  otherwise, get it from...?the database?
        if reedit_flag:
            user_action_log = logging.getLogger('user_actions')
            user_action_log.info(
                "%s updated STIX item %s (%s)" %
                (user.username, indicator.id_, indicator.title))
        # EOIndicator = self.edge_object_loader.load(indicator.id_)              # Get the parent indicator
        #     find_ob_comp = lambda edges: [x.fetch() for x in edges if x.ty == 'obs'][0]
        #     # Find the observable composition among it's edges and return only the first hit.
        #     # The call to fetch() resolves the idref into an instance of the object itself
        #     existing_obs_comp = find_ob_comp(EOIndicator.edges)
        #     parent_observable = Observable(item=observable_composition, id_=existing_obs_comp.id_)
        # else:
        parent_observable = Observable(item=observable_composition,
                                       id_=self.generate_id('observable'))

        parent_observable.id_ns = indicator.id_ns
        parent_observable.timestamp = datetime.utcnow(
        )  # needed for versioning Observable Composition

        # ...and store this observable so we can actually write its contents to the database later...
        api_objects[parent_observable.id_] = ApiObject('obs',
                                                       parent_observable)

        # Add a reference of the 'parent' observable to the indicator
        parent_observable_reference = Observable(idref=parent_observable.id_,
                                                 idref_ns=indicator.id_ns)
        indicator.add_observable(parent_observable_reference)

        indicator_api_object = ApiObject('ind', indicator)
        # Process related items/correlations
        [
            relate.correlateIndtoTtp(indicator_api_object, item['idref'])
            for item in indicator_data.get('indicated_ttps', [])
        ]
        [
            relate.correlateIndtoInd(indicator_api_object, item['idref'])
            for item in indicator_data.get('related_indicators', [])
        ]
        [
            relate.correlateIndtoCoa(indicator_api_object, item['idref'])
            for item in indicator_data.get('suggested_coas', [])
        ]
        # Store the indicator so we can write it to the database later
        api_objects[indicator_api_object.id_] = indicator_api_object

        # Finally lets add everything to our Mongo collection...
        tlp = (indicator_data.get('tlp') or 'NULL').upper()
        esms = lines2list(indicator_data.get('markings', ""))

        inbox_processor = InboxProcessorForBuilders(
            user=user,
            trustgroups=indicator_data.get('trustgroups', []),
        )
        for api_obj in api_objects.itervalues():
            inbox_processor.add(
                InboxItem(api_object=api_obj, etlp=tlp, esms=esms))
        inbox_processor.run()

        self.delete_draft(user, indicator_data['id'])
Beispiel #52
0
 def test_id_autoset(self):
     o = Object()
     self.assertNotEqual(o.id_, None)
Beispiel #53
0
 def test_id_prefix(self):
     a = Address()
     o = Object(a)
     self.assertTrue("Address" in o.id_)
from cybox.objects.file_object import File
from maec.bundle import Bundle, Collections, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package
from cybox.utils import Namespace
import maec.utils

# Instantiate the ID generator class (for automatic ID generation) with our example namespace
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)
# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
subject_object.properties.name = 'foobar.exe'
subject_object.properties.size_in_bytes = '35532'
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File() 
associated_object.properties.file_name = 'abcd.dll'
associated_object.properties.size_in_bytes = '123456'
associated_object.association_type = VocabString()
associated_object.association_type.value = 'output'
associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
a.method = "static"
a.type_ = "triage"
a.summary = "A basic static triage of the subject binary using PEiD."
a.set_findings_bundle(b.id_)
a.source = Source()
a.source.name = "Frankie Li"
a.source.url = "http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814"
t = ToolInformation()
t.name = "PEiD"
t.version = "0.94"
a.add_tool(t)

# Set the requisite attributes on the Bundle and populate it with the Static Analysis findings
b.defined_subject = False
b.content_type = "static analysis tool output"
o = Object()
o.properties = WinExecutableFile()
o.properties.headers = PEHeaders()
o.properties.headers.optional_header = PEOptionalHeader()
o.properties.headers.optional_header.major_linker_version = "06"
o.properties.headers.optional_header.minor_linker_version = "00"
o.properties.headers.optional_header.address_of_entry_point = "036418"
o.properties.headers.optional_header.subsystem = "Windows_GUI"

# Build up the full Package/Malware Subject/Analysis/Bundle hierarchy
p.add_malware_subject(ms)
b.add_object(o)
ms.add_analysis(a)
ms.add_findings_bundle(b)

# Output the built up Package to XML
Beispiel #56
0
package = Package()
subject = MalwareSubject()
analysis = Analysis()


# Populate the Analysis with the metadata relating to the Analysis that was performed
analysis.method = "dynamic"
analysis.type_ = "triage"
analysis.set_findings_bundle(bundle.id_)
t = ToolInformation()
t.name = "APIMonitor"
t.vendor = "APIMonitor"
analysis.add_tool(t)

# Malware Instance Object Attribures内で使うためのオブジェクトを作成(マルウェアを含んだファイル?)
subject_object = Object() #オブジェクト
subject_object.properties = File() #ファイルオブジェクト
subject_object.properties.file_name = 'seminor.doc' # ファイル名(マルウェアを含んだファイル)
subject_object.properties.size_in_bytes = '154173' #ファイルサイズ
subject_object.properties.add_hash("54CC941747FA99A3521314B9969D4964")

# 辞書から構築されたオブジェクトとマルウェアインスタンスオブジェクト属性を設定
subject.set_malware_instance_object_attributes(subject_object)

# Actionで使うための関連オブジェクトのディクショナリーを作成
def associated(name,path,byte,value="output"):
  associated_object = AssociatedObject()
  associated_object.properties = File()
  associated_object.properties.file_name = name
  associated_object.properties.file_path = path
  associated_object.properties.size_in_bytes = byte
class Observable(cybox.Entity):
    """A single Observable.
    """
    _binding = core_binding
    _namespace = 'http://cybox.mitre.org/cybox-2'

    def __init__(self, item=None, id_=None):
        """Create an Observable out of 'item'.

        `item` can be any of:
        - an Object
        - an ObservableComposition
        - any subclass of ObjectProperties.

        In the first two cases, the appropriate property of the Observable will
        be set. In the last cases, an Object will be built automatically to
        ensure the correct hierarchy is created.
        """
        if not id_:
            id_ = cybox.utils.create_id(prefix="Observable")

        self.id_ = id_
        self.title = None
        self.description = None

        self.object_ = None
        self.observable_composition = None
        self.idref = None

        if not item:
            return

        if isinstance(item, Object):
            self.object_ = item
        elif isinstance(item, ObservableComposition):
            self.observable_composition = item
        elif isinstance(item, ObjectProperties):
            if item.parent:
                self.object_ = item.parent
            else:
                self.object_ = Object(item)

    @property
    def object_(self):
        return self._object

    @object_.setter
    def object_(self, value):
        if value:
            if self.observable_composition:
                msg = 'Observable already has an ObservableComposition.'
                raise ValueError(msg)
            if not isinstance(value, Object):
                raise TypeError('value must be a Object')

        self._object = value

    @property
    def observable_composition(self):
        return self._observable_composition

    @observable_composition.setter
    def observable_composition(self, value):
        if value:
            if self.object_:
                raise ValueError('Observable already has an Object.')
            if not isinstance(value, ObservableComposition):
                raise TypeError('value must be an ObservableComposition')

        self._observable_composition = value

    @property
    def description(self):
        return self._description

    @description.setter
    def description(self, value):
        if value is not None and not isinstance(value, StructuredText):
            value = StructuredText(value)
        self._description = value

    def to_obj(self):
        obs_obj = core_binding.ObservableType()

        obs_obj.set_id(self.id_)
        if self.title is not None:
            obs_obj.set_Title(self.title)
        if self.description is not None:
            obs_obj.set_Description(self.description.to_obj())
        if self.object_:
            obs_obj.set_Object(self.object_.to_obj())
        if self.observable_composition:
            obs_obj.set_Observable_Composition(self.observable_composition.to_obj())
        if self.idref is not None: 
            obs_obj.set_idref(self.idref)

        return obs_obj

    def to_dict(self):
        obs_dict = {}

        if self.id_ is not None:
            obs_dict['id'] = self.id_
        if self.title is not None:
            obs_dict['title'] = self.title
        if self.description is not None:
            obs_dict['description'] = self.description.to_dict()
        if self.object_:
            obs_dict['object'] = self.object_.to_dict()
        if self.observable_composition:
            obs_dict['observable_composition'] = self.observable_composition.to_dict()
        if self.idref is not None: 
            obs_dict['idref'] = self.idref

        return obs_dict

    @staticmethod
    def from_obj(observable_obj):
        if not observable_obj:
            return None

        obs = Observable()

        obs.id_ = observable_obj.get_id()
        obs.title = observable_obj.get_Title()
        obs.description = StructuredText.from_obj(observable_obj.get_Description())
        obs.object_ = Object.from_obj(observable_obj.get_Object())
        obs.observable_composition = ObservableComposition.from_obj(observable_obj.get_Observable_Composition())
        obs.idref = observable_obj.get_idref()
        return obs

    @staticmethod
    def from_dict(observable_dict):
        if not observable_dict:
            return None

        obs = Observable()

        obs.id_ = observable_dict.get('id')
        obs.title = observable_dict.get('title')
        obs.description = StructuredText.from_dict(observable_dict.get('description'))
        obs.object_ = Object.from_dict(observable_dict.get('object'))
        obs.observable_composition = ObservableComposition.from_dict(observable_dict.get('observable_composition'))
        obs.idref = observable_dict.get('idref')

        return obs