def generateObservable(indicator, attribute): if (attribute["type"] in ("snort", "yara")): generateTM(indicator, attribute) else: observable = None; if (attribute["type"] in simple_type_to_method.keys()): action = getattr(this_module, simple_type_to_method[attribute["type"]], None) if (action != None): property = action(attribute) object = Object(property) object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + property.__class__.__name__ + "-" + attribute["uuid"] observable = Observable(object) observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"] indicator.add_observable(observable)
def generateObservable(indicator, attribute): if (attribute["type"] in ("snort", "yara")): generateTM(indicator, attribute) else: observable = None if (attribute["type"] in simple_type_to_method.keys()): action = getattr(this_module, simple_type_to_method[attribute["type"]], None) if (action != None): property = action(attribute) object = Object(property) object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + property.__class__.__name__ + "-" + attribute[ "uuid"] observable = Observable(object) observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute[ "uuid"] indicator.add_observable(observable)
def generate_observable(self, indicator, attribute): attribute_type = attribute.type if attribute_type in ('snort', 'yara'): self.generate_TM(indicator, attribute) else: observable = None # if attribute_type in self.simple_type_to_method: try: observable_property = self.simple_type_to_method[attribute_type](indicator, attribute) except KeyError: return False if isinstance(observable_property, Observable): return indicator.add_observable(observable_property) observable_property.condition = "Equals" observable_object = Object(observable_property) observable_object.id_ = "{}:{}-{}".format(self.namespace_prefix, observable_property.__class__.__name__, attribute.uuid) observable = Observable(observable_object) observable.id_ = "{}:observable-{}".format(self.namespace_prefix, attribute.uuid) indicator.add_observable(observable)
def publish_indicator(self, indicator_data, user): indicator = DBIndicator( id_=indicator_data['id'], title=indicator_data.get('title'), description=indicator_data.get('description'), short_description=indicator_data.get('short_description'), ) indicator.add_indicator_type(indicator_data.get('indicatorType')) indicator.confidence = indicator_data.get('confidence', '') indicator.id_ns = indicator_data.get('id_ns', '') ident = EdgeIdentity(name=indicator_data.get('producer', '')) indicator.producer = EdgeInformationSource(identity=ident) indicator.handling = handling_from_draft('ind', indicator_data) if 'test_mechanisms' in indicator_data: for test_mechanism in indicator_data['test_mechanisms']: indicator.test_mechanisms.append( IndicatorBuilderPatch.test_mechanism_from_draft( test_mechanism)) api_objects = {} observable_composition = ObservableComposition( operator=indicator_data.get('composition_type')) # If this is an Update rather than a create, # we only need to copy the id and ns to the composition reedit_flag = 0 # New Observables via Build or Edit for data in indicator_data['observables']: observable_id = data.get('id') if observable_id is None: # No id for this observable, therefore it is new and must be created: object_type = data['objectType'] object_type_info = self.observable_object_generator.get_object_type_information( object_type) observable_object = self.observable_object_generator.generate_observable_object_from_data( object_type, data) object_container = Object(observable_object) object_container.id_ = self.generate_id( object_type_info['id_prefix']) # Create the observable, and store it in a collection so they can be saved to the database later on: observable_id = self.generate_id('observable') observable = Observable(title=data['title'], description=data.get( 'description', ''), item=object_container, id_=observable_id) observable.id_ns = indicator_data['id_ns'] api_objects[observable.id_] = ApiObject('obs', observable) elif reedit_flag == 0 and self._is_re_edit_mode(data): reedit_flag = 1 # Create a reference to the observable, and add it to the observable composition. # The observable composition will be added to the indicator. # Adding references to the composition saves duplication of data. observable_reference = Observable(idref=observable_id, idref_ns=indicator_data['id_ns']) observable_composition.add(observable_reference) # For some reason, the observable composition must be wrapped up in another observable. # So to clarify, at this point, we have an observable that contains an observable composition. This composition # contains a collection of references to the actual observables. # We only want a new ID for the observable composition (obs) if it is first-time Build # otherwise, get it from...?the database? if reedit_flag: user_action_log = logging.getLogger('user_actions') user_action_log.info( "%s updated STIX item %s (%s)" % (user.username, indicator.id_, indicator.title)) # EOIndicator = self.edge_object_loader.load(indicator.id_) # Get the parent indicator # find_ob_comp = lambda edges: [x.fetch() for x in edges if x.ty == 'obs'][0] # # Find the observable composition among it's edges and return only the first hit. # # The call to fetch() resolves the idref into an instance of the object itself # existing_obs_comp = find_ob_comp(EOIndicator.edges) # parent_observable = Observable(item=observable_composition, id_=existing_obs_comp.id_) # else: parent_observable = Observable(item=observable_composition, id_=self.generate_id('observable')) parent_observable.id_ns = indicator.id_ns parent_observable.timestamp = datetime.utcnow( ) # needed for versioning Observable Composition # ...and store this observable so we can actually write its contents to the database later... api_objects[parent_observable.id_] = ApiObject('obs', parent_observable) # Add a reference of the 'parent' observable to the indicator parent_observable_reference = Observable(idref=parent_observable.id_, idref_ns=indicator.id_ns) indicator.add_observable(parent_observable_reference) indicator_api_object = ApiObject('ind', indicator) # Process related items/correlations [ relate.correlateIndtoTtp(indicator_api_object, item['idref']) for item in indicator_data.get('indicated_ttps', []) ] [ relate.correlateIndtoInd(indicator_api_object, item['idref']) for item in indicator_data.get('related_indicators', []) ] [ relate.correlateIndtoCoa(indicator_api_object, item['idref']) for item in indicator_data.get('suggested_coas', []) ] # Store the indicator so we can write it to the database later api_objects[indicator_api_object.id_] = indicator_api_object # Finally lets add everything to our Mongo collection... tlp = (indicator_data.get('tlp') or 'NULL').upper() esms = lines2list(indicator_data.get('markings', "")) inbox_processor = InboxProcessorForBuilders( user=user, trustgroups=indicator_data.get('trustgroups', []), ) for api_obj in api_objects.itervalues(): inbox_processor.add( InboxItem(api_object=api_obj, etlp=tlp, esms=esms)) inbox_processor.run() self.delete_draft(user, indicator_data['id'])