def convert_process_extensions(process20, process1x, obs20_id):
    """Apply the windows-process-ext / windows-service-ext of a STIX 2.0 process.

    Args:
        process20: STIX 2.0 process dict; its "extensions" member is read.
        process1x: STIX 1.x process object receiving the converted properties.
        obs20_id: id of the enclosing STIX 2.0 object, used in warnings only.
    """
    exts = process20["extensions"]

    if "windows-process-ext" in exts:
        win_proc = exts["windows-process-ext"]
        convert_obj(win_proc, process1x, WINDOWS_PROCESS_EXTENSION_MAP, obs20_id)
        if "startup_info" in win_proc:
            process1x.startup_info = StartupInfo()
            convert_obj(win_proc["startup_info"], process1x.startup_info,
                        STARTUP_INFO_MAP)

    if "windows-service-ext" in exts:
        win_svc = exts["windows-service-ext"]
        convert_obj(win_svc, process1x, WINDOWS_SERVICE_EXTENSION_MAP, obs20_id)
        if "service_dll_refs" in win_svc:
            dll_refs = win_svc["service_dll_refs"]
            first_ref = dll_refs[0]
            if first_ref in _STIX1X_OBJS:
                file_object = _STIX1X_OBJS[first_ref]
                # membership test on the STIX 1.x file object, kept as written
                if "name" in file_object:
                    process1x.service_dll = file_object.file_name
            else:
                warn("%s is not an index found in %s", 306, first_ref, obs20_id)
            # STIX 1.x carries a single service DLL; the rest are reported and dropped
            for dll_ref in dll_refs[1:]:
                warn(
                    "%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                    401, obs20_id, "service_dll_refs", dll_ref)
        if "descriptions" in win_svc:
            process1x.description_list = ServiceDescriptionList()
            for text in win_svc["descriptions"]:
                process1x.description_list.append(text)
def convert_file_c_o(file2x, file1x, obs2x_id):
    """Populate a STIX 1.x File from a STIX 2.x file observable.

    Hashes are applied first, then the FILE_MAP properties, the parent
    directory, the STIX 2.0-only encryption properties and the extensions.

    Args:
        file2x: STIX 2.x file dict.
        file1x: STIX 1.x File object to fill in.
        obs2x_id: id of the enclosing STIX 2.x object, used in messages.

    Returns:
        file1x, after its properties were set.
    """
    if "hashes" in file2x:
        for hash_type, digest in sort_objects_into_processing_order(file2x["hashes"]):
            add_hashes_property(file1x, hash_type, digest)
    convert_obj(file2x, file1x, FILE_MAP, obs2x_id)

    if "parent_directory_ref" in file2x:
        dir_ref = file2x["parent_directory_ref"]
        if dir_ref in _STIX1X_OBJS:
            dir_path = str(_STIX1X_OBJS[dir_ref].full_path)
            separator = "\\" if is_windows_directory(dir_path) else "/"
            file1x.full_path = dir_path + separator + file2x["name"]
        else:
            warn("%s is not an index found in %s", 306, dir_ref, obs2x_id)

    # is_encrypted / encryption_algorithm / decryption_key are STIX 2.0-only
    if "is_encrypted" in file2x and get_option_value("version_of_stix2x") == "2.0":
        has_algorithm = "encryption_algorithm" in file2x
        has_key = "decryption_key" in file2x
        if file2x["is_encrypted"]:
            if has_algorithm:
                file1x.encryption_algorithm = file2x["encryption_algorithm"]
            else:
                info("is_encrypted in %s is true, but no encryption_algorithm is given", 309, obs2x_id)
            if has_key:
                file1x.decryption_key = file2x["decryption_key"]
            else:
                info("is_encrypted in %s is true, but no decryption_key is given", 311, obs2x_id)
        else:
            if has_algorithm:
                info("is_encrypted in %s is false, but encryption_algorithm is given", 310, obs2x_id)
            if has_key:
                info("is_encrypted in %s is false, but decryption_key is given", 312, obs2x_id)

    if "extensions" in file2x:
        convert_file_extensions(file2x, file1x, obs2x_id)
    # STIX 2.0 has contains_refs both on File and on the archive extension;
    # only the extension's copy is converted, the File-level one is reported
    if "contains_refs" in file2x:
        warn("contains_refs in %s not handled", 607, obs2x_id)
    return file1x
def convert_tool(tool20):
    """Convert a STIX 2.0 tool into a STIX 1.x TTP holding one ToolInformation.

    Args:
        tool20: STIX 2.0 tool dict; id and modified are required, name,
            description, tool_version, labels, kill_chain_phases,
            object_marking_refs and granular_markings are optional.

    Returns:
        The new TTP, already registered via record_id_object_mapping.
    """
    tool_id = tool20["id"]
    tool1x = ToolInformation()
    # plain renames between the two models
    for key20, attr1x in (("name", "title"),
                          ("description", "description"),
                          ("tool_version", "version")):
        if key20 in tool20:
            setattr(tool1x, attr1x, tool20[key20])
    if "labels" in tool20:
        warn(
            "labels not representable in a STIX 1.x ToolInformation.  Found in %s",
            502, tool_id)
        # bug in python_stix prevents using next line of code
        # tool1x.type_ = convert_open_vocabs_to_controlled_vocabs(tool20["labels"], TOOL_LABELS_MAP)
    ttp = TTP(id_=convert_id20(tool_id), timestamp=text_type(tool20["modified"]))
    if not ttp.resources:
        ttp.resources = Resource()
    if not ttp.resources.tools:
        ttp.resources.tools = Tools()
    ttp.resources.tools.append(tool1x)
    if "kill_chain_phases" in tool20:
        process_kill_chain_phases(tool20["kill_chain_phases"], ttp)
    for m_id in tool20.get("object_marking_refs", ()):
        ms = create_marking_specification(m_id)
        if ms:
            CONTAINER.add_marking(ttp, ms, descendants=True)
    if "granular_markings" in tool20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, tool_id)
    record_id_object_mapping(tool_id, ttp)
    return ttp
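def process_sighting(o):
    """Attach a STIX 2.0 sighting to the STIX 1.x indicator it refers to.

    Args:
        o: STIX 2.0 sighting dict; reads id, sighting_of_ref and the optional
            where_sighted_refs and observed_data_refs.

    Returns:
        None.  A sighting of something other than an indicator, or of an
        indicator that is not in the bundle, is reported with warn() and skipped.
    """
    sighted_ref = o["sighting_of_ref"]
    if not indicator_ref(sighted_ref):
        # the original read o["sighings_of_ref"] here (typo) and raised KeyError
        warn(
            "Unable to convert STIX 2.0 sighting %s because it doesn't refer to an indicator",
            508, o["id"])
        return
    # .get(): an indicator outside the bundle is a warning, not a KeyError
    indicator_of_sighting = _ID_OBJECT_MAPPING.get(sighted_ref)
    if not indicator_of_sighting:
        warn("%s is not in this bundle.  Referenced from %s", 308,
             sighted_ref, o["id"])
        return
    if not indicator_of_sighting.sightings:
        indicator_of_sighting.sightings = Sightings()
    if "where_sighted_refs" not in o:
        return
    for ref in o["where_sighted_refs"]:
        s = Sighting()
        indicator_of_sighting.sightings.append(s)
        if ref in _IDENTITIES:
            s.information_source = create_information_source(_IDENTITIES[ref])
        if "observed_data_refs" in o:
            # referenced by idref regardless of whether the observed-data is in the bundle
            s.related_observables = RelatedObservables()
            for od_ref in o["observed_data_refs"]:
                ro = RelatedObservable()
                s.related_observables.append(ro)
                ro.item = Observable(idref=convert_id20(od_ref))
                # TODO: first_seen
                # TODO: last_seen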
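def convert_coa(coa20):
    """Convert a STIX 2.0 course-of-action into a STIX 1.x CourseOfAction.

    Args:
        coa20: STIX 2.0 course-of-action dict; id and modified are required,
            name, description, labels, object_marking_refs and
            granular_markings are optional.

    Returns:
        The new CourseOfAction, already registered via record_id_object_mapping.
    """
    coa_id = coa20["id"]
    coa1x = CourseOfAction(id_=convert_id20(coa_id),
                           timestamp=text_type(coa20["modified"]))
    if "name" in coa20:
        coa1x.title = coa20["name"]
    if "description" in coa20:
        coa1x.add_description(coa20["description"])
    if "labels" in coa20:
        coa_types = convert_open_vocabs_to_controlled_vocabs(
            coa20["labels"], COA_LABEL_MAP)
        # an empty labels list used to raise IndexError on coa_types[0]
        if coa_types:
            coa1x.type_ = coa_types[0]
        # STIX 1.x holds one type; the message has three placeholders and the
        # object id was missing from the arguments before
        for extra in coa_types[1:]:
            warn(
                "%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                401, coa_id, "labels", extra)
    for m_id in coa20.get("object_marking_refs", ()):
        ms = create_marking_specification(m_id)
        if ms:
            CONTAINER.add_marking(coa1x, ms, descendants=True)
    if "granular_markings" in coa20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, coa_id)
    record_id_object_mapping(coa_id, coa1x)
    return coa1x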
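def convert_identity(ident20):
    """Convert a STIX 2.0 identity into a STIX 1.x identity.

    Only id and name present: a plain Identity.  Any of sectors,
    contact_information, labels, identity_class or description present: a
    CIQIdentity3_0Instance, where the properties without a CIQ field are put
    into free_text_lines.

    Args:
        ident20: STIX 2.0 identity dict; id and name are required.

    Returns:
        The Identity or CIQIdentity3_0Instance, with object markings applied.
    """
    ident_id = ident20["id"]
    # read once with .get(): the checks below treat identity_class as optional,
    # so a missing property must take the non-organization paths, not raise KeyError
    identity_class = ident20.get("identity_class")
    needs_specification = ("sectors" in ident20 or "contact_information" in ident20
                           or "identity_class" in ident20 or "description" in ident20)
    if needs_specification or "labels" in ident20:
        ident1x = CIQIdentity3_0Instance()
        ident1x.id_ = convert_id20(ident_id)
        if identity_class != "organization":
            ident1x.name = ident20["name"]
        if "labels" in ident20:
            ident1x.roles = ident20["labels"]
        if needs_specification:
            ident1x.specification = STIXCIQIdentity3_0()
            if identity_class == "organization":
                # an organization's name goes into the CIQ party name instead
                party_name = PartyName()
                party_name.add_organisation_name(text_type(ident20["name"]))
                ident1x.specification.party_name = party_name
            if "sectors" in ident20:
                sectors = ident20["sectors"]
                if sectors:
                    ident1x.specification.organisation_info = OrganisationInfo(
                        text_type(convert_open_vocabs_to_controlled_vocabs(sectors[0], SECTORS_MAP, False)[0]))
                # STIX 1.x holds a single sector; the rest are reported and dropped
                for extra in sectors[1:]:
                    warn(
                        "%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                        401, "Identity", "sectors", extra)
            # Identity in 1.x has no description property, use free-text-lines.
            # contact_information has no format defined in the specification, so
            # it cannot be mapped onto CIQ fields and goes there as well.
            for name in ("identity_class", "contact_information", "description"):
                if name in ident20:
                    add_missing_property_to_free_text_lines(
                        ident1x.specification, name, ident20[name])
    else:
        ident1x = Identity(id_=convert_id20(ident_id), name=ident20["name"])
    for m_id in ident20.get("object_marking_refs", ()):
        ms = create_marking_specification(m_id)
        if ms:
            CONTAINER.add_marking(ident1x, ms, descendants=True)
    if "granular_markings" in ident20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, ident_id)
    return ident1x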
def convert_image_file_extension(image_ext, file1x, obs20_id):
    """Apply a STIX 2.0 raster-image extension to a STIX 1.x ImageFile.

    Args:
        image_ext: the extension dict.
        file1x: STIX 1.x ImageFile receiving the mapped properties.
        obs20_id: id of the enclosing STIX 2.0 object, used in the warning.
    """
    convert_obj(image_ext, file1x, IMAGE_FILE_EXTENSION_MAP, obs20_id)
    if "exif_tags" not in image_ext:
        return
    exif_tags = image_ext["exif_tags"]
    if "Compression" not in exif_tags:
        warn("%s not representable in a STIX 1.x %s.  Found in %s", 503,
             "exif_tags", "ImageFile", obs20_id)
        return
    # only the Compression tag has a 1.x counterpart; a value of 1 is treated as uncompressed
    file1x.image_is_compressed = exif_tags["Compression"] != 1
def convert_domain_name_c_o(dn20, dn1x, obs20_id):
    """Populate a STIX 1.x DomainName from a STIX 2.0 domain-name observable.

    Args:
        dn20: STIX 2.0 domain-name dict; value is required.
        dn1x: STIX 1.x DomainName to fill in; its type is always set to "FQDN".
        obs20_id: id of the enclosing STIX 2.0 object, used in the warning.
    """
    dn1x.value = dn20["value"]
    dn1x.type_ = "FQDN"
    for ref in dn20.get("resolves_to_refs", ()):
        if ref not in _STIX1X_OBJS:
            warn("%s is not an index found in %s", 306, ref, obs20_id)
            continue
        dn1x.add_related(_STIX1X_OBJS[ref], "Resolved_To", inline=True)
def convert_archive_file_extension(archive_ext, file1x, obs20_id):
    """Apply a STIX 2.0 archive extension to a STIX 1.x ArchiveFile.

    Args:
        archive_ext: the extension dict; contains_refs is read unconditionally.
        file1x: STIX 1.x ArchiveFile receiving version, comment and archived_file.
        obs20_id: id of the enclosing STIX 2.0 object, used in the warning.
    """
    for key in ("version", "comment"):
        if key in archive_ext:
            setattr(file1x, key, archive_ext[key])
    for ref in archive_ext["contains_refs"]:
        if ref not in _STIX1X_OBJS:
            warn("%s is not an index found in %s", 306, ref, obs20_id)
            continue
        file1x.archived_file.append(_STIX1X_OBJS[ref])
def convert_pe_type(pe_type20, obs20_id):
    """Map a STIX 2.0 pe_type value onto the STIX 1.x PE type string.

    "exe" and "dll" have direct equivalents; "sys" and any other value are
    reported with warn() and yield "Invalid".

    Args:
        pe_type20: the STIX 2.0 pe_type value.
        obs20_id: id of the enclosing STIX 2.0 object, used in the warnings.

    Returns:
        "Executable", "Dll" or "Invalid".
    """
    direct = {"exe": "Executable", "dll": "Dll"}
    if pe_type20 in direct:
        return direct[pe_type20]
    if pe_type20 == "sys":
        warn("pe_type SYS in %s is valid in STIX 2.0, but not in STIX 1.x", 511, obs20_id)
    else:
        warn("pe_type %s in %s is allowed in STIX 2.0, but not in STIX 1.x", 512, pe_type20, obs20_id)
    return "Invalid"
def convert_network_traffic_to_network_socket(socket_ext, nc, obs20_id):
    """Build a STIX 1.x NetworkSocket from a socket-ext and relate it to a connection.

    Args:
        socket_ext: STIX 2.0 socket-ext dict.
        nc: STIX 1.x NetworkConnection the socket is added to as Related_Socket.
        obs20_id: id of the enclosing STIX 2.0 object, used in the warning.
    """
    socket1x = NetworkSocket()
    convert_obj(socket_ext, socket1x, SOCKET_MAP, obs20_id)
    if "options" in socket_ext:
        socket1x.options = SocketOptions()
        convert_obj(socket_ext["options"], socket1x.options, SOCKET_OPTIONS_MAP,
                    obs20_id)
    if "socket_handle" in socket_ext:
        warn("%s not representable in a STIX 1.x %s.  Found in %s", 503,
             "socket_handle", "NetworkSocket", obs20_id)
    nc.add_related(socket1x, VocabString("Related_Socket"), inline=True)
def convert_image_file_extension(image_ext, file1x, obs2x_id):
    """Apply a STIX 2.x raster-image extension to a STIX 1.x ImageFile.

    The property map depends on the configured STIX 2.x version.

    Args:
        image_ext: the extension dict.
        file1x: STIX 1.x ImageFile receiving the mapped properties.
        obs2x_id: id of the enclosing STIX 2.x object, used in the warning.
    """
    if get_option_value("version_of_stix2x") == "2.0":
        ext_map = IMAGE_FILE_EXTENSION_MAP_2_0
    else:
        ext_map = IMAGE_FILE_EXTENSION_MAP_2_1
    convert_obj(image_ext, file1x, ext_map, obs2x_id)
    if "exif_tags" not in image_ext:
        return
    exif_tags = image_ext["exif_tags"]
    if "Compression" not in exif_tags:
        warn("%s not representable in a STIX 1.x %s.  Found in %s", 503,
             "exif_tags",
             "ImageFile",
             obs2x_id)
        return
    # only the Compression tag has a 1.x counterpart; a value of 1 is treated as uncompressed
    file1x.image_is_compressed = exif_tags["Compression"] != 1
def set_ta_identity(source, target_ref, target_obj_idref_1x):
    """Attach the identity behind target_ref to a STIX 1.x threat actor.

    STIX 1.x holds one identity: a second attributed-to relationship is
    reported and the markings on its identity are removed so serialization
    does not fail.

    Args:
        source: STIX 1.x threat actor.
        target_ref: STIX 2.0 id of the identity.
        target_obj_idref_1x: STIX 1.x idref object for the target, passed
            through to handle_identity.
    """
    target, identity1x_tuple = handle_identity(target_ref, target_obj_idref_1x)
    if not source.identity:
        source.identity = target
        identity1x_tuple[1] = True
        return
    warn(
        "Threat Actor in STIX 2.0 has multiple attributed-to relationships, only one is allowed in STIX 1.x. Using first in list - %s omitted",
        401, target_ref)
    # Remove marking to CIQ identity if any.
    # If not removed, stixmarx will cause an exception upon serialization
    for mark_spec in CONTAINER.get_markings(target):
        CONTAINER.remove_marking(target, mark_spec, True)
def convert_windows_registry_key_c_o(wrk2x, wrk1x, obs2x_id):
    """Populate a STIX 1.x registry key from a STIX 2.x windows-registry-key.

    Args:
        wrk2x: STIX 2.x registry key dict.
        wrk1x: STIX 1.x registry key object to fill in.
        obs2x_id: id of the enclosing STIX 2.x object, used in messages.
    """
    convert_obj(wrk2x, wrk1x, REGISTRY_KEY_MAP, obs2x_id)
    if "values" in wrk2x:
        converted = [convert_window_registry_value(v, obs2x_id) for v in wrk2x["values"]]
        wrk1x.values = RegistryValues()
        wrk1x.values.value = converted
    if "creator_user_ref" in wrk2x:
        user_ref = wrk2x["creator_user_ref"]
        if user_ref not in _STIX1X_OBJS:
            warn("%s is not an index found in %s", 306, user_ref, obs2x_id)
        else:
            wrk1x.creator_username = _STIX1X_OBJS[user_ref].username
def add_hashes_property(obj, hash_type, value):
    """Store one STIX 2.x hash on the matching STIX 1.x hash attribute.

    Args:
        obj: STIX 1.x object with md5/sha1/sha224/sha256/sha384/sha512 attributes
            and an id_ (used in the warning).
        hash_type: STIX 2.x hash algorithm name, e.g. "MD5" or "SHA-256".
        value: the hash value, stored as given.
    """
    attr_for_type = {
        "MD5": "md5",
        "SHA-1": "sha1",
        "SHA-224": "sha224",
        "SHA-256": "sha256",
        "SHA-384": "sha384",
        "SHA-512": "sha512",
    }
    attr = attr_for_type.get(hash_type)
    if attr is None:
        warn("Unknown hash type %s used in %s", 302, hash_type, obj.id_)
        return
    setattr(obj, attr, value)
def convert_unix_account_extensions(ua20, ua1x, obs20_id):
    """Apply the unix-account-ext of a STIX 2.0 user-account to a STIX 1.x account.

    Args:
        ua20: STIX 2.0 user-account dict; when "extensions" is present the
            unix-account-ext member is read without further checks.
        ua1x: STIX 1.x account object receiving user_id, group_id and home_directory.
        obs20_id: id of the enclosing STIX 2.0 object, used in the warning.
    """
    if "extensions" not in ua20:
        return
    # must be unix-account-ext
    if "user_id" in ua20:
        # int() raises ValueError for a non-numeric user_id
        ua1x.user_id = int(ua20["user_id"])
    unix_ext = ua20["extensions"]["unix-account-ext"]
    if "gid" in unix_ext:
        ua1x.group_id = unix_ext["gid"]
    # the 1.x property wants integers, so the string list is not carried over;
    # one warning per entry
    for _group in unix_ext.get("groups", ()):
        warn(
            "The 'groups' property of unix-account-ext contains strings, but the STIX 1.x property expects integers in %s",
            515, obs20_id)
    if "home_dir" in unix_ext:
        ua1x.home_directory = unix_ext["home_dir"]
def convert_software_c_o(soft20, prod1x, obs20_id):
    """Populate a STIX 1.x Product from a STIX 2.0 software observable.

    Args:
        soft20: STIX 2.0 software dict; name is required.
        prod1x: STIX 1.x Product receiving product, language, vendor and version.
        obs20_id: id of the enclosing STIX 2.0 object, used in the warning.
    """
    prod1x.product = soft20["name"]
    # TODO: cpe
    if "languages" in soft20:
        languages = soft20["languages"]
        prod1x.language = languages[0]
        # STIX 1.x holds a single language; the rest are reported and dropped
        for extra in languages[1:]:
            warn(
                "%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                401, obs20_id, "languages", extra)

    for key in ("vendor", "version"):
        if key in soft20:
            setattr(prod1x, key, soft20[key])
def convert_software_c_o(soft2x, prod1x, obs2x_id):
    """Populate a STIX 1.x Product from a STIX 2.x software observable.

    Args:
        soft2x: STIX 2.x software dict; name is required.
        prod1x: STIX 1.x Product receiving product, language, vendor and version.
        obs2x_id: id of the enclosing STIX 2.x object, used in the warnings.
    """
    prod1x.product = soft2x["name"]
    if "cpe" in soft2x:
        warn("cpe not representable in a STIX 1.x Product.  Found in %s", 503, obs2x_id)
    if "languages" in soft2x:
        languages = soft2x["languages"]
        prod1x.language = languages[0]
        # STIX 1.x holds a single language; the rest are reported and dropped
        for extra in languages[1:]:
            warn("%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                 401, obs2x_id, "languages", extra)

    for key in ("vendor", "version"):
        if key in soft2x:
            setattr(prod1x, key, soft2x[key])
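def convert_network_traffic_to_http_session(http_request_ext, nc, obs20_id):
    """Build a STIX 1.x HTTPSession from an http-request-ext on a NetworkConnection.

    Args:
        http_request_ext: the extension dict; request_method and request_value
            are required, request_version, request_header, message_body_length
            and message_body_data_ref are optional.
        nc: STIX 1.x NetworkConnection whose layer7_connections is replaced.
        obs20_id: id of the enclosing STIX 2.0 object, used in the warning.
    """
    session = HTTPSession()
    nc.layer7_connections = Layer7Connections()
    nc.layer7_connections.http_session = session
    rr = HTTPRequestResponse()
    session.http_request_response.append(rr)
    rr.http_client_request = HTTPClientRequest()

    request_line = HTTPRequestLine()
    request_line.http_method = http_request_ext["request_method"]
    request_line.value = http_request_ext["request_value"]
    if "request_version" in http_request_ext:
        request_line.version = http_request_ext["request_version"]
    rr.http_client_request.http_request_line = request_line

    if "request_header" in http_request_ext:
        header20 = http_request_ext["request_header"]
        rr.http_client_request.http_request_header = HTTPRequestHeader()
        rr.http_client_request.http_request_header.parsed_header = HTTPRequestHeaderFields()
        parsed = rr.http_client_request.http_request_header.parsed_header
        convert_obj(header20, parsed, HTTP_REQUEST_HEADERS_MAP, obs20_id)
        # headers with a typed STIX 1.x representation are wrapped explicitly
        if "Host" in header20:
            parsed.host = add_host(header20["Host"])
        if "From" in header20:
            parsed.from_ = EmailAddress(header20["From"])
        if "Referer" in header20:
            parsed.referer = URI(header20["Referer"])
        if "X_Wap_Profile" in header20:
            parsed.x_wap_profile = URI(header20["X_Wap_Profile"])

    has_length = "message_body_length" in http_request_ext
    has_data_ref = "message_body_data_ref" in http_request_ext
    if has_length or has_data_ref:
        body = HTTPMessage()
        if has_length:
            body.length = http_request_ext["message_body_length"]
        if has_data_ref:
            # resolve the artifact by message_body_data_ref; the original used
            # message_body_length as the lookup key, so the body was never found
            # (and raised KeyError when only the ref was present)
            data_ref = http_request_ext["message_body_data_ref"]
            if data_ref in _STIX1X_OBJS:
                body.message_body = _STIX1X_OBJS[data_ref].packed_data
            else:
                warn("%s is not an index found in %s", 306, data_ref, obs20_id)
        rr.http_client_request.http_message_body = body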
def convert_addr_c_o(addr2x, addr1x, obs2x_id):
    """Populate a STIX 1.x Address from a STIX 2.x ipv4-addr / ipv6-addr / mac-addr.

    Args:
        addr2x: STIX 2.x address dict; value and type are required.
        addr1x: STIX 1.x Address to fill in.
        obs2x_id: id of the enclosing STIX 2.x object, used in the warnings.
    """
    # CIDR values are not treated in any different way
    addr1x.address_value = addr2x["value"]
    categories = {
        'ipv4-addr': Address.CAT_IPV4,
        'ipv6-addr': Address.CAT_IPV6,
        'mac-addr': Address.CAT_MAC,
    }
    addr_type = addr2x["type"]
    if addr_type in categories:
        addr1x.category = categories[addr_type]
    for ref in addr2x.get("resolves_to_refs", ()):
        if ref not in _STIX1X_OBJS:
            warn("%s is not an index found in %s", 306, ref, obs2x_id)
            continue
        addr1x.add_related(_STIX1X_OBJS[ref], "Resolved_To", inline=True)
    if "belongs_to_refs" in addr2x:
        warn("%s property in %s not handled yet", 606, "belongs_to_refs", obs2x_id)
def convert_network_traffic_c_o(obj20, obj1x, obs20_id):
    """Populate a STIX 1.x NetworkConnection from a STIX 2.0 network-traffic.

    Args:
        obj20: STIX 2.0 network-traffic dict.
        obj1x: STIX 1.x NetworkConnection to fill in.
        obs20_id: id of the enclosing STIX 2.0 object, used in messages.
    """
    obj1x.source_socket_address = convert_address_ref(obj20, "src")
    obj1x.destination_socket_address = convert_address_ref(obj20, "dst")
    if "extensions" in obj20:
        extensions = obj20["extensions"]
        # only the first matching extension is converted, in this order
        handlers = (("socket-ext", convert_network_traffic_to_network_socket),
                    ("icmp-ext", convert_network_traffic_to_network_icmp_packet),
                    ("http-request-ext", convert_network_traffic_to_http_session))
        for ext_name, handler in handlers:
            if ext_name in extensions:
                handler(extensions[ext_name], obj1x, obs20_id)
                break
        else:
            if "tcp-ext" in extensions:
                warn("tcp-ext in %s not handled, yet", 609, obs20_id)
    if "protocols" in obj20:
        warn("%s property in %s not handled, yet", 608, "protocols", obs20_id)
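def populate_received_line(rl2x, rl1x, obs2x_id):
    """Store a STIX 2.x email received line on the matching STIX 1.x ReceivedLine field.

    The field is chosen by the line's prefix (from, by, via, with, for, id,
    timestamp); a line with any other prefix is reported and dropped.

    Args:
        rl2x: the received line as a string.
        rl1x: STIX 1.x ReceivedLine object to populate.
        obs2x_id: id of the enclosing STIX 2.x object, used in the warning.
    """
    # do we need to consider case?
    # can't there be multiple lines with the same prefix??
    prefix_to_attr = (
        ("from", "from_"),
        ("by", "by"),
        ("via", "via"),
        ("with", "with_"),
        ("for", "for_"),
        ("id", "id_"),
        ("timestamp", "timestamp"),
    )
    for prefix, attr in prefix_to_attr:
        if rl2x.startswith(prefix):
            setattr(rl1x, attr, rl2x)
            return
    # obs2x_id used to sit outside the closing parenthesis of the call, so the
    # message's second placeholder never received an argument
    warn("Received Line %s in %s has a prefix that is not representable in STIX 1.x", 507, rl2x, obs2x_id)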
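def convert_addr_c_o(addr20, addr1x, obs20_id):
    """Populate a STIX 1.x Address from a STIX 2.0 ipv4-addr / ipv6-addr / mac-addr.

    Args:
        addr20: STIX 2.0 address dict; value and type are required.
        addr1x: STIX 1.x Address to fill in.
        obs20_id: id of the enclosing STIX 2.0 object, used in the warnings.
    """
    # TODO: does the slider need to handle CIDR values?
    addr1x.address_value = addr20["value"]
    categories = {
        'ipv4-addr': Address.CAT_IPV4,
        'ipv6-addr': Address.CAT_IPV6,
        'mac-addr': Address.CAT_MAC,
    }
    addr_type = addr20["type"]
    if addr_type in categories:
        addr1x.category = categories[addr_type]
    for ref in addr20.get("resolves_to_refs", ()):
        if ref in _STIX1X_OBJS:
            addr1x.add_related(_STIX1X_OBJS[ref], "Resolved_To", inline=True)
        else:
            # message text corrected ("ia" -> "is") to match the other 306 warnings
            warn("%s is not an index found in %s", 306, ref, obs20_id)
    if "belongs_to_refs" in addr20:
        warn("%s property in %s not handled yet", 606, "belongs_to_refs",
             obs20_id)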
def process_relationships(rel):
    """Add a STIX 2.0 relationship to the STIX 1.x source object.

    The adder is looked up by (source type, target type, relationship type).
    The target is passed as an idref object: built from the bundle object when
    it is present, from the converted 2.0 id otherwise.

    Args:
        rel: STIX 2.0 relationship dict; reads id, source_ref, target_ref and
            relationship_type.

    Returns:
        None.  A missing source or an unsupported relationship is reported
        with warn() and skipped.
    """
    source_ref = rel["source_ref"]
    target_ref = rel["target_ref"]
    if source_ref not in _ID_OBJECT_MAPPING:
        warn("No source object exists for %s to add the relationship %s", 301,
             source_ref, rel["id"])
        return
    source_obj = _ID_OBJECT_MAPPING[source_ref]
    target_obj = _ID_OBJECT_MAPPING[target_ref] if target_ref in _ID_OBJECT_MAPPING else None

    source_type = get_type_from_id(source_ref)
    target_type = get_type_from_id(target_ref)
    rel_type = rel["relationship_type"]
    adder = get_relationship_adder(source_type, target_type, rel_type)
    if not adder:
        warn(
            "The '%s' relationship of %s between %s and %s is not supported in STIX 1.x",
            501, rel_type, rel["id"], source_type, target_type)
        return
    method = adder["method"]
    if not method:
        # handled elsewhere
        return

    source_class = adder["stix1x_source_type"]
    target_class = adder["stix1x_target_type"]
    if adder["reverse"] and target_obj:
        # reversed adder: the source is hung off the target as an idref
        method(target_obj, source_class(idref=source_obj.id_))
        return
    if target_obj:
        target_idref = target_class(idref=target_obj.id_)
    else:
        target_idref = target_class(idref=convert_id20(target_ref))
    # type_of_source == type_of_target implies its a self-referencing related-to relationship;
    # those adders, and the Identity / ExploitTarget ones, also take the 2.0 target id
    if target_class in (Identity, ExploitTarget) or source_type == target_type:
        method(source_obj, target_ref, target_idref)
    else:
        method(source_obj, target_idref)
def convert_address_ref(obj2x, direction, obs2x_id):
    """Build a STIX 1.x SocketAddress from the <direction>_ref / <direction>_port pair.

    Args:
        obj2x: STIX 2.x network-traffic dict.
        direction: "src" or "dst"; selects the property names.
        obs2x_id: id of the enclosing STIX 2.x object, used in the warning.

    Returns:
        A SocketAddress when the ref resolves or a port is given; None when
        neither property is present or only an unresolved ref is.
    """
    ref_key = direction + "_ref"
    port_key = direction + "_port"
    socket_addr = None
    if ref_key in obj2x:
        ref = obj2x[ref_key]
        if ref not in _STIX1X_OBJS:
            warn("%s is not an index found in %s", 306, ref, obs2x_id)
        else:
            socket_addr = SocketAddress()
            referenced = _STIX1X_OBJS[ref]
            if isinstance(referenced, Address):
                socket_addr.ip_address = referenced
            elif isinstance(referenced, DomainName):
                socket_addr.hostname = Hostname()
                socket_addr.hostname.hostname_value = referenced.value
    if port_key in obj2x:
        socket_addr = socket_addr or SocketAddress()
        socket_addr.port = Port()
        socket_addr.port.port_value = obj2x[port_key]
    return socket_addr
def convert_network_traffic_c_o(obj20, obj1x, obs20_id):
    """Populate a STIX 1.x NetworkConnection from a STIX 2.0 network-traffic.

    Args:
        obj20: STIX 2.0 network-traffic dict.
        obj1x: STIX 1.x NetworkConnection to fill in.
        obs20_id: id of the enclosing STIX 2.0 object, used in messages.
    """
    obj1x.source_socket_address = convert_address_ref(obj20, "src", obs20_id)
    obj1x.destination_socket_address = convert_address_ref(obj20, "dst", obs20_id)
    if "extensions" in obj20:
        extensions = obj20["extensions"]
        # only the first matching extension is converted, in this order
        handlers = (("socket-ext", convert_network_traffic_to_network_socket),
                    ("icmp-ext", convert_network_traffic_to_network_icmp_packet),
                    ("http-request-ext", convert_network_traffic_to_http_session))
        for ext_name, handler in handlers:
            if ext_name in extensions:
                handler(extensions[ext_name], obj1x, obs20_id)
                break
        else:
            if "tcp-ext" in extensions:
                warn("tcp-ext in %s not handled, yet", 609, obs20_id)
    if "protocols" in obj20:
        warn("%s property in %s not handled, yet", 608, "protocols", obs20_id)
    # how is is_active related to tcp_state?
    unrepresentable = ("start", "end", "src_byte_count", "dst_byte_count",
                       "src_packets", "dst_packets", "ipfix", "src_payload_ref",
                       "dst_payload_ref", "encapsulates_refs",
                       "encapsulated_by_ref")
    for name in unrepresentable:
        if name in obj20:
            warn("%s not representable in a STIX 1.x %s.  Found in %s", 503,
                 name, "NetworkConnection", obs20_id)
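def create_references(obj):
    """Copy the url of each external reference onto the STIX 1.x object's InformationSource.

    capec and cve references are handled elsewhere and skipped here; any
    other reference without a url is reported.  Identities have nowhere to
    hold references and are skipped with a warning.

    Args:
        obj: STIX 2.0 object dict with id and external_references.
    """
    obj_id = obj["id"]
    if identity_ref(obj_id):
        warn("Identity has no property to store external-references from %s",
             510, obj_id)
        return
    info_source = None
    for er in obj["external_references"]:
        source_name = er["source_name"]
        if source_name == 'capec' or source_name == 'cve':
            continue
        if "url" not in er:
            warn(
                "Source name %s in external references of %s not handled, yet",
                605, source_name, obj_id)
            continue
        # TODO: description, hashes, external_id
        if not info_source:
            if obj_id not in _ID_OBJECT_MAPPING:
                warn("No object %s is found to add the reference to", 307, obj_id)
                # nothing to attach to; the original fell through and called
                # add_reference on None
                return
            ob1x = _ID_OBJECT_MAPPING[obj_id]
            if ob1x.information_source:
                info_source = ob1x.information_source
            elif obj_id in _INFORMATION_SOURCES:
                info_source = _INFORMATION_SOURCES[obj_id]
                ob1x.information_source = info_source
            else:
                info_source = InformationSource(references=References())
                _INFORMATION_SOURCES[obj_id] = info_source
                ob1x.information_source = info_source
        info_source.add_reference(er["url"])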
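def convert_file_c_o(file20, file1x, obs20_id):
    """Populate a STIX 1.x File from a STIX 2.0 file observable.

    Args:
        file20: STIX 2.0 file dict.
        file1x: STIX 1.x File object to fill in.
        obs20_id: id of the enclosing STIX 2.0 object, used in messages.
    """
    if "hashes" in file20:
        for hash_type, digest in sort_objects_into_processing_order(file20["hashes"]):
            add_hashes_property(file1x, hash_type, digest)
    convert_obj(file20, file1x, FILE_MAP, obs20_id)

    if "parent_directory_ref" in file20:
        dir_ref = file20["parent_directory_ref"]
        if dir_ref in _STIX1X_OBJS:
            directory_object = _STIX1X_OBJS[dir_ref]
            # TODO separator?
            file1x.full_path = str(directory_object.full_path) + "/" + file20["name"]
        else:
            # a dangling reference was silently ignored before; report it like
            # every other unresolved index
            warn("%s is not an index found in %s", 306, dir_ref, obs20_id)

    if "is_encrypted" in file20:
        has_algorithm = "encryption_algorithm" in file20
        has_key = "decryption_key" in file20
        if file20["is_encrypted"]:
            if has_algorithm:
                file1x.encryption_algorithm = file20["encryption_algorithm"]
            else:
                info(
                    "is_encrypted in %s is true, but no encryption_algorithm is given",
                    309, obs20_id)
            if has_key:
                file1x.decryption_key = file20["decryption_key"]
            else:
                info(
                    "is_encrypted in %s is true, but no decryption_key is given",
                    311, obs20_id)
        else:
            if has_algorithm:
                info(
                    "is_encrypted in %s is false, but encryption_algorithm is given",
                    310, obs20_id)
            if has_key:
                info(
                    "is_encrypted in %s is false, but decryption_key is given",
                    312, obs20_id)

    if "extensions" in file20:
        convert_file_extensions(file20, file1x, obs20_id)
    # in STIX 2.0, there are two contains_ref properties, one in the basic File object, and one on the Archive File extension
    # the slider does not handle the one in the basic File object
    if "contains_refs" in file20:
        warn("contains_refs in %s not handled", 607, obs20_id)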
def convert_pdf_file_extension(pdf_ext, file1x, obs20_id):
    """Apply a STIX 2.0 pdf extension to a STIX 1.x PDFFile.

    Args:
        pdf_ext: the extension dict.
        file1x: STIX 1.x PDFFile receiving version, metadata and trailers.
        obs20_id: id of the enclosing STIX 2.0 object, used in the warning.
    """
    if "version" in pdf_ext:
        file1x.version = pdf_ext["version"]

    has_optimized = "is_optimized" in pdf_ext
    has_doc_info = "document_info_dict" in pdf_ext
    if has_optimized or has_doc_info:
        file1x.metadata = PDFFileMetadata()
        if has_optimized:
            file1x.metadata.optimized = pdf_ext["is_optimized"]
        if has_doc_info:
            file1x.metadata.document_information_dictionary = PDFDocumentInformationDictionary()
            convert_obj(pdf_ext["document_info_dict"],
                        file1x.metadata.document_information_dictionary,
                        PDF_DOCUMENT_INFORMATION_DICT_MAP, obs20_id)

    # both ids land in one trailer's id_string, pdfid0 first when present
    pdfids = [pdf_ext[key] for key in ("pdfid0", "pdfid1") if key in pdf_ext]
    if pdfids:
        warn("Order may not be maintained for pdfids in %s", 514, obs20_id)
        file1x.trailers = PDFTrailerList()
        trailer = PDFTrailer()
        file1x.trailers.trailer.append(trailer)
        trailer.id_ = PDFFileID()
        for pdfid in pdfids:
            trailer.id_.id_string.append(pdfid)
def create_references(obj):
    """Turn the external references of a STIX 2.x object into STIX 1.x references.

    identity objects have nowhere to hold them and are reported; vulnerability
    objects go through create_references_for_vulnerability.  capec/cve
    references are handled elsewhere, except that their url is still added to
    the information source.  For every other source the url and/or external_id
    become "SOURCE: ..." texts, added as descriptions on an Indicator and as
    information-source references otherwise.

    Args:
        obj: STIX 2.x object dict with id and external_references.
    """
    obj_id = obj["id"]
    if id_of_type(obj_id, "identity"):
        warn("Identity has no property to store external-references from %s",
             510, obj_id)
        return
    if id_of_type(obj_id, "vulnerability"):
        create_references_for_vulnerability(obj)
        return
    if obj_id not in _ID_OBJECT_MAPPING:
        warn("No object %s is found to add the reference to", 307, obj_id)
        return
    ob1x = _ID_OBJECT_MAPPING[obj_id]

    for er in obj["external_references"]:
        source_name = er["source_name"]
        # capec and cve handled elsewhere
        handled_elsewhere = source_name == 'capec' or source_name == 'cve'
        has_url = "url" in er
        if not handled_elsewhere and (has_url or "external_id" in er):
            ref_texts = []
            if has_url:
                ref_texts.append("SOURCE: " + source_name + " - " + er["url"])
            if "external_id" in er:
                ref_texts.append("SOURCE: " + source_name + " - " +
                                 "EXTERNAL ID: " + er["external_id"])
            if "hashes" in er:
                warn("hashes not representable in a STIX 1.x %s.  Found in %s",
                     503, "InformationSource", obj_id)
            if "description" in er:
                ob1x.add_description(er["description"])
            if ref_texts:
                if isinstance(ob1x, Indicator):
                    for text in ref_texts:
                        ob1x.add_description(text)
                else:
                    info_source = get_info_source(ob1x, obj)
                    for text in ref_texts:
                        info_source.add_reference(text)
        elif not handled_elsewhere:
            warn(
                "Source name %s in external references of %s not handled, yet",
                605, source_name, obj_id)
        if handled_elsewhere and has_url:
            info_source = get_info_source(ob1x, obj)
            info_source.add_reference("SOURCE: " + source_name + " - " + er["url"])