Ejemplo n.º 1
0
def process_indicator(indicator,
                      observables,
                      observable_composition,
                      top_level=True,
                      embed_observables=False):
    if test_compatible_indicator(indicator):
        #Dictionary for keeping track of indicatoritems without IDs
        indicatoritem_dict = {}
        current_composition = None
        if not top_level:
            observable = cybox_binding.ObservableType(
                id='openioc:indicator-' + normalize_id(indicator.get_id()))
            nested_observable_composition = cybox_binding.ObservableCompositionType(
                operator=indicator.get_operator())
            observable.set_Observable_Composition(
                nested_observable_composition)
            observable_composition.add_Observable(observable)
            current_composition = nested_observable_composition
        elif top_level:
            current_composition = observable_composition

        for indicator_item in indicator.get_IndicatorItem():
            observable_obj = process_indicator_item(indicator_item,
                                                    observables,
                                                    indicatoritem_dict)
            if observable_obj:
                if embed_observables:
                    current_composition.add_Observable(observable_obj)
                else:
                    if indicator_item.get_id() is not None:
                        observable = cybox_binding.ObservableType(
                            idref='openioc:indicator-item-' +
                            normalize_id(indicator_item.get_id()))
                    else:
                        observable = cybox_binding.ObservableType(
                            idref=indicatoritem_dict.get(
                                get_indicatoritem_string(indicator_item)))
                    observables.add_Observable(observable_obj)
                    current_composition.add_Observable(observable)

        #Recurse as needed to handle embedded indicators
        for embedded_indicator in indicator.get_Indicator():
            process_indicator(embedded_indicator, observables,
                              current_composition, False, embed_observables)
    else:
        return False

    return True
Ejemplo n.º 2
0
    def to_obj(self, return_obj=None, ns_info=None):
        self._collect_ns_info(ns_info)

        obs_obj = core_binding.ObservableType()

        obs_obj.id = self.id_
        if self.title is not None:
            obs_obj.Title = self.title
        if self.description is not None:
            obs_obj.Description = self.description.to_obj(ns_info=ns_info)
        if self.object_:
            obs_obj.Object = self.object_.to_obj(ns_info=ns_info)
        if self.event:
            obs_obj.Event = self.event.to_obj(ns_info=ns_info)
        if self.observable_composition:
            obs_obj.Observable_Composition = self.observable_composition.to_obj(ns_info=ns_info)
        if self.idref is not None: 
            obs_obj.idref = self.idref
        if self.sighting_count is not None:
            obs_obj.sighting_count = self.sighting_count
        if self.observable_source:
            obs_obj.Observable_Source = [x.to_obj(ns_info=ns_info) for x in self.observable_source]
        if self.keywords:
            obs_obj.Keywords = self.keywords.to_obj(ns_info=ns_info)
        if self.pattern_fidelity:
            obs_obj.Pattern_Fidelity = self.pattern_fidelity.to_obj(ns_info=ns_info)

        return obs_obj
Ejemplo n.º 3
0
def process_indicator_item(indicator_item,
                           observables=None,
                           indicatoritem_dict=None):
    context = indicator_item.get_Context()
    content = indicator_item.get_Content()
    search_string = context.get_search()
    content_string = content.get_valueOf_().rstrip()
    condition = indicator_item.get_condition()
    relatedobj = None
    observable = None

    if observables:
        id_string = ''
        if indicator_item.get_id() is not None:
            id_string = 'openioc:indicator-item-' + normalize_id(
                indicator_item.get_id())
        else:
            id_string = 'openioc:indicator-item-' + generate_observable_id()
            indicatoritem_dict[get_indicatoritem_string(
                indicator_item)] = id_string
        observable = cybox_binding.ObservableType(id=id_string)

    try:
        properties = ioc_observable.createObj(
            search_string, content_string, map_condition_keywords(condition))
    except Exception as e:
        if observable:
            description_text = str("<![CDATA[{0}]]>").format(
                "Error|Fatal. Encountered error when attempting IndicatorItem translation:"
                + str(e))
    #check if createObj returned only the expected object, or a list including a RelatedObject
    if type(properties) is list:
        relatedobj = properties[1]
        properties = properties[0]

    if properties:
        if observable:
            cyObject = cybox_binding.ObjectType(Properties=properties)
            observable.set_Object(cyObject)
            if relatedobj != None:
                roType = cybox_binding.RelatedObjectsType()
                roType.add_Related_Object(relatedobj)
                cyObject.set_Related_Objects(roType)
            return observable
        return True
    else:
        if observable:
            skipped_term = string_test(
                indicator_item.get_Context().get_search())
            description_text = str("<![CDATA[{0}]]>").format("Error|Ignore. IndicatorItem not translated. Encountered IOC term "\
                + skipped_term + ", which does not currently map to CybOX.")
            observable.set_Description(
                cybox_common_binding.StructuredTextType(
                    valueOf_=description_text))
            return observable
        return False
    return
Ejemplo n.º 4
0
def process_indicator_item(indicator_item,
                           observables=None,
                           indicatoritem_dict=None):
    context = indicator_item.get_Context()
    content = indicator_item.get_Content()
    search_string = context.get_search()
    content_string = content.get_valueOf_().rstrip()
    condition = indicator_item.get_condition()

    properties = ioc_observable.createObj(search_string, content_string,
                                          map_condition_keywords(condition))
    relatedobj = None

    #check if createObj returned only the expected object, or a list including a RelatedObject
    if type(properties) is list:
        relatedobj = properties[1]
        properties = properties[0]

    if properties != None:
        if observables != None:
            id_string = ''
            if indicator_item.get_id() is not None:
                id_string = 'openioc:indicator-item-' + normalize_id(
                    indicator_item.get_id())
            else:
                id_string = 'openioc:indicator-item-' + generate_observable_id(
                )
                indicatoritem_dict[get_indicatoritem_string(
                    indicator_item)] = id_string
            observable = cybox_binding.ObservableType(id=id_string)
            cyObject = cybox_binding.ObjectType(Properties=properties)
            observable.set_Object(cyObject)
            observables.add_Observable(observable)
            if relatedobj != None:
                roType = cybox_binding.RelatedObjectsType()
                roType.add_Related_Object(relatedobj)
                cyObject.set_Related_Objects(roType)

        return True
    else:
        if verbose_mode:
            if indicator_item not in skipped_indicators:
                skipped_indicators.append(indicator_item)
        return False
    return
Ejemplo n.º 5
0
def generate_cybox(indicators, infilename, embed_observables):
    #Create the core CybOX structure
    observables = cybox_binding.ObservablesType()

    #Set the description if it exists
    description = None
    if indicators.get_description() != None:
        description = indicators.get_description()
    elif indicators.get_short_description != None:
        description = indicators.get_short_description()

    indicator_definition = indicators.get_definition()
    for indicator in indicator_definition.get_Indicator():
        #Create the 'indicator' observable for holding the boolean indicator logic
        id_string = ''
        if indicator.get_id() is not None:
            id_string = 'openioc:indicator-' + normalize_id(indicator.get_id())
        else:
            id_string = 'openioc:indicator-' + generate_observable_id()
        indicator_observable = cybox_binding.ObservableType(id=id_string)
        #Set the title as appropriate
        if description != None:
            indicator_observable.set_Title(description)
        #Set observable source to IOC
        observable_source = cybox_common_binding.MeasureSourceType()
        observable_source_description = cybox_common_binding.StructuredTextType(
        )
        observable_source_description.set_valueOf_(
            'OpenIOC File: ' + os.path.basename(infilename))
        observable_source.set_Description(observable_source_description)
        indicator_observable.set_Observable_Source(observable_source)

        composition = cybox_binding.ObservableCompositionType(
            operator=indicator.get_operator())
        #Process the indicator, including any embedded indicators
        if process_indicator(indicator, observables, composition, True,
                             embed_observables):
            indicator_observable.set_Observable_Composition(composition)
            observables.add_Observable(indicator_observable)
        else:
            #IOC had no indicator items compatible with CybOX
            return None

    return observables
Ejemplo n.º 6
0
    def to_obj(self):
        obs_obj = core_binding.ObservableType()

        obs_obj.set_id(self.id_)
        if self.title is not None:
            obs_obj.set_Title(self.title)
        if self.description is not None:
            obs_obj.set_Description(self.description.to_obj())
        if self.object_:
            obs_obj.set_Object(self.object_.to_obj())
        if self.event:
            obs_obj.set_Event(self.event.to_obj())
        if self.observable_composition:
            obs_obj.set_Observable_Composition(self.observable_composition.to_obj())
        if self.idref is not None: 
            obs_obj.set_idref(self.idref)
        if self.sighting_count is not None:
            obs_obj.set_sighting_count(self.sighting_count)
        if self.observable_source:
            obs_obj.set_Observable_Source([x.to_obj() for x in self.observable_source])

        return obs_obj