def walkobservables(obs):
'''Recursive function for checking observables in an Observables, Observable_composition, Observable tree'''
try:
remove = Observables()
for x in obs.observables:
if walkobservables(x) is None:
remove.add(x)
for x in remove:
obs.remove(x)
return obs
except AttributeError:
pass
try:
remove = Observables()
for x in obs.observable_composition.observables:
if walkobservables(x) is None:
remove.add(x)
for x in remove:
obs.observable_composition.observables.remove(x)
return obs
except AttributeError:
pass
try:
if not checkcompatible_observable(obs):
return None
except AttributeError:
pass
return obs
def cybox_mutex(observable, observable_type, objects):
nsname, nsurl = observable.namespace.last().namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
m = Mutex()
m.name = obj.mutex_name
o = Observable(m)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def cybox_http(observable, observable_type, objects):
nsname, nsurl = observable.namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
h = cybox_object_http(obj)
# get related objects
related_objects_list = get_related_objects_for_object(obj.id, observable_type)
o = Observable(h)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def cybox_http(observable, observable_type, objects):
nsname, nsurl = observable.namespace.last().namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
h = cybox_object_http(obj)
# get related objects
related_objects_list = get_related_objects_for_object(obj.id, observable_type)
o = Observable(h)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def cybox_file(observable, observable_type, objects):
nsname, nsurl = observable.namespace.last().namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
for meta in obj.file_meta.all():
f = cybox_object_file(obj, meta)
# get related objects
related_objects_list = get_related_objects_for_object(obj.id, observable_type)
for rel_obj_dict in related_objects_list:
for rel_obj in rel_obj_dict['objects']:
if isinstance(rel_obj, EmailMessage_Object):
rel_o, attachments_list = cybox_object_email(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
for att in attachments_list:
observables.add(Observable(att))
continue
elif isinstance(rel_obj, File_Object):
for rel_meta in rel_obj.file_meta.all():
rel_o = cybox_object_file(rel_obj, rel_meta)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
elif isinstance(rel_obj, Address_Object):
rel_o = cybox_object_address(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
elif isinstance(rel_obj, URI_Object):
rel_o = cybox_object_uri(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
elif isinstance(rel_obj, HTTPSession_Object):
rel_o = cybox_object_http(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
o = Observable(f)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def strip_observables(pkg_path):
'''Strips observable from a package, support multiple structures'''
result = Observables()
pkg = STIXPackage.from_xml(pkg_path)
processed = []
for ind in pkg.indicators:
if ind.composite_indicator_expression:
"""The indicator is a compsite structure, this references other indicators, which reference the observables..."""
cyboxobject = ObservableComposition()
cyboxobject.operator = str(ind.observable_composition_operator)
for x in ind.composite_indicator_expression:
"""For every indicator in the composite list, get referenced indicator"""
ref_ind = getindicator_by_id(pkg, str(x._idref))
if ref_ind.observables:
for y in ref_ind.observables:
"""For every referenced observable, get the object"""
ref_obs = getobservable_by_id(pkg, y._idref)
if ref_obs:
cyboxobject.add(ref_obs)
processed.append(ref_obs.id_)
result.add(cyboxobject)
if ind.observables:
for x in ind.observables:
if x is not None:
if x.id_ not in processed:
result.add(x)
processed.append(x.id_)
if pkg.observables:
for x in pkg.observables:
if x is not None:
if x.id_ not in processed:
result.add(x)
scanfile = open(os.path.join(iocname,"scan.json"),'w')
scanfile.write(json.dumps(walkobservables(result).to_dict(), indent=4))
scanfile.close()
def cybox_file(observable, observable_type, objects):
nsname, nsurl = observable.namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
for meta in obj.file_meta.all():
f = cybox_object_file(obj, meta)
# get related objects
related_objects_list = get_related_objects_for_object(obj.id, observable_type)
for rel_obj_dict in related_objects_list:
for rel_obj in rel_obj_dict['objects']:
if isinstance(rel_obj, EmailMessage_Object):
rel_o, attachments_list = cybox_object_email(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
for att in attachments_list:
observables.add(Observable(att))
continue
elif isinstance(rel_obj, File_Object):
for rel_meta in rel_obj.file_meta.all():
rel_o = cybox_object_file(rel_obj, rel_meta)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
elif isinstance(rel_obj, Address_Object):
rel_o = cybox_object_address(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
elif isinstance(rel_obj, URI_Object):
rel_o = cybox_object_uri(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
elif isinstance(rel_obj, HTTPSession_Object):
rel_o = cybox_object_http(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
o = Observable(f)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
class STIXPackage(stix.Entity):
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.1.1"
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
courses_of_action=None, exploit_targets=None, indicators=None,
observables=None, incidents=None, threat_actors=None,
ttps=None, campaigns=None):
self.id_ = id_ or stix.utils.create_id("Package")
self.idref = idref
self.version = self._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = RelatedPackages()
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = utils.dates.now() if not idref else None
@property
def id_(self):
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
return self._idref
@idref.setter
def idref(self, value):
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
return self._timestamp
@timestamp.setter
def timestamp(self, value):
self._timestamp = utils.dates.parse_value(value)
@property
def stix_header(self):
return self._stix_header
@stix_header.setter
def stix_header(self, value):
self._set_var(STIXHeader, try_cast=False, stix_header=value)
@property
def indicators(self):
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = Indicators(value)
def add_indicator(self, indicator):
self.indicators.append(indicator)
@property
def campaigns(self):
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = Campaigns(value)
def add_campaign(self, campaign):
self.campaigns.append(campaign)
@property
def observables(self):
return self._observables
@observables.setter
def observables(self, value):
self._set_var(Observables, observables=value)
def add_observable(self, observable):
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = Incidents(value)
def add_incident(self, incident):
self.incidents.append(incident)
@property
def threat_actors(self):
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = ThreatActors(value)
def add_threat_actor(self, threat_actor):
self._threat_actors.append(threat_actor)
@property
def courses_of_action(self):
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = CoursesOfAction(value)
def add_course_of_action(self, course_of_action):
self._courses_of_action.append(course_of_action)
@property
def exploit_targets(self):
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = ExploitTargets(value)
def add_exploit_target(self, exploit_target):
self._exploit_targets.append(exploit_target)
@property
def ttps(self):
return self._ttps
@ttps.setter
def ttps(self, value):
if isinstance(value, TTPs):
self._ttps = value
else:
self._ttps = TTPs(value)
def add_ttp(self, ttp):
self.ttps.append(ttp)
def add(self, entity):
"""Adds `entity` to a top-level collection. For example, if `entity` is
an Indicator object, the `entity` will be added to the ``indicators``
top-level collection.
"""
if utils.is_cybox(entity):
self.add_observable(entity)
return
tlo_adds = {
Campaign: self.add_campaign,
CourseOfAction: self.add_course_of_action,
ExploitTarget: self.add_exploit_target,
Incident: self.add_incident,
Indicator: self.add_indicator,
ThreatActor: self.add_threat_actor,
TTP: self.add_threat_actor,
Observable: self.add_observable,
}
try:
add = tlo_adds[entity.__class__]
add(entity)
except KeyError:
error = "Cannot add type '{0}' to a top-level collection"
error = error.format(type(entity))
raise TypeError(error)
def to_obj(self, return_obj=None, ns_info=None):
super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)
if not return_obj:
return_obj = self._binding_class()
return_obj.id = self.id_
return_obj.idref = self.idref
return_obj.version = self.version
return_obj.timestamp = utils.dates.serialize_value(self.timestamp)
if self.stix_header:
return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info)
if self.campaigns:
return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
if self.courses_of_action:
return_obj.Courses_Of_Action = self.courses_of_action.to_obj(ns_info=ns_info)
if self.exploit_targets:
return_obj.Exploit_Targets = self.exploit_targets.to_obj(ns_info=ns_info)
if self.indicators:
return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
if self.observables:
return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
if self.incidents:
return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
if self.threat_actors:
return_obj.Threat_Actors = self.threat_actors.to_obj(ns_info=ns_info)
if self.ttps:
return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
if self.related_packages:
return_obj.Related_Packages = self.related_packages.to_obj(ns_info=ns_info)
return return_obj
def to_dict(self):
return super(STIXPackage, self).to_dict()
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
# Don't overwrite unless a version is passed in
if obj.version:
return_obj.version = obj.version
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header'))
return_obj.campaigns = Campaigns.from_dict(dict_repr.get('campaigns'))
return_obj.courses_of_action = CoursesOfAction.from_dict(dict_repr.get('courses_of_action'))
return_obj.exploit_targets = ExploitTargets.from_dict(dict_repr.get('exploit_targets'))
return_obj.indicators = Indicators.from_dict(dict_repr.get('indicators'))
return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
return_obj.incidents = Incidents.from_dict(dict_repr.get('incidents'))
return_obj.threat_actors = ThreatActors.from_dict(dict_repr.get('threat_actors'))
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))
return return_obj
@classmethod
def from_xml(cls, xml_file, encoding=None):
"""Parses the `xml_file` file-like object and returns a
:class:`STIXPackage` instance.
Args:
xml_file: A file, file-like object, etree._Element, or
etree._ElementTree instance.
encoding: The character encoding of the `xml_file` input. If
``None``, an attempt will be made to determine the input
character encoding. Default is ``None``.
Returns:
An instance of :class:`STIXPackage`.
"""
entity_parser = parser.EntityParser()
return entity_parser.parse_xml(xml_file, encoding=encoding)
class STIXPackage(stix.Entity):
"""A STIX Package object.
Args:
id_ (optional): An identifier. If ``None``, a value will be generated
via ``mixbox.idgen.create_id()``. If set, this will unset the
``idref`` property.
idref: **DEPRECATED** An identifier reference. If set this will unset
the ``id_`` property.
timestamp: **DEPRECATED** A timestamp value. Can be an instance of
``datetime.datetime`` or ``str``.
header: A Report :class:`.Header` object.
campaigns: A collection of :class:`.Campaign` objects.
course_of_action: A collection of :class:`.CourseOfAction` objects.
exploit_targets: A collection of :class:`.ExploitTarget` objects.
incidents: A collection of :class:`.Incident` objects.
indicators: A collection of :class:`.Indicator` objects.
threat_actors: A collection of :class:`.ThreatActor` objects.
ttps: A collection of :class:`.TTP` objects.
related_packages: **DEPRECATED**. A collection of
:class:`.RelatedPackage` objects.
reports: A collection of :class:`.Report` objects.
"""
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.2"
_ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2")
id_ = fields.IdField("id")
idref = fields.IdrefField("idref", preset_hook=deprecated.field)
version = fields.TypedField("version")
timestamp = fields.DateTimeField("timestamp", preset_hook=deprecated.field)
stix_header = fields.TypedField("STIX_Header", STIXHeader)
campaigns = fields.TypedField("Campaigns", Campaigns)
courses_of_action = fields.TypedField("Courses_Of_Action", CoursesOfAction)
exploit_targets = fields.TypedField("Exploit_Targets", ExploitTargets)
observables = fields.TypedField("Observables", Observables)
indicators = fields.TypedField("Indicators", Indicators)
incidents = fields.TypedField("Incidents", Incidents)
threat_actors = fields.TypedField("Threat_Actors", ThreatActors)
ttps = fields.TypedField("TTPs", TTPs)
related_packages = fields.TypedField("Related_Packages", RelatedPackages)
reports = fields.TypedField("Reports", Reports)
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
courses_of_action=None, exploit_targets=None, indicators=None,
observables=None, incidents=None, threat_actors=None,
ttps=None, campaigns=None, related_packages=None,
reports=None):
super(STIXPackage, self).__init__()
self.id_ = id_ or idgen.create_id("Package")
self.idref = idref
self.version = STIXPackage._version
self.stix_header = stix_header
self.campaigns = campaigns or Campaigns()
self.courses_of_action = courses_of_action or CoursesOfAction()
self.exploit_targets = exploit_targets or ExploitTargets()
self.observables = observables or Observables()
self.indicators = indicators or Indicators()
self.incidents = incidents or Incidents()
self.threat_actors = threat_actors or ThreatActors()
self.ttps = ttps or TTPs()
self.related_packages = related_packages
self.reports = reports or Reports()
self.timestamp = timestamp
def add_indicator(self, indicator):
"""Adds an :class:`.Indicator` object to the :attr:`indicators`
collection.
"""
if self.indicators is None:
self.indicators = Indicators()
self.indicators.append(indicator)
def add_campaign(self, campaign):
"""Adds a :class:`Campaign` object to the :attr:`campaigns` collection.
"""
if self.campaigns is None:
self.campaigns = Campaigns()
self.campaigns.append(campaign)
def add_observable(self, observable):
"""Adds an ``Observable`` object to the :attr:`observables` collection.
If `observable` is not an ``Observable`` instance, an effort will be
made to convert it to one.
"""
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
def add_incident(self, incident):
"""Adds an :class:`.Incident` object to the :attr:`incidents`
collection.
"""
if self.incidents is None:
self.incidents = Incidents()
self.incidents.append(incident)
def add_threat_actor(self, threat_actor):
"""Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
collection.
"""
if self.threat_actors is None:
self.threat_actors = ThreatActors()
self.threat_actors.append(threat_actor)
def add_course_of_action(self, course_of_action):
"""Adds an :class:`.CourseOfAction` object to the
:attr:`courses_of_action` collection.
"""
if self.courses_of_action is None:
self.courses_of_action = CoursesOfAction()
self.courses_of_action.append(course_of_action)
def add_exploit_target(self, exploit_target):
"""Adds an :class:`.ExploitTarget` object to the
:attr:`exploit_targets` collection.
"""
if self.exploit_targets is None:
self.exploit_targets = ExploitTargets()
self.exploit_targets.append(exploit_target)
def add_ttp(self, ttp):
"""Adds an :class:`.TTP` object to the :attr:`ttps` collection.
"""
if self.ttps is None:
self.ttps = TTPs()
self.ttps.append(ttp)
def add_report(self, report):
"""Adds a :class:`.Report` object to the :attr:`reports` collection.
"""
if self.reports is None:
self.reports = Reports()
self.reports.append(report)
def add_related_package(self, related_package):
"""Adds a :class:`.RelatedPackage` object to the
:attr:`related_packages` collection.
"""
if self.related_packages is None:
self.related_packages = RelatedPackages()
self.related_packages.append(related_package)
def add(self, entity):
"""Adds `entity` to a top-level collection. For example, if `entity` is
an Indicator object, the `entity` will be added to the ``indicators``
top-level collection.
"""
if utils.is_cybox(entity):
self.add_observable(entity)
return
tlo_adds = {
Campaign: self.add_campaign,
CourseOfAction: self.add_course_of_action,
ExploitTarget: self.add_exploit_target,
Incident: self.add_incident,
Indicator: self.add_indicator,
ThreatActor: self.add_threat_actor,
TTP: self.add_ttp,
Report: self.add_report,
Observable: self.add_observable,
}
try:
add = tlo_adds[entity.__class__]
add(entity)
except KeyError:
error = "Cannot add type '{0}' to a top-level collection"
error = error.format(type(entity))
raise TypeError(error)
@classmethod
def from_xml(cls, xml_file, encoding=None):
"""Parses the `xml_file` file-like object and returns a
:class:`STIXPackage` instance.
Args:
xml_file: A file, file-like object, etree._Element, or
etree._ElementTree instance.
encoding: The character encoding of the `xml_file` input. If
``None``, an attempt will be made to determine the input
character encoding. Default is ``None``.
Returns:
An instance of :class:`STIXPackage`.
"""
entity_parser = parser.EntityParser()
return entity_parser.parse_xml(xml_file, encoding=encoding)
class STIXPackage(stix.Entity):
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.1.1"
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None, courses_of_action=None, exploit_targets=None, indicators=None, observables=None, incidents=None, threat_actors=None, ttps=None, campaigns=None):
self.id_ = id_ or stix.utils.create_id("Package")
self.idref = idref
self.version = self._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = RelatedPackages()
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = datetime.now(tzutc()) if not idref else None
@property
def id_(self):
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
return self._idref
@idref.setter
def idref(self, value):
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
return self._timestamp
@timestamp.setter
def timestamp(self, value):
self._timestamp = dates.parse_value(value)
@property
def stix_header(self):
return self._stix_header
@stix_header.setter
def stix_header(self, value):
if value and not isinstance(value, STIXHeader):
raise ValueError('value must be instance of STIXHeader')
self._stix_header = value
@property
def indicators(self):
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_indicator(v)
else:
self.add_indicator(value)
def add_indicator(self, indicator):
if not indicator:
return
elif isinstance(indicator, Indicator):
self.indicators.append(indicator)
else:
raise ValueError('indicator must be instance of stix.indicator.Indicator')
@property
def campaigns(self):
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_campaign(v)
else:
self.add_campaign(value)
def add_campaign(self, campaign):
if not campaign:
return
elif isinstance(campaign, Campaign):
self.campaigns.append(campaign)
else:
raise ValueError('indicator must be instance of stix.campaign.Campaign')
@property
def observables(self):
return self._observables
@observables.setter
def observables(self, value):
if value and not isinstance(value, Observables):
raise ValueError('value must be instance of cybox.core.Observables')
self._observables = value
def add_observable(self, observable):
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_incident(v)
else:
self.add_incident(value)
def add_incident(self, incident):
if not incident:
return
elif isinstance(incident, Incident):
self.incidents.append(incident)
else:
raise ValueError('Cannot add %s to incident list' % type(incident))
@property
def threat_actors(self):
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_threat_actor(v)
else:
self.add_threat_actor(value)
def add_threat_actor(self, threat_actor):
if not threat_actor:
return
elif isinstance(threat_actor, ThreatActor):
self._threat_actors.append(threat_actor)
else:
raise ValueError('Cannot add %s to threat actor list' % type(threat_actor))
@property
def courses_of_action(self):
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_course_of_action(v)
else:
self.add_course_of_action(value)
def add_course_of_action(self, course_of_action):
if not course_of_action:
return
elif isinstance(course_of_action, CourseOfAction):
self._courses_of_action.append(course_of_action)
else:
raise ValueError('Cannot add %s to course of action list' % type(course_of_action))
@property
def exploit_targets(self):
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_exploit_target(v)
else:
self.add_exploit_target(value)
def add_exploit_target(self, exploit_target):
if not exploit_target:
return
elif isinstance(exploit_target, ExploitTarget):
self._exploit_targets.append(exploit_target)
else:
raise ValueError('Cannot add %s to exploit target list' % type(exploit_target))
@property
def ttps(self):
return self._ttps
@ttps.setter
def ttps(self, value):
if not value:
self._ttps = None
elif isinstance(value, TTPs):
self._ttps = value
elif isinstance(value, list):
for v in value:
self.add_ttp(v)
else:
self.add_ttp(value)
def add_ttp(self, ttp):
if not ttp:
return
if not self.ttps:
self.ttps = TTPs()
self.ttps.add_ttp(ttp)
def to_obj(self, return_obj=None):
if not return_obj:
return_obj = self._binding_class()
return_obj.set_id(self.id_)
return_obj.set_idref(self.idref)
return_obj.set_version(self.version)
return_obj.set_timestamp(dates.serialize_value(self.timestamp))
if self.stix_header:
return_obj.set_STIX_Header(self.stix_header.to_obj())
if self.campaigns:
coas_obj = self._binding.CampaignsType()
coas_obj.set_Campaign([x.to_obj() for x in self.campaigns])
return_obj.set_Campaigns(coas_obj)
if self.courses_of_action:
coas_obj = self._binding.CoursesOfActionType()
coas_obj.set_Course_Of_Action([x.to_obj() for x in self.courses_of_action])
return_obj.set_Courses_Of_Action(coas_obj)
if self.exploit_targets:
et_obj = stix_common_binding.ExploitTargetsType()
et_obj.set_Exploit_Target([x.to_obj() for x in self.exploit_targets])
return_obj.set_Exploit_Targets(et_obj)
if self.indicators:
indicators_obj = self._binding.IndicatorsType()
indicators_obj.set_Indicator([x.to_obj() for x in self.indicators])
return_obj.set_Indicators(indicators_obj)
if self.observables:
return_obj.set_Observables(self.observables.to_obj())
if self.incidents:
incidents_obj = self._binding.IncidentsType()
incidents_obj.set_Incident([x.to_obj() for x in self.incidents])
return_obj.set_Incidents(incidents_obj)
if self.threat_actors:
threat_actors_obj = self._binding.ThreatActorsType()
threat_actors_obj.set_Threat_Actor([x.to_obj() for x in self.threat_actors])
return_obj.set_Threat_Actors(threat_actors_obj)
if self.ttps:
return_obj.set_TTPs(self.ttps.to_obj())
if self.related_packages:
return_obj.set_Related_Packages(self.related_packages.to_obj())
return return_obj
def to_dict(self):
d = {}
if self.id_:
d['id'] = self.id_
if self.idref:
d['idref'] = self.idref
if self.version:
d['version'] = self.version
if self.idref:
d['idref'] = self.idref
if self.timestamp:
d['timestamp'] = dates.serialize_value(self.timestamp)
if self.stix_header:
d['stix_header'] = self.stix_header.to_dict()
if self.campaigns:
d['campaigns'] = [x.to_dict() for x in self.campaigns]
if self.courses_of_action:
d['courses_of_action'] = [x.to_dict() for x in self.courses_of_action]
if self.exploit_targets:
d['exploit_targets'] = [x.to_dict() for x in self.exploit_targets]
if self.indicators:
d['indicators'] = [x.to_dict() for x in self.indicators]
if self.observables:
d['observables'] = self.observables.to_dict()
if self.incidents:
d['incidents'] = [x.to_dict() for x in self.incidents]
if self.threat_actors:
d['threat_actors'] = [x.to_dict() for x in self.threat_actors]
if self.ttps:
d['ttps'] = self.ttps.to_dict()
if self.related_packages:
d['related_packages'] = self.related_packages.to_dict()
return d
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())
if obj.get_version():
return_obj.version = obj.get_version()
if obj.get_Campaigns():
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()]
if obj.get_Courses_Of_Action():
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()]
if obj.get_Exploit_Targets():
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()]
if obj.get_Indicators():
return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()]
if obj.get_Observables():
return_obj.observables = Observables.from_obj(obj.get_Observables())
if obj.get_Incidents():
return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()]
if obj.get_Threat_Actors():
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()]
if obj.get_TTPs():
return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id', None)
return_obj.idref = dict_repr.get('idref', None)
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
header_dict = dict_repr.get('stix_header', None)
return_obj.stix_header = STIXHeader.from_dict(header_dict)
return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])]
return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in dict_repr.get('courses_of_action', [])]
return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])]
return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])]
return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])]
return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])]
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))
return return_obj
@classmethod
def from_xml(cls, xml_file):
parser = EntityParser()
return parser.parse_xml(xml_file)
class STIXPackage(stix.Entity):
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.1.1"
def __init__(self,
id_=None,
idref=None,
timestamp=None,
stix_header=None,
courses_of_action=None,
exploit_targets=None,
indicators=None,
observables=None,
incidents=None,
threat_actors=None,
ttps=None,
campaigns=None):
self.id_ = id_ or stix.utils.create_id("Package")
self.idref = idref
self.version = self._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = RelatedPackages()
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = utils.dates.now() if not idref else None
@property
def id_(self):
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
return self._idref
@idref.setter
def idref(self, value):
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
return self._timestamp
@timestamp.setter
def timestamp(self, value):
self._timestamp = utils.dates.parse_value(value)
@property
def stix_header(self):
return self._stix_header
@stix_header.setter
def stix_header(self, value):
self._set_var(STIXHeader, try_cast=False, stix_header=value)
@property
def indicators(self):
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = Indicators(value)
def add_indicator(self, indicator):
self.indicators.append(indicator)
@property
def campaigns(self):
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = Campaigns(value)
def add_campaign(self, campaign):
self.campaigns.append(campaign)
@property
def observables(self):
return self._observables
@observables.setter
def observables(self, value):
self._set_var(Observables, observables=value)
def add_observable(self, observable):
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = Incidents(value)
def add_incident(self, incident):
self.incidents.append(incident)
@property
def threat_actors(self):
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = ThreatActors(value)
def add_threat_actor(self, threat_actor):
self._threat_actors.append(threat_actor)
@property
def courses_of_action(self):
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = CoursesOfAction(value)
def add_course_of_action(self, course_of_action):
self._courses_of_action.append(course_of_action)
@property
def exploit_targets(self):
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = ExploitTargets(value)
def add_exploit_target(self, exploit_target):
self._exploit_targets.append(exploit_target)
@property
def ttps(self):
return self._ttps
@ttps.setter
def ttps(self, value):
if isinstance(value, TTPs):
self._ttps = value
else:
self._ttps = TTPs(value)
def add_ttp(self, ttp):
self.ttps.append(ttp)
def add(self, entity):
"""Adds `entity` to a top-level collection. For example, if `entity` is
an Indicator object, the `entity` will be added to the ``indicators``
top-level collection.
"""
if utils.is_cybox(entity):
self.add_observable(entity)
return
tlo_adds = {
Campaign: self.add_campaign,
CourseOfAction: self.add_course_of_action,
ExploitTarget: self.add_exploit_target,
Incident: self.add_incident,
Indicator: self.add_indicator,
ThreatActor: self.add_threat_actor,
TTP: self.add_threat_actor,
Observable: self.add_observable,
}
try:
add = tlo_adds[entity.__class__]
add(entity)
except KeyError:
error = "Cannot add type '{0}' to a top-level collection"
error = error.format(type(entity))
raise TypeError(error)
def to_obj(self, return_obj=None, ns_info=None):
super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)
if not return_obj:
return_obj = self._binding_class()
return_obj.id = self.id_
return_obj.idref = self.idref
return_obj.version = self.version
return_obj.timestamp = utils.dates.serialize_value(self.timestamp)
if self.stix_header:
return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info)
if self.campaigns:
return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
if self.courses_of_action:
return_obj.Courses_Of_Action = self.courses_of_action.to_obj(
ns_info=ns_info)
if self.exploit_targets:
return_obj.Exploit_Targets = self.exploit_targets.to_obj(
ns_info=ns_info)
if self.indicators:
return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
if self.observables:
return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
if self.incidents:
return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
if self.threat_actors:
return_obj.Threat_Actors = self.threat_actors.to_obj(
ns_info=ns_info)
if self.ttps:
return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
if self.related_packages:
return_obj.Related_Packages = self.related_packages.to_obj(
ns_info=ns_info)
return return_obj
def to_dict(self):
return super(STIXPackage, self).to_dict()
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(
obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(
obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_packages = RelatedPackages.from_obj(
obj.Related_Packages)
# Don't overwrite unless a version is passed in
if obj.version:
return_obj.version = obj.version
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(
dict_repr.get('stix_header'))
return_obj.campaigns = Campaigns.from_dict(dict_repr.get('campaigns'))
return_obj.courses_of_action = CoursesOfAction.from_dict(
dict_repr.get('courses_of_action'))
return_obj.exploit_targets = ExploitTargets.from_dict(
dict_repr.get('exploit_targets'))
return_obj.indicators = Indicators.from_dict(
dict_repr.get('indicators'))
return_obj.observables = Observables.from_dict(
dict_repr.get('observables'))
return_obj.incidents = Incidents.from_dict(dict_repr.get('incidents'))
return_obj.threat_actors = ThreatActors.from_dict(
dict_repr.get('threat_actors'))
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(
dict_repr.get('related_packages'))
return return_obj
@classmethod
def from_xml(cls, xml_file, encoding=None):
"""Parses the `xml_file` file-like object and returns a
:class:`STIXPackage` instance.
Args:
xml_file: A file, file-like object, etree._Element, or
etree._ElementTree instance.
encoding: The character encoding of the `xml_file` input. If
``None``, an attempt will be made to determine the input
character encoding. Default is ``None``.
Returns:
An instance of :class:`STIXPackage`.
"""
entity_parser = parser.EntityParser()
return entity_parser.parse_xml(xml_file, encoding=encoding)
class STIXPackage(stix.Entity):
"""A STIX Package object.
Args:
id_ (optional): An identifier. If ``None``, a value will be generated
via ``mixbox.idgen.create_id()``. If set, this will unset the
``idref`` property.
idref: **DEPRECATED** An identifier reference. If set this will unset
the ``id_`` property.
timestamp: **DEPRECATED** A timestamp value. Can be an instance of
``datetime.datetime`` or ``str``.
header: A Report :class:`.Header` object.
campaigns: A collection of :class:`.Campaign` objects.
course_of_action: A collection of :class:`.CourseOfAction` objects.
exploit_targets: A collection of :class:`.ExploitTarget` objects.
incidents: A collection of :class:`.Incident` objects.
indicators: A collection of :class:`.Indicator` objects.
threat_actors: A collection of :class:`.ThreatActor` objects.
ttps: A collection of :class:`.TTP` objects.
related_packages: **DEPRECATED**. A collection of
:class:`.RelatedPackage` objects.
reports: A collection of :class:`.Report` objects.
"""
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.2"
_ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2")
id_ = fields.IdField("id")
idref = fields.IdrefField("idref", preset_hook=deprecated.field)
version = fields.TypedField("version")
timestamp = fields.DateTimeField("timestamp", preset_hook=deprecated.field)
stix_header = fields.TypedField("STIX_Header", STIXHeader)
campaigns = fields.TypedField("Campaigns", Campaigns)
courses_of_action = fields.TypedField("Courses_Of_Action", CoursesOfAction)
exploit_targets = fields.TypedField("Exploit_Targets", ExploitTargets)
observables = fields.TypedField("Observables", Observables)
indicators = fields.TypedField("Indicators", Indicators)
incidents = fields.TypedField("Incidents", Incidents)
threat_actors = fields.TypedField("Threat_Actors", ThreatActors)
ttps = fields.TypedField("TTPs", TTPs)
related_packages = fields.TypedField("Related_Packages", RelatedPackages)
reports = fields.TypedField("Reports", Reports)
def __init__(self,
id_=None,
idref=None,
timestamp=None,
stix_header=None,
courses_of_action=None,
exploit_targets=None,
indicators=None,
observables=None,
incidents=None,
threat_actors=None,
ttps=None,
campaigns=None,
related_packages=None,
reports=None):
super(STIXPackage, self).__init__()
self.id_ = id_ or idgen.create_id("Package")
self.idref = idref
self.version = STIXPackage._version
self.stix_header = stix_header
self.campaigns = campaigns or Campaigns()
self.courses_of_action = courses_of_action or CoursesOfAction()
self.exploit_targets = exploit_targets or ExploitTargets()
self.observables = observables or Observables()
self.indicators = indicators or Indicators()
self.incidents = incidents or Incidents()
self.threat_actors = threat_actors or ThreatActors()
self.ttps = ttps or TTPs()
self.related_packages = related_packages
self.reports = reports or Reports()
self.timestamp = timestamp
def add_indicator(self, indicator):
"""Adds an :class:`.Indicator` object to the :attr:`indicators`
collection.
"""
if self.indicators is None:
self.indicators = Indicators()
self.indicators.append(indicator)
def add_campaign(self, campaign):
"""Adds a :class:`Campaign` object to the :attr:`campaigns` collection.
"""
if self.campaigns is None:
self.campaigns = Campaigns()
self.campaigns.append(campaign)
def add_observable(self, observable):
"""Adds an ``Observable`` object to the :attr:`observables` collection.
If `observable` is not an ``Observable`` instance, an effort will be
made to convert it to one.
"""
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
def add_incident(self, incident):
"""Adds an :class:`.Incident` object to the :attr:`incidents`
collection.
"""
if self.incidents is None:
self.incidents = Incidents()
self.incidents.append(incident)
def add_threat_actor(self, threat_actor):
"""Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
collection.
"""
if self.threat_actors is None:
self.threat_actors = ThreatActors()
self.threat_actors.append(threat_actor)
def add_course_of_action(self, course_of_action):
"""Adds an :class:`.CourseOfAction` object to the
:attr:`courses_of_action` collection.
"""
if self.courses_of_action is None:
self.courses_of_action = CoursesOfAction()
self.courses_of_action.append(course_of_action)
def add_exploit_target(self, exploit_target):
"""Adds an :class:`.ExploitTarget` object to the
:attr:`exploit_targets` collection.
"""
if self.exploit_targets is None:
self.exploit_targets = ExploitTargets()
self.exploit_targets.append(exploit_target)
def add_ttp(self, ttp):
"""Adds an :class:`.TTP` object to the :attr:`ttps` collection.
"""
if self.ttps is None:
self.ttps = TTPs()
self.ttps.ttp.append(ttp)
def add_report(self, report):
"""Adds a :class:`.Report` object to the :attr:`reports` collection.
"""
if self.reports is None:
self.reports = Reports()
self.reports.append(report)
def add_related_package(self, related_package):
"""Adds a :class:`.RelatedPackage` object to the
:attr:`related_packages` collection.
"""
if self.related_packages is None:
self.related_packages = RelatedPackages()
self.related_packages.append(related_package)
def add(self, entity):
"""Adds `entity` to a top-level collection. For example, if `entity` is
an Indicator object, the `entity` will be added to the ``indicators``
top-level collection.
"""
if utils.is_cybox(entity):
self.add_observable(entity)
return
tlo_adds = {
Campaign: self.add_campaign,
CourseOfAction: self.add_course_of_action,
ExploitTarget: self.add_exploit_target,
Incident: self.add_incident,
Indicator: self.add_indicator,
ThreatActor: self.add_threat_actor,
TTP: self.add_ttp,
Report: self.add_report,
Observable: self.add_observable,
}
try:
add = tlo_adds[entity.__class__]
add(entity)
except KeyError:
error = "Cannot add type '{0}' to a top-level collection"
error = error.format(type(entity))
raise TypeError(error)
@classmethod
def from_xml(cls, xml_file, encoding=None):
"""Parses the `xml_file` file-like object and returns a
:class:`STIXPackage` instance.
Args:
xml_file: A file, file-like object, etree._Element, or
etree._ElementTree instance.
encoding: The character encoding of the `xml_file` input. If
``None``, an attempt will be made to determine the input
character encoding. Default is ``None``.
Returns:
An instance of :class:`STIXPackage`.
"""
entity_parser = parser.EntityParser()
return entity_parser.parse_xml(xml_file, encoding=encoding)
class STIXPackage(stix.Entity):
'''
classdocs
'''
def __init__(self,
id_=None,
idref_=None,
stix_header=None,
indicators=None,
observables=None):
'''
Constructor
'''
self.id_ = id_ if id_ else stix.utils.create_id()
self.idref_ = idref_
self.version = '1.0'
self.indicators = indicators
self.observables = observables
self.stix_header = stix_header
@property
def stix_header(self):
return self._stix_header
@stix_header.setter
def stix_header(self, value):
if value and not isinstance(value, STIXHeader):
raise ValueError('value must be instance of STIXHeader')
self._stix_header = value
@property
def indicators(self):
return self._indicators
@indicators.setter
def indicators(self, valuelist):
self._indicators = [] # initialize
if valuelist:
for value in valuelist:
self.add_indicator(value)
@property
def observables(self):
return self._observables
@observables.setter
def observables(self, value):
if value and not isinstance(value, Observables):
raise ValueError(
'value must be instance of cybox.core.Observables')
self._observables = value
def add_indicator(self, indicator):
if indicator and not isinstance(indicator, Indicator):
raise ValueError(
'indicator must be instance of stix.indicator.Indicator')
self.indicators.append(indicator)
def add_observable(self, observable):
if not self.observables:
self.observables = Observables(observable)
else:
self.observables.add(observable)
def to_obj(self, return_obj=None):
if not return_obj:
return_obj = stix_core_binding.STIXType()
return_obj.set_id(self.id_)
return_obj.set_idref(self.idref_)
return_obj.set_version(self.version)
if self.stix_header:
return_obj.set_STIX_Header(self.stix_header.to_obj())
if self.indicators:
indicators_obj = stix_core_binding.IndicatorsType()
for indicator in self.indicators:
indicators_obj.add_Indicator(indicator.to_obj())
return_obj.set_Indicators(indicators_obj)
if self.observables:
observables_obj = self.observables.to_obj()
return_obj.set_Observables(observables_obj)
return return_obj
def to_dict(self, return_dict=None):
if not return_dict:
return_dict = {}
if self.id_:
return_dict['id'] = self.id_
return_dict['version'] = self.version
if self.idref_:
return_dict['idref'] = self.idref_
if self.stix_header:
return_dict['stix_header'] = self.stix_header.to_dict()
if self.indicators:
for indicator in self.indicators:
return_dict.setdefault('indicators',
[]).append(indicator.to_dict())
if self.observables:
return_dict['observables'] = self.observables.to_dict()
return return_dict
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref_ = obj.get_idref()
return_obj.version = obj.get_version()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
if obj.get_Indicators():
indicators_obj = obj.get_Indicators()
if indicators_obj.get_Indicator():
for indicator_obj in indicators_obj.get_Indicator():
return_obj.add_indicator(Indicator.from_obj(indicator_obj))
if obj.get_Observables():
observables_obj = obj.get_Observables()
return_obj.observables = Observables.from_obj(observables_obj)
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id', None)
return_obj.idref_ = dict_repr.get('idref', None)
return_obj.version = dict_repr.get('version', None)
header_dict = dict_repr.get('stix_header', None)
return_obj.stix_header = STIXHeader.from_dict(header_dict)
indicators = dict_repr.get('indicators', [])
for indicator_dict in indicators:
return_obj.add_indicator(Indicator.from_dict(indicator_dict))
observables_dict = dict_repr.get('observables')
return_obj.observables = Observables.from_dict(observables_dict)
return return_obj
@classmethod
def from_xml(cls, xml_file):
'''
Returns a tuple of (api_object, binding_object).
Parameters:
xml_file - either a filename or a stream object
'''
if isinstance(xml_file, basestring):
f = open(xml_file, "rb")
else:
f = xml_file
doc = stix_core_binding.parsexml_(f)
stix_package_obj = stix_core_binding.STIXType().factory()
stix_package_obj.build(doc.getroot())
stix_package = STIXPackage().from_obj(stix_package_obj)
return (stix_package, stix_package_obj)
def to_xml(self, ns_dict=None):
'''
Overrides the stix.to_xml() method.
The ns_dict parameter is a dictionary where keys are namespaces
and values are prefixes. The NS:PREFIX pairs are appended to the
stix_core_binding.DEFAULT_XML_NS_MAP dictionary.
'''
export_ns_dict = dict(stix_core_binding.DEFAULT_XML_NS_MAP)
if ns_dict:
export_ns_dict.update(ns_dict)
s = StringIO()
self.to_obj().export(s, 0, export_ns_dict)
return s.getvalue()
class STIXPackage(stix.Entity):
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.1.1"
def __init__(self,
id_=None,
idref=None,
timestamp=None,
stix_header=None,
courses_of_action=None,
exploit_targets=None,
indicators=None,
observables=None,
incidents=None,
threat_actors=None,
ttps=None,
campaigns=None):
self.id_ = id_ or stix.utils.create_id("Package")
self.idref = idref
self.version = self._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = RelatedPackages()
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = datetime.now(tzutc()) if not idref else None
@property
def id_(self):
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
return self._idref
@idref.setter
def idref(self, value):
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
return self._timestamp
@timestamp.setter
def timestamp(self, value):
self._timestamp = dates.parse_value(value)
@property
def stix_header(self):
return self._stix_header
@stix_header.setter
def stix_header(self, value):
if value and not isinstance(value, STIXHeader):
raise ValueError('value must be instance of STIXHeader')
self._stix_header = value
@property
def indicators(self):
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_indicator(v)
else:
self.add_indicator(value)
def add_indicator(self, indicator):
if not indicator:
return
elif isinstance(indicator, Indicator):
self.indicators.append(indicator)
else:
raise ValueError(
'indicator must be instance of stix.indicator.Indicator')
@property
def campaigns(self):
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_campaign(v)
else:
self.add_campaign(value)
def add_campaign(self, campaign):
if not campaign:
return
elif isinstance(campaign, Campaign):
self.campaigns.append(campaign)
else:
raise ValueError(
'indicator must be instance of stix.campaign.Campaign')
@property
def observables(self):
return self._observables
@observables.setter
def observables(self, value):
if value and not isinstance(value, Observables):
raise ValueError(
'value must be instance of cybox.core.Observables')
self._observables = value
def add_observable(self, observable):
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_incident(v)
else:
self.add_incident(value)
def add_incident(self, incident):
if not incident:
return
elif isinstance(incident, Incident):
self.incidents.append(incident)
else:
raise ValueError('Cannot add %s to incident list' % type(incident))
@property
def threat_actors(self):
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_threat_actor(v)
else:
self.add_threat_actor(value)
def add_threat_actor(self, threat_actor):
if not threat_actor:
return
elif isinstance(threat_actor, ThreatActor):
self._threat_actors.append(threat_actor)
else:
raise ValueError('Cannot add %s to threat actor list' %
type(threat_actor))
@property
def courses_of_action(self):
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_course_of_action(v)
else:
self.add_course_of_action(value)
def add_course_of_action(self, course_of_action):
if not course_of_action:
return
elif isinstance(course_of_action, CourseOfAction):
self._courses_of_action.append(course_of_action)
else:
raise ValueError('Cannot add %s to course of action list' %
type(course_of_action))
@property
def exploit_targets(self):
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_exploit_target(v)
else:
self.add_exploit_target(value)
def add_exploit_target(self, exploit_target):
if not exploit_target:
return
elif isinstance(exploit_target, ExploitTarget):
self._exploit_targets.append(exploit_target)
else:
raise ValueError('Cannot add %s to exploit target list' %
type(exploit_target))
@property
def ttps(self):
return self._ttps
@ttps.setter
def ttps(self, value):
if not value:
self._ttps = None
elif isinstance(value, TTPs):
self._ttps = value
elif isinstance(value, list):
for v in value:
self.add_ttp(v)
else:
self.add_ttp(value)
def add_ttp(self, ttp):
if not ttp:
return
if not self.ttps:
self.ttps = TTPs()
self.ttps.add_ttp(ttp)
def to_obj(self, return_obj=None):
if not return_obj:
return_obj = self._binding_class()
return_obj.set_id(self.id_)
return_obj.set_idref(self.idref)
return_obj.set_version(self.version)
return_obj.set_timestamp(dates.serialize_value(self.timestamp))
if self.stix_header:
return_obj.set_STIX_Header(self.stix_header.to_obj())
if self.campaigns:
coas_obj = self._binding.CampaignsType()
coas_obj.set_Campaign([x.to_obj() for x in self.campaigns])
return_obj.set_Campaigns(coas_obj)
if self.courses_of_action:
coas_obj = self._binding.CoursesOfActionType()
coas_obj.set_Course_Of_Action(
[x.to_obj() for x in self.courses_of_action])
return_obj.set_Courses_Of_Action(coas_obj)
if self.exploit_targets:
et_obj = stix_common_binding.ExploitTargetsType()
et_obj.set_Exploit_Target(
[x.to_obj() for x in self.exploit_targets])
return_obj.set_Exploit_Targets(et_obj)
if self.indicators:
indicators_obj = self._binding.IndicatorsType()
indicators_obj.set_Indicator([x.to_obj() for x in self.indicators])
return_obj.set_Indicators(indicators_obj)
if self.observables:
return_obj.set_Observables(self.observables.to_obj())
if self.incidents:
incidents_obj = self._binding.IncidentsType()
incidents_obj.set_Incident([x.to_obj() for x in self.incidents])
return_obj.set_Incidents(incidents_obj)
if self.threat_actors:
threat_actors_obj = self._binding.ThreatActorsType()
threat_actors_obj.set_Threat_Actor(
[x.to_obj() for x in self.threat_actors])
return_obj.set_Threat_Actors(threat_actors_obj)
if self.ttps:
return_obj.set_TTPs(self.ttps.to_obj())
if self.related_packages:
return_obj.set_Related_Packages(self.related_packages.to_obj())
return return_obj
def to_dict(self):
d = {}
if self.id_:
d['id'] = self.id_
if self.idref:
d['idref'] = self.idref
if self.version:
d['version'] = self.version
if self.idref:
d['idref'] = self.idref
if self.timestamp:
d['timestamp'] = dates.serialize_value(self.timestamp)
if self.stix_header:
d['stix_header'] = self.stix_header.to_dict()
if self.campaigns:
d['campaigns'] = [x.to_dict() for x in self.campaigns]
if self.courses_of_action:
d['courses_of_action'] = [
x.to_dict() for x in self.courses_of_action
]
if self.exploit_targets:
d['exploit_targets'] = [x.to_dict() for x in self.exploit_targets]
if self.indicators:
d['indicators'] = [x.to_dict() for x in self.indicators]
if self.observables:
d['observables'] = self.observables.to_dict()
if self.incidents:
d['incidents'] = [x.to_dict() for x in self.incidents]
if self.threat_actors:
d['threat_actors'] = [x.to_dict() for x in self.threat_actors]
if self.ttps:
d['ttps'] = self.ttps.to_dict()
if self.related_packages:
d['related_packages'] = self.related_packages.to_dict()
return d
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
return_obj.related_packages = RelatedPackages.from_obj(
obj.get_Related_Packages())
if obj.get_version():
return_obj.version = obj.get_version()
if obj.get_Campaigns():
return_obj.campaigns = [
Campaign.from_obj(x)
for x in obj.get_Campaigns().get_Campaign()
]
if obj.get_Courses_Of_Action():
return_obj.courses_of_action = [
CourseOfAction.from_obj(x)
for x in obj.get_Courses_Of_Action().get_Course_Of_Action()
]
if obj.get_Exploit_Targets():
return_obj.exploit_targets = [
ExploitTarget.from_obj(x)
for x in obj.get_Exploit_Targets().get_Exploit_Target()
]
if obj.get_Indicators():
return_obj.indicators = [
Indicator.from_obj(x)
for x in obj.get_Indicators().get_Indicator()
]
if obj.get_Observables():
return_obj.observables = Observables.from_obj(
obj.get_Observables())
if obj.get_Incidents():
return_obj.incidents = [
Incident.from_obj(x)
for x in obj.get_Incidents().get_Incident()
]
if obj.get_Threat_Actors():
return_obj.threat_actors = [
ThreatActor.from_obj(x)
for x in obj.get_Threat_Actors().get_Threat_Actor()
]
if obj.get_TTPs():
return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id', None)
return_obj.idref = dict_repr.get('idref', None)
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
header_dict = dict_repr.get('stix_header', None)
return_obj.stix_header = STIXHeader.from_dict(header_dict)
return_obj.campaigns = [
Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])
]
return_obj.courses_of_action = [
CourseOfAction.from_dict(x)
for x in dict_repr.get('courses_of_action', [])
]
return_obj.exploit_targets = [
ExploitTarget.from_dict(x)
for x in dict_repr.get('exploit_targets', [])
]
return_obj.indicators = [
Indicator.from_dict(x) for x in dict_repr.get('indicators', [])
]
return_obj.observables = Observables.from_dict(
dict_repr.get('observables'))
return_obj.incidents = [
Incident.from_dict(x) for x in dict_repr.get('incidents', [])
]
return_obj.threat_actors = [
ThreatActor.from_dict(x)
for x in dict_repr.get('threat_actors', [])
]
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(
dict_repr.get('related_packages'))
return return_obj
@classmethod
def from_xml(cls, xml_file):
parser = EntityParser()
return parser.parse_xml(xml_file)
class STIXPackage(stix.Entity):
'''
classdocs
'''
def __init__(self, id_=None, idref_=None, stix_header=None, indicators=None, observables=None):
'''
Constructor
'''
self.id_ = id_ if id_ else stix.utils.create_id()
self.idref_ = idref_
self.version = '1.0'
self.indicators = indicators
self.observables = observables
self.stix_header = stix_header
@property
def stix_header(self):
return self._stix_header
@stix_header.setter
def stix_header(self, value):
if value and not isinstance(value, STIXHeader):
raise ValueError('value must be instance of STIXHeader')
self._stix_header = value
@property
def indicators(self):
return self._indicators
@indicators.setter
def indicators(self, valuelist):
self._indicators = [] # initialize
if valuelist:
for value in valuelist:
self.add_indicator(value)
@property
def observables(self):
return self._observables
@observables.setter
def observables(self, value):
if value and not isinstance(value, Observables):
raise ValueError('value must be instance of cybox.core.Observables')
self._observables = value
def add_indicator(self, indicator):
if indicator and not isinstance(indicator, Indicator):
raise ValueError('indicator must be instance of stix.indicator.Indicator')
self.indicators.append(indicator)
def add_observable(self, observable):
if not self.observables:
self.observables = Observables(observable)
else:
self.observables.add(observable)
def to_obj(self, return_obj=None):
if not return_obj:
return_obj = stix_core_binding.STIXType()
return_obj.set_id(self.id_)
return_obj.set_idref(self.idref_)
return_obj.set_version(self.version)
if self.stix_header:
return_obj.set_STIX_Header(self.stix_header.to_obj())
if self.indicators:
indicators_obj = stix_core_binding.IndicatorsType()
for indicator in self.indicators:
indicators_obj.add_Indicator(indicator.to_obj())
return_obj.set_Indicators(indicators_obj)
if self.observables:
observables_obj = self.observables.to_obj()
return_obj.set_Observables(observables_obj)
return return_obj
def to_dict(self, return_dict=None):
if not return_dict:
return_dict = {}
if self.id_:
return_dict['id'] = self.id_
return_dict['version'] = self.version
if self.idref_:
return_dict['idref'] = self.idref_
if self.stix_header:
return_dict['stix_header'] = self.stix_header.to_dict()
if self.indicators:
for indicator in self.indicators:
return_dict.setdefault('indicators', []).append(indicator.to_dict())
if self.observables:
return_dict['observables'] = self.observables.to_dict()
return return_dict
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref_ = obj.get_idref()
return_obj.version = obj.get_version()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
if obj.get_Indicators():
indicators_obj = obj.get_Indicators()
if indicators_obj.get_Indicator():
for indicator_obj in indicators_obj.get_Indicator():
return_obj.add_indicator(Indicator.from_obj(indicator_obj))
if obj.get_Observables():
observables_obj = obj.get_Observables()
return_obj.observables = Observables.from_obj(observables_obj)
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id', None)
return_obj.idref_ = dict_repr.get('idref', None)
return_obj.version = dict_repr.get('version', None)
header_dict = dict_repr.get('stix_header', None)
return_obj.stix_header = STIXHeader.from_dict(header_dict)
indicators = dict_repr.get('indicators', [])
for indicator_dict in indicators:
return_obj.add_indicator(Indicator.from_dict(indicator_dict))
observables_dict = dict_repr.get('observables')
return_obj.observables = Observables.from_dict(observables_dict)
return return_obj
@classmethod
def from_xml(cls, xml_file):
'''
Returns a tuple of (api_object, binding_object).
Parameters:
xml_file - either a filename or a stream object
'''
if isinstance(xml_file, basestring):
f = open(xml_file, "rb")
else:
f = xml_file
doc = stix_core_binding.parsexml_(f)
stix_package_obj = stix_core_binding.STIXType().factory()
stix_package_obj.build(doc.getroot())
stix_package = STIXPackage().from_obj(stix_package_obj)
return (stix_package, stix_package_obj)
def to_xml(self, ns_dict=None):
'''
Overrides the stix.to_xml() method.
The ns_dict parameter is a dictionary where keys are namespaces
and values are prefixes. The NS:PREFIX pairs are appended to the
stix_core_binding.DEFAULT_XML_NS_MAP dictionary.
'''
export_ns_dict = dict(stix_core_binding.DEFAULT_XML_NS_MAP)
if ns_dict:
export_ns_dict.update(ns_dict)
s = StringIO()
self.to_obj().export(s, 0, export_ns_dict)
return s.getvalue()
class Report(Cached, stix.Entity):
"""A STIX Report Object.
Args:
id_ (optional): An identifier. If ``None``, a value will be generated
via ``mixbox.idgen.create_id()``. If set, this will unset the
``idref`` property.
idref (optional): An identifier reference. If set this will unset the
``id_`` property.
timestamp (optional): A timestamp value. Can be an instance of
``datetime.datetime`` or ``str``.
header: A Report :class:`.Header` object.
campaigns: A collection of :class:`.Campaign` objects.
course_of_action: A collection of :class:`.CourseOfAction` objects.
exploit_targets: A collection of :class:`.ExploitTarget` objects.
incidents: A collection of :class:`.Incident` objects.
indicators: A collection of :class:`.Indicator` objects.
threat_actors: A collection of :class:`.ThreatActor` objects.
ttps: A collection of :class:`.TTP` objects.
related_reports: A collection of :class:`.RelatedReport` objects.
"""
_binding = report_binding
_binding_class = _binding.ReportType
_namespace = 'http://stix.mitre.org/Report-1'
_version = "1.0"
def __init__(self, id_=None, idref=None, timestamp=None, header=None,
courses_of_action=None, exploit_targets=None, indicators=None,
observables=None, incidents=None, threat_actors=None,
ttps=None, campaigns=None, related_reports=None):
self.id_ = id_ or idgen.create_id("Report")
self.idref = idref
self.version = self._version
self.header = header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_reports = related_reports
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = utils.dates.now() if not idref else None
@property
def id_(self):
"""A globally unique identifier for this Report. By default, one
will be generated automatically.
"""
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
"""A reference to another Report identifier. Setting this will unset
any previous ``id`` values.
"""
return self._idref
@idref.setter
def idref(self, value):
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
"""Specifies a timestamp for the definition of this specific Report
object.
"""
return self._timestamp
@timestamp.setter
def timestamp(self, value):
self._timestamp = utils.dates.parse_value(value)
@property
def header(self):
"""The :class:`.Header` section for the Report.
"""
return self._header
@header.setter
def header(self, value):
self._set_var(Header, try_cast=False, header=value)
@property
def indicators(self):
"""The top-level :class:`.Indicator` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = Indicators(value)
def add_indicator(self, indicator):
"""Adds an :class:`.Indicator` object to the :attr:`indicators`
collection.
"""
self.indicators.append(indicator)
@property
def campaigns(self):
"""The top-level :class:`.Campaign` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = Campaigns(value)
def add_campaign(self, campaign):
"""Adds a :class:`Campaign` object to the :attr:`campaigns` collection.
"""
self.campaigns.append(campaign)
@property
def observables(self):
"""The top-level ``Observable`` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._observables
@observables.setter
def observables(self, value):
self._set_var(Observables, observables=value)
def add_observable(self, observable):
"""Adds an ``Observable`` object to the :attr:`observables` collection.
If `observable` is not an ``Observable`` instance, an effort will be
made to convert it to one.
"""
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
"""The top-level :class:`.Incident` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = Incidents(value)
def add_incident(self, incident):
"""Adds an :class:`.Incident` object to the :attr:`incidents`
collection.
"""
self.incidents.append(incident)
@property
def threat_actors(self):
"""The top-level :class:`.ThreatActor` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = ThreatActors(value)
def add_threat_actor(self, threat_actor):
"""Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
collection.
"""
self._threat_actors.append(threat_actor)
@property
def courses_of_action(self):
"""The top-level :class:`.CourseOfAction` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = CoursesOfAction(value)
def add_course_of_action(self, course_of_action):
"""Adds an :class:`.CourseOfAction` object to the
:attr:`courses_of_action` collection.
"""
self._courses_of_action.append(course_of_action)
@property
def exploit_targets(self):
"""The top-level :class:`.ExploitTarget` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = ExploitTargets(value)
def add_exploit_target(self, exploit_target):
"""Adds an :class:`.ExploitTarget` object to the
:attr:`exploit_targets` collection.
"""
self._exploit_targets.append(exploit_target)
@property
def ttps(self):
"""The top-level :class:`.TTP` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._ttps
@ttps.setter
def ttps(self, value):
if isinstance(value, TTPs):
self._ttps = value
else:
self._ttps = TTPs(value)
def add_ttp(self, ttp):
"""Adds an :class:`.TTP` object to the :attr:`ttps` collection.
"""
self.ttps.append(ttp)
@property
def related_reports(self):
"""The top-level :class:`.RelatedReports` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._related_reports
@related_reports.setter
def related_reports(self, value):
if isinstance(value, RelatedReports):
self._related_reports = value
else:
self._related_reports = RelatedReports(value)
def add_related_report(self, related_report):
"""Adds an :class:`.RelatedReport` object to the
:attr:`related_reports` collection.
"""
self.related_reports.append(related_report)
def add(self, entity):
"""Adds `entity` to a top-level collection. For example, if `entity` is
an Indicator object, the `entity` will be added to the ``indicators``
top-level collection.
"""
if utils.is_cybox(entity):
self.add_observable(entity)
return
tlo_adds = {
Campaign: self.add_campaign,
CourseOfAction: self.add_course_of_action,
ExploitTarget: self.add_exploit_target,
Incident: self.add_incident,
Indicator: self.add_indicator,
ThreatActor: self.add_threat_actor,
TTP: self.add_threat_actor,
Observable: self.add_observable,
}
try:
add = tlo_adds[entity.__class__]
add(entity)
except KeyError:
error = "Cannot add type '{0}' to a top-level collection"
error = error.format(type(entity))
raise TypeError(error)
def to_obj(self, return_obj=None, ns_info=None):
super(Report, self).to_obj(return_obj=return_obj, ns_info=ns_info)
if not return_obj:
return_obj = self._binding_class()
return_obj.id = self.id_
return_obj.idref = self.idref
return_obj.version = self.version
return_obj.timestamp = utils.dates.serialize_value(self.timestamp)
if self.header:
return_obj.Header = self.header.to_obj(ns_info=ns_info)
if self.campaigns:
return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
if self.courses_of_action:
return_obj.Courses_Of_Action = self.courses_of_action.to_obj(ns_info=ns_info)
if self.exploit_targets:
return_obj.Exploit_Targets = self.exploit_targets.to_obj(ns_info=ns_info)
if self.indicators:
return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
if self.observables:
return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
if self.incidents:
return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
if self.threat_actors:
return_obj.Threat_Actors = self.threat_actors.to_obj(ns_info=ns_info)
if self.ttps:
return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
if self.related_reports:
return_obj.Related_Reports = self.related_reports.to_obj(ns_info=ns_info)
return return_obj
def to_dict(self):
return super(Report, self).to_dict()
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
# ReportBaseType fields
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
# ReportType fields
if isinstance(obj, cls._binding_class):
return_obj.header = Header.from_obj(obj.Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_reports = RelatedReports.from_obj(obj.Related_Reports)
# Don't overwrite unless a version is passed in
if obj.version:
return_obj.version = obj.version
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
get = dict_repr.get
return_obj.id_ = get('id')
return_obj.idref = get('idref')
return_obj.timestamp = get('timestamp')
return_obj.version = get('version', cls._version)
return_obj.header = Header.from_dict(get('header'))
return_obj.campaigns = Campaigns.from_dict(get('campaigns'))
return_obj.courses_of_action = CoursesOfAction.from_dict(get('courses_of_action'))
return_obj.exploit_targets = ExploitTargets.from_dict(get('exploit_targets'))
return_obj.indicators = Indicators.from_dict(get('indicators'))
return_obj.observables = Observables.from_dict(get('observables'))
return_obj.incidents = Incidents.from_dict(get('incidents'))
return_obj.threat_actors = ThreatActors.from_dict(get('threat_actors'))
return_obj.ttps = TTPs.from_dict(get('ttps'))
return_obj.related_reports = RelatedReports.from_dict(get('related_reports'))
return return_obj
class Report(stix.Entity):
"""A STIX Report Object.
Args:
id_ (optional): An identifier. If ``None``, a value will be generated
via ``mixbox.idgen.create_id()``. If set, this will unset the
``idref`` property.
idref (optional): An identifier reference. If set this will unset the
``id_`` property.
timestamp (optional): A timestamp value. Can be an instance of
``datetime.datetime`` or ``str``.
header: A Report :class:`.Header` object.
campaigns: A collection of :class:`.Campaign` objects.
course_of_action: A collection of :class:`.CourseOfAction` objects.
exploit_targets: A collection of :class:`.ExploitTarget` objects.
incidents: A collection of :class:`.Incident` objects.
indicators: A collection of :class:`.Indicator` objects.
threat_actors: A collection of :class:`.ThreatActor` objects.
ttps: A collection of :class:`.TTP` objects.
related_reports: A collection of :class:`.RelatedReport` objects.
"""
_binding = report_binding
_binding_class = _binding.ReportType
_namespace = 'http://stix.mitre.org/Report-1'
_version = "1.0"
id_ = fields.IdField("id")
idref = fields.IdrefField("idref")
timestamp = fields.TypedField("timestamp")
version = fields.TypedField("version")
header = fields.TypedField("Header", Header)
campaigns = fields.TypedField("Campaigns", type_="stix.report.Campaigns")
courses_of_action = fields.TypedField("Courses_Of_Action",
type_="stix.report.CoursesOfAction")
exploit_targets = fields.TypedField("Exploit_Targets",
type_="stix.report.ExploitTargets")
observables = fields.TypedField("Observables", Observables)
indicators = fields.TypedField("Indicators",
type_="stix.report.Indicators")
incidents = fields.TypedField("Incidents", type_="stix.report.Incidents")
threat_actors = fields.TypedField("Threat_Actors",
type_="stix.report.ThreatActors")
ttps = fields.TypedField("TTPs", type_="stix.core.ttps.TTPs")
related_reports = fields.TypedField("Related_Reports",
type_="stix.report.RelatedReports")
def __init__(self,
id_=None,
idref=None,
timestamp=None,
header=None,
courses_of_action=None,
exploit_targets=None,
indicators=None,
observables=None,
incidents=None,
threat_actors=None,
ttps=None,
campaigns=None,
related_reports=None):
super(Report, self).__init__()
self.id_ = id_ or idgen.create_id("Report")
self.idref = idref
self.version = self._version
self.header = header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_reports = related_reports
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = utils.dates.now() if not idref else None
def add_indicator(self, indicator):
"""Adds an :class:`.Indicator` object to the :attr:`indicators`
collection.
"""
if self.indicators is None:
self.indicators = Indicators()
self.indicators.append(indicator)
def add_campaign(self, campaign):
"""Adds a :class:`Campaign` object to the :attr:`campaigns` collection.
"""
if self.campaigns is None:
self.campaigns = Campaigns()
self.campaigns.append(campaign)
def add_observable(self, observable):
"""Adds an ``Observable`` object to the :attr:`observables` collection.
If `observable` is not an ``Observable`` instance, an effort will be
made to convert it to one.
"""
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
def add_incident(self, incident):
"""Adds an :class:`.Incident` object to the :attr:`incidents`
collection.
"""
if self.incidents is None:
self.incidents = Incidents()
self.incidents.append(incident)
def add_threat_actor(self, threat_actor):
"""Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
collection.
"""
if self.threat_actors is None:
self.threat_actors = ThreatActors()
self.threat_actors.append(threat_actor)
def add_course_of_action(self, course_of_action):
"""Adds an :class:`.CourseOfAction` object to the
:attr:`courses_of_action` collection.
"""
if self.courses_of_action is None:
self.courses_of_action = CoursesOfAction()
self.courses_of_action.append(course_of_action)
def add_exploit_target(self, exploit_target):
"""Adds an :class:`.ExploitTarget` object to the
:attr:`exploit_targets` collection.
"""
if self.exploit_targets is None:
self.exploit_targets = ExploitTargets()
self.exploit_targets.append(exploit_target)
def add_ttp(self, ttp):
"""Adds an :class:`.TTP` object to the :attr:`ttps` collection.
"""
if self.ttps is None:
self.ttps = TTPs()
self.ttps.append(ttp)
def add_related_report(self, related_report):
"""Adds an :class:`.RelatedReport` object to the
:attr:`related_reports` collection.
"""
if self.related_reports is None:
self.related_reports = RelatedReports()
self.related_reports.append(related_report)
def add(self, entity):
"""Adds `entity` to a top-level collection. For example, if `entity` is
an Indicator object, the `entity` will be added to the ``indicators``
top-level collection.
"""
if utils.is_cybox(entity):
self.add_observable(entity)
return
tlo_adds = {
Campaign: self.add_campaign,
CourseOfAction: self.add_course_of_action,
ExploitTarget: self.add_exploit_target,
Incident: self.add_incident,
Indicator: self.add_indicator,
ThreatActor: self.add_threat_actor,
TTP: self.add_ttp,
Observable: self.add_observable,
}
try:
add = tlo_adds[entity.__class__]
add(entity)
except KeyError:
error = "Cannot add type '{0}' to a top-level collection"
error = error.format(type(entity))
raise TypeError(error)
d = json.load(json_data)
Obs = Observables()
#print(d[2])
#mapping starts
count = 0
hashes = {
'MD-5', 'MD-6', 'SHA-1', 'SHA-224', 'SHA-256', 'SHA-224', 'SHA-384',
'SHA-512', 'SSD-EEP'
'MD5', 'MD6', 'SHA1', 'SHA224', 'SHA256', 'SHA224', 'SHA384', 'SHA512',
'SSDEEP'
}
for a in d:
Bol = True
if d[count]['eventid'] == 'cowrie.session.connect':
Obs.add(create_network_connection_observable(count))
if d[count]['eventid'] == 'cowrie.login.failed' or d[count][
'eventid'] == 'cowrie.login.success':
Obs.add(create_user_account_observable(count))
if d[count]['eventid'] == 'cowrie.session.closed':
Obs.add(create_network_connection_closed_observable(count))
if d[count]['eventid'] == 'cowrie.command.input':
Bol = True
Obs.add(create_command_observable(count, Bol))
if d[count]['eventid'] == 'cowrie.command.failed':
Bol = False
Obs.add(create_command_observable(count, Bol))
if d[count]['eventid'] == 'cowrie.log.open':
Bol = True
Obs.add(create_file_observable(count, Bol))
if d[count]['eventid'] == 'cowrie.log.closed':
class Report(Cached, stix.Entity):
"""A STIX Report Object.
Args:
id_ (optional): An identifier. If ``None``, a value will be generated
via ``stix.utils.create_id()``. If set, this will unset the
``idref`` property.
idref (optional): An identifier reference. If set this will unset the
``id_`` property.
timestamp (optional): A timestamp value. Can be an instance of
``datetime.datetime`` or ``str``.
header: A Report :class:`.Header` object.
campaigns: A collection of :class:`.Campaign` objects.
course_of_action: A collection of :class:`.CourseOfAction` objects.
exploit_targets: A collection of :class:`.ExploitTarget` objects.
incidents: A collection of :class:`.Incident` objects.
indicators: A collection of :class:`.Indicator` objects.
threat_actors: A collection of :class:`.ThreatActor` objects.
ttps: A collection of :class:`.TTP` objects.
related_reports: A collection of :class:`.RelatedReport` objects.
"""
_binding = report_binding
_binding_class = _binding.ReportType
_namespace = 'http://stix.mitre.org/Report-1'
_version = "1.0"
def __init__(self, id_=None, idref=None, timestamp=None, header=None,
courses_of_action=None, exploit_targets=None, indicators=None,
observables=None, incidents=None, threat_actors=None,
ttps=None, campaigns=None, related_reports=None):
self.id_ = id_ or stix.utils.create_id("Report")
self.idref = idref
self.version = self._version
self.header = header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_reports = related_reports
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = utils.dates.now() if not idref else None
@property
def id_(self):
"""A globally unique identifier for this Report. By default, one
will be generated automatically.
"""
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
"""A reference to another Report identifier. Setting this will unset
any previous ``id`` values.
"""
return self._idref
@idref.setter
def idref(self, value):
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
"""Specifies a timestamp for the definition of this specific Report
object.
"""
return self._timestamp
@timestamp.setter
def timestamp(self, value):
self._timestamp = utils.dates.parse_value(value)
@property
def header(self):
"""The :class:`.Header` section for the Report.
"""
return self._header
@header.setter
def header(self, value):
self._set_var(Header, try_cast=False, header=value)
@property
def indicators(self):
"""The top-level :class:`.Indicator` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = Indicators(value)
def add_indicator(self, indicator):
"""Adds an :class:`.Indicator` object to the :attr:`indicators`
collection.
"""
self.indicators.append(indicator)
@property
def campaigns(self):
"""The top-level :class:`.Campaign` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = Campaigns(value)
def add_campaign(self, campaign):
"""Adds a :class:`Campaign` object to the :attr:`campaigns` collection.
"""
self.campaigns.append(campaign)
@property
def observables(self):
"""The top-level ``Observable`` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._observables
@observables.setter
def observables(self, value):
self._set_var(Observables, observables=value)
def add_observable(self, observable):
"""Adds an ``Observable`` object to the :attr:`observables` collection.
If `observable` is not an ``Observable`` instance, an effort will be
made to convert it to one.
"""
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
"""The top-level :class:`.Incident` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = Incidents(value)
def add_incident(self, incident):
"""Adds an :class:`.Incident` object to the :attr:`incidents`
collection.
"""
self.incidents.append(incident)
@property
def threat_actors(self):
"""The top-level :class:`.ThreatActor` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = ThreatActors(value)
def add_threat_actor(self, threat_actor):
"""Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
collection.
"""
self._threat_actors.append(threat_actor)
@property
def courses_of_action(self):
"""The top-level :class:`.CourseOfAction` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = CoursesOfAction(value)
def add_course_of_action(self, course_of_action):
"""Adds an :class:`.CourseOfAction` object to the
:attr:`courses_of_action` collection.
"""
self._courses_of_action.append(course_of_action)
@property
def exploit_targets(self):
"""The top-level :class:`.ExploitTarget` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = ExploitTargets(value)
def add_exploit_target(self, exploit_target):
"""Adds an :class:`.ExploitTarget` object to the
:attr:`exploit_targets` collection.
"""
self._exploit_targets.append(exploit_target)
@property
def ttps(self):
"""The top-level :class:`.TTP` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._ttps
@ttps.setter
def ttps(self, value):
if isinstance(value, TTPs):
self._ttps = value
else:
self._ttps = TTPs(value)
def add_ttp(self, ttp):
"""Adds an :class:`.TTP` object to the :attr:`ttps` collection.
"""
self.ttps.append(ttp)
@property
def related_reports(self):
"""The top-level :class:`.RelatedReports` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._related_reports
@related_reports.setter
def related_reports(self, value):
if isinstance(value, RelatedReports):
self._related_reports = value
else:
self._related_reports = RelatedReports(value)
def add_related_report(self, related_report):
"""Adds an :class:`.RelatedReport` object to the
:attr:`related_reports` collection.
"""
self.related_reports.append(related_report)
def add(self, entity):
"""Adds `entity` to a top-level collection. For example, if `entity` is
an Indicator object, the `entity` will be added to the ``indicators``
top-level collection.
"""
if utils.is_cybox(entity):
self.add_observable(entity)
return
tlo_adds = {
Campaign: self.add_campaign,
CourseOfAction: self.add_course_of_action,
ExploitTarget: self.add_exploit_target,
Incident: self.add_incident,
Indicator: self.add_indicator,
ThreatActor: self.add_threat_actor,
TTP: self.add_threat_actor,
Observable: self.add_observable,
}
try:
add = tlo_adds[entity.__class__]
add(entity)
except KeyError:
error = "Cannot add type '{0}' to a top-level collection"
error = error.format(type(entity))
raise TypeError(error)
def to_obj(self, return_obj=None, ns_info=None):
super(Report, self).to_obj(return_obj=return_obj, ns_info=ns_info)
if not return_obj:
return_obj = self._binding_class()
return_obj.id = self.id_
return_obj.idref = self.idref
return_obj.version = self.version
return_obj.timestamp = utils.dates.serialize_value(self.timestamp)
if self.header:
return_obj.Header = self.header.to_obj(ns_info=ns_info)
if self.campaigns:
return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
if self.courses_of_action:
return_obj.Courses_Of_Action = self.courses_of_action.to_obj(ns_info=ns_info)
if self.exploit_targets:
return_obj.Exploit_Targets = self.exploit_targets.to_obj(ns_info=ns_info)
if self.indicators:
return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
if self.observables:
return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
if self.incidents:
return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
if self.threat_actors:
return_obj.Threat_Actors = self.threat_actors.to_obj(ns_info=ns_info)
if self.ttps:
return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
if self.related_reports:
return_obj.Related_Reports = self.related_reports.to_obj(ns_info=ns_info)
return return_obj
def to_dict(self):
return super(Report, self).to_dict()
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
# ReportBaseType fields
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
# ReportType fields
if isinstance(obj, cls._binding_class):
return_obj.header = Header.from_obj(obj.Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_reports = RelatedReports.from_obj(obj.Related_Reports)
# Don't overwrite unless a version is passed in
if obj.version:
return_obj.version = obj.version
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
get = dict_repr.get
return_obj.id_ = get('id')
return_obj.idref = get('idref')
return_obj.timestamp = get('timestamp')
return_obj.version = get('version', cls._version)
return_obj.header = Header.from_dict(get('header'))
return_obj.campaigns = Campaigns.from_dict(get('campaigns'))
return_obj.courses_of_action = CoursesOfAction.from_dict(get('courses_of_action'))
return_obj.exploit_targets = ExploitTargets.from_dict(get('exploit_targets'))
return_obj.indicators = Indicators.from_dict(get('indicators'))
return_obj.observables = Observables.from_dict(get('observables'))
return_obj.incidents = Incidents.from_dict(get('incidents'))
return_obj.threat_actors = ThreatActors.from_dict(get('threat_actors'))
return_obj.ttps = TTPs.from_dict(get('ttps'))
return_obj.related_reports = RelatedReports.from_dict(get('related_reports'))
return return_obj
def main(Path_Malware):
malobs = Observables()
logobs = Observables()
Malware = parse(Path_Malware)
Log = parse(Path_Log)
CONFIDENCE = 0 #一致した数
mallist = []
loglist = []
m = 0
key = 0
for ob in Malware:
args = cyboxpop(ob.to_dict())
if args is not None:
mallist.append(args)
#print args.ActArg
malobs.add(ob)
for ob in Log:
args = cyboxpop(ob.to_dict())
if args is not None:
loglist.append(args)
logobs.add(ob)
#print "mallist_count:", len(mallist)
#print "loglist_count:", len(loglist)
'''
for mal_num in range(len(mallist)):
#if loglist[log_num]["event"]["actions"][0]["name"] == mallist[0]["event"]["actions"][0]["name"]:
cyboxpop(mallist[mal_num])
#print mallist
'''
print "------------------",os.path.basename(Path_Malware),"-------------------"
for n in range(len(loglist)):
#print "Log:",n,loglist[n].ActArg,loglist[n].Propertys,len(loglist[n].Propertys)
#print "[1]:",mallist[1].ActArg,mallist[1].Propertys[1]
#if loglist[n].ActName == mallist[1].ActName and loglist[n].ActArg == mallist[1].ActArg: #ShinoBOT.exe
#if loglist[n].ActName == mallist[1].ActName and loglist[n].Propertys[1] == mallist[1].Propertys[1]: #SHinoBOTSuiteで偽装したファイル
#if len(loglist[n].Propertys) > 1:
if loglist[n].Propertys[1] == mallist[0].Propertys[1]:
#if len(loglist)-n-len(loglist) < 0 : break
l=0
#print "POST!"
while True:
if len(mallist) < m+1 or len(loglist) < n+l+1:
key = n+l
break
if key < n+l and loglist[n+l].Propertys[1] == mallist[m].Propertys[1]:
print "Log[",n+l,"]:",loglist[n+l].ActArg,loglist[n+l].Propertys
print "Mal[",m,"]:",mallist[m].ActArg,mallist[m].Propertys
CONFIDENCE += 1
l +=1
m +=1
else :
l +=1
#print logobs.to_xml()
print "パターン一致数:",CONFIDENCE
print "マルウェアプロセス数:",len(mallist)
print "ログプロセス数:",len(loglist)
print "パターン一致割合:",float(CONFIDENCE)/len(mallist)
from cybox.objects.file_object import File
from cybox.objects.win_service_object import WinService
from cybox.objects.win_registry_key_object import WinRegistryKey
# this can be changed to an output file
outfd = sys.stdout
# create an Observable object:
observables_doc = Observables([])
# add some different observables:
# you don't have to use every member and there are other members that are not being utilized here:
observables_doc.add(Process.from_dict({"name": "Process.exe",
"pid": 90,
"parent_pid": 10,
#"creation_time": "",
"image_info": {"command_line": "Process.exe /c blah.txt"}}))
observables_doc.add(File.from_dict({"file_name": "file.txt",
"file_extension": "txt",
"file_path": "path\\to\\file.txt"}))
observables_doc.add(helper.create_ipv4_observable("192.168.1.101"))
observables_doc.add(helper.create_url_observable("somedomain.com"))
observables_doc.add(WinService.from_dict({"service_name": "Service Name",
"display_name": "Service Display name",
"startup_type": "Service type",
class STIXPackage(Cached, stix.Entity):
"""A STIX Package object.
Args:
id_ (optional): An identifier. If ``None``, a value will be generated
via ``mixbox.idgen.create_id()``. If set, this will unset the
``idref`` property.
idref: **DEPRECATED** An identifier reference. If set this will unset
the ``id_`` property.
timestamp: **DEPRECATED** A timestamp value. Can be an instance of
``datetime.datetime`` or ``str``.
header: A Report :class:`.Header` object.
campaigns: A collection of :class:`.Campaign` objects.
course_of_action: A collection of :class:`.CourseOfAction` objects.
exploit_targets: A collection of :class:`.ExploitTarget` objects.
incidents: A collection of :class:`.Incident` objects.
indicators: A collection of :class:`.Indicator` objects.
threat_actors: A collection of :class:`.ThreatActor` objects.
ttps: A collection of :class:`.TTP` objects.
related_packages: **DEPRECATED**. A collection of
:class:`.RelatedPackage` objects.
reports: A collection of :class:`.Report` objects.
"""
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.2"
_ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2")
def __init__(self,
id_=None,
idref=None,
timestamp=None,
stix_header=None,
courses_of_action=None,
exploit_targets=None,
indicators=None,
observables=None,
incidents=None,
threat_actors=None,
ttps=None,
campaigns=None,
related_packages=None,
reports=None):
self.id_ = id_ or idgen.create_id("Package")
self.idref = idref
self._version = STIXPackage._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = related_packages
self.reports = reports
self.timestamp = timestamp
@property
def id_(self):
"""A globally unique identifier for this Report. By default, one
will be generated automatically.
"""
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
"""A reference to another Report identifier. Setting this will unset
any previous ``id`` values.
"""
return self._idref
@idref.setter
def idref(self, value):
deprecated(value)
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
"""Specifies a timestamp for the definition of this specifc Report
object.
"""
return self._timestamp
@timestamp.setter
def timestamp(self, value):
deprecated(value)
self._timestamp = utils.dates.parse_value(value)
@property
def version(self):
"""The schematic version of this component.
Note:
This property refers to the version of the schema component
type and should not be used for the purpose of content versioning.
Default Value: '1.2'
"""
return self._version
@property
def stix_header(self):
"""The :class:`.STIXHeader` section of the STIX Package.
"""
return self._stix_header
@stix_header.setter
def stix_header(self, value):
self._set_var(STIXHeader, try_cast=False, stix_header=value)
@property
def indicators(self):
"""The top-level :class:`.Indicator` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = Indicators(value)
def add_indicator(self, indicator):
"""Adds an :class:`.Indicator` object to the :attr:`indicators`
collection.
"""
self.indicators.append(indicator)
@property
def campaigns(self):
"""The top-level :class:`.Campaign` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = Campaigns(value)
def add_campaign(self, campaign):
"""Adds a :class:`Campaign` object to the :attr:`campaigns` collection.
"""
self.campaigns.append(campaign)
@property
def observables(self):
"""The top-level ``Observable`` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._observables
@observables.setter
def observables(self, value):
self._set_var(Observables, observables=value)
def add_observable(self, observable):
"""Adds an ``Observable`` object to the :attr:`observables` collection.
If `observable` is not an ``Observable`` instance, an effort will be
made to convert it to one.
"""
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
"""The top-level :class:`.Incident` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = Incidents(value)
def add_incident(self, incident):
"""Adds an :class:`.Incident` object to the :attr:`incidents`
collection.
"""
self.incidents.append(incident)
@property
def threat_actors(self):
"""The top-level :class:`.ThreatActor` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = ThreatActors(value)
def add_threat_actor(self, threat_actor):
"""Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
collection.
"""
self._threat_actors.append(threat_actor)
@property
def courses_of_action(self):
"""The top-level :class:`.CourseOfAction` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = CoursesOfAction(value)
def add_course_of_action(self, course_of_action):
"""Adds an :class:`.CourseOfAction` object to the
:attr:`courses_of_action` collection.
"""
self._courses_of_action.append(course_of_action)
@property
def exploit_targets(self):
"""The top-level :class:`.ExploitTarget` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = ExploitTargets(value)
def add_exploit_target(self, exploit_target):
"""Adds an :class:`.ExploitTarget` object to the
:attr:`exploit_targets` collection.
"""
self._exploit_targets.append(exploit_target)
@property
def ttps(self):
"""The top-level :class:`.TTP` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._ttps
@ttps.setter
def ttps(self, value):
if isinstance(value, TTPs):
self._ttps = value
else:
self._ttps = TTPs(value)
def add_ttp(self, ttp):
"""Adds an :class:`.TTP` object to the :attr:`ttps` collection.
"""
self.ttps.append(ttp)
@property
def reports(self):
"""A collection of :class:`.Report` objects. This behaves like a
``MutableSequence`` object.
"""
return self._reports
@reports.setter
def reports(self, value):
self._reports = Reports(value)
def add_report(self, report):
"""Adds a :class:`.Report` object to the :attr:`reports` collection.
"""
self.reports.append(report)
@property
def related_packages(self):
"""**DEPRECATED**. A collection of :class:`.RelatedPackage` objects.
"""
return self._related_packages
@related_packages.setter
def related_packages(self, value):
if isinstance(value, RelatedPackages):
self._related_packages = value
else:
self._related_packages = RelatedPackages(value)
def add_related_package(self, related_package):
"""Adds a :class:`.RelatedPackage` object to the
:attr:`related_packages` collection.
"""
self.related_packages.append(related_package)
def add(self, entity):
"""Adds `entity` to a top-level collection. For example, if `entity` is
an Indicator object, the `entity` will be added to the ``indicators``
top-level collection.
"""
if utils.is_cybox(entity):
self.add_observable(entity)
return
tlo_adds = {
Campaign: self.add_campaign,
CourseOfAction: self.add_course_of_action,
ExploitTarget: self.add_exploit_target,
Incident: self.add_incident,
Indicator: self.add_indicator,
ThreatActor: self.add_threat_actor,
TTP: self.add_threat_actor,
Report: self.add_report,
Observable: self.add_observable,
}
try:
add = tlo_adds[entity.__class__]
add(entity)
except KeyError:
error = "Cannot add type '{0}' to a top-level collection"
error = error.format(type(entity))
raise TypeError(error)
def to_obj(self, return_obj=None, ns_info=None):
super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)
if not return_obj:
return_obj = self._binding_class()
return_obj.id = self.id_
return_obj.idref = self.idref
return_obj.version = STIXPackage._version # noqa
return_obj.timestamp = utils.dates.serialize_value(self.timestamp)
if self.stix_header:
return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info)
if self.campaigns:
return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
if self.courses_of_action:
return_obj.Courses_Of_Action = self.courses_of_action.to_obj(
ns_info=ns_info)
if self.exploit_targets:
return_obj.Exploit_Targets = self.exploit_targets.to_obj(
ns_info=ns_info)
if self.indicators:
return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
if self.observables:
return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
if self.incidents:
return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
if self.threat_actors:
return_obj.Threat_Actors = self.threat_actors.to_obj(
ns_info=ns_info)
if self.ttps:
return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
if self.related_packages:
return_obj.Related_Packages = self.related_packages.to_obj(
ns_info=ns_info)
if self.reports:
return_obj.Reports = self.reports.to_obj(ns_info=ns_info)
return return_obj
def to_dict(self):
d = utils.to_dict(self)
if 'version' in d:
d['version'] = STIXPackage._version # noqa
return d
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(
obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(
obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_packages = RelatedPackages.from_obj(
obj.Related_Packages)
return_obj.reports = Reports.from_obj(obj.Reports)
# Don't overwrite this unless passed in.
if obj.version:
return_obj._version = obj.version
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
get = dict_repr.get
return_obj.id_ = get('id')
return_obj.idref = get('idref')
return_obj.timestamp = get('timestamp')
return_obj._version = get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(get('stix_header'))
return_obj.campaigns = Campaigns.from_dict(get('campaigns'))
return_obj.courses_of_action = CoursesOfAction.from_dict(
get('courses_of_action'))
return_obj.exploit_targets = ExploitTargets.from_dict(
get('exploit_targets'))
return_obj.indicators = Indicators.from_dict(get('indicators'))
return_obj.observables = Observables.from_dict(get('observables'))
return_obj.incidents = Incidents.from_dict(get('incidents'))
return_obj.threat_actors = ThreatActors.from_dict(get('threat_actors'))
return_obj.ttps = TTPs.from_dict(get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(
get('related_packages'))
return_obj.reports = Reports.from_dict(get('reports'))
return return_obj
@classmethod
def from_xml(cls, xml_file, encoding=None):
"""Parses the `xml_file` file-like object and returns a
:class:`STIXPackage` instance.
Args:
xml_file: A file, file-like object, etree._Element, or
etree._ElementTree instance.
encoding: The character encoding of the `xml_file` input. If
``None``, an attempt will be made to determine the input
character encoding. Default is ``None``.
Returns:
An instance of :class:`STIXPackage`.
"""
entity_parser = parser.EntityParser()
return entity_parser.parse_xml(xml_file, encoding=encoding)
class STIXPackage(Cached, stix.Entity):
"""A STIX Package object.
Args:
id_ (optional): An identifier. If ``None``, a value will be generated
via ``mixbox.idgen.create_id()``. If set, this will unset the
``idref`` property.
idref: **DEPRECATED** An identifier reference. If set this will unset
the ``id_`` property.
timestamp: **DEPRECATED** A timestamp value. Can be an instance of
``datetime.datetime`` or ``str``.
header: A Report :class:`.Header` object.
campaigns: A collection of :class:`.Campaign` objects.
course_of_action: A collection of :class:`.CourseOfAction` objects.
exploit_targets: A collection of :class:`.ExploitTarget` objects.
incidents: A collection of :class:`.Incident` objects.
indicators: A collection of :class:`.Indicator` objects.
threat_actors: A collection of :class:`.ThreatActor` objects.
ttps: A collection of :class:`.TTP` objects.
related_packages: **DEPRECATED**. A collection of
:class:`.RelatedPackage` objects.
reports: A collection of :class:`.Report` objects.
"""
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.2"
_ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2")
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
courses_of_action=None, exploit_targets=None, indicators=None,
observables=None, incidents=None, threat_actors=None,
ttps=None, campaigns=None, related_packages=None,
reports=None):
self.id_ = id_ or idgen.create_id("Package")
self.idref = idref
self._version = STIXPackage._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = related_packages
self.reports = reports
self.timestamp = timestamp
@property
def id_(self):
"""A globally unique identifier for this Report. By default, one
will be generated automatically.
"""
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
"""A reference to another Report identifier. Setting this will unset
any previous ``id`` values.
"""
return self._idref
@idref.setter
def idref(self, value):
deprecated(value)
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
"""Specifies a timestamp for the definition of this specifc Report
object.
"""
return self._timestamp
@timestamp.setter
def timestamp(self, value):
deprecated(value)
self._timestamp = utils.dates.parse_value(value)
@property
def version(self):
"""The schematic version of this component.
Note:
This property refers to the version of the schema component
type and should not be used for the purpose of content versioning.
Default Value: '1.2'
"""
return self._version
@property
def stix_header(self):
"""The :class:`.STIXHeader` section of the STIX Package.
"""
return self._stix_header
@stix_header.setter
def stix_header(self, value):
self._set_var(STIXHeader, try_cast=False, stix_header=value)
@property
def indicators(self):
"""The top-level :class:`.Indicator` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = Indicators(value)
def add_indicator(self, indicator):
"""Adds an :class:`.Indicator` object to the :attr:`indicators`
collection.
"""
self.indicators.append(indicator)
@property
def campaigns(self):
"""The top-level :class:`.Campaign` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = Campaigns(value)
def add_campaign(self, campaign):
"""Adds a :class:`Campaign` object to the :attr:`campaigns` collection.
"""
self.campaigns.append(campaign)
@property
def observables(self):
"""The top-level ``Observable`` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._observables
@observables.setter
def observables(self, value):
self._set_var(Observables, observables=value)
def add_observable(self, observable):
"""Adds an ``Observable`` object to the :attr:`observables` collection.
If `observable` is not an ``Observable`` instance, an effort will be
made to convert it to one.
"""
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
"""The top-level :class:`.Incident` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = Incidents(value)
def add_incident(self, incident):
"""Adds an :class:`.Incident` object to the :attr:`incidents`
collection.
"""
self.incidents.append(incident)
@property
def threat_actors(self):
"""The top-level :class:`.ThreatActor` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = ThreatActors(value)
def add_threat_actor(self, threat_actor):
"""Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
collection.
"""
self._threat_actors.append(threat_actor)
@property
def courses_of_action(self):
"""The top-level :class:`.CourseOfAction` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = CoursesOfAction(value)
def add_course_of_action(self, course_of_action):
"""Adds an :class:`.CourseOfAction` object to the
:attr:`courses_of_action` collection.
"""
self._courses_of_action.append(course_of_action)
@property
def exploit_targets(self):
"""The top-level :class:`.ExploitTarget` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = ExploitTargets(value)
def add_exploit_target(self, exploit_target):
"""Adds an :class:`.ExploitTarget` object to the
:attr:`exploit_targets` collection.
"""
self._exploit_targets.append(exploit_target)
@property
def ttps(self):
"""The top-level :class:`.TTP` collection. This behaves like
a ``MutableSequence`` type.
"""
return self._ttps
@ttps.setter
def ttps(self, value):
if isinstance(value, TTPs):
self._ttps = value
else:
self._ttps = TTPs(value)
def add_ttp(self, ttp):
"""Adds an :class:`.TTP` object to the :attr:`ttps` collection.
"""
self.ttps.append(ttp)
@property
def reports(self):
"""A collection of :class:`.Report` objects. This behaves like a
``MutableSequence`` object.
"""
return self._reports
@reports.setter
def reports(self, value):
self._reports = Reports(value)
def add_report(self, report):
"""Adds a :class:`.Report` object to the :attr:`reports` collection.
"""
self.reports.append(report)
@property
def related_packages(self):
"""**DEPRECATED**. A collection of :class:`.RelatedPackage` objects.
"""
return self._related_packages
@related_packages.setter
def related_packages(self, value):
if isinstance(value, RelatedPackages):
self._related_packages = value
else:
self._related_packages = RelatedPackages(value)
def add_related_package(self, related_package):
"""Adds a :class:`.RelatedPackage` object to the
:attr:`related_packages` collection.
"""
self.related_packages.append(related_package)
def add(self, entity):
"""Adds `entity` to a top-level collection. For example, if `entity` is
an Indicator object, the `entity` will be added to the ``indicators``
top-level collection.
"""
if utils.is_cybox(entity):
self.add_observable(entity)
return
tlo_adds = {
Campaign: self.add_campaign,
CourseOfAction: self.add_course_of_action,
ExploitTarget: self.add_exploit_target,
Incident: self.add_incident,
Indicator: self.add_indicator,
ThreatActor: self.add_threat_actor,
TTP: self.add_ttp,
Report: self.add_report,
Observable: self.add_observable,
}
try:
add = tlo_adds[entity.__class__]
add(entity)
except KeyError:
error = "Cannot add type '{0}' to a top-level collection"
error = error.format(type(entity))
raise TypeError(error)
def to_obj(self, return_obj=None, ns_info=None):
super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)
if not return_obj:
return_obj = self._binding_class()
return_obj.id = self.id_
return_obj.idref = self.idref
return_obj.version = STIXPackage._version # noqa
return_obj.timestamp = utils.dates.serialize_value(self.timestamp)
if self.stix_header:
return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info)
if self.campaigns:
return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
if self.courses_of_action:
return_obj.Courses_Of_Action = self.courses_of_action.to_obj(ns_info=ns_info)
if self.exploit_targets:
return_obj.Exploit_Targets = self.exploit_targets.to_obj(ns_info=ns_info)
if self.indicators:
return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
if self.observables:
return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
if self.incidents:
return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
if self.threat_actors:
return_obj.Threat_Actors = self.threat_actors.to_obj(ns_info=ns_info)
if self.ttps:
return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
if self.related_packages:
return_obj.Related_Packages = self.related_packages.to_obj(ns_info=ns_info)
if self.reports:
return_obj.Reports = self.reports.to_obj(ns_info=ns_info)
return return_obj
def to_dict(self):
d = utils.to_dict(self)
if 'version' in d:
d['version'] = STIXPackage._version # noqa
return d
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
return_obj.reports = Reports.from_obj(obj.Reports)
# Don't overwrite this unless passed in.
if obj.version:
return_obj._version = obj.version
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
get = dict_repr.get
return_obj.id_ = get('id')
return_obj.idref = get('idref')
return_obj.timestamp = get('timestamp')
return_obj._version = get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(get('stix_header'))
return_obj.campaigns = Campaigns.from_dict(get('campaigns'))
return_obj.courses_of_action = CoursesOfAction.from_dict(get('courses_of_action'))
return_obj.exploit_targets = ExploitTargets.from_dict(get('exploit_targets'))
return_obj.indicators = Indicators.from_dict(get('indicators'))
return_obj.observables = Observables.from_dict(get('observables'))
return_obj.incidents = Incidents.from_dict(get('incidents'))
return_obj.threat_actors = ThreatActors.from_dict(get('threat_actors'))
return_obj.ttps = TTPs.from_dict(get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(get('related_packages'))
return_obj.reports = Reports.from_dict(get('reports'))
return return_obj
@classmethod
def from_xml(cls, xml_file, encoding=None):
"""Parses the `xml_file` file-like object and returns a
:class:`STIXPackage` instance.
Args:
xml_file: A file, file-like object, etree._Element, or
etree._ElementTree instance.
encoding: The character encoding of the `xml_file` input. If
``None``, an attempt will be made to determine the input
character encoding. Default is ``None``.
Returns:
An instance of :class:`STIXPackage`.
"""
entity_parser = parser.EntityParser()
return entity_parser.parse_xml(xml_file, encoding=encoding)
class STIXPackage(stix.Entity):
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.1.1"
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None, courses_of_action=None, exploit_targets=None, indicators=None, observables=None, incidents=None, threat_actors=None, ttps=None, campaigns=None):
self.id_ = id_ or stix.utils.create_id("Package")
self.idref = idref
self.version = self._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = RelatedPackages()
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = datetime.now(tzutc()) if not idref else None
@property
def id_(self):
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
return self._idref
@idref.setter
def idref(self, value):
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
return self._timestamp
@timestamp.setter
def timestamp(self, value):
self._timestamp = dates.parse_value(value)
@property
def stix_header(self):
return self._stix_header
@stix_header.setter
def stix_header(self, value):
if value and not isinstance(value, STIXHeader):
raise ValueError('value must be instance of STIXHeader')
self._stix_header = value
@property
def indicators(self):
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_indicator(v)
else:
self.add_indicator(value)
def add_indicator(self, indicator):
if not indicator:
return
elif isinstance(indicator, Indicator):
self.indicators.append(indicator)
else:
raise ValueError('indicator must be instance of stix.indicator.Indicator')
@property
def campaigns(self):
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_campaign(v)
else:
self.add_campaign(value)
def add_campaign(self, campaign):
if not campaign:
return
elif isinstance(campaign, Campaign):
self.campaigns.append(campaign)
else:
raise ValueError('indicator must be instance of stix.campaign.Campaign')
@property
def observables(self):
return self._observables
@observables.setter
def observables(self, value):
if value and not isinstance(value, Observables):
raise ValueError('value must be instance of cybox.core.Observables')
self._observables = value
def add_observable(self, observable):
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_incident(v)
else:
self.add_incident(value)
def add_incident(self, incident):
if not incident:
return
elif isinstance(incident, Incident):
self.incidents.append(incident)
else:
raise ValueError('Cannot add %s to incident list' % type(incident))
@property
def threat_actors(self):
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_threat_actor(v)
else:
self.add_threat_actor(value)
def add_threat_actor(self, threat_actor):
if not threat_actor:
return
elif isinstance(threat_actor, ThreatActor):
self._threat_actors.append(threat_actor)
else:
raise ValueError('Cannot add %s to threat actor list' % type(threat_actor))
@property
def courses_of_action(self):
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_course_of_action(v)
else:
self.add_course_of_action(value)
def add_course_of_action(self, course_of_action):
if not course_of_action:
return
elif isinstance(course_of_action, CourseOfAction):
self._courses_of_action.append(course_of_action)
else:
raise ValueError('Cannot add %s to course of action list' % type(course_of_action))
@property
def exploit_targets(self):
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_exploit_target(v)
else:
self.add_exploit_target(value)
def add_exploit_target(self, exploit_target):
if not exploit_target:
return
elif isinstance(exploit_target, ExploitTarget):
self._exploit_targets.append(exploit_target)
else:
raise ValueError('Cannot add %s to exploit target list' % type(exploit_target))
@property
def ttps(self):
return self._ttps
@ttps.setter
def ttps(self, value):
if not value:
self._ttps = TTPs()
elif isinstance(value, TTPs):
self._ttps = value
elif isinstance(value, list):
for v in value:
self.add_ttp(v)
else:
self.add_ttp(value)
def add_ttp(self, ttp):
if not ttp:
return
if not self.ttps:
self.ttps = TTPs()
self.ttps.append(ttp)
def to_obj(self, return_obj=None, ns_info=None):
super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)
if not return_obj:
return_obj = self._binding_class()
return_obj.id = self.id_
return_obj.idref = self.idref
return_obj.version = self.version
return_obj.timestamp = dates.serialize_value(self.timestamp)
if self.stix_header:
return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info)
if self.campaigns:
coas_obj = self._binding.CampaignsType()
coas_obj.Campaign = [x.to_obj(ns_info=ns_info) for x in self.campaigns]
return_obj.Campaigns = coas_obj
if self.courses_of_action:
coas_obj = self._binding.CoursesOfActionType()
coas_obj.Course_Of_Action = [x.to_obj(ns_info=ns_info) for x in self.courses_of_action]
return_obj.Courses_Of_Action = coas_obj
if self.exploit_targets:
et_obj = stix_common_binding.ExploitTargetsType()
et_obj.Exploit_Target = [x.to_obj(ns_info=ns_info) for x in self.exploit_targets]
return_obj.Exploit_Targets = et_obj
if self.indicators:
indicators_obj = self._binding.IndicatorsType()
indicators_obj.Indicator = [x.to_obj(ns_info=ns_info) for x in self.indicators]
return_obj.Indicators = indicators_obj
if self.observables:
return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
if self.incidents:
incidents_obj = self._binding.IncidentsType()
incidents_obj.Incident = [x.to_obj(ns_info=ns_info) for x in self.incidents]
return_obj.Incidents = incidents_obj
if self.threat_actors:
threat_actors_obj = self._binding.ThreatActorsType()
threat_actors_obj.Threat_Actor = [x.to_obj(ns_info=ns_info) for x in self.threat_actors]
return_obj.Threat_Actors = threat_actors_obj
if self.ttps:
return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
if self.related_packages:
return_obj.Related_Packages = self.related_packages.to_obj(ns_info=ns_info)
return return_obj
def to_dict(self):
d = {}
if self.id_:
d['id'] = self.id_
if self.idref:
d['idref'] = self.idref
if self.version:
d['version'] = self.version
if self.idref:
d['idref'] = self.idref
if self.timestamp:
d['timestamp'] = dates.serialize_value(self.timestamp)
if self.stix_header:
d['stix_header'] = self.stix_header.to_dict()
if self.campaigns:
d['campaigns'] = [x.to_dict() for x in self.campaigns]
if self.courses_of_action:
d['courses_of_action'] = [x.to_dict() for x in self.courses_of_action]
if self.exploit_targets:
d['exploit_targets'] = [x.to_dict() for x in self.exploit_targets]
if self.indicators:
d['indicators'] = [x.to_dict() for x in self.indicators]
if self.observables:
d['observables'] = self.observables.to_dict()
if self.incidents:
d['incidents'] = [x.to_dict() for x in self.incidents]
if self.threat_actors:
d['threat_actors'] = [x.to_dict() for x in self.threat_actors]
if self.ttps:
d['ttps'] = self.ttps.to_dict()
if self.related_packages:
d['related_packages'] = self.related_packages.to_dict()
return d
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
if obj.version:
return_obj.version = obj.version
if obj.Campaigns:
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign]
if obj.Courses_Of_Action:
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action]
if obj.Exploit_Targets:
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target]
if obj.Indicators:
return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator]
if obj.Observables:
return_obj.observables = Observables.from_obj(obj.Observables)
if obj.Incidents:
return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident]
if obj.Threat_Actors:
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor]
if obj.TTPs:
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id', None)
return_obj.idref = dict_repr.get('idref', None)
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header', None))
return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])]
return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in dict_repr.get('courses_of_action', [])]
return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])]
return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])]
return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])]
return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])]
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))
return return_obj
@classmethod
def from_xml(cls, xml_file, encoding=None):
"""Parses the `xml_file` file-like object and returns a
:class:`STIXPackage` instance.
Args:
xml_file: A file, file-like object, etree._Element, or
etree._ElementTree instance.
encoding: The character encoding of the `xml_file` input. If
``None``, an attempt will be made to determine the input
character encoding. Default is ``None``.
Returns:
An instance of :class:`STIXPackage`.
"""
parser = EntityParser()
return parser.parse_xml(xml_file, encoding=encoding)
