Ejemplo n.º 1
0
def _get_email_recipients(header):
    """Parse a string into an EmailRecipients list"""
    if not header:
        return None

    recips = EmailRecipients()
    for match in EMAIL_PATTERN.findall(header):
        recips.append(match[0])
    return recips
Ejemplo n.º 2
0
 def test_list5(self):
     recips = EmailRecipients()
     recips.append(EmailAddress(self.email1))
     recips.append(EmailAddress(self.email2))
     self._compare(recips)
Ejemplo n.º 3
0
 def test_list4(self):
     recips = EmailRecipients()
     recips.append(self.email1)
     recips.append(self.email2)
     self._compare(recips)
Ejemplo n.º 4
0
 def test_list5(self):
     recips = EmailRecipients()
     recips.append(EmailAddress(self.email1))
     recips.append(EmailAddress(self.email2))
     self._compare(recips)
Ejemplo n.º 5
0
 def test_list(self):
     recips = EmailRecipients(Address(self.email1, Address.CAT_EMAIL),
                              Address(self.email2, Address.CAT_EMAIL))
     self._compare(recips)
Ejemplo n.º 6
0
 def test_list3(self):
     recips = EmailRecipients(self.email1, self.email2)
     self._compare(recips)
Ejemplo n.º 7
0
 def test_list4(self):
     recips = EmailRecipients()
     recips.append(self.email1)
     recips.append(self.email2)
     self._compare(recips)
Ejemplo n.º 8
0
 def test_list2(self):
     recips = EmailRecipients(EmailAddress(self.email1),
                              EmailAddress(self.email2))
     self._compare(recips)
Ejemplo n.º 9
0
    def populate_email(self, cybox_email, attribute):
        # returns a cybox email object out of a ce1sus object
        def_name = attribute.definition.name

        if def_name == 'email_attachment_file_name':
            attachment = File()
            attachment.file_name = attribute.value
            attachment.file_name.condition = self.get_condition(attribute)

            # cybox_email.attachments = Attachments()
            # cybox_email.attachments.append(File)

        elif def_name == 'email_bcc':
            self.__check_set_email_header(cybox_email)
            if not cybox_email.header.bcc:
                cybox_email.header.bcc = EmailRecipients()
            cybox_email.header.bcc.append(self.create_EmailAddress(attribute))
        elif def_name == 'email_cc':
            self.__check_set_email_header(cybox_email)
            if not cybox_email.header.cc:
                cybox_email.header.cc = EmailRecipients()
            cybox_email.header.bcc.append(self.create_EmailAddress(attribute))
        elif def_name == 'email_errors_to':
            self.__check_set_email_header(cybox_email)
            self.set_check_attr(cybox_email, 'header.errors_to', attribute)
        elif def_name == 'email_message_id':
            self.__check_set_email_header(cybox_email)
            self.set_check_attr(cybox_email, 'header.message_id', attribute)
        elif def_name == 'email_mime_version':
            self.__check_set_email_header(cybox_email)
            self.set_check_attr(cybox_email, 'header.mime_version', attribute)
        elif def_name == 'email_raw_body':
            self.set_check_attr(cybox_email, 'raw_body', attribute)
        elif def_name == 'email_raw_header':
            self.set_check_attr(cybox_email, 'raw_header', attribute)
        elif def_name == 'email_reply_to':
            if not cybox_email.header.in_reply_to:
                self.__check_set_email_header(cybox_email)
                cybox_email.header.in_reply_to = EmailRecipients()
            cybox_email.header.in_reply_to.append(
                self.create_EmailAddress(attribute))
        elif def_name == 'email_server':
            self.set_check_attr(cybox_email, 'email_server', attribute)
        elif def_name == 'email_subject':
            self.set_check_attr(cybox_email, 'subject', attribute)
        elif def_name == 'email_from':
            self.__check_set_email_header(cybox_email)
            if not cybox_email.header.from_:
                cybox_email.header.from_ = self.create_EmailAddress(attribute)
        elif def_name == 'email_to':
            self.__check_set_email_header(cybox_email)
            if not cybox_email.header.to:
                cybox_email.header.to = EmailRecipients()
            cybox_email.header.to.append(self.create_EmailAddress(attribute))
        elif def_name == 'email_x_mailer':
            self.set_check_attr(cybox_email, 'header.x_mailer', attribute)
        elif def_name == 'email_x_originating_ip':
            self.set_check_attr(cybox_email, 'header.x_originating_ip',
                                attribute)
        elif 'hash' in def_name:
            raise CyboxMapperException('Not defined')
        elif def_name == 'email_link':
            if not cybox_email.links:
                cybox_email.links = Links()
            cybox_email.links.append(Link(attribute.value))
        elif def_name == 'email_send_date':
            cybox_email.date = attribute.value
        elif def_name == 'email_in_reply_to':
            self.__check_set_email_header(cybox_email)
            cybox_email.header.in_reply_to = attribute.value
        else:
            raise CyboxMapperException('Not defined for {0}'.format(def_name))
Ejemplo n.º 10
0
def cybox_object_email(obj):
    e = EmailMessage()
    e.raw_body = obj.raw_body
    e.raw_header = obj.raw_header
    # Links
    e.links = Links()
    for link in obj.links.all():
        pass
    # Attachments
    e.attachments = Attachments()
    attachment_objects = []
    for att in obj.attachments.all():
        for meta in att.file_meta.all():
            fobj = cybox_object_file(att, meta)
            e.attachments.append(fobj.parent.id_)
            fobj.add_related(e, "Contained_Within", inline=False)
            attachment_objects.append(fobj)
    # construct header information
    h = EmailHeader()
    h.subject = obj.subject
    h.date = obj.email_date
    h.message_id = obj.message_id
    h.content_type = obj.content_type
    h.mime_version = obj.mime_version
    h.user_agent = obj.user_agent
    h.x_mailer = obj.x_mailer
    # From
    for from_ in obj.from_string.all():
        from_address = EmailAddress(from_.sender)
        from_address.is_spoofed = from_.is_spoofed
        from_address.condition = from_.condition
        h.from_ = from_address
    # Sender
    for sender in obj.sender.all():
        sender_address = EmailAddress(sender.sender)
        sender_address.is_spoofed = sender.is_spoofed
        sender_address.condition = sender.condition
        h.sender.add(sender_address)
    # To
    recipients = EmailRecipients()
    for recipient in obj.recipients.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.to = recipients
    # CC
    recipients = EmailRecipients()
    for recipient in obj.recipients_cc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.cc = recipients
    # BCC
    recipients = EmailRecipients()
    for recipient in obj.recipients_bcc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.bcc = recipients
    e.header = h
    return e, attachment_objects
Ejemplo n.º 11
0
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"):
    """
    Convert a CRITs TLO to a CybOX Observable.

    :param obj: The TLO to convert.
    :type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes`
    :param exclude: Attributes to exclude.
    :type exclude: list
    :param bin_fmt: The format for the binary (if applicable).
    :type bin_fmt: str
    """

    type_ = obj._meta['crits_type']
    if type_ == 'Certificate':
        custom_prop = Property() # make a custom property so CRITs import can identify Certificate exports
        custom_prop.name = "crits_type"
        custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
        custom_prop._value = "Certificate"
        obje = File() # represent cert information as file
        obje.md5 = obj.md5
        obje.file_name = obj.filename
        obje.file_format = obj.filetype
        obje.size_in_bytes = obj.size
        obje.custom_properties = CustomProperties()
        obje.custom_properties.append(custom_prop)
        obs = Observable(obje)
        obs.description = obj.description
        data = obj.filedata.read()
        if data: # if cert data available
            a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data
            a.packaging.append(Base64Encoding())
            obje.add_related(a, "Child_Of") # relate artifact to file

        return ([obs], obj.releasability)
    elif type_ == 'Domain':
        obje = DomainName()
        obje.value = obj.domain
        obje.type_ = obj.record_type

        return ([Observable(obje)], obj.releasability)
    elif type_ == 'Email':
        if exclude == None:
            exclude = []

        observables = []

        obje = EmailMessage()
        # Assume there is going to be at least one header
        obje.header = EmailHeader()

        if 'message_id' not in exclude:
            obje.header.message_id = String(obj.message_id)

        if 'subject' not in exclude:
            obje.header.subject = String(obj.subject)

        if 'sender' not in exclude:
            obje.header.sender = Address(obj.sender, Address.CAT_EMAIL)

        if 'reply_to' not in exclude:
            obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL)

        if 'x_originating_ip' not in exclude:
            obje.header.x_originating_ip = Address(obj.x_originating_ip,
                                                  Address.CAT_IPV4)

        if 'x_mailer' not in exclude:
            obje.header.x_mailer = String(obj.x_mailer)

        if 'boundary' not in exclude:
            obje.header.boundary = String(obj.boundary)

        if 'raw_body' not in exclude:
            obje.raw_body = obj.raw_body

        if 'raw_header' not in exclude:
            obje.raw_header = obj.raw_header

        #adding rest of email fields
        obje.header.cc = EmailRecipients(obj.cc)
        obje.header.to = EmailRecipients(obj.to)

        #copy fields where the names differ between objects
        if 'helo' not in exclude and 'email_server' not in exclude:
            obje.email_server = String(obj.helo)
        if ('from_' not in exclude and 'from' not in exclude and
            'from_address' not in exclude):
            obje.header.from_ = EmailAddress(obj.from_address)
        if 'date' not in exclude and 'isodate' not in exclude:
            obje.header.date = DateTime(obj.isodate)

        obje.attachments = Attachments()

        observables.append(Observable(obje))

        return (observables, obj.releasability)
    elif type_ == 'Indicator':
        observables = []
        obje = make_cybox_object(obj.ind_type, obj.value)
        observables.append(Observable(obje))

        return (observables, obj.releasability)
    elif type_ == 'IP':
        obje = Address()
        obje.address_value = obj.ip
        if obj.ip_type == IPTypes.IPV4_ADDRESS:
            obje.category = "ipv4-addr"
        elif obj.ip_type == IPTypes.IPV6_ADDRESS:
            obje.category = "ipv6-addr"
        elif obj.ip_type == IPTypes.IPV4_SUBNET:
            obje.category = "ipv4-net"
        elif obj.ip_type == IPTypes.IPV6_SUBNET:
            obje.category = "ipv6-subnet"

        return ([Observable(obje)], obj.releasability)
    elif type_ == 'PCAP':
        obje = File()
        obje.md5 = obj.md5
        obje.file_name = obj.filename
        obje.file_format = obj.contentType
        obje.size_in_bytes = obj.length
        obs = Observable(obje)
        obs.description = obj.description
        art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK)
        art.packaging.append(Base64Encoding())
        obje.add_related(art, "Child_Of") # relate artifact to file

        return ([obs], obj.releasability)
    elif type_ == 'RawData':
        obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE)
        obje.packaging.append(Base64Encoding())
        obs = Observable(obje)
        obs.description = obj.description

        return ([obs], obj.releasability)
    elif type_ == 'Sample':
        if exclude == None:
            exclude = []

        observables = []
        f = File()
        for attr in ['md5', 'sha1', 'sha256', 'source']:
            if attr not in exclude:
                val = getattr(obj, attr, None)
                if val:
                    setattr(f, attr, val)
        if obj.ssdeep and 'ssdeep' not in exclude:
            f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP))
        if 'size' not in exclude and 'size_in_bytes' not in exclude:
            f.size_in_bytes = UnsignedLong(obj.size)
        if 'filename' not in exclude and 'file_name' not in exclude:
            f.file_name = obj.filename
        # create an Artifact object for the binary if it exists
        if 'filedata' not in exclude and bin_fmt:
            data = obj.filedata.read()
            if data: # if sample data available
                a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data
                if bin_fmt == "zlib":
                    a.packaging.append(ZlibCompression())
                    a.packaging.append(Base64Encoding())
                elif bin_fmt == "base64":
                    a.packaging.append(Base64Encoding())
                f.add_related(a, "Child_Of") # relate artifact to file
        if 'filetype' not in exclude and 'file_format' not in exclude:
            #NOTE: this doesn't work because the CybOX File object does not
            #   have any support built in for setting the filetype to a
            #   CybOX-binding friendly object (e.g., calling .to_dict() on
            #   the resulting CybOX object fails on this field.
            f.file_format = obj.filetype

        f.extracted_features = ExtractedFeatures()
        f.extracted_features.strings = ExtractedStrings()
        for name in obj.filenames:
            f.extracted_features.strings.append(ExtractedString(name))

        observables.append(Observable(f))
        return (observables, obj.releasability)
    else:
        return (None, None)
Ejemplo n.º 12
0
def cybox_object_email(obj):
    e = EmailMessage()
    e.raw_body = obj.raw_body
    e.raw_header = obj.raw_header
    # Links
    e.links = Links()
    for link in obj.links.all():
        pass
    # Attachments
    e.attachments = Attachments()
    attachment_objects = []
    for att in obj.attachments.all():
        for meta in att.file_meta.all():
            fobj = cybox_object_file(att, meta)
            e.attachments.append(fobj.parent.id_)
            fobj.add_related(e, "Contained_Within", inline=False)
            attachment_objects.append(fobj)
    # construct header information
    h = EmailHeader()
    h.subject = obj.subject
    h.date = obj.email_date
    h.message_id = obj.message_id
    h.content_type = obj.content_type
    h.mime_version = obj.mime_version
    h.user_agent = obj.user_agent
    h.x_mailer = obj.x_mailer
    # From
    for from_ in obj.from_string.all():
        from_address = EmailAddress(from_.sender)
        from_address.is_spoofed = from_.is_spoofed
        from_address.condition = from_.condition
        h.from_ = from_address
    # Sender
    for sender in obj.sender.all():
        sender_address = EmailAddress(sender.sender)
        sender_address.is_spoofed = sender.is_spoofed
        sender_address.condition = sender.condition
        h.sender.add(sender_address)
    # To
    recipients = EmailRecipients()
    for recipient in obj.recipients.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.to = recipients
    # CC
    recipients = EmailRecipients()
    for recipient in obj.recipients_cc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.cc = recipients
    # BCC
    recipients = EmailRecipients()
    for recipient in obj.recipients_bcc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.bcc = recipients
    e.header = h
    return e, attachment_objects