def get_content_block(self):
stix_ip_list = self.cleaned_data['ip_list']
stix_ip_list = string.replace(stix_ip_list, ",", "##comma##")
stix_ip_list = string.replace(stix_ip_list, ";", "##comma##")
stix_ip_list = string.replace(stix_ip_list, " ", "")
xml = render_to_string('stix-ip-list.xml', {
'stix_ip_list': stix_ip_list,
'description': self.cleaned_data['desc']
})
cb = tm11.ContentBlock(t.CB_STIX_XML_101, xml)
return cb
def make_content(version, content_binding=CUSTOM_CONTENT_BINDING, content=CONTENT, subtype=None):
if version == 10:
return tm10.ContentBlock(content_binding, content)
elif version == 11:
content_block = tm11.ContentBlock(tm11.ContentBinding(content_binding), content)
if subtype:
content_block.content_binding.subtype_ids.append(subtype)
return content_block
else:
raise ValueError('Unknown TAXII message version: %s' % version)
def push(self,
content,
content_binding,
collection_names=None,
timestamp=None,
uri=None):
"""Push content into Inbox Service.
if ``uri`` is not provided, client will try to discover
services and find Inbox Service among them.
:param str content: content to push
:param content_binding: content binding for a content
:type content_binding: string or
:py:class:`cabby.entities.ContentBinding`
:param list collection_names:
destination collection names
:param datetime timestamp: timestamp label of the content block
(current UTC time by default)
:param str uri: URI path to a specific Inbox Service
:raises ValueError:
if URI provided is invalid or schema is not supported
:raises `cabby.exceptions.HTTPError`:
if HTTP error happened
:raises `cabby.exceptions.UnsuccessfulStatusError`:
if Status Message received and status_type is not `SUCCESS`
:raises `cabby.exceptions.ServiceNotFoundError`:
if no service found
:raises `cabby.exceptions.AmbiguousServicesError`:
more than one service with type specified
:raises `cabby.exceptions.NoURIProvidedError`:
no URI provided and client can't discover services
"""
content_block = tm11.ContentBlock(
content=content,
content_binding=pack_content_binding(content_binding, version=11),
timestamp_label=timestamp or get_utc_now(),
)
inbox_message = tm11.InboxMessage(message_id=self._generate_id(),
content_blocks=[content_block])
if collection_names:
inbox_message.destination_collection_names.extend(collection_names)
self._execute_request(inbox_message,
uri=uri,
service_type=const.SVC_INBOX)
self.log.debug("Content block successfully pushed")
def taxii_inbox(config, dest, stix_package=None, src=None, crits_id=None):
'''inbox a stix package via taxii'''
if src and crits_id:
# check whether this has already been ingested
sync_state = config['db'].get_object_id(src, dest, crits_id=crits_id)
if sync_state and sync_state.get('crits_id', None):
if config['daemon']['debug']:
config['logger'].debug(
log.log_messages['object_already_ingested'].format(
src_type='crits', src_id=crits_id, src=src,
dest_type='edge', dest=dest, dest_id=sync_state['edge_id']))
return(True)
if stix_package:
stixroot = lxml.etree.fromstring(stix_package.to_xml())
client = tc.HttpClient()
client.setUseHttps(config['edge']['sites'][dest]['taxii']['ssl'])
client.setAuthType(client.AUTH_BASIC)
client.setAuthCredentials(
{'username':
config['edge']['sites'][dest]['taxii']['user'],
'password':
config['edge']['sites'][dest]['taxii']['pass']})
message = tm11.InboxMessage(message_id=tm11.generate_message_id())
content_block = tm11.ContentBlock(content_binding=t.CB_STIX_XML_11,
content=stixroot)
if config['edge']['sites'][dest]['taxii']['collection'] != \
'system.Default':
message.destination_collection_names = \
[config['edge']['sites'][dest]['taxii']['collection']]
message.content_blocks.append(content_block)
if config['daemon']['debug']:
config['logger'].debug(
log.log_messages[
'open_session'].format(type_='taxii', host=dest))
taxii_response = client.callTaxiiService2(
config['edge']['sites'][dest]['host'],
config['edge']['sites'][dest]['taxii']['path'],
t.VID_TAXII_XML_11, message.to_xml(),
port=config['edge']['sites'][dest]['taxii']['port'])
if taxii_response.code != 200 or taxii_response.msg != 'OK':
success = False
config['logger'].error(
log.log_messages[
'inbox_error'].format(type_='taxii', host=dest,
msg=taxii_response.msg))
else:
success = True
if config['daemon']['debug']:
config['logger'].debug(
log.log_messages['inbox_success'].format(type_='taxii',
host=dest))
return(success)
def get_content_block(self, f):
binding_map = {
'.xlsx': ('application',
'vnd.openxmlformats-officedocument.spreadsheetml.sheet'),
'.xls': ('application', 'vnd.ms-excel'),
'.csv': ('text', 'csv'),
'.json': ('application', 'json'),
'.syslog': ('text', 'syslog')
}
# Check the file extension to see if it is a supported type
name_part, ext_part = os.path.splitext(f.name)
if ext_part.lower() == '.xml':
cb = tm11.ContentBlock(tm11.ContentBinding(t.CB_STIX_XML_101),
f.read())
else:
binding_tuple = binding_map.get(ext_part.lower(), None)
if not binding_tuple:
logger.error(
'File extension not supported: %s. Supported extensions: %s'
% (ext_part, binding_map.keys()))
return
# Read the file and create a MIME message for it
maintype = binding_tuple[0]
subtype = binding_tuple[
1] # Note: This is MIME subtype, not TAXII subtype
mime_msg = MIMENonMultipart(maintype, subtype)
mime_msg.add_header('Content-Disposition',
'attachment',
filename=f.name)
mime_msg.set_payload(f.read())
encode_base64(mime_msg)
cb = tm11.ContentBlock('%s/%s' % (maintype, subtype),
mime_msg.as_string())
return cb
def push_11(self, stix_file_doc):
self.debug_print('>>> push_11: enter')
# stix_file_doc の versionが 2.0 ならスライド
if stix_file_doc.version == '2.0':
try:
content = stix_file_doc.get_slide_1_x()
except Exception as e:
traceback.print_exc()
raise e
else:
with open(stix_file_doc.origin_path, 'r', encoding='utf-8') as fp:
content = fp.read()
# Subscription Information xml作成
subscription_information = tm11.SubscriptionInformation(
collection_name=self._collection_name,
subscription_id='subscripiton_id')
cb = tm11.ContentBlock(const.CB_STIX_XML_11, content)
im = tm11.InboxMessage(
message_id=tm11.generate_message_id(),
destination_collection_names=[self._collection_name],
subscription_information=subscription_information,
content_blocks=[cb])
try:
# push
self._address = '10.0.3.100'
# self.debug_print('>>> push_11: self._address:%s' %(self._address))
# self.debug_print('>>> push_11: self._path:%s' %(self._path))
# self.debug_print('>>> push_11: self._port:%d' %(self._port))
# self.debug_print('>>> push_11: self._collection_name:%s' %(self._collection_name))
# self.debug_print('>>> push_11: verify_server:%s' %(str(self._client.verify_server)))
# self.debug_print('>>> push_11: use_https:%s' %(str(self._client.use_https)))
http_resp = self._client.call_taxii_service2(
self._address,
self._path,
const.VID_TAXII_XML_11,
im.to_xml(),
port=self._port)
taxii_message = libtaxii.get_message_from_http_response(
http_resp, im.message_id)
if taxii_message.status_type != 'SUCCESS':
self.debug_print('taxii_message.status_type is not SUCCESS')
self.debug_print(taxii_message.to_xml(pretty_print=True))
raise Exception('taxii_message.status_type is not SUCCESS')
except Exception as e:
traceback.print_exc()
self.debug_print(e)
raise e
def push_11(self, stix_file_doc):
if stix_file_doc.version.startswith('2.'):
try:
content = stix_file_doc.get_slide_12()
except Exception as e:
traceback.print_exc()
raise e
else:
with open(stix_file_doc.origin_path, 'r', encoding='utf-8') as fp:
content = fp.read()
auth_credentials_dict = self._get_auth_credentials_dict()
self._client.set_auth_credentials(auth_credentials_dict)
try:
subscription_information = tm11.SubscriptionInformation(
collection_name=self._collection_name,
subscription_id='subscripiton_id')
cb = tm11.ContentBlock(const.CB_STIX_XML_11, content)
im = tm11.InboxMessage(
message_id=tm11.generate_message_id(),
destination_collection_names=[self._collection_name],
subscription_information=subscription_information,
content_blocks=[cb])
http_resp = self._client.call_taxii_service2(
self._address,
self._path,
const.VID_TAXII_XML_11,
im.to_xml(),
port=self._port)
taxii_message = libtaxii.get_message_from_http_response(
http_resp, im.message_id)
if taxii_message.status_type != 'SUCCESS':
raise Exception('taxii_message.status_type is not SUCCESS')
except Exception as e:
traceback.print_exc()
raise e
finally:
if 'cert_file' in auth_credentials_dict:
try:
os.remove(auth_credentials_dict['cert_file'])
except Exception:
pass
if 'key_file' in auth_credentials_dict:
try:
os.remove(auth_credentials_dict['key_file'])
except Exception:
pass
def gen_post(self, msg_type, xml):
content_block = tm11.ContentBlock(tm11.ContentBinding(Client.BINDING_STIX), xml)
if msg_type.lower() == 'inbox':
post = tm11.InboxMessage(tm11.generate_message_id())
post.content_blocks.append(content_block)
post.message = Client.CLIENT_MSG
if self.subscription:
post.subscription_id = self.subscription
if self.collection:
post.destination_collection_names.append(self.collection)
return post
def create_request_message(self, args):
if args.content_file is self.stix_watchlist:
data = self.stix_watchlist
else:
with open(args.content_file, 'r') as f:
data = f.read()
cb = tm11.ContentBlock(tm11.ContentBinding(args.content_binding), data)
if args.subtype is not None:
cb.content_binding.subtype_ids.append(args.subtype)
inbox_message = tm11.InboxMessage(message_id=tm11.generate_message_id(), content_blocks=[cb])
if args.dcn:
inbox_message.destination_collection_names.append(args.dcn)
return inbox_message
def content_block_entity_to_content_block(entity, version):
content_bindings = content_binding_entity_to_content_binding(
entity.content_binding, version=version)
# Libtaxii requires content to be unicode
content = (entity.content if isinstance(entity.content, six.string_types)
else entity.content.decode('utf-8'))
if version == 10:
return tm10.ContentBlock(content_binding=content_bindings,
content=content,
timestamp_label=entity.timestamp_label)
elif version == 11:
return tm11.ContentBlock(content_binding=content_bindings,
content=content,
timestamp_label=entity.timestamp_label,
message=entity.message)
def content_block_entity_to_content_block(entity, version):
content_bindings = content_binding_entity_to_content_binding(
entity.content_binding, version=version)
if version == 10:
return tm10.ContentBlock(
content_binding=content_bindings,
content=entity.content,
timestamp_label=entity.timestamp_label,
)
elif version == 11:
return tm11.ContentBlock(
content_binding=content_bindings,
content=entity.content,
timestamp_label=entity.timestamp_label,
message=entity.message,
)
def main():
config = ConfigParser.ConfigParser()
config.read('app.conf')
dstHost = config.get('taxii', 'dstHost')
dstPort = config.get('taxii', 'dstPort')
dstPath = config.get('taxii', 'dstPath')
username = config.get('taxii', 'username')
password = config.get('taxii', 'password')
parser = argparse.ArgumentParser(description="Inbox Client")
parser.add_argument(
"--host",
dest="host",
default=dstHost,
help="Host where the Inbox Service is hosted. Defaults to " + dstHost)
parser.add_argument(
"--port",
dest="port",
default=dstPort,
help="Port where the Inbox Service is hosted. Defaults to " + dstPort)
parser.add_argument(
"--path",
dest="path",
default=dstPath,
help="Path where the Inbox Service is hosted. Defaults to " + dstPath)
parser.add_argument(
"--content-binding",
dest="content_binding",
default=t.CB_STIX_XML_11,
help="Content binding of the Content Block to send. Defaults to %s" %
t.CB_STIX_XML_11)
parser.add_argument(
"--content-file",
dest="content_file",
default=stixContent,
help="File name of the Content Block to send. Required.")
args = parser.parse_args()
if args.content_file is '':
parser.print_help()
sys.exit(1)
_l.info('Starting...')
c = open(args.content_file, 'r')
cb = tmsg.ContentBlock(tmsg.ContentBinding(args.content_binding), c.read())
c.close()
taxiiMsg = tmsg.InboxMessage(message_id=tmsg.generate_message_id(),
content_blocks=[cb])
taxiiMsgXml = taxiiMsg.to_xml()
# send it
_l.debug('Uploading content.')
client = tc.HttpClient()
client.setProxy('noproxy')
client.setAuthType(tc.HttpClient.AUTH_BASIC)
client.setAuthCredentials({'username': username, 'password': password})
resp = client.callTaxiiService2(args.host, args.path, t.VID_TAXII_XML_11,
taxiiMsgXml, args.port)
response_message = t.get_message_from_http_response(resp, '0')
_l.debug('Response was: ' + response_message.to_xml())
_l.info('Ended.')
def _get_content_block(self, content):
return tm11.ContentBlock(const.CB_STIX_XML_11, content)
def main():
# "hardcoded" values
ns = "urn:example.com:marks_malware_metadata_mart"
ns_alias = "m4"
# Set the STIX ID Namespace
stix_namespace = {ns: ns_alias}
stix_sin(stix_namespace)
# Set the CybOX ID Namespace
cybox_namespace = Namespace(ns, ns_alias)
cybox_sin(cybox_namespace)
ttp_id = 'ttp-d539bb85-9363-4814-83c8-fa9975045686'
ttp_timestamp = '2014-09-30T15:56:27.000000+00:00'
# Fake database values
md5_hash = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
object_id = 'File-927731f2-cc2c-421c-a40e-dc6f4a6c75a4'
observable_id = 'Observable-45e3e64c-8438-441e-bc49-51e417466e29'
confidence = 'High'
confidence_timestamp = '2014-09-29T14:32:00.000000'
indicator_id = 'Indicator-54baefc1-4742-4b40-ba83-afd51115015b'
indicator_timestamp = '2014-09-29T14:32:00.000000'
# Code to create the STIX Package
sp = STIXPackage()
sp.stix_header = STIXHeader()
sp.stix_header.title = "File Hash Reputation for %s" % md5_hash
sp.stix_header.add_package_intent("Indicators - Malware Artifacts")
sp.stix_header.information_source = InformationSource()
sp.stix_header.information_source.identity = Identity()
sp.stix_header.information_source.identity.name = "Mark's Malware Metadata Mart"
file_hash = Hash(hash_value=md5_hash, type_='MD5', exact=True)
file_hash.type_.condition = "Equals"
file_obj = File()
file_obj.id_ = (ns_alias + ':' + object_id)
file_obj.add_hash(file_hash)
indicator = Indicator(title="File Hash Reputation",
id_=(ns_alias + ':' + indicator_id),
timestamp=indicator_timestamp)
indicator.indicator_type = "File Hash Reputation"
indicator.add_observable(file_obj)
indicator.observables[0].id_ = ns_alias + ':' + observable_id
ttp = TTP()
ttp.id_ = ns_alias + ':' + ttp_id
ttp.timestamp = ttp_timestamp
ttp.title = "Malicious File"
indicator.add_indicated_ttp(TTP(idref=ttp.id_, timestamp=ttp.timestamp))
indicator.indicated_ttps[0].confidence = confidence
indicator.indicated_ttps[0].confidence.timestamp = confidence_timestamp
sp.add_indicator(indicator)
sp.add_ttp(ttp)
stix_xml = sp.to_xml()
poll_response = tm11.PollResponse(message_id=generate_message_id(),
in_response_to="1234",
collection_name='file_hash_reputation')
cb = tm11.ContentBlock(content_binding=CB_STIX_XML_111, content=stix_xml)
poll_response.content_blocks.append(cb)
print poll_response.to_xml(pretty_print=True)
