# - A single Action embedded in the Bundle
# - A single Capability embedded in the Bundle
from cybox.core import AssociatedObjects, AssociatedObject, Object, AssociationType
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, Collections, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package
from cybox.utils import Namespace
import maec.utils

# Register the example namespace with the ID generator *before* any MAEC/CybOX
# entity is created, so every auto-generated id is prefixed with it. Creation
# order below is kept as-is because the generated ids may depend on it.
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)

# Top-level containers of the example: the Bundle, the Package that will carry
# the Malware Subject, the Subject itself and its Analysis.
# defined_subject=False — presumably because the Bundle is embedded in a
# Malware Subject rather than standing alone; confirm against the Bundle API.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# The File that characterises the malware instance (sample values only).
subject_object = Object()
subject_object.properties = File()
subject_file = subject_object.properties
subject_file.name = 'foobar.exe'
# Kept as a string, exactly as the original example writes it.
subject_file.size_in_bytes = '35532'
subject_file.hashes = HashList()
# 32 hex characters, i.e. an MD5-length digest; the type is not given explicitly.
subject_file.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))

# Attach the Object as the Subject's Malware Instance Object Attributes.
subject.set_malware_instance_object_attributes(subject_object)

# Associated Object for the Action that the rest of the example builds
# (the remainder of the script is not shown here).
associated_object = AssociatedObject()
associated_object.properties = File()
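import pprint

import maec.bindings.maec_bundle as maec_bundle_binding
from maec.bundle import Bundle

# Object types to compare, and for each the properties that must match for two
# Objects to be treated as "the same" across the two Bundles.
match_on_dictionary = {
    'FileObjectType': ['file_name'],
    'WindowsRegistryKeyObjectType': ['hive', 'values.name/data'],
    'WindowsMutexObjectType': ['name'],
}

# Parse the two input Bundle documents into python-maec Bundle objects.
# NOTE(review): parse() is an XML parser; confirm how the binding treats DTDs
# and external entities before feeding it documents from an untrusted source.
bundle1 = Bundle.from_obj(maec_bundle_binding.parse("zeus_threatexpert_maec.xml"))
bundle2 = Bundle.from_obj(maec_bundle_binding.parse("zeus_anubis_maec.xml"))

# Compare the Bundles; case_sensitive=False so differently-cased values of the
# matched properties still count as equal.
comparison_results = Bundle.compare(
    [bundle1, bundle2], match_on=match_on_dictionary, case_sensitive=False)

# Pretty print the common and unique Objects. print() with a single argument
# behaves identically under Python 2 and 3, unlike the Python-2-only
# statement form, so the script now parses on both.
print("******Common Objects:*******\n")
pprint.pprint(comparison_results.get_common())
print("****************************")
print("******Unique Objects:*******\n")
pprint.pprint(comparison_results.get_unique())
print("****************************")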
# Example 1 - Simple Package Generation Example
# Generates and exports MAEC Package with:
# - A single Malware Subject
# - A single Bundle embedded in the Malware Subject
# - A single Action embedded in the Bundle
# - A single Capability embedded in the Bundle
from cybox.core import AssociatedObjects, AssociatedObject, Object, AssociationType
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package

# Top-level containers of the example: the Bundle, the Package that will carry
# the Malware Subject, the Subject itself and its Analysis. Creation order is
# kept as-is because auto-generated ids may depend on it.
# defined_subject=False — presumably because the Bundle is embedded in a
# Malware Subject rather than standing alone; confirm against the Bundle API.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# The File that characterises the malware instance (sample values only).
subject_object = Object()
subject_object.properties = File()
subject_file = subject_object.properties
subject_file.name = 'foobar.exe'
# Kept as a string, exactly as the original example writes it.
subject_file.size_in_bytes = '35532'
subject_file.hashes = HashList()
# 32 hex characters, i.e. an MD5-length digest; the type is not given explicitly.
subject_file.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))

# Attach the Object as the Subject's Malware Instance Object Attributes.
subject.set_malware_instance_object_attributes(subject_object)

# Associated Object for the Action that the rest of the example builds
# (the remainder of the script is not shown here).
associated_object = AssociatedObject()
associated_object.properties = File()
# Compatible platform for the Malware Subject `ms`. `ms`, `ident1` and `ident2`
# are defined earlier in the file (not visible in this excerpt).
pl1 = ms.createcompatibleplatform(description='testing platform',identifiers=[ident1,ident2])
ms.addcompatibleplatform(compatible_platform=pl1)
####################################################################################################################
#Add relationship
# Four references to other Malware Subjects, identified only by placeholder idrefs.
reference1 = ms.createrelationshipreference(malware_subject_idref='Test idref 1')
reference2 = ms.createrelationshipreference(malware_subject_idref='Test idref 2')
reference3 = ms.createrelationshipreference(malware_subject_idref='Test idref 3')
reference4 = ms.createrelationshipreference(malware_subject_idref='Test idref 4')
# Mirror-image relationship types: the first two subjects are 'downloads',
# the last two 'downloaded by'.
relationship1=ms.createrelationship(type='downloads',malware_subject_reference=[reference1,reference2])
relationship2=ms.createrelationship(type='downloaded by',malware_subject_reference=[reference3,reference4])
ms.addrelationship(relationship=relationship1)
ms.addrelationship(relationship=relationship2)
####################################################################################################################
#Add findings bundle
from maec.bundle import Bundle
# One Bundle per analysis kind; note they are added in reverse creation order
# (bundle2 first), so that is the order they will appear in the findings bundles.
bundle1 = Bundle()
bundle1.content_type='dynamic analysis tool output'
bundle2 = Bundle()
bundle2.content_type='static analysis tool output'
ms.addbundleinfindingbundles(bundle2)
ms.addbundleinfindingbundles(bundle1)
# Meta-analysis: two object-equivalence references (ids generated by create_id,
# which is imported/defined earlier in the file — not visible here) grouped into
# one equivalence, and two action-equivalence references grouped into another.
mr1 = ms.createfindingbundlesmetaanalysisobjectequivalencereference(object_idref=create_id(prefix='obj_ref'))
mr2 = ms.createfindingbundlesmetaanalysisobjectequivalencereference(object_idref=create_id(prefix='obj_ref'))
object_eq = ms.createfindingbundlesmetaanalysisobjectequivalence(id=create_id(prefix='obj_equiv'),object_references=[mr1,mr2])
ar1 = ms.createfindingbundlesmetaanalysisactionequivalencereference(action_id='test action id 1')
ar2 = ms.createfindingbundlesmetaanalysisactionequivalencereference(action_id='test action id 2')
action_eq = ms.createfindingbundlesmetaanalysisactionequivalence(action_references=[ar1,ar2])
# Both equivalences go into a single Meta_Analysis element of the findings bundles.
meta_analysis = ms.createfindingbundlesmetaanalysis(object_equivalences=[object_eq],action_equivalences=[action_eq])
ms.addmetaanalysisinfindingbundles(meta_analysis=meta_analysis)
# External references are passed as plain strings (placeholder qnames).
ms.addexternalreferenceinfindingbundles(['testing refer qname 1','testing refer qname 2'])
#Printing results
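import pprint

import maec.bindings.maec_bundle as maec_bundle_binding
from maec.bundle import Bundle

# Object types to compare, and for each the properties that must match for two
# Objects to be treated as "the same" across the two Bundles.
match_on_dictionary = {
    'FileObjectType': ['file_name'],
    'WindowsRegistryKeyObjectType': ['hive', 'values.name/data'],
    'WindowsMutexObjectType': ['name'],
}

# Parse the two input Bundle documents into python-maec Bundle objects.
# NOTE(review): parse() is an XML parser; confirm how the binding treats DTDs
# and external entities before feeding it documents from an untrusted source.
bundle1 = Bundle.from_obj(maec_bundle_binding.parse("zeus_threatexpert_maec.xml"))
bundle2 = Bundle.from_obj(maec_bundle_binding.parse("zeus_anubis_maec.xml"))

# Compare the Bundles; case_sensitive=False so differently-cased values of the
# matched properties still count as equal.
comparison_results = Bundle.compare(
    [bundle1, bundle2], match_on=match_on_dictionary, case_sensitive=False)

# Pretty print the common and unique Objects. print() with a single argument
# behaves identically under Python 2 and 3, unlike the Python-2-only
# statement form, so the script now parses on both.
print("******Common Objects:*******\n")
pprint.pprint(comparison_results.get_common())
print("****************************")
print("******Unique Objects:*******\n")
pprint.pprint(comparison_results.get_unique())
print("****************************")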