def main(): fn = 'ex_01.xml' stix_package = STIXPackage.from_xml(fn) stix_dict = stix_package.to_dict() # parse to dictionary pprint(stix_dict) stix_package_two = STIXPackage.from_dict(stix_dict) # create python-stix object from dictionary xml = stix_package_two.to_xml() # generate xml from python-stix object print(xml)
def main(): fn = 'ex_01.xml' stix_package = STIXPackage.from_xml(fn) stix_dict = stix_package.to_dict() # parse to dictionary pprint(stix_dict) stix_package_two = STIXPackage.from_dict( stix_dict) # create python-stix object from dictionary xml = stix_package_two.to_xml() # generate xml from python-stix object print(xml)
def test_all_versions_in_single_package(self): package = STIXPackage.from_xml(StringIO(XML_GLOBAL)) self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[0], stix_edh.isa_markings.ISAMarkings)) self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[1], stix_edh.isa_markings_assertions.ISAMarkingsAssertion)) print(package.to_xml()) package = STIXPackage.from_dict(package.to_dict()) self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[0], stix_edh.isa_markings.ISAMarkings)) self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[1], stix_edh.isa_markings_assertions.ISAMarkingsAssertion)) json_string = json.dumps(package.to_dict()) print(json_string) print("-" * 40)
def test(files): '''Parses each file in the list of files and performs a to_obj(), from_obj() to_dict(), from_dict(), and to_xml() on each STIXPackage ''' info("testing [%s] files" % (len(files))) for fn in files: with open(fn, 'rb') as f: try: sp = STIXPackage.from_xml(f) o = sp.to_obj() sp2 = STIXPackage.from_obj(o) d = sp.to_dict() sp3 = STIXPackage.from_dict(d) xml = sp.to_xml() print "[+] Sucessfully tested %s" % fn except Exception as ex: tb = traceback.format_exc() print "[!] Error with %s : %s" % (fn, str(ex)) print tb
def main(): FILENAME = 'sample.xml' # Parse input file stix_package = STIXPackage.from_xml(FILENAME) # Convert STIXPackage to a Python dictionary via the to_dict() method. stix_dict = stix_package.to_dict() # Print the dictionary! pprint(stix_dict) # Convert the first STIXPackage dictionary into another STIXPackage via # the from_dict() method. stix_package_two = STIXPackage.from_dict(stix_dict) # Serialize the new STIXPackage object to XML xml = stix_package_two.to_xml() # Print the XML! print(xml)
def main(): FILENAME = 'sample.xml' # Parse input file stix_package = STIXPackage.from_xml(FILENAME) # Convert STIXPackage to a Python dictionary via the to_dict() method. stix_dict = stix_package.to_dict() # Print the dictionary! pprint(stix_dict) # Convert the first STIXPackage dictionary into another STIXPackage via # the from_dict() method. stix_package_two = STIXPackage.from_dict(stix_dict) # Serialize the new STIXPackage object to XML xml = stix_package_two.to_xml() # Print the XML! print(xml)
def toStixXml(self, confidence, efficacy): """ This method converts a list of FASGuard generated Snort rules into a STIX compliant XML string ready for output. It first converts the object into a hash of the right format and then converts it into XML using STIXPackage.from_dict and to_xml on the resulting object. Arguments: confidence - High, Medium or Low. High means low false alarm rate. efficacy - High, Medium or Low. High means a low missed detection rate. Returns: Reference to string containing STIX/CybOX XML file. """ logger = logging.getLogger('simple_example') self.logger = logger self.logger.debug('In asg.fasguardStixRule') stix_package = STIXPackage() # Build the Exploit Target vuln = Vulnerability() vuln.cve_id = "Unknown" et = ExploitTarget(title="From FASGuard") et.add_vulnerability(vuln) stix_package.add_exploit_target(et) # Build the TTP ttp = TTP(title="FASGuard Produced Signatures") ttp.exploit_targets.append(ExploitTarget(idref=et.id_)) stix_package.add_ttp(ttp) # Build the indicator indicator = Indicator(title="Snort Signature from FASGuard") indicator.confidence = Confidence(confidence) tm = SnortTestMechanism() tm.rules = self.ruleList tm.efficacy = efficacy tm.producer = InformationSource(identity=Identity(name="FASGuard")) tm.producer.references = ["http://fasguard.github.io/"] indicator.test_mechanisms = [tm] indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) return stix_package.to_xml() # stixDict = {'campaigns': [{}], # 'courses_of_action': [{}], # 'exploit_targets': [{}], # 'id': 'INSERT_PACKAGE_ID_HERE'} # stixDict['indicators'] = [{'indicator': # {'title': # 'Automatically Generated FASGuard Signatures', # 'test_mechanisms': # {'test_mechanism': # {'efficacy':'Low', # 'producer': # {'Identity':'FASGuard'}, # 'rule':'xyz'}}}} # ] stix_package = STIXPackage.from_dict(stixDict) stix_xml = stix_package.to_xml() return stix_xml
def toStixXml(self): """ This method converts a DetectorEvent object into a STIX compliant XML string ready for output. It first converts the object into a hash of the right format and then converts it into XML using STIXPackage.from_dict and to_xml on the resulting object. Returns: Reference to string containing STIX/CybOX XML file. """ self.logger.debug('In toStixXml') stixDict = {'campaigns': [{}], 'courses_of_action': [{}], 'exploit_targets': [{}], 'id': 'INSERT_PACKAGE_ID_HERE'} stixDict['incidents'] = [] stixDict['indicators'] = [{}] stixDict['observables'] = {'major_version': 2, 'minor_version': 1, 'observables': [{}], 'update_version': 0} stixDict['stix_header'] = {'description': 'DESCRIPTION', # 'handling': # [{'controlled_structure': # '//node()', # 'marking_structures': # [{'color': 'WHITE', # 'xsi:type': # 'tlpMarking:TLPMarkingStructureType'}]}, # {'controlled_structure': # '//node()', # 'marking_structures': # [{'xsi:type': # 'simpleMarking:SimpleMarkingStructureType'}]}, # {'controlled_structure': '//node()', # 'marking_structures': # [{'xsi:type': # 'TOUMarking:TermsOfUseMarkingStructureType'}]}], 'information_source': {'identity': {}, 'time': {'produced_time': '2014-12-31T08:00:00+00:00'}, 'tools': [{}]}, 'package_intents': [{'value': 'Incident', 'xsi:type': 'stixVocabs:PackageIntentVocab-1.0'}], 'title': 'TITLE'} stixDict['threat_actors'] = [{}] # stixDict['ttps'] = {'kill_chains': # {'kill_chains': [{'kill_chain_phases': [{}]}]}, # 'ttps': [{}]} stixDict['version'] = '1.1.1' if (((not self.multiAttackFlag) or (not self.attackBoundaryFlag)) and len(self.attackInstanceList) != 1): self.logger.error('For non-multiple attack or non-boundary attack '+ 'had more than one attack instance') sys.exit(-1) description_string = '\n\t\t\t\tMultipleAttack = ' description_string += 'TRUE' if self.multiAttackFlag else 'FALSE' description_string += '\n\t\t\t\tAttackBoundaries = ' description_string += 'TRUE' if self.attackBoundaryFlag else 'FALSE' description_string += '\n\t\t\t' for attack_instance in self.attackInstanceList: related_observables_hash = {'description' : description_string, 'related_observables': {'observables': [], 'scope':'exclusive'}} observables_list = (related_observables_hash['related_observables'] ['observables']) stixDict['incidents'].append(related_observables_hash) for packet in attack_instance.packetList: f_sec,sec = math.modf(packet.timeStamp) self.logger.debug('%f %f',sec,f_sec) dtime = datetime.datetime.fromtimestamp( int(sec)).strftime('%Y-%m-%dT%H:%M:%S')+'.'+( str(int(f_sec*1000000))) #dtime = '2014-10-13T14:08:00.002000+00:00' self.logger.debug('dtime = '+dtime) observable_dict = {} data_dict = {} properties_dict = {} packet_dict = {} observable_dict['observable'] = data_dict data_dict['keywords'] = ['LinkType=ethernet', u'ProbAttack=' + str(packet.probAttack)] data_dict['object'] = properties_dict properties_dict['properties'] = packet_dict packet_dict['packaging'] = [{'algorithm': 'Base64', 'packaging_type': 'encoding'}] packet_dict['raw_artifact'] = base64.b64encode( str(packet.packet)) eth = dpkt.ethernet.Ethernet(str(packet.packet)) self.logger.debug('eth as string: %s',pformat(eth)) b64_decode = base64.b64decode(base64.b64encode(packet.packet)) v1 = pformat(packet.packet) self.logger.debug('First version: %s',str(packet.packet).encode('hex')) v2 = pformat(packet.packet) self.logger.debug('Second version: %s',b64_decode.encode('hex')) pprint(b64_decode) # if b64_decode != packet.packet: # self.logger.debug('Round trip failed') # self.logger.debug('Types: %s, %s',type(b64_decode), # type(packet.packet)) # self.logger.debug('Length %d -> %d', # len(b64_decode),len(packet.packet)) # packet_list = list(packet.packet) # b64_list = list(b64_decode) # for i in range(len(packet.packet)): # if packet_list[i] != b64_list[i]: # self.logger.debug('%s != %s',packet_list[i], # b64_list[i]) # # for i in list(packet.packet): # # self.logger.debug('Orig: %s',i) # # for i in list(b64_decode): # # self.logger.debug('Decode: %s',i) # sys.exit(-1) packet_dict['type'] = 'Network Traffic' packet_dict['xsi:type'] = 'ArtifactObjectType' data_dict['observable_source'] = [ {'time':{'received_time':dtime} } ] observables_list.append(observable_dict) ofh = open('stix_dict.out', 'w') ofh.write(pformat(stixDict)) self.logger.debug('Wrote stix dictionary to stix_dict.out') stix_package = STIXPackage.from_dict(stixDict) self.logger.debug('After constructor') stix_xml = stix_package.to_xml() return stix_xml
def toStixXml(self, confidence, efficacy): """ This method converts a list of FASGuard generated Snort rules into a STIX compliant XML string ready for output. It first converts the object into a hash of the right format and then converts it into XML using STIXPackage.from_dict and to_xml on the resulting object. Arguments: confidence - High, Medium or Low. High means low false alarm rate. efficacy - High, Medium or Low. High means a low missed detection rate. Returns: Reference to string containing STIX/CybOX XML file. """ logger = logging.getLogger('simple_example') self.logger = logger self.logger.debug('In asg.fasguardStixRule') stix_package = STIXPackage() # Build the Exploit Target vuln = Vulnerability() vuln.cve_id = "Unknown" et = ExploitTarget(title="From FASGuard") et.add_vulnerability(vuln) stix_package.add_exploit_target(et) # Build the TTP ttp = TTP(title="FASGuard Produced Signatures") ttp.exploit_targets.append(ExploitTarget(idref=et.id_)) stix_package.add_ttp(ttp) # Build the indicator indicator = Indicator(title = "Snort Signature from FASGuard") indicator.confidence = Confidence(confidence) tm = SnortTestMechanism() tm.rules = self.ruleList tm.efficacy = efficacy tm.producer = InformationSource(identity=Identity(name="FASGuard")) tm.producer.references = ["http://fasguard.github.io/"] indicator.test_mechanisms = [tm] indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) return stix_package.to_xml() # stixDict = {'campaigns': [{}], # 'courses_of_action': [{}], # 'exploit_targets': [{}], # 'id': 'INSERT_PACKAGE_ID_HERE'} # stixDict['indicators'] = [{'indicator': # {'title': # 'Automatically Generated FASGuard Signatures', # 'test_mechanisms': # {'test_mechanism': # {'efficacy':'Low', # 'producer': # {'Identity':'FASGuard'}, # 'rule':'xyz'}}}} # ] stix_package = STIXPackage.from_dict(stixDict) stix_xml = stix_package.to_xml() return stix_xml