def main():
fn = 'ex_01.xml'
stix_package = STIXPackage.from_xml(fn)
stix_dict = stix_package.to_dict() # parse to dictionary
pprint(stix_dict)
stix_package_two = STIXPackage.from_dict(stix_dict) # create python-stix object from dictionary
xml = stix_package_two.to_xml() # generate xml from python-stix object
print(xml)
def main():
fn = 'ex_01.xml'
stix_package = STIXPackage.from_xml(fn)
stix_dict = stix_package.to_dict() # parse to dictionary
pprint(stix_dict)
stix_package_two = STIXPackage.from_dict(
stix_dict) # create python-stix object from dictionary
xml = stix_package_two.to_xml() # generate xml from python-stix object
print(xml)
def test_all_versions_in_single_package(self):
package = STIXPackage.from_xml(StringIO(XML_GLOBAL))
self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[0], stix_edh.isa_markings.ISAMarkings))
self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[1], stix_edh.isa_markings_assertions.ISAMarkingsAssertion))
print(package.to_xml())
package = STIXPackage.from_dict(package.to_dict())
self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[0], stix_edh.isa_markings.ISAMarkings))
self.assertTrue(isinstance(package.stix_header.handling[0].marking_structures[1], stix_edh.isa_markings_assertions.ISAMarkingsAssertion))
json_string = json.dumps(package.to_dict())
print(json_string)
print("-" * 40)
def test(files):
'''Parses each file in the list of files and performs a to_obj(), from_obj()
to_dict(), from_dict(), and to_xml() on each STIXPackage
'''
info("testing [%s] files" % (len(files)))
for fn in files:
with open(fn, 'rb') as f:
try:
sp = STIXPackage.from_xml(f)
o = sp.to_obj()
sp2 = STIXPackage.from_obj(o)
d = sp.to_dict()
sp3 = STIXPackage.from_dict(d)
xml = sp.to_xml()
print "[+] Sucessfully tested %s" % fn
except Exception as ex:
tb = traceback.format_exc()
print "[!] Error with %s : %s" % (fn, str(ex))
print tb
def main():
FILENAME = 'sample.xml'
# Parse input file
stix_package = STIXPackage.from_xml(FILENAME)
# Convert STIXPackage to a Python dictionary via the to_dict() method.
stix_dict = stix_package.to_dict()
# Print the dictionary!
pprint(stix_dict)
# Convert the first STIXPackage dictionary into another STIXPackage via
# the from_dict() method.
stix_package_two = STIXPackage.from_dict(stix_dict)
# Serialize the new STIXPackage object to XML
xml = stix_package_two.to_xml()
# Print the XML!
print(xml)
def main():
FILENAME = 'sample.xml'
# Parse input file
stix_package = STIXPackage.from_xml(FILENAME)
# Convert STIXPackage to a Python dictionary via the to_dict() method.
stix_dict = stix_package.to_dict()
# Print the dictionary!
pprint(stix_dict)
# Convert the first STIXPackage dictionary into another STIXPackage via
# the from_dict() method.
stix_package_two = STIXPackage.from_dict(stix_dict)
# Serialize the new STIXPackage object to XML
xml = stix_package_two.to_xml()
# Print the XML!
print(xml)
def toStixXml(self, confidence, efficacy):
"""
This method converts a list of FASGuard generated Snort rules into a STIX
compliant XML string ready for output. It first converts the object
into a hash of the right format and then converts it into XML using
STIXPackage.from_dict and to_xml on the resulting object.
Arguments:
confidence - High, Medium or Low. High means low false alarm rate.
efficacy - High, Medium or Low. High means a low missed detection rate.
Returns:
Reference to string containing STIX/CybOX XML file.
"""
logger = logging.getLogger('simple_example')
self.logger = logger
self.logger.debug('In asg.fasguardStixRule')
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "Unknown"
et = ExploitTarget(title="From FASGuard")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="FASGuard Produced Signatures")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title="Snort Signature from FASGuard")
indicator.confidence = Confidence(confidence)
tm = SnortTestMechanism()
tm.rules = self.ruleList
tm.efficacy = efficacy
tm.producer = InformationSource(identity=Identity(name="FASGuard"))
tm.producer.references = ["http://fasguard.github.io/"]
indicator.test_mechanisms = [tm]
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
return stix_package.to_xml()
# stixDict = {'campaigns': [{}],
# 'courses_of_action': [{}],
# 'exploit_targets': [{}],
# 'id': 'INSERT_PACKAGE_ID_HERE'}
# stixDict['indicators'] = [{'indicator':
# {'title':
# 'Automatically Generated FASGuard Signatures',
# 'test_mechanisms':
# {'test_mechanism':
# {'efficacy':'Low',
# 'producer':
# {'Identity':'FASGuard'},
# 'rule':'xyz'}}}}
# ]
stix_package = STIXPackage.from_dict(stixDict)
stix_xml = stix_package.to_xml()
return stix_xml
def toStixXml(self):
"""
This method converts a DetectorEvent object into a STIX compliant XML
string ready for output. It first converts the object into a hash of the
right format and then converts it into XML using STIXPackage.from_dict
and to_xml on the resulting object.
Returns:
Reference to string containing STIX/CybOX XML file.
"""
self.logger.debug('In toStixXml')
stixDict = {'campaigns': [{}],
'courses_of_action': [{}],
'exploit_targets': [{}],
'id': 'INSERT_PACKAGE_ID_HERE'}
stixDict['incidents'] = []
stixDict['indicators'] = [{}]
stixDict['observables'] = {'major_version': 2,
'minor_version': 1,
'observables': [{}],
'update_version': 0}
stixDict['stix_header'] = {'description': 'DESCRIPTION',
# 'handling':
# [{'controlled_structure':
# '//node()',
# 'marking_structures':
# [{'color': 'WHITE',
# 'xsi:type':
# 'tlpMarking:TLPMarkingStructureType'}]},
# {'controlled_structure':
# '//node()',
# 'marking_structures':
# [{'xsi:type':
# 'simpleMarking:SimpleMarkingStructureType'}]},
# {'controlled_structure': '//node()',
# 'marking_structures':
# [{'xsi:type':
# 'TOUMarking:TermsOfUseMarkingStructureType'}]}],
'information_source': {'identity': {},
'time':
{'produced_time':
'2014-12-31T08:00:00+00:00'},
'tools': [{}]},
'package_intents': [{'value': 'Incident',
'xsi:type':
'stixVocabs:PackageIntentVocab-1.0'}],
'title': 'TITLE'}
stixDict['threat_actors'] = [{}]
# stixDict['ttps'] = {'kill_chains':
# {'kill_chains': [{'kill_chain_phases': [{}]}]},
# 'ttps': [{}]}
stixDict['version'] = '1.1.1'
if (((not self.multiAttackFlag) or (not self.attackBoundaryFlag))
and
len(self.attackInstanceList) != 1):
self.logger.error('For non-multiple attack or non-boundary attack '+
'had more than one attack instance')
sys.exit(-1)
description_string = '\n\t\t\t\tMultipleAttack = '
description_string += 'TRUE' if self.multiAttackFlag else 'FALSE'
description_string += '\n\t\t\t\tAttackBoundaries = '
description_string += 'TRUE' if self.attackBoundaryFlag else 'FALSE'
description_string += '\n\t\t\t'
for attack_instance in self.attackInstanceList:
related_observables_hash = {'description' : description_string,
'related_observables':
{'observables': [],
'scope':'exclusive'}}
observables_list = (related_observables_hash['related_observables']
['observables'])
stixDict['incidents'].append(related_observables_hash)
for packet in attack_instance.packetList:
f_sec,sec = math.modf(packet.timeStamp)
self.logger.debug('%f %f',sec,f_sec)
dtime = datetime.datetime.fromtimestamp(
int(sec)).strftime('%Y-%m-%dT%H:%M:%S')+'.'+(
str(int(f_sec*1000000)))
#dtime = '2014-10-13T14:08:00.002000+00:00'
self.logger.debug('dtime = '+dtime)
observable_dict = {}
data_dict = {}
properties_dict = {}
packet_dict = {}
observable_dict['observable'] = data_dict
data_dict['keywords'] = ['LinkType=ethernet',
u'ProbAttack=' +
str(packet.probAttack)]
data_dict['object'] = properties_dict
properties_dict['properties'] = packet_dict
packet_dict['packaging'] = [{'algorithm': 'Base64',
'packaging_type': 'encoding'}]
packet_dict['raw_artifact'] = base64.b64encode(
str(packet.packet))
eth = dpkt.ethernet.Ethernet(str(packet.packet))
self.logger.debug('eth as string: %s',pformat(eth))
b64_decode = base64.b64decode(base64.b64encode(packet.packet))
v1 = pformat(packet.packet)
self.logger.debug('First version: %s',str(packet.packet).encode('hex'))
v2 = pformat(packet.packet)
self.logger.debug('Second version: %s',b64_decode.encode('hex'))
pprint(b64_decode)
# if b64_decode != packet.packet:
# self.logger.debug('Round trip failed')
# self.logger.debug('Types: %s, %s',type(b64_decode),
# type(packet.packet))
# self.logger.debug('Length %d -> %d',
# len(b64_decode),len(packet.packet))
# packet_list = list(packet.packet)
# b64_list = list(b64_decode)
# for i in range(len(packet.packet)):
# if packet_list[i] != b64_list[i]:
# self.logger.debug('%s != %s',packet_list[i],
# b64_list[i])
# # for i in list(packet.packet):
# # self.logger.debug('Orig: %s',i)
# # for i in list(b64_decode):
# # self.logger.debug('Decode: %s',i)
# sys.exit(-1)
packet_dict['type'] = 'Network Traffic'
packet_dict['xsi:type'] = 'ArtifactObjectType'
data_dict['observable_source'] = [
{'time':{'received_time':dtime}
}
]
observables_list.append(observable_dict)
ofh = open('stix_dict.out', 'w')
ofh.write(pformat(stixDict))
self.logger.debug('Wrote stix dictionary to stix_dict.out')
stix_package = STIXPackage.from_dict(stixDict)
self.logger.debug('After constructor')
stix_xml = stix_package.to_xml()
return stix_xml
def toStixXml(self, confidence, efficacy):
"""
This method converts a list of FASGuard generated Snort rules into a STIX
compliant XML string ready for output. It first converts the object
into a hash of the right format and then converts it into XML using
STIXPackage.from_dict and to_xml on the resulting object.
Arguments:
confidence - High, Medium or Low. High means low false alarm rate.
efficacy - High, Medium or Low. High means a low missed detection rate.
Returns:
Reference to string containing STIX/CybOX XML file.
"""
logger = logging.getLogger('simple_example')
self.logger = logger
self.logger.debug('In asg.fasguardStixRule')
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "Unknown"
et = ExploitTarget(title="From FASGuard")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="FASGuard Produced Signatures")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title = "Snort Signature from FASGuard")
indicator.confidence = Confidence(confidence)
tm = SnortTestMechanism()
tm.rules = self.ruleList
tm.efficacy = efficacy
tm.producer = InformationSource(identity=Identity(name="FASGuard"))
tm.producer.references = ["http://fasguard.github.io/"]
indicator.test_mechanisms = [tm]
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
return stix_package.to_xml()
# stixDict = {'campaigns': [{}],
# 'courses_of_action': [{}],
# 'exploit_targets': [{}],
# 'id': 'INSERT_PACKAGE_ID_HERE'}
# stixDict['indicators'] = [{'indicator':
# {'title':
# 'Automatically Generated FASGuard Signatures',
# 'test_mechanisms':
# {'test_mechanism':
# {'efficacy':'Low',
# 'producer':
# {'Identity':'FASGuard'},
# 'rule':'xyz'}}}}
# ]
stix_package = STIXPackage.from_dict(stixDict)
stix_xml = stix_package.to_xml()
return stix_xml
