def _stix_ip_observable(namespace, indicator, value):
    """Build CybOX Address observables for an IP or IP-range indicator.

    ``indicator`` is either a single address or a ``start-end`` range. A
    range is summarised into its minimal CIDR cover with netaddr and one
    observable is emitted per block (a range whose two ends are equal is
    treated as the single address). ``value['type']`` selects the address
    category -- ``'IPv6'`` maps to CAT_IPV6, anything else to CAT_IPV4 --
    and is echoed in each observable's title. Each observable gets a fresh
    ``<namespace>:observable-<uuid4>`` id.

    Returns a list of ``cybox.core.Observable``.

    Malformed or reversed ranges are not caught here: netaddr raises on
    them, which surfaces bad feed data instead of silently emitting nothing.
    """
    address_cls = cybox.objects.address_object.Address
    if value['type'] == 'IPv6':
        category = address_cls.CAT_IPV6
    else:
        category = address_cls.CAT_IPV4

    if '-' in indicator:
        # "a-b" range: collapse to CIDR blocks, or to the single address
        # when both ends coincide
        start, end = indicator.split('-', 1)
        if start == end:
            addresses = [start]
        else:
            addresses = [str(block) for block in netaddr.IPRange(start, end).cidrs()]
    else:
        addresses = [indicator]

    result = []
    for address in addresses:
        observable_id = '{}:observable-{}'.format(namespace, uuid.uuid4())
        address_obj = address_cls(address_value=address, category=category)
        observable = cybox.core.Observable(
            title='{}: {}'.format(value['type'], address),
            id_=observable_id,
            item=address_obj
        )
        result.append(observable)
    return result
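def _stix_socket_observable(namespace, indicator, value):
    """Build a CybOX SocketAddress observable for a ``<host>|<port>`` indicator.

    ``indicator`` is ``'<address>|<port>'``; which fields are used is
    driven by substrings of ``value['type']``:

    * ``'.port'`` in the type: the second field becomes a Port object.
    * ``'hostname.'`` in the type: the first field becomes a Hostname object.
    * ``'IP'`` in the type: the first field becomes an Address object
      (CAT_IPV6 when the type also contains ``'IPv6'``, else CAT_IPV4).

    The observable gets a fresh ``<namespace>:observable-<uuid4>`` id and a
    title of ``'<type>: <indicator>'``. Returns a one-element list holding
    the ``cybox.core.Observable``.

    Known limitation: an IP range ``a-b`` in the address field is
    summarised into CIDR blocks but only the first block is attached to
    the socket address -- the rest of the range is dropped, so consumers
    of this observable will under-match such ranges.

    Raises IndexError when the type asks for a field the indicator does
    not have (no ``'|'`` present); netaddr raises on malformed ranges.
    """
    id_ = '{}:observable-{}'.format(namespace, uuid.uuid4())
    so = cybox.objects.socket_address_object.SocketAddress()
    elems = indicator.split('|')
    indicator_type = value['type']

    if '.port' in indicator_type:
        po = cybox.objects.port_object.Port()
        po.port_value = elems[1]
        so.port = po

    if 'hostname.' in indicator_type:
        ho = cybox.objects.hostname_object.Hostname()
        ho.hostname_value = elems[0]
        so.hostname = ho

    if 'IP' in indicator_type:
        address_cls = cybox.objects.address_object.Address
        category = address_cls.CAT_IPV4
        if 'IPv6' in indicator_type:
            category = address_cls.CAT_IPV6

        address_field = elems[0]
        indicators = [address_field]
        # Look for the range separator in the address field only. Scanning
        # the whole indicator meant a '-' anywhere after the '|' triggered
        # range parsing on a field with no '-' and failed on the unpack.
        if '-' in address_field:
            a1, a2 = address_field.split('-', 1)
            if a1 == a2:
                # same IP on both ends: not really a range
                indicators = [a1]
            else:
                # netaddr summarises the range into the minimal CIDR cover;
                # materialise it as a list so indexing below also works
                # on Python 3, where map() is lazy.
                cidrs = netaddr.IPRange(a1, a2).cidrs()
                indicators = [str(c) for c in cidrs]

        ao = address_cls(address_value=indicators[0], category=category)
        so.ip_address = ao

    o = cybox.core.Observable(
        title='{}: {}'.format(indicator_type, indicator),
        id_=id_,
        item=so
    )
    return [o]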
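def _stix_whois_observable(namespace, indicator, value):
    """Build a CybOX WhoisEntry observable for a ``<domain>|<address>`` indicator.

    The first ``'|'``-separated field becomes the entry's domain name
    (wrapped in a URI object); the second becomes its Address object,
    categorised CAT_IPV6 when ``value['type']`` contains ``'IPv6'`` and
    CAT_IPV4 otherwise. The observable gets a fresh
    ``<namespace>:observable-<uuid4>`` id and a ``'<type>: <indicator>'``
    title. Returns a one-element list holding the ``cybox.core.Observable``.

    Known limitation: an address range ``a-b`` is summarised into CIDR
    blocks but only the first block is attached, so the emitted
    observable covers less than the source range.

    Raises IndexError when the indicator has no ``'|'``; netaddr raises on
    malformed ranges.
    """
    id_ = '{}:observable-{}'.format(namespace, uuid.uuid4())
    elems = indicator.split('|')

    wo = cybox.objects.whois_object.WhoisEntry()
    wo.domain_name = cybox.objects.uri_object.URI(value=elems[0])

    address_cls = cybox.objects.address_object.Address
    category = address_cls.CAT_IPV4
    if 'IPv6' in value['type']:
        category = address_cls.CAT_IPV6

    address_field = elems[1]
    indicators = [address_field]
    # Look for the range separator in the address field only. The old
    # check scanned the whole indicator, so any hyphenated domain name
    # ("my-host.example|1.2.3.4") triggered range parsing on an address
    # with no '-' in it and failed on the tuple unpack.
    if '-' in address_field:
        a1, a2 = address_field.split('-', 1)
        if a1 == a2:
            # same IP on both ends: not really a range
            indicators = [a1]
        else:
            # netaddr summarises the range into the minimal CIDR cover;
            # materialise it as a list so indexing below also works on
            # Python 3, where map() is lazy.
            cidrs = netaddr.IPRange(a1, a2).cidrs()
            indicators = [str(c) for c in cidrs]

    wo.ip_address = address_cls(address_value=indicators[0], category=category)

    o = cybox.core.Observable(
        title='{}: {}'.format(value['type'], indicator),
        id_=id_,
        item=wo
    )
    return [o]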
def _stix_ip_observable(namespace, indicator, value):
    """Return one CybOX Address observable per address block in ``indicator``.

    ``indicator`` is a single IP or a ``start-end`` range; a range is
    summarised into CIDR blocks by netaddr (a range with identical ends
    collapses to that one address). ``value['type']`` picks the address
    category (``'IPv6'`` -> CAT_IPV6, otherwise CAT_IPV4) and is used in
    every observable's ``'<type>: <address>'`` title. Ids are
    ``<namespace>:observable-<uuid4>``.

    netaddr raises on malformed or reversed ranges; nothing is caught here
    so bad feed data is surfaced rather than silently dropped.
    """
    address_type = value['type']
    address_cls = cybox.objects.address_object.Address
    category = address_cls.CAT_IPV6 if address_type == 'IPv6' else address_cls.CAT_IPV4

    def _expand(raw):
        # single address, or the CIDR cover of an "a-b" range
        if '-' not in raw:
            return [raw]
        low, high = raw.split('-', 1)
        if low == high:
            return [low]
        return [str(block) for block in netaddr.IPRange(low, high).cidrs()]

    def _observable(address):
        return cybox.core.Observable(
            title='{}: {}'.format(address_type, address),
            id_='{}:observable-{}'.format(namespace, uuid.uuid4()),
            item=address_cls(address_value=address, category=category)
        )

    return [_observable(address) for address in _expand(indicator)]
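def _stix_filename_hash_observable(namespace, indicator, value):
    """Build a CybOX File observable for a ``<filename>|<hash>`` indicator.

    The first ``'|'``-separated field is set as the file name and the
    second is attached via ``File.add_hash``. The observable gets a fresh
    ``<namespace>:observable-<uuid4>`` id and a ``'<type>: <indicator>'``
    title. Returns a one-element list holding the ``cybox.core.Observable``.

    Raises IndexError when the indicator has no ``'|'``.
    """
    id_ = '{}:observable-{}'.format(namespace, uuid.uuid4())

    fields = indicator.split('|')
    filename = fields[0]
    # named ``digest`` rather than ``hash`` so the builtin is not shadowed
    digest = fields[1]

    uo = cybox.objects.file_object.File()
    # add_hash picks the hash type from the length of the given string, so
    # nothing here checks that the value is actually hex of a known length;
    # an unexpected length is the library's problem to reject. Per the
    # original author's note, ssdeep hashes are not correctly supported by
    # the library.
    uo.add_hash(digest)
    uo.file_name = filename

    o = cybox.core.Observable(
        title='{}: {}'.format(value['type'], indicator),
        id_=id_,
        item=uo
    )
    return [o]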
def _stix_registry_key_observable(namespace, indicator, value):
    """Build a CybOX WinRegistryKey observable for a registry indicator.

    When ``value['type']`` contains ``'value'`` the indicator is read as
    ``'<key>|<value name>'``: the first field becomes the key and the
    second is attached as a single RegistryValue (name only). Otherwise the
    whole indicator is the key. The observable gets a fresh
    ``<namespace>:observable-<uuid4>`` id and a ``'<type>: <indicator>'``
    title. Returns a one-element list holding the ``cybox.core.Observable``.

    Raises IndexError in the value case when the indicator has no ``'|'``.
    """
    observable_id = '{}:observable-{}'.format(namespace, uuid.uuid4())
    registry_mod = cybox.objects.win_registry_key_object
    key_obj = registry_mod.WinRegistryKey()

    if 'value' not in value['type']:
        key_obj.key = indicator
    else:
        key_path, value_name = indicator.split('|')[0], indicator.split('|')[1]
        key_obj.key = key_path
        # a single named value under the key; no data/type is carried
        reg_value = registry_mod.RegistryValue()
        reg_value.name = value_name
        key_obj.values = registry_mod.RegistryValues()
        key_obj.values.value = [reg_value]

    observable = cybox.core.Observable(
        title='{}: {}'.format(value['type'], indicator),
        id_=observable_id,
        item=key_obj
    )
    return [observable]