def _stix_ip_observable(namespace, indicator, value):
category = cybox.objects.address_object.Address.CAT_IPV4
if value['type'] == 'IPv6':
category = cybox.objects.address_object.Address.CAT_IPV6
indicators = [indicator]
if '-' in indicator:
# looks like an IP Range, let's try to make it a CIDR
a1, a2 = indicator.split('-', 1)
if a1 == a2:
# same IP
indicators = [a1]
else:
# use netaddr builtin algo to summarize range into CIDR
iprange = netaddr.IPRange(a1, a2)
cidrs = iprange.cidrs()
indicators = map(str, cidrs)
observables = []
for i in indicators:
id_ = '{}:observable-{}'.format(namespace, uuid.uuid4())
ao = cybox.objects.address_object.Address(address_value=i,
category=category)
o = cybox.core.Observable(title='{}: {}'.format(value['type'], i),
id_=id_,
item=ao)
observables.append(o)
return observables
def _stix_socket_observable(namespace, indicator, value):
id_ = '{}:observable-{}'.format(
namespace,
uuid.uuid4()
)
so = cybox.objects.socket_address_object.SocketAddress()
elems = indicator.split('|')
if ('.port' in value['type']):
po = cybox.objects.port_object.Port()
po.port_value = elems[1]
so.port = po
if ('hostname.' in value['type']):
ho = cybox.objects.hostname_object.Hostname()
ho.hostname_value = elems[0]
so.hostname = ho
if ('IP' in value['type']):
category = cybox.objects.address_object.Address.CAT_IPV4
if ('IPv6' in value['type']):
category = cybox.objects.address_object.Address.CAT_IPV6
indicators = [elems[0]]
if '-' in indicator:
# looks like an IP Range, let's try to make it a CIDR
a1, a2 = elems[0].split('-', 1)
if a1 == a2:
# same IP
indicators = [a1]
else:
# use netaddr builtin algo to summarize range into CIDR
iprange = netaddr.IPRange(a1, a2)
cidrs = iprange.cidrs()
indicators = map(str, cidrs)
ao = cybox.objects.address_object.Address(
address_value=indicators[0],
category=category
)
so.ip_address = ao
o = cybox.core.Observable(
title='{}: {}'.format(value['type'], indicator),
id_=id_,
item=so
)
return [o]
def _stix_whois_observable(namespace, indicator, value):
id_ = '{}:observable-{}'.format(
namespace,
uuid.uuid4()
)
elems = indicator.split('|')
wo = cybox.objects.whois_object.WhoisEntry()
wo.domain_name = cybox.objects.uri_object.URI(
value=elems[0]
)
category = cybox.objects.address_object.Address.CAT_IPV4
if ('IPv6' in value['type']):
category = cybox.objects.address_object.Address.CAT_IPV6
indicators = [elems[1]]
if '-' in indicator:
# looks like an IP Range, let's try to make it a CIDR
a1, a2 = elems[1].split('-', 1)
if a1 == a2:
# same IP
indicators = [a1]
else:
# use netaddr builtin algo to summarize range into CIDR
iprange = netaddr.IPRange(a1, a2)
cidrs = iprange.cidrs()
indicators = map(str, cidrs)
ao = cybox.objects.address_object.Address(
address_value=indicators[0],
category=category
)
wo.ip_address = ao
o = cybox.core.Observable(
title='{}: {}'.format(value['type'], indicator),
id_=id_,
item=wo
)
return [o]
def _stix_ip_observable(namespace, indicator, value):
category = cybox.objects.address_object.Address.CAT_IPV4
if value['type'] == 'IPv6':
category = cybox.objects.address_object.Address.CAT_IPV6
indicators = [indicator]
if '-' in indicator:
# looks like an IP Range, let's try to make it a CIDR
a1, a2 = indicator.split('-', 1)
if a1 == a2:
# same IP
indicators = [a1]
else:
# use netaddr builtin algo to summarize range into CIDR
iprange = netaddr.IPRange(a1, a2)
cidrs = iprange.cidrs()
indicators = map(str, cidrs)
observables = []
for i in indicators:
id_ = '{}:observable-{}'.format(
namespace,
uuid.uuid4()
)
ao = cybox.objects.address_object.Address(
address_value=i,
category=category
)
o = cybox.core.Observable(
title='{}: {}'.format(value['type'], i),
id_=id_,
item=ao
)
observables.append(o)
return observables
def _stix_filename_hash_observable(namespace, indicator, value):
id_ = '{}:observable-{}'.format(
namespace,
uuid.uuid4()
)
splitted = indicator.split('|')
filename = splitted[0]
hash = splitted[1]
uo = cybox.objects.file_object.File()
# add_hash automatically detects type of hash using the length of the given
# parameter. Currently ssdeep hashes are not correctly supported by the library
uo.add_hash(hash)
uo.file_name = filename
o = cybox.core.Observable(
title='{}: {}'.format(value['type'], indicator),
id_=id_,
item=uo
)
return [o]
def _stix_registry_key_observable(namespace, indicator, value):
id_ = '{}:observable-{}'.format(
namespace,
uuid.uuid4()
)
ro = cybox.objects.win_registry_key_object.WinRegistryKey()
if 'value' in value['type']:
elems = indicator.split('|')
ro.key = elems[0]
vo = cybox.objects.win_registry_key_object.RegistryValue()
vo.name = elems[1]
ro.values = cybox.objects.win_registry_key_object.RegistryValues()
ro.values.value = [vo]
else:
ro.key = indicator
o = cybox.core.Observable(
title='{}: {}'.format(value['type'], indicator),
id_=id_,
item=ro
)
return [o]