def to_cybox_observable(self): """ Convert a Certificate to a CybOX Observables. Returns a tuple of (CybOX object, releasability list). To get the cybox object as xml or json, call to_xml() or to_json(), respectively, on the resulting CybOX object. """ custom_prop = Property( ) # make a custom property so CRITs import can identify Certificate exports custom_prop.name = "crits_type" custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents" custom_prop._value = "Certificate" obj = File() # represent cert information as file obj.md5 = self.md5 obj.file_name = self.filename obj.file_format = self.filetype obj.size_in_bytes = self.size obj.custom_properties = CustomProperties() obj.custom_properties.append(custom_prop) obs = Observable(obj) obs.description = self.description data = self.filedata.read() if data: # if cert data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data a.packaging.append(Base64Encoding()) obj.add_related(a, "Child_Of") # relate artifact to file return ([obs], self.releasability)
def to_cybox_observable(self): """ Convert a Certificate to a CybOX Observables. Returns a tuple of (CybOX object, releasability list). To get the cybox object as xml or json, call to_xml() or to_json(), respectively, on the resulting CybOX object. """ custom_prop = Property() # make a custom property so CRITs import can identify Certificate exports custom_prop.name = "crits_type" custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents" custom_prop._value = "Certificate" obj = File() # represent cert information as file obj.md5 = self.md5 obj.file_name = self.filename obj.file_format = self.filetype obj.size_in_bytes = self.size obj.custom_properties = CustomProperties() obj.custom_properties.append(custom_prop) obs = Observable(obj) obs.description = self.description data = self.filedata.read() if data: # if cert data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data a.packaging.append(Base64Encoding()) obj.add_related(a, "Child_Of") # relate artifact to file return ([obs], self.releasability)
def set_property(self, property_name, property_value): p = self.get_property(property_name) if p is None: p = Property() p.name = property_name self.custom_properties.append(p) p.value = property_value
def add_custom_property(self, instance, attribute): if not instance.custom_properties: cust_props = CustomProperties() instance.custom_properties = cust_props custom_prop = Property() custom_prop.name = attribute.definition.name custom_prop.description = attribute.definition.description custom_prop._value = attribute.value if hasattr(custom_prop._value, 'condition'): custom_prop._value.condition = self.get_condition(attribute) if hasattr(custom_prop, 'condition'): custom_prop.condition = self.get_condition(attribute) instance.custom_properties.append(custom_prop)
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"): """ Convert a CRITs TLO to a CybOX Observable. :param obj: The TLO to convert. :type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes` :param exclude: Attributes to exclude. :type exclude: list :param bin_fmt: The format for the binary (if applicable). :type bin_fmt: str """ type_ = obj._meta['crits_type'] if type_ == 'Certificate': custom_prop = Property( ) # make a custom property so CRITs import can identify Certificate exports custom_prop.name = "crits_type" custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents" custom_prop._value = "Certificate" obje = File() # represent cert information as file obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.filetype obje.size_in_bytes = obj.size obje.custom_properties = CustomProperties() obje.custom_properties.append(custom_prop) obs = Observable(obje) obs.description = obj.description data = obj.filedata.read() if data: # if cert data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data a.packaging.append(Base64Encoding()) obje.add_related(a, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'Domain': obje = DomainName() obje.value = obj.domain obje.type_ = obj.record_type return ([Observable(obje)], obj.releasability) elif type_ == 'Email': if exclude == None: exclude = [] observables = [] obje = EmailMessage() # Assume there is going to be at least one header obje.header = EmailHeader() if 'message_id' not in exclude: obje.header.message_id = String(obj.message_id) if 'subject' not in exclude: obje.header.subject = String(obj.subject) if 'sender' not in exclude: obje.header.sender = Address(obj.sender, Address.CAT_EMAIL) if 'reply_to' not in exclude: obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL) if 'x_originating_ip' not in exclude: obje.header.x_originating_ip = Address(obj.x_originating_ip, Address.CAT_IPV4) if 'x_mailer' not in exclude: obje.header.x_mailer = String(obj.x_mailer) if 'boundary' not in exclude: obje.header.boundary = String(obj.boundary) if 'raw_body' not in exclude: obje.raw_body = obj.raw_body if 'raw_header' not in exclude: obje.raw_header = obj.raw_header #copy fields where the names differ between objects if 'helo' not in exclude and 'email_server' not in exclude: obje.email_server = String(obj.helo) if ('from_' not in exclude and 'from' not in exclude and 'from_address' not in exclude): obje.header.from_ = EmailAddress(obj.from_address) if 'date' not in exclude and 'isodate' not in exclude: obje.header.date = DateTime(obj.isodate) obje.attachments = Attachments() observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'Indicator': observables = [] obje = make_cybox_object(obj.ind_type, obj.value) observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'IP': obje = Address() obje.address_value = obj.ip if obj.ip_type == IPTypes.IPv4_ADDRESS: obje.category = "ipv4-addr" elif obj.ip_type == IPTypes.IPv6_ADDRESS: obje.category = "ipv6-addr" elif obj.ip_type == IPTypes.IPv4_SUBNET: obje.category = "ipv4-net" elif obj.ip_type == IPTypes.IPv6_SUBNET: obje.category = "ipv6-subnet" return ([Observable(obje)], obj.releasability) elif type_ == 'PCAP': obje = File() obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.contentType obje.size_in_bytes = obj.length obs = Observable(obje) obs.description = obj.description art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK) art.packaging.append(Base64Encoding()) obje.add_related(art, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'RawData': obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE) obje.packaging.append(Base64Encoding()) obs = Observable(obje) obs.description = obj.description return ([obs], obj.releasability) elif type_ == 'Sample': if exclude == None: exclude = [] observables = [] f = File() for attr in ['md5', 'sha1', 'sha256']: if attr not in exclude: val = getattr(obj, attr, None) if val: setattr(f, attr, val) if obj.ssdeep and 'ssdeep' not in exclude: f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP)) if 'size' not in exclude and 'size_in_bytes' not in exclude: f.size_in_bytes = UnsignedLong(obj.size) if 'filename' not in exclude and 'file_name' not in exclude: f.file_name = obj.filename # create an Artifact object for the binary if it exists if 'filedata' not in exclude and bin_fmt: data = obj.filedata.read() if data: # if sample data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data if bin_fmt == "zlib": a.packaging.append(ZlibCompression()) a.packaging.append(Base64Encoding()) elif bin_fmt == "base64": a.packaging.append(Base64Encoding()) f.add_related(a, "Child_Of") # relate artifact to file if 'filetype' not in exclude and 'file_format' not in exclude: #NOTE: this doesn't work because the CybOX File object does not # have any support built in for setting the filetype to a # CybOX-binding friendly object (e.g., calling .to_dict() on # the resulting CybOX object fails on this field. f.file_format = obj.filetype observables.append(Observable(f)) return (observables, obj.releasability) else: return (None, None)
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"): """ Convert a CRITs TLO to a CybOX Observable. :param obj: The TLO to convert. :type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes` :param exclude: Attributes to exclude. :type exclude: list :param bin_fmt: The format for the binary (if applicable). :type bin_fmt: str """ type_ = obj._meta['crits_type'] if type_ == 'Certificate': custom_prop = Property() # make a custom property so CRITs import can identify Certificate exports custom_prop.name = "crits_type" custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents" custom_prop._value = "Certificate" obje = File() # represent cert information as file obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.filetype obje.size_in_bytes = obj.size obje.custom_properties = CustomProperties() obje.custom_properties.append(custom_prop) obs = Observable(obje) obs.description = obj.description data = obj.filedata.read() if data: # if cert data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data a.packaging.append(Base64Encoding()) obje.add_related(a, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'Domain': obje = DomainName() obje.value = obj.domain obje.type_ = obj.record_type return ([Observable(obje)], obj.releasability) elif type_ == 'Email': if exclude == None: exclude = [] observables = [] obje = EmailMessage() # Assume there is going to be at least one header obje.header = EmailHeader() if 'message_id' not in exclude: obje.header.message_id = String(obj.message_id) if 'subject' not in exclude: obje.header.subject = String(obj.subject) if 'sender' not in exclude: obje.header.sender = Address(obj.sender, Address.CAT_EMAIL) if 'reply_to' not in exclude: obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL) if 'x_originating_ip' not in exclude: obje.header.x_originating_ip = Address(obj.x_originating_ip, Address.CAT_IPV4) if 'x_mailer' not in exclude: obje.header.x_mailer = String(obj.x_mailer) if 'boundary' not in exclude: obje.header.boundary = String(obj.boundary) if 'raw_body' not in exclude: obje.raw_body = obj.raw_body if 'raw_header' not in exclude: obje.raw_header = obj.raw_header #copy fields where the names differ between objects if 'helo' not in exclude and 'email_server' not in exclude: obje.email_server = String(obj.helo) if ('from_' not in exclude and 'from' not in exclude and 'from_address' not in exclude): obje.header.from_ = EmailAddress(obj.from_address) if 'date' not in exclude and 'isodate' not in exclude: obje.header.date = DateTime(obj.isodate) obje.attachments = Attachments() observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'Indicator': observables = [] obje = make_cybox_object(obj.ind_type, obj.value) observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'IP': obje = Address() obje.address_value = obj.ip if obj.ip_type == IPTypes.IPv4_ADDRESS: obje.category = "ipv4-addr" elif obj.ip_type == IPTypes.IPv6_ADDRESS: obje.category = "ipv6-addr" elif obj.ip_type == IPTypes.IPv4_SUBNET: obje.category = "ipv4-net" elif obj.ip_type == IPTypes.IPv6_SUBNET: obje.category = "ipv6-subnet" return ([Observable(obje)], obj.releasability) elif type_ == 'PCAP': obje = File() obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.contentType obje.size_in_bytes = obj.length obs = Observable(obje) obs.description = obj.description art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK) art.packaging.append(Base64Encoding()) obje.add_related(art, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'RawData': obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE) obje.packaging.append(Base64Encoding()) obs = Observable(obje) obs.description = obj.description return ([obs], obj.releasability) elif type_ == 'Sample': if exclude == None: exclude = [] observables = [] f = File() for attr in ['md5', 'sha1', 'sha256']: if attr not in exclude: val = getattr(obj, attr, None) if val: setattr(f, attr, val) if obj.ssdeep and 'ssdeep' not in exclude: f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP)) if 'size' not in exclude and 'size_in_bytes' not in exclude: f.size_in_bytes = UnsignedLong(obj.size) if 'filename' not in exclude and 'file_name' not in exclude: f.file_name = obj.filename # create an Artifact object for the binary if it exists if 'filedata' not in exclude and bin_fmt: data = obj.filedata.read() if data: # if sample data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data if bin_fmt == "zlib": a.packaging.append(ZlibCompression()) a.packaging.append(Base64Encoding()) elif bin_fmt == "base64": a.packaging.append(Base64Encoding()) f.add_related(a, "Child_Of") # relate artifact to file if 'filetype' not in exclude and 'file_format' not in exclude: #NOTE: this doesn't work because the CybOX File object does not # have any support built in for setting the filetype to a # CybOX-binding friendly object (e.g., calling .to_dict() on # the resulting CybOX object fails on this field. f.file_format = obj.filetype observables.append(Observable(f)) return (observables, obj.releasability) else: return (None, None)
def make_cybox_object(type_, name=None, value=None): """ Converts type_, name, and value to a CybOX object instance. :param type_: The object type. :type type_: str :param name: The object name. :type name: str :param value: The object value. :type value: str :returns: CybOX object """ if type_ == "Account": acct = Account() acct.description = value return acct elif type_ == "Address": return Address(category=name, address_value=value) elif type_ == "Email Message": e = EmailMessage() e.raw_body = value return e elif type_ == "API": api = API() api.description = value return api elif type_ == "Artifact": if name == "Data Region": atype = Artifact.TYPE_GENERIC elif name == 'FileSystem Fragment': atype = Artifact.TYPE_FILE_SYSTEM elif name == 'Memory Region': atype = Artifact.TYPE_MEMORY else: raise UnsupportedCybOXObjectTypeError(type_, name) return Artifact(value, atype) elif type_ == "Code": obj = Code() obj.code_segment = value obj.type = name return obj elif type_ == "Disk": disk = Disk() disk.disk_name = type_ disk.type = name return disk elif type_ == "Disk Partition": disk = DiskPartition() disk.device_name = type_ disk.type = name return disk elif type_ == "DNS Query": r = URI() r.value = value dq = DNSQuestion() dq.qname = r d = DNSQuery() d.question = dq return d elif type_ == "DNS Record": # DNS Record indicators in CRITs are just a free form text box, there # is no good way to map them into the attributes of a DNSRecord cybox # object. So just stuff it in the description until someone tells me # otherwise. d = StructuredText(value=value) dr = DNSRecord() dr.description = d return dr elif type_ == "GUI Dialogbox": obj = GUIDialogbox() obj.box_text = value return obj elif type_ == "GUI Window": obj = GUIWindow() obj.window_display_name = value return obj elif type_ == "HTTP Request Header Fields" and name and name == "User-Agent": # TODO/NOTE: HTTPRequestHeaderFields has a ton of fields for info. # we should revisit this as UI is reworked or CybOX is improved. obj = HTTPRequestHeaderFields() obj.user_agent = value return obj elif type_ == "Library": obj = Library() obj.name = value obj.type = name return obj elif type_ == "Memory": obj = Memory() obj.memory_source = value return obj elif type_ == "Mutex": m = Mutex() m.named = True m.name = String(value) return m elif type_ == "Network Connection": obj = NetworkConnection() obj.layer7_protocol = value return obj elif type_ == "Pipe": p = Pipe() p.named = True p.name = String(value) return p elif type_ == "Port": p = Port() try: p.port_value = PositiveInteger(value) except ValueError: # XXX: Raise a better exception... raise UnsupportedCybOXObjectTypeError(type_, name) return p elif type_ == "Process": p = Process() p.name = String(value) return p elif type_ == "String": c = Custom() c.custom_name = "crits:String" c.description = ("This is a generic string used as the value of an " "Indicator or Object within CRITs.") c.custom_properties = CustomProperties() p1 = Property() p1.name = "value" p1.description = "Generic String" p1.value = value c.custom_properties.append(p1) return c elif type_ == "System": s = System() s.hostname = String(value) return s elif type_ == "URI": r = URI() r.type_ = name r.value = value return r elif type_ == "User Account": obj = UserAccount() obj.username = value return obj elif type_ == "Volume": obj = Volume() obj.name = value return obj elif type_ == "Win Driver": w = WinDriver() w.driver_name = String(value) return w elif type_ == "Win Event Log": obj = WinEventLog() obj.log = value return obj elif type_ == "Win Event": w = WinEvent() w.name = String(value) return w elif type_ == "Win Handle": obj = WinHandle() obj.type_ = name obj.object_address = value return obj elif type_ == "Win Kernel Hook": obj = WinKernelHook() obj.description = value return obj elif type_ == "Win Mailslot": obj = WinMailslot() obj.name = value return obj elif type_ == "Win Network Share": obj = WinNetworkShare() obj.local_path = value return obj elif type_ == "Win Process": obj = WinProcess() obj.window_title = value return obj elif type_ == "Win Registry Key": obj = WinRegistryKey() obj.key = value return obj elif type_ == "Win Service": obj = WinService() obj.service_name = value return obj elif type_ == "Win System": obj = WinSystem() obj.product_name = value return obj elif type_ == "Win Task": obj = WinTask() obj.name = value return obj elif type_ == "Win User Account": obj = WinUser() obj.security_id = value return obj elif type_ == "Win Volume": obj = WinVolume() obj.drive_letter = value return obj elif type_ == "X509 Certificate": obj = X509Certificate() obj.raw_certificate = value return obj """ The following are types that are listed in the 'Indicator Type' box of the 'New Indicator' dialog in CRITs. These types, unlike those handled above, cannot be written to or read from CybOX at this point. The reason for the type being omitted is written as a comment inline. This can (and should) be revisited as new versions of CybOX are released. NOTE: You will have to update the corresponding make_crits_object function with handling for the reverse direction. In the mean time, these types will raise unsupported errors. """ #elif type_ == "Device": # No CybOX API #elif type_ == "DNS Cache": # No CybOX API #elif type_ == "GUI": # revisit when CRITs supports width & height specification #elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs #elif type_ == "Linux Package": # No CybOX API #elif type_ == "Network Packet": # No good mapping between CybOX/CRITs #elif type_ == "Network Route Entry": # No CybOX API #elif type_ == "Network Route": # No CybOX API #elif type_ == "Network Subnet": # No CybOX API #elif type_ == "Semaphore": # No CybOX API #elif type_ == "Socket": # No good mapping between CybOX/CRITs #elif type_ == "UNIX File": # No CybOX API #elif type_ == "UNIX Network Route Entry": # No CybOX API #elif type_ == "UNIX Pipe": # No CybOX API #elif type_ == "UNIX Process": # No CybOX API #elif type_ == "UNIX User Account": # No CybOX API #elif type_ == "UNIX Volume": # No CybOX API #elif type_ == "User Session": # No CybOX API #elif type_ == "Whois": # No good mapping between CybOX/CRITs #elif type_ == "Win Computer Account": # No CybOX API #elif type_ == "Win Critical Section": # No CybOX API #elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs #elif type_ == "Win File": # No good mapping between CybOX/CRITs #elif type_ == "Win Kernel": # No CybOX API #elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs #elif type_ == "Win Network Route Entry": # No CybOX API #elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs #elif type_ == "Win Prefetch": # No CybOX API #elif type_ == "Win Semaphore": # No CybOX API #elif type_ == "Win System Restore": # No CybOX API #elif type_ == "Win Thread": # No good mapping between CybOX/CRITs #elif type_ == "Win Waitable Timer": # No CybOX API raise UnsupportedCybOXObjectTypeError(type_, name)
def transform(addsec_data): # # Parse the Addition Security protobuf object, which contains a STIX report representation # as_report = addsec_cti_pb2.Report() as_report.ParseFromString(addsec_data) # # Create a new STIX package & report container # stix_package = STIXPackage() stix_package.stix_header = STIXHeader() stix_package.stix_header.description = "Addition Security Report" stix_report = Report() # # Addition Security includes various identification information re: the entity of the report. # We are going to convert it into three CybOX objects: Product, Device, and Custom # cybox_product = Product() cybox_product.product = "MobileAwareness" cybox_product.vendor = "Addition Security" cybox_device = Device() cybox_device.device_type = "Mobile Device" cybox_custom_sourceapp = Custom() cybox_custom_sourceapp.custom_name = "addsec:sourceApplication" cybox_custom_sourceapp.custom_properties = CustomProperties() p = Property() p.name = "organizationId" p.value = as_report.organizationId.encode( 'hex') # NOTE: this is binary bytes cybox_custom_sourceapp.custom_properties.append(p) p = Property() p.name = "application" p.value = as_report.applicationId # NOTE: bundleId/packageId of hosting app cybox_custom_sourceapp.custom_properties.append(p) p = Property() p.name = "instanceId" p.value = as_report.systemId.encode('hex') # NOTE: this is binary bytes cybox_custom_sourceapp.custom_properties.append(p) stix_report.add_observable(cybox_product) stix_report.add_observable(cybox_device) stix_report.add_observable(cybox_custom_sourceapp) # # Enumerate the Addition Security reported sightings # for as_sighting in as_report.observations: # # Addition Security lets customers transit custom messages over the reporting channel; these # messages show up as a "Customer Message" indicator with string-based payload. Since these # messages are both proprietary in nature and potentially unrelated to STIX, we are going to # filter them out from this processing. # if as_sighting.observationType == 8: continue # 8: CustomerData # # Sightings are used to report device information as well; let's expel device-related # sightings and re-route their data into the CybOX device object (instead of including # as an indicator w/ sighting) # if as_sighting.testId == 1 or as_sighting.testId == 2: # addsec_to_cybox_device(cybox_device, as_sighting) continue # Ditto for reported product information as well if as_sighting.testId == 8: # 8: SDKVersionInfo addsec_to_cybox_product(cybox_product, as_sighting) continue # # Compose a STIX-appropriate indicator value from the Addition Security indicator ID & SubID # indicator_id = "addsec:asma-%d-%d" % (as_sighting.testId, as_sighting.testSubId) stix_indicator = Indicator(id_=indicator_id) stix_indicator.title = addsec_title_lookup(as_sighting.testId, as_sighting.testSubId) # # Create a sighting for this indicator # stix_sighting = Sighting() stix_indicator.sightings = stix_sighting stix_sighting.timestamp = datetime.datetime.fromtimestamp( as_sighting.timestamp) if as_sighting.confidence > 0: stix_sighting.confidence = addsec_to_stix_confidence( as_sighting.confidence) # # Enumerate the observables for this sighting # for as_observable in as_sighting.datas: cybox_obj = addsec_to_cybox(as_observable.dataType, as_observable.data) if not cybox_obj is None: stix_sighting.related_observables.append( RelatedObservable(Observable(cybox_obj))) # # Finally, add this indicator (w/ sightings & related observables) to the top level report # stix_report.add_indicator(stix_indicator) # # Finalize the STIX report and output the XML # stix_package.reports = stix_report return stix_package.to_xml()
def create_custom_properties(object, propertyName, propertyValue): prop = Property() prop.name = propertyName prop.value = str(propertyValue) object.custom_properties.append(prop)