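def buildObservable(input_dict):
    """Build a CybOX ``Observable`` from a flat input dictionary.

    Required keys: ``description``, ``title`` and ``source`` (the name of the
    ``MeasureSource`` recorded on the observable).  Optional keys:
    ``keyword`` (added via ``add_keyword`` when non-empty), and the pair
    ``objectType`` / ``object``; ``objectType`` must be one of ``'Address'``,
    ``'File'`` or ``'URI'`` for an object to be attached -- any other type
    leaves the observable without an object (the previous version attached
    an empty ``Object()`` in that case).

    The resulting XML is printed to stdout before the ``Observable`` is
    returned.
    """
    # TODO: add incident and confidence
    observable = Observable()
    observable.description = input_dict['description']
    observable.title = input_dict['title']

    source = MeasureSource()
    source.name = input_dict['source']
    observable.observable_source = [source]

    # TODO: figure out why this is necessary
    if input_dict.get('keyword'):
        observable.add_keyword(input_dict['keyword'])

    # TODO: attach an Event built from input_dict['event'] (disabled for now).

    obj_type = input_dict.get('objectType')
    obj_value = input_dict.get('object')
    if obj_type and obj_value:
        properties = None
        if obj_type == 'Address':
            properties = Address(obj_value)
        elif obj_type == 'File':
            properties = File()
            properties.file_path = FilePath(obj_value)
        elif obj_type == 'URI':
            properties = URI(obj_value)

        # Only wrap and attach an Object when the type was recognised.
        if properties is not None:
            cyb_obj = Object()
            cyb_obj.properties = properties
            observable.object_ = cyb_obj

    print(observable.to_xml())
    return observable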
def test_round_trip(self):
    """Two e-mail Address objects plus a package-level MeasureSource survive a serialisation round trip unchanged."""
    email_one = Address("*****@*****.**", Address.CAT_EMAIL)
    email_two = Address("*****@*****.**", Address.CAT_EMAIL)

    measure_source = MeasureSource()
    measure_source.class_ = "System"
    measure_source.source_type = "Analysis"
    measure_source.description = StructuredText("A Description")

    container = Observables([email_one, email_two])
    container.observable_package_source = measure_source

    rebuilt = round_trip(container, output=True)
    self.assertEqual(container.to_dict(), rebuilt.to_dict())
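def from_dict(observable_dict):
    """Deserialize an ``Observable`` from its dictionary (JSON) form.

    ``observable_dict`` is externally supplied, already-parsed data: absent
    keys become ``None`` attributes and values are passed through without
    validation.  Returns ``None`` for an empty or missing input.
    """
    if not observable_dict:
        return None

    # Function-scope import; presumably avoids an import cycle within cybox.core.
    from cybox.core import PatternFidelity

    obs = Observable()

    obs.id_ = observable_dict.get('id')
    obs.title = observable_dict.get('title')
    obs.description = StructuredText.from_dict(
        observable_dict.get('description'))
    obs.object_ = Object.from_dict(observable_dict.get('object'))
    # The 'event' entry is an Event, not an Object; parse it with Event so
    # the dict path agrees with from_obj, which uses Event.from_obj.
    obs.event = Event.from_dict(observable_dict.get('event'))
    obs.observable_composition = ObservableComposition.from_dict(
        observable_dict.get('observable_composition'))
    obs.idref = observable_dict.get('idref')
    obs.sighting_count = observable_dict.get('sighting_count')

    sources = observable_dict.get('observable_source')
    if sources:
        obs.observable_source = [MeasureSource.from_dict(x) for x in sources]

    obs.keywords = Keywords.from_dict(observable_dict.get('keywords'))
    obs.pattern_fidelity = PatternFidelity.from_dict(
        observable_dict.get('pattern_fidelity'))

    return obs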
def from_obj(observable_obj):
    """Convert a generated-binding ``Observable`` into the API ``Observable``; ``None`` for a missing input."""
    if not observable_obj:
        return None

    # Function-scope import; presumably avoids an import cycle within cybox.core.
    from cybox.core import PatternFidelity

    result = Observable()

    result.id_ = observable_obj.id
    result.title = observable_obj.Title
    result.description = StructuredText.from_obj(observable_obj.Description)
    result.object_ = Object.from_obj(observable_obj.Object)
    result.event = Event.from_obj(observable_obj.Event)
    result.observable_composition = ObservableComposition.from_obj(
        observable_obj.Observable_Composition)
    result.idref = observable_obj.idref
    result.sighting_count = observable_obj.sighting_count

    binding_sources = observable_obj.Observable_Source
    if binding_sources:
        result.observable_source = [
            MeasureSource.from_obj(src) for src in binding_sources
        ]

    result.keywords = Keywords.from_obj(observable_obj.Keywords)
    result.pattern_fidelity = PatternFidelity.from_obj(
        observable_obj.Pattern_Fidelity)

    return result
def _create_observables(self, msg):
    """Wrap the objects parsed from ``msg`` in an ``Observables`` container whose package source names this script as the producing tool."""
    container = Observables(self.__parse_email_message(msg))

    tool = ToolInformation()
    tool.name = os.path.basename(__file__)
    tool.description = StructuredText("Email to CybOX conversion script")
    tool.vendor = "The MITRE Corporation"
    tool.version = __version__

    tools = ToolInformationList()
    tools.append(tool)

    package_source = MeasureSource()
    package_source.tools = tools

    container.observable_package_source = package_source
    return container
def execute(self, device_info, data_dir_path, simple_output=False, html_output=False):
    """Extract data from a device, inspect it and write the CybOX results.

    :param device_info: DeviceInfo
    :param data_dir_path: string; directory that receives the extracted data
        subdirectory and the generated XML (and optional HTML) files
    :param simple_output: when true, integer IDs are generated instead of
        UUIDs; the flag is also forwarded to ``write_observables_xml_file``
    :param html_output: when true, HTML files are generated from the output
    """
    extracted_dir = os.path.join(data_dir_path, EXTRACTED_DATA_DIR_NAME)
    try:
        os.makedirs(extracted_dir)
    except OSError as err:
        # An already-existing directory is fine; anything else is a real failure.
        if err.errno != errno.EEXIST:
            raise

    self.extractor.execute(extracted_dir, self.param_values)

    id_method = IDGenerator.METHOD_INT if simple_output else IDGenerator.METHOD_UUID
    set_id_method(id_method)

    inspected_objects, source_objects = self.inspector.execute(device_info, extracted_dir)
    inspected = Observables(inspected_objects)
    sources = Observables(source_objects)

    tool_info = ToolInformation()
    tool_info.name = 'Android Inspector'
    tool_info.version = '1.0'

    measure_source = MeasureSource()
    measure_source.tool_type = ToolType.TERM_DIGITAL_FORENSICS
    measure_source.tools = ToolInformationList([tool_info])
    # Naive local time: no timezone information is recorded in produced_time.
    measure_source.time = Time(produced_time=datetime.now().isoformat())

    # Both output documents share the same measure source.
    for container in (inspected, sources):
        container.observable_package_source = measure_source

    inspected_path = os.path.join(data_dir_path, INSPECTED_DATA_FILE_NAME)
    write_observables_xml_file(inspected, inspected_path, simple_output)
    source_path = os.path.join(data_dir_path, SOURCE_DATA_FILE_NAME)
    write_observables_xml_file(sources, source_path, simple_output)

    if html_output:
        generate_html_files(data_dir_path)
def from_dict(observables_dict):
    """Build an ``Observables`` container from its dictionary form; ``None`` in, ``None`` out."""
    if observables_dict is None:
        return None

    # TODO: look at major_version and minor_version
    container = Observables()
    for entry in observables_dict.get("observables", []):
        container.add(Observable.from_dict(entry))

    package_source = observables_dict.get('observable_package_source')
    container.observable_package_source = MeasureSource.from_dict(package_source)
    return container
def from_obj(observables_obj):
    """Build an ``Observables`` container from a generated-binding object; ``None`` for a missing input."""
    if not observables_obj:
        return None

    # TODO: look at major_version and minor_version
    container = Observables()
    # The binding's Observable attribute is a list of binding observables.
    for binding_obs in observables_obj.Observable:
        container.add(Observable.from_obj(binding_obs))

    package_source = observables_obj.Observable_Package_Source
    container.observable_package_source = MeasureSource.from_obj(package_source)
    return container
def from_obj(observable_obj):
    """Translate a generated-binding Observable (getter-style API) into an API ``Observable``; ``None`` for a missing input."""
    if not observable_obj:
        return None

    result = Observable()
    result.id_ = observable_obj.get_id()
    result.title = observable_obj.get_Title()
    result.description = StructuredText.from_obj(observable_obj.get_Description())
    result.object_ = Object.from_obj(observable_obj.get_Object())
    result.event = Event.from_obj(observable_obj.get_Event())
    result.observable_composition = ObservableComposition.from_obj(
        observable_obj.get_Observable_Composition())
    result.idref = observable_obj.get_idref()
    result.sighting_count = observable_obj.get_sighting_count()

    binding_sources = observable_obj.get_Observable_Source()
    if binding_sources:
        result.observable_source = [MeasureSource.from_obj(src) for src in binding_sources]
    return result
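def from_dict(observable_dict):
    """Deserialize an ``Observable`` from its dictionary (JSON) form.

    ``observable_dict`` is externally supplied, already-parsed data: absent
    keys become ``None`` attributes and values are passed through without
    validation.  Returns ``None`` for an empty or missing input.
    """
    if not observable_dict:
        return None

    obs = Observable()
    obs.id_ = observable_dict.get('id')
    obs.title = observable_dict.get('title')
    obs.description = StructuredText.from_dict(observable_dict.get('description'))
    obs.object_ = Object.from_dict(observable_dict.get('object'))
    # The 'event' entry is an Event, not an Object; parse it with Event so
    # the dict path agrees with from_obj, which uses Event.from_obj.
    obs.event = Event.from_dict(observable_dict.get('event'))
    obs.observable_composition = ObservableComposition.from_dict(
        observable_dict.get('observable_composition'))
    obs.idref = observable_dict.get('idref')
    obs.sighting_count = observable_dict.get('sighting_count')

    sources = observable_dict.get('observable_source')
    if sources:
        obs.observable_source = [MeasureSource.from_dict(x) for x in sources]
    return obs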
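def from_dict(observable_dict):
    """Deserialize an ``Observable`` from its dictionary (JSON) form.

    ``observable_dict`` is externally supplied, already-parsed data: absent
    keys become ``None`` attributes and values are passed through without
    validation.  Returns ``None`` for an empty or missing input.
    """
    if not observable_dict:
        return None

    # Function-scope import; presumably avoids an import cycle within cybox.core.
    from cybox.core import PatternFidelity

    obs = Observable()
    obs.id_ = observable_dict.get('id')
    obs.title = observable_dict.get('title')
    obs.description = StructuredText.from_dict(observable_dict.get('description'))
    obs.object_ = Object.from_dict(observable_dict.get('object'))
    # The 'event' entry is an Event, not an Object; parse it with Event so
    # the dict path agrees with from_obj, which uses Event.from_obj.
    obs.event = Event.from_dict(observable_dict.get('event'))
    obs.observable_composition = ObservableComposition.from_dict(
        observable_dict.get('observable_composition'))
    obs.idref = observable_dict.get('idref')
    obs.sighting_count = observable_dict.get('sighting_count')

    sources = observable_dict.get('observable_source')
    if sources:
        obs.observable_source = [MeasureSource.from_dict(x) for x in sources]

    obs.keywords = Keywords.from_dict(observable_dict.get('keywords'))
    obs.pattern_fidelity = PatternFidelity.from_dict(observable_dict.get('pattern_fidelity'))
    return obs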
def from_obj(observable_obj):
    """Convert a generated-binding ``Observable`` into the API ``Observable``; ``None`` for a missing input."""
    if not observable_obj:
        return None

    # Function-scope import; presumably avoids an import cycle within cybox.core.
    from cybox.core import PatternFidelity

    result = Observable()
    result.id_ = observable_obj.id
    result.title = observable_obj.Title
    result.description = StructuredText.from_obj(observable_obj.Description)
    result.object_ = Object.from_obj(observable_obj.Object)
    result.event = Event.from_obj(observable_obj.Event)
    result.observable_composition = ObservableComposition.from_obj(
        observable_obj.Observable_Composition)
    result.idref = observable_obj.idref
    result.sighting_count = observable_obj.sighting_count

    binding_sources = observable_obj.Observable_Source
    if binding_sources:
        result.observable_source = [MeasureSource.from_obj(src) for src in binding_sources]

    result.keywords = Keywords.from_obj(observable_obj.Keywords)
    result.pattern_fidelity = PatternFidelity.from_obj(observable_obj.Pattern_Fidelity)
    return result
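def from_dict(action_dict, action_cls=None):
    """Populate an ``Action`` from its dictionary (JSON) form.

    :param action_dict: externally supplied, already-parsed dictionary;
        a falsy value yields ``None``.  Missing keys become ``None`` (or an
        empty list for the list-valued fields); no value validation is done.
    :param action_cls: despite the name, an existing Action *instance* to
        fill in.  A fresh ``Action()`` is used when omitted -- presumably so
        subclasses can reuse this parser on their own instances.
    :return: the populated instance, or ``None``
    """
    if not action_dict:
        return None

    action_ = Action() if action_cls is None else action_cls

    action_.id = action_dict.get('id')
    action_.idref = action_dict.get('idref')
    action_.ordinal_position = action_dict.get('ordinal_position')
    action_.action_status = action_dict.get('action_status')
    action_.context = action_dict.get('context')
    action_.timestamp = action_dict.get('timestamp')
    action_.type = VocabString.from_dict(action_dict.get('type'))
    action_.name = VocabString.from_dict(action_dict.get('name'))
    action_.description = StructuredText.from_dict(action_dict.get('description'))
    action_.action_aliases = action_dict.get('action_aliases', [])
    action_.action_arguments = ActionArguments.from_list(action_dict.get('action_arguments', []))
    action_.discovery_method = MeasureSource.from_dict(action_dict.get('discovery_method'))
    action_.associated_objects = AssociatedObjects.from_list(action_dict.get('associated_objects', []))
    action_.relationships = ActionRelationships.from_list(action_dict.get('relationships', []))
    # TODO: add support for frequency:
    #   action_.frequency = Frequency.from_dict(action_dict.get('frequency'))
    return action_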
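def from_obj(action_obj, action_cls=None):
    """Populate an ``Action`` from a generated-binding Action object.

    :param action_obj: binding object (getter-style API); a falsy value
        yields ``None``.  Optional sub-elements that the binding reports as
        ``None`` are left at the instance's existing values.
    :param action_cls: despite the name, an existing Action *instance* to
        fill in.  A fresh ``Action()`` is used when omitted -- presumably so
        subclasses can reuse this parser on their own instances.
    :return: the populated instance, or ``None``
    """
    if not action_obj:
        return None

    action_ = Action() if action_cls is None else action_cls

    action_.id = action_obj.get_id()
    action_.idref = action_obj.get_idref()
    action_.ordinal_position = action_obj.get_ordinal_position()
    action_.action_status = action_obj.get_action_status()
    action_.context = action_obj.get_context()
    action_.timestamp = action_obj.get_timestamp()
    action_.type = VocabString.from_obj(action_obj.get_Type())
    action_.name = VocabString.from_obj(action_obj.get_Name())
    action_.description = StructuredText.from_obj(action_obj.get_Description())

    if action_obj.get_Action_Arguments() is not None:
        action_.action_arguments = ActionArguments.from_obj(action_obj.get_Action_Arguments())
    action_.discovery_method = MeasureSource.from_obj(action_obj.get_Discovery_Method())
    if action_obj.get_Associated_Objects() is not None:
        action_.associated_objects = AssociatedObjects.from_obj(action_obj.get_Associated_Objects())
    if action_obj.get_Relationships() is not None:
        action_.relationships = ActionRelationships.from_obj(action_obj.get_Relationships())
    # TODO: add support for frequency (Frequency.from_obj on the binding's
    # frequency element).
    if action_obj.get_Action_Aliases() is not None:
        # The aliases wrapper element holds the list of individual alias strings.
        action_.action_aliases = action_obj.get_Action_Aliases().get_Action_Alias()
    return action_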
def test_measure_source(self):
    """A MeasureSource whose name is the non-ASCII test string completes a serialisation round trip without error."""
    source = MeasureSource()
    source.name = UNICODE_STR
    rebuilt = round_trip(source)