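def buildObservable(input_dict):
    """Build a CybOX Observable from a flat input dictionary.

    Args:
        input_dict: mapping with the required keys 'description', 'title'
            and 'source', plus the optional keys 'keyword', 'objectType'
            (one of 'Address', 'File', 'URI') and 'object' (the value to
            wrap in the object of that type).

    Returns:
        The populated Observable. Its XML form is also printed, as the
        original script did.

    Raises:
        KeyError: when one of the required keys is missing from input_dict.
    """
    # TODO: add incident and confidence
    observable = Observable()
    observable.description = input_dict['description']
    observable.title = input_dict['title']
    source = MeasureSource()
    source.name = input_dict['source']
    observable.observable_source = [source]
    # The keyword is optional; the original author left a note here
    # ("figure out why this is necessary") that still needs an answer.
    if input_dict.get('keyword'):
        observable.add_keyword(input_dict['keyword'])
    # TODO: the original code carried a disabled block that built an Event
    # from input_dict['event'] and attached it as observable.event.
    object_type = input_dict.get('objectType')
    object_value = input_dict.get('object')
    if object_type and object_value:
        properties = _build_object_properties(object_type, object_value)
        # Only attach an Object when the type is one we know how to build;
        # an unknown type previously produced an empty Object with no properties.
        if properties is not None:
            cyb_obj = Object()
            cyb_obj.properties = properties
            observable.object_ = cyb_obj
    print(observable.to_xml())
    return observable


def _build_object_properties(object_type, object_value):
    """Return the CybOX properties object for a supported object type, else None.

    Args:
        object_type: 'Address', 'File' or 'URI'.
        object_value: the raw value wrapped by the properties object.
    """
    if object_type == 'Address':
        return Address(object_value)
    if object_type == 'File':
        file_properties = File()
        file_properties.file_path = FilePath(object_value)
        return file_properties
    if object_type == 'URI':
        return URI(object_value)
    return None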
def test_round_trip(self):
    """An Object carrying an idref and an IPv4 Address survives a round trip unchanged."""
    original = Object()
    original.idref = "example:a1"
    original.properties = Address("1.2.3.4", Address.CAT_IPV4)
    restored = cybox.test.round_trip(original)
    expected, actual = original.to_dict(), restored.to_dict()
    self.assertEqual(expected, actual)
def test_round_trip(self):
    """An Object carrying an idref and an IPv4 Address survives a round trip unchanged."""
    original = Object()
    original.idref = "example:a1"
    original.properties = Address("1.2.3.4", Address.CAT_IPV4)
    restored = round_trip(original)
    expected, actual = original.to_dict(), restored.to_dict()
    self.assertEqual(expected, actual)
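def prune_objects(self, candidate_indicator_objects):
    """Perform contraindicator and required property checking and prune
    un-wanted properties from the input list of candidate Indicator CybOX
    Objects.

    Args:
        candidate_indicator_objects: a list of
            ``maec.bundle.object_history.ObjectHistoryEntry`` objects
            representing the initial list of CybOX Objects that may be used
            in the STIX Indicators.

    Returns:
        A list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects
        representing the final list of checked and pruned CybOX Objects that
        will be used for the STIX Indicators. Entries whose Object type is
        not in the configuration, that fail the contraindicator check, or
        that lack a required property are left out.
    """
    supported_objects = self.config.supported_objects
    final_indicator_objects = []
    for entry in candidate_indicator_objects:
        # 'object' would shadow the builtin, so use a distinct local name
        cybox_object = entry.object
        xsi_type = cybox_object.properties._XSI_TYPE
        # Only Object types listed in the config are eligible for Indicators
        if xsi_type not in supported_objects:
            continue
        # Do the contraindicator check
        if self._contraindicator_check(entry):
            continue
        object_type_conf = supported_objects[xsi_type]
        # First, test for the presence of the required properties
        if not self._required_property_check(cybox_object, object_type_conf):
            continue
        # Prune based on the full set (required + optional + mutually exclusive)
        full_properties = {}
        full_properties.update(object_type_conf["required"])
        full_properties.update(object_type_conf["optional"])
        full_properties.update(object_type_conf["mutually_exclusive"])
        full_pruned_properties = self._prune_object_properties(
            cybox_object.properties.to_dict(), full_properties)
        full_pruned_properties["xsi:type"] = xsi_type
        # Create a new Object with the pruned ObjectProperties
        pruned_object = Object()
        pruned_object.properties = ObjectProperties.from_dict(full_pruned_properties)
        entry.object = pruned_object
        # Add the updated Object History entry to the final list of Indicators
        final_indicator_objects.append(entry)
    return final_indicator_objects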
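def prune_objects(self, candidate_indicator_objects):
    """Perform contraindicator and required property checking and prune
    un-wanted properties from the input list of candidate Indicator CybOX
    Objects.

    Args:
        candidate_indicator_objects: a list of
            ``maec.bundle.object_history.ObjectHistoryEntry`` objects
            representing the initial list of CybOX Objects that may be used
            in the STIX Indicators.

    Returns:
        A list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects
        representing the final list of checked and pruned CybOX Objects that
        will be used for the STIX Indicators. Entries whose Object type is
        not in the configuration, that fail the contraindicator check, or
        that lack a required property are left out.
    """
    supported_objects = self.config.supported_objects
    final_indicator_objects = []
    for entry in candidate_indicator_objects:
        # 'object' would shadow the builtin, so use a distinct local name
        cybox_object = entry.object
        xsi_type = cybox_object.properties._XSI_TYPE
        # Only Object types listed in the config are eligible for Indicators
        if xsi_type not in supported_objects:
            continue
        # Do the contraindicator check
        if self._contraindicator_check(entry):
            continue
        object_type_conf = supported_objects[xsi_type]
        # First, test for the presence of the required properties
        if not self._required_property_check(cybox_object, object_type_conf):
            continue
        # Prune based on the full set (required + optional + mutually exclusive)
        full_properties = {}
        full_properties.update(object_type_conf["required"])
        full_properties.update(object_type_conf["optional"])
        full_properties.update(object_type_conf["mutually_exclusive"])
        full_pruned_properties = self._prune_object_properties(
            cybox_object.properties.to_dict(), full_properties)
        full_pruned_properties["xsi:type"] = xsi_type
        # Create a new Object with the pruned ObjectProperties
        pruned_object = Object()
        pruned_object.properties = ObjectProperties.from_dict(full_pruned_properties)
        entry.object = pruned_object
        # Add the updated Object History entry to the final list of Indicators
        final_indicator_objects.append(entry)
    return final_indicator_objects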
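from maec.bundle import Bundle, Collections, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package
from cybox.core import AssociatedObject, Object
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from cybox.utils import Namespace
import maec.utils

# Instantiate the ID generator class (for automatic ID generation) with our example namespace
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)

# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# Create the Object for use in the Malware Instance Object Attributes.
# Object, File, HashList, Hash, AssociatedObject and VocabString were used
# below without being imported, which raised NameError at the first use.
subject_object = Object()
subject_object.properties = File()
# 'file_name' is the File property (the associated object below uses it too);
# assigning 'name' sets an attribute the File type does not serialize.
subject_object.properties.file_name = 'foobar.exe'
subject_object.properties.size_in_bytes = '35532'
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))

# Set the Malware Instance Object Attributes with the Object built above
subject.set_malware_instance_object_attributes(subject_object)

# Create the Associated Object for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = 'abcd.dll'
associated_object.properties.size_in_bytes = '123456'
# The association type is a controlled-vocabulary string; the xsi_type names the vocabulary
associated_object.association_type = VocabString()
associated_object.association_type.value = 'output'
associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'

# Create the Action from another dictionary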
subject = MalwareSubject()
analysis = Analysis()

# Populate the Analysis with the metadata relating to the Analysis that was performed
analysis.method = "dynamic"
analysis.type_ = "triage"
analysis.set_findings_bundle(bundle.id_)
t = ToolInformation()
t.name = "APIMonitor"
t.vendor = "APIMonitor"
analysis.add_tool(t)

# Create the Object used in the Malware Instance Object Attributes (the file containing the malware?)
subject_object = Object()  # the Object
subject_object.properties = File()  # File object
subject_object.properties.file_name = 'seminor.doc'  # file name (the file containing the malware)
subject_object.properties.size_in_bytes = '154173'  # file size
subject_object.properties.add_hash("54CC941747FA99A3521314B9969D4964")

# Set the Malware Instance Object Attributes with the Object built from the dictionary
subject.set_malware_instance_object_attributes(subject_object)

# Create the associated object dictionary for use in the Action
def associated(name,path,byte,value="output"):
    """Build a File AssociatedObject with the given name, path and size.

    Args:
        name: value for file_name.
        path: value for file_path.
        byte: value for size_in_bytes.
        value: association type; defaults to "output".
    """
    associated_object = AssociatedObject()
    associated_object.properties = File()
    associated_object.properties.file_name = name
    associated_object.properties.file_path = path
    associated_object.properties.size_in_bytes = byte
    associated_object.association_type = VocabString()  # what is this? (original author's note)
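a.type_ = "triage"
a.summary = "A basic static triage of the subject binary using PEiD."
a.set_findings_bundle(b.id_)
# Record where the analysis came from
a.source = Source()
a.source.name = "Frankie Li"
a.source.url = "http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814"
# Record the tool that produced the findings
t = ToolInformation()
t.name = "PEiD"
t.version = "0.94"
a.add_tool(t)

# Set the requisite attributes on the Bundle and populate it with the Static Analysis findings
b.defined_subject = False
b.content_type = "static analysis tool output"
# The finding is a Windows executable described by its PE optional header
o = Object()
o.properties = WinExecutableFile()
o.properties.headers = PEHeaders()
o.properties.headers.optional_header = PEOptionalHeader()
o.properties.headers.optional_header.major_linker_version = "06"
o.properties.headers.optional_header.minor_linker_version = "00"
o.properties.headers.optional_header.address_of_entry_point = "036418"
o.properties.headers.optional_header.subsystem = "Windows_GUI"

# Build up the full Package/Malware Subject/Analysis/Bundle hierarchy
p.add_malware_subject(ms)
b.add_object(o)
ms.add_analysis(a)
ms.add_findings_bundle(b)

# Output the built up Package to XML (function form works on Python 2 and 3)
print(p.to_xml())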
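# - A single Capability embedded in the Bundle
from cybox.core import AssociatedObjects, AssociatedObject, Object, AssociationType
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package

# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
# 'file_name' is the File property (the associated object below uses it too);
# assigning 'name' sets an attribute the File type does not serialize.
subject_object.properties.file_name = 'foobar.exe'
subject_object.properties.size_in_bytes = '35532'
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(
    Hash("8743b52063cd84097a65d1633f5c74f5"))

# Set the Malware Instance Object Attributes with the Object built above
subject.set_malware_instance_object_attributes(subject_object)

# Create the Associated Object for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = 'abcd.dll'
associated_object.properties.size_in_bytes = '123456'
# The association type is a controlled-vocabulary string; the xsi_type names the vocabulary
associated_object.association_type = VocabString()
associated_object.association_type.value = 'output'
associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'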