def create_url_observable(url):
url_object = URI.from_dict({'value': url, 'type': URI.TYPE_URL})
url_observable = Observable(url_object)
url_observable.title = "Malware Artifact - URL"
url_observable.description = "URL derived from sandboxed malware sample."
url_observable.short_description = "URL from malware."
return url_observable
def test_is_empty_observable(self):
# Check to see if the cybox.core.Observable object is empty by calling `is_empty_observable`
# Empty Observable
test = Observable()
self.assertTrue(utils.is_empty_observable(test))
# Observable is None
test = None
self.assertTrue(utils.is_empty_observable(test))
# Non empty Observable with Object
test = Observable(MockObject())
self.assertFalse(utils.is_empty_observable(test))
# Non empty Observable with Event
test = Observable(Event())
self.assertFalse(utils.is_empty_observable(test))
# Checks non empty observable_composition and observable_composition.observables
test = Observable()
obs = ObservableComposition()
test.observable_composition = obs
test.observable_composition.observables = obs
self.assertFalse(utils.is_empty_observable(test))
def to_cybox(self, exclude=None):
if exclude == None:
exclude = []
observables = []
f = File()
for attr in ['md5', 'sha1', 'sha256']:
if attr not in exclude:
val = getattr(self, attr, None)
if val:
setattr(f, attr, val)
if self.ssdeep and 'ssdeep' not in exclude:
f.add_hash(Hash(self.ssdeep, Hash.TYPE_SSDEEP))
if 'size' not in exclude and 'size_in_bytes' not in exclude:
f.size_in_bytes = UnsignedLong(self.size)
if 'filename' not in exclude and 'file_name' not in exclude:
f.file_name = self.filename
# create an Artifact object for the binary if it exists
if 'filedata' not in exclude:
data = self.filedata.read()
if data:
data = base64.b64encode(data)
a = Artifact(data=data, type_=Artifact.TYPE_FILE)
observables.append(Observable(a))
#if 'filetype' not in exclude and 'file_format' not in exclude:
#NOTE: this doesn't work because the CybOX File object does not
# have any support built in for setting the filetype to a
# CybOX-binding friendly object (e.g., calling .to_dict() on
# the resulting CybOX object fails on this field.
#f.file_format = self.filetype
observables.append(Observable(f))
return (observables, self.releasability)
def create_ipv4_observable(ipv4_address):
ipv4_object = Address.from_dict({"address_value": ipv4_address, "category": Address.CAT_IPV4})
ipv4_observable = Observable(ipv4_object)
ipv4_observable.title = "Malware Artifact - IP"
ipv4_observable.description = "IP derived from sandboxed malware sample."
ipv4_observable.short_description = "IP from malware."
return ipv4_observable
def create_url_observable(url):
url_object = URI.from_dict({"value": url, "type": URI.TYPE_URL})
url_observable = Observable(url_object)
url_observable.title = "Malware Artifact - URL"
url_observable.description = "URL derived from sandboxed malware sample."
url_observable.short_description = "URL from malware."
return url_observable
def create_domain_name_observable(domain_name):
domain_name_object = URI.from_dict({"value": domain_name, "type": URI.TYPE_DOMAIN})
domain_name_observable = Observable(domain_name_object)
domain_name_observable.title = "Malware Artifact - Domain"
domain_name_observable.description = "Domain derived from sandboxed malware sample."
domain_name_observable.short_description = "Domain from malware."
return domain_name_observable
def test_is_empty_observable(self):
# Check to see if the cybox.core.Observable object is empty by calling `is_empty_observable`
# Empty Observable
test = Observable()
self.assertTrue(utils.is_empty_observable(test))
# Observable is None
test = None
self.assertTrue(utils.is_empty_observable(test))
# Non empty Observable with Object
test = Observable(MockObject())
self.assertFalse(utils.is_empty_observable(test))
# Non empty Observable with Event
test = Observable(Event())
self.assertFalse(utils.is_empty_observable(test))
# Checks non empty observable_composition and observable_composition.observables
test = Observable()
obs = ObservableComposition()
test.observable_composition = obs
test.observable_composition.observables = [Observable()]
self.assertFalse(utils.is_empty_observable(test))
def to_cybox_observable(self):
"""
Convert a Certificate to a CybOX Observables.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
custom_prop = Property(
) # make a custom property so CRITs import can identify Certificate exports
custom_prop.name = "crits_type"
custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
custom_prop._value = "Certificate"
obj = File() # represent cert information as file
obj.md5 = self.md5
obj.file_name = self.filename
obj.file_format = self.filetype
obj.size_in_bytes = self.size
obj.custom_properties = CustomProperties()
obj.custom_properties.append(custom_prop)
obs = Observable(obj)
obs.description = self.description
data = self.filedata.read()
if data: # if cert data available
a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data
a.packaging.append(Base64Encoding())
obj.add_related(a, "Child_Of") # relate artifact to file
return ([obs], self.releasability)
def main():
data = json.load(open("data.json"))
stix_package = STIXPackage(stix_header=STIXHeader(
title=data['title'], package_intents='Incident'))
ttps = {}
for info in data['ips']:
if info['bot'] not in ttps:
ttps[info['bot']] = TTP(title=info['bot'])
stix_package.add_ttp(ttps[info['bot']])
incident = Incident(title=info['ip'])
incident.time = Time()
incident.time.first_malicious_action = info['first_seen']
addr = Address(address_value=info['ip'], category=Address.CAT_IPV4)
observable = Observable(item=addr)
stix_package.add_observable(observable)
related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_),
relationship="Used Malware")
incident.leveraged_ttps.append(related_ttp)
related_observable = RelatedObservable(
Observable(idref=observable.id_))
incident.related_observables.append(related_observable)
stix_package.add_incident(incident)
print(stix_package.to_xml(encoding=None))
def _dostix(hashes):
'''This function creates a STIX packages containing hashes.'''
print("[+] Creating STIX Package")
title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
_custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader()
stix_package.stix_header.title = title
stix_package.stix_header.handling = _marking()
try:
indicator = Indicator()
indicator.set_producer_identity(SETTINGS['stix']['producer'])
indicator.set_produced_time(indicator.timestamp)
indicator.set_received_time(indicator.timestamp)
indicator.add_kill_chain_phase(PHASE_DELIVERY)
indicator.confidence = "Low"
indicator.title = title
indicator.add_indicator_type("File Hash Watchlist")
indicator.description = SETTINGS['stix']['ind_desc']
try:
indicator.add_indicated_ttp(
TTP(idref=SETTINGS['indicated_ttp'],
timestamp=indicator.timestamp))
indicator.suggested_coas.append(
CourseOfAction(idref=SETTINGS['suggested_coa'],
timestamp=indicator.timestamp))
except KeyError:
pass
for info in hashes:
try:
file_name = info['filename']
file_object = File()
file_object.file_name = file_name
file_object.file_name.condition = "Equals"
file_object.file_extension = "." + file_name.split('.')[-1]
file_object.file_extension.condition = "Equals"
file_object.size_in_bytes = info['filesize']
file_object.size_in_bytes.condition = "Equals"
file_object.file_format = info['fileformat']
file_object.file_format.condition = "Equals"
file_object.add_hash(Hash(info['md5']))
file_object.add_hash(Hash(info['sha1']))
file_object.add_hash(Hash(info['sha256']))
file_object.add_hash(Hash(info['sha512']))
file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
for hashobj in file_object.hashes:
hashobj.simple_hash_value.condition = "Equals"
hashobj.type_.condition = "Equals"
file_obs = Observable(file_object)
file_obs.title = "File: " + file_name
indicator.add_observable(file_obs)
except TypeError:
pass
stix_package.add_indicator(indicator)
return stix_package
except KeyError:
pass
def main():
pkg = STIXPackage()
file_object1 = File()
file_object1.file_name = "readme.doc.exe"
file_object1.size_in_bytes = 40891
file_object1.add_hash(
Hash("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
))
observable1 = Observable(file_object1)
file_object2 = File()
file_object2.file_name = "readme.doc.exe"
file_object2.size_in_bytes = 40891
file_object2.add_hash(
Hash("d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"
))
observable2 = Observable(file_object2)
incident = Incident(title="Malicious files detected")
related_observable1 = RelatedObservable(
observable1, relationship="Malicious Artifact Detected")
related_observable2 = RelatedObservable(
observable2, relationship="Malicious Artifact Detected")
incident.related_observables.append(related_observable1)
incident.related_observables.append(related_observable2)
pkg.add_incident(incident)
print(pkg.to_xml(encoding=None))
def test_observble_init(self):
obj = Object()
dobj = ObjectProperties()
a = Address()
oc = ObservableComposition()
e = Event()
obs1 = Observable(obj)
self.assertTrue(obs1.object_ is obj)
self.assertFalse(obs1.observable_composition)
self.assertFalse(obs1.event)
obs2 = Observable(dobj)
self.assertTrue(obs2.object_)
self.assertTrue(obs2.object_.properties is dobj)
self.assertFalse(obs2.observable_composition)
self.assertFalse(obs2.event)
obs3 = Observable(a)
self.assertTrue(obs3.object_)
self.assertTrue(obs3.object_.properties is a)
self.assertFalse(obs3.event)
self.assertFalse(obs3.observable_composition)
obs4 = Observable(oc)
self.assertFalse(obs4.object_)
self.assertFalse(obs4.event)
self.assertTrue(obs4.observable_composition is oc)
obs5 = Observable(e)
self.assertFalse(obs5.object_)
self.assertTrue(obs5.event is e)
self.assertFalse(obs5.observable_composition)
def to_cybox_observable(self):
"""
Convert a Certificate to a CybOX Observables.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
custom_prop = Property() # make a custom property so CRITs import can identify Certificate exports
custom_prop.name = "crits_type"
custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
custom_prop._value = "Certificate"
obj = File() # represent cert information as file
obj.md5 = self.md5
obj.file_name = self.filename
obj.file_format = self.filetype
obj.size_in_bytes = self.size
obj.custom_properties = CustomProperties()
obj.custom_properties.append(custom_prop)
obs = Observable(obj)
obs.description = self.description
data = self.filedata.read()
if data: # if cert data available
a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data
a.packaging.append(Base64Encoding())
obj.add_related(a, "Child_Of") # relate artifact to file
return ([obs], self.releasability)
def test_id_idref_exclusive(self):
o = Observable()
self.assertTrue(o.id_ is not None)
self.assertTrue(o.idref is None)
o.idref = "foo"
self.assertTrue(o.idref is not None)
self.assertTrue(o.id_ is None)
def createArtifactObject(indicator, attribute):
artifact = Artifact(data=attribute["data"])
artifact.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":ArtifactObject-" + attribute[
"uuid"]
observable = Observable(artifact)
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-artifact-" + attribute[
"uuid"]
indicator.add_observable(observable)
def test_id_idref_exclusive(self):
o = Observable()
self.assertTrue(o.id_ is not None)
self.assertTrue(o.idref is None)
o.idref = "foo"
self.assertTrue(o.idref is not None)
self.assertTrue(o.id_ is None)
def test_set_indicator_observables_to_list_of_one_observable(self):
# https://github.com/STIXProject/python-stix/issues/325
i = Indicator()
o1 = Observable()
o2 = Observable()
i.observables = [o1]
self.assertEqual(type([]), type(i.observables))
self.assertEqual(1, len(i.observables))
def test_set_indicator_observables_to_list_of_two_observables(self):
# https://github.com/STIXProject/python-stix/issues/325
i = Indicator()
o1 = Observable()
o2 = Observable()
i.observables = [o1, o2]
self.assertEqual(mixbox.typedlist.TypedList, type(i.observables))
self.assertEqual(2, len(i.observables))
def create_file_hash_observable(filename, hash_value):
hash_ = Hash(hash_value)
file_ = File()
file_.file_name = filename
file_.add_hash(hash_)
file_observable = Observable(file_)
file_observable.title = "Malware Artifact - File Hash"
file_observable.description = "File hash derived from sandboxed malware sample."
file_observable.short_description = "File hash from malware."
return file_observable
def create_domain_name_observable(domain_name):
domain_name_object = URI.from_dict({
'value': domain_name,
'type': URI.TYPE_DOMAIN
})
domain_name_observable = Observable(domain_name_object)
domain_name_observable.title = "Malware Artifact - Domain"
domain_name_observable.description = "Domain derived from sandboxed malware sample."
domain_name_observable.short_description = "Domain from malware."
return domain_name_observable
def create_ipv4_observable(ipv4_address):
ipv4_object = Address.from_dict({
'address_value': ipv4_address,
'category': Address.CAT_IPV4
})
ipv4_observable = Observable(ipv4_object)
ipv4_observable.title = "Malware Artifact - IP"
ipv4_observable.description = "IP derived from sandboxed malware sample."
ipv4_observable.short_description = "IP from malware."
return ipv4_observable
def add_url_observable(self, url):
if url in self.__urls:
return
self.__urls.add(url)
url_object = URI.from_dict({'value': url, 'type': URI.TYPE_URL})
url_observable = Observable(url_object)
url_observable.title = "Malware Artifact - URL"
url_observable.description = "URL derived from sandboxed malware sample."
url_observable.short_description = "URL from malware."
self.url_indicator.add_observable(url_observable)
def add_domain_name_observable(self, domain_name):
if domain_name in self.__domains:
return
self.__domains.add(domain_name)
domain_name_object = URI.from_dict({'value': domain_name, 'type': URI.TYPE_DOMAIN})
domain_name_observable = Observable(domain_name_object)
domain_name_observable.title = "Malware Artifact - Domain"
domain_name_observable.description = "Domain derived from sandboxed malware sample."
domain_name_observable.short_description = "Domain from malware."
self.domain_indicator.add_observable(domain_name_observable)
def create_file_hash_observable(filename, hash_value):
hash_ = Hash(hash_value)
file_ = File()
file_.file_name = filename
file_.add_hash(hash_)
file_observable = Observable(file_)
file_observable.title = "Malware Artifact - File Hash"
file_observable.description = "File hash derived from sandboxed malware sample."
file_observable.short_description = "File hash from malware."
return file_observable
def add_ipv4_observable(self, ipv4_address):
if ipv4_address in self.__ipv4:
return
self.__ipv4.add(ipv4_address)
ipv4_object = Address.from_dict({'address_value': ipv4_address, 'category': Address.CAT_IPV4})
ipv4_observable = Observable(ipv4_object)
ipv4_observable.title = "Malware Artifact - IP"
ipv4_observable.description = "IP derived from sandboxed malware sample."
ipv4_observable.short_description = "IP from malware."
self.ip_indicator.add_observable(ipv4_observable)
def generateIPObservable(indicator, attribute):
indicator.add_indicator_type("IP Watchlist")
address_object = resolveIPType(attribute["value"], attribute["type"])
address_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":AddressObject-" + attribute[
"uuid"]
if ("|" in attribute["value"]):
port = attribute["value"].split('|')[1]
address_observable = Observable(address_object)
address_observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":Address-" + attribute[
"uuid"]
port_object = Port()
port_object.port_value = attribute["value"].split('|')[1]
port_object.port_value.condition = "Equals"
port_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":PortObject-" + attribute[
"uuid"]
port_observable = Observable(port_object)
port_observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":Port-" + attribute[
"uuid"]
compositeObject = ObservableComposition(
observables=[address_observable, port_observable])
compositeObject.operator = "AND"
observable = Observable(
id_=cybox.utils.idgen.__generator.namespace.prefix +
":ObservableComposition-" + attribute["uuid"])
observable.observable_composition = compositeObject
return observable
else:
return address_object
def main():
stix_package = STIXPackage()
addr1 = Observable(Address(address_value="198.51.100.2", category=Address.CAT_IPV4))
addr2 = Observable(Address(address_value="198.51.100.17", category=Address.CAT_IPV4))
addr3 = Observable(Address(address_value="203.0.113.19", category=Address.CAT_IPV4))
stix_package.add_observable(addr1)
stix_package.add_observable(addr2)
stix_package.add_observable(addr3)
obs_addr1 = Observable()
obs_addr2 = Observable()
obs_addr3 = Observable()
obs_addr1.id_ = None
obs_addr2.id_ = None
obs_addr3.id_ = None
obs_addr1.idref = addr1.id_
obs_addr2.idref = addr2.id_
obs_addr3.idref = addr3.id_
infrastructure = Infrastructure()
infrastructure.observable_characterization = Observables([obs_addr1, obs_addr2, obs_addr3])
resource = Resource()
resource.infrastructure = infrastructure
ttp = TTP(title="Malware C2 Channel")
ttp.resources = resource
stix_package.add_ttp(ttp)
print stix_package.to_xml()
def generateDomainIPObservable(indicator, attribute):
indicator.add_indicator_type("Domain Watchlist")
domain = attribute["value"].split('|')[0]
ip = attribute["value"].split('|')[1]
address_object = resolveIPType(ip, attribute["type"])
address_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":AddressObject-" + attribute[
"uuid"]
address_observable = Observable(address_object)
address_observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":Address-" + attribute[
"uuid"]
domain_object = DomainName()
domain_object.value = domain
domain_object.value.condition = "Equals"
domain_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":DomainNameObject-" + attribute[
"uuid"]
domain_observable = Observable(domain_object)
domain_observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":DomainName-" + attribute[
"uuid"]
compositeObject = ObservableComposition(
observables=[address_observable, domain_observable])
compositeObject.operator = "AND"
observable = Observable(
id_=cybox.utils.idgen.__generator.namespace.prefix +
":ObservableComposition-" + attribute["uuid"])
observable.observable_composition = compositeObject
return observable
def test_observables_property_standard(self):
f = File()
f.file_name = "README.txt"
obs = Observable(f)
ind = Indicator()
ind.observable = obs
ind2 = Indicator.from_dict(ind.to_dict())
self.assertEqual([obs.to_dict()],
[x.to_dict() for x in ind2.observables])
def test_observables_property_standard(self):
f = File()
f.file_name = "README.txt"
obs = Observable(f)
ind = Indicator()
ind.observable = obs
ind2 = Indicator.from_dict(ind.to_dict())
self.assertEqual([obs.to_dict()],
[x.to_dict() for x in ind2.observables])
def _merge_observables(self, observables, operator='AND'):
observable_composition = ObservableComposition()
observable_composition.operator = operator
for observable_ in observables:
observable_composition.add(observable_)
root_observable = Observable()
root_observable.observable_composition = observable_composition
return root_observable
def returnAttachmentComposition(attribute):
file_object = File()
file_object.file_name = attribute["value"]
observable = Observable()
if "data" in attribute:
artifact = Artifact(data = attribute["data"])
composition = ObservableComposition(observables = [artifact, file_object])
observable.observable_composition = composition
else:
observable = Observable(file_object)
return observable
def _merge_observables(self, observables):
observable_composition = ObservableComposition()
observable_composition.operator = self.observable_composition_operator
for observable in observables:
observable_composition.add(observable)
root_observable = Observable()
root_observable.observable_composition = observable_composition
return root_observable
def _merge_observables(self, observables):
observable_composition = ObservableComposition()
observable_composition.operator = self.observable_composition_operator
for observable in observables:
observable_composition.add(observable)
root_observable = Observable()
root_observable.observable_composition = observable_composition
return root_observable
def _merge_observables(self, observables, operator='AND'):
observable_composition = ObservableComposition()
observable_composition.operator = operator
for observable_ in observables:
observable_composition.add(observable_)
root_observable = Observable()
root_observable.observable_composition = observable_composition
return root_observable
def test_round_trip_observable(self):
# Wrap the object in an observable before trying a round_trip test.
# Don't run this test on the base class
if type(self) == type(ObjectTestCase):
return
obj = self.klass.from_dict(self._full_dict)
observable = Observable(obj)
observable2 = cybox.test.round_trip(observable, output=True)
self.maxDiff = None
self.assertEqual(observable.to_dict(), observable2.to_dict())
def create_artifact_object(self, attribute, artifact=None):
try:
artifact = Artifact(data=bytes(attribute.data, encoding='utf-8'))
except TypeError:
artifact = Artifact(data=bytes(attribute.data))
artifact.parent.id_ = "{}:ArtifactObject-{}".format(self.namespace_prefix, attribute.uuid)
observable = Observable(artifact)
id_type = "observable"
if artifact is not None:
id_type += "-artifact"
observable.id_ = "{}:{}-{}".format(self.namespace_prefix, id_type, attribute.uuid)
return observable
def generateEmailAttachmentObject(indicator, attribute):
file_object = File()
file_object.file_name = attribute["value"]
email = EmailMessage()
email.attachments = Attachments()
email.add_related(file_object, "Contains", inline=True)
file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
email.attachments.append(file_object.parent.id_)
email.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":EmailMessage-" + attribute["uuid"]
observable = Observable(email)
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
indicator.observable = observable
def returnAttachmentComposition(attribute):
file_object = File()
file_object.file_name = attribute["value"]
observable = Observable()
if "data" in attribute:
artifact = Artifact(data=attribute["data"])
composition = ObservableComposition(
observables=[artifact, file_object])
observable.observable_composition = composition
else:
observable = Observable(file_object)
return observable
def to_cybox_observable(self):
"""
Convert a RawData to a CybOX Observables.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
obj = Artifact(self.data, Artifact.TYPE_FILE)
obj.packaging.append(Base64Encoding())
obs = Observable(obj)
obs.description = self.description
return ([obs], self.releasability)
def add_file_dropped_observable(self, filename):
if filename in self.__files:
return
self.__files.add(filename)
#hash_ = Hash(hash_value)
file_ = File()
file_.file_name = filename
#file_.add_hash(hash_)
file_observable = Observable(file_)
file_observable.title = "Malware Artifact - File Dropped"
file_observable.description = "File Dropped derived from sandboxed malware sample."
file_observable.short_description = "File Dropped from malware."
self.hash_indicator.add_observable(file_observable)
def add_file_hash_observable(self, filename, md5_value, sha1_value):
if (filename, md5_value, sha1_value) in self.__hashes:
return
self.__hashes.add((filename, md5_value, sha1_value))
file_ = File()
file_.file_name = filename
file_.add_hash(Hash(md5_value))
file_.add_hash(Hash(sha1_value))
file_observable = Observable(file_)
file_observable.title = "Malware Artifact - File Hash"
file_observable.description = "File hash derived from sandboxed malware sample."
file_observable.short_description = "File hash from malware."
self.hash_indicator.add_observable(file_observable)
def to_cybox_observable(self):
"""
Convert a RawData to a CybOX Observables.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
obj = Artifact(self.data, Artifact.TYPE_FILE)
obj.packaging.append(Base64Encoding())
obs = Observable(obj)
obs.description = self.description
return ([obs], self.releasability)
def cybox_mutex(observable, observable_type, objects):
nsname, nsurl = observable.namespace.last().namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
m = Mutex()
m.name = obj.mutex_name
o = Observable(m)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def generateEmailAttachmentObject(indicator, attribute):
file_object = File()
file_object.file_name = attribute["value"]
file_object.file_name.condition = "Equals"
email = EmailMessage()
email.attachments = Attachments()
email.add_related(file_object, "Contains", inline=True)
file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
email.attachments.append(file_object.parent.id_)
email.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":EmailMessage-" + attribute["uuid"]
observable = Observable(email)
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
indicator.observable = observable
def add_registry_observable(self, mode, value):
if (mode, value) in self.__regkeys:
return
self.__regkeys.add((mode, value))
# FIXME value is not parse properly
_key = '\\'.join(value.split('\\')[3:])
hive = value.split('\\')[2]
reg_object = WinRegistryKey.from_dict({'key': _key, 'hive': hive})
reg_observable = Observable(reg_object)
reg_observable.title = "Malware Artifact - Registry"
reg_observable.description = "Registry access derived from sandboxed malware sample."
reg_observable.short_description = "Registry access from malware."
self.reg_indicator.add_observable(reg_observable)
def main():
h = Hash("a7a0390e99406f8975a1895860f55f2f")
f = File()
f.file_name = "bad_file24.exe"
f.file_path = "AppData\Mozilla"
f.file_extension = ".exe"
f.size_in_bytes = 3282
f.add_hash(h)
o = Observable(f)
o.description = "This observable specifies a specific file observation."
print(Observables(o).to_xml())
def generate_email_attachment_object(self, indicator, attribute):
attribute_uuid = attribute.uuid
file_object = File()
file_object.file_name = attribute.value
file_object.file_name.condition = "Equals"
file_object.parent.id_ = "{}:FileObject-{}".format(self.namespace_prefix, attribute_uuid)
email = EmailMessage()
email.attachments = Attachments()
email.add_related(file_object, "Contains", inline=True)
email.attachments.append(file_object.parent.id_)
email.parent.id_ = "{}:EmailMessageObject-{}".format(self.namespace_prefix, attribute_uuid)
observable = Observable(email)
observable.id_ = "{}:observable-{}".format(self.namespace_prefix, attribute_uuid)
indicator.observable = observable
def main():
h = Hash("a7a0390e99406f8975a1895860f55f2f")
f = File()
f.file_name = "bad_file24.exe"
f.file_path = "AppData\Mozilla"
f.file_extension = ".exe"
f.size_in_bytes = 3282
f.add_hash(h)
o = Observable(f)
o.description = "This observable specifies a specific file observation."
print(Observables(o).to_xml())
def convert_observed_data(od20):
o1x = Observable(id_=convert_id20(od20["id"]))
if "object_marking_refs" in od20:
for m_id in od20["object_marking_refs"]:
ms = create_marking_specification(m_id)
if ms:
CONTAINER.add_marking(o1x, ms, descendants=True)
if "granular_markings" in od20:
error(
"Granular Markings present in '%s' are not supported by stix2slider",
604, od20["id"])
# observable-data has no description
o1x.object_ = convert_cyber_observables(od20["objects"], od20["id"])
return o1x
def generateObservable(indicator, attribute):
if (attribute["type"] in ("snort", "yara")):
generateTM(indicator, attribute)
else:
observable = None;
if (attribute["type"] in simple_type_to_method.keys()):
action = getattr(this_module, simple_type_to_method[attribute["type"]], None)
if (action != None):
property = action(attribute)
object = Object(property)
object.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":" + property.__class__.__name__ + "-" + attribute["uuid"]
observable = Observable(object)
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
indicator.add_observable(observable)
def test_keywords(self):
o = Observable()
o.title = "Test"
self.assertTrue("eyword" not in o.to_xml())
o.add_keyword("Foo")
print o.to_xml()
self.assertTrue("<cybox:Keyword>Foo</cybox:Keyword>" in o.to_xml())
o2 = round_trip(o)
self.assertEqual(1, len(o2.keywords))
def cybox_http(observable, observable_type, objects):
nsname, nsurl = observable.namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
h = cybox_object_http(obj)
# get related objects
related_objects_list = get_related_objects_for_object(obj.id, observable_type)
o = Observable(h)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def test_observables_property_composition(self):
f1 = File()
f1.file_name = "README.txt"
f2 = File()
f2.file_name = "README2.txt"
obs1 = Observable(f1)
obs2 = Observable(f2)
comp = Observable(ObservableComposition('AND', [obs1, obs2]))
ind = Indicator()
ind.observable = comp
ind2 = Indicator.from_dict(ind.to_dict())
self.assertEqual([obs1.to_dict(), obs2.to_dict()],
[x.to_dict() for x in ind2.observables])
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(Indicator, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get
return_obj.negate = get('negate')
return_obj.alternative_id = get('alternative_id')
return_obj.indicated_ttps = _IndicatedTTPs.from_dict(get('indicated_ttps'))
return_obj.test_mechanisms = TestMechanisms.from_list(get('test_mechanisms'))
return_obj.suggested_coas = SuggestedCOAs.from_dict(get('suggested_coas'))
return_obj.sightings = Sightings.from_dict(get('sightings'))
return_obj.composite_indicator_expression = CompositeIndicatorExpression.from_dict(get('composite_indicator_expression'))
return_obj.kill_chain_phases = KillChainPhasesReference.from_dict(get('kill_chain_phases'))
return_obj.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
return_obj.likely_impact = Statement.from_dict(get('likely_impact'))
return_obj.indicator_types = IndicatorTypes.from_list(get('indicator_types'))
return_obj.confidence = Confidence.from_dict(get('confidence'))
return_obj.valid_time_positions = _ValidTimePositions.from_dict(get('valid_time_positions'))
return_obj.observable = Observable.from_dict(get('observable'))
return_obj.producer = InformationSource.from_dict(get('producer'))
return_obj.related_campaigns = RelatedCampaignRefs.from_dict(get('related_campaigns'))
return_obj.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))
return return_obj
def _affectsoft(data):
affect_soft = AffectedSoftware()
for software in data['vulnerable_configuration']:
id_list = software['id'].split(':')
prod_obj = Product()
prod_obj.product = software['title']
prod_obj.Device_Details = software['id']
prod_obj.vendor = id_list[3].title()
if len(id_list) > 6:
prod_obj.version = id_list[5] + " " + id_list[6]
elif len(id_list) == 6:
prod_obj.version = id_list[5]
prod_obs = Observable(prod_obj)
prod_obs.title = "Product: " + software['title']
affect_soft.append(prod_obs)
return affect_soft
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(Indicator, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj, cls._binding_class):
return_obj.negate = obj.negate
return_obj.producer = InformationSource.from_obj(obj.Producer)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.sightings = Sightings.from_obj(obj.Sightings)
return_obj.composite_indicator_expression = CompositeIndicatorExpression.from_obj(obj.Composite_Indicator_Expression)
return_obj.kill_chain_phases = KillChainPhasesReference.from_obj(obj.Kill_Chain_Phases)
return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
return_obj.likely_impact = Statement.from_obj(obj.Likely_Impact)
return_obj.indicator_types = IndicatorTypes.from_obj(obj.Type)
return_obj.test_mechanisms = TestMechanisms.from_obj(obj.Test_Mechanisms)
return_obj.suggested_coas = SuggestedCOAs.from_obj(obj.Suggested_COAs)
return_obj.alternative_id = obj.Alternative_ID
return_obj.indicated_ttps = _IndicatedTTPs.from_obj(obj.Indicated_TTP)
return_obj.valid_time_positions = _ValidTimePositions.from_obj(obj.Valid_Time_Position)
return_obj.observable = Observable.from_obj(obj.Observable)
return_obj.related_campaigns = RelatedCampaignRefs.from_obj(obj.Related_Campaigns)
return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.title = dict_repr.get('title')
observable_dict = dict_repr.get('observable')
producer_dict = dict_repr.get('producer')
description_dict = dict_repr.get('description')
indicator_type_dict = dict_repr.get('indicator_type')
if observable_dict:
return_obj.add_observable(Observable.from_dict(observable_dict))
if producer_dict:
return_obj.producer = InformationSource.from_dict(producer_dict)
if description_dict:
return_obj.description = StructuredText.from_dict(description_dict)
if indicator_type_dict:
return_obj.indicator_type = IndicatorType.from_dict(indicator_type_dict)
return return_obj
def main():
test_file = os.path.join(os.path.dirname(__file__), "test.pcap")
with open(test_file, "rb") as f:
data = f.read()
a = Artifact(data, Artifact.TYPE_NETWORK)
a.packaging.append(Base64Encoding())
o = Observable(a)
o.description = ("This Observable specifies an instance of an Artifact "
"object, specifically some network traffic that was "
"captured in a PCAP file and then base64 encoded for "
"transport.")
print(Observables(o).to_xml(encoding=None))
