def _run_inspector_test(self, inspector, directory_name):
# Output paths
output_dir_path = os.path.join('test', 'test_extracted_data',
directory_name)
inspected_data_file_path = os.path.join(output_dir_path,
INSPECTED_DATA_FILE_NAME)
source_data_file_path = os.path.join(output_dir_path,
SOURCE_DATA_FILE_NAME)
# Execute the inspector
inspected_objects, source_objects = inspector.execute(
self.device_info, output_dir_path)
# write the results
write_observables_xml_file(Observables(inspected_objects),
inspected_data_file_path,
simple_output=True)
write_observables_xml_file(Observables(source_objects),
source_data_file_path,
simple_output=True)
# Assert xml files were written
self.assertTrue(os.path.exists(inspected_data_file_path))
self.assertTrue(os.path.exists(source_data_file_path))
# Delete the created files
os.remove(inspected_data_file_path)
os.remove(source_data_file_path)
def targeted_technical_details(self, value):
if not value:
self._targeted_technical_details = None
elif isinstance(value, Observables):
self._targeted_technical_details = value
else:
self._targeted_technical_details = Observables(observables=[value])
def observable_characterization(self, value):
if not value:
self._observable_characterization = None
elif isinstance(value, Observables):
self._observable_characterization = value
else:
self._observable_characterization = Observables(observables=[value])
def main():
from stix.coa import CourseOfAction, Objective
from stix.common import Confidence
from stix.core import STIXPackage
from cybox.core import Observables
from cybox.objects.address_object import Address
pkg = STIXPackage()
coa = CourseOfAction()
coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
coa.stage = "Response"
coa.type_ = "Perimeter Blocking"
obj = Objective()
obj.description = "Block communication between the PIVY agents and the C2 Server"
obj.applicability_confidence = Confidence("High")
coa.objective = obj
coa.impact = "Low"
coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
coa.cost = "Low"
coa.efficacy = "High"
addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
coa.parameter_observables = Observables(addr)
pkg.add_course_of_action(coa)
print pkg.to_xml()
def test_observable_iterable(self):
a = Address("*****@*****.**", Address.CAT_EMAIL)
a2 = Address("*****@*****.**", Address.CAT_EMAIL)
o = Observables([a, a2])
for obs in o:
self.assertTrue(obs.object_.properties in [a, a2])
def structured_description(self, value):
if not value:
self._structured_description = None
elif isinstance(value, Observables):
self._structured_description = value
else:
self._structured_description = Observables(value)
def test_correct_namespace_output(self):
link = Link()
link.value = u("https://www.example.com")
xml = Observables(link).to_xml()
self.assertTrue(b"cybox:Properties" in xml)
self.assertTrue(b"LinkObj:Properties" not in xml)
def __init__(self,
id_=None,
idref=None,
timestamp=None,
stix_header=None,
courses_of_action=None,
exploit_targets=None,
indicators=None,
observables=None,
incidents=None,
threat_actors=None,
ttps=None,
campaigns=None,
related_packages=None,
reports=None):
super(STIXPackage, self).__init__()
self.id_ = id_ or idgen.create_id("Package")
self.idref = idref
self.version = STIXPackage._version
self.stix_header = stix_header
self.campaigns = campaigns or Campaigns()
self.courses_of_action = courses_of_action or CoursesOfAction()
self.exploit_targets = exploit_targets or ExploitTargets()
self.observables = observables or Observables()
self.indicators = indicators or Indicators()
self.incidents = incidents or Incidents()
self.threat_actors = threat_actors or ThreatActors()
self.ttps = ttps or TTPs()
self.related_packages = related_packages
self.reports = reports or Reports()
self.timestamp = timestamp
def test_missing_related_object(self):
self.domain.add_related(self.ip, "Resolves To", inline=False)
# If we only include the domain, the dereference will fail.
o2 = self._test_round_trip(Observables([self.domain]))
rel_obj = o2.observables[0].object_.related_objects[0]
self.assertRaises(CacheMiss, rel_obj.get_properties)
def main():
v = AnyURI("http://www.example.com/index1.html")
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print(Observables(u).to_xml())
def test_round_trip_xml(self):
np = NetworkPacket.from_dict(self._full_dict)
xml = Observables(np).to_xml()
new_obj = Observables.from_obj(parseString(xml))
new_dict = new_obj.observables[0].object_.properties.to_dict()
self.maxDiff = None
self.assertEqual(self._full_dict, new_dict)
def main():
v = AnyURI("http://www.example.com/index1.html")
v.condition = "Equals"
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print(Observables(u).to_xml(encoding=None))
def test_inline(self):
self.domain.add_related(self.ip, "Resolves To", inline=True)
o2 = self._test_round_trip(Observables(self.domain))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the first observable, and has an inlined object with an id
actual_id = o2.observables[0].object_.related_objects[0].id_
self.assertEqual(expected_id, actual_id)
def main():
m = EmailMessage()
m.from_ = ["*****@*****.**",
"*****@*****.**",
"*****@*****.**"]
m.from_.condition = "Equals"
m.subject = "New modifications to the specification"
m.subject.condition = "Equals"
print(Observables(m).to_xml())
def execute(self, device_info, data_dir_path, simple_output=False, html_output=False):
"""
:param device_info: DeviceInfo
:param data_dir_path: string
"""
extracted_data_dir_path = os.path.join(data_dir_path, EXTRACTED_DATA_DIR_NAME)
try:
os.makedirs(extracted_data_dir_path)
except OSError as exception:
if exception.errno != errno.EEXIST:
raise
self.extractor.execute(extracted_data_dir_path, self.param_values)
set_id_method(IDGenerator.METHOD_INT if simple_output else IDGenerator.METHOD_UUID)
inspected_objects, source_objects = self.inspector.execute(device_info, extracted_data_dir_path)
inspected_observables = Observables(inspected_objects)
source_observables = Observables(source_objects)
tool_info = ToolInformation()
tool_info.name = 'Android Inspector'
tool_info.version = '1.0'
measure_source = MeasureSource()
measure_source.tool_type = ToolType.TERM_DIGITAL_FORENSICS
measure_source.tools = ToolInformationList([tool_info])
measure_source.time = Time(produced_time=datetime.now().isoformat())
inspected_observables.observable_package_source = measure_source
source_observables.observable_package_source = measure_source
write_observables_xml_file(inspected_observables,
os.path.join(data_dir_path, INSPECTED_DATA_FILE_NAME),
simple_output)
write_observables_xml_file(source_observables,
os.path.join(data_dir_path, SOURCE_DATA_FILE_NAME),
simple_output)
if html_output:
generate_html_files(data_dir_path)
def main():
m = EmailMessage()
m.to = ["*****@*****.**", "*****@*****.**"]
m.from_ = "*****@*****.**"
m.subject = "New modifications to the specification"
a = Address("192.168.1.1", Address.CAT_IPV4)
m.add_related(a, "Received_From", inline=False)
print(Observables([m, a]).to_xml(encoding=None))
def main():
NS = cybox.utils.Namespace("http://example.com/", "example")
cybox.utils.set_id_namespace(NS)
v = AnyURI("http://www.example.com/index1.html")
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print Observables(u).to_xml()
def add_observable(self, observable):
"""Adds an ``Observable`` object to the :attr:`observables` collection.
If `observable` is not an ``Observable`` instance, an effort will be
made to convert it to one.
"""
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
def test_backward_relationship(self):
self.domain.add_related(self.ip, "Resolves To", inline=False)
# IP should already be known before Domain is parsed
o2 = self._test_round_trip(Observables([self.ip, self.domain]))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the second observable, and should only have an IDREF
actual_id = o2.observables[1].object_.related_objects[0].idref
self.assertEqual(expected_id, actual_id)
def test_forward_relationship(self):
self.domain.add_related(self.ip, "Resolves To", inline=False)
# The "related" IP object will be encountered in the Domain object
# before the actual IP has been seen. Make sure this doesn't break.
o2 = self._test_round_trip(Observables([self.domain, self.ip]))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the second observable, and should only have an IDREF
actual_id = o2.observables[0].object_.related_objects[0].idref
self.assertEqual(expected_id, actual_id)
def main():
NS = cybox.utils.Namespace("http://example.com/", "example")
cybox.utils.set_id_namespace(NS)
m = EmailMessage()
m.from_ = ["*****@*****.**",
"*****@*****.**",
"*****@*****.**"]
m.from_.condition = "Equals"
m.subject = "New modifications to the specification"
m.subject.condition = "Equals"
print Observables(m).to_xml()
def cybox_mutex(observable, observable_type, objects):
nsname, nsurl = observable.namespace.last().namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
m = Mutex()
m.name = obj.mutex_name
o = Observable(m)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def test_round_trip(self):
a = Address("*****@*****.**", Address.CAT_EMAIL)
a2 = Address("*****@*****.**", Address.CAT_EMAIL)
ms = MeasureSource()
ms.class_ = "System"
ms.source_type = "Analysis"
ms.description = StructuredText("A Description")
o = Observables([a, a2])
o.observable_package_source = ms
o2 = round_trip(o, output=True)
self.assertEqual(o.to_dict(), o2.to_dict())
def main():
h = Hash("a7a0390e99406f8975a1895860f55f2f")
f = File()
f.file_name = "bad_file24.exe"
f.file_path = "AppData\Mozilla"
f.file_extension = ".exe"
f.size_in_bytes = 3282
f.add_hash(h)
o = Observable(f)
o.description = "This observable specifies a specific file observation."
print(Observables(o).to_xml())
def main():
NS = cybox.utils.Namespace("http://example.com/", "example")
cybox.utils.set_id_namespace(NS)
m = EmailMessage()
m.to = ["*****@*****.**", "*****@*****.**"]
m.from_ = "*****@*****.**"
m.subject = "New modifications to the specification"
a = Address("192.168.1.1", Address.CAT_IPV4)
m.add_related(a, "Received_From", inline=False)
print Observables([m, a]).to_xml()
def cybox_http(observable, observable_type, objects):
nsname, nsurl = observable.namespace.last().namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
h = cybox_object_http(obj)
# get related objects
related_objects_list = get_related_objects_for_object(obj.id, observable_type)
o = Observable(h)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def export_cybox(iocs):
'''export to cybox observables document'''
domain_fn = helper.create_domain_name_observable
ipv4_fn = helper.create_ipv4_observable
email_fn = helper.create_email_address_observable
hash_fn = helper.create_file_hash_observable
observables = [domain_fn(o) for o in iocs['domain']] + \
[ipv4_fn(o) for o in iocs['ipv4']] + \
[email_fn(o) for o in iocs['email']] + \
[hash_fn('', o)
for o in iocs['md5']+iocs['sha1']+iocs['sha256']]
cybox_observables = Observables(observables)
return cybox_observables
def test_get_namespaces(self):
m = EmailMessage()
m.to = "*****@*****.**"
m.subject = "Here's a cool picture"
m.links = Links()
u = URI("http://example.com/cool.jpg", URI.TYPE_URL)
m.links.append(u.parent.id_)
o = Observables([u, m])
print o.to_xml()
actual_namespaces = o._get_namespaces()
print "\n".join([str(x) for x in actual_namespaces])
self.assertEqual(5, len(actual_namespaces))
def main():
infilename = ''
outfilename = ''
#Get the command-line arguments
args = sys.argv[1:]
#Basic argument checking
if len(args) < 4:
usage()
sys.exit(1)
for i in range(0, len(args)):
if args[i] == '-i':
infilename = args[i + 1]
elif args[i] == '-o':
outfilename = args[i + 1]
#Basic input file checking
if os.path.isfile(infilename):
#Get the raw lines from the input file
raw_lines = get_input(infilename)
#Breakup each certificate into its corresponding lines
cert_strings = split_certs(raw_lines)
observables_list = []
#Process each certificate array into its CybOX representation
for cert_array in cert_strings:
#Get the Python dictionary corresponding to the certificate
cert_dict = tokenize_input(cert_array)
observables_list.append(cert_to_cybox(cert_dict))
observables = Observables(observables_list)
#Open the output file for writing and write out the generated Observables
out_file = open(outfilename, 'w')
out_file.write("<?xml version='1.0' encoding='UTF-8'?>\n")
out_file.write(
"<!-- Generated by X509 to CybOX Utility\nhttps://github.com/CybOXProject/Tools/-->\n"
)
out_file.write("<!DOCTYPE doc [<!ENTITY comma ','>]>\n")
out_file.write(
observables.to_xml(
namespace_dict={
'https://github.com/CybOXProject/Tools': 'x509_to_cybox'
}))
out_file.close()
else:
print('\nError: Input file not found or inaccessible.')
sys.exit(1)
def _create_observables(self, msg):
o = Observables(self.__parse_email_message(msg))
t = ToolInformation()
t.name = os.path.basename(__file__)
t.description = StructuredText("Email to CybOX conversion script")
t.vendor = "The MITRE Corporation"
t.version = __version__
t_list = ToolInformationList()
t_list.append(t)
m = MeasureSource()
m.tools = t_list
o.observable_package_source = m
return o