 def createSubjectUrl(self, url):
     """Build the MAEC subject entity for an analysed URL.

     The subject references the URI object whose id is stored under
     ``idMap["urlmd5"]``; that same id is then recorded as
     ``idMap["subject"]`` so other builders can attribute actions to it.
     @param url: URL path (not consulted here; the id is taken from idMap).
     @return: subject object.
     """
     uri_id = self.idMap["urlmd5"]
     subject = maec.SubjectType()
     reference = maec.ObjectReferenceType(type_="URI", object_id=uri_id)
     subject.set_Object_Reference(reference)
     # Make this URL the current subject of the report.
     self.idMap["subject"] = uri_id
     return subject
 def createSubjectFile(self, file):
     """Build the MAEC subject entity for an analysed file.

     Only ``file["name"]`` is used, as the key under which the file's
     object id was stored in ``idMap``.
     @param file: file as in cuckoo dict.
     @return: subject object.
     """
     file_id = self.idMap[file["name"]]
     subject = maec.SubjectType()
     subject.set_Object_Reference(
         maec.ObjectReferenceType(type_="Object", object_id=file_id))
     # Make this file the current subject of the report.
     self.idMap["subject"] = file_id
     return subject
 def createSubject(self, file):
     """Build the MAEC subject entity for the analysed sample.

     The object id is looked up in ``idMap`` by ``file['name']`` and is also
     stored as ``idMap['subject']`` for later attribution of actions.
     @param file: file as in cuckoo dict.
     @return: subject object.
     """
     object_id = self.idMap[file['name']]
     reference = maec.ObjectReferenceType(type_='Object', object_id=object_id)
     subject = maec.SubjectType()
     subject.set_Object_Reference(reference)
     self.idMap['subject'] = object_id
     return subject
    def createActionAPI(self, process):
        """Record one MAEC action for every API call made by a process.

        Each entry of ``process["calls"]`` becomes an ActionType whose
        implementation is an API_Call; the call's arguments are attached as
        ordered parameters and the action is appended to ``self.actions``
        in call order. Nothing is returned.
        @param process: process from cuckoo dict.
        """
        # The process id counter is advanced although its value is not used
        # here (presumably to keep the id sequence in step — TODO confirm).
        self.getProcessId()

        for ordinal, call in enumerate(process["calls"], start=1):
            prefix = self.idMap["prefix"]
            # NOTE(review): "successful" is fed the call's category string;
            # confirm that is the intended field rather than a success flag.
            act = maec.ActionType(
                id="%s:act:%s" % (prefix, self.getActionId()),
                ordinal_position=ordinal,
                timestamp=call["timestamp"],
                successful=call["category"])

            # Attribute the action to the process's own object when it was
            # registered in idMap, otherwise to the current analysis subject.
            try:
                initiator = self.idMap[process["process_name"]]
            except KeyError:
                initiator = self.idMap["subject"]
            initiator_ref = maec.ObjectReferenceType(type_="Object",
                                                     object_id=initiator)
            act.set_Action_Initiator(
                maec.Action_InitiatorType(type_="Process",
                                          Initiator_Object=initiator_ref))

            implementation = maec.ActionImplementationType(
                type_="API_Call",
                id="%s:imp:%s" % (prefix, self.getActImpId()))
            apicall = maec.APICallType(
                id="%s:api:%s" % (prefix, self.getApiCallId()),
                apifunction_name=call["api"],
                ReturnValue=call["return"])
            for arg_pos, arg in enumerate(call["arguments"], start=1):
                parameter = maec.APICall_ParameterType(ordinal_position=arg_pos,
                                                       Name=arg["name"],
                                                       Value=arg["value"])
                apicall.add_APICall_Parameter(parameter)
            implementation.set_API_Call(apicall)

            act.set_Action_Implementation(implementation)
            self.actions.add_Action(act)
    def createActionAPI(self, process):
        """Translate a process's API-call trace into MAEC actions.

        For every call in ``process['calls']`` an ActionType with an
        API_Call implementation is built, its arguments are added as
        numbered parameters, and it is appended to ``self.actions``.
        Nothing is returned.
        @param process: process from cuckoo dict.
        """
        # Counter call kept for its side effect; the returned id is unused
        # in this method (presumably advances the process id sequence — TODO confirm).
        self.getProcessId()

        for position, call in enumerate(process['calls'], start=1):
            prefix = self.idMap['prefix']
            # NOTE(review): 'successful' receives the call's category string;
            # confirm that is the intended field rather than a success flag.
            action = maec.ActionType(
                id="%s:act:%s" % (prefix, self.getActionId()),
                ordinal_position=position,
                timestamp=call['timestamp'],
                successful=call['category'])

            # Prefer the process's own object id; fall back to the subject.
            try:
                initiator_id = self.idMap[process['process_name']]
            except KeyError:
                initiator_id = self.idMap['subject']
            action.set_Action_Initiator(
                maec.Action_InitiatorType(
                    type_='Process',
                    Initiator_Object=maec.ObjectReferenceType(
                        type_='Object', object_id=initiator_id)))

            impl = maec.ActionImplementationType(
                type_='API_Call',
                id="%s:imp:%s" % (prefix, self.getActImpId()))
            api_call = maec.APICallType(
                id="%s:api:%s" % (prefix, self.getApiCallId()),
                apifunction_name=call['api'],
                ReturnValue=call['return'])
            for arg_position, argument in enumerate(call['arguments'], start=1):
                api_call.add_APICall_Parameter(
                    maec.APICall_ParameterType(ordinal_position=arg_position,
                                               Name=argument['name'],
                                               Value=argument['value']))
            impl.set_API_Call(api_call)

            action.set_Action_Implementation(impl)
            self.actions.add_Action(action)
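 def createActionNet(self, packet):
     """Create a network action for one observed packet and register it.

     The action is attributed to the current analysis subject
     (``idMap["subject"]``), carries the packet's endpoints as
     Network_Action_Attributes, and is appended to ``self.actions``.
     @param packet: packet dict providing "src", "dst", "sport" and "dport".
     @return: action.
     """
     prefix = self.idMap["prefix"]
     act = maec.ActionType(id="%s:act:%s" % (prefix, self.getActionId()))
     act.set_Action_Initiator(
         maec.Action_InitiatorType(
             type_="Process",
             Initiator_Object=maec.ObjectReferenceType(
                 type_="Object", object_id=self.idMap["subject"])))
     ai = maec.ActionImplementationType(
         type_="Other",
         id="%s:imp:%s" % (prefix, self.getActImpId()))
     # src/sport are mapped to the Internal endpoint, dst/dport to External.
     net = maec.Network_Action_AttributesType(
         Internal_Port=packet["sport"],
         External_Port=packet["dport"],
         Internal_IP_Address=packet["src"],
         External_IP_Address=packet["dst"])
     ai.set_Network_Action_Attributes(net)
     act.set_Action_Implementation(ai)
     self.actions.add_Action(act)
     # The docstring promised the action but the method returned None;
     # returning it is backward-compatible for callers that ignored the result.
     return act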