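def update_maec(infilename, outfilename):
    """Upgrade a MAEC document to schema 2.1 (Package) / 4.1 (Bundle) and write it out.

    Args:
        infilename: Path to the input MAEC XML document. It is parsed with
            ``check_version=False`` so that documents carrying an older
            schema_version are accepted.
        outfilename: Path the updated document is written to.

    For a Package, schema_version becomes "2.1", every Bundle under a
    Malware Subject's Findings Bundles gets schema_version "4.1", and
    Analysis type values of "manual" are rewritten as "in-depth". For a
    top-level Bundle only its schema_version is set to "4.1". Any other
    top-level object is written back unchanged.

    NOTE(review): the document is parsed by ``maec.parse_xml_instance``;
    confirm that the underlying XML parser disables external entity
    resolution before running this on documents from untrusted sources.
    """
    maec_objects = maec.parse_xml_instance(infilename, check_version=False)
    api_object = maec_objects['api']

    if isinstance(api_object, Package):
        api_object.schema_version = "2.1"
        # ``or []`` guards: a Malware Subject may carry None for analyses /
        # findings_bundles when it has none (presumed; the original code
        # would raise on None here) -- confirm against the python-maec in use.
        for malware_subject in api_object.malware_subjects or []:
            for analysis in malware_subject.analyses or []:
                if analysis.type == "manual":
                    analysis.type = "in-depth"
            findings_bundles = malware_subject.findings_bundles
            if findings_bundles is not None:
                for bundle in findings_bundles.bundles or []:
                    bundle.schema_version = "4.1"
    elif isinstance(api_object, Bundle):
        api_object.schema_version = "4.1"

    api_object.to_xml_file(outfilename)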
def extract_indicators(package, config_directory=None):
    """Extract STIX Indicators from a MAEC Package file.

    Args:
        package: The MAEC Package file or file-like object to wrap.
        config_directory: (optional) The path to the directory housing the
            indicator extraction configuration files.

    Returns:
        If indicators were extracted, a ``stix.STIXPackage`` instance with
        the extracted STIX Indicators. Otherwise, if no indicators were
        extracted, ``None``.
    """
    maec_package = maec.parse_xml_instance(package)['api']

    # The extractor is handed the on-disk path only when *package* really is
    # one; for file-like objects (or a non-existent path) it gets None.
    package_is_path = isinstance(package, basestring) and os.path.isfile(package)
    package_filename = package if package_is_path else None

    extractor = IndicatorExtractor(maec_package, package_filename, config_directory)
    return extractor.extract()
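def process_maec_file(filename):
    """Deduplicate a MAEC document and write the result next to the input.

    Args:
        filename: Path to a MAEC Package or Bundle XML file. The output is
            written to ``<stem>_deduplicated.xml`` (same directory, same stem).

    Nothing is written when the document fails to parse or when its
    top-level object is neither a Package nor a Bundle.
    """
    # os.path.splitext() instead of find(".xml"): when ".xml" was absent
    # (e.g. an upper-case extension) find() returned -1 and the old slice
    # silently dropped the last character of the name.
    stem, _ext = os.path.splitext(filename)
    new_filename = "%s_deduplicated.xml" % stem

    parsed_objects = maec.parse_xml_instance(filename)
    if not parsed_objects:
        return

    api_object = parsed_objects['api']
    if isinstance(api_object, Package):
        api_object.deduplicate_malware_subjects()
        api_object.to_xml_file(new_filename)
    elif isinstance(api_object, Bundle):
        api_object.deduplicate()
        api_object.to_xml_file(new_filename)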
def process_maec_file(filename, bundle_list):
    """Append every Bundle contained in a MAEC document to *bundle_list*.

    Args:
        filename: Path to a MAEC XML document; parsed with
            ``check_version=False`` so older schema versions are accepted.
        bundle_list: List that is extended in place. For a Package, all
            Bundles of every Malware Subject (via ``get_all_bundles()``) are
            added; for a top-level Bundle, the Bundle itself.

    Documents that fail to parse or hold another top-level type add nothing.
    """
    parsed_objects = maec.parse_xml_instance(filename, check_version=False)
    if not parsed_objects:
        return

    api_object = parsed_objects['api']
    if isinstance(api_object, Package):
        subjects = api_object.malware_subjects
        if subjects:
            for subject in subjects:
                bundle_list.extend(subject.get_all_bundles())
    elif isinstance(api_object, Bundle):
        bundle_list.append(api_object)
def process_maec_file(filename, bundle_list):
    """Collect the Bundles of one MAEC document into *bundle_list* (in place).

    Args:
        filename: Path to the MAEC XML document. Schema version checking is
            disabled (``check_version=False``).
        bundle_list: Receives every Bundle from each Malware Subject of a
            Package, or the document itself when it is a top-level Bundle.
    """
    parsed_objects = maec.parse_xml_instance(filename, check_version=False)
    api_object = parsed_objects['api'] if parsed_objects else None

    if api_object is None:
        return
    if isinstance(api_object, Bundle):
        bundle_list.append(api_object)
        return
    if not isinstance(api_object, Package):
        return

    # Package: flatten the Bundles of all Malware Subjects.
    for subject in (api_object.malware_subjects or []):
        for bundle in subject.get_all_bundles():
            bundle_list.append(bundle)
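def main():
    """Command-line entry point: compute distances between MAEC Packages.

    Input Packages come from ``-l`` (an explicit list of files) or ``-d``
    (every ``.xml`` file in a directory); documents that are not Packages
    are skipped. ``--only_static`` / ``--only_dynamic`` restrict the feature
    set used by ``Distance``. The distance table is written to the CSV file
    named by the positional ``output`` argument.

    NOTE(review): input files are parsed by ``maec.parse_xml_instance``;
    confirm the underlying XML parser disables external entity resolution
    before running this on documents from untrusted sources.
    """
    parser = argparse.ArgumentParser(description="MAEC Distance Calculation script")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-l", "-list", nargs="+",
                       help="a space separated list of MAEC Package files to calculate the distances for")
    group.add_argument("-d", "-directory",
                       help="the path to a directory of MAEC Package files to calculate the distances for")
    # Each option string is given once (the original repeated them).
    parser.add_argument("--only_static", action="store_true",
                        help="use only static features in the distance calculation")
    parser.add_argument("--only_dynamic", action="store_true",
                        help="use only dynamic features (Actions) in the distance calculation")
    parser.add_argument("output",
                        help="the name of the CSV file to which the calculated distances will be written")
    args = parser.parse_args()

    # Resolve the input paths first, then parse them in one loop.
    if args.l:
        input_paths = list(args.l)
    elif args.d:
        # endswith() rather than ``'.xml' in name``, which also matched names
        # such as ``foo.xml.bak``; sorted() makes the CSV row order stable
        # across runs instead of depending on os.listdir() order.
        input_paths = [os.path.join(args.d, name)
                       for name in sorted(os.listdir(args.d))
                       if name.endswith(".xml")]
    else:
        input_paths = []

    package_list = []
    for path in input_paths:
        api_obj = maec.parse_xml_instance(path)['api']
        if isinstance(api_obj, Package):
            package_list.append(api_obj)

    # Select the features used for the distance calculation. Passing both
    # flags disables both feature sets, as in the original script.
    dist = Distance(package_list)
    if args.only_static:
        dist.options_dict['use_dynamic_features'] = False
    if args.only_dynamic:
        dist.options_dict['use_static_features'] = False
    dist.calculate()

    # ``with`` closes the output file even if print_distances() raises.
    with open(args.output, mode='w') as out_file:
        dist.print_distances(out_file)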
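def process_maec_file(filename):
    """Deduplicate a MAEC document, printing how long parsing and deduplicating took.

    Args:
        filename: Path to a MAEC Package or Bundle XML file. The result is
            written to ``<stem>_deduplicated.xml`` beside the input.

    Nothing is written when the document fails to parse or its top-level
    object is neither a Package nor a Bundle; the timings are printed
    regardless.
    """
    # os.path.splitext() instead of find(".xml"): when ".xml" was absent
    # find() returned -1 and the slice dropped the last character of the name.
    stem, _ext = os.path.splitext(filename)
    new_filename = "%s_deduplicated.xml" % stem

    start_time = timeit.default_timer()
    parsed_objects = maec.parse_xml_instance(filename)
    print("Parsing: %s" % (timeit.default_timer() - start_time))

    start_time = timeit.default_timer()
    if parsed_objects:
        api_object = parsed_objects['api']
        if isinstance(api_object, Package):
            api_object.deduplicate_malware_subjects()
            api_object.to_xml_file(new_filename)
        elif isinstance(api_object, Bundle):
            api_object.deduplicate()
            api_object.to_xml_file(new_filename)
    # Report the value that was measured; the original computed ``elapsed``
    # and then printed a second, later reading of the timer instead.
    elapsed = timeit.default_timer() - start_time
    print("Deduplicating: %s" % elapsed)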
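def merge_documents(input_list, output_file):
    '''Merge a list of input MAEC documents and write them to an output file

    Args:
        input_list: Paths (or file-like objects) of the MAEC documents to
            merge, each parsed with ``maec.parse_xml_instance``.
        output_file: Destination passed through to ``merge_packages``.

    Only MAEC Packages are merged. Any other document type is reported on
    stdout and left out of the merge (the original printed the error but
    still passed the document to merge_packages()).
    '''
    packages = []
    for input_file in input_list:
        api_representation = maec.parse_xml_instance(input_file)['api']
        if isinstance(api_representation, Package):
            packages.append(api_representation)
        else:
            print('Error: unsupported document type. Currently only MAEC Packages are supported')

    merge_packages(packages, output_file)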
def process_maec_file(filename):
    """Deduplicate one MAEC document and report parse/deduplicate timings.

    Args:
        filename: Path to a MAEC Package or Bundle XML file. The deduplicated
            document is written to ``<stem>_deduplicated.xml`` next to it.

    No output file is produced when parsing fails or the top-level object is
    neither a Package nor a Bundle; both timing lines are still printed.
    """
    stem = os.path.splitext(filename)[0]
    new_filename = "%s_deduplicated.xml" % stem

    # Phase 1: parse.
    t0 = timeit.default_timer()
    parsed_objects = maec.parse_xml_instance(filename)
    print("Parsing: %s" % (timeit.default_timer() - t0))

    # Phase 2: deduplicate and write.
    t0 = timeit.default_timer()
    api_object = parsed_objects['api'] if parsed_objects else None
    if isinstance(api_object, Package):
        api_object.deduplicate_malware_subjects()
        api_object.to_xml_file(new_filename)
    elif isinstance(api_object, Bundle):
        api_object.deduplicate()
        api_object.to_xml_file(new_filename)
    print("Deduplicating: %s" % (timeit.default_timer() - t0))
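def merge_documents(input_list, output_file):
    '''Merge a list of input MAEC documents and write them to an output file

    Args:
        input_list: Paths (or file-like objects) of the MAEC documents to
            merge, each parsed with ``maec.parse_xml_instance``.
        output_file: Path the merged Package is written to.

    Only MAEC Packages are merged. Any other document type is reported on
    stdout and excluded from the merge (the original printed the error but
    still passed the document to merge_packages()).
    '''
    packages = []
    for input_file in input_list:
        api_representation = maec.parse_xml_instance(input_file)['api']
        if isinstance(api_representation, Package):
            packages.append(api_representation)
        else:
            print('Error: unsupported document type. Currently only MAEC Packages are supported')

    merged_package = merge_packages(packages)

    # The namespace mapping gives the merged document's "merged" prefix.
    merged_package.to_xml_file(output_file, {"https://github.com/MAECProject/python-maec":"merged"})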
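def merge_documents(input_list, output_file):
    '''Merge a list of input MAEC documents and write them to an output file

    Args:
        input_list: Paths (or file-like objects) of the MAEC documents to
            merge, each parsed with ``maec.parse_xml_instance``.
        output_file: Path the merged Package is written to.

    Only MAEC Packages are merged. Any other document type is reported on
    stdout and excluded from the merge (the original printed the error but
    still passed the document to merge_packages()).
    '''
    packages = []
    for input_file in input_list:
        api_representation = maec.parse_xml_instance(input_file)['api']
        if isinstance(api_representation, Package):
            packages.append(api_representation)
        else:
            print(
                'Error: unsupported document type. Currently only MAEC Packages are supported'
            )

    merged_package = merge_packages(packages)

    # The namespace mapping gives the merged document's "merged" prefix.
    merged_package.to_xml_file(
        output_file, {"https://github.com/MAECProject/python-maec": "merged"})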
def wrap_maec_package(package):
    """Wrap a MAEC Package file in a STIX Package/TTP.

    Args:
        package: The MAEC Package file or file-like object to wrap.

    Returns:
        A ``stix.STIXPackage`` instance with the wrapped MAEC data.
    """
    maec_package = maec.parse_xml_instance(package)['api']

    # Pass the on-disk path along only when *package* is an existing file;
    # file-like objects (or missing paths) yield None.
    package_is_path = isinstance(package, basestring) and os.path.isfile(package)
    package_filename = package if package_is_path else None

    return wrap_maec(maec_package, package_filename)
# MAEC Example 2 - Simple Parsing Example
# Demonstrates how to parse an existing MAEC document with the
# parse_xml_instance() method. Uses the MAEC Package created by the
# package_generation_example as input.
#
# NOTE(review): parse_xml_instance() reads XML from disk; confirm the
# underlying parser disables external entity resolution before running this
# against documents from untrusted sources.
import maec

# parse_xml_instance() returns a dict; the 'api' entry is the Package object.
maec_objects = maec.parse_xml_instance("sample_maec_package.xml")
maec_package = maec_objects['api']

# Print the ID of every Malware Subject in the Package.
for subject in maec_package.malware_subjects:
    print(subject.id_)