def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
identity_dict = dict_repr.get('identity', None)
time_dict = dict_repr.get('time', None)
if identity_dict:
xsi_type = identity_dict.get('xsi:type')
if xsi_type:
type_name = xsi_type.split(":")[1]
if type_name == CIQIdentity3_0Instance._XML_TYPE:
return_obj.identity = CIQIdentity3_0Instance.from_dict(identity_dict)
else:
raise TypeError('No known class for xsi:type: %s' % (xsi_type))
else:
return_obj.identity = Identity.from_dict(identity_dict)
if time_dict:
return_obj.time = Time.from_dict(time_dict)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
identity_dict = dict_repr.get('identity')
time_dict = dict_repr.get('time')
tools_list = dict_repr.get('tools')
if identity_dict:
xsi_type = identity_dict.get('xsi:type')
if xsi_type:
type_name = xsi_type.split(":")[1]
if type_name == CIQIdentity3_0Instance._XML_TYPE:
return_obj.identity = CIQIdentity3_0Instance.from_dict(
identity_dict)
else:
raise TypeError('No known class for xsi:type: %s' %
(xsi_type))
else:
return_obj.identity = Identity.from_dict(identity_dict)
if time_dict:
return_obj.time = Time.from_dict(time_dict)
if tools_list:
return_obj.tools = ToolInformationList.from_list(tools_list)
return return_obj
def create_information_source(identity20_tuple):
identity_obj = identity20_tuple[0]
used_before = identity20_tuple[1]
if used_before:
return InformationSource(identity=Identity(idref=identity_obj.id_))
else:
identity20_tuple[1] = True
return InformationSource(identity=identity_obj)
def convert_identity(ident20):
if ("sectors" in ident20 or "contact_information" in ident20
or "labels" in ident20 or "identity_class" in ident20
or "description" in ident20):
ident1x = CIQIdentity3_0Instance()
id1x = convert_id20(ident20["id"])
ident1x.id_ = id1x
if ident20["identity_class"] != "organization":
ident1x.name = ident20["name"]
if "labels" in ident20:
ident1x.roles = ident20["labels"]
if ("sectors" in ident20 or "contact_information" in ident20
or "identity_class" in ident20 or "description" in ident20):
ident1x.specification = STIXCIQIdentity3_0()
if ident20["identity_class"] == "organization":
party_name = PartyName()
party_name.add_organisation_name(text_type(ident20["name"]))
ident1x.specification.party_name = party_name
if "sectors" in ident20:
first = True
for s in ident20["sectors"]:
if first:
ident1x.specification.organisation_info = \
OrganisationInfo(text_type(convert_open_vocabs_to_controlled_vocabs(s, SECTORS_MAP, False)[0]))
first = False
else:
warn(
"%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
401, "Identity", "sectors", s)
# Identity in 1.x has no description property, use free-text-lines
if "identity_class" in ident20:
add_missing_property_to_free_text_lines(
ident1x.specification, "identity_class",
ident20["identity_class"])
# Because there is format defined in the specification for this property, it is difficult to
# determine how to convert the information probably found within it to the CIQ fields, so it will be put
# in the free_text_lines
if "contact_information" in ident20:
add_missing_property_to_free_text_lines(
ident1x.specification, "contact_information",
ident20["contact_information"])
if "description" in ident20:
add_missing_property_to_free_text_lines(
ident1x.specification, "description",
ident20["description"])
else:
ident1x = Identity(id_=convert_id20(ident20["id"]),
name=ident20["name"])
if "object_marking_refs" in ident20:
for m_id in ident20["object_marking_refs"]:
ms = create_marking_specification(m_id)
if ms:
CONTAINER.add_marking(ident1x, ms, descendants=True)
if "granular_markings" in ident20:
error(
"Granular Markings present in '%s' are not supported by stix2slider",
604, ident20["id"])
return ident1x
def _make_information_source(self):
# Tool情報作成
tool = ToolInformation()
tool.name = const.SNS_TOOL_NAME
tool.vendor = const.SNS_TOOL_VENDOR
tools = ToolInformationList()
tools.append(tool)
# Identity 作成
identity = Identity(name=SNSConfig.get_sns_identity_name())
# Information Source 作成
information_source = InformationSource()
information_source.tools = tools
information_source.identity = identity
return information_source
def set_producer_identity(self, identity):
"""Sets the name of the producer of this indicator.
This is the same as calling
``indicator.producer.identity.name = identity``.
If the ``producer`` property is ``None``, it will be initialized to
an instance of
:class:`stix.common.information_source.InformationSource`.
If the ``identity`` property of the ``producer`` instance is ``None``,
it will be initialized to an instance of
:class:`stix.common.identity.Identity`.
Note:
if the `identity` parameter is not an instance
:class:`stix.common.identity.Identity` an attempt will be made
to convert it to one.
Args:
identity: An instance of ``str`` or
``stix.common.identity.Identity``.
"""
def unset_producer_identity():
try:
self.producer.identity.name = None
except AttributeError:
pass
if not identity:
unset_producer_identity()
return
if not self.producer:
self.producer = InformationSource()
if isinstance(identity, Identity):
self.producer.identity = identity
return
if not self.producer.identity:
self.producer.identity = Identity()
self.producer.identity.name = str(identity)
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
if obj.get_Identity():
identity_obj = obj.get_Identity()
if isinstance(identity_obj, ciq_identity_binding.CIQIdentity3_0InstanceType):
return_obj.identity = CIQIdentity3_0Instance.from_obj(identity_obj)
elif type(identity_obj) == stix_common_binding.IdentityType:
return_obj.identity = Identity.from_obj(identity_obj)
if obj.get_Time():
return_obj.time = Time.from_obj(obj.get_Time())
return return_obj
def to_stix_indicator(obj):
"""
Creates a STIX Indicator object from a CybOX object.
Returns the STIX Indicator and the original CRITs object's
releasability list.
"""
from stix.indicator import Indicator as S_Ind
from stix.common.identity import Identity
ind = S_Ind()
obs, releas = to_cybox_observable(obj)
for ob in obs:
ind.add_observable(ob)
#TODO: determine if a source wants its name shared. This will
# probably have to happen on a per-source basis rather than a per-
# object basis.
identity = Identity(name=settings.COMPANY_NAME)
ind.set_producer_identity(identity)
return (ind, releas)
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
if obj.get_Identity():
identity_obj = obj.get_Identity()
if isinstance(identity_obj,
ciq_identity_binding.CIQIdentity3_0InstanceType):
return_obj.identity = CIQIdentity3_0Instance.from_obj(
identity_obj)
elif type(identity_obj) == stix_common_binding.IdentityType:
return_obj.identity = Identity.from_obj(identity_obj)
if obj.get_Time():
return_obj.time = Time.from_obj(obj.get_Time())
if obj.get_Tools():
return_obj.tools = ToolInformationList.from_obj(obj.get_Tools())
return return_obj
def _fix_value(self, value):
return Identity(name=value)
def to_stix(obj, items_to_convert=[], loaded=False, bin_fmt="raw"):
"""
Converts a CRITs object to a STIX document.
The resulting document includes standardized representations
of all related objects noted within items_to_convert.
:param items_to_convert: The list of items to convert to STIX/CybOX
:type items_to_convert: Either a list of CRITs objects OR
a list of {'_type': CRITS_TYPE, '_id': CRITS_ID} dicts
:param loaded: Set to True if you've passed a list of CRITs objects as
the value for items_to_convert, else leave False.
:type loaded: bool
:param bin_fmt: Specifies the format for Sample data encoding.
Options: None (don't include binary data in STIX output),
"raw" (include binary data as is),
"base64" (base64 encode binary data)
:returns: A dict indicating which items mapped to STIX indicators, ['stix_indicators']
which items mapped to STIX observables, ['stix_observables']
which items are included in the resulting STIX doc, ['final_objects']
and the STIX doc itself ['stix_obj'].
"""
from cybox.common import Time, ToolInformationList, ToolInformation
from stix.common import StructuredText, InformationSource
from stix.core import STIXPackage, STIXHeader
from stix.common.identity import Identity
# These lists are used to determine which CRITs objects
# go in which part of the STIX document.
ind_list = ['Indicator']
obs_list = [
'Certificate', 'Domain', 'Email', 'IP', 'PCAP', 'RawData', 'Sample'
]
actor_list = ['Actor']
# Store message
stix_msg = {
'stix_incidents': [],
'stix_indicators': [],
'stix_observables': [],
'stix_actors': [],
'final_objects': []
}
if not loaded: # if we have a list of object metadata, load it before processing
items_to_convert = [
class_from_id(item['_type'], item['_id'])
for item in items_to_convert
]
# add self to the list of items to STIXify
if obj not in items_to_convert:
items_to_convert.append(obj)
# add any email attachments
attachments = []
for obj in items_to_convert:
if obj._meta['crits_type'] == 'Email':
for rel in obj.relationships:
if rel.relationship == RelationshipTypes.CONTAINS:
atch = class_from_id('Sample', rel.object_id)
if atch not in items_to_convert:
attachments.append(atch)
items_to_convert.extend(attachments)
# grab ObjectId of items
refObjs = {key.id: 0 for key in items_to_convert}
relationships = {}
stix = []
from stix.indicator import Indicator as S_Ind
for obj in items_to_convert:
obj_type = obj._meta['crits_type']
if obj_type == class_from_type('Event')._meta['crits_type']:
stx, release = to_stix_incident(obj)
stix_msg['stix_incidents'].append(stx)
elif obj_type in ind_list: # convert to STIX indicators
stx, releas = to_stix_indicator(obj)
stix_msg['stix_indicators'].append(stx)
refObjs[obj.id] = S_Ind(idref=stx.id_)
elif obj_type in obs_list: # convert to CybOX observable
if obj_type == class_from_type('Sample')._meta['crits_type']:
stx, releas = to_cybox_observable(obj, bin_fmt=bin_fmt)
else:
stx, releas = to_cybox_observable(obj)
# wrap in stix Indicator
ind = S_Ind()
for ob in stx:
ind.add_observable(ob)
ind.title = "CRITs %s Top-Level Object" % obj_type
ind.description = ("This is simply a CRITs %s top-level "
"object, not actually an Indicator. "
"The Observable is wrapped in an Indicator"
" to facilitate documentation of the "
"relationship." % obj_type)
ind.confidence = 'None'
stx = ind
stix_msg['stix_indicators'].append(stx)
refObjs[obj.id] = S_Ind(idref=stx.id_)
elif obj_type in actor_list: # convert to STIX actor
stx, releas = to_stix_actor(obj)
stix_msg['stix_actors'].append(stx)
# get relationships from CRITs objects
for rel in obj.relationships:
if rel.object_id in refObjs:
relationships.setdefault(stx.id_, {})
relationships[stx.id_][rel.object_id] = (
rel.relationship, rel.rel_confidence.capitalize(),
rel.rel_type)
stix_msg['final_objects'].append(obj)
stix.append(stx)
# set relationships on STIX objects
for stix_obj in stix:
for rel in relationships.get(stix_obj.id_, {}):
if isinstance(refObjs.get(rel), S_Ind): # if is STIX Indicator
stix_obj.related_indicators.append(refObjs[rel])
rel_meta = relationships.get(stix_obj.id_)[rel]
stix_obj.related_indicators[-1].relationship = rel_meta[0]
stix_obj.related_indicators[-1].confidence = rel_meta[1]
# Add any Email Attachments to CybOX EmailMessage Objects
if isinstance(stix_obj, S_Ind):
if 'EmailMessage' in stix_obj.observable.object_.id_:
if rel_meta[0] == 'Contains' and rel_meta[
2] == 'Sample':
email = stix_obj.observable.object_.properties
email.attachments.append(refObjs[rel].idref)
tool_list = ToolInformationList()
tool = ToolInformation("CRITs", "MITRE")
tool.version = settings.CRITS_VERSION
tool_list.append(tool)
i_s = InformationSource(time=Time(produced_time=datetime.now()),
identity=Identity(name=settings.COMPANY_NAME),
tools=tool_list)
if obj._meta['crits_type'] == "Event":
stix_desc = obj.description()
stix_int = obj.event_type()
stix_title = obj.title()
else:
stix_desc = "STIX from %s" % settings.COMPANY_NAME
stix_int = "Collective Threat Intelligence"
stix_title = "Threat Intelligence Sharing"
header = STIXHeader(information_source=i_s,
description=StructuredText(value=stix_desc),
package_intents=[stix_int],
title=stix_title)
stix_msg['stix_obj'] = STIXPackage(incidents=stix_msg['stix_incidents'],
indicators=stix_msg['stix_indicators'],
threat_actors=stix_msg['stix_actors'],
stix_header=header,
id_=uuid.uuid4())
return stix_msg
tool.type_ = AttackerToolType('Malware')
tool.description = 'Tool Description'
tool.short_description = 'Tool Short Description'
infrastructure = Infrastructure(title='Leveraged Domains')
infrastructure.types = AttackerInfrastructureType('Domain Registration')
infrastructure.description = 'Infrastructure Description'
infrastructure.short_description = 'Infrastructure Short Description'
domain = DomainName()
domain.value = 'totally-not-malware.biz'
observable = Observable(domain)
infrastructure.observable_characterization = Observables(
Observable(idref=observable.id_))
personas = Personas()
personas.append(Identity(name='Stephen Golub'))
resource = Resource(tools=Tools(tool),
infrastructure=infrastructure,
personas=personas)
ttp.resources = resource
related_ttp = RelatedTTP(TTP(idref=ttp.id_))
# TTP - Related Threat Actor (basic; by id)
ta = ThreatActor(title='Adversary Bravo')
ta.observed_ttps.append(related_ttp)
# TTP - Related TTP2 (Malware; by id)
ttp2 = TTP(title='Poison Ivy Variant')
malware_instance = MalwareInstance(title='Poison Ivy Variant d1c6')
def to_stix(self, username=None):
"""
Converts a CRITs event to a STIX document.
The resulting document includes all related emails, samples, and
indicators converted to CybOX Observable objects.
Returns the STIX document and releasability constraints.
(NOTE: the following statement is untrue until the
releasability checking is finished, which includes setting
releasability on all CRITs objects.)
Raises UnreleasableEventError if the releasability on the
relationships and the event do not share any common releasability
sources.
"""
from crits.emails.email import Email
from crits.samples.sample import Sample
from crits.indicators.indicator import Indicator
from cybox.common import Time, ToolInformationList, ToolInformation
from cybox.core import Observables
from stix.common import StructuredText
from stix.core import STIXPackage, STIXHeader
from stix.common import InformationSource
from stix.common.identity import Identity
stix_indicators = []
stix_observables = []
final_objects = []
# create a list of sources to send as part of the results.
# list should be limited to the sources this user is allowed to use.
# this list should be used along with the list of objects to set the
# appropriate source's 'released' key to True for each object.
final_sources = []
user_source_list = user_sources(username)
for f in self.releasability:
if f.name in user_source_list:
final_sources.append(f.name)
final_sources = set(final_sources)
# TODO: eventually we can use class_from_id instead of the if block
# but only once we support all CRITs types.
for r in self.relationships:
obj = None
if r.rel_type == Email._meta['crits_type']:
obj = Email.objects(id=r.object_id,
source__name__in=user_source_list).first()
if obj:
ind, releas = obj.to_cybox()
stix_observables.append(ind[0])
elif r.rel_type == Sample._meta['crits_type']:
obj = Sample.objects(id=r.object_id,
source__name__in=user_source_list).first()
if obj:
ind, releas = obj.to_cybox()
for i in ind:
stix_observables.append(i)
elif r.rel_type == Indicator._meta['crits_type']:
#NOTE: Currently this will raise an exception if there
# are multiple indicators with the same value.
# Should be fixed automatically once we transition
# indicators to be related based on ObjectId rather
# than value.
obj = Indicator.objects(id=r.object_id,
source__name__in=user_source_list).first()
if obj:
ind, releas = obj.to_stix_indicator()
stix_indicators.append(ind)
else:
continue
#Create a releasability list that is the intersection of
# each related item's releasability with the event's
# releasability. If the resulting set is empty, raise exception
#TODO: Set releasability on all objects so that we actually
# get results here instead of always raising an exception.
if obj:
releas_sources = set([rel.name for rel in releas])
final_sources = final_sources.intersection(releas_sources)
#TODO: uncomment the following lines when objects have
# releasability set.
#if not final_sources:
# raise UnreleasableEventError(r.value)
# add to the final_objects list to send as part of the results
final_objects.append(obj)
tool_list = ToolInformationList()
tool = ToolInformation("CRITs", "MITRE")
tool.version = settings.CRITS_VERSION
tool_list.append(tool)
i_s = InformationSource(
time=Time(produced_time= datetime.datetime.now()),
identity = Identity(name=settings.COMPANY_NAME),
tools = tool_list
)
description = StructuredText(value=self.description)
header = STIXHeader(information_source=i_s,
description=description,
package_intent=self.event_type,
title=self.title)
return (STIXPackage(indicators=stix_indicators,
observables=Observables(stix_observables),
stix_header=header,
id_=self.event_id),
final_sources,
final_objects)
