def test_network_traffic_tcp_example(): h = stix2.TCPExt(src_flags_hex="00000002") nt = stix2.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, protocols="tcp", src_ref="0", extensions={'tcp-ext': h}) assert nt.extensions['tcp-ext'].src_flags_hex == "00000002"
def test_network_traffic_icmp_example(): h = stix2.ICMPExt(icmp_type_hex="08", icmp_code_hex="00") nt = stix2.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, protocols="tcp", src_ref="0", extensions={'icmp-ext': h}) assert nt.extensions['icmp-ext'].icmp_type_hex == "08" assert nt.extensions['icmp-ext'].icmp_code_hex == "00"
def test_network_traffic_example(): nt = stix2.NetworkTraffic(_valid_refs={ "0": "ipv4-addr", "1": "ipv4-addr" }, protocols="tcp", src_ref="0", dst_ref="1") assert nt.protocols == ["tcp"] assert nt.src_ref == "0" assert nt.dst_ref == "1"
def test_network_traffic_socket_example(): h = stix2.SocketExt(is_listening=True, address_family="AF_INET", protocol_family="PF_INET", socket_type="SOCK_STREAM") nt = stix2.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, protocols="tcp", src_ref="0", extensions={'socket-ext': h}) assert nt.extensions['socket-ext'].is_listening assert nt.extensions['socket-ext'].address_family == "AF_INET" assert nt.extensions['socket-ext'].protocol_family == "PF_INET" assert nt.extensions['socket-ext'].socket_type == "SOCK_STREAM"
def test_network_traffic_http_request_example(): h = stix2.HTTPRequestExt( request_method="get", request_value="/download.html", request_version="http/1.1", request_header={ "Accept-Encoding": "gzip,deflate", "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113", "Host": "www.example.com" }) nt = stix2.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, protocols="tcp", src_ref="0", extensions={'http-request-ext': h}) assert nt.extensions['http-request-ext'].request_method == "get" assert nt.extensions['http-request-ext'].request_value == "/download.html" assert nt.extensions['http-request-ext'].request_version == "http/1.1" assert nt.extensions['http-request-ext'].request_header[ 'Accept-Encoding'] == "gzip,deflate" assert nt.extensions['http-request-ext'].request_header[ 'User-Agent'] == "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113" assert nt.extensions['http-request-ext'].request_header[ 'Host'] == "www.example.com"
def decode_packets(capture, count): """ :type count: int :type capture: Union[pyshark.LiveCapture, pyshark.FileCapture] """ pkt_no = 0 all_observed = [] observed_objs = [] decoder = PacketDecoder() global off_line global write_bundle global pattern_file pattern_list = [] if pattern_file is not None: try: with io.open(pattern_file, 'r') as patterns_in: for pattern in patterns_in: pattern = pattern.strip() if not pattern: continue # skip blank lines if pattern[0] == u"#": continue # skip commented out lines escaped_pattern = pattern.encode("unicode_escape").decode( "ascii") print(escaped_pattern) pattern_list.append(Pattern(escaped_pattern)) except PermissionError as e: raise e for i in range(4): t = src.stixthread.STIXPoster(i, obj_queue) threads.append(t) t.start() for packet in capture: pkt_no += 1 sniff_timestamp = float(packet.sniff_timestamp) args, objects = decoder.decode(packet) if not len(args): continue logging.debug("args: %s", args) logging.debug("objects: %s", objects) net_traffic = stix2.NetworkTraffic(**args) objects[str(decoder.refcount)] = net_traffic decoder.refcount += 1 device = 'device--' + settings.get_devuuid(online=not off_line) observed = StixObservedData( first_observed=str(datetime.utcfromtimestamp(sniff_timestamp)), last_observed=str(datetime.utcfromtimestamp(sniff_timestamp)), number_observed=1, objects=objects, device_ref=device) print(observed) # Debug # all_observed.append(json.loads(str(observed))) if len(pattern_list): matches = [] matched = False for p in pattern_list: matches = p.match([json.loads(observed.serialize())]) if len(matches): matched = True # print('matched: ', observed.serialize()) if not matched: observed = None if observed: logging.debug(observed) observed_objs.append(observed) if not off_line: print('Putting object into queue') obj_queue.put(observed) if 0 > count > pkt_no: break obj_queue.join() for t in threads: t.stop() t.join() if write_bundle is not None: try: fp = open(write_bundle, 'w') except PermissionError as e: raise e else: with fp: stix_bundle = Bundle(*observed_objs, allow_custom=True) fp.writelines(stix_bundle.serialize(pretty=True)) fp.close()