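def generate_stix2x_id(stix2x_so_name, stix12_id=None, id_used=False):
    """Produce a STIX 2.x identifier (``<type>--<uuid>``) for a 1.x object.

    Args:
        stix2x_so_name: the STIX 2.x object type (for example ``"indicator"``).
            When ``None`` the type is derived from the 1.x id's own
            ``<namespace>:<type>`` prefix via ``map_1x_type_to_20``.
        stix12_id: the STIX 1.x id, expected to end in a UUID.  When absent a
            brand-new id is minted and recorded via ``add_ids_with_no_1x_object``.
        id_used: set when ``stix12_id`` has already been consumed by another
            2.x object; a fresh uuid is generated instead and warning 726 is
            emitted.

    Returns:
        The 2.x id string, or ``None`` when no 2.x type can be determined
        (errors 604 / 629).
    """
    if not stix12_id or id_used:
        new_id = stix2x_so_name + "--" + str(uuid.uuid4())
        # this id has no 1.x counterpart; remember it for later bookkeeping
        add_ids_with_no_1x_object(new_id)
        if id_used and stix12_id:
            warn("%s already used, generated new id %s", 726, stix12_id, new_id)
        return new_id

    # the pattern accepts any UUID version, not only version 4
    result = re.search(
        '^(.+)-([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})',
        stix12_id)
    if not result:
        if stix2x_so_name:
            warn("Malformed id %s. Generated a new uuid", 605, stix12_id)
            return stix2x_so_name + "--" + str(uuid.uuid4())
        error("Unable to determine the STIX 2.x type for %s, which is malformed", 629, stix12_id)
        return None

    current_uuid = result.group(2)
    if stix2x_so_name is not None:
        return stix2x_so_name + "--" + current_uuid

    # no 2.x type given: derive it from the "<namespace>:<type>" prefix
    stx1x_type = result.group(1).split(":")
    if len(stx1x_type) < 2:
        # a prefix without ":" carries no usable 1.x type; previously this
        # indexed [1] unconditionally and raised IndexError
        error("Unable to determine the STIX 2.x type for %s", 604, stix12_id)
        return None
    # ttp and et prefixes are rejected outright (presumably because a 1.x type
    # alone does not pick a single 2.x type for them)
    if stx1x_type[1].lower() in ("ttp", "et"):
        error("Unable to determine the STIX 2.x type for %s", 604, stix12_id)
        return None
    return map_1x_type_to_20(stx1x_type[1]) + "--" + current_uuid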
def record_ids(stix_id, new_id):
    """Associate a STIX 1.x id with the 2.x id that was generated for it.

    If ``stix_id`` already maps to other ids, those are reported (info 703)
    before the new association is added.  A ``None`` ``new_id`` is rejected
    with error 611 and nothing is recorded.
    """
    already_known = stix_id in _IDS_TO_NEW_IDS
    if already_known:
        previous = tuple(_IDS_TO_NEW_IDS[stix_id])
        info("%s is already associated other ids: %s", 703, str(stix_id), previous)
    if new_id is not None:
        add_id_value(stix_id, new_id)
    else:
        error("Can not associate %s with None", 611, stix_id)
def convert_registry_key(reg_key):
    """Convert a CybOX 1.x registry key object into a STIX 2.x
    ``windows-registry-key`` observable dictionary.

    The ``key`` property is the hive (followed by a backslash) joined with the
    key; when neither is present error 608 is logged and ``key`` is omitted.
    Each 1.x registry value becomes a dictionary carrying whichever of
    ``data``, ``name`` and ``data_type`` it provides, and ``modified_time``
    is rendered as ``modified`` via ``convert_timestamp_to_string``.
    """
    sco = {"type": "windows-registry-key"}

    hive = reg_key.hive
    key = reg_key.key
    if key or hive:
        parts = []
        if hive:
            parts.append(hive.value + "\\")
        if key:
            parts.append(key.value)
        sco["key"] = "".join(parts)
    else:
        error("windows-registry-key is required to have a key property", 608)

    if reg_key.values:
        converted = []
        # (1.x attribute, 2.x property) pairs, in the order they are emitted
        for src, dst in (("data", "data"), ("name", "name"), ("datatype", "data_type")):
            pass
        for v in reg_key.values:
            entry = {}
            for src, dst in (("data", "data"), ("name", "name"), ("datatype", "data_type")):
                raw = getattr(v, src, None)
                if raw:
                    entry[dst] = text_type(raw)
            converted.append(entry)
        sco["values"] = converted

    if reg_key.modified_time:
        sco["modified"] = convert_timestamp_to_string(reg_key.modified_time)
    return sco
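def generate_stix20_id(stix20_so_name, stix12_id=None, id_used=False):
    """Produce a STIX 2.0 identifier (``<type>--<uuid>``) for a 1.x object.

    Args:
        stix20_so_name: the STIX 2.0 object type (for example ``"indicator"``).
            When ``None`` the type is derived from the 1.x id's
            ``<namespace>:<type>`` prefix via ``map_1x_type_to_20``.
        stix12_id: the STIX 1.x id, expected to end in a UUID.  When absent a
            brand-new id is minted and recorded via ``add_ids_with_no_1x_object``.
        id_used: set when ``stix12_id`` was already consumed by another 2.0
            object, forcing a fresh uuid.

    Returns:
        The 2.0 id string, or ``None`` when no 2.0 type can be determined
        (error 604).
    """
    if not stix12_id or id_used:
        new_id = stix20_so_name + "--" + text_type(uuid.uuid4())
        # this id has no 1.x counterpart; remember it for later bookkeeping
        add_ids_with_no_1x_object(new_id)
        return new_id

    result = re.search(
        '^(.+)-([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})',
        stix12_id)
    if not result:
        if stix20_so_name is None:
            # no 2.0 type and no usable 1.x id: nothing can be produced.
            # previously this fell through to None + "--" and raised TypeError.
            error("Unable to determine the STIX 2.0 type for %s", 604, stix12_id)
            return None
        warn("Malformed id %s. Generated a new uuid", 605, stix12_id)
        return stix20_so_name + "--" + text_type(uuid.uuid4())

    current_uuid = result.group(2)
    if stix20_so_name is not None:
        return stix20_so_name + "--" + current_uuid

    # no 2.0 type given: derive it from the "<namespace>:<type>" prefix
    stx1x_type = result.group(1).split(":")
    if len(stx1x_type) < 2:
        # a prefix without ":" carries no usable 1.x type; previously this
        # indexed [1] unconditionally and raised IndexError
        error("Unable to determine the STIX 2.0 type for %s", 604, stix12_id)
        return None
    # ttp and et prefixes are rejected outright (presumably because a 1.x type
    # alone does not pick a single 2.0 type for them)
    if stx1x_type[1].lower() in ("ttp", "et"):
        error("Unable to determine the STIX 2.0 type for %s", 604, stix12_id)
        return None
    return map_1x_type_to_20(stx1x_type[1]) + "--" + current_uuid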
def record_ids(stix_id, new_id):
    """Associate a STIX 1.x id with the 2.x id that was generated for it.

    If ``stix_id`` already maps to other ids, those are reported (info 703)
    before the new association is added.  A ``None`` ``new_id`` is rejected
    with error 611 and nothing is recorded.
    """
    already_known = stix_id in _IDS_TO_NEW_IDS
    if already_known:
        previous = tuple(_IDS_TO_NEW_IDS[stix_id])
        info("%s is already associated other ids: %s", 703, text_type(stix_id), previous)
    if new_id is not None:
        add_id_value(stix_id, new_id)
    else:
        error("Could not associate %s with None", 611, stix_id)
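def convert_file_properties(f):
    """Convert a CybOX 1.x File object into a STIX 2.x ``file`` observable.

    Args:
        f: the 1.x File object; its ``size``, ``hashes``, ``file_name``,
            ``file_path``, ``device_path`` and ``full_path`` properties are read.

    Returns:
        A ``(file_dict, dir_dict)`` pair.  ``file_dict`` is the ``file``
        observable.  ``dir_dict`` is a ``directory`` observable built from the
        directory part of ``file_path`` (prefixed with ``device_path`` when
        present), or ``None`` when ``file_path`` has no directory part.
    """
    file_dict = {"type": "file"}
    dir_dict = None

    if f.size is not None:
        if isinstance(f.size.value, list):
            # a 1.x size window (range) has no 2.x equivalent; keep its first bound
            error("File size window not allowed in top level observable, using first value", 511)
            file_dict["size"] = int(f.size.value[0])
        else:
            # NOTE(review): relies on the 1.x size object converting with int();
            # unchanged from the original — confirm against the cybox type
            file_dict["size"] = int(f.size)

    if f.hashes is not None:
        hashes = {}
        for h in f.hashes:
            hash_name = text_type(h.type_)
            if hash_name.startswith("SHA"):
                # 1.x writes the family without a dash ("SHA256"); 2.x wants
                # "SHA-256".  lstrip keeps an already-dashed value from
                # becoming "SHA--256".
                hash_type = "SHA-" + hash_name[3:].lstrip("-")
            elif hash_name == "SSDEEP":
                hash_type = hash_name.lower()
            else:
                hash_type = hash_name
            hashes[hash_type] = h.simple_hash_value.value
        file_dict["hashes"] = hashes

    if f.file_name:
        file_dict["name"] = text_type(f.file_name)
    elif f.file_path and f.file_path.value:
        path = f.file_path.value
        # prefer "/" as the separator, fall back to "\" for Windows paths
        sep = path.rfind("/")
        if sep == -1:
            sep = path.rfind("\\")
        # a path ending in a separator names a directory, not a file
        if not path.endswith(("/", "\\")):
            file_dict["name"] = path[sep + 1:]
        # with no separator the whole value is the file name and there is no
        # directory part; the old path[0:-1] wrongly dropped the name's last
        # character and emitted it as a directory
        dir_path = path[:sep] if sep != -1 else ""
        if dir_path:
            device = f.device_path.value if f.device_path else ""
            dir_dict = {"type": "directory", "path": device + dir_path}

    if f.full_path:
        warn("1.x full file paths are not processed, yet", 802)

    return file_dict, dir_dict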