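 def create_indicator_stix(self, entity):
     """Convert an OpenCTI indicator to STIX 1 and create it on the detect3 source.

     The entity is exported as a STIX 2 bundle via the OpenCTI API, converted to
     STIX 1 XML with stix2slider, and POSTed as an ``intelDoc`` under
     ``self.source_id``.

     Args:
         entity: dict with at least an ``"id"`` key (the OpenCTI indicator id).

     Returns:
         The response of ``self._query`` on success, ``None`` if the conversion
         or upload raised (the error is logged via ``self.helper.log_error``).
     """
     # Export to STIX 2 bundle
     stix2_bundle = self.helper.api.stix2.export_entity(
         "Indicator",
         entity["id"],
         "simple",
         None,
         True,
     )
     # Convert the STIX 2 bundle to STIX 1 and upload it
     try:
         # Initialise stix2slider's option store before converting
         initialize_options()
         stix_indicator = slide_string(stix2_bundle)
         payload = {"intelDoc": stix_indicator}
         # str() so a non-string source_id cannot raise TypeError in the path join
         intel_document = self._query(
             "post",
             "/plugin/products/detect3/api/v1/sources/" + str(self.source_id) + "/intels",
             payload,
             "application/xml",
             "stix",
         )
         return intel_document
     except Exception as e:
         # Best-effort: log and return None so the caller can continue with other entities
         self.helper.log_error(str(e))
         return None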
def test_setup_options(opts):
    """initialize_options(opts) must expose every parsed option via get_option_value."""
    # Reset the module-level option store so initialize_options() may populate it again.
    options.ALL_OPTIONS = None
    initialize_options(opts)

    expected = {
        "no_squirrel_gaps": False,
        "use_namespace": "foobar",
        "log_level": "DEBUG",
        "disabled": [201, 302],
    }
    for name, value in expected.items():
        actual = get_option_value(name)
        if value is False:
            # Identity check, as the option must be the bool False and not a falsy stand-in
            assert actual is False, name
        else:
            assert actual == value, name
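        def _get_stix_package(in_json):
            """Build a STIX 1 package from a STIX 2 JSON request body.

            Accepts a single indicator object, a bundle whose ``objects`` list
            contains indicators, or a bare list of indicator objects; every
            dict with ``"type": "indicator"`` is converted and added to the
            package. Anything else is ignored.

            Args:
                in_json: the raw JSON text of the request body.

            Returns:
                The populated ``stixmarx`` STIX package.

            Raises:
                RuntimeError: if the body is empty or ``None``.
                ValueError: from ``json.loads`` if the body is not valid JSON.
            """
            if not in_json:
                raise RuntimeError('request body is empty.')

            # Initialise stix2slider's option store before converting
            initialize_options()

            container = stixmarx.new()
            stix_package = container.package

            # NOTE(review): the body is parsed here without a size bound — confirm the
            # caller enforces a request-body limit before this point.
            json_content = json.loads(in_json)

            # Normalise the three accepted shapes into one list of candidate objects.
            if isinstance(json_content, list):
                candidates = json_content
            elif not isinstance(json_content, dict):
                candidates = []
            elif json_content.get("type") == "bundle":
                objects = json_content.get("objects")
                candidates = objects if isinstance(objects, list) else []
            else:
                candidates = [json_content]

            for json_data in candidates:
                # Only dicts can carry a "type"; a non-dict item previously raised
                # on the `"type" in json_data` test instead of being skipped.
                if isinstance(json_data, dict) and json_data.get("type") == "indicator":
                    stix_package.add_indicator(convert_indicator(json_data))

            container.flush()

            return stix_package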
def test_override_default_namespace():
    """Sliding with use_namespace set must emit that prefix and URI in the output."""
    here = os.path.dirname(__file__)
    sample = os.path.join(find_dir(here, "idioms-json"), "cve-in-exploit-target.json")

    initialize_options()
    set_option_value("use_namespace", "somenamespace http://somenamespace.com")
    xml_out = slide_file(sample)

    # Both the xmlns declaration and the id prefix must carry the overridden namespace.
    for fragment in (
        'xmlns:somenamespace="http://somenamespace.com"',
        'id="somenamespace:',
    ):
        assert fragment in xml_out
def main():
    """CLI entry point: slide the STIX 2 file named on the command line and print the STIX 1 XML.

    Exits with status 1 when the conversion yields no output.
    """
    # Parse stix-slider command-line args and hand them to the option store
    args = _get_arg_parser().parse_args()
    initialize_options(args)

    result = slide_file(args.file_)
    if not result:
        # Nothing was produced: signal failure to the shell
        sys.exit(1)
    print(result + "\n")
def test_idiom_mapping(test_file, stored_master):
    """A fresh slide of *test_file* must be XML-equivalent to the stored master document."""
    print("Checking - " + test_file)

    initialize_options()

    # Slide the idiom and parse the resulting STIX 1 XML into an etree for comparison
    fresh_tree = xml.to_etree(StringIO(slide_file(test_file)))
    fresh_root = fresh_tree.getroot()
    master_root = stored_master.getroot()

    assert xml_compare(fresh_root, master_root, reporter=print)
    marking_compare(fresh_root, master_root)
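 def _create_indicator_stix(self, entity, original_intel_document=None):
     """Create or update the detect3 intel document for an OpenCTI entity.

     When ``original_intel_document`` is ``None`` an existing document is looked
     up by entity id first and returned as-is if found; otherwise the entity is
     exported as a STIX 2 bundle, converted to STIX 1 XML with stix2slider, its
     description rewritten to the entity id, and the XML is POSTed to the
     source.  When an original document is given, the XML is PUT over it.

     Args:
         entity: dict with ``"id"`` and ``"entity_type"`` keys.
         original_intel_document: existing intel document (dict with ``"id"``)
             to update, or ``None`` to create a new one.

     Returns:
         The result of ``self._query`` (or of ``self._get_by_id`` when a
         document already exists).
     """
     if original_intel_document is None:
         intel_document = self._get_by_id(entity["id"])
         if intel_document is not None:
             return intel_document
     stix2_bundle = self.helper.api.stix2.export_entity(
         entity["entity_type"],
         entity["id"],
         "simple",
         None,
         True,
         True,
     )
     # Initialise stix2slider's option store before converting
     initialize_options()
     stix_indicator = slide_string(stix2_bundle)
     # Replace the description body with the entity id so the document can be
     # matched back to OpenCTI.  Both the plain and the ordinality="1" form of
     # the element are handled by one pattern; the original attribute (group 1)
     # is preserved.  A callable replacement is used so backslashes or group
     # references inside entity["id"] are inserted literally rather than being
     # interpreted as re.sub template escapes.
     # NOTE(review): entity["id"] is not XML-escaped here — confirm ids can
     # never contain '&' or '<'.
     entity_id = entity["id"]
     stix_indicator = re.sub(
         r'<indicator:Description( ordinality="1")?>(.*?)</indicator:Description>',
         lambda m: (
             "<indicator:Description"
             + (m.group(1) or "")
             + ">"
             + entity_id
             + "</indicator:Description>"
         ),
         stix_indicator,
     )
     if original_intel_document is not None:
         # Update in place: the PUT body is the raw XML (as in the original code)
         intel_document = self._query(
             "put",
             "/plugin/products/detect3/api/v1/intels/"
             + str(original_intel_document["id"]),
             stix_indicator,
             "application/xml",
             "stix",
         )
     else:
         # Create under the configured source: the POST body wraps the XML in intelDoc
         payload = {"intelDoc": stix_indicator}
         intel_document = self._query(
             "post",
             "/plugin/products/detect3/api/v1/sources/"
             + str(self.source_id)
             + "/intels",
             payload,
             "application/xml",
             "stix",
         )
     return intel_document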
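def main():
    """CLI entry point: slide a STIX 2 file to STIX 1 XML and print it or write it to out_file.

    Exits with status 1 when the conversion yields no output.
    """
    # Parse stix-slider command-line args
    slider_arg_parser = _get_arg_parser()
    slider_args = slider_arg_parser.parse_args()

    initialize_options(slider_args)
    result = slide_file(slider_args.file_)

    if not result:
        sys.exit(1)

    if slider_args.out_file:
        # Context manager guarantees the handle is flushed and closed even if write() raises.
        # NOTE(review): the file is opened with the platform default encoding — confirm this
        # matches the encoding the emitted XML declares.
        with open(slider_args.out_file, "w+") as f:
            f.write(result)
    else:
        print(result + "\n")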
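def stix2to1():
    """Convert ../data/stixv2.json to a STIX 1 package and write it to ./stixv2.xml.

    Accepts a single indicator, a bundle whose ``objects`` hold indicators, or a
    bare list of indicators; only dicts with ``"type": "indicator"`` are
    converted.  Any failure is printed with its traceback rather than raised.
    """
    try:
        data_dir = os.path.abspath(
            os.path.join(os.path.dirname(os.path.abspath(__file__)), '../data'))

        in_str = read2str(data_dir + '/stixv2.json')

        # Initialise stix2slider's option store before converting
        initialize_options()

        container = stixmarx.new()
        stix_package = container.package

        json_content = json.loads(in_str)

        # Normalise the three accepted input shapes into one list of candidate objects.
        if isinstance(json_content, list):
            candidates = json_content
        elif not isinstance(json_content, dict):
            candidates = []
        elif json_content.get("type") == "bundle":
            objects = json_content.get("objects")
            candidates = objects if isinstance(objects, list) else []
        else:
            candidates = [json_content]

        for json_data in candidates:
            # Only dicts can carry a "type"; skip anything else instead of raising
            if isinstance(json_data, dict) and json_data.get("type") == "indicator":
                stix_package.add_indicator(convert_indicator(json_data))

        container.flush()

        out_fname = './stixv2.xml'
        write2file(out_fname, stix_package.to_xml())

    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit still propagate.
        # print() call form, without .decode(), so this also runs under Python 3.
        print(traceback.format_exc())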
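 def update_indicator_stix(self, intel_id, entity):
     """Re-export an OpenCTI indicator to STIX 1 and PUT it over an existing detect3 intel document.

     Args:
         intel_id: id of the intel document to replace.
         entity: dict with at least an ``"id"`` key (the OpenCTI indicator id).

     Returns:
         The response of ``self._query`` on success, ``None`` if the conversion
         or upload raised (the error is logged via ``self.helper.log_error``).
     """
     # Export to STIX 2 bundle
     stix2_bundle = self.helper.api.stix2.export_entity(
         "Indicator",
         entity["id"],
         "simple",
         None,
         True,
     )
     # Convert the STIX 2 bundle to STIX 1 and upload it
     try:
         # Initialise stix2slider's option store before converting
         initialize_options()
         stix_indicator = slide_string(stix2_bundle)
         # str() so a non-string intel_id cannot raise TypeError in the path join
         intel_document = self._query(
             "put",
             "/plugin/products/detect3/api/v1/intels/" + str(intel_id),
             stix_indicator,
             "application/xml",
             "stix",
         )
         return intel_document
     except Exception as e:
         # Best-effort: log and return None so the caller can continue with other entities
         self.helper.log_error(str(e))
         return None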