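def create_indicator_stix(self, entity):
    """Export an OpenCTI indicator as STIX 1 and create a Tanium Detect intel document for it.

    Parameters:
        entity: OpenCTI entity dict; only ``entity["id"]`` is read here.

    Returns:
        The intel document returned by ``self._query`` on success, or ``None``
        when the STIX conversion or the API call raised (the error is logged).
    """
    # Export to a STIX 2 bundle first; export errors propagate to the caller.
    stix2_bundle = self.helper.api.stix2.export_entity(
        "Indicator",
        entity["id"],
        "simple",
        None,
        True,
    )
    # Convert the STIX 2 bundle to STIX 1 XML and POST it to the configured source.
    try:
        initialize_options()
        stix_indicator = slide_string(stix2_bundle)
        payload = {"intelDoc": stix_indicator}
        # str() so a non-string source_id cannot raise a TypeError that the
        # except below would silently turn into a None result.
        intel_document = self._query(
            "post",
            "/plugin/products/detect3/api/v1/sources/"
            + str(self.source_id)
            + "/intels",
            payload,
            "application/xml",
            "stix",
        )
        return intel_document
    except Exception as e:
        # Best-effort: log and signal failure to the caller with None.
        self.helper.log_error(str(e))
        return None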
def test_setup_options(opts):
    """Initializing from ``opts`` must expose every option through ``get_option_value``."""
    # Clear options left by an earlier test so initialize_options() can run again.
    options.ALL_OPTIONS = None
    initialize_options(opts)

    # Boolean flag: identity check, not just falsiness.
    assert get_option_value("no_squirrel_gaps") is False

    expected = {
        "use_namespace": "foobar",
        "log_level": "DEBUG",
        "disabled": [201, 302],
    }
    for option_name, expected_value in expected.items():
        assert get_option_value(option_name) == expected_value
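def _get_stix_package(in_json):
    """Build a STIX 1 package from STIX 2 JSON text, converting only ``indicator`` objects.

    Accepts a JSON list of objects, a ``bundle`` (its ``objects`` list is
    scanned) or a single ``indicator`` object. Objects of any other type are
    ignored.

    Parameters:
        in_json: JSON text; the error message indicates it is an HTTP request
            body, so treat it as untrusted input.

    Returns:
        The ``package`` of a fresh ``stixmarx`` container, populated with the
        converted indicators.

    Raises:
        RuntimeError: if ``in_json`` is ``None`` or empty.
        ValueError: if ``in_json`` is not valid JSON (from ``json.loads``).
    """
    if not in_json:
        raise RuntimeError('request body is empty.')

    initialize_options()
    container = stixmarx.new()
    stix_package = container.package
    json_content = json.loads(in_json)

    for candidate in _iter_candidate_objects(json_content):
        if "type" in candidate and candidate["type"] == "indicator":
            stix_package.add_indicator(convert_indicator(candidate))

    # flush() finalizes the container before the package is handed out
    # (per stixmarx's API — confirm if the marking semantics matter here).
    container.flush()
    return stix_package


def _iter_candidate_objects(json_content):
    """Yield the STIX 2 objects to inspect for the three accepted input shapes."""
    if isinstance(json_content, list):
        yield from json_content
    elif "type" in json_content and json_content["type"] == "bundle":
        objects = json_content.get("objects")
        if objects and isinstance(objects, list):
            yield from objects
    elif "type" in json_content and json_content["type"] == "indicator":
        yield json_content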
def test_override_default_namespace():
    """A ``use_namespace`` override must appear as both the xmlns prefix and the id prefix."""
    here = os.path.dirname(__file__)
    idioms_dir = find_dir(here, "idioms-json")
    sample = os.path.join(idioms_dir, "cve-in-exploit-target.json")

    initialize_options()
    set_option_value("use_namespace", "somenamespace http://somenamespace.com")
    output_xml = slide_file(sample)

    # Both the namespace declaration and the id prefix must use the override.
    expected_fragments = (
        "xmlns:somenamespace=\"http://somenamespace.com\"",
        "id=\"somenamespace:",
    )
    for fragment in expected_fragments:
        assert fragment in output_xml
def main():
    """CLI entry point: convert the file named on the command line and print the result.

    Exits with status 1 when ``slide_file`` returns nothing.
    """
    # Parse stix-slider command-line args
    parser = _get_arg_parser()
    args = parser.parse_args()
    initialize_options(args)

    converted = slide_file(args.file_)
    if not converted:
        # Nothing produced: report failure through the exit status.
        sys.exit(1)
    print(converted + "\n")
def test_idiom_mapping(test_file, stored_master):
    """Convert ``test_file`` afresh and compare the resulting XML against the stored master tree."""
    print("Checking - " + test_file)
    initialize_options()

    fresh_tree = xml.to_etree(StringIO(slide_file(test_file)))
    fresh_root = fresh_tree.getroot()
    master_root = stored_master.getroot()

    # Structural comparison first, then the marking-specific comparison.
    assert xml_compare(fresh_root, master_root, reporter=print)
    marking_compare(fresh_root, master_root)
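def _create_indicator_stix(self, entity, original_intel_document=None):
    """Convert an OpenCTI entity to STIX 1 and create or update its Tanium intel document.

    Parameters:
        entity: OpenCTI entity dict; ``entity["entity_type"]`` and
            ``entity["id"]`` are read.
        original_intel_document: existing Tanium intel document to overwrite
            (PUT). When ``None``, an existing document is looked up by entity
            id and returned as-is if found; otherwise a new one is created (POST).

    Returns:
        The intel document returned by ``self._get_by_id`` or ``self._query``.
    """
    # Function-scope import keeps the file's import block untouched.
    from xml.sax.saxutils import escape

    if original_intel_document is None:
        intel_document = self._get_by_id(entity["id"])
        if intel_document is not None:
            return intel_document

    stix2_bundle = self.helper.api.stix2.export_entity(
        entity["entity_type"],
        entity["id"],
        "simple",
        None,
        True,
        True,
    )
    initialize_options()
    stix_indicator = slide_string(stix2_bundle)

    # Replace every indicator Description with the OpenCTI id (presumably so
    # _get_by_id can map the Tanium document back to its entity). One pattern
    # covers both the bare element and one carrying attributes such as
    # ordinality="1"; DOTALL so a multi-line description is replaced instead
    # of being silently left in place. The replacement is a callable so that
    # backslashes or "\1" inside the id are not interpreted by re.sub, and the
    # id is XML-escaped before it is spliced into the document.
    description_re = re.compile(
        r"<indicator:Description(\s[^>]*)?>.*?</indicator:Description>",
        re.DOTALL,
    )
    escaped_id = escape(entity["id"])
    stix_indicator = description_re.sub(
        lambda m: "<indicator:Description"
        + (m.group(1) or "")
        + ">"
        + escaped_id
        + "</indicator:Description>",
        stix_indicator,
    )

    payload = {"intelDoc": stix_indicator}
    if original_intel_document is not None:
        # NOTE(review): PUT sends the raw XML while POST wraps it in "intelDoc";
        # this mirrors the existing behaviour — confirm against the Detect API.
        return self._query(
            "put",
            "/plugin/products/detect3/api/v1/intels/"
            + str(original_intel_document["id"]),
            stix_indicator,
            "application/xml",
            "stix",
        )
    return self._query(
        "post",
        "/plugin/products/detect3/api/v1/sources/"
        + str(self.source_id)
        + "/intels",
        payload,
        "application/xml",
        "stix",
    )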
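def main():
    """CLI entry point: convert the file named on the command line.

    The result is written to ``out_file`` when one was given, otherwise
    printed to stdout. Exits with status 1 when ``slide_file`` returns nothing.
    """
    # Parse stix-slider command-line args
    slider_arg_parser = _get_arg_parser()
    slider_args = slider_arg_parser.parse_args()
    initialize_options(slider_args)

    result = slide_file(slider_args.file_)
    if not result:
        sys.exit(1)

    if slider_args.out_file:
        # Context manager so the file is closed (and flushed) even if write()
        # raises; explicit UTF-8 so non-ASCII content does not depend on the
        # locale's default encoding.
        with open(slider_args.out_file, "w", encoding="utf-8") as out:
            out.write(result)
    else:
        print(result + "\n")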
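def stix2to1():
    """Convert ``../data/stixv2.json`` (STIX 2) to STIX 1 and write ``./stixv2.xml``.

    Only ``indicator`` objects are converted; the input may be a JSON list of
    objects, a ``bundle`` or a single ``indicator``. Any error is printed with
    its traceback rather than propagated.
    """
    try:
        data_dir = os.path.abspath(
            os.path.join(os.path.dirname(os.path.abspath(__file__)), '../data'))
        in_str = read2str(os.path.join(data_dir, 'stixv2.json'))
        initialize_options()
        container = stixmarx.new()
        stix_package = container.package
        json_content = json.loads(in_str)

        # Normalize the three accepted input shapes to one list of candidates.
        if isinstance(json_content, list):
            candidates = json_content
        elif "type" in json_content and json_content["type"] == "bundle":
            objects = json_content.get("objects")
            candidates = objects if objects and isinstance(objects, list) else []
        elif "type" in json_content and json_content["type"] == "indicator":
            candidates = [json_content]
        else:
            candidates = []

        for json_data in candidates:
            if "type" in json_data and json_data["type"] == "indicator":
                stix_package.add_indicator(convert_indicator(json_data))

        container.flush()
        out_fname = './stixv2.xml'
        write2file(out_fname, stix_package.to_xml())
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit still
        # propagate; print() form works on both Python 2 and 3.
        print(traceback.format_exc())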
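def update_indicator_stix(self, intel_id, entity):
    """Re-export an OpenCTI indicator as STIX 1 and PUT it over an existing Tanium intel document.

    Parameters:
        intel_id: id of the Tanium intel document to overwrite.
        entity: OpenCTI entity dict; only ``entity["id"]`` is read.

    Returns:
        The intel document returned by ``self._query`` on success, or ``None``
        when the STIX conversion or the API call raised (the error is logged).
    """
    # Export to a STIX 2 bundle first; export errors propagate to the caller.
    stix2_bundle = self.helper.api.stix2.export_entity(
        "Indicator",
        entity["id"],
        "simple",
        None,
        True,
    )
    # Convert the STIX 2 bundle to STIX 1 XML and PUT it over the document.
    try:
        initialize_options()
        stix_indicator = slide_string(stix2_bundle)
        # str() so a numeric intel_id cannot raise a TypeError that the
        # except below would silently turn into a None result.
        intel_document = self._query(
            "put",
            "/plugin/products/detect3/api/v1/intels/" + str(intel_id),
            stix_indicator,
            "application/xml",
            "stix",
        )
        return intel_document
    except Exception as e:
        # Best-effort: log and signal failure to the caller with None.
        self.helper.log_error(str(e))
        return None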