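def buildObservable(input_dict):
    """Build a CybOX ``Observable`` from a flat input dictionary.

    Required keys: ``description``, ``title`` and ``source``. Optional keys:
    ``keyword`` (a single keyword string), ``objectType`` (one of
    ``'Address'``, ``'File'``, ``'URI'``) and ``object`` (the value for that
    type). Values are copied verbatim from *input_dict*; nothing here
    validates them, any escaping happens when cybox serializes the XML.

    The XML form of the observable is printed before it is returned.

    :param input_dict: mapping with the keys listed above
    :return: the populated ``Observable``
    :raises KeyError: if ``description``, ``title`` or ``source`` is missing
    """
    # TODO: add incident and confidence
    observable = Observable()
    observable.description = input_dict['description']
    observable.title = input_dict['title']

    source = MeasureSource()
    source.name = input_dict['source']
    # observable_source is assigned as a list: the model holds several
    # sources, so the single source is wrapped.
    observable.observable_source = [source]

    # Optional keys are read with .get() so an input that omits them does
    # not raise KeyError.
    keyword = input_dict.get('keyword')
    if keyword:
        observable.add_keyword(keyword)

    # Event conversion (an Event built from input_dict['event']) is not yet
    # supported.

    object_type = input_dict.get('objectType')
    object_value = input_dict.get('object')
    if object_type and object_value:
        properties = _buildObjectProperties(object_type, object_value)
        # Only attach an Object when a known type produced properties; an
        # Object with no properties would serialize as an empty element.
        if properties is not None:
            cybObj = Object()
            cybObj.properties = properties
            observable.object_ = cybObj

    print(observable.to_xml())
    return observable


def _buildObjectProperties(object_type, object_value):
    """Return the cybox properties instance for *object_type*, or ``None``.

    Known types: ``'Address'``, ``'File'`` (the value is stored as the
    file's path) and ``'URI'``. Any other type yields ``None`` so the
    caller can skip attaching an object.
    """
    if object_type == 'Address':
        return Address(object_value)
    if object_type == 'File':
        file_properties = File()
        file_properties.file_path = FilePath(object_value)
        return file_properties
    if object_type == 'URI':
        return URI(object_value)
    return None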
    def test_round_trip(self):
        """Round-trip an Observables package that carries a package source.

        Two e-mail Address observables are wrapped in an ``Observables``
        container whose ``observable_package_source`` is a ``MeasureSource``
        with class, source type and description set; the dict form must be
        unchanged after serializing and re-parsing.
        """
        email_one = Address("*****@*****.**", Address.CAT_EMAIL)
        email_two = Address("*****@*****.**", Address.CAT_EMAIL)

        package_source = MeasureSource()
        package_source.class_ = "System"
        package_source.source_type = "Analysis"
        package_source.description = StructuredText("A Description")

        original = Observables([email_one, email_two])
        original.observable_package_source = package_source

        reparsed = round_trip(original, output=True)
        self.assertEqual(original.to_dict(), reparsed.to_dict())
    def test_round_trip(self):
        """Serialize and re-parse an Observables package with a package source.

        The package holds two e-mail Address observables and a
        ``MeasureSource`` (class, source type, description) as its
        ``observable_package_source``; ``to_dict()`` of the original and of
        the round-tripped copy must be equal.
        """
        addresses = [
            Address("*****@*****.**", Address.CAT_EMAIL),
            Address("*****@*****.**", Address.CAT_EMAIL),
        ]

        source = MeasureSource()
        source.class_ = "System"
        source.source_type = "Analysis"
        source.description = StructuredText("A Description")

        package = Observables(addresses)
        package.observable_package_source = source

        restored = round_trip(package, output=True)
        self.assertEqual(package.to_dict(), restored.to_dict())
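    def from_dict(observable_dict):
        """Build an ``Observable`` from its dictionary representation.

        :param observable_dict: dict as produced by ``to_dict``; falsy
            input yields ``None``
        :return: a new ``Observable``, or ``None``
        """
        if not observable_dict:
            return None

        # Imported here rather than at module level, presumably to avoid a
        # circular import inside cybox.core -- keep it local.
        from cybox.core import PatternFidelity
        obs = Observable()

        # id/idref are copied verbatim from the input; nothing here checks
        # that an idref resolves to a known id.
        obs.id_ = observable_dict.get('id')
        obs.title = observable_dict.get('title')
        obs.description = StructuredText.from_dict(
            observable_dict.get('description'))
        obs.object_ = Object.from_dict(observable_dict.get('object'))
        # 'event' is an Event, not an Object (from_obj uses Event.from_obj);
        # parsing it with Object.from_dict silently treated it as an Object.
        obs.event = Event.from_dict(observable_dict.get('event'))
        obs.observable_composition = ObservableComposition.from_dict(
            observable_dict.get('observable_composition'))
        obs.idref = observable_dict.get('idref')
        obs.sighting_count = observable_dict.get('sighting_count')
        sources = observable_dict.get('observable_source')
        if sources:
            obs.observable_source = [MeasureSource.from_dict(x) for x in sources]
        obs.keywords = Keywords.from_dict(observable_dict.get('keywords'))
        obs.pattern_fidelity = PatternFidelity.from_dict(
            observable_dict.get('pattern_fidelity'))

        return obs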
    def from_obj(observable_obj):
        """Build an ``Observable`` from its generated binding object.

        :param observable_obj: binding instance; falsy input yields ``None``
        :return: a new ``Observable``, or ``None``
        """
        if not observable_obj:
            return None

        # Local import, presumably to sidestep a circular import in cybox.core.
        from cybox.core import PatternFidelity
        binding = observable_obj
        observable = Observable()

        observable.id_ = binding.id
        observable.title = binding.Title
        observable.description = StructuredText.from_obj(binding.Description)
        observable.object_ = Object.from_obj(binding.Object)
        observable.event = Event.from_obj(binding.Event)
        observable.observable_composition = ObservableComposition.from_obj(
            binding.Observable_Composition)
        observable.idref = binding.idref
        observable.sighting_count = binding.sighting_count
        # Observable_Source is only converted when present; otherwise the
        # attribute keeps whatever Observable() initialized it to.
        if binding.Observable_Source:
            observable.observable_source = [
                MeasureSource.from_obj(source)
                for source in binding.Observable_Source
            ]
        observable.keywords = Keywords.from_obj(binding.Keywords)
        observable.pattern_fidelity = PatternFidelity.from_obj(
            binding.Pattern_Fidelity)

        return observable
    def _create_observables(self, msg):
        """Wrap the parsed e-mail message in an ``Observables`` package.

        The package's ``observable_package_source`` records this script as
        the producing tool (file name, description, vendor and version).

        :param msg: the e-mail message handed to ``__parse_email_message``
        :return: an ``Observables`` container
        """
        package = Observables(self.__parse_email_message(msg))

        tool = ToolInformation()
        tool.name = os.path.basename(__file__)
        tool.description = StructuredText("Email to CybOX conversion script")
        tool.vendor = "The MITRE Corporation"
        tool.version = __version__

        tools = ToolInformationList()
        tools.append(tool)

        package_source = MeasureSource()
        package_source.tools = tools
        package.observable_package_source = package_source
        return package
    def execute(self, device_info, data_dir_path, simple_output=False, html_output=False):
        """Extract, inspect and write the CybOX output for one device.

        Creates the extraction directory under *data_dir_path* (an existing
        one is reused), runs the extractor and then the inspector, and
        writes the inspected and source observables to two XML files in
        *data_dir_path*. HTML is generated from them on request.

        :param device_info: DeviceInfo
        :param data_dir_path: string, directory that receives all output
        :param simple_output: use integer ids instead of UUIDs; also passed
            through to the XML writer
        :param html_output: additionally run ``generate_html_files`` on
            *data_dir_path*
        """
        extracted_dir = os.path.join(data_dir_path, EXTRACTED_DATA_DIR_NAME)
        try:
            os.makedirs(extracted_dir)
        except OSError as err:
            # Only "already exists" is tolerated; any other error propagates.
            if err.errno != errno.EEXIST:
                raise

        self.extractor.execute(extracted_dir, self.param_values)

        id_method = IDGenerator.METHOD_INT if simple_output else IDGenerator.METHOD_UUID
        set_id_method(id_method)

        inspected_objects, source_objects = self.inspector.execute(device_info, extracted_dir)
        inspected = Observables(inspected_objects)
        sources = Observables(source_objects)

        tool_info = ToolInformation()
        tool_info.name = 'Android Inspector'
        tool_info.version = '1.0'

        package_source = MeasureSource()
        package_source.tool_type = ToolType.TERM_DIGITAL_FORENSICS
        package_source.tools = ToolInformationList([tool_info])
        # NOTE(review): datetime.now() is naive (local time, no UTC offset);
        # a produced_time on forensic output is easier to correlate with an
        # explicit timezone -- confirm what consumers expect.
        package_source.time = Time(produced_time=datetime.now().isoformat())

        # Both packages are attributed to the same measure source.
        for package in (inspected, sources):
            package.observable_package_source = package_source

        outputs = (
            (inspected, INSPECTED_DATA_FILE_NAME),
            (sources, SOURCE_DATA_FILE_NAME),
        )
        for package, file_name in outputs:
            write_observables_xml_file(package,
                                       os.path.join(data_dir_path, file_name),
                                       simple_output)

        if html_output:
            generate_html_files(data_dir_path)
    def from_dict(observables_dict):
        """Build an ``Observables`` container from its dictionary form.

        ``None`` input yields ``None``. Each entry under ``"observables"``
        is parsed with ``Observable.from_dict`` and added; the
        ``observable_package_source`` entry is parsed as a ``MeasureSource``.

        :param observables_dict: dict as produced by ``to_dict``
        :return: a new ``Observables``, or ``None``
        """
        if observables_dict is None:
            return None

        # TODO: look at major_version and minor_version
        container = Observables()

        for entry in observables_dict.get("observables", []):
            container.add(Observable.from_dict(entry))

        source_dict = observables_dict.get('observable_package_source')
        container.observable_package_source = MeasureSource.from_dict(source_dict)
        return container
    def from_obj(observables_obj):
        """Build an ``Observables`` container from its binding object.

        Falsy input yields ``None``. Every element of the binding's
        ``Observable`` list becomes an ``Observable``; the binding's
        ``Observable_Package_Source`` becomes the ``MeasureSource``.

        :param observables_obj: binding instance
        :return: a new ``Observables``, or ``None``
        """
        if not observables_obj:
            return None

        # TODO: look at major_version and minor_version
        container = Observables()

        # The binding's Observable attribute is iterated as a list, one
        # entry per child element.
        for child in observables_obj.Observable:
            container.add(Observable.from_obj(child))

        package_source = observables_obj.Observable_Package_Source
        container.observable_package_source = MeasureSource.from_obj(package_source)
        return container
    def from_obj(observable_obj):
        """Build an ``Observable`` from its generated binding object.

        Uses the binding's getter methods. Falsy input yields ``None``;
        ``Observable_Source`` is only converted when the binding has one.

        :param observable_obj: binding instance
        :return: a new ``Observable``, or ``None``
        """
        if not observable_obj:
            return None

        binding = observable_obj
        observable = Observable()

        observable.id_ = binding.get_id()
        observable.title = binding.get_Title()
        observable.description = StructuredText.from_obj(binding.get_Description())
        observable.object_ = Object.from_obj(binding.get_Object())
        observable.event = Event.from_obj(binding.get_Event())
        observable.observable_composition = ObservableComposition.from_obj(
            binding.get_Observable_Composition())
        observable.idref = binding.get_idref()
        observable.sighting_count = binding.get_sighting_count()

        sources = binding.get_Observable_Source()
        if sources:
            observable.observable_source = [
                MeasureSource.from_obj(source) for source in sources
            ]
        return observable
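    def from_dict(observable_dict):
        """Build an ``Observable`` from its dictionary representation.

        :param observable_dict: dict as produced by ``to_dict``; falsy
            input yields ``None``
        :return: a new ``Observable``, or ``None``
        """
        if not observable_dict:
            return None

        obs = Observable()

        # id/idref are copied verbatim; nothing here checks that an idref
        # resolves to a known id.
        obs.id_ = observable_dict.get('id')
        obs.title = observable_dict.get('title')
        obs.description = StructuredText.from_dict(observable_dict.get('description'))
        obs.object_ = Object.from_dict(observable_dict.get('object'))
        # 'event' is an Event, not an Object (from_obj uses Event.from_obj);
        # parsing it with Object.from_dict silently treated it as an Object.
        obs.event = Event.from_dict(observable_dict.get('event'))
        obs.observable_composition = ObservableComposition.from_dict(
            observable_dict.get('observable_composition'))
        obs.idref = observable_dict.get('idref')
        obs.sighting_count = observable_dict.get('sighting_count')
        sources = observable_dict.get('observable_source')
        if sources:
            obs.observable_source = [MeasureSource.from_dict(x) for x in sources]

        return obs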
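    def from_dict(observable_dict):
        """Build an ``Observable`` from its dictionary representation.

        :param observable_dict: dict as produced by ``to_dict``; falsy
            input yields ``None``
        :return: a new ``Observable``, or ``None``
        """
        if not observable_dict:
            return None

        # Imported here rather than at module level, presumably to avoid a
        # circular import inside cybox.core -- keep it local.
        from cybox.core import PatternFidelity
        obs = Observable()

        # id/idref are copied verbatim; nothing here checks that an idref
        # resolves to a known id.
        obs.id_ = observable_dict.get('id')
        obs.title = observable_dict.get('title')
        obs.description = StructuredText.from_dict(observable_dict.get('description'))
        obs.object_ = Object.from_dict(observable_dict.get('object'))
        # 'event' is an Event, not an Object (from_obj uses Event.from_obj);
        # parsing it with Object.from_dict silently treated it as an Object.
        obs.event = Event.from_dict(observable_dict.get('event'))
        obs.observable_composition = ObservableComposition.from_dict(
            observable_dict.get('observable_composition'))
        obs.idref = observable_dict.get('idref')
        obs.sighting_count = observable_dict.get('sighting_count')
        sources = observable_dict.get('observable_source')
        if sources:
            obs.observable_source = [MeasureSource.from_dict(x) for x in sources]
        obs.keywords = Keywords.from_dict(observable_dict.get('keywords'))
        obs.pattern_fidelity = PatternFidelity.from_dict(
            observable_dict.get('pattern_fidelity'))

        return obs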
    def from_obj(observable_obj):
        """Build an ``Observable`` from its generated binding object.

        :param observable_obj: binding instance; falsy input yields ``None``
        :return: a new ``Observable``, or ``None``
        """
        if not observable_obj:
            return None

        # Local import, presumably to sidestep a circular import in cybox.core.
        from cybox.core import PatternFidelity
        binding = observable_obj
        observable = Observable()

        observable.id_ = binding.id
        observable.title = binding.Title
        observable.description = StructuredText.from_obj(binding.Description)
        observable.object_ = Object.from_obj(binding.Object)
        observable.event = Event.from_obj(binding.Event)
        observable.observable_composition = ObservableComposition.from_obj(
            binding.Observable_Composition)
        observable.idref = binding.idref
        observable.sighting_count = binding.sighting_count

        # Observable_Source is only converted when the binding has one.
        sources = binding.Observable_Source
        if sources:
            observable.observable_source = [
                MeasureSource.from_obj(source) for source in sources
            ]
        observable.keywords = Keywords.from_obj(binding.Keywords)
        observable.pattern_fidelity = PatternFidelity.from_obj(binding.Pattern_Fidelity)

        return observable
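 def from_dict(action_dict, action_cls=None):
     """Populate an ``Action`` (or the given instance) from its dict form.

     :param action_dict: dict as produced by ``to_dict``; falsy input
         yields ``None``
     :param action_cls: an already-constructed instance to fill in
         (presumably a subclass instance); a fresh ``Action`` when ``None``
     :return: the populated instance, or ``None``
     """
     if not action_dict:
         return None

     # Identity test rather than ==, which would invoke action_cls.__eq__.
     action_ = Action() if action_cls is None else action_cls

     # id/idref are copied verbatim; nothing here checks that an idref
     # resolves to a known id.
     action_.id = action_dict.get('id')
     action_.idref = action_dict.get('idref')
     action_.ordinal_position = action_dict.get('ordinal_position')
     action_.action_status = action_dict.get('action_status')
     action_.context = action_dict.get('context')
     action_.timestamp = action_dict.get('timestamp')
     action_.type = VocabString.from_dict(action_dict.get('type'))
     action_.name = VocabString.from_dict(action_dict.get('name'))
     action_.description = StructuredText.from_dict(action_dict.get('description'))
     # List-valued members default to an empty list when the key is absent.
     action_.action_aliases = action_dict.get('action_aliases', [])
     action_.action_arguments = ActionArguments.from_list(action_dict.get('action_arguments', []))
     action_.discovery_method = MeasureSource.from_dict(action_dict.get('discovery_method'))
     action_.associated_objects = AssociatedObjects.from_list(action_dict.get('associated_objects', []))
     action_.relationships = ActionRelationships.from_list(action_dict.get('relationships', []))
     # TODO: add Frequency support (action_dict.get('frequency'))
     return action_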
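 def from_obj(action_obj, action_cls=None):
     """Populate an ``Action`` (or the given instance) from its binding object.

     :param action_obj: binding instance; falsy input yields ``None``
     :param action_cls: an already-constructed instance to fill in
         (presumably a subclass instance); a fresh ``Action`` when ``None``
     :return: the populated instance, or ``None``
     """
     if not action_obj:
         return None

     # Identity test rather than ==, which would invoke action_cls.__eq__.
     action_ = Action() if action_cls is None else action_cls

     # id/idref are copied verbatim; nothing here checks that an idref
     # resolves to a known id.
     action_.id = action_obj.get_id()
     action_.idref = action_obj.get_idref()
     action_.ordinal_position = action_obj.get_ordinal_position()
     action_.action_status = action_obj.get_action_status()
     action_.context = action_obj.get_context()
     action_.timestamp = action_obj.get_timestamp()
     action_.type = VocabString.from_obj(action_obj.get_Type())
     action_.name = VocabString.from_obj(action_obj.get_Name())
     action_.description = StructuredText.from_obj(action_obj.get_Description())

     # Optional children are only converted when present in the binding,
     # so an absent element leaves the member at its constructor default.
     action_arguments = action_obj.get_Action_Arguments()
     if action_arguments is not None:
         action_.action_arguments = ActionArguments.from_obj(action_arguments)
     action_.discovery_method = MeasureSource.from_obj(action_obj.get_Discovery_Method())
     associated_objects = action_obj.get_Associated_Objects()
     if associated_objects is not None:
         action_.associated_objects = AssociatedObjects.from_obj(associated_objects)
     relationships = action_obj.get_Relationships()
     if relationships is not None:
         action_.relationships = ActionRelationships.from_obj(relationships)
     # TODO: add Frequency support (action_obj.get_Frequency())
     aliases = action_obj.get_Action_Aliases()
     if aliases is not None:
         action_.action_aliases = aliases.get_Action_Alias()
     return action_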
 def test_measure_source(self):
     """Round-trip a MeasureSource whose name is a non-ASCII string."""
     source = MeasureSource()
     source.name = UNICODE_STR
     # Only checks that serialization and re-parsing complete without error.
     round_trip(source)
 def test_measure_source(self):
     """Serialize and re-parse a MeasureSource carrying a non-ASCII name."""
     measure_source = MeasureSource()
     measure_source.name = UNICODE_STR
     # The result is discarded; the test only requires the round trip to run.
     restored = round_trip(measure_source)