def _get_email_recipients(header): """Parse a string into an EmailRecipients list""" if not header: return None recips = EmailRecipients() for match in EMAIL_PATTERN.findall(header): recips.append(match[0]) return recips
def test_list5(self): recips = EmailRecipients() recips.append(EmailAddress(self.email1)) recips.append(EmailAddress(self.email2)) self._compare(recips)
def test_list4(self): recips = EmailRecipients() recips.append(self.email1) recips.append(self.email2) self._compare(recips)
def test_list(self): recips = EmailRecipients(Address(self.email1, Address.CAT_EMAIL), Address(self.email2, Address.CAT_EMAIL)) self._compare(recips)
def test_list3(self): recips = EmailRecipients(self.email1, self.email2) self._compare(recips)
def test_list2(self): recips = EmailRecipients(EmailAddress(self.email1), EmailAddress(self.email2)) self._compare(recips)
def populate_email(self, cybox_email, attribute): # returns a cybox email object out of a ce1sus object def_name = attribute.definition.name if def_name == 'email_attachment_file_name': attachment = File() attachment.file_name = attribute.value attachment.file_name.condition = self.get_condition(attribute) # cybox_email.attachments = Attachments() # cybox_email.attachments.append(File) elif def_name == 'email_bcc': self.__check_set_email_header(cybox_email) if not cybox_email.header.bcc: cybox_email.header.bcc = EmailRecipients() cybox_email.header.bcc.append(self.create_EmailAddress(attribute)) elif def_name == 'email_cc': self.__check_set_email_header(cybox_email) if not cybox_email.header.cc: cybox_email.header.cc = EmailRecipients() cybox_email.header.bcc.append(self.create_EmailAddress(attribute)) elif def_name == 'email_errors_to': self.__check_set_email_header(cybox_email) self.set_check_attr(cybox_email, 'header.errors_to', attribute) elif def_name == 'email_message_id': self.__check_set_email_header(cybox_email) self.set_check_attr(cybox_email, 'header.message_id', attribute) elif def_name == 'email_mime_version': self.__check_set_email_header(cybox_email) self.set_check_attr(cybox_email, 'header.mime_version', attribute) elif def_name == 'email_raw_body': self.set_check_attr(cybox_email, 'raw_body', attribute) elif def_name == 'email_raw_header': self.set_check_attr(cybox_email, 'raw_header', attribute) elif def_name == 'email_reply_to': if not cybox_email.header.in_reply_to: self.__check_set_email_header(cybox_email) cybox_email.header.in_reply_to = EmailRecipients() cybox_email.header.in_reply_to.append( self.create_EmailAddress(attribute)) elif def_name == 'email_server': self.set_check_attr(cybox_email, 'email_server', attribute) elif def_name == 'email_subject': self.set_check_attr(cybox_email, 'subject', attribute) elif def_name == 'email_from': self.__check_set_email_header(cybox_email) if not cybox_email.header.from_: cybox_email.header.from_ = self.create_EmailAddress(attribute) elif def_name == 'email_to': self.__check_set_email_header(cybox_email) if not cybox_email.header.to: cybox_email.header.to = EmailRecipients() cybox_email.header.to.append(self.create_EmailAddress(attribute)) elif def_name == 'email_x_mailer': self.set_check_attr(cybox_email, 'header.x_mailer', attribute) elif def_name == 'email_x_originating_ip': self.set_check_attr(cybox_email, 'header.x_originating_ip', attribute) elif 'hash' in def_name: raise CyboxMapperException('Not defined') elif def_name == 'email_link': if not cybox_email.links: cybox_email.links = Links() cybox_email.links.append(Link(attribute.value)) elif def_name == 'email_send_date': cybox_email.date = attribute.value elif def_name == 'email_in_reply_to': self.__check_set_email_header(cybox_email) cybox_email.header.in_reply_to = attribute.value else: raise CyboxMapperException('Not defined for {0}'.format(def_name))
def cybox_object_email(obj): e = EmailMessage() e.raw_body = obj.raw_body e.raw_header = obj.raw_header # Links e.links = Links() for link in obj.links.all(): pass # Attachments e.attachments = Attachments() attachment_objects = [] for att in obj.attachments.all(): for meta in att.file_meta.all(): fobj = cybox_object_file(att, meta) e.attachments.append(fobj.parent.id_) fobj.add_related(e, "Contained_Within", inline=False) attachment_objects.append(fobj) # construct header information h = EmailHeader() h.subject = obj.subject h.date = obj.email_date h.message_id = obj.message_id h.content_type = obj.content_type h.mime_version = obj.mime_version h.user_agent = obj.user_agent h.x_mailer = obj.x_mailer # From for from_ in obj.from_string.all(): from_address = EmailAddress(from_.sender) from_address.is_spoofed = from_.is_spoofed from_address.condition = from_.condition h.from_ = from_address # Sender for sender in obj.sender.all(): sender_address = EmailAddress(sender.sender) sender_address.is_spoofed = sender.is_spoofed sender_address.condition = sender.condition h.sender.add(sender_address) # To recipients = EmailRecipients() for recipient in obj.recipients.all(): rec_address = EmailAddress(recipient.recipient) rec_address.is_spoofed = recipient.is_spoofed rec_address.condition = recipient.condition recipients.append(rec_address) h.to = recipients # CC recipients = EmailRecipients() for recipient in obj.recipients_cc.all(): rec_address = EmailAddress(recipient.recipient) rec_address.is_spoofed = recipient.is_spoofed rec_address.condition = recipient.condition recipients.append(rec_address) h.cc = recipients # BCC recipients = EmailRecipients() for recipient in obj.recipients_bcc.all(): rec_address = EmailAddress(recipient.recipient) rec_address.is_spoofed = recipient.is_spoofed rec_address.condition = recipient.condition recipients.append(rec_address) h.bcc = recipients e.header = h return e, attachment_objects
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"): """ Convert a CRITs TLO to a CybOX Observable. :param obj: The TLO to convert. :type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes` :param exclude: Attributes to exclude. :type exclude: list :param bin_fmt: The format for the binary (if applicable). :type bin_fmt: str """ type_ = obj._meta['crits_type'] if type_ == 'Certificate': custom_prop = Property() # make a custom property so CRITs import can identify Certificate exports custom_prop.name = "crits_type" custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents" custom_prop._value = "Certificate" obje = File() # represent cert information as file obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.filetype obje.size_in_bytes = obj.size obje.custom_properties = CustomProperties() obje.custom_properties.append(custom_prop) obs = Observable(obje) obs.description = obj.description data = obj.filedata.read() if data: # if cert data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data a.packaging.append(Base64Encoding()) obje.add_related(a, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'Domain': obje = DomainName() obje.value = obj.domain obje.type_ = obj.record_type return ([Observable(obje)], obj.releasability) elif type_ == 'Email': if exclude == None: exclude = [] observables = [] obje = EmailMessage() # Assume there is going to be at least one header obje.header = EmailHeader() if 'message_id' not in exclude: obje.header.message_id = String(obj.message_id) if 'subject' not in exclude: obje.header.subject = String(obj.subject) if 'sender' not in exclude: obje.header.sender = Address(obj.sender, Address.CAT_EMAIL) if 'reply_to' not in exclude: obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL) if 'x_originating_ip' not in exclude: obje.header.x_originating_ip = Address(obj.x_originating_ip, Address.CAT_IPV4) if 'x_mailer' not in exclude: obje.header.x_mailer = String(obj.x_mailer) if 'boundary' not in exclude: obje.header.boundary = String(obj.boundary) if 'raw_body' not in exclude: obje.raw_body = obj.raw_body if 'raw_header' not in exclude: obje.raw_header = obj.raw_header #adding rest of email fields obje.header.cc = EmailRecipients(obj.cc) obje.header.to = EmailRecipients(obj.to) #copy fields where the names differ between objects if 'helo' not in exclude and 'email_server' not in exclude: obje.email_server = String(obj.helo) if ('from_' not in exclude and 'from' not in exclude and 'from_address' not in exclude): obje.header.from_ = EmailAddress(obj.from_address) if 'date' not in exclude and 'isodate' not in exclude: obje.header.date = DateTime(obj.isodate) obje.attachments = Attachments() observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'Indicator': observables = [] obje = make_cybox_object(obj.ind_type, obj.value) observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'IP': obje = Address() obje.address_value = obj.ip if obj.ip_type == IPTypes.IPV4_ADDRESS: obje.category = "ipv4-addr" elif obj.ip_type == IPTypes.IPV6_ADDRESS: obje.category = "ipv6-addr" elif obj.ip_type == IPTypes.IPV4_SUBNET: obje.category = "ipv4-net" elif obj.ip_type == IPTypes.IPV6_SUBNET: obje.category = "ipv6-subnet" return ([Observable(obje)], obj.releasability) elif type_ == 'PCAP': obje = File() obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.contentType obje.size_in_bytes = obj.length obs = Observable(obje) obs.description = obj.description art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK) art.packaging.append(Base64Encoding()) obje.add_related(art, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'RawData': obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE) obje.packaging.append(Base64Encoding()) obs = Observable(obje) obs.description = obj.description return ([obs], obj.releasability) elif type_ == 'Sample': if exclude == None: exclude = [] observables = [] f = File() for attr in ['md5', 'sha1', 'sha256', 'source']: if attr not in exclude: val = getattr(obj, attr, None) if val: setattr(f, attr, val) if obj.ssdeep and 'ssdeep' not in exclude: f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP)) if 'size' not in exclude and 'size_in_bytes' not in exclude: f.size_in_bytes = UnsignedLong(obj.size) if 'filename' not in exclude and 'file_name' not in exclude: f.file_name = obj.filename # create an Artifact object for the binary if it exists if 'filedata' not in exclude and bin_fmt: data = obj.filedata.read() if data: # if sample data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data if bin_fmt == "zlib": a.packaging.append(ZlibCompression()) a.packaging.append(Base64Encoding()) elif bin_fmt == "base64": a.packaging.append(Base64Encoding()) f.add_related(a, "Child_Of") # relate artifact to file if 'filetype' not in exclude and 'file_format' not in exclude: #NOTE: this doesn't work because the CybOX File object does not # have any support built in for setting the filetype to a # CybOX-binding friendly object (e.g., calling .to_dict() on # the resulting CybOX object fails on this field. f.file_format = obj.filetype f.extracted_features = ExtractedFeatures() f.extracted_features.strings = ExtractedStrings() for name in obj.filenames: f.extracted_features.strings.append(ExtractedString(name)) observables.append(Observable(f)) return (observables, obj.releasability) else: return (None, None)