def cybox_object_http(obj): http_session = HTTPSession() hh = HTTPRequestResponse() hc = HTTPClientRequest() if obj.client_request.message_body: hm = HTTPMessage() hm.lenght = len(obj.client_request.message_body) hm.message_body = String(obj.client_request.message_body) hc.http_message_body = hm rh = HTTPRequestHeader() if obj.client_request.raw_header: rh.raw_header = String(obj.client_request.raw_header) hhf = HTTPRequestHeaderFields() hhf.user_agent = String(obj.client_request.user_agent) host_field = HostField() host_field.domain_name = URI(value=obj.client_request.domain_name) port = Port() port.port_value = PositiveInteger(obj.client_request.port.port) host_field.port = port hhf.host = host_field rh.parsed_header = hhf hc.http_request_header = rh hl = HTTPRequestLine() hl.http_method = String(obj.client_request.request_method) hl.version = String(obj.client_request.request_version) hl.value = String(obj.client_request.request_uri) hc.http_request_line = hl hh.http_client_request = hc http_session.http_request_response = [hh] return http_session
def __create_cybox_http_message(self, msg): if not msg: return None _illegal_xml_chars_RE = re.compile(u"[\x00-\x08\x0b\x0c\x0e-\x1F\uD800-\uDFFF\uFFFE\uFFFF\n]") http_mess = HTTPMessage() http_mess.length = int(len(msg)) http_mess.message_body = String(_illegal_xml_chars_RE.sub("?", msg)) return http_mess
def convert_network_traffic_to_http_session(http_request_ext, nc, obs20_id): obj1x = HTTPSession() nc.layer7_connections = Layer7Connections() nc.layer7_connections.http_session = obj1x rr = HTTPRequestResponse() obj1x.http_request_response.append(rr) rr.http_client_request = HTTPClientRequest() request_line = HTTPRequestLine() request_line.http_method = http_request_ext["request_method"] request_line.value = http_request_ext["request_value"] if "request_version" in http_request_ext: request_line.version = http_request_ext["request_version"] rr.http_client_request.http_request_line = request_line if "request_header" in http_request_ext: rr.http_client_request.http_request_header = HTTPRequestHeader() rr.http_client_request.http_request_header.parsed_header = HTTPRequestHeaderFields( ) convert_obj(http_request_ext["request_header"], rr.http_client_request.http_request_header.parsed_header, HTTP_REQUEST_HEADERS_MAP, obs20_id) if "Host" in http_request_ext["request_header"]: rr.http_client_request.http_request_header.parsed_header.host = \ add_host(http_request_ext["request_header"]["Host"]) if "From" in http_request_ext["request_header"]: rr.http_client_request.http_request_header.parsed_header.from_ = \ EmailAddress(http_request_ext["request_header"]["From"]) if "Referer" in http_request_ext["request_header"]: rr.http_client_request.http_request_header.parsed_header.referer = \ URI(http_request_ext["request_header"]["Referer"]) if "X_Wap_Profile" in http_request_ext["request_header"]: rr.http_client_request.http_request_header.parsed_header.x_wap_profile = \ URI(http_request_ext["request_header"]["X_Wap_Profile"]) if "message_body_length" in http_request_ext or "message_body_data_ref" in http_request_ext: body = HTTPMessage() if "message_body_length" in http_request_ext: body.length = http_request_ext["message_body_length"] if "message_body_data_ref" in http_request_ext: if http_request_ext["message_body_length"] in _STIX1X_OBJS: artifact_obj = _STIX1X_OBJS[ http_request_ext["message_body_length"]] body.message_body = artifact_obj.packed_data else: warn("%s is not an index found in %s", 306, http_request_ext["message_body_length"], obs20_id) rr.http_client_request.http_message_body = body
def http_conversations(httpconv): a = MalwareAction() ao = AssociatedObject() a.name = "Connect to URL" a.type_ = "Connect" ao.properties = NetworkConnection() ao.properties.layer4_protocol = httpconv["protocol"] header = HTTPResponseHeader() headerfiled = HTTPResponseHeaderFields() response = HTTPServerResponse() if httpconv["response_headers"].has_key("Transfer-Encoding"): headerfiled.transfer_encoding = httpconv["response_headers"]["Transfer-Encoding"] headerfiled.content_type = httpconv["response_headers"]["Content-Type"] headerfiled.server = httpconv["response_headers"]["Server"] headerfiled.connection = httpconv["response_headers"]["Connection"] #headerfiled.date = DateTime(httpconv["response_headers"]["Date"]) t = datetime.strptime(httpconv["response_headers"]["Date"],'%a, %d %b %Y %H:%M:%S %Z').replace(tzinfo=pytz.utc) #print t headerfiled.date = DateTime(t) headerfiled.content_type = httpconv["response_headers"]["type"] header.parsed_header = headerfiled if httpconv.has_key("download_content"): body = HTTPMessage() body.message_body = str(httpconv["download_content"]).encode('string-escape') response.http_message_body = body line = HTTPStatusLine() tmp = httpconv["response_headers"]["Status-Line"].split() line.version = tmp[0] line.status_code = PositiveInteger(tmp[1]) line.reason_phrase = tmp[2] response.http_status_line = line response.http_response_header = header client = HTTPClientRequest() line = HTTPRequestLine() tmp = httpconv["url"].split() line.http_method = tmp[0] line.value = tmp[1] line.version = tmp[2] client.http_request_line = line cheader = HTTPRequestHeader() cheaderfiled = HTTPRequestHeaderFields() host = HostField() host.domain_name = URI(httpconv["dst_host"]) val = Port() val.port_value = PositiveInteger(httpconv["dst_port"]) host.port = val cheaderfiled.host = host cheader.parsed_header = cheaderfiled client.http_request_header = cheader httpsession = HTTPSession() requestresponse = HTTPRequestResponse() requestresponse.http_client_request = client requestresponse.http_server_response = response httpsession.http_request_response = [requestresponse] layer7 = Layer7Connections() layer7.http_session = httpsession ao.properties.layer7_connections = layer7 #print ao.properties.to_dict() a.associated_objects = AssociatedObjects() a.associated_objects.append(ao) return a