def merge_packages(package_list, namespace=None):
    '''Merge a list of input MAEC Packages and return a merged Package instance.

    Args:
        package_list: Packages to merge. It is iterated twice, once for the
            Malware Subjects and once for the namespace dictionaries.
        namespace: Optional ID namespace. When falsy, a default
            "merged" namespace is created.

    Returns:
        A new Package holding the merged Malware Subjects and the combined
        input namespace/schemaLocation dictionaries.
    '''
    # Register the namespace used for automatic ID generation.
    # NOTE(review): set_id_namespace looks like a module-level setting, so it
    # presumably affects IDs generated after this call as well - confirm.
    id_namespace = namespace or Namespace(
        "https://github.com/MAECProject/python-maec", "merged")
    maec.utils.set_id_namespace(id_namespace)

    # Flatten every Package's Malware Subjects into one list, then merge them.
    all_subjects = [
        subject
        for package in package_list
        for subject in package.malware_subjects
    ]
    merged_subjects = merge_malware_subjects(all_subjects)

    # Combine the namespace/schemaLocation dictionaries. dict.update() means a
    # key present in several Packages keeps the value of the last Package.
    namespaces = {}
    schemalocations = {}
    for package in package_list:
        namespaces.update(package.__input_namespaces__)
        schemalocations.update(package.__input_schemalocations__)

    # Assemble the result Package.
    result = Package()
    result.malware_subjects = MalwareSubjectList(merged_subjects)
    result.__input_namespaces__ = namespaces
    result.__input_schemalocations__ = schemalocations
    return result
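def merge_packages(package_list, namespace=None):
    '''Merge a list of input MAEC Packages and return a merged Package instance.

    Args:
        package_list: Iterable of Packages to merge. It is copied into a list
            first, so a one-shot iterable (e.g. a generator) works too.
        namespace: Optional ID namespace. When falsy, a default
            "merged" namespace is created.

    Returns:
        A new Package holding the merged Malware Subjects and the combined
        input namespace/schemaLocation dictionaries.
    '''
    # The input is walked twice (subjects, then namespace maps). Without this
    # copy a generator would be exhausted by the first walk and the merged
    # Package would silently lose every namespace/schemaLocation entry.
    packages = list(package_list)

    # Register the namespace used for automatic ID generation.
    # NOTE(review): set_id_namespace looks like a module-level setting, so it
    # presumably affects IDs generated after this call as well - confirm.
    if not namespace:
        NS = Namespace("https://github.com/MAECProject/python-maec", "merged")
    else:
        NS = namespace
    maec.utils.set_id_namespace(NS)

    # Build the list of Malware Subjects and merge them.
    malware_subjects = []
    for package in packages:
        malware_subjects.extend(package.malware_subjects)
    merged_subjects = merge_malware_subjects(malware_subjects)

    # Merge the input namespace/schemaLocation dictionaries. On a key
    # collision the value from the later Package replaces the earlier one.
    merged_namespaces = {}
    merged_schemalocations = {}
    for package in packages:
        merged_namespaces.update(package.__input_namespaces__)
        merged_schemalocations.update(package.__input_schemalocations__)

    # Create a new Package with the merged Malware Subjects.
    merged_package = Package()
    merged_package.malware_subjects = MalwareSubjectList(merged_subjects)
    merged_package.__input_namespaces__ = merged_namespaces
    merged_package.__input_schemalocations__ = merged_schemalocations
    return merged_package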
def create_maec(self, url_indicator):
    """Wrap a URL indicator in a MAEC Package with one Malware Subject.

    The value is stored as given: this method performs no validation,
    normalisation or defanging of ``url_indicator``.

    Args:
        url_indicator: Value assigned to the URI object's ``value``.

    Returns:
        The new Package containing the single Malware Subject.
    """
    # Construction order (Package, MalwareSubject, Object, URI) is kept as in
    # the original in case IDs are assigned at construction time.
    result = Package()
    subject = MalwareSubject()

    subject.malware_instance_object_attributes = Object()
    instance_object = subject.malware_instance_object_attributes
    instance_object.properties = URI(type_=URI.TYPE_URL)
    instance_object.properties.value = url_indicator

    result.add_malware_subject(subject)
    return result
def create_maec(self, url_indicator):
    """Build a Package whose only Malware Subject describes a URL.

    Args:
        url_indicator: The URL to record. It is assigned unchanged, with no
            checking or sanitising done here.

    Returns:
        A Package to which the Malware Subject has been added.
    """
    maec_package = Package()

    # The Malware Subject's instance object is a URI typed as a URL.
    malware_subject = MalwareSubject()
    malware_subject.malware_instance_object_attributes = Object()
    url_object = malware_subject.malware_instance_object_attributes
    url_object.properties = URI(type_=URI.TYPE_URL)
    url_object.properties.value = url_indicator

    maec_package.add_malware_subject(malware_subject)
    return maec_package
# - A single Capability embedded in the Bundle
from cybox.core import (
    AssociatedObjects,
    AssociatedObject,
    Object,
    AssociationType,
)
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, Collections, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package
from cybox.utils import Namespace
import maec.utils

# Use the example namespace for automatic ID generation.
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)

# Top-level containers: Bundle, Package, Malware Subject and Analysis.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# File object that describes the malware instance itself.
subject_object = Object()
subject_object.properties = File()
# NOTE(review): the associated object below is filled in through
# `file_name`, this one through `name` - confirm that File exposes `name`.
subject_object.properties.name = "foobar.exe"
subject_object.properties.size_in_bytes = "35532"
subject_object.properties.hashes = HashList()
# 32 hex digits (MD5 length). No hash type is passed, so typing is left to
# cybox - TODO confirm. MD5 alone is weak for identifying a sample.
subject_object.properties.hashes.append(
    Hash("8743b52063cd84097a65d1633f5c74f5"))

# Attach the Object built above as the Malware Instance Object Attributes.
subject.set_malware_instance_object_attributes(subject_object)

# File object that the Action will refer to as its Associated Object.
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = "abcd.dll"
def test_round_trip(self):
    """A default Package must have the same dict form after round_trip().

    round_trip is a helper defined outside this snippet; presumably it
    serialises the object and parses it back - confirm.
    """
    original = Package()
    restored = round_trip(original)
    self.assertEqual(original.to_dict(), restored.to_dict())
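def test_id_autoset(self):
    """A freshly constructed Package must already have an id_ set."""
    package = Package()
    # Identity check instead of assertNotEqual(x, None): it does not depend
    # on the id type's __ne__ and gives a clearer failure message.
    self.assertIsNotNone(package.id_)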
# Example 1 - Simple Package Generation Example
# Generates and exports MAEC Package with:
# - A single Malware Subject
# - A single Bundle embedded in the Malware Subject
# - A single Action embedded in the Bundle
# - A single Capability embedded in the Bundle
from cybox.core import (
    AssociatedObjects,
    AssociatedObject,
    Object,
    AssociationType,
)
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package

# Top-level containers: Bundle, Package, Malware Subject and Analysis.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# File object that describes the malware instance itself.
subject_object = Object()
subject_object.properties = File()
# NOTE(review): cybox File objects are normally filled in through
# `file_name` - confirm that File also exposes `name`.
subject_object.properties.name = "foobar.exe"
subject_object.properties.size_in_bytes = "35532"
subject_object.properties.hashes = HashList()
# 32 hex digits (MD5 length). No hash type is passed, so typing is left to
# cybox - TODO confirm. MD5 alone is weak for identifying a sample.
subject_object.properties.hashes.append(
    Hash("8743b52063cd84097a65d1633f5c74f5"))

# Attach the Object built above as the Malware Instance Object Attributes.
subject.set_malware_instance_object_attributes(subject_object)

# File object that the Action will refer to as its Associated Object.
associated_object = AssociatedObject()
associated_object.properties = File()
# Example 1 - Simple Package Generation Example
# Generates and exports MAEC Package with:
# - A single Malware Subject
# - A single Bundle embedded in the Malware Subject
# - A single Action embedded in the Bundle
# - A single Capability embedded in the Bundle
from cybox.core import (
    AssociatedObjects,
    AssociatedObject,
    Object,
    AssociationType,
)
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package

# Containers that the rest of the example fills in.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# Describe the malware sample as a cybox File wrapped in an Object.
subject_object = Object()
subject_object.properties = File()
# NOTE(review): this sets `name`, while the associated object further down
# sets `file_name` - confirm that File exposes `name`.
subject_object.properties.name = "foobar.exe"
subject_object.properties.size_in_bytes = "35532"
subject_object.properties.hashes = HashList()
# The digest is 32 hex digits (MD5 length) and is given without a hash type;
# presumably cybox infers the type - confirm. MD5 alone is weak for
# identifying a sample.
subject_object.properties.hashes.append(
    Hash("8743b52063cd84097a65d1633f5c74f5"))

# Use that Object as the subject's Malware Instance Object Attributes.
subject.set_malware_instance_object_attributes(subject_object)

# Second File object, used later as the Action's Associated Object.
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = "abcd.dll"