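def generate_stix2x_id(stix2x_so_name, stix12_id=None, id_used=False):
    """Return a STIX 2.x identifier (``<type>--<uuid>``) for a STIX 1.x object.

    Args:
        stix2x_so_name: STIX 2.x object type used as the id prefix. May be
            ``None`` only when ``stix12_id`` is given; the type is then derived
            from the ``ns:Type`` prefix of the 1.x id via ``map_1x_type_to_20``.
        stix12_id: The original STIX 1.x id (``ns:Type-<uuid>``), if any.
        id_used: True when ``stix12_id`` has already been handed to another
            2.x object, which forces a fresh uuid.

    Returns:
        The id string, or ``None`` when no 2.x type can be determined
        (``ttp``/``et`` prefixes, an id with no ``ns:`` prefix, or a
        malformed id with no ``stix2x_so_name`` to fall back on).
    """
    if not stix12_id or id_used:
        new_id = stix2x_so_name + "--" + str(uuid.uuid4())
        # The fresh id corresponds to no 1.x object; register it as such.
        add_ids_with_no_1x_object(new_id)
        if id_used and stix12_id:
            warn("%s already used, generated new id %s", 726, stix12_id, new_id)
        return new_id

    # Reuse the uuid embedded in the 1.x id; the pattern accepts any UUID version.
    result = re.search(r'^(.+)-([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})',
                       stix12_id)
    if not result:
        if stix2x_so_name:
            warn("Malformed id %s. Generated a new uuid", 605, stix12_id)
            return stix2x_so_name + "--" + str(uuid.uuid4())
        error("Unable to determine the STIX 2.x type for %s, which is malformed", 629, stix12_id)
        return None

    current_uuid = result.group(2)
    if stix2x_so_name is not None:
        return stix2x_so_name + "--" + current_uuid

    # No 2.x type supplied: derive it from the "<ns>:<Type>" part of the 1.x id.
    stx1x_type = result.group(1).split(":")
    if len(stx1x_type) < 2:
        # Unprefixed 1.x id: there is no Type component to map
        # (previously this indexed past the end and raised IndexError).
        error("Unable to determine the STIX 2.x type for %s", 604, stix12_id)
        return None
    type_name = stx1x_type[1].lower()
    if type_name in ("ttp", "et"):
        # These 1.x prefixes are not mapped to a single 2.x type here.
        error("Unable to determine the STIX 2.x type for %s", 604, stix12_id)
        return None
    return map_1x_type_to_20(stx1x_type[1]) + "--" + current_uuid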
def record_ids(stix_id, new_id):
    """Associate the STIX 1.x id ``stix_id`` with the 2.x id ``new_id``.

    Logs (code 703) when ``stix_id`` is already associated with other ids.
    When ``new_id`` is ``None`` an error (code 611) is logged and nothing is
    recorded; otherwise the pair is handed to ``add_id_value``.
    """
    if stix_id in _IDS_TO_NEW_IDS:
        existing = tuple(_IDS_TO_NEW_IDS[stix_id])
        info("%s is already associated other ids: %s", 703, str(stix_id), existing)
    if new_id is not None:
        add_id_value(stix_id, new_id)
        return
    error("Can not associate %s with None", 611, stix_id)
def convert_registry_key(reg_key):
    """Convert a CybOX Windows registry key object into a STIX 2.x ``windows-registry-key`` dict.

    Args:
        reg_key: CybOX registry key object; the attributes read are ``key``,
            ``hive``, ``values`` and ``modified_time``.

    Returns:
        A dict with ``"type": "windows-registry-key"`` plus, when available,
        ``key`` (``<hive>\\<key>``), ``values`` (a list of dicts with any of
        ``data``, ``name``, ``data_type``) and ``modified``. An error
        (code 608) is logged when neither hive nor key is present.
    """
    cybox_reg = {"type": "windows-registry-key"}

    if reg_key.key or reg_key.hive:
        parts = []
        if reg_key.hive:
            parts.append(reg_key.hive.value + "\\")
        if reg_key.key:
            parts.append(reg_key.key.value)
        cybox_reg["key"] = "".join(parts)
    else:
        error("windows-registry-key is required to have a key property", 608)

    if reg_key.values:
        converted = []
        # CybOX attribute name -> STIX 2.x property name.
        attr_map = (("data", "data"), ("name", "name"), ("datatype", "data_type"))
        for v in reg_key.values:
            entry = {}
            for cybox_attr, stix_attr in attr_map:
                attr_val = getattr(v, cybox_attr, None)
                if attr_val:
                    entry[stix_attr] = text_type(attr_val)
            converted.append(entry)
        cybox_reg["values"] = converted

    modified = reg_key.modified_time
    if modified:
        cybox_reg["modified"] = convert_timestamp_to_string(modified)
    return cybox_reg
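def generate_stix20_id(stix20_so_name, stix12_id=None, id_used=False):
    """Return a STIX 2.0 identifier (``<type>--<uuid>``) for a STIX 1.x object.

    Args:
        stix20_so_name: STIX 2.0 object type used as the id prefix. May be
            ``None`` only when ``stix12_id`` is given; the type is then derived
            from the ``ns:Type`` prefix of the 1.x id via ``map_1x_type_to_20``.
        stix12_id: The original STIX 1.x id (``ns:Type-<uuid>``), if any.
        id_used: True when ``stix12_id`` has already been handed to another
            2.0 object, which forces a fresh uuid.

    Returns:
        The id string, or ``None`` when no 2.0 type can be determined
        (``ttp``/``et`` prefixes, an id with no ``ns:`` prefix, or a
        malformed id with no ``stix20_so_name`` to fall back on).
    """
    if not stix12_id or id_used:
        new_id = stix20_so_name + "--" + text_type(uuid.uuid4())
        # The fresh id corresponds to no 1.x object; register it as such.
        add_ids_with_no_1x_object(new_id)
        return new_id

    # Reuse the uuid embedded in the 1.x id; the pattern accepts any UUID version.
    result = re.search(
        r'^(.+)-([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})',
        stix12_id)
    if not result:
        if stix20_so_name is None:
            # Previously this fell through to ``None + "--"`` and raised TypeError.
            error("Unable to determine the STIX 2.0 type for %s, which is malformed", 629, stix12_id)
            return None
        warn("Malformed id %s. Generated a new uuid", 605, stix12_id)
        return stix20_so_name + "--" + text_type(uuid.uuid4())

    current_uuid = result.group(2)
    if stix20_so_name is not None:
        return stix20_so_name + "--" + current_uuid

    # No 2.0 type supplied: derive it from the "<ns>:<Type>" part of the 1.x id.
    stx1x_type = result.group(1).split(":")
    if len(stx1x_type) < 2:
        # Unprefixed 1.x id: there is no Type component to map
        # (previously this indexed past the end and raised IndexError).
        error("Unable to determine the STIX 2.0 type for %s", 604, stix12_id)
        return None
    type_name = stx1x_type[1].lower()
    if type_name in ("ttp", "et"):
        # These 1.x prefixes are not mapped to a single 2.0 type here.
        error("Unable to determine the STIX 2.0 type for %s", 604, stix12_id)
        return None
    return map_1x_type_to_20(stx1x_type[1]) + "--" + current_uuid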
def record_ids(stix_id, new_id):
    """Associate the STIX 1.x id ``stix_id`` with the 2.x id ``new_id``.

    Logs (code 703) when ``stix_id`` is already associated with other ids.
    When ``new_id`` is ``None`` an error (code 611) is logged and nothing is
    recorded; otherwise the pair is handed to ``add_id_value``.
    """
    if stix_id in _IDS_TO_NEW_IDS:
        existing = tuple(_IDS_TO_NEW_IDS[stix_id])
        info("%s is already associated other ids: %s", 703, text_type(stix_id),
             existing)
    if new_id is not None:
        add_id_value(stix_id, new_id)
        return
    error("Could not associate %s with None", 611, stix_id)
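def convert_file_properties(f):
    """Convert a CybOX File object into a STIX 2.x ``file`` dict.

    Args:
        f: CybOX File object; the attributes read are ``size``, ``hashes``,
            ``file_name``, ``file_path``, ``device_path`` and ``full_path``.

    Returns:
        A ``(file_dict, dir_dict)`` pair. ``file_dict`` always carries
        ``"type": "file"`` and, when derivable, ``size``, ``hashes`` and
        ``name``. ``dir_dict`` is a ``directory`` dict whose ``path`` is the
        directory part of ``file_path`` (prefixed by ``device_path`` when
        present), or ``None`` when ``file_path`` has no directory part.
    """
    file_dict = {"type": "file"}
    dir_dict = None

    if f.size is not None:
        if isinstance(f.size.value, list):
            # A 1.x size window has no single 2.x value; keep the first bound.
            error(
                "File size window not allowed in top level observable, using first value",
                511)
            file_dict["size"] = int(f.size.value[0])
        else:
            file_dict["size"] = int(f.size)

    if f.hashes is not None:
        file_dict["hashes"] = _convert_file_hashes(f.hashes)

    if f.file_name:
        file_dict["name"] = text_type(f.file_name)
    elif f.file_path and f.file_path.value:
        name, dir_path = _split_1x_file_path(f.file_path.value)
        if name:
            file_dict["name"] = name
        if dir_path:
            device = f.device_path.value if f.device_path else ""
            dir_dict = {"type": "directory", "path": device + dir_path}

    if f.full_path:
        warn("1.x full file paths are not processed, yet", 802)
    return file_dict, dir_dict


def _convert_file_hashes(hashes):
    """Map CybOX hash entries to a STIX 2.x ``hashes`` dict keyed by algorithm name.

    CybOX spells the SHA family without a hyphen (``SHA256``); STIX 2.x keys
    are hyphenated (``SHA-256``), and consumers match on that exact spelling.
    ``SSDEEP`` is lower-cased; any other type name is passed through unchanged.
    """
    result = {}
    for h in hashes:
        type_name = text_type(h.type_)
        if type_name.startswith("SHA"):
            # lstrip so an already-hyphenated "SHA-256" does not become "SHA--256".
            hash_type = "SHA-" + type_name[3:].lstrip("-")
        elif type_name == "SSDEEP":
            hash_type = type_name.lower()
        else:
            hash_type = type_name
        # NOTE(review): assumes every entry carries simple_hash_value; an entry
        # with only a fuzzy hash value would raise here — confirm against callers.
        result[hash_type] = h.simple_hash_value.value
    return result


def _split_1x_file_path(path):
    """Split a 1.x file path into ``(file_name, directory)``.

    The last ``/`` — or, if there is none, the last ``\\`` — is the separator.
    A path ending in a separator yields an empty file name; a path with no
    separator yields an empty directory (the previous code sliced ``[0:-1]``
    in that case and produced a bogus directory one character short of the
    file name).
    """
    index = path.rfind("/")
    if index == -1:
        index = path.rfind("\\")
    file_name = "" if path.endswith(("/", "\\")) else path[index + 1:]
    directory = path[:index] if index != -1 else ""
    return file_name, directory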