def test_setup_options(opts):
options.ALL_OPTIONS = None # To make sure we can set it again
initialize_options(opts)
assert get_option_value("no_squirrel_gaps") is False
assert get_option_value("use_namespace") == "foobar"
assert get_option_value("log_level") == "DEBUG"
assert get_option_value("disabled") == [201, 302]
def convert_process_extensions(process2x, process1x, obs2x_id):
extensions = process2x["extensions"]
if "windows-process-ext" in extensions:
windows_process = extensions["windows-process-ext"]
convert_obj(windows_process, process1x, WINDOWS_PROCESS_EXTENSION_MAP, obs2x_id)
if "startup_info" in windows_process:
process1x.startup_info = StartupInfo()
convert_obj(windows_process["startup_info"], process1x.startup_info, STARTUP_INFO_MAP)
elif "integrity_level" in windows_process and get_option_value("version_of_stix2x") == "2.1":
warn("%s not representable in a STIX 1.x %s. Found in %s", 503, "WinProcess",
"integrity_level",
obs2x_id)
if "windows-service-ext" in extensions:
windows_service = extensions["windows-service-ext"]
convert_obj(windows_service, process1x, WINDOWS_SERVICE_EXTENSION_MAP, obs2x_id)
if "service_dll_refs" in windows_service:
if windows_service["service_dll_refs"][0] in _STIX1X_OBJS:
file_object = _STIX1X_OBJS[windows_service["service_dll_refs"][0]]
if "name" in file_object:
process1x.service_dll = file_object.file_name
else:
warn("%s is not an index found in %s", 306, windows_service["service_dll_refs"][0], obs2x_id)
if len(windows_service["service_dll_refs"]) > 1:
for dll_ref in windows_service["service_dll_refs"][1:]:
warn("%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
401,
obs2x_id, "service_dll_refs", dll_ref)
if "descriptions" in windows_service:
process1x.description_list = ServiceDescriptionList()
for d in windows_service["descriptions"]:
process1x.description_list.append(d)
def slide_file(fn, encoding="utf-8"):
cybox.utils.caches.cache_clear()
setup_logger(fn)
validator_options = get_validator_options()
with io.open(fn, "r", encoding=encoding) as json_data:
json_content = json.load(json_data)
obj = stix2.parse(json_content,
allow_custom=True,
version=get_option_value("version_of_stix2x"))
stix_package = convert_bundle(obj)
if stix_package:
xml = stix_package.to_xml(encoding=None)
validator_options.in_files = io.StringIO(xml)
try:
scripts.set_output_level(validator_options)
validation_results = scripts.validate_file(
validator_options.in_files, validator_options)
results = {stix_package.id_: validation_results}
# Print stix-validator results
scripts.print_results(results, validator_options)
except (errors.ValidationError, IOError) as ex:
scripts.error("Validation error occurred: '%s'" % str(ex),
codes.EXIT_VALIDATION_ERROR)
except Exception:
log.exception("Fatal error occurred", extra={'ecode': 0})
sys.exit(codes.EXIT_FAILURE)
return xml
def convert_file_c_o(file2x, file1x, obs2x_id):
if "hashes" in file2x:
for k, v in sort_objects_into_processing_order(file2x["hashes"]):
add_hashes_property(file1x, k, v)
convert_obj(file2x, file1x, FILE_MAP, obs2x_id)
if "parent_directory_ref" in file2x:
if file2x["parent_directory_ref"] in _STIX1X_OBJS:
directory_object = _STIX1X_OBJS[file2x["parent_directory_ref"]]
directory_string = str(directory_object.full_path)
file1x.full_path = directory_string + ("\\" if is_windows_directory(directory_string) else "/") + file2x["name"]
else:
warn("%s is not an index found in %s", 306, file2x["parent_directory_ref"], obs2x_id)
if "is_encrypted" in file2x and get_option_value("version_of_stix2x") == "2.0":
if file2x["is_encrypted"]:
if "encryption_algorithm" in file2x:
file1x.encryption_algorithm = file2x["encryption_algorithm"]
else:
info("is_encrypted in %s is true, but no encryption_algorithm is given", 309, obs2x_id)
if "decryption_key" in file2x:
file1x.decryption_key = file2x["decryption_key"]
else:
info("is_encrypted in %s is true, but no decryption_key is given", 311, obs2x_id)
else:
if "encryption_algorithm" in file2x:
info("is_encrypted in %s is false, but encryption_algorithm is given", 310, obs2x_id)
if "decryption_key" in file2x:
info("is_encrypted in %s is false, but decryption_key is given", 312, obs2x_id)
if "extensions" in file2x:
convert_file_extensions(file2x, file1x, obs2x_id)
# in STIX 2.0, there are two contains_ref properties, one in the basic File object, and one on the Archive File extension
# the slider does not handle the one in the basic File object
if "contains_refs" in file2x:
warn("contains_refs in %s not handled", 607, obs2x_id)
return file1x
def add_missing_list_property_to_description(obj1x, property_name,
property_values):
if not get_option_value("no_squirrel_gaps"):
if not obj1x.parent.description:
obj1x.parent.description = StructuredText("")
new_text = property_name + ": " + ", ".join(
text_type(x) for x in property_values)
obj1x.parent.description.value = obj1x.parent.description.value + "\n" + new_text
def convert_archive_file_extension(archive_ext, file1x, obs2x_id):
if "version" in archive_ext and get_option_value("version_of_stix2x") == "2.0":
file1x.version = archive_ext["version"]
if "comment" in archive_ext:
file1x.comment = archive_ext["comment"]
for ref in archive_ext["contains_refs"]:
if ref in _STIX1X_OBJS:
file1x.archived_file.append(_STIX1X_OBJS[ref])
else:
warn("%s is not an index found in %s", 306, ref, obs2x_id)
def convert_image_file_extension(image_ext, file1x, obs2x_id):
convert_obj(image_ext, file1x, IMAGE_FILE_EXTENSION_MAP_2_0 if get_option_value("version_of_stix2x") == "2.0" else IMAGE_FILE_EXTENSION_MAP_2_1,
obs2x_id)
if "exif_tags" in image_ext:
exif_tags = image_ext["exif_tags"]
if "Compression" in exif_tags:
file1x.image_is_compressed = (exif_tags["Compression"] != 1)
else:
warn("%s not representable in a STIX 1.x %s. Found in %s", 503,
"exif_tags",
"ImageFile",
obs2x_id)
def convert_network_traffic_to_network_socket(socket_ext, nc, obs2x_id):
obj1x = NetworkSocket()
convert_obj(socket_ext,
obj1x,
SOCKET_MAP_2_0 if get_option_value("version_of_stix2x") == "2.0" else SOCKET_MAP_2_1,
obs2x_id)
if "options" in socket_ext:
obj1x.options = SocketOptions()
convert_obj(socket_ext["options"],
obj1x.options,
SOCKET_OPTIONS_MAP,
obs2x_id)
if "socket_handle" in socket_ext:
warn("%s not representable in a STIX 1.x %s. Found in %s", 503, "socket_handle", "NetworkSocket", obs2x_id)
nc.add_related(obj1x, VocabString("Related_Socket"), inline=True)
def add_missing_property_to_description(obj1x, property_name, property_value):
if not get_option_value("no_squirrel_gaps"):
if not obj1x.parent.description:
obj1x.parent.description = StructuredText("")
new_text = property_name + ": " + text_type(property_value)
obj1x.parent.description.value = obj1x.parent.description.value + "\n" if obj1x.parent.description.value else "" + new_text
def add_missing_property_to_free_text_lines(ident1x, property_name,
property_value):
if not get_option_value("no_squirrel_gaps"):
ident1x.add_free_text_line(property_name + ": " + property_value)
def add_missing_list_property_to_description(obj1x, property_name,
property_values):
if not get_option_value("no_squirrel_gaps"):
obj1x.add_description(property_name + ": " +
", ".join(property_values))
def add_missing_property_to_description(obj1x, property_name, property_value):
if not get_option_value("no_squirrel_gaps"):
obj1x.add_description(property_name + ": " + text_type(property_value))
def convert_bundle(bundle_obj):
global _ID_OBJECT_MAPPING
global _EXPLICIT_OBJECT_USED
global _ID_NAMESPACE
global _VICTIM_TARGET_TTPS
global _KILL_CHAINS
global CONTAINER
_ID_OBJECT_MAPPING = {}
_EXPLICIT_OBJECT_USED = {}
_VICTIM_TARGET_TTPS = []
_KILL_CHAINS = {}
if get_option_value("use_namespace"):
option_value = get_option_value("use_namespace").split(" ")
_ID_NAMESPACE = option_value[0]
set_default_namespace(*option_value)
CONTAINER = stixmarx.new()
pkg = CONTAINER.package
pkg.id_ = convert_id20(bundle_obj["id"])
for identity in (v for v in bundle_obj["objects"]
if v["type"] == "identity"):
debug("Found '%s'", 0, identity["id"])
i1x = convert_identity(identity)
record_id_object_mapping(identity["id"], i1x, used=False)
for marking_definition in (v for v in bundle_obj["objects"]
if v["type"] == "marking-definition"):
debug("Found '%s'", 0, marking_definition["id"])
m1x = convert_marking_definition(marking_definition)
if not pkg.stix_header:
pkg.stix_header = STIXHeader(handling=Marking())
pkg.stix_header.handling.add_marking(m1x)
for o in bundle_obj["objects"]:
if o["type"] == "attack-pattern":
pkg.add_ttp(convert_attack_pattern(o))
elif o["type"] == "campaign":
pkg.add_campaign(convert_campaign(o))
elif o["type"] == 'course-of-action':
pkg.add_course_of_action(convert_coa(o))
elif o["type"] == "indicator":
pkg.add_indicator(convert_indicator(o))
elif o["type"] == "intrusion-set":
error(
"Cannot convert STIX 2.0 content that contains intrusion-sets",
524)
return None
elif o["type"] == "malware":
pkg.add_ttp(convert_malware(o))
elif o["type"] == "observed-data":
pkg.add_observable(convert_observed_data(o))
elif o["type"] == "report":
pkg.add_report(convert_report(o))
elif o["type"] == "threat-actor":
pkg.add_threat_actor(convert_threat_actor(o))
elif o["type"] == "tool":
pkg.add_ttp(convert_tool(o))
elif o["type"] == "vulnerability":
pkg.add_exploit_target(convert_vulnerability(o))
# second passes
for o in bundle_obj["objects"]:
if o["type"] == "relationship":
process_relationships(o)
for o in bundle_obj["objects"]:
if "created_by_ref" in o:
process_created_by_ref(o)
if "external_references" in o:
create_references(o)
for o in bundle_obj["objects"]:
if o["type"] == "sighting":
process_sighting(o)
for k, v in _KILL_CHAINS.items():
pkg.ttps.kill_chains.append(v["kill_chain"])
CONTAINER.flush()
CONTAINER = None
return pkg
def convert_process_c_o(process2x, process1x, obs2x_id):
convert_obj(process2x,
process1x,
PROCESS_MAP_2_0 if get_option_value("version_of_stix2x") == "2.0" else PROCESS_MAP_2_1,
obs2x_id)
if "cwd" in process2x:
if not process1x.image_info:
process1x.image_info = ImageInfo()
process1x.image_info.current_directory = process2x["cwd"]
if "arguments" in process2x and get_option_value("version_of_stix2x") == "2.0":
process1x.argument_list = ArgumentList()
for a in process2x["arguments"]:
process1x.argument_list.append(a)
if "command_line" in process2x:
if not process1x.image_info:
process1x.image_info = ImageInfo()
process1x.image_info.command_line = process2x["command_line"]
if "environment_variables" in process2x:
process1x.environment_variable_list = EnvironmentVariableList()
for k, v in process2x["environment_variables"].items():
ev = EnvironmentVariable()
process1x.environment_variable_list.append(ev)
ev.name = k
ev.value = v
if "opened_connection_refs" in process2x:
process1x.network_connection_list = NetworkConnectionList()
for conn_ref in process2x["opened_connection_refs"]:
if conn_ref in _STIX1X_OBJS:
process1x.network_connection_list.append(_STIX1X_OBJS[conn_ref])
else:
warn("%s is not an index found in %s", 306, conn_ref, obs2x_id)
if "creator_user_ref" in process2x:
if process2x["creator_user_ref"] in _STIX1X_OBJS:
account_object = _STIX1X_OBJS[process2x["creator_user_ref"]]
if "account_login" in account_object:
process1x.username = account_object.username
else:
warn("%s is not an index found in %s", 306, process2x["creator_user_ref"], obs2x_id)
if ("binary_ref" in process2x and get_option_value("version_of_stix2x") == "2.0" or
"image_ref" in process2x and get_option_value("version_of_stix2x") == "2.1"):
if "binary_ref" in process2x:
ref = "binary_ref"
elif "image_ref" in process2x:
ref = "image_ref"
if process2x[ref] in _STIX1X_OBJS:
file_obj = _STIX1X_OBJS[process2x[ref]]
if file_obj.file_name:
if not process1x.image_info:
process1x.image_info = ImageInfo()
process1x.image_info.file_name = file_obj.file_name
# TODO: file_obj.full_path
if file_obj.hashes:
warn("Hashes of the binary_ref of %s process cannot be represented in the STIX 1.x Process object", 517, obs2x_id)
else:
warn("No file name provided for binary_ref of %s, therefore it cannot be represented in the STIX 1.x Process object", 516, obs2x_id)
else:
warn("%s is not an index found in %s", 306, process2x[ref], obs2x_id)
if "parent_ref" in process2x:
if process2x["parent_ref"] in _STIX1X_OBJS:
process_object = _STIX1X_OBJS[process2x["parent_ref"]]
if "pid" in process_object:
process1x.parent_pid = process_object.pid
else:
warn("%s is not an index found in %s", 306, process2x["parent_ref"], obs2x_id)
if "child_refs" in process2x:
process1x.child_pid_list = ChildPIDList()
for cr in process2x["child_refs"]:
process_object = _STIX1X_OBJS[cr]
if "pid" in process_object:
process1x.child_pid_list.append(process_object.pid)
if "extensions" in process2x:
convert_process_extensions(process2x, process1x, obs2x_id)
