def test_setup_options(opts): options.ALL_OPTIONS = None # To make sure we can set it again initialize_options(opts) assert get_option_value("no_squirrel_gaps") is False assert get_option_value("use_namespace") == "foobar" assert get_option_value("log_level") == "DEBUG" assert get_option_value("disabled") == [201, 302]
def convert_process_extensions(process2x, process1x, obs2x_id): extensions = process2x["extensions"] if "windows-process-ext" in extensions: windows_process = extensions["windows-process-ext"] convert_obj(windows_process, process1x, WINDOWS_PROCESS_EXTENSION_MAP, obs2x_id) if "startup_info" in windows_process: process1x.startup_info = StartupInfo() convert_obj(windows_process["startup_info"], process1x.startup_info, STARTUP_INFO_MAP) elif "integrity_level" in windows_process and get_option_value("version_of_stix2x") == "2.1": warn("%s not representable in a STIX 1.x %s. Found in %s", 503, "WinProcess", "integrity_level", obs2x_id) if "windows-service-ext" in extensions: windows_service = extensions["windows-service-ext"] convert_obj(windows_service, process1x, WINDOWS_SERVICE_EXTENSION_MAP, obs2x_id) if "service_dll_refs" in windows_service: if windows_service["service_dll_refs"][0] in _STIX1X_OBJS: file_object = _STIX1X_OBJS[windows_service["service_dll_refs"][0]] if "name" in file_object: process1x.service_dll = file_object.file_name else: warn("%s is not an index found in %s", 306, windows_service["service_dll_refs"][0], obs2x_id) if len(windows_service["service_dll_refs"]) > 1: for dll_ref in windows_service["service_dll_refs"][1:]: warn("%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted", 401, obs2x_id, "service_dll_refs", dll_ref) if "descriptions" in windows_service: process1x.description_list = ServiceDescriptionList() for d in windows_service["descriptions"]: process1x.description_list.append(d)
def slide_file(fn, encoding="utf-8"): cybox.utils.caches.cache_clear() setup_logger(fn) validator_options = get_validator_options() with io.open(fn, "r", encoding=encoding) as json_data: json_content = json.load(json_data) obj = stix2.parse(json_content, allow_custom=True, version=get_option_value("version_of_stix2x")) stix_package = convert_bundle(obj) if stix_package: xml = stix_package.to_xml(encoding=None) validator_options.in_files = io.StringIO(xml) try: scripts.set_output_level(validator_options) validation_results = scripts.validate_file( validator_options.in_files, validator_options) results = {stix_package.id_: validation_results} # Print stix-validator results scripts.print_results(results, validator_options) except (errors.ValidationError, IOError) as ex: scripts.error("Validation error occurred: '%s'" % str(ex), codes.EXIT_VALIDATION_ERROR) except Exception: log.exception("Fatal error occurred", extra={'ecode': 0}) sys.exit(codes.EXIT_FAILURE) return xml
def convert_file_c_o(file2x, file1x, obs2x_id): if "hashes" in file2x: for k, v in sort_objects_into_processing_order(file2x["hashes"]): add_hashes_property(file1x, k, v) convert_obj(file2x, file1x, FILE_MAP, obs2x_id) if "parent_directory_ref" in file2x: if file2x["parent_directory_ref"] in _STIX1X_OBJS: directory_object = _STIX1X_OBJS[file2x["parent_directory_ref"]] directory_string = str(directory_object.full_path) file1x.full_path = directory_string + ("\\" if is_windows_directory(directory_string) else "/") + file2x["name"] else: warn("%s is not an index found in %s", 306, file2x["parent_directory_ref"], obs2x_id) if "is_encrypted" in file2x and get_option_value("version_of_stix2x") == "2.0": if file2x["is_encrypted"]: if "encryption_algorithm" in file2x: file1x.encryption_algorithm = file2x["encryption_algorithm"] else: info("is_encrypted in %s is true, but no encryption_algorithm is given", 309, obs2x_id) if "decryption_key" in file2x: file1x.decryption_key = file2x["decryption_key"] else: info("is_encrypted in %s is true, but no decryption_key is given", 311, obs2x_id) else: if "encryption_algorithm" in file2x: info("is_encrypted in %s is false, but encryption_algorithm is given", 310, obs2x_id) if "decryption_key" in file2x: info("is_encrypted in %s is false, but decryption_key is given", 312, obs2x_id) if "extensions" in file2x: convert_file_extensions(file2x, file1x, obs2x_id) # in STIX 2.0, there are two contains_ref properties, one in the basic File object, and one on the Archive File extension # the slider does not handle the one in the basic File object if "contains_refs" in file2x: warn("contains_refs in %s not handled", 607, obs2x_id) return file1x
def add_missing_list_property_to_description(obj1x, property_name, property_values): if not get_option_value("no_squirrel_gaps"): if not obj1x.parent.description: obj1x.parent.description = StructuredText("") new_text = property_name + ": " + ", ".join( text_type(x) for x in property_values) obj1x.parent.description.value = obj1x.parent.description.value + "\n" + new_text
def convert_archive_file_extension(archive_ext, file1x, obs2x_id): if "version" in archive_ext and get_option_value("version_of_stix2x") == "2.0": file1x.version = archive_ext["version"] if "comment" in archive_ext: file1x.comment = archive_ext["comment"] for ref in archive_ext["contains_refs"]: if ref in _STIX1X_OBJS: file1x.archived_file.append(_STIX1X_OBJS[ref]) else: warn("%s is not an index found in %s", 306, ref, obs2x_id)
def convert_image_file_extension(image_ext, file1x, obs2x_id): convert_obj(image_ext, file1x, IMAGE_FILE_EXTENSION_MAP_2_0 if get_option_value("version_of_stix2x") == "2.0" else IMAGE_FILE_EXTENSION_MAP_2_1, obs2x_id) if "exif_tags" in image_ext: exif_tags = image_ext["exif_tags"] if "Compression" in exif_tags: file1x.image_is_compressed = (exif_tags["Compression"] != 1) else: warn("%s not representable in a STIX 1.x %s. Found in %s", 503, "exif_tags", "ImageFile", obs2x_id)
def convert_network_traffic_to_network_socket(socket_ext, nc, obs2x_id): obj1x = NetworkSocket() convert_obj(socket_ext, obj1x, SOCKET_MAP_2_0 if get_option_value("version_of_stix2x") == "2.0" else SOCKET_MAP_2_1, obs2x_id) if "options" in socket_ext: obj1x.options = SocketOptions() convert_obj(socket_ext["options"], obj1x.options, SOCKET_OPTIONS_MAP, obs2x_id) if "socket_handle" in socket_ext: warn("%s not representable in a STIX 1.x %s. Found in %s", 503, "socket_handle", "NetworkSocket", obs2x_id) nc.add_related(obj1x, VocabString("Related_Socket"), inline=True)
def add_missing_property_to_description(obj1x, property_name, property_value): if not get_option_value("no_squirrel_gaps"): if not obj1x.parent.description: obj1x.parent.description = StructuredText("") new_text = property_name + ": " + text_type(property_value) obj1x.parent.description.value = obj1x.parent.description.value + "\n" if obj1x.parent.description.value else "" + new_text
def add_missing_property_to_free_text_lines(ident1x, property_name, property_value): if not get_option_value("no_squirrel_gaps"): ident1x.add_free_text_line(property_name + ": " + property_value)
def add_missing_list_property_to_description(obj1x, property_name, property_values): if not get_option_value("no_squirrel_gaps"): obj1x.add_description(property_name + ": " + ", ".join(property_values))
def add_missing_property_to_description(obj1x, property_name, property_value): if not get_option_value("no_squirrel_gaps"): obj1x.add_description(property_name + ": " + text_type(property_value))
def convert_bundle(bundle_obj): global _ID_OBJECT_MAPPING global _EXPLICIT_OBJECT_USED global _ID_NAMESPACE global _VICTIM_TARGET_TTPS global _KILL_CHAINS global CONTAINER _ID_OBJECT_MAPPING = {} _EXPLICIT_OBJECT_USED = {} _VICTIM_TARGET_TTPS = [] _KILL_CHAINS = {} if get_option_value("use_namespace"): option_value = get_option_value("use_namespace").split(" ") _ID_NAMESPACE = option_value[0] set_default_namespace(*option_value) CONTAINER = stixmarx.new() pkg = CONTAINER.package pkg.id_ = convert_id20(bundle_obj["id"]) for identity in (v for v in bundle_obj["objects"] if v["type"] == "identity"): debug("Found '%s'", 0, identity["id"]) i1x = convert_identity(identity) record_id_object_mapping(identity["id"], i1x, used=False) for marking_definition in (v for v in bundle_obj["objects"] if v["type"] == "marking-definition"): debug("Found '%s'", 0, marking_definition["id"]) m1x = convert_marking_definition(marking_definition) if not pkg.stix_header: pkg.stix_header = STIXHeader(handling=Marking()) pkg.stix_header.handling.add_marking(m1x) for o in bundle_obj["objects"]: if o["type"] == "attack-pattern": pkg.add_ttp(convert_attack_pattern(o)) elif o["type"] == "campaign": pkg.add_campaign(convert_campaign(o)) elif o["type"] == 'course-of-action': pkg.add_course_of_action(convert_coa(o)) elif o["type"] == "indicator": pkg.add_indicator(convert_indicator(o)) elif o["type"] == "intrusion-set": error( "Cannot convert STIX 2.0 content that contains intrusion-sets", 524) return None elif o["type"] == "malware": pkg.add_ttp(convert_malware(o)) elif o["type"] == "observed-data": pkg.add_observable(convert_observed_data(o)) elif o["type"] == "report": pkg.add_report(convert_report(o)) elif o["type"] == "threat-actor": pkg.add_threat_actor(convert_threat_actor(o)) elif o["type"] == "tool": pkg.add_ttp(convert_tool(o)) elif o["type"] == "vulnerability": pkg.add_exploit_target(convert_vulnerability(o)) # second passes for o in bundle_obj["objects"]: if o["type"] == "relationship": process_relationships(o) for o in bundle_obj["objects"]: if "created_by_ref" in o: process_created_by_ref(o) if "external_references" in o: create_references(o) for o in bundle_obj["objects"]: if o["type"] == "sighting": process_sighting(o) for k, v in _KILL_CHAINS.items(): pkg.ttps.kill_chains.append(v["kill_chain"]) CONTAINER.flush() CONTAINER = None return pkg
def convert_process_c_o(process2x, process1x, obs2x_id): convert_obj(process2x, process1x, PROCESS_MAP_2_0 if get_option_value("version_of_stix2x") == "2.0" else PROCESS_MAP_2_1, obs2x_id) if "cwd" in process2x: if not process1x.image_info: process1x.image_info = ImageInfo() process1x.image_info.current_directory = process2x["cwd"] if "arguments" in process2x and get_option_value("version_of_stix2x") == "2.0": process1x.argument_list = ArgumentList() for a in process2x["arguments"]: process1x.argument_list.append(a) if "command_line" in process2x: if not process1x.image_info: process1x.image_info = ImageInfo() process1x.image_info.command_line = process2x["command_line"] if "environment_variables" in process2x: process1x.environment_variable_list = EnvironmentVariableList() for k, v in process2x["environment_variables"].items(): ev = EnvironmentVariable() process1x.environment_variable_list.append(ev) ev.name = k ev.value = v if "opened_connection_refs" in process2x: process1x.network_connection_list = NetworkConnectionList() for conn_ref in process2x["opened_connection_refs"]: if conn_ref in _STIX1X_OBJS: process1x.network_connection_list.append(_STIX1X_OBJS[conn_ref]) else: warn("%s is not an index found in %s", 306, conn_ref, obs2x_id) if "creator_user_ref" in process2x: if process2x["creator_user_ref"] in _STIX1X_OBJS: account_object = _STIX1X_OBJS[process2x["creator_user_ref"]] if "account_login" in account_object: process1x.username = account_object.username else: warn("%s is not an index found in %s", 306, process2x["creator_user_ref"], obs2x_id) if ("binary_ref" in process2x and get_option_value("version_of_stix2x") == "2.0" or "image_ref" in process2x and get_option_value("version_of_stix2x") == "2.1"): if "binary_ref" in process2x: ref = "binary_ref" elif "image_ref" in process2x: ref = "image_ref" if process2x[ref] in _STIX1X_OBJS: file_obj = _STIX1X_OBJS[process2x[ref]] if file_obj.file_name: if not process1x.image_info: process1x.image_info = ImageInfo() process1x.image_info.file_name = file_obj.file_name # TODO: file_obj.full_path if file_obj.hashes: warn("Hashes of the binary_ref of %s process cannot be represented in the STIX 1.x Process object", 517, obs2x_id) else: warn("No file name provided for binary_ref of %s, therefore it cannot be represented in the STIX 1.x Process object", 516, obs2x_id) else: warn("%s is not an index found in %s", 306, process2x[ref], obs2x_id) if "parent_ref" in process2x: if process2x["parent_ref"] in _STIX1X_OBJS: process_object = _STIX1X_OBJS[process2x["parent_ref"]] if "pid" in process_object: process1x.parent_pid = process_object.pid else: warn("%s is not an index found in %s", 306, process2x["parent_ref"], obs2x_id) if "child_refs" in process2x: process1x.child_pid_list = ChildPIDList() for cr in process2x["child_refs"]: process_object = _STIX1X_OBJS[cr] if "pid" in process_object: process1x.child_pid_list.append(process_object.pid) if "extensions" in process2x: convert_process_extensions(process2x, process1x, obs2x_id)