def addsec_to_cybox_file(as_observables):
    """Fold a group of related Addition Security observables into one CybOX File.

    Only two observable kinds contribute: dataType 10 (DataTypeFile) supplies
    the path and dataType 2 (DataTypeSHA1, raw digest bytes) supplies the
    SHA-1 hash.  Every other observable in the list is ignored.  A later
    observable of the same type overwrites an earlier one, and a list with
    neither type still yields a (mostly empty) File object, never None.
    """
    result = File()
    for ob in as_observables:
        kind = ob.dataType
        if kind == 10:
            # DataTypeFile: the path is passed through as the source reported it.
            result.full_path = ob.data
        elif kind == 2:
            # DataTypeSHA1: the source hands us the digest as binary bytes;
            # CybOX wants the hex text form.  .encode('hex') is the Python 2
            # bytes->hex codec and does not exist on Python 3 (binascii.hexlify
            # would be the portable equivalent).
            # NOTE(review): no hash type is passed to Hash(); the library is
            # relied on to classify a 40-hex-char value as SHA-1 -- confirm.
            result.sha1 = Hash(ob.data.encode('hex'))
    return result
def addsec_to_cybox(as_obtype, as_obdata):
    """Map one discrete Addition Security observable onto a CybOX object.

    ``as_obtype`` is the numeric Addition Security DataType code and
    ``as_obdata`` its payload.  Returns a CybOX object for the recognised
    codes listed below, or None for codes that have no mapping yet
    (2 SHA1Hash, 7 VersionString, 18 String, 31 PropertyName).  Callers must
    therefore be prepared for a None result.

    The constructed objects carry exactly the fields set here; nothing is
    validated or normalised on the way through.
    """
    # 30: DataTypeSymbolName -> an API call, identified by function name.
    if as_obtype == 30:
        api = API()
        api.function_name = as_obdata
        return api

    # 32: DataTypeLibraryName -> Library.  The source gives a single string,
    # so the same value is used for both the name and the path.
    if as_obtype == 32:
        lib = Library()
        lib.name = as_obdata
        lib.path = as_obdata
        return lib

    # 14: DataTypeUsername
    if as_obtype == 14:
        account = UserAccount()
        account.username = as_obdata
        return account

    # 10: DataTypeFile -> File with only the full path populated.
    if as_obtype == 10:
        fobj = File()
        fobj.full_path = as_obdata
        return fobj

    # 23: DataTypeHostname
    if as_obtype == 23:
        host = Hostname()
        host.hostname_value = as_obdata
        return host

    # 29: DataTypeEnvString -> Process.  The Process stands for the process
    # hosting the environment; the observable payload is attached as its
    # environment variable list.
    if as_obtype == 29:
        proc = Process()
        proc.environment_variable_list = as_obdata
        return proc

    # 17: DataTypeApplication -> LinuxPackage.  An installed package
    # (notably on Android) is neither quite a File nor a Process; LinuxPackage
    # is the nearest existing CybOX object.  A dedicated subclass would be
    # more accurate but is deliberately avoided to keep this simple.
    if as_obtype == 17:
        pkg = LinuxPackage()
        pkg.name = as_obdata
        return pkg

    # 11: DataTypeX509        -> raw DER bytes, hex-encoded (Python 2 codec)
    # 12: DataTypeX509Subject -> subject string
    # 13: DataTypeX509Issuer  -> issuer string
    if as_obtype in (11, 12, 13):
        cert = X509Certificate()
        if as_obtype == 11:
            cert.raw_certificate = as_obdata.encode('hex')
        elif as_obtype == 12:
            # NOTE(review): cert.certificate is never assigned here; if the
            # library's default for that field is None this raises
            # AttributeError -- confirm against the cybox version in use.
            cert.certificate.subject = as_obdata
        else:
            # NOTE(review): same unassigned-cert.certificate concern as above.
            cert.certificate.issuer = as_obdata
        return cert

    # 2: DataTypeSHA1Hash, 7: DataTypeVersionString, 18: DataTypeString,
    # 31: DataTypePropertyName
    # TODO: find the proper CybOX representation for these; until then they
    # are not reported.
    return None