Esempio n. 1
def update_maec(infilename, outfilename):
    """Upgrade the schema versions in a MAEC document and write it back out.

    Args:
        infilename: path of the MAEC XML document to read.
        outfilename: path the updated XML document is written to.

    A Package gets schema_version "2.1", each of its Analyses typed
    "manual" is retyped "in-depth", and every Bundle it contains gets
    schema_version "4.1". A standalone Bundle gets schema_version "4.1".
    Any other API object is written out unchanged.
    """
    # Version checking is disabled on purpose: the input is an older document.
    parsed = maec.parse_xml_instance(infilename, check_version=False)
    api_object = parsed['api']

    if isinstance(api_object, Package):
        api_object.schema_version = "2.1"
        for subject in api_object.malware_subjects:
            # The "manual" analysis type was renamed "in-depth" in the newer schema.
            for analysis in subject.analyses:
                if analysis.type == "manual":
                    analysis.type = "in-depth"
            for bundle in subject.findings_bundles.bundles:
                bundle.schema_version = "4.1"
    elif isinstance(api_object, Bundle):
        api_object.schema_version = "4.1"

    # NOTE(review): the input is third-party XML; whether the parser behind
    # parse_xml_instance resolves external entities is not visible here — confirm.
    api_object.to_xml_file(outfilename)
Esempio n. 2
def update_maec(infilename, outfilename):
    """Rewrite a MAEC document with its schema versions bumped.

    Args:
        infilename: path of the MAEC XML document to read.
        outfilename: path the updated XML document is written to.

    Packages become schema_version "2.1" (with "manual" Analyses retyped
    "in-depth" and contained Bundles set to "4.1"); standalone Bundles
    become "4.1". Other API objects are written unchanged.
    """
    # check_version is off because the whole point is to read an old version.
    api_object = maec.parse_xml_instance(infilename, check_version=False)['api']

    if isinstance(api_object, Package):
        _upgrade_package(api_object)
    elif isinstance(api_object, Bundle):
        api_object.schema_version = "4.1"

    api_object.to_xml_file(outfilename)


def _upgrade_package(package):
    """Apply the Package-level upgrades in place (schema version, analysis types, bundles)."""
    package.schema_version = "2.1"
    for subject in package.malware_subjects:
        for analysis in subject.analyses:
            # "manual" is the pre-2.1 spelling of "in-depth".
            if analysis.type == "manual":
                analysis.type = "in-depth"
        for bundle in subject.findings_bundles.bundles:
            bundle.schema_version = "4.1"
Esempio n. 3
def extract_indicators(package, config_directory=None):
    """Extract STIX Indicators from a MAEC Package file.

    Args:
        package: The MAEC Package file (a path or a file-like object).
        config_directory: (optional) directory holding the indicator
            extraction configuration files.

    Returns:
        A ``stix.STIXPackage`` instance holding the extracted STIX
        Indicators, or ``None`` when none were extracted.
    """
    maec_package = maec.parse_xml_instance(package)['api']

    # Only a path to an existing file is passed on as the package filename;
    # file-like objects and non-file strings yield None here.
    if isinstance(package, basestring) and os.path.isfile(package):
        package_filename = package
    else:
        package_filename = None

    # NOTE(review): the package is third-party XML; XML hardening (external
    # entities, DTDs) lives inside parse_xml_instance and is not visible here.
    extractor = IndicatorExtractor(maec_package, package_filename, config_directory)
    return extractor.extract()
Esempio n. 4
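def process_maec_file(filename):
    """Deduplicate a MAEC file and write the result next to it.

    Args:
        filename: path of the MAEC XML document (Package or Bundle).

    The output is written to ``<stem>_deduplicated.xml``. Files that do
    not parse, or whose API object is neither a Package nor a Bundle, are
    left untouched and nothing is written.
    """
    import os

    # os.path.splitext replaces str.find(".xml"): find() returns -1 for a
    # name without ".xml", which silently chopped the last character off the stem.
    stem, _ext = os.path.splitext(filename)
    new_filename = stem + "_deduplicated.xml"

    parsed_objects = maec.parse_xml_instance(filename)
    if not parsed_objects:
        return
    api_object = parsed_objects['api']

    if isinstance(api_object, Package):
        api_object.deduplicate_malware_subjects()
    elif isinstance(api_object, Bundle):
        api_object.deduplicate()
    else:
        # Unknown document type: nothing to deduplicate, so nothing is written.
        return
    api_object.to_xml_file(new_filename)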
Esempio n. 5
def process_maec_file(filename, bundle_list):
    """Append every Bundle found in a MAEC file to *bundle_list* (in place).

    Args:
        filename: path of the MAEC XML document.
        bundle_list: list receiving the Bundles. A Package contributes all
            Bundles of each of its Malware Subjects; a standalone Bundle
            contributes itself; anything else contributes nothing.
    """
    # Version checking is disabled so older documents are accepted too.
    parsed = maec.parse_xml_instance(filename, check_version=False)
    if not parsed:
        return
    api_object = parsed['api']

    if isinstance(api_object, Package):
        for subject in api_object.malware_subjects or ():
            bundle_list.extend(subject.get_all_bundles())
    elif isinstance(api_object, Bundle):
        bundle_list.append(api_object)
Esempio n. 6
def process_maec_file(filename, bundle_list):
    """Collect the Bundles of one MAEC file into *bundle_list* (mutated in place).

    Args:
        filename: path of the MAEC XML document.
        bundle_list: list the Bundles are appended to. For a Package, every
            Bundle of every Malware Subject is added; a standalone Bundle is
            added as-is; other documents add nothing.
    """
    parsed = maec.parse_xml_instance(filename, check_version=False)
    api_object = parsed['api'] if parsed else None

    if isinstance(api_object, Bundle):
        bundle_list.append(api_object)
    elif isinstance(api_object, Package) and api_object.malware_subjects:
        for subject in api_object.malware_subjects:
            for bundle in subject.get_all_bundles():
                bundle_list.append(bundle)
Esempio n. 7
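def main():
    """Command-line entry point: compute distances between MAEC Packages.

    Input Packages come from either ``-l``/``-list`` (explicit files) or
    ``-d``/``-directory`` (every ``.xml`` file in a directory); documents
    that are not Packages are skipped. Results are written to the
    positional ``output`` CSV file.
    """
    parser = argparse.ArgumentParser(description="MAEC Distance Calculation script")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-l", "-list", nargs="+", help="a space separated list of MAEC Package files to calculate the distances for")
    group.add_argument("-d", "-directory", help="the path to a directory of MAEC Package files to calculate the distances for")
    # Each long option was listed twice before; once is all argparse needs.
    parser.add_argument("--only_static", help="use only static features in the distance calculation", action="store_true")
    parser.add_argument("--only_dynamic", help="use only dynamic features (Actions) in the distance calculation", action="store_true")
    parser.add_argument("output", help="the name of the CSV file to which the calculated distances will be written")
    args = parser.parse_args()

    # Collect the paths to parse first, then filter to Package documents.
    if args.l:
        paths = list(args.l)
    elif args.d:
        # endswith() replaces the former substring test, which also matched
        # names such as "report.xml.bak"; sorting makes the output order stable.
        paths = [os.path.join(args.d, name)
                 for name in sorted(os.listdir(args.d))
                 if name.endswith('.xml')]
    else:
        paths = []

    package_list = []
    for path in paths:
        api_obj = maec.parse_xml_instance(path)['api']
        if isinstance(api_obj, Package):
            package_list.append(api_obj)

    dist = Distance(package_list)
    # Each flag switches the *other* feature family off.
    if args.only_static:
        dist.options_dict['use_dynamic_features'] = False
    if args.only_dynamic:
        dist.options_dict['use_static_features'] = False
    dist.calculate()

    # The context manager closes the CSV even if print_distances raises.
    with open(args.output, mode='w') as out_file:
        dist.print_distances(out_file)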
Esempio n. 8
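def main():
    """Command-line entry point: compute distances between MAEC Packages.

    Input Packages come from either ``-l``/``-list`` (explicit files) or
    ``-d``/``-directory`` (every ``.xml`` file in a directory); documents
    that are not Packages are skipped. Results are written to the
    positional ``output`` CSV file.
    """
    parser = argparse.ArgumentParser(description="MAEC Distance Calculation script")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-l", "-list", nargs="+", help="a space separated list of MAEC Package files to calculate the distances for")
    group.add_argument("-d", "-directory", help="the path to a directory of MAEC Package files to calculate the distances for")
    # Each long option was listed twice before; once is all argparse needs.
    parser.add_argument("--only_static", help="use only static features in the distance calculation", action="store_true")
    parser.add_argument("--only_dynamic", help="use only dynamic features (Actions) in the distance calculation", action="store_true")
    parser.add_argument("output", help="the name of the CSV file to which the calculated distances will be written")
    args = parser.parse_args()

    # Collect the paths to parse first, then filter to Package documents.
    if args.l:
        paths = list(args.l)
    elif args.d:
        # endswith() replaces the former substring test, which also matched
        # names such as "report.xml.bak"; sorting makes the output order stable.
        paths = [os.path.join(args.d, name)
                 for name in sorted(os.listdir(args.d))
                 if name.endswith('.xml')]
    else:
        paths = []

    package_list = []
    for path in paths:
        api_obj = maec.parse_xml_instance(path)['api']
        if isinstance(api_obj, Package):
            package_list.append(api_obj)

    dist = Distance(package_list)
    # Each flag switches the *other* feature family off.
    if args.only_static:
        dist.options_dict['use_dynamic_features'] = False
    if args.only_dynamic:
        dist.options_dict['use_static_features'] = False
    dist.calculate()

    # The context manager closes the CSV even if print_distances raises.
    with open(args.output, mode='w') as out_file:
        dist.print_distances(out_file)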
Esempio n. 9
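def process_maec_file(filename):
    """Deduplicate a MAEC file, printing how long parsing and deduplication took.

    Args:
        filename: path of the MAEC XML document (Package or Bundle).

    The result is written to ``<stem>_deduplicated.xml``; documents that
    are neither a Package nor a Bundle are not written.
    """
    import os

    # splitext replaces str.find(".xml"), which returned -1 (and so dropped
    # the stem's last character) for names without ".xml".
    stem, _ext = os.path.splitext(filename)
    new_filename = stem + "_deduplicated.xml"

    start_time = timeit.default_timer()
    parsed_objects = maec.parse_xml_instance(filename)
    print("Parsing: " + str(timeit.default_timer() - start_time))

    start_time = timeit.default_timer()
    api_object = parsed_objects['api'] if parsed_objects else None
    if isinstance(api_object, Package):
        api_object.deduplicate_malware_subjects()
        api_object.to_xml_file(new_filename)
    elif isinstance(api_object, Bundle):
        api_object.deduplicate()
        api_object.to_xml_file(new_filename)
    # Report the measured value rather than reading the clock a second time.
    elapsed = timeit.default_timer() - start_time
    print("Deduplicating: " + str(elapsed))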
Esempio n. 10
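def merge_documents(input_list, output_file):
    '''Merge a list of input MAEC documents and write them to an output file.

    Args:
        input_list: paths (or file-like objects) of the MAEC documents.
        output_file: destination the merged Package is written to.

    Raises:
        ValueError: if any input is not a MAEC Package. Only Packages can be
            merged; previously the error was printed and the merge ran anyway.
    '''
    parsed_documents = [maec.parse_xml_instance(f)['api'] for f in input_list]

    # Sanity check: reject the whole batch if anything is not a Package.
    if any(not isinstance(doc, Package) for doc in parsed_documents):
        raise ValueError('Error: unsupported document type. Currently only MAEC Packages are supported')

    merge_packages(parsed_documents, output_file)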
Esempio n. 11
def process_maec_file(filename):
    """Deduplicate a MAEC file (Package or Bundle) into ``<stem>_deduplicated.xml``,
    printing the time spent parsing and deduplicating.

    Args:
        filename: path of the MAEC XML document.
    """
    stem, _ = os.path.splitext(filename)
    new_filename = "%s_deduplicated.xml" % stem

    clock = timeit.default_timer
    started = clock()
    parsed_objects = maec.parse_xml_instance(filename)
    print("Parsing: " + str(clock() - started))

    started = clock()
    api_object = parsed_objects['api'] if parsed_objects else None
    if isinstance(api_object, Package):
        api_object.deduplicate_malware_subjects()
        api_object.to_xml_file(new_filename)
    elif isinstance(api_object, Bundle):
        api_object.deduplicate()
        api_object.to_xml_file(new_filename)

    elapsed = clock() - started
    print("Deduplicating: %s" % elapsed)
Esempio n. 12
def process_maec_file(filename):
    """Write a deduplicated copy of a MAEC Package or Bundle next to the input.

    Args:
        filename: path of the MAEC XML document; the copy is named
            ``<stem>_deduplicated.xml``.

    Parsing and deduplication timings are printed to stdout.
    """
    stem = os.path.splitext(filename)[0]
    new_filename = "%s_deduplicated.xml" % stem

    t0 = timeit.default_timer()
    parsed_objects = maec.parse_xml_instance(filename)
    print("Parsing: " + str(timeit.default_timer() - t0))

    t0 = timeit.default_timer()
    if parsed_objects:
        api_object = parsed_objects['api']
        if isinstance(api_object, Package):
            api_object.deduplicate_malware_subjects()
            api_object.to_xml_file(new_filename)
        elif isinstance(api_object, Bundle):
            api_object.deduplicate()
            api_object.to_xml_file(new_filename)

    elapsed = timeit.default_timer() - t0
    print("Deduplicating: %s" % elapsed)
Esempio n. 13
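def merge_documents(input_list, output_file):
    '''Merge a list of input MAEC documents and write them to an output file.

    Args:
        input_list: paths (or file-like objects) of the MAEC documents.
        output_file: destination the merged Package is written to.

    Raises:
        ValueError: if any input is not a MAEC Package. Only Packages can be
            merged; previously the error was printed and the merge ran anyway.
    '''
    parsed_documents = [maec.parse_xml_instance(f)['api'] for f in input_list]

    # Sanity check: reject the whole batch if anything is not a Package.
    if any(not isinstance(doc, Package) for doc in parsed_documents):
        raise ValueError('Error: unsupported document type. Currently only MAEC Packages are supported')

    merged_package = merge_packages(parsed_documents)
    # The namespace mapping gives the merged document its "merged" prefix.
    merged_package.to_xml_file(output_file, {"https://github.com/MAECProject/python-maec": "merged"})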
Esempio n. 14
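def merge_documents(input_list, output_file):
    '''Merge a list of input MAEC documents and write them to an output file.

    Args:
        input_list: paths (or file-like objects) of the MAEC documents.
        output_file: destination the merged Package is written to.

    Raises:
        ValueError: if any input is not a MAEC Package. Only Packages can be
            merged; previously the error was printed and the merge ran anyway.
    '''
    parsed_documents = [maec.parse_xml_instance(f)['api'] for f in input_list]

    # Sanity check: reject the whole batch if anything is not a Package.
    if any(not isinstance(doc, Package) for doc in parsed_documents):
        raise ValueError(
            'Error: unsupported document type. Currently only MAEC Packages are supported'
        )

    merged_package = merge_packages(parsed_documents)
    # The namespace mapping gives the merged document its "merged" prefix.
    merged_package.to_xml_file(
        output_file, {"https://github.com/MAECProject/python-maec": "merged"})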
Esempio n. 15
def wrap_maec_package(package):
    """Wrap a MAEC Package file in a STIX Package/TTP.

    Args:
        package: The MAEC Package file (a path or a file-like object).

    Returns:
        A ``stix.STIXPackage`` instance with the wrapped MAEC data.
    """
    maec_package = maec.parse_xml_instance(package)['api']

    # Pass the path along only when the argument is a string naming an
    # existing file; otherwise wrap_maec receives None for the filename.
    package_filename = (
        package if isinstance(package, basestring) and os.path.isfile(package)
        else None
    )

    return wrap_maec(maec_package, package_filename)
# MAEC Example 2 - Simple Parsing Example
# Demonstrates how to parse existing MAEC documents using the parse_xml_instance() method
# Uses the MAEC Package created by the package_generation_example as input

import maec

# Parse the input document using the parse_xml_instance() method
# Parse the sample document (produced by the package generation example).
maec_objects = maec.parse_xml_instance("sample_maec_package.xml")

# The 'api' entry holds the Package object built from the XML.
maec_package = maec_objects['api']

# Print the ID of every Malware Subject in the Package.
for subject in maec_package.malware_subjects:
    print(subject.id_)