Esempio n. 1
0
def elevate_string(string):
    warn(
        "Results produced by the stix2-elevator are not for production purposes.",
        201)
    clear_id_mapping()
    clear_pattern_mapping()

    validator_options = get_validator_options()

    try:
        output.set_level(validator_options.verbose)

        io = StringIO(string)
        stix_package = EntityParser().parse_xml(io)

        if not isinstance(stix_package, STIXPackage):
            raise TypeError("Must be an instance of stix.core.STIXPackage")

        setup_logger(stix_package.id_)
        json_string = json.dumps(convert_package(
            stix_package, get_option_value("package_created_by_id"),
            get_option_value("default_timestamp")),
                                 indent=4,
                                 separators=(',', ': '),
                                 sort_keys=True)
        validation_results = validate_string(json_string, validator_options)
        output.print_results(validation_results)
        return json_string

    except ValidationError as ex:
        output.error("Validation error occurred: '%s'" % ex,
                     codes.EXIT_VALIDATION_ERROR)
    except OSError as ex:
        log.error(ex, extra={"ecode": 210})
Esempio n. 2
0
    def from_xml(cls, xml_file, encoding=None):
        """Parses the `xml_file` file-like object and returns a
        :class:`STIXPackage` instance.

        Args:
            xml_file: A file, file-like object, etree._Element, or
                etree._ElementTree instance.
            encoding: The character encoding of the `xml_file` input. If
                ``None``, an attempt will be made to determine the input
                character encoding. Default is ``None``.

        Returns:
            An instance of :class:`STIXPackage`.

        """
        parser = EntityParser()
        return parser.parse_xml(xml_file, encoding=encoding)
Esempio n. 3
0
def elevate_file(fn):
    warn(
        "WARNING: Results produced by the stix-elevator are not for production purposes."
    )
    clear_id_mapping()
    clear_pattern_mapping()

    stix_package = EntityParser().parse_xml(fn)

    if isinstance(stix_package, STIXPackage):
        json_string = json.dumps(convert_package(stix_package),
                                 indent=4,
                                 separators=(',', ': '),
                                 sort_keys=True)
        validation_results = validate_string(json_string, ValidationOptions())
        print_results(validation_results)
        return json_string
    else:
        raise TypeError("Must be an instance of stix.core.STIXPackage")
 def from_xml(cls, xml_file):
     parser = EntityParser()
     return parser.parse_xml(xml_file)
Esempio n. 5
0
def main():

    # This is a work-around for the fact that the 1.0 indicator type was removed from the STIX python
    # library, even though it is the essentially the same as the 1.1 type. We want to still support 1.0
    # indicators since they are out there, and there is no difference for the purposes of this script.
    # vocabs._VOCAB_MAP["stixVocabs:IndicatorTypeVocab-1.0"] = IndicatorType

    # Create XML parser that can strip namespaces
    xmlParser = EntityParser()

    stix_package = None

    argParser = get_parser()
    args = argParser.parse_args()

    if args[0].help:
        print_help(argParser)

    # Import from a TAXII server
    elif args[0].referenceset and args[0].taxii:
        begin_ts = None
        end_ts = None

        try:
            if args[0].begin_ts:
                structTime = time.strptime(args[0].begin_ts,
                                           '%Y-%m-%d %H:%M:%S')
                begin_ts = datetime.datetime(*structTime[:6])
                begin_ts = begin_ts.replace(tzinfo=pytz.UTC)
            else:
                begin_ts = None

            if args[0].end_ts:
                structTime = time.strptime(args[0].end_ts, '%Y-%m-%d %H:%M:%S')
                end_ts = datetime.datetime(*structTime[:6])
                end_ts = end_ts.replace(tzinfo=pytz.UTC)
            else:
                end_ts = None

        except ValueError:
            print >> sys.stderr, "Could not parse either start or end time"
            raise

#Create Request Header
        poll_req = tm11.PollRequest(
            message_id=tm11.generate_message_id(),
            collection_name=args[0].collection,
            exclusive_begin_timestamp_label=begin_ts,
            inclusive_end_timestamp_label=end_ts,
            poll_parameters=tm11.PollRequest.PollParameters())

        poll_req_xml = poll_req.to_xml()

        #Create request client object
        client = tc.HttpClient()

        #HTTPS Setting
        if args[0].taxii_ssl:
            client.set_use_https(True)

# Basic Auth
        if args[0].taxii_username:
            if not args[0].taxii_password:
                args[0].taxii_password = getpass.getpass(
                    "Enter your taxii password: "******"content_blocks"]:
                bindingId = content["content_binding"]["binding_id"]

                if bindingId and bindingId.startswith(
                        "urn:stix.mitre.org:xml"):
                    if args[0].verbose:
                        print >> sys.stderr, "RECIEVED STIX DATA:\n"
                        print >> sys.stderr, content["content"]

                    try:
                        # This string replace is a workaround for some invalid documents in my test server, if you don't need it, remove it
                        xmlString = content["content"].replace(
                            'low',
                            'Low').replace('medium',
                                           'Medium').replace('high', 'High')
                        stix_package = xmlParser.parse_xml(
                            io.BytesIO(xmlString), False)
                        indicators += process_package_dict(
                            args, stix_package.to_dict())

                    except ValueError:
                        print >> sys.stderr, "Could not parse STIX document: "
                        print >> sys.stderr, content["content"]
                        raise

            print "Imported", indicators, "indicators into reference set", args[
                0].referenceset
        else:
            print >> sys.stderr, "Invalid reponse from TAXII server"
            pprint.pprint(response_dict, sys.stderr)
            exit(255)

    # Import from a XML file on disk
    elif args[0].referenceset and args[0].file:
        stix_package = xmlParser.parse_xml(args[0].file, False)
        indicators = process_package_dict(args, stix_package.to_dict())
        print "Imported", indicators, "indicators into reference set", args[
            0].referenceset
    else:
        print >> sys.stderr, "Invalid arguments. Type 'python stix_import.py --help' for usage.\n"
Esempio n. 6
0
def main():
	
	# This is a work-around for the fact that the 1.0 indicator type was removed from the STIX python 
	# library, even though it is the essentially the same as the 1.1 type. We want to still support 1.0
	# indicators since they are out there, and there is no difference for the purposes of this script.
	vocabs._VOCAB_MAP["stixVocabs:IndicatorTypeVocab-1.0"] = IndicatorType
	
	# Create XML parser that can strip namespaces
	xmlParser = EntityParser()
	
	stix_package = None
	
	argParser = get_parser()
	args = argParser.parse_args()

	if args[0].help:
		print_help(argParser)
	
	# Import from a TAXII server
	elif args[0].referenceset and args[0].taxii:
		begin_ts = None
		end_ts = None
		
		try:
			if args[0].begin_ts:
				structTime = time.strptime(args[0].begin_ts,'%Y-%m-%d %H:%M:%S')
				begin_ts = datetime.datetime(*structTime[:6])
				begin_ts = begin_ts.replace(tzinfo=pytz.UTC)
			else:
				begin_ts = None	
				


			if args[0].end_ts:
				structTime = time.strptime(args[0].end_ts,'%Y-%m-%d %H:%M:%S')
				end_ts = datetime.datetime(*structTime[:6])
				end_ts = end_ts.replace(tzinfo=pytz.UTC)
			else:
				end_ts = None
					
		except ValueError:
			print >> sys.stderr, "Could not parse either start or end time"
			raise

		poll_req = tm11.PollRequest(message_id=tm11.generate_message_id(),
		collection_name=args[0].collection,
		exclusive_begin_timestamp_label=begin_ts,
		inclusive_end_timestamp_label=end_ts,
		poll_parameters=tm11.PollRequest.PollParameters())

		poll_req_xml = poll_req.to_xml()
		
		client = tc.HttpClient()
		
		if args[0].taxii_ssl:
			client.setUseHttps(True)
		
		if args[0].taxii_username:
			client.setAuthType(1)

			if not args[0].taxii_password:
				args[0].taxii_password = getpass.getpass("Enter your taxii password: "******"/poll/", t.VID_TAXII_XML_11, poll_req_xml, args[0].taxiiport)
		
		response_message = t.get_message_from_http_response(resp, '0')
		
		response_dict = response_message.to_dict();

		indicators = 0
		
		if 'content_blocks' in response_dict:
			for content in response_dict["content_blocks"]:
				bindingId = content["content_binding"]["binding_id"]
				
				if bindingId and bindingId.startswith("urn:stix.mitre.org:xml"):
					if args[0].verbose:
						print >> sys.stderr, "RECIEVED STIX DATA:\n"
						print >> sys.stderr, content["content"]
			
					try:
						# This string replace is a workaround for some invalid documents in my test server, if you don't need it, remove it
						xmlString = content["content"].replace('low','Low').replace('medium','Medium').replace('high','High')
						stix_package = xmlParser.parse_xml(io.BytesIO(xmlString), False)
						indicators += process_package_dict( args, stix_package.to_dict() )
					
					except ValueError:
						print >> sys.stderr, "Could not parse STIX document: "
						print >> sys.stderr, content["content"]
						raise
			
			print "Imported", indicators, "indicators into reference set", args[0].referenceset
		else:
			print >> sys.stderr, "Invalid reponse from TAXII server"
			pprint.pprint( response_dict, sys.stderr )
			exit(255)

	# Import from a XML file on disk
	elif args[0].referenceset and args[0].file:
		
		stix_package = xmlParser.parse_xml(args[0].file, False)

		indicators = process_package_dict( args, stix_package.to_dict() )
		
		print "Imported", indicators, "indicators into reference set", args[0].referenceset
	
	else:
		print >> sys.stderr, "Invalid arguments. Type 'python stix_import.py --help' for usage.\n"
 def from_xml(cls, xml_file):
     parser = EntityParser()
     return parser.parse_xml(xml_file)
Esempio n. 8
0
def main():

    # Create XML parser that can strip namespaces
    xmlParser = EntityParser()

    stix_package = None

    argParser = get_parser()
    args = argParser.parse_args()

    if args[0].help:
        print_help(argParser)

    # Import from a TAXII server
    elif args[0].taxii:
        begin_ts = None
        end_ts = None

        try:
            if args[0].begin_ts:
                structTime = time.strptime(args[0].begin_ts,
                                           '%Y-%m-%d %H:%M:%S')
                begin_ts = datetime.datetime(*structTime[:6])
                begin_ts = begin_ts.replace(tzinfo=pytz.UTC)
            else:
                begin_ts = None

            if args[0].end_ts:
                structTime = time.strptime(args[0].end_ts, '%Y-%m-%d %H:%M:%S')
                end_ts = datetime.datetime(*structTime[:6])
                end_ts = end_ts.replace(tzinfo=pytz.UTC)
            else:
                end_ts = None

        except ValueError:
            print >> sys.stderr, "Could not parse either start or end time"
            raise

        poll_req = tm11.PollRequest(
            message_id=tm11.generate_message_id(),
            collection_name=args[0].collection,
            exclusive_begin_timestamp_label=begin_ts,
            inclusive_end_timestamp_label=end_ts,
            poll_parameters=tm11.PollRequest.PollParameters())

        poll_req_xml = poll_req.to_xml()

        client = tc.HttpClient()

        if args[0].taxii_ssl:
            client.setUseHttps(True)

        if args[0].taxii_username:
            client.setAuthType(1)

        if not args[0].taxii_password:
            args[0].taxii_password = getpass.getpass(
                "Enter your taxii password: "******"/poll/",
                                        t.VID_TAXII_XML_11, poll_req_xml,
                                        args[0].taxiiport)

        response_message = t.get_message_from_http_response(resp, '0')
        response_dict = response_message.to_dict()
        indicators = 0
        if 'content_blocks' in response_dict:
            for content in response_dict["content_blocks"]:
                bindingId = content["content_binding"]["binding_id"]

                if bindingId and bindingId.startswith(
                        "urn:stix.mitre.org:xml"):
                    #if args[0].verbose:
                    #	print >> sys.stderr, "RECIEVED STIX DATA:\n"
                    #print >> sys.stderr, content["content"]

                    try:
                        # Parse the information
                        stix_pkg = STIXPackage.from_xml(
                            io.BytesIO(content["content"]))
                        stix_package = stix_pkg
                        indicators += process_package_dict(
                            args, stix_package.to_dict())

                    except ValueError:
                        print >> sys.stderr, "Could not parse STIX document: "
                        print >> sys.stderr, content["content"]
                        raise

            print "Imported", indicators, "indicators into set"
        else:
            print >> sys.stderr, "Invalid reponse from TAXII server"
            pprint.pprint(response_dict, sys.stderr)
            exit(255)

    # Import from a XML file on disk
    elif args[0].file:

        stix_package = STIXPackage.from_xml(args[0].file)

        indicators = process_package_dict(args, stix_package.to_dict())

        print "Imported", indicators, "indicators into set"

    else:
        print >> sys.stderr, "Invalid arguments. Type 'python stix_Arcsight.py --help' for usage.\n"