def test_pattern_multiple_all(self):
s = String(["foo", "bar", "baz"])
s.condition = "Equals"
s.apply_condition = "ALL"
# If we change @apply_condition from the default, it should match
# that value.
self.assertTrue(b'apply_condition="ALL"' in s.to_xml())
def from_obj(process_obj, process_cls = None):
if not process_obj:
return None
if process_cls == None:
process_ = Process()
else:
process_ = process_cls
ObjectProperties.from_obj(process_obj, process_)
process_.is_hidden = process_obj.get_is_hidden()
process_.pid = UnsignedInteger.from_obj(process_obj.get_PID())
process_.name = String.from_obj(process_obj.get_Name())
process_.creation_time = DateTime.from_obj(process_obj.get_Creation_Time())
process_.parent_pid = UnsignedInteger.from_obj(process_obj.get_Parent_PID())
process_.image_info = ImageInfo.from_obj(process_obj.get_Image_Info())
process_.environment_variable_list = EnvironmentVariableList.from_obj(process_obj.get_Environment_Variable_List())
process_.kernel_time = Duration.from_obj(process_obj.get_Kernel_Time())
process_.start_time = DateTime.from_obj(process_obj.get_Start_Time())
process_.username = String.from_obj(process_obj.get_Username())
process_.user_time = Duration.from_obj(process_obj.get_User_Time())
process_.extracted_features = None
if process_obj.get_Argument_List() is not None : process_.argument_list = [String.from_obj(x) for x in process_obj.get_Argument_List().get_Argument()]
if process_obj.get_Child_PID_List() is not None : process_.child_pid_list = [UnsignedInteger.from_obj(x) for x in process_obj.get_Child_PID_List().get_Child_PID()]
if process_obj.get_Port_List() is not None : process_.port_list = [Port.from_obj(x) for x in process_obj.get_Port_List().get_Port()]
if process_obj.get_Network_Connection_List() is not None : process_.network_connection_list = [NetworkConnection.from_obj(x) for x in process_obj.get_Network_Connection_List().get_Network_Connection()]
return process_
def from_obj(x509_certificate_signature_obj):
if not x509_certificate_signature_obj:
return None
x509_certificate_signature_ = X509CertificateSignature()
x509_certificate_signature_.signature_algorithm = String.from_obj(x509_certificate_signature_obj.get_Signature_Algorithm())
x509_certificate_signature_.signature = String.from_obj(x509_certificate_signature_obj.get_Signature())
return x509_certificate_signature_
def test_pattern_multiple_all(self):
s = String(["foo", "bar", "baz"])
s.condition = "Equals"
s.apply_condition = "ALL"
# If we change @apply_condition from the default, it should match
# that value.
self.assertTrue(b'apply_condition="ALL"' in s.to_xml())
def from_dict(x509_certificate_signature_dict):
if not x509_certificate_signature_dict:
return None
x509_certificate_signature_ = X509CertificateSignature()
x509_certificate_signature_.signature_algorithm = String.from_dict(x509_certificate_signature_dict.get('signature_algorithm'))
x509_certificate_signature_.signature = String.from_dict(x509_certificate_signature_dict.get('signature'))
return x509_certificate_signature_
def from_dict(process_dict, process_cls = None):
if not process_dict:
return None
if process_cls == None:
process_ = Process()
else:
process_ = process_cls
ObjectProperties.from_dict(process_dict, process_)
process_.is_hidden = process_dict.get('is_hidden')
process_.pid = UnsignedInteger.from_dict(process_dict.get('pid'))
process_.name = String.from_dict(process_dict.get('name'))
process_.creation_time = DateTime.from_dict(process_dict.get('creation_time'))
process_.parent_pid = UnsignedInteger.from_dict(process_dict.get('parent_pid'))
process_.child_pid_list = [UnsignedInteger.from_dict(x) for x in process_dict.get('child_pid_list', [])]
process_.image_info = ImageInfo.from_dict(process_dict.get('image_info'))
process_.argument_list = [String.from_dict(x) for x in process_dict.get('argument_list', [])]
process_.environment_variable_list = EnvironmentVariableList.from_list(process_dict.get('environment_variable_list'))
process_.kernel_time = Duration.from_dict(process_dict.get('kernel_time'))
process_.port_list = [Port.from_dict(x) for x in process_dict.get('port_list', [])]
process_.network_connection_list = [NetworkConnection.from_dict(x) for x in process_dict.get('network_connection_list', [])]
process_.start_time = DateTime.from_dict(process_dict.get('start_time'))
process_.username = String.from_dict(process_dict.get('username'))
process_.user_time = Duration.from_dict(process_dict.get('user_time'))
process_.extracted_features = None
return process_
def test_unicode_string(self):
s = u("A Unicode \ufffd string")
string = String(s)
unicode_string = six.text_type(string)
self.assertEqual(s, unicode_string)
self.assertEqual(s.encode("utf-8"), unicode_string.encode("utf-8"))
self.assertTrue(s.encode("utf-8") in string.to_xml())
def test_unicode_string(self):
s = u("A Unicode \ufffd string")
string = String(s)
unicode_string = six.text_type(string)
self.assertEqual(s, unicode_string)
self.assertEqual(s.encode("utf-8"), unicode_string.encode("utf-8"))
self.assertTrue(s.encode("utf-8") in string.to_xml())
def from_obj(global_flag_obj):
if not global_flag_obj:
return None
global_flag_ = GlobalFlag()
global_flag_.abbreviation = String.from_obj(global_flag_obj.get_Abbreviation())
global_flag_.destination = String.from_obj(global_flag_obj.get_Destination())
global_flag_.hexadecimal_value = HexBinary.from_obj(global_flag_obj.get_Hexadecimal_Value())
global_flag_.symbolic_name = String.from_obj(global_flag_obj.get_Symbolic_Name())
return global_flag_
def from_dict(x509_non_standard_extensions_dict):
if not x509_non_standard_extensions_dict:
return None
x509_non_standard_extensions_ = X509NonStandardExtensions()
x509_non_standard_extensions_.netscape_comment = String.from_dict(x509_non_standard_extensions_dict.get('netscape_comment'))
x509_non_standard_extensions_.netscape_certificate_type = String.from_dict(x509_non_standard_extensions_dict.get('netscape_certificate_type'))
x509_non_standard_extensions_.old_authority_key_identifier = String.from_dict(x509_non_standard_extensions_dict.get('old_authority_key_identifier'))
x509_non_standard_extensions_.old_primary_key_attributes = String.from_dict(x509_non_standard_extensions_dict.get('old_primary_key_attributes'))
return x509_non_standard_extensions_
def from_dict(environment_variable_dict):
if not environment_variable_dict:
return None
environment_variable_ = EnvironmentVariable()
environment_variable_.name = String.from_dict(environment_variable_dict.get('name'))
environment_variable_.value = String.from_dict(environment_variable_dict.get('value'))
return environment_variable_
def from_dict(global_flag_dict):
if not global_flag_dict:
return None
global_flag_ = GlobalFlag()
global_flag_.abbreviation = String.from_dict(global_flag_dict.get('abbreviation'))
global_flag_.destination = String.from_dict(global_flag_dict.get('destination'))
global_flag_.hexadecimal_value = HexBinary.from_dict(global_flag_dict.get('hexadecimal_value'))
global_flag_.symbolic_name = String.from_dict(global_flag_dict.get('symbolic_name'))
return global_flag_
def from_obj(x509_non_standard_extensions_obj):
if not x509_non_standard_extensions_obj:
return None
x509_non_standard_extensions_ = X509NonStandardExtensions()
x509_non_standard_extensions_.netscape_comment = String.from_obj(x509_non_standard_extensions_obj.get_Netscape_Comment())
x509_non_standard_extensions_.netscape_certificate_type = String.from_obj(x509_non_standard_extensions_obj.get_Netscape_Certificate_Type())
x509_non_standard_extensions_.old_authority_key_identifier = String.from_obj(x509_non_standard_extensions_obj.get_Old_Authority_Key_Identifier())
x509_non_standard_extensions_.old_primary_key_attributes = String.from_obj(x509_non_standard_extensions_obj.get_Old_Primary_Key_Attributes())
return x509_non_standard_extensions_
def from_obj(environment_variable_obj):
if not environment_variable_obj:
return None
environment_variable_ = EnvironmentVariable()
environment_variable_.name = String.from_obj(environment_variable_obj.Name)
environment_variable_.value = String.from_obj(environment_variable_obj.Value)
return environment_variable_
def from_obj(bios_info_obj):
if not bios_info_obj:
return None
bios_info_ = BIOSInfo()
bios_info_.bios_date = Date.from_obj(bios_info_obj.get_BIOS_Date())
bios_info_.bios_version = String.from_obj(bios_info_obj.get_BIOS_Version())
bios_info_.bios_manufacturer = String.from_obj(bios_info_obj.get_BIOS_Manufacturer())
bios_info_.bios_release_date = Date.from_obj(bios_info_obj.get_BIOS_Release_Date())
bios_info_.bios_serial_number = String.from_obj(bios_info_obj.get_BIOS_Serial_Number())
return bios_info_
def from_dict(bios_info_dict):
if not bios_info_dict:
return None
bios_info_ = BIOSInfo()
bios_info_.bios_date = Date.from_dict(bios_info_dict.get('bios_date'))
bios_info_.bios_version = String.from_dict(bios_info_dict.get('bios_version'))
bios_info_.bios_manufacturer = String.from_dict(bios_info_dict.get('bios_manufacturer'))
bios_info_.bios_release_date = Date.from_dict(bios_info_dict.get('bios_release_date'))
bios_info_.bios_serial_number = String.from_dict(bios_info_dict.get('bios_serial_number'))
return bios_info_
def to_cybox(self, exclude=None):
"""
Convert an email to a CybOX Observables.
Pass parameter exclude to specify fields that should not be
included in the returned object.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
if exclude == None:
exclude = []
observables = []
obj = EmailMessage()
# Assume there is going to be at least one header
obj.header = EmailHeader()
if 'message_id' not in exclude:
obj.header.message_id = String(self.message_id)
if 'subject' not in exclude:
obj.header.subject = String(self.subject)
if 'sender' not in exclude:
obj.header.sender = Address(self.reply_to, Address.CAT_EMAIL)
if 'reply_to' not in exclude:
obj.header.reply_to = Address(self.reply_to, Address.CAT_EMAIL)
if 'x_originating_ip' not in exclude:
obj.header.x_originating_ip = Address(self.x_originating_ip,
Address.CAT_IPV4)
if 'raw_body' not in exclude:
obj.raw_body = self.raw_body
if 'raw_header' not in exclude:
obj.raw_header = self.raw_header
#copy fields where the names differ between objects
if 'helo' not in exclude and 'email_server' not in exclude:
obj.email_server = String(self.helo)
if ('from_' not in exclude and 'from' not in exclude
and 'from_address' not in exclude):
obj.header.from_ = EmailAddress(self.from_address)
if 'date' not in exclude and 'isodate' not in exclude:
obj.header.date = DateTime(self.isodate)
observables.append(Observable(obj))
return (observables, self.releasability)
def from_dict(image_info_dict):
if not image_info_dict:
return None
image_info_ = ImageInfo()
image_info_.file_name = String.from_dict(image_info_dict.get('file_name'))
image_info_.command_line = String.from_dict(image_info_dict.get('command_line'))
image_info_.current_directory = String.from_dict(image_info_dict.get('current_directory'))
image_info_.path = String.from_dict(image_info_dict.get('path'))
return image_info_
def from_dict(environment_variable_dict):
if not environment_variable_dict:
return None
environment_variable_ = EnvironmentVariable()
environment_variable_.name = String.from_dict(
environment_variable_dict.get('name'))
environment_variable_.value = String.from_dict(
environment_variable_dict.get('value'))
return environment_variable_
def from_obj(image_info_obj):
if not image_info_obj:
return None
image_info_ = ImageInfo()
image_info_.file_name = String.from_obj(image_info_obj.get_File_Name())
image_info_.command_line = String.from_obj(image_info_obj.get_Command_Line())
image_info_.current_directory = String.from_obj(image_info_obj.get_Current_Directory())
image_info_.path = String.from_obj(image_info_obj.get_Path())
return image_info_
def from_dict(os_dict):
if not os_dict:
return None
os_ = OS()
os_.bitness = String.from_dict(os_dict.get('bitness'))
os_.build_number = String.from_dict(os_dict.get('build_number'))
os_.environment_variable_list = EnvironmentVariableList.from_list(os_dict.get('environment_variable_list'))
os_.install_date = Date.from_dict(os_dict.get('install_date'))
os_.patch_level = String.from_dict(os_dict.get('patch_level'))
os_.platform = None #TODO: add support for platform specification
return os_
def from_dict(registry_value_dict):
if not registry_value_dict:
return None
registry_value_ = RegistryValue()
registry_value_.name = String.from_dict(registry_value_dict.get('name'))
registry_value_.data = String.from_dict(registry_value_dict.get('data'))
registry_value_.datatype = String.from_dict(registry_value_dict.get('datatype'))
#registry_value_.byte_runs = ByteRuns.from_dict(registry_value_dict.get('byte_runs'))
return registry_value_
def from_obj(environment_variable_obj):
if not environment_variable_obj:
return None
environment_variable_ = EnvironmentVariable()
environment_variable_.name = String.from_obj(
environment_variable_obj.Name)
environment_variable_.value = String.from_obj(
environment_variable_obj.Value)
return environment_variable_
def from_obj(registry_value_obj):
if not registry_value_obj:
return None
registry_value_ = RegistryValue()
registry_value_.name = String.from_obj(registry_value_obj.get_Name())
registry_value_.data = String.from_obj(registry_value_obj.get_Data())
registry_value_.datatype = String.from_obj(registry_value_obj.get_Datatype())
#registry_value_.byte_runs = ByteRuns.from_obj(registry_value_obj.get_Byte_Runs())
return registry_value_
def from_obj(os_obj):
if not os_obj:
return None
os_ = OS()
os_.bitness = String.from_obj(os_obj.get_Bitness())
os_.build_number = String.from_obj(os_obj.get_Build_Number())
os_.environment_variable_list = EnvironmentVariableList.from_obj(os_obj.get_Environment_Variable_List())
os_.install_date = Date.from_obj(os_obj.get_Install_Date())
os_.patch_level = String.from_obj(os_obj.get_Patch_Level())
os_.platform = None #TODO: add support for platform specification
return os_
def from_obj(digital_signature_obj):
if not digital_signature_obj:
return None
digital_signature_ = DigitalSignature()
digital_signature_.signature_exists = digital_signature_obj.get_signature_exists()
digital_signature_.signature_verified = digital_signature_obj.get_signature_verified()
digital_signature_.certificate_issuer = String.from_obj(digital_signature_obj.get_Certificate_Issuer())
digital_signature_.certificate_subject = String.from_obj(digital_signature_obj.get_Certificate_Subject())
digital_signature_.signature_description = String.from_obj(digital_signature_obj.get_Signature_Description())
return digital_signature_
def __create_dns_query_object(self, domain, record_type, nameserver=None):
"""Creates a CybOX DNSQueryType Object"""
question = DNSQuestion()
question.qname = self.__create_domain_name_object(domain)
question.qtype = String(record_type)
question.qclass = String('IN')
query = DNSQuery()
query.successful = False
query.question = question
return query
def from_dict(digital_signature_dict):
if not digital_signature_dict:
return None
digital_signature_ = DigitalSignature()
digital_signature_.signature_exists = digital_signature_dict.get('signature_exists')
digital_signature_.signature_verified = digital_signature_dict.get('signature_verified')
digital_signature_.certificate_issuer = String.from_dict(digital_signature_dict.get('certificate_issuer'))
digital_signature_.certificate_subject = String.from_dict(digital_signature_dict.get('certificate_subject'))
digital_signature_.signature_description = String.from_dict(digital_signature_dict.get('signature_description'))
return digital_signature_
def from_dict(win_handle_dict):
if not win_handle_dict:
return None
win_handle_ = WinHandle()
win_handle_.id = UnsignedInteger.from_dict(win_handle_dict.get('id'))
win_handle_.name = String.from_dict(win_handle_dict.get('name'))
win_handle_.type = String.from_dict(win_handle_dict.get('type'))
win_handle_.object_address = UnsignedLong.from_dict(win_handle_dict.get('id'))
win_handle_.access_mask = UnsignedLong.from_dict(win_handle_dict.get('access_mask'))
win_handle_.pointer_count = UnsignedLong.from_dict(win_handle_dict.get('id'))
return win_handle_
def from_obj(win_handle_obj):
if not win_handle_obj:
return None
win_handle_ = WinHandle()
win_handle_.id = UnsignedInteger.from_obj(win_handle_obj.get_ID())
win_handle_.name = String.from_obj(win_handle_obj.get_Name())
win_handle_.type = String.from_obj(win_handle_obj.get_Type())
win_handle_.object_address = UnsignedLong.from_obj(win_handle_obj.get_Object_Address())
win_handle_.access_mask = UnsignedLong.from_obj(win_handle_obj.get_Access_Mask())
win_handle_.pointer_count = UnsignedLong.from_obj(win_handle_obj.get_Pointer_Count())
return win_handle_
def from_dict(packer_dict):
if not packer_dict:
return None
packer = Packer()
packer.name = String.from_dict(packer_dict.get('name'))
packer.version = String.from_dict(packer_dict.get('version'))
packer.entry_point = HexBinary.from_dict(packer_dict.get('entry_point'))
packer.signature = String.from_dict(packer_dict.get('signature'))
packer.type_ = String.from_dict(packer_dict.get('type'))
return packer
def from_obj(packer_obj):
if not packer_obj:
return None
packer = Packer()
packer.name = String.from_obj(packer_obj.get_Name())
packer.version = String.from_obj(packer_obj.get_Version())
packer.entry_point = HexBinary.from_obj(packer_obj.get_Entry_Point())
packer.signature = String.from_obj(packer_obj.get_Signature())
packer.type_ = String.from_obj(packer_obj.get_Type())
return packer
def from_dict(network_interface_dict):
if not network_interface_dict:
return None
network_interface_ = NetworkInterface()
network_interface_.adapter = String.from_dict(network_interface_dict.get('adapter'))
network_interface_.description = String.from_dict(network_interface_dict.get('description'))
network_interface_.dhcp_lease_expires = DateTime.from_dict(network_interface_dict.get('dhcp_lease_expires'))
network_interface_.dhcp_lease_obtained = DateTime.from_dict(network_interface_dict.get('dhcp_lease_obtained'))
network_interface_.dhcp_server_list = DHCPServerList.from_list(network_interface_dict.get('dhcp_server_list'))
network_interface_.ip_gateway_list = IPGatewayList.from_list(network_interface_dict.get('ip_gateway_list'))
network_interface_.ip_list = IPInfoList.from_list(network_interface_dict.get('ip_list'))
network_interface_.mac = String.from_dict(network_interface_dict.get('mac'))
return network_interface_
def from_obj(network_interface_obj):
if not network_interface_obj:
return None
network_interface_ = NetworkInterface()
network_interface_.adapter = String.from_obj(network_interface_obj.get_Adapter())
network_interface_.description = String.from_obj(network_interface_obj.get_Description())
network_interface_.dhcp_lease_expires = DateTime.from_obj(network_interface_obj.get_DHCP_Lease_Expires())
network_interface_.dhcp_lease_obtained = DateTime.from_obj(network_interface_obj.get_DHCP_Lease_Obtained())
network_interface_.dhcp_server_list = DHCPServerList.from_obj(network_interface_obj.get_DHCP_Server_List())
network_interface_.ip_gateway_list = IPGatewayList.from_obj(network_interface_obj.get_IP_Gateway_List())
network_interface_.ip_list = IPInfoList.from_obj(network_interface_obj.get_IP_List())
network_interface_.mac = String.from_obj(network_interface_obj.get_MAC())
return network_interface_
def from_obj(win_kernel_hook_obj):
if not win_kernel_hook_obj:
return None
win_kernel_hook_ = WinKernelHook()
win_kernel_hook_.digital_signature_hooking = DigitalSignature.from_obj(win_kernel_hook_obj.get_Digital_Signature_Hooking())
win_kernel_hook_.digital_signature_hooked = DigitalSignature.from_obj(win_kernel_hook_obj.get_Digital_Signature_Hooked())
win_kernel_hook_.hooked_address = UnsignedLong.from_obj(win_kernel_hook_obj.get_Hooked_Address())
win_kernel_hook_.hook_description = String.from_obj(win_kernel_hook_obj.get_Hook_Description())
win_kernel_hook_.hooked_function = String.from_obj(win_kernel_hook_obj.get_Hooked_Function())
win_kernel_hook_.hooked_module = String.from_dict(win_kernel_hook_obj.get_Hooked_Module())
win_kernel_hook_.type = String.from_obj(win_kernel_hook_obj.get_Type())
return win_kernel_hook_
def from_dict(win_kernel_hook_dict):
if not win_kernel_hook_dict:
return None
win_kernel_hook_ = WinKernelHook()
win_kernel_hook_.digital_signature_hooking = DigitalSignature.from_dict(win_kernel_hook_dict.get('digital_signature_hooking'))
win_kernel_hook_.digital_signature_hooked = DigitalSignature.from_dict(win_kernel_hook_dict.get('digital_signature_hooked'))
win_kernel_hook_.hooked_address = UnsignedLong.from_dict(win_kernel_hook_dict.get('hooked_address'))
win_kernel_hook_.hook_description = String.from_dict(win_kernel_hook_dict.get('hook_description'))
win_kernel_hook_.hooked_function = String.from_dict(win_kernel_hook_dict.get('hooked_function'))
win_kernel_hook_.hooked_module = String.from_dict(win_kernel_hook_dict.get('hooked_module'))
win_kernel_hook_.type = String.from_dict(win_kernel_hook_dict.get('type'))
return win_kernel_hook_
def to_obj(self, return_obj=None, ns_info=None):
self._collect_ns_info(ns_info)
datasize_obj = String.to_obj(self, return_obj=return_obj, ns_info=ns_info)
if self.units is not None:
datasize_obj.units = self.units
return datasize_obj
def to_obj(self, return_obj=None, ns_info=None):
self._collect_ns_info(ns_info)
filepath_obj = String.to_obj(self, return_obj=return_obj, ns_info=ns_info)
if self.fully_qualified is not None:
filepath_obj.fully_qualified = self.fully_qualified
return filepath_obj
def __parse_email_message(self, msg):
""" Parses the supplied message
Returns a map of message parts expressed as cybox objects.
Keys: 'message', 'files', 'urls'
"""
files = []
url_list = []
domain_list = []
message = EmailMessage()
# Headers are required (for now)
message.header = self.__create_cybox_headers(msg)
if self.include_attachments:
files = self.__create_cybox_files(msg)
message.attachments = Attachments()
for f in files:
message.attachments.append(f.parent.id_)
f.add_related(message, "Contained_Within", inline=False)
if self.include_raw_headers:
raw_headers_str = self.__get_raw_headers(msg).strip()
if raw_headers_str:
message.raw_header = String(raw_headers_str)
# need this for parsing urls AND raw body text
raw_body = "\n".join(self.__get_raw_body_text(msg)).strip()
if self.include_raw_body and raw_body:
message.raw_body = String(raw_body)
if self.include_urls:
(url_list, domain_list) = self.__parse_urls(raw_body)
if url_list:
links = Links()
for u in url_list:
links.append(LinkReference(u.parent.id_))
if links:
message.links = links
# Return a list of all objects we've built
return [message] + files + url_list + domain_list
def cybox_object_http(obj):
http_session = HTTPSession()
hh = HTTPRequestResponse()
hc = HTTPClientRequest()
if obj.client_request.message_body:
hm = HTTPMessage()
hm.lenght = len(obj.client_request.message_body)
hm.message_body = String(obj.client_request.message_body)
hc.http_message_body = hm
rh = HTTPRequestHeader()
if obj.client_request.raw_header:
rh.raw_header = String(obj.client_request.raw_header)
hhf = HTTPRequestHeaderFields()
hhf.user_agent = String(obj.client_request.user_agent)
host_field = HostField()
host_field.domain_name = URI(value=obj.client_request.domain_name)
port = Port()
port.port_value = PositiveInteger(obj.client_request.port.port)
host_field.port = port
hhf.host = host_field
rh.parsed_header = hhf
hc.http_request_header = rh
hl = HTTPRequestLine()
hl.http_method = String(obj.client_request.request_method)
hl.version = String(obj.client_request.request_version)
hl.value = String(obj.client_request.request_uri)
hc.http_request_line = hl
hh.http_client_request = hc
http_session.http_request_response = [hh]
return http_session
def test_subject_TypedField(self):
h = EmailHeader()
# Set using actual object
h.subject = String("Howdy")
self.assertEqual(String, type(h.subject))
# Set using implied cast
h.subject = "Howdy"
self.assertEqual(String, type(h.subject))
s = "http://badsubject.com"
bad_object = URI(s)
self.assertRaises(ValueError, setattr, h, 'subject', bad_object)
def from_obj(extracted_string_obj):
if not extracted_string_obj:
return None
extracted_string_ = ExtractedString()
extracted_string_.encoding = VocabString.from_obj(
extracted_string_obj.get_Encoding())
extracted_string_.string_value = String.from_obj(
extracted_string_obj.get_String_Value())
extracted_string_.byte_string_value = HexBinary.from_obj(
extracted_string_obj.get_Byte_String_Value())
extracted_string_.hashes = HashList.from_obj(
extracted_string_obj.get_Hashes())
extracted_string_.address = HexBinary.from_obj(
extracted_string_obj.get_Address())
extracted_string_.length = PositiveInteger.from_obj(
extracted_string_obj.get_Length())
extracted_string_.language = String.from_obj(
extracted_string_obj.get_Language())
extracted_string_.english_translation = String.from_obj(
extracted_string_obj.get_English_Translation())
return extracted_string_
def from_dict(extracted_string_dict):
if not extracted_string_dict:
return None
extracted_string_ = ExtractedString()
extracted_string_.encoding = VocabString.from_dict(
extracted_string_dict.get('encoding'))
extracted_string_.string_value = String.from_dict(
extracted_string_dict.get('string_value'))
extracted_string_.byte_string_value = HexBinary.from_dict(
extracted_string_dict.get('byte_string_value'))
extracted_string_.hashes = HashList.from_list(
extracted_string_dict.get('hashes'))
extracted_string_.address = HexBinary.from_dict(
extracted_string_dict.get('address'))
extracted_string_.length = PositiveInteger.from_dict(
extracted_string_dict.get('length'))
extracted_string_.language = String.from_dict(
extracted_string_dict.get('language'))
extracted_string_.english_translation = String.from_dict(
extracted_string_dict.get('english_translation'))
return extracted_string_
def __create_dns_record_object(self, domain, record_type, nameserver=None):
"""Creates a CybOX DNSRecordType Object"""
record = self.__get_dns_record(domain, record_type, nameserver)
if not record:
return None
dns_record = DNSRecord()
dns_record.domain_name = self.__create_domain_name_object(record.get('Domain_Name'))
dns_record.ip_address = self.__create_ip_address_object(record.get('IP_Address'))
dns_record.entry_type = String(record.get('Entry_Type'))
dns_record.flags = HexBinary(record.get('Flags'))
dns_record.record_data = record.get('Record_Data')
return dns_record
def test_observable_init(self):
# Can pass an Object into the Observable constructor
o = Object()
obs = Observable(o)
# Can pass an Event into the Observable constructor
e = Event()
obs = Observable(e)
# Can pass an ObservableComposition into the Observable constructor
oc = ObservableComposition()
obs = Observable(oc)
# Can pass an ObjectProperties subclass into the Observable constructor
a = Address()
obs = Observable(a)
# Cannot pass a String into the Observable constructor.
s = String()
self.assertRaises(TypeError, Observable, s)
def test_instance_multiple(self):
s = String(["foo", "bar", "baz"])
# @apply_condition should not be set on instances.
self.assertFalse(b'apply_condition' in s.to_xml())
def test_list_of_strings_with_comma(self):
s = String([u("string,1"), u("string,1"), u("string,3")])
s2 = cybox.test.round_trip(s)
self.assertEqual(s, s2)
def to_dict(self):
datasize_dict = String.to_dict(self)
if self.units is not None:
datasize_dict['units'] = self.units
return datasize_dict
def test_instance_multiple_all(self):
s = String(["foo", "bar", "baz"])
s.apply_condition = "ALL"
# Even though we set it, this is not a pattern so @apply_condition
# shouldn't be output.
self.assertFalse(b'apply_condition' in s.to_xml())
def test_pattern_single(self):
s = String("foo")
s.condition = "Equals"
# @apply_condition should not be set if the value is not a list.
self.assertFalse(b'apply_condition' in s.to_xml())
def __init__(self, *args, **kwargs):
String.__init__(self, *args, **kwargs)
self.units = None
def test_string(self):
s = String("test_string")
self.assertEqual(s.datatype, "string")
self.assertEqual(s.value, "test_string")
def test_pattern_multiple(self):
s = String(["foo", "bar", "baz"])
s.condition = "Equals"
# @apply_condition should be set when there is a @condition and the
# value is a list.
self.assertTrue(b'apply_condition="ANY"' in s.to_xml())
def test_delimiter(self):
s = String(["string1", "string2"])
s.delimiter = "##delim##"
self.assertTrue(b"##comma##" not in s.to_xml())
self.assertTrue(b"string1##delim##string2" in s.to_xml())
def test_string_with_comma(self):
s = String("test_string,")
s2 = cybox.test.round_trip(s)
self.assertEqual(s, s2)
def __create_cybox_headers(self, msg):
""" Returns a CybOX EmailHeaderType object """
if self.__verbose_output:
sys.stderr.write("** parsing headers\n")
headers = EmailHeader()
if 'received' in self.headers:
lines = self._parse_received_headers(msg)
if lines:
headers.received_lines = lines
if 'to' in self.headers:
headers.to = _get_email_recipients(msg['to'])
if msg['delivered-to'] and not headers.to:
headers.to = _get_email_recipients(msg['delivered-to'])
if 'cc' in self.headers:
headers.cc = _get_email_recipients(msg['cc'])
if 'bcc' in self.headers:
headers.bcc = _get_email_recipients(msg['bcc'])
if 'from' in self.headers:
headers.from_ = _get_single_email_address(msg['from'])
if 'sender' in self.headers:
headers.sender = _get_single_email_address(msg['sender'])
if 'reply-to' in self.headers:
headers.reply_to = _get_single_email_address(msg['reply-to'])
if 'subject' in self.headers and 'subject' in msg:
headers.subject = String(msg['subject'])
if 'in-reply-to' in self.headers and 'in-reply-to' in msg:
headers.in_reply_to = String(msg['in-reply-to'])
if 'errors-to' in self.headers and 'errors-to' in msg:
headers.errors_to = String(msg['errors-to'])
if 'date' in self.headers and 'date' in msg:
headers.date = DateTime(msg['date'])
if 'message-id' in self.headers and 'message-id' in msg:
headers.message_id = String(msg['message-id'])
if 'boundary' in self.headers and 'boundary' in msg:
headers.boundary = String(msg['boundary'])
if 'content-type' in self.headers and 'content-type' in msg:
headers.content_type = String(msg['content-type'])
if 'mime-version' in self.headers and 'mime-version' in msg:
headers.mime_version = String(msg['mime-version'])
if 'precedence' in self.headers and 'precedence' in msg:
headers.precedence = String(msg['precedence'])
if 'user-agent' in self.headers and 'user-agent' in msg:
headers.user_agent = String(msg['user-agent'])
if 'x-mailer' in self.headers and 'x-mailer' in msg:
headers.x_mailer = String(msg['x-mailer'])
if 'x-originating-ip' in self.headers and msg['x-originating-ip']:
headers.x_originating_ip = Address(msg['x-originating-ip'],
Address.CAT_IPV4)
if 'x-priority' in self.headers and 'x-priority' in msg:
#Must be a digit - pull one out of anything that could be a string such as 3 (Normal)
import re
priority = ''
for p in re.findall(r'\d+',msg['x-priority']):
if p.isdigit():
priority = p
if priority:
headers.x_priority = String(priority)
return headers
def __create_cybox_headers(self, msg):
""" Returns a CybOX EmailHeaderType object """
if self.__verbose_output:
sys.stderr.write("** parsing headers\n")
headers = EmailHeader()
if 'received' in self.headers:
headers.received_lines = self._parse_received_headers(msg)
if 'to' in self.headers:
headers.to = _get_email_recipients(msg['to'])
if 'cc' in self.headers:
headers.cc = _get_email_recipients(msg['cc'])
if 'bcc' in self.headers:
headers.bcc = _get_email_recipients(msg['bcc'])
if 'from' in self.headers:
headers.from_ = _get_single_email_address(msg['from'])
if 'sender' in self.headers:
headers.sender = _get_single_email_address(msg['sender'])
if 'reply-to' in self.headers:
headers.reply_to = _get_single_email_address(msg['reply-to'])
if 'subject' in self.headers:
headers.subject = String(msg['subject'])
if 'in-reply-to' in self.headers:
headers.in_reply_to = String(msg['in-reply-to'])
if 'errors-to' in self.headers:
headers.errors_to = String(msg['errors-to'])
if 'date' in self.headers:
headers.date = DateTime(msg['date'])
if 'message-id' in self.headers:
headers.message_id = String(msg['message-id'])
if 'boundary' in self.headers:
headers.boundary = String(msg['boundary'])
if 'content-type' in self.headers:
headers.content_type = String(msg['content-type'])
if 'mime-version' in self.headers:
headers.mime_version = String(msg['mime-version'])
if 'precedence' in self.headers:
headers.precedence = String(msg['precedence'])
if 'user-agent' in self.headers:
headers.user_agent = String(msg['user-agent'])
if 'x-mailer' in self.headers:
headers.x_mailer = String(msg['x-mailer'])
if 'x-originating-ip' in self.headers:
headers.x_originating_ip = Address(msg['x-originating-ip'],
Address.CAT_IPV4)
if 'x-priority' in self.headers:
headers.x_priority = String(msg['x-priority'])
return headers
def __create_whois_object(self, domain):
""" Creates a CybOX WHOISObjectType object """
if not domain:
return None
if(self.__verbose_output):
sys.stderr.write("** creating Whois object for: %s\n" % domain)
if self.http_whois:
record = self.__get_whois_record_http(domain)
else:
record = self.__get_whois_record(domain)
if not record:
return None
whois = WhoisEntry()
record['status'] = ['OK' if status == 'ACTIVE' else status for status in record['status']]
#Only build registrar info objects if we have the relevant info
if (record['registrar'] or record['whois_server'] or
record['registrar_address'] or record['referral_url'] or
record['registrar_contacts']):
registrar = WhoisRegistrar()
registrar.name = String(record.get('registrar'))
registrar.address = String(record.get('registrar_address'))
registrar.whois_server = URI(record.get('whois_server'))
registrar.referral_url = URI(record.get('referral_url'))
contacts = WhoisContacts()
for email in record['registrar_contacts']:
contact = WhoisContact()
contact.contact_type = 'ADMIN'
contact.name = String(record.get('registrar'))
contact.email_address = EmailAddress(email)
contacts.append(contact)
registrar.contacts = contacts
whois.registrar_info = registrar
whois.domain_name = self.__create_domain_name_object(record.get('domain_name'))
nservers = WhoisNameservers()
for url in record.get('name_servers', []):
nservers.append(self.__create_url_object(url))
if nservers:
whois.nameservers = nservers
status = WhoisStatuses()
for s in record.get('status', []):
status.append(WhoisStatus(s))
if status:
whois.status = status
whois.updated_date = DateTime(record.get('updated_date'))
whois.creation_date = DateTime(record.get('creation_date'))
whois.expiration_date = DateTime(record.get('expiration_date'))
return whois
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"):
"""
Convert a CRITs TLO to a CybOX Observable.
:param obj: The TLO to convert.
:type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes`
:param exclude: Attributes to exclude.
:type exclude: list
:param bin_fmt: The format for the binary (if applicable).
:type bin_fmt: str
"""
type_ = obj._meta['crits_type']
if type_ == 'Certificate':
custom_prop = Property(
) # make a custom property so CRITs import can identify Certificate exports
custom_prop.name = "crits_type"
custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
custom_prop._value = "Certificate"
obje = File() # represent cert information as file
obje.md5 = obj.md5
obje.file_name = obj.filename
obje.file_format = obj.filetype
obje.size_in_bytes = obj.size
obje.custom_properties = CustomProperties()
obje.custom_properties.append(custom_prop)
obs = Observable(obje)
obs.description = obj.description
data = obj.filedata.read()
if data: # if cert data available
a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data
a.packaging.append(Base64Encoding())
obje.add_related(a, "Child_Of") # relate artifact to file
return ([obs], obj.releasability)
elif type_ == 'Domain':
obje = DomainName()
obje.value = obj.domain
obje.type_ = obj.record_type
return ([Observable(obje)], obj.releasability)
elif type_ == 'Email':
if exclude == None:
exclude = []
observables = []
obje = EmailMessage()
# Assume there is going to be at least one header
obje.header = EmailHeader()
if 'message_id' not in exclude:
obje.header.message_id = String(obj.message_id)
if 'subject' not in exclude:
obje.header.subject = String(obj.subject)
if 'sender' not in exclude:
obje.header.sender = Address(obj.sender, Address.CAT_EMAIL)
if 'reply_to' not in exclude:
obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL)
if 'x_originating_ip' not in exclude:
obje.header.x_originating_ip = Address(obj.x_originating_ip,
Address.CAT_IPV4)
if 'x_mailer' not in exclude:
obje.header.x_mailer = String(obj.x_mailer)
if 'boundary' not in exclude:
obje.header.boundary = String(obj.boundary)
if 'raw_body' not in exclude:
obje.raw_body = obj.raw_body
if 'raw_header' not in exclude:
obje.raw_header = obj.raw_header
#copy fields where the names differ between objects
if 'helo' not in exclude and 'email_server' not in exclude:
obje.email_server = String(obj.helo)
if ('from_' not in exclude and 'from' not in exclude
and 'from_address' not in exclude):
obje.header.from_ = EmailAddress(obj.from_address)
if 'date' not in exclude and 'isodate' not in exclude:
obje.header.date = DateTime(obj.isodate)
obje.attachments = Attachments()
observables.append(Observable(obje))
return (observables, obj.releasability)
elif type_ == 'Indicator':
observables = []
obje = make_cybox_object(obj.ind_type, obj.value)
observables.append(Observable(obje))
return (observables, obj.releasability)
elif type_ == 'IP':
obje = Address()
obje.address_value = obj.ip
if obj.ip_type == IPTypes.IPv4_ADDRESS:
obje.category = "ipv4-addr"
elif obj.ip_type == IPTypes.IPv6_ADDRESS:
obje.category = "ipv6-addr"
elif obj.ip_type == IPTypes.IPv4_SUBNET:
obje.category = "ipv4-net"
elif obj.ip_type == IPTypes.IPv6_SUBNET:
obje.category = "ipv6-subnet"
return ([Observable(obje)], obj.releasability)
elif type_ == 'PCAP':
obje = File()
obje.md5 = obj.md5
obje.file_name = obj.filename
obje.file_format = obj.contentType
obje.size_in_bytes = obj.length
obs = Observable(obje)
obs.description = obj.description
art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK)
art.packaging.append(Base64Encoding())
obje.add_related(art, "Child_Of") # relate artifact to file
return ([obs], obj.releasability)
elif type_ == 'RawData':
obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE)
obje.packaging.append(Base64Encoding())
obs = Observable(obje)
obs.description = obj.description
return ([obs], obj.releasability)
elif type_ == 'Sample':
if exclude == None:
exclude = []
observables = []
f = File()
for attr in ['md5', 'sha1', 'sha256']:
if attr not in exclude:
val = getattr(obj, attr, None)
if val:
setattr(f, attr, val)
if obj.ssdeep and 'ssdeep' not in exclude:
f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP))
if 'size' not in exclude and 'size_in_bytes' not in exclude:
f.size_in_bytes = UnsignedLong(obj.size)
if 'filename' not in exclude and 'file_name' not in exclude:
f.file_name = obj.filename
# create an Artifact object for the binary if it exists
if 'filedata' not in exclude and bin_fmt:
data = obj.filedata.read()
if data: # if sample data available
a = Artifact(data,
Artifact.TYPE_FILE) # create artifact w/data
if bin_fmt == "zlib":
a.packaging.append(ZlibCompression())
a.packaging.append(Base64Encoding())
elif bin_fmt == "base64":
a.packaging.append(Base64Encoding())
f.add_related(a, "Child_Of") # relate artifact to file
if 'filetype' not in exclude and 'file_format' not in exclude:
#NOTE: this doesn't work because the CybOX File object does not
# have any support built in for setting the filetype to a
# CybOX-binding friendly object (e.g., calling .to_dict() on
# the resulting CybOX object fails on this field.
f.file_format = obj.filetype
observables.append(Observable(f))
return (observables, obj.releasability)
else:
return (None, None)
def test_double_encode(self):
s = String(UNICODE_STR)
s2 = round_trip(s)
