def _run_inspector_test(self, inspector, directory_name):
# Output paths
output_dir_path = os.path.join('test', 'test_extracted_data',
directory_name)
inspected_data_file_path = os.path.join(output_dir_path,
INSPECTED_DATA_FILE_NAME)
source_data_file_path = os.path.join(output_dir_path,
SOURCE_DATA_FILE_NAME)
# Execute the inspector
inspected_objects, source_objects = inspector.execute(
self.device_info, output_dir_path)
# write the results
write_observables_xml_file(Observables(inspected_objects),
inspected_data_file_path,
simple_output=True)
write_observables_xml_file(Observables(source_objects),
source_data_file_path,
simple_output=True)
# Assert xml files were written
self.assertTrue(os.path.exists(inspected_data_file_path))
self.assertTrue(os.path.exists(source_data_file_path))
# Delete the created files
os.remove(inspected_data_file_path)
os.remove(source_data_file_path)
def test_round_trip_xml(self):
np = NetworkPacket.from_dict(self._full_dict)
xml = Observables(np).to_xml()
new_obj = Observables.from_obj(parseString(xml))
new_dict = new_obj.observables[0].object_.properties.to_dict()
self.maxDiff = None
self.assertEqual(self._full_dict, new_dict)
def add_observable(self, observable):
"""Adds an ``Observable`` object to the :attr:`observables` collection.
If `observable` is not an ``Observable`` instance, an effort will be
made to convert it to one.
"""
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
def main():
print '<?xml version="1.0" encoding="UTF-8"?>'
v = AnyURI("www.sample1.com/index.html")
v.condition = "Equals"
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
o = Observables(u)
print o.to_xml()
def cybox_mutex(observable, observable_type, objects):
nsname, nsurl = observable.namespace.last().namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
m = Mutex()
m.name = obj.mutex_name
o = Observable(m)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def main():
fn = 'se_07.xml'
print "parsing input xml document..."
observables_obj = cybox_core_binding.parse(fn) # build a binding object
observables = Observables.from_obj(observables_obj) # build an api object from binding
observables_dict = observables.to_dict() # create dictionary from api object
pprint(observables_dict)
print "building xml from dictionary..."
observables_two = Observables.from_dict(observables_dict) # create copy api object from dictionary
xml = observables_two.to_xml() # generate xml from copied api object
print xml
def test_round_trip(self):
a = Address("*****@*****.**", Address.CAT_EMAIL)
a2 = Address("*****@*****.**", Address.CAT_EMAIL)
ms = MeasureSource()
ms.class_ = "System"
ms.source_type = "Analysis"
ms.description = StructuredText("A Description")
o = Observables([a, a2])
o.observable_package_source = ms
o2 = round_trip(o, output=True)
self.assertEqual(o.to_dict(), o2.to_dict())
def test_round_trip(self):
a = Address("*****@*****.**", Address.CAT_EMAIL)
a2 = Address("*****@*****.**", Address.CAT_EMAIL)
ms = MeasureSource()
ms.class_ = "System"
ms.source_type = "Analysis"
ms.description = StructuredText("A Description")
o = Observables([a, a2])
o.observable_package_source = ms
o2 = round_trip(o, output=True)
self.assertEqual(o.to_dict(), o2.to_dict())
def test_get_namespaces(self):
m = EmailMessage()
m.to = "*****@*****.**"
m.subject = "Here's a cool picture"
m.links = Links()
u = URI("http://example.com/cool.jpg", URI.TYPE_URL)
m.links.append(u.parent.id_)
o = Observables([u, m])
logger.info(o.to_xml())
actual_namespaces = o._get_namespaces()
logger.info("\n".join([str(x) for x in actual_namespaces]))
self.assertEqual(5, len(actual_namespaces))
def cybox_http(observable, observable_type, objects):
nsname, nsurl = observable.namespace.last().namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
h = cybox_object_http(obj)
# get related objects
related_objects_list = get_related_objects_for_object(obj.id, observable_type)
o = Observable(h)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def cybox_http(observable, observable_type, objects):
nsname, nsurl = observable.namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
h = cybox_object_http(obj)
# get related objects
related_objects_list = get_related_objects_for_object(obj.id, observable_type)
o = Observable(h)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def test_get_namespaces(self):
m = EmailMessage()
m.to = "*****@*****.**"
m.subject = "Here's a cool picture"
m.links = Links()
u = URI("http://example.com/cool.jpg", URI.TYPE_URL)
m.links.append(u.parent.id_)
o = Observables([u, m])
print o.to_xml()
actual_namespaces = o._get_namespaces()
print "\n".join([str(x) for x in actual_namespaces])
self.assertEqual(5, len(actual_namespaces))
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
if obj.version:
return_obj.version = obj.version
if obj.Campaigns:
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign]
if obj.Courses_Of_Action:
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action]
if obj.Exploit_Targets:
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target]
if obj.Indicators:
return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator]
if obj.Observables:
return_obj.observables = Observables.from_obj(obj.Observables)
if obj.Incidents:
return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident]
if obj.Threat_Actors:
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor]
if obj.TTPs:
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
# ReportBaseType fields
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
# ReportType fields
if isinstance(obj, cls._binding_class):
return_obj.header = Header.from_obj(obj.Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_reports = RelatedReports.from_obj(obj.Related_Reports)
# Don't overwrite unless a version is passed in
if obj.version:
return_obj.version = obj.version
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
if isinstance(obj, cls._binding_class): # CourseOfActionType properties
return_obj.version = obj.version
return_obj.title = obj.Title
return_obj.stage = VocabString.from_obj(obj.Stage)
return_obj.type_ = VocabString.from_obj(obj.Type)
return_obj.description = StructuredText.from_obj(obj.Description)
return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
return_obj.objective = Objective.from_obj(obj.Objective)
return_obj.parameter_observables = \
Observables.from_obj(obj.Parameter_Observables)
return_obj.impact = Statement.from_obj(obj.Impact)
return_obj.cost = Statement.from_obj(obj.Cost)
return_obj.efficacy = Statement.from_obj(obj.Efficacy)
return_obj.information_source = InformationSource.from_obj(obj.Information_Source)
return_obj.handling = Marking.from_obj(obj.Handling)
return_obj.related_coas = \
RelatedCOAs.from_obj(obj.Related_COAs)
return_obj.related_packages = \
RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
# ReportBaseType fields
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
# ReportType fields
if isinstance(obj, cls._binding_class):
return_obj.header = Header.from_obj(obj.Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_reports = RelatedReports.from_obj(obj.Related_Reports)
# Don't overwrite unless a version is passed in
if obj.version:
return_obj.version = obj.version
return return_obj
def targeted_technical_details(self, value):
if not value:
self._targeted_technical_details = None
elif isinstance(value, Observables):
self._targeted_technical_details = value
else:
self._targeted_technical_details = Observables(observables=[value])
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version')
return_obj.title = dict_repr.get('title')
return_obj.stage = VocabString.from_dict(dict_repr.get('stage'))
return_obj.type_ = VocabString.from_dict(dict_repr.get('type'))
return_obj.description = StructuredText.from_dict(dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.objective = Objective.from_dict(dict_repr.get('objective'))
return_obj.parameter_observables = \
Observables.from_dict(dict_repr.get('parameter_observables'))
return_obj.impact = Statement.from_dict(dict_repr.get('impact'))
return_obj.cost = Statement.from_dict(dict_repr.get('cost'))
return_obj.efficacy = Statement.from_dict(dict_repr.get('efficacy'))
return_obj.information_source = InformationSource.from_dict(dict_repr.get('information_source'))
return_obj.handling = Marking.from_dict(dict_repr.get('handling'))
return_obj.related_coas = \
RelatedCOAs.from_dict(dict_repr.get('related_coas'))
return_obj.related_packages = \
RelatedPackageRefs.from_dict(dict_repr.get('related_packages'))
return return_obj
def observable_characterization(self, value):
if not value:
self._observable_characterization = None
elif isinstance(value, Observables):
self._observable_characterization = value
else:
self._observable_characterization = Observables(observables=[value])
def parse(xml_file):
# create binding object from xml file
observables_obj = cybox_core_binding.parse(xml_file)
# convert binding object into python-cybox object
observables = Observables.from_obj(observables_obj)
return observables
def parse(xml_file):
# create binding object from xml file
observables_obj = cybox_core_binding.parse(xml_file)
# convert binding object into python-cybox object
observables = Observables.from_obj(observables_obj)
return observables
def main():
infilename = ''
outfilename = ''
#Get the command-line arguments
args = sys.argv[1:]
if len(args) < 4:
usage()
sys.exit(1)
for i in range(0,len(args)):
if args[i] == '-i':
infilename = args[i+1]
elif args[i] == '-o':
outfilename = args[i+1]
if os.path.isfile(infilename):
try:
# Perform the translation using the methods from the OpenIOC to CybOX Script
openioc_indicators = openioc.parse(infilename)
observables_obj = openioc_to_cybox.generate_cybox(openioc_indicators, infilename, True)
observables_cls = Observables.from_obj(observables_obj)
# Set the namespace to be used in the STIX Package
stix.utils.set_id_namespace({"https://github.com/STIXProject/openioc-to-stix":"openiocToSTIX"})
# Wrap the created Observables in a STIX Package/Indicator
stix_package = STIXPackage()
# Add the OpenIOC namespace
input_namespaces = {"http://openioc.org/":"openioc"}
stix_package.__input_namespaces__ = input_namespaces
for observable in observables_cls.observables:
indicator_dict = {}
producer_dict = {}
producer_dict['tools'] = [{'name':'OpenIOC to STIX Utility', 'version':str(__VERSION__)}]
indicator_dict['producer'] = producer_dict
indicator_dict['title'] = "CybOX-represented Indicator Created from OpenIOC File"
indicator = Indicator.from_dict(indicator_dict)
indicator.add_observable(observables_cls.observables[0])
stix_package.add_indicator(indicator)
# Create and write the STIX Header
stix_header = STIXHeader()
stix_header.package_intent = "Indicators - Malware Artifacts"
stix_header.description = "CybOX-represented Indicators Translated from OpenIOC File"
stix_package.stix_header = stix_header
# Write the generated STIX Package as XML to the output file
outfile = open(outfilename, 'w')
# Ignore any warnings - temporary fix for no schemaLocation w/ namespace
with warnings.catch_warnings():
warnings.simplefilter("ignore")
outfile.write(stix_package.to_xml())
warnings.resetwarnings()
outfile.flush()
outfile.close()
except Exception, err:
print('\nError: %s\n' % str(err))
traceback.print_exc()
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(
obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(
obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_packages = RelatedPackages.from_obj(
obj.Related_Packages)
# Don't overwrite unless a version is passed in
if obj.version:
return_obj.version = obj.version
return return_obj
def structured_description(self, value):
if not value:
self._structured_description = None
elif isinstance(value, Observables):
self._structured_description = value
else:
self._structured_description = Observables(value)
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.title = dict_repr.get('title')
return_obj.stage = VocabString.from_dict(dict_repr.get('stage'))
return_obj.type_ = VocabString.from_dict(dict_repr.get('type'))
return_obj.description = StructuredText.from_dict(
dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(
dict_repr.get('short_description'))
return_obj.objective = Objective.from_dict(dict_repr.get('objective'))
return_obj.parameter_observables = \
Observables.from_dict(dict_repr.get('parameter_observables'))
return_obj.impact = Statement.from_dict(dict_repr.get('impact'))
return_obj.cost = Statement.from_dict(dict_repr.get('cost'))
return_obj.efficacy = Statement.from_dict(dict_repr.get('efficacy'))
return_obj.information_source = InformationSource.from_dict(
dict_repr.get('information_source'))
return_obj.handling = Marking.from_dict(dict_repr.get('handling'))
return_obj.related_coas = \
RelatedCOAs.from_dict(dict_repr.get('related_coas'))
return_obj.related_packages = \
RelatedPackageRefs.from_dict(dict_repr.get('related_packages'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj,
cls._binding_class): # CourseOfActionType properties
return_obj.version = obj.get_version() or cls._version
return_obj.title = obj.get_Title()
return_obj.stage = VocabString.from_obj(obj.get_Stage())
return_obj.type_ = VocabString.from_obj(obj.get_Type())
return_obj.description = StructuredText.from_obj(
obj.get_Description())
return_obj.short_description = StructuredText.from_obj(
obj.get_Short_Description())
return_obj.objective = Objective.from_obj(obj.get_Objective())
return_obj.parameter_observables = \
Observables.from_obj(obj.get_Parameter_Observables())
return_obj.impact = Statement.from_obj(obj.get_Impact())
return_obj.cost = Statement.from_obj(obj.get_Cost())
return_obj.efficacy = Statement.from_obj(obj.get_Efficacy())
return_obj.information_source = InformationSource.from_obj(
obj.get_Information_Source())
return_obj.handling = Marking.from_obj(obj.get_Handling())
return_obj.related_coas = \
RelatedCOAs.from_obj(obj.get_Related_COAs())
return_obj.related_packages = \
RelatedPackageRefs.from_obj(obj.get_Related_Packages())
return return_obj
def test_correct_namespace_output(self):
link = Link()
link.value = u("https://www.example.com")
xml = Observables(link).to_xml()
self.assertTrue(b"cybox:Properties" in xml)
self.assertTrue(b"LinkObj:Properties" not in xml)
def parse(xml_file):
obs_obj = cybox_core_binding.parse(xml_file) # create binding object from xml file
obs = Observables.from_obj(obs_obj) # convert binding object into python-cybox object
#pro = process_binding.parse(xml_file)
#p = Process.from_obj(pro)
#print p.pid
return obs
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(CourseOfAction, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get
return_obj.stage = VocabString.from_dict(get('stage'))
return_obj.type_ = VocabString.from_dict(get('type'))
return_obj.objective = Objective.from_dict(get('objective'))
return_obj.parameter_observables = \
Observables.from_dict(get('parameter_observables'))
return_obj.impact = Statement.from_dict(get('impact'))
return_obj.cost = Statement.from_dict(get('cost'))
return_obj.efficacy = Statement.from_dict(get('efficacy'))
return_obj.related_coas = \
RelatedCOAs.from_dict(get('related_coas'))
return_obj.related_packages = \
related.RelatedPackageRefs.from_dict(get('related_packages'))
return_obj.structured_coa = \
_BaseStructuredCOA.from_dict(get('structured_coa'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(CourseOfAction, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj,
cls._binding_class): # CourseOfActionType properties
return_obj.title = obj.Title
return_obj.stage = VocabString.from_obj(obj.Stage)
return_obj.type_ = VocabString.from_obj(obj.Type)
return_obj.objective = Objective.from_obj(obj.Objective)
return_obj.parameter_observables = \
Observables.from_obj(obj.Parameter_Observables)
return_obj.impact = Statement.from_obj(obj.Impact)
return_obj.cost = Statement.from_obj(obj.Cost)
return_obj.efficacy = Statement.from_obj(obj.Efficacy)
return_obj.related_coas = \
RelatedCOAs.from_obj(obj.Related_COAs)
return_obj.related_packages = \
related.RelatedPackageRefs.from_obj(obj.Related_Packages)
return_obj.structured_coa = \
_BaseStructuredCOA.from_obj(obj.Structured_COA)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(
dict_repr.get('stix_header'))
return_obj.campaigns = Campaigns.from_dict(dict_repr.get('campaigns'))
return_obj.courses_of_action = CoursesOfAction.from_dict(
dict_repr.get('courses_of_action'))
return_obj.exploit_targets = ExploitTargets.from_dict(
dict_repr.get('exploit_targets'))
return_obj.indicators = Indicators.from_dict(
dict_repr.get('indicators'))
return_obj.observables = Observables.from_dict(
dict_repr.get('observables'))
return_obj.incidents = Incidents.from_dict(dict_repr.get('incidents'))
return_obj.threat_actors = ThreatActors.from_dict(
dict_repr.get('threat_actors'))
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(
dict_repr.get('related_packages'))
return return_obj
def test_observable_iterable(self):
a = Address("*****@*****.**", Address.CAT_EMAIL)
a2 = Address("*****@*****.**", Address.CAT_EMAIL)
o = Observables([a, a2])
for obs in o:
self.assertTrue(obs.object_.properties in [a, a2])
def main():
from stix.coa import CourseOfAction, Objective
from stix.common import Confidence
from stix.core import STIXPackage
from cybox.core import Observables
from cybox.objects.address_object import Address
pkg = STIXPackage()
coa = CourseOfAction()
coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
coa.stage = "Response"
coa.type_ = "Perimeter Blocking"
obj = Objective()
obj.description = "Block communication between the PIVY agents and the C2 Server"
obj.applicability_confidence = Confidence("High")
coa.objective = obj
coa.impact = "Low"
coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
coa.cost = "Low"
coa.efficacy = "High"
addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
coa.parameter_observables = Observables(addr)
pkg.add_course_of_action(coa)
print pkg.to_xml()
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj, cls._binding_class): # CourseOfActionType properties
return_obj.version = obj.get_version() or cls._version
return_obj.title = obj.get_Title()
return_obj.stage = VocabString.from_obj(obj.get_Stage())
return_obj.type_ = VocabString.from_obj(obj.get_Type())
return_obj.description = StructuredText.from_obj(obj.get_Description())
return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
return_obj.objective = Objective.from_obj(obj.get_Objective())
return_obj.parameter_observables = \
Observables.from_obj(obj.get_Parameter_Observables())
return_obj.impact = Statement.from_obj(obj.get_Impact())
return_obj.cost = Statement.from_obj(obj.get_Cost())
return_obj.efficacy = Statement.from_obj(obj.get_Efficacy())
return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
return_obj.handling = Marking.from_obj(obj.get_Handling())
return_obj.related_coas = \
RelatedCOAs.from_obj(obj.get_Related_COAs())
return_obj.related_packages = \
RelatedPackageRefs.from_obj(obj.get_Related_Packages())
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
if isinstance(obj, cls._binding_class): # CourseOfActionType properties
return_obj.version = obj.version
return_obj.title = obj.Title
return_obj.stage = VocabString.from_obj(obj.Stage)
return_obj.type_ = VocabString.from_obj(obj.Type)
return_obj.description = StructuredText.from_obj(obj.Description)
return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
return_obj.objective = Objective.from_obj(obj.Objective)
return_obj.parameter_observables = \
Observables.from_obj(obj.Parameter_Observables)
return_obj.impact = Statement.from_obj(obj.Impact)
return_obj.cost = Statement.from_obj(obj.Cost)
return_obj.efficacy = Statement.from_obj(obj.Efficacy)
return_obj.information_source = InformationSource.from_obj(obj.Information_Source)
return_obj.handling = Marking.from_obj(obj.Handling)
return_obj.related_coas = \
RelatedCOAs.from_obj(obj.Related_COAs)
return_obj.related_packages = \
RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def __init__(self,
id_=None,
idref=None,
timestamp=None,
stix_header=None,
courses_of_action=None,
exploit_targets=None,
indicators=None,
observables=None,
incidents=None,
threat_actors=None,
ttps=None,
campaigns=None,
related_packages=None,
reports=None):
super(STIXPackage, self).__init__()
self.id_ = id_ or idgen.create_id("Package")
self.idref = idref
self.version = STIXPackage._version
self.stix_header = stix_header
self.campaigns = campaigns or Campaigns()
self.courses_of_action = courses_of_action or CoursesOfAction()
self.exploit_targets = exploit_targets or ExploitTargets()
self.observables = observables or Observables()
self.indicators = indicators or Indicators()
self.incidents = incidents or Incidents()
self.threat_actors = threat_actors or ThreatActors()
self.ttps = ttps or TTPs()
self.related_packages = related_packages
self.reports = reports or Reports()
self.timestamp = timestamp
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(CourseOfAction, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj, cls._binding_class): # CourseOfActionType properties
return_obj.title = obj.Title
return_obj.stage = VocabString.from_obj(obj.Stage)
return_obj.type_ = VocabString.from_obj(obj.Type)
return_obj.objective = Objective.from_obj(obj.Objective)
return_obj.parameter_observables = \
Observables.from_obj(obj.Parameter_Observables)
return_obj.impact = Statement.from_obj(obj.Impact)
return_obj.cost = Statement.from_obj(obj.Cost)
return_obj.efficacy = Statement.from_obj(obj.Efficacy)
return_obj.related_coas = \
RelatedCOAs.from_obj(obj.Related_COAs)
return_obj.related_packages = \
related.RelatedPackageRefs.from_obj(obj.Related_Packages)
return_obj.structured_coa = \
_BaseStructuredCOA.from_obj(obj.Structured_COA)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(CourseOfAction, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get
return_obj.stage = VocabString.from_dict(get('stage'))
return_obj.type_ = VocabString.from_dict(get('type'))
return_obj.objective = Objective.from_dict(get('objective'))
return_obj.parameter_observables = \
Observables.from_dict(get('parameter_observables'))
return_obj.impact = Statement.from_dict(get('impact'))
return_obj.cost = Statement.from_dict(get('cost'))
return_obj.efficacy = Statement.from_dict(get('efficacy'))
return_obj.related_coas = \
RelatedCOAs.from_dict(get('related_coas'))
return_obj.related_packages = \
related.RelatedPackageRefs.from_dict(get('related_packages'))
return_obj.structured_coa = \
_BaseStructuredCOA.from_dict(get('structured_coa'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())
if obj.get_version():
return_obj.version = obj.get_version()
if obj.get_Campaigns():
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()]
if obj.get_Courses_Of_Action():
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()]
if obj.get_Exploit_Targets():
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()]
if obj.get_Indicators():
return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()]
if obj.get_Observables():
return_obj.observables = Observables.from_obj(obj.get_Observables())
if obj.get_Incidents():
return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()]
if obj.get_Threat_Actors():
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()]
if obj.get_TTPs():
return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
return return_obj
def main():
infilename = ''
outfilename = ''
#Get the command-line arguments
args = sys.argv[1:]
#Basic argument checking
if len(args) < 4:
usage()
sys.exit(1)
for i in range(0, len(args)):
if args[i] == '-i':
infilename = args[i + 1]
elif args[i] == '-o':
outfilename = args[i + 1]
#Basic input file checking
if os.path.isfile(infilename):
#Get the raw lines from the input file
raw_lines = get_input(infilename)
#Breakup each certificate into its corresponding lines
cert_strings = split_certs(raw_lines)
observables_list = []
#Process each certificate array into its CybOX representation
for cert_array in cert_strings:
#Get the Python dictionary corresponding to the certificate
cert_dict = tokenize_input(cert_array)
observables_list.append(cert_to_cybox(cert_dict))
observables = Observables(observables_list)
#Open the output file for writing and write out the generated Observables
out_file = open(outfilename, 'w')
out_file.write("<?xml version='1.0' encoding='UTF-8'?>\n")
out_file.write(
"<!-- Generated by X509 to CybOX Utility\nhttps://github.com/CybOXProject/Tools/-->\n"
)
out_file.write("<!DOCTYPE doc [<!ENTITY comma ','>]>\n")
out_file.write(
observables.to_xml(
namespace_dict={
'https://github.com/CybOXProject/Tools': 'x509_to_cybox'
}))
out_file.close()
else:
print('\nError: Input file not found or inaccessible.')
sys.exit(1)
def _create_observables(self, msg):
o = Observables(self.__parse_email_message(msg))
t = ToolInformation()
t.name = os.path.basename(__file__)
t.description = StructuredText("Email to CybOX conversion script")
t.vendor = "The MITRE Corporation"
t.version = __version__
t_list = ToolInformationList()
t_list.append(t)
m = MeasureSource()
m.tools = t_list
o.observable_package_source = m
return o
def test_missing_related_object(self):
self.domain.add_related(self.ip, "Resolves To", inline=False)
# If we only include the domain, the dereference will fail.
o2 = self._test_round_trip(Observables([self.domain]))
rel_obj = o2.observables[0].object_.related_objects[0]
self.assertRaises(CacheMiss, rel_obj.get_properties)
def main():
v = AnyURI("http://www.example.com/index1.html")
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print(Observables(u).to_xml())
def strip_observables(pkg_path):
'''Strips observable from a package, support multiple structures'''
result = Observables()
pkg = STIXPackage.from_xml(pkg_path)
processed = []
for ind in pkg.indicators:
if ind.composite_indicator_expression:
"""The indicator is a compsite structure, this references other indicators, which reference the observables..."""
cyboxobject = ObservableComposition()
cyboxobject.operator = str(ind.observable_composition_operator)
for x in ind.composite_indicator_expression:
"""For every indicator in the composite list, get referenced indicator"""
ref_ind = getindicator_by_id(pkg, str(x._idref))
if ref_ind.observables:
for y in ref_ind.observables:
"""For every referenced observable, get the object"""
ref_obs = getobservable_by_id(pkg, y._idref)
if ref_obs:
cyboxobject.add(ref_obs)
processed.append(ref_obs.id_)
result.add(cyboxobject)
if ind.observables:
for x in ind.observables:
if x is not None:
if x.id_ not in processed:
result.add(x)
processed.append(x.id_)
if pkg.observables:
for x in pkg.observables:
if x is not None:
if x.id_ not in processed:
result.add(x)
scanfile = open(os.path.join(iocname,"scan.json"),'w')
scanfile.write(json.dumps(walkobservables(result).to_dict(), indent=4))
scanfile.close()
def test_inline(self):
self.domain.add_related(self.ip, "Resolves To", inline=True)
o2 = self._test_round_trip(Observables(self.domain))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the first observable, and has an inlined object with an id
actual_id = o2.observables[0].object_.related_objects[0].id_
self.assertEqual(expected_id, actual_id)
def test_round_trip_xml(self):
np = NetworkPacket.from_dict(self._full_dict)
xml = Observables(np).to_xml(encoding=None)
new_obj = Observables.from_obj(parseString(xml))
new_dict = new_obj.observables[0].object_.properties.to_dict()
self.maxDiff = None
self.assertEqual(self._full_dict, new_dict)
def main():
'''Build a CybOX Observables document and write it to stdout'''
domain = api.create_domain_name_observable('www.example.com')
url = api.create_url_observable('http://www.example.com')
ipv4 = api.create_ipv4_observable('127.0.0.1')
email = api.create_email_address_observable('*****@*****.**')
file_ = api.create_file_hash_observable('foo.bar','94f93e00fd122466d68a6ae3b8c7f908')
observables_doc = Observables([
domain,
ipv4,
url,
email,
file_,
])
observables_doc.to_obj().export(sys.stdout, 0)
pprint(observables_doc.to_dict())
def main():
v = AnyURI("http://www.example.com/index1.html")
v.condition = "Equals"
u = URI()
u.value = v
u.type_ = URI.TYPE_URL
print(Observables(u).to_xml(encoding=None))
def add_observable(self, observable):
"""Adds an ``Observable`` object to the :attr:`observables` collection.
If `observable` is not an ``Observable`` instance, an effort will be
made to convert it to one.
"""
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
def main():
infilename = ''
outfilename = ''
#Get the command-line arguments
args = sys.argv[1:]
#Basic argument checking
if len(args) < 4:
usage()
sys.exit(1)
for i in range(0,len(args)):
if args[i] == '-i':
infilename = args[i+1]
elif args[i] == '-o':
outfilename = args[i+1]
#Basic input file checking
if os.path.isfile(infilename):
#Get the raw lines from the input file
raw_lines = get_input(infilename)
#Breakup each certificate into its corresponding lines
cert_strings = split_certs(raw_lines)
observables_list = []
#Process each certificate array into its CybOX representation
for cert_array in cert_strings:
#Get the Python dictionary corresponding to the certificate
cert_dict = tokenize_input(cert_array)
observables_list.append(cert_to_cybox(cert_dict))
observables = Observables(observables_list)
#Open the output file for writing and write out the generated Observables
out_file = open(outfilename, 'w')
out_file.write("<?xml version='1.0' encoding='UTF-8'?>\n")
out_file.write("<!-- Generated by X509 to CybOX Utility\nhttps://github.com/CybOXProject/Tools/-->\n")
out_file.write("<!DOCTYPE doc [<!ENTITY comma ','>]>\n")
out_file.write(observables.to_xml(namespace_dict={'https://github.com/CybOXProject/Tools': 'x509_to_cybox'}))
out_file.close()
else:
print('\nError: Input file not found or inaccessible.')
sys.exit(1)
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.identity = Identity.from_dict(dict_repr.get('identity'))
return_obj.targeted_systems = [VocabString.from_dict(x) for x in dict_repr.get('targeted_systems', [])]
return_obj.targeted_information = [VocabString.from_dict(x) for x in dict_repr.get('targeted_information', [])]
return_obj.targeted_technical_details = Observables.from_dict(dict_repr.get('targeted_technical_details'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.identity = Identity.from_obj(obj.Identity)
return_obj.targeted_technical_details = Observables.from_obj(obj.Targeted_Technical_Details)
return_obj.targeted_systems = TargetedSystems.from_obj(obj.Targeted_Systems)
return_obj.targeted_information = TargetedInformation.from_obj(obj.Targeted_Information)
return return_obj
def cybox_file(observable, observable_type, objects):
nsname, nsurl = observable.namespace.split(':', 1)
NS = cybox.utils.Namespace(nsurl, nsname)
cybox.utils.set_id_namespace(NS)
observables = Observables()
for obj in objects:
for meta in obj.file_meta.all():
f = cybox_object_file(obj, meta)
# get related objects
related_objects_list = get_related_objects_for_object(obj.id, observable_type)
for rel_obj_dict in related_objects_list:
for rel_obj in rel_obj_dict['objects']:
if isinstance(rel_obj, EmailMessage_Object):
rel_o, attachments_list = cybox_object_email(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
for att in attachments_list:
observables.add(Observable(att))
continue
elif isinstance(rel_obj, File_Object):
for rel_meta in rel_obj.file_meta.all():
rel_o = cybox_object_file(rel_obj, rel_meta)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
elif isinstance(rel_obj, Address_Object):
rel_o = cybox_object_address(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
elif isinstance(rel_obj, URI_Object):
rel_o = cybox_object_uri(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
elif isinstance(rel_obj, HTTPSession_Object):
rel_o = cybox_object_http(rel_obj)
f.add_related(rel_o, rel_obj_dict['relation'], True)
continue
o = Observable(f)
o.title = observable.name
o.description = observable.description
observables.add(o)
return observables
def walkobservables(obs):
'''Recursive function for checking observables in an Observables, Observable_composition, Observable tree'''
try:
remove = Observables()
for x in obs.observables:
if walkobservables(x) is None:
remove.add(x)
for x in remove:
obs.remove(x)
return obs
except AttributeError:
pass
try:
remove = Observables()
for x in obs.observable_composition.observables:
if walkobservables(x) is None:
remove.add(x)
for x in remove:
obs.observable_composition.observables.remove(x)
return obs
except AttributeError:
pass
try:
if not checkcompatible_observable(obs):
return None
except AttributeError:
pass
return obs
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.title = dict_repr.get('title')
return_obj.description = StructuredText.from_dict(dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.types = [AttackerInfrastructureType.from_dict(x) for x in dict_repr.get('types', [])]
return_obj.observable_characterization = Observables.from_dict(dict_repr.get('observable_characterization'))
return return_obj
def main():
infilename = ''
outfilename = ''
#Get the command-line arguments
args = sys.argv[1:]
if len(args) < 4:
usage()
sys.exit(1)
for i in range(0,len(args)):
if args[i] == '-i':
infilename = args[i+1]
elif args[i] == '-o':
outfilename = args[i+1]
if os.path.isfile(infilename):
try:
# Perform the translation using the methods from the OpenIOC to CybOX Script
openioc_indicators = openioc.parse(infilename)
observables_obj = openioc_to_cybox.generate_cybox(openioc_indicators, infilename, True)
observables_cls = Observables.from_obj(observables_obj)
# Wrap the created Observables in a STIX Package/Indicator
stix_package = STIXPackage()
for observable in observables_cls.observables:
indicator_dict = {}
producer_dict = {}
producer_dict['tools'] = [{'name':'OpenIOC to STIX Utility', 'version':str(__VERSION__)}]
indicator_dict['producer'] = producer_dict
indicator_dict['title'] = "CybOX-represented Indicator Created from OpenIOC File"
indicator = Indicator.from_dict(indicator_dict)
indicator.add_observable(observables_cls.observables[0])
stix_package.add_indicator(indicator)
# Create and write the STIX Header
stix_header = STIXHeader()
stix_header.package_intent = "Indicators - Malware Artifacts"
stix_header.description = "CybOX-represented Indicators Translated from OpenIOC File"
stix_package.stix_header = stix_header
# Write the generated STIX Package as XML to the output file
outfile = open(outfilename, 'w')
outfile.write(stix_package.to_xml())
outfile.flush()
outfile.close()
except Exception, err:
print('\nError: %s\n' % str(err))
traceback.print_exc()
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
get = dict_repr.get
return_obj.identity = Identity.from_dict(get('identity'))
return_obj.targeted_systems = TargetedSystems.from_dict(get('targeted_systems'))
return_obj.targeted_information = TargetedInformation.from_dict(get('targeted_information'))
return_obj.targeted_technical_details = Observables.from_dict(get('targeted_technical_details'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.identity = Identity.from_obj(obj.get_Identity())
return_obj.targeted_technical_details = Observables.from_obj(obj.get_Targeted_Technical_Details())
if obj.get_Targeted_Systems():
return_obj.targeted_systems = [VocabString.from_obj(x) for x in obj.get_Targeted_Systems()]
if obj.get_Targeted_Information():
return_obj.targeted_information = [VocabString.from_obj(x) for x in obj.get_Targeted_Information()]
return return_obj
