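def walkobservables(obs):
    """Recursively prune an Observables / ObservableComposition / Observable tree.

    Container nodes (anything exposing ``.observables``, or an
    ``.observable_composition`` that exposes ``.observables``) are walked
    depth-first; children for which the recursive call returns ``None`` are
    removed from their container.  Leaf observables are kept only when
    ``checkcompatible_observable`` accepts them.

    Args:
        obs: an Observables, ObservableComposition or Observable instance
            (duck-typed on the attributes named above).

    Returns:
        ``obs`` itself (possibly with children removed), or ``None`` for a leaf
        observable rejected by ``checkcompatible_observable``.  A container
        that ends up empty is still returned, not ``None``.
    """
    # Probe the attributes explicitly instead of wrapping each whole walk in
    # ``except AttributeError: pass``: the old form also swallowed
    # AttributeErrors raised *inside* the recursion or inside
    # checkcompatible_observable, silently keeping nodes that were never
    # actually examined.  Rejected children are collected in a plain list so
    # the container is not mutated while it is being iterated.
    children = getattr(obs, "observables", None)
    if children is not None:
        rejected = [child for child in children if walkobservables(child) is None]
        for child in rejected:
            obs.remove(child)
        return obs

    composition = getattr(obs, "observable_composition", None)
    children = getattr(composition, "observables", None)
    if children is not None:
        rejected = [child for child in children if walkobservables(child) is None]
        for child in rejected:
            composition.observables.remove(child)
        return obs

    # Leaf observable: keep it only if the scanner knows how to handle it.
    if not checkcompatible_observable(obs):
        return None
    return obs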
def cybox_mutex(observable, observable_type, objects):
    """Build CybOX ``Mutex`` observables for a set of mutex database objects.

    The process-wide CybOX ID namespace is switched to the namespace recorded
    on ``observable`` (``"<prefix>:<uri>"`` on its last namespace entry) before
    any CybOX IDs are generated.  ``observable_type`` is accepted for
    signature parity with the other ``cybox_*`` builders but is not used here.

    Args:
        observable: source record providing ``namespace``, ``name`` and
            ``description``.
        observable_type: unused.
        objects: iterable of records exposing ``mutex_name``.

    Returns:
        A ``cybox.core.Observables`` holding one ``Observable`` per entry of
        ``objects``, each titled/described from ``observable``.
    """
    prefix, uri = observable.namespace.last().namespace.split(':', 1)
    cybox.utils.set_id_namespace(cybox.utils.Namespace(uri, prefix))

    result = Observables()
    for mutex_record in objects:
        mutex = Mutex()
        mutex.name = mutex_record.mutex_name
        wrapped = Observable(mutex)
        wrapped.title = observable.name
        wrapped.description = observable.description
        result.add(wrapped)
    return result
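def cybox_http(observable, observable_type, objects):
    """Build CybOX HTTP-session observables for a set of HTTP database objects.

    The process-wide CybOX ID namespace is switched to the namespace recorded
    on ``observable`` (``"<prefix>:<uri>"``) before any CybOX IDs are
    generated.

    Args:
        observable: source record providing ``namespace``, ``name`` and
            ``description``.
        observable_type: kept for signature parity with the other ``cybox_*``
            builders; no longer used here (see note below).
        objects: iterable of HTTP-session records accepted by
            ``cybox_object_http``.

    Returns:
        A ``cybox.core.Observables`` with one ``Observable`` per entry of
        ``objects``.
    """
    prefix, uri = observable.namespace.split(':', 1)
    cybox.utils.set_id_namespace(cybox.utils.Namespace(uri, prefix))

    result = Observables()
    for http_record in objects:
        session = cybox_object_http(http_record)
        # The related-object lookup that used to run here was dead code: its
        # result was never attached to the session, so it only cost a query
        # per record.  Unlike cybox_file, HTTP sessions carry no related
        # objects in this exporter.
        wrapped = Observable(session)
        wrapped.title = observable.name
        wrapped.description = observable.description
        result.add(wrapped)
    return result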
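def cybox_http(observable, observable_type, objects):
    """Build CybOX HTTP-session observables for a set of HTTP database objects.

    The process-wide CybOX ID namespace is switched to the namespace recorded
    on the last namespace entry of ``observable`` (``"<prefix>:<uri>"``)
    before any CybOX IDs are generated.

    Args:
        observable: source record providing ``namespace``, ``name`` and
            ``description``.
        observable_type: kept for signature parity with the other ``cybox_*``
            builders; no longer used here (see note below).
        objects: iterable of HTTP-session records accepted by
            ``cybox_object_http``.

    Returns:
        A ``cybox.core.Observables`` with one ``Observable`` per entry of
        ``objects``.
    """
    prefix, uri = observable.namespace.last().namespace.split(':', 1)
    cybox.utils.set_id_namespace(cybox.utils.Namespace(uri, prefix))

    result = Observables()
    for http_record in objects:
        session = cybox_object_http(http_record)
        # The related-object lookup that used to run here was dead code: its
        # result was never attached to the session, so it only cost a query
        # per record.  Unlike cybox_file, HTTP sessions carry no related
        # objects in this exporter.
        wrapped = Observable(session)
        wrapped.title = observable.name
        wrapped.description = observable.description
        result.add(wrapped)
    return result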
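def _related_cybox_objects(rel_obj):
    """Yield ``(cybox_object, extra_observables)`` pairs for one related record.

    Only the record types this exporter can convert are yielded; any other
    type is skipped silently, exactly as the original if/elif chain did.
    ``extra_observables`` is non-empty only for e-mail messages, whose
    attachments are promoted to top-level observables by the caller.  A file
    record yields one CybOX object per ``file_meta`` row.
    """
    if isinstance(rel_obj, EmailMessage_Object):
        email, attachments = cybox_object_email(rel_obj)
        yield email, attachments
    elif isinstance(rel_obj, File_Object):
        for rel_meta in rel_obj.file_meta.all():
            yield cybox_object_file(rel_obj, rel_meta), []
    elif isinstance(rel_obj, Address_Object):
        yield cybox_object_address(rel_obj), []
    elif isinstance(rel_obj, URI_Object):
        yield cybox_object_uri(rel_obj), []
    elif isinstance(rel_obj, HTTPSession_Object):
        yield cybox_object_http(rel_obj), []


def cybox_file(observable, observable_type, objects):
    """Build CybOX File observables (with related objects) for file records.

    For every ``file_meta`` row of every record a CybOX File object is built,
    the record's related objects are attached via ``add_related``, and the
    result is wrapped in an ``Observable`` titled/described from
    ``observable``.  Attachments of related e-mail messages become additional
    top-level observables.  The process-wide CybOX ID namespace is switched to
    the namespace on the last namespace entry of ``observable`` first.

    Args:
        observable: source record providing ``namespace``, ``name`` and
            ``description``.
        observable_type: passed through to ``get_related_objects_for_object``.
        objects: iterable of file records exposing ``id`` and ``file_meta``.

    Returns:
        A ``cybox.core.Observables``.
    """
    prefix, uri = observable.namespace.last().namespace.split(':', 1)
    cybox.utils.set_id_namespace(cybox.utils.Namespace(uri, prefix))

    result = Observables()
    for file_record in objects:
        for meta in file_record.file_meta.all():
            cybox_file_obj = cybox_object_file(file_record, meta)
            # Each related object is linked with the relation name reported
            # by the lookup; the third argument marks the relation as inline.
            for rel in get_related_objects_for_object(file_record.id, observable_type):
                for rel_obj in rel['objects']:
                    for related, extra in _related_cybox_objects(rel_obj):
                        cybox_file_obj.add_related(related, rel['relation'], True)
                        for attachment in extra:
                            result.add(Observable(attachment))
            wrapped = Observable(cybox_file_obj)
            wrapped.title = observable.name
            wrapped.description = observable.description
            result.add(wrapped)
    return result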
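def strip_observables(pkg_path):
    """Extract the observables of a STIX package and write them to scan.json.

    Handles the structures the scanner understands:

    * composite indicators: the observables of every referenced indicator are
      gathered into one ``ObservableComposition`` carrying the indicator's
      composition operator;
    * indicators with directly attached observables;
    * package-level observables.

    Observables already folded into a composition are not added a second
    time.  The collection is pruned with ``walkobservables`` and written as
    indented JSON to ``<iocname>/scan.json``; ``iocname`` is a module-level
    global, not a parameter of this function.

    Args:
        pkg_path: path or file-like object handed to ``STIXPackage.from_xml``.
            The package is parsed as XML with whatever parser settings
            python-stix uses; this function adds no hardening of its own, so
            only feed it packages from sources you trust.

    Returns:
        None — the result is the file written as a side effect.
    """
    result = Observables()
    pkg = STIXPackage.from_xml(pkg_path)
    processed = set()  # ids of observables already placed in the output

    for ind in pkg.indicators:
        if ind.composite_indicator_expression:
            # Composite indicator: it references other indicators, which in
            # turn reference the observables we want.
            composition = ObservableComposition()
            composition.operator = str(ind.observable_composition_operator)
            for ref in ind.composite_indicator_expression:
                ref_ind = getindicator_by_id(pkg, str(ref._idref))
                # A dangling idref used to raise AttributeError on
                # ``.observables``; skip it so one bad reference does not
                # abort the whole export.
                if ref_ind is None or not ref_ind.observables:
                    continue
                for obs_ref in ref_ind.observables:
                    ref_obs = getobservable_by_id(pkg, obs_ref._idref)
                    if ref_obs:
                        composition.add(ref_obs)
                        processed.add(ref_obs.id_)
            result.add(composition)
        if ind.observables:
            for obs in ind.observables:
                if obs is not None and obs.id_ not in processed:
                    result.add(obs)
                    processed.add(obs.id_)

    if pkg.observables:
        for obs in pkg.observables:
            if obs is not None and obs.id_ not in processed:
                result.add(obs)

    # ``with`` closes the handle even if serialisation raises.
    with open(os.path.join(iocname, "scan.json"), 'w') as scanfile:
        scanfile.write(json.dumps(walkobservables(result).to_dict(), indent=4))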
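def _related_cybox_objects(rel_obj):
    """Yield ``(cybox_object, extra_observables)`` pairs for one related record.

    Only the record types this exporter can convert are yielded; any other
    type is skipped silently, exactly as the original if/elif chain did.
    ``extra_observables`` is non-empty only for e-mail messages, whose
    attachments are promoted to top-level observables by the caller.  A file
    record yields one CybOX object per ``file_meta`` row.
    """
    if isinstance(rel_obj, EmailMessage_Object):
        email, attachments = cybox_object_email(rel_obj)
        yield email, attachments
    elif isinstance(rel_obj, File_Object):
        for rel_meta in rel_obj.file_meta.all():
            yield cybox_object_file(rel_obj, rel_meta), []
    elif isinstance(rel_obj, Address_Object):
        yield cybox_object_address(rel_obj), []
    elif isinstance(rel_obj, URI_Object):
        yield cybox_object_uri(rel_obj), []
    elif isinstance(rel_obj, HTTPSession_Object):
        yield cybox_object_http(rel_obj), []


def cybox_file(observable, observable_type, objects):
    """Build CybOX File observables (with related objects) for file records.

    For every ``file_meta`` row of every record a CybOX File object is built,
    the record's related objects are attached via ``add_related``, and the
    result is wrapped in an ``Observable`` titled/described from
    ``observable``.  Attachments of related e-mail messages become additional
    top-level observables.  The process-wide CybOX ID namespace is switched to
    the ``"<prefix>:<uri>"`` namespace of ``observable`` first.

    Args:
        observable: source record providing ``namespace``, ``name`` and
            ``description``.
        observable_type: passed through to ``get_related_objects_for_object``.
        objects: iterable of file records exposing ``id`` and ``file_meta``.

    Returns:
        A ``cybox.core.Observables``.
    """
    prefix, uri = observable.namespace.split(':', 1)
    cybox.utils.set_id_namespace(cybox.utils.Namespace(uri, prefix))

    result = Observables()
    for file_record in objects:
        for meta in file_record.file_meta.all():
            cybox_file_obj = cybox_object_file(file_record, meta)
            # Each related object is linked with the relation name reported
            # by the lookup; the third argument marks the relation as inline.
            for rel in get_related_objects_for_object(file_record.id, observable_type):
                for rel_obj in rel['objects']:
                    for related, extra in _related_cybox_objects(rel_obj):
                        cybox_file_obj.add_related(related, rel['relation'], True)
                        for attachment in extra:
                            result.add(Observable(attachment))
            wrapped = Observable(cybox_file_obj)
            wrapped.title = observable.name
            wrapped.description = observable.description
            result.add(wrapped)
    return result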
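class STIXPackage(stix.Entity):
    """A STIX 1.1.1 Package: the top-level container of a STIX document.

    Exactly one of ``id_`` / ``idref`` is held at a time: setting either
    clears the other (see the property setters).  When ``idref`` is given and
    no ``timestamp``, the timestamp stays ``None``; otherwise it defaults to
    the current time.

    Args:
        id_: identifier; generated with ``stix.utils.create_id("Package")``
            when omitted.
        idref: identifier reference; setting it unsets ``id_``.
        timestamp: ``datetime`` or string accepted by
            ``utils.dates.parse_value``.
        stix_header: a :class:`STIXHeader`.
        courses_of_action, exploit_targets, indicators, incidents,
        threat_actors, ttps, campaigns: the top-level collections; each is
            wrapped in its typed collection class by the setter.
        observables: a ``cybox.core.Observables`` (or something
            ``_set_var`` can coerce to one).
    """
    _binding = stix_core_binding
    _binding_class = _binding.STIXType
    _namespace = 'http://stix.mitre.org/stix-1'
    _version = "1.1.1"

    def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
                 courses_of_action=None, exploit_targets=None, indicators=None,
                 observables=None, incidents=None, threat_actors=None, ttps=None,
                 campaigns=None):
        # Order matters: the idref setter clears id_, so idref goes second.
        self.id_ = id_ or stix.utils.create_id("Package")
        self.idref = idref
        self.version = self._version
        self.stix_header = stix_header
        self.campaigns = campaigns
        self.courses_of_action = courses_of_action
        self.exploit_targets = exploit_targets
        self.observables = observables
        self.indicators = indicators
        self.incidents = incidents
        self.threat_actors = threat_actors
        self.ttps = ttps
        self.related_packages = RelatedPackages()

        if timestamp:
            self.timestamp = timestamp
        else:
            # A package that only references another one carries no timestamp.
            self.timestamp = utils.dates.now() if not idref else None

    @property
    def id_(self):
        return self._id

    @id_.setter
    def id_(self, value):
        if not value:
            self._id = None
        else:
            self._id = value
            self.idref = None

    @property
    def idref(self):
        return self._idref

    @idref.setter
    def idref(self, value):
        if not value:
            self._idref = None
        else:
            self._idref = value
            self.id_ = None  # unset id_ if idref is present

    @property
    def timestamp(self):
        return self._timestamp

    @timestamp.setter
    def timestamp(self, value):
        self._timestamp = utils.dates.parse_value(value)

    @property
    def stix_header(self):
        return self._stix_header

    @stix_header.setter
    def stix_header(self, value):
        # try_cast=False: a non-STIXHeader value is rejected, not coerced.
        self._set_var(STIXHeader, try_cast=False, stix_header=value)

    @property
    def indicators(self):
        return self._indicators

    @indicators.setter
    def indicators(self, value):
        self._indicators = Indicators(value)

    def add_indicator(self, indicator):
        """Append an :class:`Indicator` to :attr:`indicators`."""
        self.indicators.append(indicator)

    @property
    def campaigns(self):
        return self._campaigns

    @campaigns.setter
    def campaigns(self, value):
        self._campaigns = Campaigns(value)

    def add_campaign(self, campaign):
        """Append a :class:`Campaign` to :attr:`campaigns`."""
        self.campaigns.append(campaign)

    @property
    def observables(self):
        return self._observables

    @observables.setter
    def observables(self, value):
        self._set_var(Observables, observables=value)

    def add_observable(self, observable):
        """Add a CybOX ``Observable`` (or something ``Observables`` can wrap)."""
        if not self.observables:
            self.observables = Observables(observables=observable)
        else:
            self.observables.add(observable)

    @property
    def incidents(self):
        return self._incidents

    @incidents.setter
    def incidents(self, value):
        self._incidents = Incidents(value)

    def add_incident(self, incident):
        """Append an :class:`Incident` to :attr:`incidents`."""
        self.incidents.append(incident)

    @property
    def threat_actors(self):
        return self._threat_actors

    @threat_actors.setter
    def threat_actors(self, value):
        self._threat_actors = ThreatActors(value)

    def add_threat_actor(self, threat_actor):
        """Append a :class:`ThreatActor` to :attr:`threat_actors`."""
        self._threat_actors.append(threat_actor)

    @property
    def courses_of_action(self):
        return self._courses_of_action

    @courses_of_action.setter
    def courses_of_action(self, value):
        self._courses_of_action = CoursesOfAction(value)

    def add_course_of_action(self, course_of_action):
        """Append a :class:`CourseOfAction` to :attr:`courses_of_action`."""
        self._courses_of_action.append(course_of_action)

    @property
    def exploit_targets(self):
        return self._exploit_targets

    @exploit_targets.setter
    def exploit_targets(self, value):
        self._exploit_targets = ExploitTargets(value)

    def add_exploit_target(self, exploit_target):
        """Append an :class:`ExploitTarget` to :attr:`exploit_targets`."""
        self._exploit_targets.append(exploit_target)

    @property
    def ttps(self):
        return self._ttps

    @ttps.setter
    def ttps(self, value):
        if isinstance(value, TTPs):
            self._ttps = value
        else:
            self._ttps = TTPs(value)

    def add_ttp(self, ttp):
        """Append a :class:`TTP` to :attr:`ttps`."""
        self.ttps.append(ttp)

    def add(self, entity):
        """Adds `entity` to a top-level collection.

        For example, if `entity` is an Indicator object, the `entity` will be
        added to the ``indicators`` top-level collection.  CybOX entities go
        to ``observables``.

        Raises:
            TypeError: if `entity` is not one of the supported top-level types.
        """
        if utils.is_cybox(entity):
            self.add_observable(entity)
            return

        tlo_adds = {
            Campaign: self.add_campaign,
            CourseOfAction: self.add_course_of_action,
            ExploitTarget: self.add_exploit_target,
            Incident: self.add_incident,
            Indicator: self.add_indicator,
            ThreatActor: self.add_threat_actor,
            # Bug fix: TTPs were previously routed to add_threat_actor, so a
            # package.add(ttp) landed in threat_actors instead of ttps.
            TTP: self.add_ttp,
            Observable: self.add_observable,
        }

        try:
            add = tlo_adds[entity.__class__]
            add(entity)
        except KeyError:
            error = "Cannot add type '{0}' to a top-level collection"
            error = error.format(type(entity))
            raise TypeError(error)

    def to_obj(self, return_obj=None, ns_info=None):
        """Convert to the generateDS binding object, filling only set members."""
        super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)

        if not return_obj:
            return_obj = self._binding_class()

        return_obj.id = self.id_
        return_obj.idref = self.idref
        return_obj.version = self.version
        return_obj.timestamp = utils.dates.serialize_value(self.timestamp)

        if self.stix_header:
            return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info)
        if self.campaigns:
            return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
        if self.courses_of_action:
            return_obj.Courses_Of_Action = self.courses_of_action.to_obj(ns_info=ns_info)
        if self.exploit_targets:
            return_obj.Exploit_Targets = self.exploit_targets.to_obj(ns_info=ns_info)
        if self.indicators:
            return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
        if self.observables:
            return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
        if self.incidents:
            return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
        if self.threat_actors:
            return_obj.Threat_Actors = self.threat_actors.to_obj(ns_info=ns_info)
        if self.ttps:
            return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
        if self.related_packages:
            return_obj.Related_Packages = self.related_packages.to_obj(ns_info=ns_info)

        return return_obj

    def to_dict(self):
        return super(STIXPackage, self).to_dict()

    @classmethod
    def from_obj(cls, obj, return_obj=None):
        """Build a package from a binding object (inverse of :meth:`to_obj`)."""
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.id
        return_obj.idref = obj.idref
        return_obj.timestamp = obj.timestamp
        return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
        return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
        return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
        return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
        return_obj.indicators = Indicators.from_obj(obj.Indicators)
        return_obj.observables = Observables.from_obj(obj.Observables)
        return_obj.incidents = Incidents.from_obj(obj.Incidents)
        return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
        return_obj.ttps = TTPs.from_obj(obj.TTPs)
        return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)

        # Don't overwrite unless a version is passed in
        if obj.version:
            return_obj.version = obj.version

        return return_obj

    @classmethod
    def from_dict(cls, dict_repr, return_obj=None):
        """Build a package from its dictionary form (inverse of :meth:`to_dict`)."""
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = dict_repr.get('id')
        return_obj.idref = dict_repr.get('idref')
        return_obj.timestamp = dict_repr.get('timestamp')
        # Missing 'version' means the class default, unlike from_obj.
        return_obj.version = dict_repr.get('version', cls._version)
        return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header'))
        return_obj.campaigns = Campaigns.from_dict(dict_repr.get('campaigns'))
        return_obj.courses_of_action = CoursesOfAction.from_dict(dict_repr.get('courses_of_action'))
        return_obj.exploit_targets = ExploitTargets.from_dict(dict_repr.get('exploit_targets'))
        return_obj.indicators = Indicators.from_dict(dict_repr.get('indicators'))
        return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
        return_obj.incidents = Incidents.from_dict(dict_repr.get('incidents'))
        return_obj.threat_actors = ThreatActors.from_dict(dict_repr.get('threat_actors'))
        return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
        return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))

        return return_obj

    @classmethod
    def from_xml(cls, xml_file, encoding=None):
        """Parses the `xml_file` file-like object and returns a
        :class:`STIXPackage` instance.

        Args:
            xml_file: A file, file-like object, etree._Element, or
                etree._ElementTree instance.
            encoding: The character encoding of the `xml_file` input. If
                ``None``, an attempt will be made to determine the input
                character encoding. Default is ``None``.

        Returns:
            An instance of :class:`STIXPackage`.

        Note:
            XML parser hardening (entity expansion, external entities) is
            whatever ``parser.EntityParser`` configures — check it before
            parsing packages from untrusted feeds; nothing is enforced here.
        """
        entity_parser = parser.EntityParser()
        return entity_parser.parse_xml(xml_file, encoding=encoding)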
class STIXPackage(stix.Entity):
    """A STIX Package object.

    Args:
        id_ (optional): An identifier. If ``None``, a value will be generated
            via ``mixbox.idgen.create_id()``. If set, this will unset the
            ``idref`` property.
        idref: **DEPRECATED** An identifier reference. If set this will unset
            the ``id_`` property.
        timestamp: **DEPRECATED** A timestamp value. Can be an instance of
            ``datetime.datetime`` or ``str``.
        stix_header: A :class:`.STIXHeader` object.
        campaigns: A collection of :class:`.Campaign` objects.
        courses_of_action: A collection of :class:`.CourseOfAction` objects.
        exploit_targets: A collection of :class:`.ExploitTarget` objects.
        indicators: A collection of :class:`.Indicator` objects.
        observables: A ``cybox.core.Observables`` collection.
        incidents: A collection of :class:`.Incident` objects.
        threat_actors: A collection of :class:`.ThreatActor` objects.
        ttps: A collection of :class:`.TTP` objects.
        related_packages: **DEPRECATED**. A collection of
            :class:`.RelatedPackage` objects. Unlike the other collections it
            is left ``None`` when not given.
        reports: A collection of :class:`.Report` objects.
    """
    _binding = stix_core_binding
    _binding_class = _binding.STIXType
    _namespace = 'http://stix.mitre.org/stix-1'
    _version = "1.2"
    _ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2")

    # Field descriptors: the first argument is the XML element/attribute name
    # each attribute is bound to. Deprecated fields carry a preset hook that
    # (presumably) emits a warning on assignment — see ``deprecated.field``.
    id_ = fields.IdField("id")
    idref = fields.IdrefField("idref", preset_hook=deprecated.field)
    version = fields.TypedField("version")
    timestamp = fields.DateTimeField("timestamp", preset_hook=deprecated.field)
    stix_header = fields.TypedField("STIX_Header", STIXHeader)
    campaigns = fields.TypedField("Campaigns", Campaigns)
    courses_of_action = fields.TypedField("Courses_Of_Action", CoursesOfAction)
    exploit_targets = fields.TypedField("Exploit_Targets", ExploitTargets)
    observables = fields.TypedField("Observables", Observables)
    indicators = fields.TypedField("Indicators", Indicators)
    incidents = fields.TypedField("Incidents", Incidents)
    threat_actors = fields.TypedField("Threat_Actors", ThreatActors)
    ttps = fields.TypedField("TTPs", TTPs)
    related_packages = fields.TypedField("Related_Packages", RelatedPackages)
    reports = fields.TypedField("Reports", Reports)

    def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
                 courses_of_action=None, exploit_targets=None, indicators=None,
                 observables=None, incidents=None, threat_actors=None, ttps=None,
                 campaigns=None, related_packages=None, reports=None):
        super(STIXPackage, self).__init__()

        self.id_ = id_ or idgen.create_id("Package")
        self.idref = idref
        self.version = STIXPackage._version
        self.stix_header = stix_header
        # Every collection except related_packages defaults to an empty
        # container so the add_* helpers can append without a None check.
        self.campaigns = campaigns or Campaigns()
        self.courses_of_action = courses_of_action or CoursesOfAction()
        self.exploit_targets = exploit_targets or ExploitTargets()
        self.observables = observables or Observables()
        self.indicators = indicators or Indicators()
        self.incidents = incidents or Incidents()
        self.threat_actors = threat_actors or ThreatActors()
        self.ttps = ttps or TTPs()
        self.related_packages = related_packages
        self.reports = reports or Reports()
        self.timestamp = timestamp

    def add_indicator(self, indicator):
        """Adds an :class:`.Indicator` object to the :attr:`indicators`
        collection, creating the collection if it was cleared to ``None``.
        """
        if self.indicators is None:
            self.indicators = Indicators()
        self.indicators.append(indicator)

    def add_campaign(self, campaign):
        """Adds a :class:`Campaign` object to the :attr:`campaigns`
        collection, creating the collection if it was cleared to ``None``.
        """
        if self.campaigns is None:
            self.campaigns = Campaigns()
        self.campaigns.append(campaign)

    def add_observable(self, observable):
        """Adds an ``Observable`` object to the :attr:`observables`
        collection.

        If `observable` is not an ``Observable`` instance, an effort will be
        made to convert it to one.
        """
        if not self.observables:
            self.observables = Observables(observables=observable)
        else:
            self.observables.add(observable)

    def add_incident(self, incident):
        """Adds an :class:`.Incident` object to the :attr:`incidents`
        collection, creating the collection if it was cleared to ``None``.
        """
        if self.incidents is None:
            self.incidents = Incidents()
        self.incidents.append(incident)

    def add_threat_actor(self, threat_actor):
        """Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
        collection, creating the collection if it was cleared to ``None``.
        """
        if self.threat_actors is None:
            self.threat_actors = ThreatActors()
        self.threat_actors.append(threat_actor)

    def add_course_of_action(self, course_of_action):
        """Adds an :class:`.CourseOfAction` object to the
        :attr:`courses_of_action` collection, creating the collection if it
        was cleared to ``None``.
        """
        if self.courses_of_action is None:
            self.courses_of_action = CoursesOfAction()
        self.courses_of_action.append(course_of_action)

    def add_exploit_target(self, exploit_target):
        """Adds an :class:`.ExploitTarget` object to the
        :attr:`exploit_targets` collection, creating the collection if it
        was cleared to ``None``.
        """
        if self.exploit_targets is None:
            self.exploit_targets = ExploitTargets()
        self.exploit_targets.append(exploit_target)

    def add_ttp(self, ttp):
        """Adds an :class:`.TTP` object to the :attr:`ttps` collection,
        creating the collection if it was cleared to ``None``.
        """
        if self.ttps is None:
            self.ttps = TTPs()
        self.ttps.append(ttp)

    def add_report(self, report):
        """Adds a :class:`.Report` object to the :attr:`reports` collection,
        creating the collection if it was cleared to ``None``.
        """
        if self.reports is None:
            self.reports = Reports()
        self.reports.append(report)

    def add_related_package(self, related_package):
        """Adds a :class:`.RelatedPackage` object to the
        :attr:`related_packages` collection, creating the collection on
        first use (it is ``None`` by default).
        """
        if self.related_packages is None:
            self.related_packages = RelatedPackages()
        self.related_packages.append(related_package)

    def add(self, entity):
        """Adds `entity` to a top-level collection.

        For example, if `entity` is an Indicator object, the `entity` will be
        added to the ``indicators`` top-level collection.  CybOX entities are
        routed to :meth:`add_observable`.

        Raises:
            TypeError: if `entity` is not one of the supported top-level types.
        """
        if utils.is_cybox(entity):
            self.add_observable(entity)
            return

        # Dispatch on the exact class (no subclass matching).
        tlo_adds = {
            Campaign: self.add_campaign,
            CourseOfAction: self.add_course_of_action,
            ExploitTarget: self.add_exploit_target,
            Incident: self.add_incident,
            Indicator: self.add_indicator,
            ThreatActor: self.add_threat_actor,
            TTP: self.add_ttp,
            Report: self.add_report,
            Observable: self.add_observable,
        }

        try:
            add = tlo_adds[entity.__class__]
            add(entity)
        except KeyError:
            error = "Cannot add type '{0}' to a top-level collection"
            error = error.format(type(entity))
            raise TypeError(error)

    @classmethod
    def from_xml(cls, xml_file, encoding=None):
        """Parses the `xml_file` file-like object and returns a
        :class:`STIXPackage` instance.

        Args:
            xml_file: A file, file-like object, etree._Element, or
                etree._ElementTree instance.
            encoding: The character encoding of the `xml_file` input. If
                ``None``, an attempt will be made to determine the input
                character encoding. Default is ``None``.

        Returns:
            An instance of :class:`STIXPackage`.

        Note:
            XML parser hardening (entity expansion, external entities) is
            whatever ``parser.EntityParser`` configures — check it before
            parsing packages from untrusted feeds; nothing is enforced here.
        """
        entity_parser = parser.EntityParser()
        return entity_parser.parse_xml(xml_file, encoding=encoding)
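class STIXPackage(stix.Entity):
    """A STIX 1.1.1 Package: the top-level container of a STIX document.

    Exactly one of ``id_`` / ``idref`` is held at a time: setting either
    clears the other.  When ``idref`` is given without a ``timestamp`` the
    timestamp stays ``None``; otherwise it defaults to the current UTC time.

    The list-valued collections (``campaigns``, ``courses_of_action``,
    ``exploit_targets``, ``indicators``, ``incidents``, ``threat_actors``)
    are plain lists; their setters accept ``None``, a single object or a list
    and type-check every element, raising ``ValueError`` on a mismatch.
    ``observables`` must be a ``cybox.core.Observables``; ``ttps`` a
    :class:`TTPs` container (built on demand from a list or single TTP).

    Args:
        id_: identifier; generated with ``stix.utils.create_id("Package")``
            when omitted.
        idref: identifier reference; setting it unsets ``id_``.
        timestamp: ``datetime`` or string accepted by ``dates.parse_value``.
        stix_header: a :class:`STIXHeader`.
        courses_of_action, exploit_targets, indicators, observables,
        incidents, threat_actors, ttps, campaigns: initial contents of the
            corresponding collections.
    """
    _binding = stix_core_binding
    _binding_class = _binding.STIXType
    _namespace = 'http://stix.mitre.org/stix-1'
    _version = "1.1.1"

    def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
                 courses_of_action=None, exploit_targets=None, indicators=None,
                 observables=None, incidents=None, threat_actors=None, ttps=None,
                 campaigns=None):
        # Order matters: the idref setter clears id_, so idref goes second.
        self.id_ = id_ or stix.utils.create_id("Package")
        self.idref = idref
        self.version = self._version
        self.stix_header = stix_header
        self.campaigns = campaigns
        self.courses_of_action = courses_of_action
        self.exploit_targets = exploit_targets
        self.observables = observables
        self.indicators = indicators
        self.incidents = incidents
        self.threat_actors = threat_actors
        self.ttps = ttps
        self.related_packages = RelatedPackages()

        if timestamp:
            self.timestamp = timestamp
        else:
            # A package that only references another one carries no timestamp.
            self.timestamp = datetime.now(tzutc()) if not idref else None

    @property
    def id_(self):
        return self._id

    @id_.setter
    def id_(self, value):
        if not value:
            self._id = None
        else:
            self._id = value
            self.idref = None

    @property
    def idref(self):
        return self._idref

    @idref.setter
    def idref(self, value):
        if not value:
            self._idref = None
        else:
            self._idref = value
            self.id_ = None  # unset id_ if idref is present

    @property
    def timestamp(self):
        return self._timestamp

    @timestamp.setter
    def timestamp(self, value):
        self._timestamp = dates.parse_value(value)

    @property
    def stix_header(self):
        return self._stix_header

    @stix_header.setter
    def stix_header(self, value):
        if value and not isinstance(value, STIXHeader):
            raise ValueError('value must be instance of STIXHeader')
        self._stix_header = value

    @property
    def indicators(self):
        return self._indicators

    @indicators.setter
    def indicators(self, value):
        self._indicators = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_indicator(v)
        else:
            self.add_indicator(value)

    def add_indicator(self, indicator):
        """Append an :class:`Indicator`; falsy values are ignored.

        Raises:
            ValueError: if `indicator` is not an :class:`Indicator`.
        """
        if not indicator:
            return
        elif isinstance(indicator, Indicator):
            self.indicators.append(indicator)
        else:
            raise ValueError('indicator must be instance of stix.indicator.Indicator')

    @property
    def campaigns(self):
        return self._campaigns

    @campaigns.setter
    def campaigns(self, value):
        self._campaigns = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_campaign(v)
        else:
            self.add_campaign(value)

    def add_campaign(self, campaign):
        """Append a :class:`Campaign`; falsy values are ignored.

        Raises:
            ValueError: if `campaign` is not a :class:`Campaign`.
        """
        if not campaign:
            return
        elif isinstance(campaign, Campaign):
            self.campaigns.append(campaign)
        else:
            # Message used to say "indicator must be ..." — a copy/paste slip.
            raise ValueError('campaign must be instance of stix.campaign.Campaign')

    @property
    def observables(self):
        return self._observables

    @observables.setter
    def observables(self, value):
        if value and not isinstance(value, Observables):
            raise ValueError('value must be instance of cybox.core.Observables')
        self._observables = value

    def add_observable(self, observable):
        """Add a CybOX ``Observable`` (or something ``Observables`` can wrap)."""
        if not self.observables:
            self.observables = Observables(observables=observable)
        else:
            self.observables.add(observable)

    @property
    def incidents(self):
        return self._incidents

    @incidents.setter
    def incidents(self, value):
        self._incidents = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_incident(v)
        else:
            self.add_incident(value)

    def add_incident(self, incident):
        """Append an :class:`Incident`; falsy values are ignored.

        Raises:
            ValueError: if `incident` is not an :class:`Incident`.
        """
        if not incident:
            return
        elif isinstance(incident, Incident):
            self.incidents.append(incident)
        else:
            raise ValueError('Cannot add %s to incident list' % type(incident))

    @property
    def threat_actors(self):
        return self._threat_actors

    @threat_actors.setter
    def threat_actors(self, value):
        self._threat_actors = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_threat_actor(v)
        else:
            self.add_threat_actor(value)

    def add_threat_actor(self, threat_actor):
        """Append a :class:`ThreatActor`; falsy values are ignored.

        Raises:
            ValueError: if `threat_actor` is not a :class:`ThreatActor`.
        """
        if not threat_actor:
            return
        elif isinstance(threat_actor, ThreatActor):
            self._threat_actors.append(threat_actor)
        else:
            raise ValueError('Cannot add %s to threat actor list' % type(threat_actor))

    @property
    def courses_of_action(self):
        return self._courses_of_action

    @courses_of_action.setter
    def courses_of_action(self, value):
        self._courses_of_action = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_course_of_action(v)
        else:
            self.add_course_of_action(value)

    def add_course_of_action(self, course_of_action):
        """Append a :class:`CourseOfAction`; falsy values are ignored.

        Raises:
            ValueError: if `course_of_action` is not a :class:`CourseOfAction`.
        """
        if not course_of_action:
            return
        elif isinstance(course_of_action, CourseOfAction):
            self._courses_of_action.append(course_of_action)
        else:
            raise ValueError('Cannot add %s to course of action list' % type(course_of_action))

    @property
    def exploit_targets(self):
        return self._exploit_targets

    @exploit_targets.setter
    def exploit_targets(self, value):
        self._exploit_targets = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_exploit_target(v)
        else:
            self.add_exploit_target(value)

    def add_exploit_target(self, exploit_target):
        """Append an :class:`ExploitTarget`; falsy values are ignored.

        Raises:
            ValueError: if `exploit_target` is not an :class:`ExploitTarget`.
        """
        if not exploit_target:
            return
        elif isinstance(exploit_target, ExploitTarget):
            self._exploit_targets.append(exploit_target)
        else:
            raise ValueError('Cannot add %s to exploit target list' % type(exploit_target))

    @property
    def ttps(self):
        return self._ttps

    @ttps.setter
    def ttps(self, value):
        if not value:
            self._ttps = None
            return
        if isinstance(value, TTPs):
            self._ttps = value
            return
        # Bug fix: for a list or a single TTP the setter previously called
        # add_ttp straight away, and add_ttp reads ``self.ttps`` — which
        # raised AttributeError during __init__ because ``_ttps`` had never
        # been assigned.  Start from an empty container (also making a list
        # *replace* the previous value, like every other collection setter).
        self._ttps = None
        items = value if isinstance(value, list) else [value]
        for v in items:
            self.add_ttp(v)

    def add_ttp(self, ttp):
        """Append a TTP to :attr:`ttps`, creating the container on first use.

        Falsy values are ignored; type checking is delegated to
        ``TTPs.add_ttp``.
        """
        if not ttp:
            return
        if not self.ttps:
            self.ttps = TTPs()
        self.ttps.add_ttp(ttp)

    def to_obj(self, return_obj=None):
        """Convert to the generateDS binding object, filling only set members."""
        if not return_obj:
            return_obj = self._binding_class()

        return_obj.set_id(self.id_)
        return_obj.set_idref(self.idref)
        return_obj.set_version(self.version)
        return_obj.set_timestamp(dates.serialize_value(self.timestamp))

        if self.stix_header:
            return_obj.set_STIX_Header(self.stix_header.to_obj())
        if self.campaigns:
            campaigns_obj = self._binding.CampaignsType()
            campaigns_obj.set_Campaign([x.to_obj() for x in self.campaigns])
            return_obj.set_Campaigns(campaigns_obj)
        if self.courses_of_action:
            coas_obj = self._binding.CoursesOfActionType()
            coas_obj.set_Course_Of_Action([x.to_obj() for x in self.courses_of_action])
            return_obj.set_Courses_Of_Action(coas_obj)
        if self.exploit_targets:
            # Exploit_Targets lives in the stix_common binding, not stix_core.
            et_obj = stix_common_binding.ExploitTargetsType()
            et_obj.set_Exploit_Target([x.to_obj() for x in self.exploit_targets])
            return_obj.set_Exploit_Targets(et_obj)
        if self.indicators:
            indicators_obj = self._binding.IndicatorsType()
            indicators_obj.set_Indicator([x.to_obj() for x in self.indicators])
            return_obj.set_Indicators(indicators_obj)
        if self.observables:
            return_obj.set_Observables(self.observables.to_obj())
        if self.incidents:
            incidents_obj = self._binding.IncidentsType()
            incidents_obj.set_Incident([x.to_obj() for x in self.incidents])
            return_obj.set_Incidents(incidents_obj)
        if self.threat_actors:
            threat_actors_obj = self._binding.ThreatActorsType()
            threat_actors_obj.set_Threat_Actor([x.to_obj() for x in self.threat_actors])
            return_obj.set_Threat_Actors(threat_actors_obj)
        if self.ttps:
            return_obj.set_TTPs(self.ttps.to_obj())
        if self.related_packages:
            return_obj.set_Related_Packages(self.related_packages.to_obj())

        return return_obj

    def to_dict(self):
        """Return a dict with only the set members (empty collections omitted)."""
        d = {}
        if self.id_:
            d['id'] = self.id_
        if self.idref:
            d['idref'] = self.idref
        if self.version:
            d['version'] = self.version
        if self.timestamp:
            d['timestamp'] = dates.serialize_value(self.timestamp)
        if self.stix_header:
            d['stix_header'] = self.stix_header.to_dict()
        if self.campaigns:
            d['campaigns'] = [x.to_dict() for x in self.campaigns]
        if self.courses_of_action:
            d['courses_of_action'] = [x.to_dict() for x in self.courses_of_action]
        if self.exploit_targets:
            d['exploit_targets'] = [x.to_dict() for x in self.exploit_targets]
        if self.indicators:
            d['indicators'] = [x.to_dict() for x in self.indicators]
        if self.observables:
            d['observables'] = self.observables.to_dict()
        if self.incidents:
            d['incidents'] = [x.to_dict() for x in self.incidents]
        if self.threat_actors:
            d['threat_actors'] = [x.to_dict() for x in self.threat_actors]
        if self.ttps:
            d['ttps'] = self.ttps.to_dict()
        if self.related_packages:
            d['related_packages'] = self.related_packages.to_dict()
        return d

    @classmethod
    def from_obj(cls, obj, return_obj=None):
        """Build a package from a binding object (inverse of :meth:`to_obj`)."""
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.get_id()
        return_obj.idref = obj.get_idref()
        return_obj.timestamp = obj.get_timestamp()
        return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
        return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())

        # Keep the class default version unless the document carries one.
        if obj.get_version():
            return_obj.version = obj.get_version()
        if obj.get_Campaigns():
            return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()]
        if obj.get_Courses_Of_Action():
            return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()]
        if obj.get_Exploit_Targets():
            return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()]
        if obj.get_Indicators():
            return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()]
        if obj.get_Observables():
            return_obj.observables = Observables.from_obj(obj.get_Observables())
        if obj.get_Incidents():
            return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()]
        if obj.get_Threat_Actors():
            return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()]
        if obj.get_TTPs():
            return_obj.ttps = TTPs.from_obj(obj.get_TTPs())

        return return_obj

    @classmethod
    def from_dict(cls, dict_repr, return_obj=None):
        """Build a package from its dictionary form (inverse of :meth:`to_dict`)."""
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = dict_repr.get('id', None)
        return_obj.idref = dict_repr.get('idref', None)
        return_obj.timestamp = dict_repr.get('timestamp')
        return_obj.version = dict_repr.get('version', cls._version)

        header_dict = dict_repr.get('stix_header', None)
        return_obj.stix_header = STIXHeader.from_dict(header_dict)
        return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])]
        return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in dict_repr.get('courses_of_action', [])]
        return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])]
        return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])]
        return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
        return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])]
        return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])]
        return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
        return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))

        return return_obj

    @classmethod
    def from_xml(cls, xml_file):
        """Parse `xml_file` (path or file-like object) into a :class:`STIXPackage`.

        Note:
            XML parser hardening (entity expansion, external entities) is
            whatever ``EntityParser`` configures — check it before parsing
            packages from untrusted feeds; nothing is enforced here.
        """
        parser = EntityParser()
        return parser.parse_xml(xml_file)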
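class STIXPackage(stix.Entity):
    """A STIX 1.1.1 Package: the top-level container for STIX content.

    Exactly one of ``id_`` / ``idref`` is held at a time -- the setters
    clear each other.  Collection properties wrap whatever they are given in
    the typed container classes (``Indicators``, ``Campaigns``, ...), so
    ``None``, a single entity or a list may be assigned.

    Args:
        id_: Package identifier; one is generated when omitted.
        idref: Reference to another package's id; setting it unsets ``id_``.
        timestamp: ``datetime`` or parseable string.  Defaults to "now",
            except that a package carrying only an ``idref`` gets ``None``.
        stix_header: A ``STIXHeader`` (stored as-is, never cast).
        courses_of_action, exploit_targets, indicators, observables,
        incidents, threat_actors, ttps, campaigns: top-level content.
    """

    _binding = stix_core_binding
    _binding_class = _binding.STIXType
    _namespace = 'http://stix.mitre.org/stix-1'
    _version = "1.1.1"

    def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
                 courses_of_action=None, exploit_targets=None, indicators=None,
                 observables=None, incidents=None, threat_actors=None,
                 ttps=None, campaigns=None):
        # id_ is assigned first on purpose: assigning idref afterwards
        # clears it again, so an idref-only package ends up with no id.
        self.id_ = id_ or stix.utils.create_id("Package")
        self.idref = idref
        self.version = self._version
        self.stix_header = stix_header
        self.campaigns = campaigns
        self.courses_of_action = courses_of_action
        self.exploit_targets = exploit_targets
        self.observables = observables
        self.indicators = indicators
        self.incidents = incidents
        self.threat_actors = threat_actors
        self.ttps = ttps
        self.related_packages = RelatedPackages()

        if timestamp:
            self.timestamp = timestamp
        else:
            self.timestamp = utils.dates.now() if not idref else None

    @property
    def id_(self):
        """Identifier of this package, or ``None`` when it only references one."""
        return self._id

    @id_.setter
    def id_(self, value):
        if not value:
            self._id = None
        else:
            self._id = value
            self.idref = None  # id and idref are mutually exclusive

    @property
    def idref(self):
        """Reference to another package's id, or ``None``."""
        return self._idref

    @idref.setter
    def idref(self, value):
        if not value:
            self._idref = None
        else:
            self._idref = value
            self.id_ = None  # unset id_ if idref is present

    @property
    def timestamp(self):
        """Package timestamp, normalised through ``utils.dates.parse_value``."""
        return self._timestamp

    @timestamp.setter
    def timestamp(self, value):
        self._timestamp = utils.dates.parse_value(value)

    @property
    def stix_header(self):
        return self._stix_header

    @stix_header.setter
    def stix_header(self, value):
        # try_cast=False: a header must already be a STIXHeader.
        self._set_var(STIXHeader, try_cast=False, stix_header=value)

    @property
    def indicators(self):
        return self._indicators

    @indicators.setter
    def indicators(self, value):
        self._indicators = Indicators(value)

    def add_indicator(self, indicator):
        """Appends `indicator` to :attr:`indicators`."""
        self.indicators.append(indicator)

    @property
    def campaigns(self):
        return self._campaigns

    @campaigns.setter
    def campaigns(self, value):
        self._campaigns = Campaigns(value)

    def add_campaign(self, campaign):
        """Appends `campaign` to :attr:`campaigns`."""
        self.campaigns.append(campaign)

    @property
    def observables(self):
        return self._observables

    @observables.setter
    def observables(self, value):
        self._set_var(Observables, observables=value)

    def add_observable(self, observable):
        """Adds `observable` to :attr:`observables`, creating the container
        when there is none (or it is empty) yet."""
        if not self.observables:
            self.observables = Observables(observables=observable)
        else:
            self.observables.add(observable)

    @property
    def incidents(self):
        return self._incidents

    @incidents.setter
    def incidents(self, value):
        self._incidents = Incidents(value)

    def add_incident(self, incident):
        """Appends `incident` to :attr:`incidents`."""
        self.incidents.append(incident)

    @property
    def threat_actors(self):
        return self._threat_actors

    @threat_actors.setter
    def threat_actors(self, value):
        self._threat_actors = ThreatActors(value)

    def add_threat_actor(self, threat_actor):
        """Appends `threat_actor` to :attr:`threat_actors`."""
        self.threat_actors.append(threat_actor)

    @property
    def courses_of_action(self):
        return self._courses_of_action

    @courses_of_action.setter
    def courses_of_action(self, value):
        self._courses_of_action = CoursesOfAction(value)

    def add_course_of_action(self, course_of_action):
        """Appends `course_of_action` to :attr:`courses_of_action`."""
        self.courses_of_action.append(course_of_action)

    @property
    def exploit_targets(self):
        return self._exploit_targets

    @exploit_targets.setter
    def exploit_targets(self, value):
        self._exploit_targets = ExploitTargets(value)

    def add_exploit_target(self, exploit_target):
        """Appends `exploit_target` to :attr:`exploit_targets`."""
        self.exploit_targets.append(exploit_target)

    @property
    def ttps(self):
        return self._ttps

    @ttps.setter
    def ttps(self, value):
        if isinstance(value, TTPs):
            self._ttps = value
        else:
            self._ttps = TTPs(value)

    def add_ttp(self, ttp):
        """Appends `ttp` to :attr:`ttps`."""
        self.ttps.append(ttp)

    def add(self, entity):
        """Adds `entity` to the top-level collection matching its type.

        CybOX content (anything ``utils.is_cybox`` accepts) goes to
        :attr:`observables`; STIX entities are dispatched by exact class.

        Raises:
            TypeError: `entity` is not one of the supported top-level types.
        """
        if utils.is_cybox(entity):
            self.add_observable(entity)
            return

        tlo_adds = {
            Campaign: self.add_campaign,
            CourseOfAction: self.add_course_of_action,
            ExploitTarget: self.add_exploit_target,
            Incident: self.add_incident,
            Indicator: self.add_indicator,
            ThreatActor: self.add_threat_actor,
            # A TTP belongs in ``ttps``; previously it was routed through
            # add_threat_actor and filed under the wrong collection.
            TTP: self.add_ttp,
            Observable: self.add_observable,
        }

        # Look up first, call outside the lookup: a KeyError raised by the
        # handler itself must not be reported as an unsupported type.
        add = tlo_adds.get(entity.__class__)
        if add is None:
            error = "Cannot add type '{0}' to a top-level collection"
            error = error.format(type(entity))
            raise TypeError(error)
        add(entity)

    def to_obj(self, return_obj=None, ns_info=None):
        """Converts this package into its generated binding object.

        Empty collections are left unset on the binding so they do not
        appear as empty elements in the serialised XML.
        """
        super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)

        if not return_obj:
            return_obj = self._binding_class()

        return_obj.id = self.id_
        return_obj.idref = self.idref
        return_obj.version = self.version
        return_obj.timestamp = utils.dates.serialize_value(self.timestamp)

        if self.stix_header:
            return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info)
        if self.campaigns:
            return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
        if self.courses_of_action:
            return_obj.Courses_Of_Action = self.courses_of_action.to_obj(
                ns_info=ns_info)
        if self.exploit_targets:
            return_obj.Exploit_Targets = self.exploit_targets.to_obj(
                ns_info=ns_info)
        if self.indicators:
            return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
        if self.observables:
            return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
        if self.incidents:
            return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
        if self.threat_actors:
            return_obj.Threat_Actors = self.threat_actors.to_obj(
                ns_info=ns_info)
        if self.ttps:
            return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
        if self.related_packages:
            return_obj.Related_Packages = self.related_packages.to_obj(
                ns_info=ns_info)

        return return_obj

    def to_dict(self):
        """Dictionary form; the generic Entity implementation handles it."""
        return super(STIXPackage, self).to_dict()

    @classmethod
    def from_obj(cls, obj, return_obj=None):
        """Builds a package from a binding object.

        The binding's ``version`` only overrides the class default when it is
        actually set.
        """
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.id
        return_obj.idref = obj.idref
        return_obj.timestamp = obj.timestamp
        return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
        return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
        return_obj.courses_of_action = CoursesOfAction.from_obj(
            obj.Courses_Of_Action)
        return_obj.exploit_targets = ExploitTargets.from_obj(
            obj.Exploit_Targets)
        return_obj.indicators = Indicators.from_obj(obj.Indicators)
        return_obj.observables = Observables.from_obj(obj.Observables)
        return_obj.incidents = Incidents.from_obj(obj.Incidents)
        return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
        return_obj.ttps = TTPs.from_obj(obj.TTPs)
        return_obj.related_packages = RelatedPackages.from_obj(
            obj.Related_Packages)

        # Don't overwrite unless a version is passed in
        if obj.version:
            return_obj.version = obj.version

        return return_obj

    @classmethod
    def from_dict(cls, dict_repr, return_obj=None):
        """Builds a package from its dictionary form (see :meth:`to_dict`)."""
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = dict_repr.get('id')
        return_obj.idref = dict_repr.get('idref')
        return_obj.timestamp = dict_repr.get('timestamp')
        return_obj.version = dict_repr.get('version', cls._version)
        return_obj.stix_header = STIXHeader.from_dict(
            dict_repr.get('stix_header'))
        return_obj.campaigns = Campaigns.from_dict(dict_repr.get('campaigns'))
        return_obj.courses_of_action = CoursesOfAction.from_dict(
            dict_repr.get('courses_of_action'))
        return_obj.exploit_targets = ExploitTargets.from_dict(
            dict_repr.get('exploit_targets'))
        return_obj.indicators = Indicators.from_dict(
            dict_repr.get('indicators'))
        return_obj.observables = Observables.from_dict(
            dict_repr.get('observables'))
        return_obj.incidents = Incidents.from_dict(dict_repr.get('incidents'))
        return_obj.threat_actors = ThreatActors.from_dict(
            dict_repr.get('threat_actors'))
        return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
        return_obj.related_packages = RelatedPackages.from_dict(
            dict_repr.get('related_packages'))

        return return_obj

    @classmethod
    def from_xml(cls, xml_file, encoding=None):
        """Parses the `xml_file` file-like object and returns a
        :class:`STIXPackage` instance.

        STIX documents usually arrive from external sharing partners, i.e.
        they are untrusted input.  Whether DTDs, external entities and deep
        entity expansion are rejected is decided inside
        ``parser.EntityParser``, not here -- NOTE(review): confirm that
        parser is hardened before pointing this at third-party feeds.

        Args:
            xml_file: A file, file-like object, etree._Element, or
                etree._ElementTree instance.
            encoding: The character encoding of the `xml_file` input. If
                ``None``, an attempt will be made to determine the input
                character encoding. Default is ``None``.

        Returns:
            An instance of :class:`STIXPackage`.
        """
        entity_parser = parser.EntityParser()
        return entity_parser.parse_xml(xml_file, encoding=encoding)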
class STIXPackage(stix.Entity):
    """A STIX Package object.

    Args:
        id_ (optional): An identifier. If ``None``, a value will be generated
            via ``mixbox.idgen.create_id()``. If set, this will unset the
            ``idref`` property.
        idref: **DEPRECATED** An identifier reference. If set this will unset
            the ``id_`` property.
        timestamp: **DEPRECATED** A timestamp value. Can be an instance of
            ``datetime.datetime`` or ``str``.
        header: A Report :class:`.Header` object.
        campaigns: A collection of :class:`.Campaign` objects.
        course_of_action: A collection of :class:`.CourseOfAction` objects.
        exploit_targets: A collection of :class:`.ExploitTarget` objects.
        incidents: A collection of :class:`.Incident` objects.
        indicators: A collection of :class:`.Indicator` objects.
        threat_actors: A collection of :class:`.ThreatActor` objects.
        ttps: A collection of :class:`.TTP` objects.
        related_packages: **DEPRECATED**. A collection of
            :class:`.RelatedPackage` objects.
        reports: A collection of :class:`.Report` objects.

    Every collection attribute except ``related_packages`` is initialised to
    an empty container, so the ``add_*`` helpers normally never see ``None``;
    they still guard against it because the descriptors accept ``None``.
    """
    _binding = stix_core_binding
    _binding_class = _binding.STIXType
    _namespace = 'http://stix.mitre.org/stix-1'
    _version = "1.2"
    _ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2")

    id_ = fields.IdField("id")
    idref = fields.IdrefField("idref", preset_hook=deprecated.field)
    version = fields.TypedField("version")
    timestamp = fields.DateTimeField("timestamp", preset_hook=deprecated.field)
    stix_header = fields.TypedField("STIX_Header", STIXHeader)
    campaigns = fields.TypedField("Campaigns", Campaigns)
    courses_of_action = fields.TypedField("Courses_Of_Action", CoursesOfAction)
    exploit_targets = fields.TypedField("Exploit_Targets", ExploitTargets)
    observables = fields.TypedField("Observables", Observables)
    indicators = fields.TypedField("Indicators", Indicators)
    incidents = fields.TypedField("Incidents", Incidents)
    threat_actors = fields.TypedField("Threat_Actors", ThreatActors)
    ttps = fields.TypedField("TTPs", TTPs)
    related_packages = fields.TypedField("Related_Packages", RelatedPackages)
    reports = fields.TypedField("Reports", Reports)

    def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
                 courses_of_action=None, exploit_targets=None, indicators=None,
                 observables=None, incidents=None, threat_actors=None,
                 ttps=None, campaigns=None, related_packages=None,
                 reports=None):
        super(STIXPackage, self).__init__()

        # id_ goes first; an idref assigned afterwards clears it again.
        self.id_ = id_ or idgen.create_id("Package")
        self.idref = idref
        self.version = STIXPackage._version
        self.stix_header = stix_header

        # Each collection falls back to an empty container of its own type.
        self.campaigns = campaigns or Campaigns()
        self.courses_of_action = courses_of_action or CoursesOfAction()
        self.exploit_targets = exploit_targets or ExploitTargets()
        self.observables = observables or Observables()
        self.indicators = indicators or Indicators()
        self.incidents = incidents or Incidents()
        self.threat_actors = threat_actors or ThreatActors()
        self.ttps = ttps or TTPs()
        self.related_packages = related_packages
        self.reports = reports or Reports()
        self.timestamp = timestamp

    def _collection(self, attr, factory):
        """Returns the collection stored under `attr`, creating it with
        `factory` first when it is ``None``."""
        if getattr(self, attr) is None:
            setattr(self, attr, factory())
        return getattr(self, attr)

    def add_indicator(self, indicator):
        """Adds an :class:`.Indicator` object to the :attr:`indicators`
        collection.
        """
        self._collection("indicators", Indicators).append(indicator)

    def add_campaign(self, campaign):
        """Adds a :class:`Campaign` object to the :attr:`campaigns`
        collection.
        """
        self._collection("campaigns", Campaigns).append(campaign)

    def add_observable(self, observable):
        """Adds an ``Observable`` object to the :attr:`observables`
        collection.

        If `observable` is not an ``Observable`` instance, an effort will be
        made to convert it to one.
        """
        # Truthiness, not ``is None``: an empty Observables is rebuilt around
        # the new observable rather than extended.
        if self.observables:
            self.observables.add(observable)
        else:
            self.observables = Observables(observables=observable)

    def add_incident(self, incident):
        """Adds an :class:`.Incident` object to the :attr:`incidents`
        collection.
        """
        self._collection("incidents", Incidents).append(incident)

    def add_threat_actor(self, threat_actor):
        """Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
        collection.
        """
        self._collection("threat_actors", ThreatActors).append(threat_actor)

    def add_course_of_action(self, course_of_action):
        """Adds an :class:`.CourseOfAction` object to the
        :attr:`courses_of_action` collection.
        """
        self._collection("courses_of_action", CoursesOfAction).append(
            course_of_action)

    def add_exploit_target(self, exploit_target):
        """Adds an :class:`.ExploitTarget` object to the
        :attr:`exploit_targets` collection.
        """
        self._collection("exploit_targets", ExploitTargets).append(
            exploit_target)

    def add_ttp(self, ttp):
        """Adds an :class:`.TTP` object to the :attr:`ttps` collection.
        """
        # TTPs is a wrapper entity; the actual list lives in its ``ttp``.
        self._collection("ttps", TTPs).ttp.append(ttp)

    def add_report(self, report):
        """Adds a :class:`.Report` object to the :attr:`reports` collection.
        """
        self._collection("reports", Reports).append(report)

    def add_related_package(self, related_package):
        """Adds a :class:`.RelatedPackage` object to the
        :attr:`related_packages` collection.
        """
        self._collection("related_packages", RelatedPackages).append(
            related_package)

    def add(self, entity):
        """Adds `entity` to a top-level collection.

        For example, if `entity` is an Indicator object, the `entity` will be
        added to the ``indicators`` top-level collection.  CybOX content goes
        to :attr:`observables`; everything else is dispatched on its exact
        class.

        Raises:
            TypeError: `entity` is not a supported top-level type.
        """
        if utils.is_cybox(entity):
            self.add_observable(entity)
            return

        dispatch = {
            Campaign: self.add_campaign,
            CourseOfAction: self.add_course_of_action,
            ExploitTarget: self.add_exploit_target,
            Incident: self.add_incident,
            Indicator: self.add_indicator,
            ThreatActor: self.add_threat_actor,
            TTP: self.add_ttp,
            Report: self.add_report,
            Observable: self.add_observable,
        }

        try:
            dispatch[entity.__class__](entity)
        except KeyError:
            msg = "Cannot add type '{0}' to a top-level collection"
            raise TypeError(msg.format(type(entity)))

    @classmethod
    def from_xml(cls, xml_file, encoding=None):
        """Parses the `xml_file` file-like object and returns a
        :class:`STIXPackage` instance.

        STIX feeds are typically produced by external parties; whether the
        underlying XML parser refuses DTDs and external entities is decided
        by ``parser.EntityParser`` -- NOTE(review): verify its configuration
        before consuming untrusted documents.

        Args:
            xml_file: A file, file-like object, etree._Element, or
                etree._ElementTree instance.
            encoding: The character encoding of the `xml_file` input. If
                ``None``, an attempt will be made to determine the input
                character encoding. Default is ``None``.

        Returns:
            An instance of :class:`STIXPackage`.
        """
        entity_parser = parser.EntityParser()
        return entity_parser.parse_xml(xml_file, encoding=encoding)
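class STIXPackage(stix.Entity):
    '''
    STIX 1.0 Package: a header plus top-level indicators and observables.

    Parameters:
        id_ - package identifier; generated via stix.utils.create_id() when
              omitted
        idref_ - reference to another package's identifier
        stix_header - a stix.core.STIXHeader instance
        indicators - iterable of stix.indicator.Indicator
        observables - a cybox.core.Observables instance
    '''

    def __init__(self, id_=None, idref_=None, stix_header=None,
                 indicators=None, observables=None):
        '''
        Constructor
        '''
        self.id_ = id_ if id_ else stix.utils.create_id()
        self.idref_ = idref_
        self.version = '1.0'
        self.indicators = indicators
        self.observables = observables
        self.stix_header = stix_header

    @property
    def stix_header(self):
        return self._stix_header

    @stix_header.setter
    def stix_header(self, value):
        if value and not isinstance(value, STIXHeader):
            raise ValueError('value must be instance of STIXHeader')
        self._stix_header = value

    @property
    def indicators(self):
        return self._indicators

    @indicators.setter
    def indicators(self, valuelist):
        '''Replaces the indicator list; each element is type-checked by
        add_indicator().'''
        self._indicators = []  # initialize
        if valuelist:
            for value in valuelist:
                self.add_indicator(value)

    @property
    def observables(self):
        return self._observables

    @observables.setter
    def observables(self, value):
        if value and not isinstance(value, Observables):
            raise ValueError(
                'value must be instance of cybox.core.Observables')
        self._observables = value

    def add_indicator(self, indicator):
        '''
        Appends an Indicator.  None is ignored: previously it was appended
        and only blew up later in to_obj()/to_dict().

        Raises ValueError for anything that is not an Indicator.
        '''
        if indicator is None:
            return
        if not isinstance(indicator, Indicator):
            raise ValueError(
                'indicator must be instance of stix.indicator.Indicator')
        self.indicators.append(indicator)

    def add_observable(self, observable):
        '''Adds an observable, creating the Observables container on first
        use (or when the existing one is empty).'''
        if not self.observables:
            self.observables = Observables(observable)
        else:
            self.observables.add(observable)

    def to_obj(self, return_obj=None):
        '''
        Converts this package to its binding object.  Empty collections are
        not set on the binding so they produce no empty XML elements.
        '''
        if not return_obj:
            return_obj = stix_core_binding.STIXType()

        return_obj.set_id(self.id_)
        return_obj.set_idref(self.idref_)
        return_obj.set_version(self.version)

        if self.stix_header:
            return_obj.set_STIX_Header(self.stix_header.to_obj())

        if self.indicators:
            indicators_obj = stix_core_binding.IndicatorsType()
            for indicator in self.indicators:
                indicators_obj.add_Indicator(indicator.to_obj())
            return_obj.set_Indicators(indicators_obj)

        if self.observables:
            observables_obj = self.observables.to_obj()
            return_obj.set_Observables(observables_obj)

        return return_obj

    def to_dict(self, return_dict=None):
        '''
        Dictionary form of the package.  Only set fields are emitted, except
        'version' which is always present.
        '''
        if not return_dict:
            return_dict = {}

        if self.id_:
            return_dict['id'] = self.id_

        return_dict['version'] = self.version

        if self.idref_:
            return_dict['idref'] = self.idref_

        if self.stix_header:
            return_dict['stix_header'] = self.stix_header.to_dict()

        if self.indicators:
            for indicator in self.indicators:
                return_dict.setdefault('indicators', []).append(
                    indicator.to_dict())

        if self.observables:
            return_dict['observables'] = self.observables.to_dict()

        return return_dict

    @classmethod
    def from_obj(cls, obj, return_obj=None):
        '''Builds a package from a binding object.'''
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.get_id()
        return_obj.idref_ = obj.get_idref()
        return_obj.version = obj.get_version()
        return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())

        if obj.get_Indicators():
            indicators_obj = obj.get_Indicators()
            if indicators_obj.get_Indicator():
                for indicator_obj in indicators_obj.get_Indicator():
                    return_obj.add_indicator(Indicator.from_obj(indicator_obj))

        if obj.get_Observables():
            observables_obj = obj.get_Observables()
            return_obj.observables = Observables.from_obj(observables_obj)

        return return_obj

    @classmethod
    def from_dict(cls, dict_repr, return_obj=None):
        '''Builds a package from its dictionary form (see to_dict()).'''
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = dict_repr.get('id', None)
        return_obj.idref_ = dict_repr.get('idref', None)
        return_obj.version = dict_repr.get('version', None)

        header_dict = dict_repr.get('stix_header', None)
        return_obj.stix_header = STIXHeader.from_dict(header_dict)

        indicators = dict_repr.get('indicators', [])
        for indicator_dict in indicators:
            return_obj.add_indicator(Indicator.from_dict(indicator_dict))

        observables_dict = dict_repr.get('observables')
        return_obj.observables = Observables.from_dict(observables_dict)

        return return_obj

    @classmethod
    def from_xml(cls, xml_file):
        '''
        Returns a tuple of (api_object, binding_object).

        Parameters:
            xml_file - either a filename or a stream object

        A file opened here by name is closed again once parsed; a stream
        passed by the caller is left open, as before.

        STIX documents normally come from external sharing partners, so this
        is untrusted input.  DTD/external-entity handling is decided inside
        stix_core_binding.parsexml_ -- NOTE(review): confirm it rejects them
        before feeding third-party feeds through here.
        '''
        if isinstance(xml_file, basestring):
            # Previously the file was opened and never closed (leaked until GC).
            with open(xml_file, "rb") as f:
                doc = stix_core_binding.parsexml_(f)
        else:
            doc = stix_core_binding.parsexml_(xml_file)

        stix_package_obj = stix_core_binding.STIXType().factory()
        stix_package_obj.build(doc.getroot())

        # No need to build a throwaway instance (and burn an id) first.
        stix_package = cls.from_obj(stix_package_obj)
        return (stix_package, stix_package_obj)

    def to_xml(self, ns_dict=None):
        '''
        Overrides the stix.to_xml() method.

        The ns_dict parameter is a dictionary where keys are namespaces and
        values are prefixes.  The NS:PREFIX pairs are appended to the
        stix_core_binding.DEFAULT_XML_NS_MAP dictionary (caller entries win
        on conflict).
        '''
        export_ns_dict = dict(stix_core_binding.DEFAULT_XML_NS_MAP)
        if ns_dict:
            export_ns_dict.update(ns_dict)

        s = StringIO()
        self.to_obj().export(s, 0, export_ns_dict)
        return s.getvalue()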
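class STIXPackage(stix.Entity):
    """A STIX 1.1.1 Package holding top-level STIX content in plain lists.

    ``id_`` and ``idref`` are mutually exclusive: assigning one clears the
    other.  Every collection setter starts from an empty collection and
    type-checks each element through the matching ``add_*`` method; a
    falsy element is silently skipped.

    Args:
        id_: Package identifier; generated when omitted.
        idref: Reference to another package; setting it unsets ``id_``.
        timestamp: ``datetime`` or parseable string.  Defaults to the
            current UTC time, or ``None`` for an idref-only package.
        stix_header: A ``STIXHeader`` instance.
        courses_of_action, exploit_targets, indicators, observables,
        incidents, threat_actors, ttps, campaigns: top-level content;
            a single entity or a list may be given.
    """

    _binding = stix_core_binding
    _binding_class = _binding.STIXType
    _namespace = 'http://stix.mitre.org/stix-1'
    _version = "1.1.1"

    def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
                 courses_of_action=None, exploit_targets=None, indicators=None,
                 observables=None, incidents=None, threat_actors=None,
                 ttps=None, campaigns=None):
        # id_ first: an idref assigned afterwards clears it again.
        self.id_ = id_ or stix.utils.create_id("Package")
        self.idref = idref
        self.version = self._version
        self.stix_header = stix_header
        self.campaigns = campaigns
        self.courses_of_action = courses_of_action
        self.exploit_targets = exploit_targets
        self.observables = observables
        self.indicators = indicators
        self.incidents = incidents
        self.threat_actors = threat_actors
        self.ttps = ttps
        self.related_packages = RelatedPackages()

        if timestamp:
            self.timestamp = timestamp
        else:
            self.timestamp = datetime.now(tzutc()) if not idref else None

    @property
    def id_(self):
        return self._id

    @id_.setter
    def id_(self, value):
        if not value:
            self._id = None
        else:
            self._id = value
            self.idref = None  # id and idref are mutually exclusive

    @property
    def idref(self):
        return self._idref

    @idref.setter
    def idref(self, value):
        if not value:
            self._idref = None
        else:
            self._idref = value
            self.id_ = None  # unset id_ if idref is present

    @property
    def timestamp(self):
        return self._timestamp

    @timestamp.setter
    def timestamp(self, value):
        self._timestamp = dates.parse_value(value)

    @property
    def stix_header(self):
        return self._stix_header

    @stix_header.setter
    def stix_header(self, value):
        if value and not isinstance(value, STIXHeader):
            raise ValueError('value must be instance of STIXHeader')
        self._stix_header = value

    @property
    def indicators(self):
        return self._indicators

    @indicators.setter
    def indicators(self, value):
        self._indicators = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_indicator(v)
        else:
            self.add_indicator(value)

    def add_indicator(self, indicator):
        """Appends `indicator`; falsy values are ignored.

        Raises:
            ValueError: `indicator` is not an ``Indicator``.
        """
        if not indicator:
            return
        elif isinstance(indicator, Indicator):
            self.indicators.append(indicator)
        else:
            raise ValueError(
                'indicator must be instance of stix.indicator.Indicator')

    @property
    def campaigns(self):
        return self._campaigns

    @campaigns.setter
    def campaigns(self, value):
        self._campaigns = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_campaign(v)
        else:
            self.add_campaign(value)

    def add_campaign(self, campaign):
        """Appends `campaign`; falsy values are ignored.

        Raises:
            ValueError: `campaign` is not a ``Campaign``.
        """
        if not campaign:
            return
        elif isinstance(campaign, Campaign):
            self.campaigns.append(campaign)
        else:
            # The message used to talk about "indicator" (copy-paste).
            raise ValueError(
                'campaign must be instance of stix.campaign.Campaign')

    @property
    def observables(self):
        return self._observables

    @observables.setter
    def observables(self, value):
        if value and not isinstance(value, Observables):
            raise ValueError(
                'value must be instance of cybox.core.Observables')
        self._observables = value

    def add_observable(self, observable):
        """Adds `observable`, creating the ``Observables`` container when
        there is none (or it is empty)."""
        if not self.observables:
            self.observables = Observables(observables=observable)
        else:
            self.observables.add(observable)

    @property
    def incidents(self):
        return self._incidents

    @incidents.setter
    def incidents(self, value):
        self._incidents = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_incident(v)
        else:
            self.add_incident(value)

    def add_incident(self, incident):
        """Appends `incident`; falsy values are ignored.

        Raises:
            ValueError: `incident` is not an ``Incident``.
        """
        if not incident:
            return
        elif isinstance(incident, Incident):
            self.incidents.append(incident)
        else:
            raise ValueError('Cannot add %s to incident list' % type(incident))

    @property
    def threat_actors(self):
        return self._threat_actors

    @threat_actors.setter
    def threat_actors(self, value):
        self._threat_actors = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_threat_actor(v)
        else:
            self.add_threat_actor(value)

    def add_threat_actor(self, threat_actor):
        """Appends `threat_actor`; falsy values are ignored.

        Raises:
            ValueError: `threat_actor` is not a ``ThreatActor``.
        """
        if not threat_actor:
            return
        elif isinstance(threat_actor, ThreatActor):
            self._threat_actors.append(threat_actor)
        else:
            raise ValueError(
                'Cannot add %s to threat actor list' % type(threat_actor))

    @property
    def courses_of_action(self):
        return self._courses_of_action

    @courses_of_action.setter
    def courses_of_action(self, value):
        self._courses_of_action = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_course_of_action(v)
        else:
            self.add_course_of_action(value)

    def add_course_of_action(self, course_of_action):
        """Appends `course_of_action`; falsy values are ignored.

        Raises:
            ValueError: `course_of_action` is not a ``CourseOfAction``.
        """
        if not course_of_action:
            return
        elif isinstance(course_of_action, CourseOfAction):
            self._courses_of_action.append(course_of_action)
        else:
            raise ValueError(
                'Cannot add %s to course of action list' %
                type(course_of_action))

    @property
    def exploit_targets(self):
        return self._exploit_targets

    @exploit_targets.setter
    def exploit_targets(self, value):
        self._exploit_targets = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_exploit_target(v)
        else:
            self.add_exploit_target(value)

    def add_exploit_target(self, exploit_target):
        """Appends `exploit_target`; falsy values are ignored.

        Raises:
            ValueError: `exploit_target` is not an ``ExploitTarget``.
        """
        if not exploit_target:
            return
        elif isinstance(exploit_target, ExploitTarget):
            self._exploit_targets.append(exploit_target)
        else:
            raise ValueError(
                'Cannot add %s to exploit target list' % type(exploit_target))

    @property
    def ttps(self):
        return self._ttps

    @ttps.setter
    def ttps(self, value):
        # Always reset first, like the other collection setters.  Previously a
        # list assignment neither cleared the old TTPs nor initialised _ttps,
        # so the first add_ttp() during __init__ raised AttributeError and a
        # later assignment extended instead of replaced.
        self._ttps = None
        if isinstance(value, TTPs):
            self._ttps = value
        elif not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_ttp(v)
        else:
            self.add_ttp(value)

    def add_ttp(self, ttp):
        """Adds `ttp` to the ``TTPs`` container, creating it on first use;
        falsy values are ignored."""
        if not ttp:
            return
        # Check for None explicitly: an empty container must be reused, not
        # mistaken for "absent".
        if self._ttps is None:
            self._ttps = TTPs()
        self._ttps.add_ttp(ttp)

    def to_obj(self, return_obj=None):
        """Converts this package into its binding object.

        Empty collections are not set on the binding so they produce no
        empty XML elements.
        """
        if not return_obj:
            return_obj = self._binding_class()

        return_obj.set_id(self.id_)
        return_obj.set_idref(self.idref)
        return_obj.set_version(self.version)
        return_obj.set_timestamp(dates.serialize_value(self.timestamp))

        if self.stix_header:
            return_obj.set_STIX_Header(self.stix_header.to_obj())

        if self.campaigns:
            campaigns_obj = self._binding.CampaignsType()
            campaigns_obj.set_Campaign([x.to_obj() for x in self.campaigns])
            return_obj.set_Campaigns(campaigns_obj)

        if self.courses_of_action:
            coas_obj = self._binding.CoursesOfActionType()
            coas_obj.set_Course_Of_Action(
                [x.to_obj() for x in self.courses_of_action])
            return_obj.set_Courses_Of_Action(coas_obj)

        if self.exploit_targets:
            # Exploit targets live in the *common* binding, not the core one.
            et_obj = stix_common_binding.ExploitTargetsType()
            et_obj.set_Exploit_Target(
                [x.to_obj() for x in self.exploit_targets])
            return_obj.set_Exploit_Targets(et_obj)

        if self.indicators:
            indicators_obj = self._binding.IndicatorsType()
            indicators_obj.set_Indicator([x.to_obj() for x in self.indicators])
            return_obj.set_Indicators(indicators_obj)

        if self.observables:
            return_obj.set_Observables(self.observables.to_obj())

        if self.incidents:
            incidents_obj = self._binding.IncidentsType()
            incidents_obj.set_Incident([x.to_obj() for x in self.incidents])
            return_obj.set_Incidents(incidents_obj)

        if self.threat_actors:
            threat_actors_obj = self._binding.ThreatActorsType()
            threat_actors_obj.set_Threat_Actor(
                [x.to_obj() for x in self.threat_actors])
            return_obj.set_Threat_Actors(threat_actors_obj)

        if self.ttps:
            return_obj.set_TTPs(self.ttps.to_obj())

        if self.related_packages:
            return_obj.set_Related_Packages(self.related_packages.to_obj())

        return return_obj

    def to_dict(self):
        """Dictionary form of the package; only set fields are emitted."""
        d = {}
        if self.id_:
            d['id'] = self.id_
        if self.idref:
            d['idref'] = self.idref
        if self.version:
            d['version'] = self.version
        if self.timestamp:
            d['timestamp'] = dates.serialize_value(self.timestamp)
        if self.stix_header:
            d['stix_header'] = self.stix_header.to_dict()
        if self.campaigns:
            d['campaigns'] = [x.to_dict() for x in self.campaigns]
        if self.courses_of_action:
            d['courses_of_action'] = [
                x.to_dict() for x in self.courses_of_action
            ]
        if self.exploit_targets:
            d['exploit_targets'] = [x.to_dict() for x in self.exploit_targets]
        if self.indicators:
            d['indicators'] = [x.to_dict() for x in self.indicators]
        if self.observables:
            d['observables'] = self.observables.to_dict()
        if self.incidents:
            d['incidents'] = [x.to_dict() for x in self.incidents]
        if self.threat_actors:
            d['threat_actors'] = [x.to_dict() for x in self.threat_actors]
        if self.ttps:
            d['ttps'] = self.ttps.to_dict()
        if self.related_packages:
            d['related_packages'] = self.related_packages.to_dict()

        return d

    @classmethod
    def from_obj(cls, obj, return_obj=None):
        """Builds a package from a binding object.

        The binding's version only overrides the class default when set.
        """
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.get_id()
        return_obj.idref = obj.get_idref()
        return_obj.timestamp = obj.get_timestamp()
        return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
        return_obj.related_packages = RelatedPackages.from_obj(
            obj.get_Related_Packages())

        if obj.get_version():
            return_obj.version = obj.get_version()
        if obj.get_Campaigns():
            return_obj.campaigns = [
                Campaign.from_obj(x)
                for x in obj.get_Campaigns().get_Campaign()
            ]
        if obj.get_Courses_Of_Action():
            return_obj.courses_of_action = [
                CourseOfAction.from_obj(x)
                for x in obj.get_Courses_Of_Action().get_Course_Of_Action()
            ]
        if obj.get_Exploit_Targets():
            return_obj.exploit_targets = [
                ExploitTarget.from_obj(x)
                for x in obj.get_Exploit_Targets().get_Exploit_Target()
            ]
        if obj.get_Indicators():
            return_obj.indicators = [
                Indicator.from_obj(x)
                for x in obj.get_Indicators().get_Indicator()
            ]
        if obj.get_Observables():
            return_obj.observables = Observables.from_obj(
                obj.get_Observables())
        if obj.get_Incidents():
            return_obj.incidents = [
                Incident.from_obj(x)
                for x in obj.get_Incidents().get_Incident()
            ]
        if obj.get_Threat_Actors():
            return_obj.threat_actors = [
                ThreatActor.from_obj(x)
                for x in obj.get_Threat_Actors().get_Threat_Actor()
            ]
        if obj.get_TTPs():
            return_obj.ttps = TTPs.from_obj(obj.get_TTPs())

        return return_obj

    @classmethod
    def from_dict(cls, dict_repr, return_obj=None):
        """Builds a package from its dictionary form (see :meth:`to_dict`)."""
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = dict_repr.get('id', None)
        return_obj.idref = dict_repr.get('idref', None)
        return_obj.timestamp = dict_repr.get('timestamp')
        return_obj.version = dict_repr.get('version', cls._version)

        header_dict = dict_repr.get('stix_header', None)
        return_obj.stix_header = STIXHeader.from_dict(header_dict)
        return_obj.campaigns = [
            Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])
        ]
        return_obj.courses_of_action = [
            CourseOfAction.from_dict(x)
            for x in dict_repr.get('courses_of_action', [])
        ]
        return_obj.exploit_targets = [
            ExploitTarget.from_dict(x)
            for x in dict_repr.get('exploit_targets', [])
        ]
        return_obj.indicators = [
            Indicator.from_dict(x) for x in dict_repr.get('indicators', [])
        ]
        return_obj.observables = Observables.from_dict(
            dict_repr.get('observables'))
        return_obj.incidents = [
            Incident.from_dict(x) for x in dict_repr.get('incidents', [])
        ]
        return_obj.threat_actors = [
            ThreatActor.from_dict(x)
            for x in dict_repr.get('threat_actors', [])
        ]
        return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
        return_obj.related_packages = RelatedPackages.from_dict(
            dict_repr.get('related_packages'))

        return return_obj

    @classmethod
    def from_xml(cls, xml_file):
        """Parses `xml_file` (a file, file-like object or path accepted by
        ``EntityParser``) into a :class:`STIXPackage`.

        STIX documents usually originate from external sharing partners and
        are untrusted input; DTD/external-entity handling is decided inside
        ``EntityParser`` -- NOTE(review): confirm it is hardened before
        pointing this at third-party feeds.
        """
        entity_parser = EntityParser()
        return entity_parser.parse_xml(xml_file)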
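class STIXPackage(stix.Entity):
    '''
    STIX 1.0 Package: a header plus top-level indicators and observables.

    Parameters:
        id_ - package identifier; generated via stix.utils.create_id() when
              omitted
        idref_ - reference to another package's identifier
        stix_header - a stix.core.STIXHeader instance
        indicators - iterable of stix.indicator.Indicator
        observables - a cybox.core.Observables instance
    '''

    def __init__(self, id_=None, idref_=None, stix_header=None,
                 indicators=None, observables=None):
        '''
        Constructor
        '''
        self.id_ = id_ if id_ else stix.utils.create_id()
        self.idref_ = idref_
        self.version = '1.0'
        self.indicators = indicators
        self.observables = observables
        self.stix_header = stix_header

    @property
    def stix_header(self):
        return self._stix_header

    @stix_header.setter
    def stix_header(self, value):
        if value and not isinstance(value, STIXHeader):
            raise ValueError('value must be instance of STIXHeader')
        self._stix_header = value

    @property
    def indicators(self):
        return self._indicators

    @indicators.setter
    def indicators(self, valuelist):
        '''Replaces the indicator list; each element is type-checked by
        add_indicator().'''
        self._indicators = []  # initialize
        if valuelist:
            for value in valuelist:
                self.add_indicator(value)

    @property
    def observables(self):
        return self._observables

    @observables.setter
    def observables(self, value):
        if value and not isinstance(value, Observables):
            raise ValueError('value must be instance of cybox.core.Observables')
        self._observables = value

    def add_indicator(self, indicator):
        '''
        Appends an Indicator.  None is ignored: previously it was appended
        and only blew up later in to_obj()/to_dict().

        Raises ValueError for anything that is not an Indicator.
        '''
        if indicator is None:
            return
        if not isinstance(indicator, Indicator):
            raise ValueError('indicator must be instance of stix.indicator.Indicator')
        self.indicators.append(indicator)

    def add_observable(self, observable):
        '''Adds an observable, creating the Observables container on first
        use (or when the existing one is empty).'''
        if not self.observables:
            self.observables = Observables(observable)
        else:
            self.observables.add(observable)

    def to_obj(self, return_obj=None):
        '''
        Converts this package to its binding object.  Empty collections are
        not set on the binding so they produce no empty XML elements.
        '''
        if not return_obj:
            return_obj = stix_core_binding.STIXType()

        return_obj.set_id(self.id_)
        return_obj.set_idref(self.idref_)
        return_obj.set_version(self.version)

        if self.stix_header:
            return_obj.set_STIX_Header(self.stix_header.to_obj())

        if self.indicators:
            indicators_obj = stix_core_binding.IndicatorsType()
            for indicator in self.indicators:
                indicators_obj.add_Indicator(indicator.to_obj())
            return_obj.set_Indicators(indicators_obj)

        if self.observables:
            observables_obj = self.observables.to_obj()
            return_obj.set_Observables(observables_obj)

        return return_obj

    def to_dict(self, return_dict=None):
        '''
        Dictionary form of the package.  Only set fields are emitted, except
        'version' which is always present.
        '''
        if not return_dict:
            return_dict = {}

        if self.id_:
            return_dict['id'] = self.id_

        return_dict['version'] = self.version

        if self.idref_:
            return_dict['idref'] = self.idref_

        if self.stix_header:
            return_dict['stix_header'] = self.stix_header.to_dict()

        if self.indicators:
            for indicator in self.indicators:
                return_dict.setdefault('indicators', []).append(
                    indicator.to_dict())

        if self.observables:
            return_dict['observables'] = self.observables.to_dict()

        return return_dict

    @classmethod
    def from_obj(cls, obj, return_obj=None):
        '''Builds a package from a binding object.'''
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.get_id()
        return_obj.idref_ = obj.get_idref()
        return_obj.version = obj.get_version()
        return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())

        if obj.get_Indicators():
            indicators_obj = obj.get_Indicators()
            if indicators_obj.get_Indicator():
                for indicator_obj in indicators_obj.get_Indicator():
                    return_obj.add_indicator(Indicator.from_obj(indicator_obj))

        if obj.get_Observables():
            observables_obj = obj.get_Observables()
            return_obj.observables = Observables.from_obj(observables_obj)

        return return_obj

    @classmethod
    def from_dict(cls, dict_repr, return_obj=None):
        '''Builds a package from its dictionary form (see to_dict()).'''
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = dict_repr.get('id', None)
        return_obj.idref_ = dict_repr.get('idref', None)
        return_obj.version = dict_repr.get('version', None)

        header_dict = dict_repr.get('stix_header', None)
        return_obj.stix_header = STIXHeader.from_dict(header_dict)

        indicators = dict_repr.get('indicators', [])
        for indicator_dict in indicators:
            return_obj.add_indicator(Indicator.from_dict(indicator_dict))

        observables_dict = dict_repr.get('observables')
        return_obj.observables = Observables.from_dict(observables_dict)

        return return_obj

    @classmethod
    def from_xml(cls, xml_file):
        '''
        Returns a tuple of (api_object, binding_object).

        Parameters:
            xml_file - either a filename or a stream object

        A file opened here by name is closed again once parsed; a stream
        passed by the caller is left open, as before.

        STIX documents normally come from external sharing partners, so this
        is untrusted input.  DTD/external-entity handling is decided inside
        stix_core_binding.parsexml_ -- NOTE(review): confirm it rejects them
        before feeding third-party feeds through here.
        '''
        if isinstance(xml_file, basestring):
            # Previously the file was opened and never closed (leaked until GC).
            with open(xml_file, "rb") as f:
                doc = stix_core_binding.parsexml_(f)
        else:
            doc = stix_core_binding.parsexml_(xml_file)

        stix_package_obj = stix_core_binding.STIXType().factory()
        stix_package_obj.build(doc.getroot())

        # No need to build a throwaway instance (and burn an id) first.
        stix_package = cls.from_obj(stix_package_obj)
        return (stix_package, stix_package_obj)

    def to_xml(self, ns_dict=None):
        '''
        Overrides the stix.to_xml() method.

        The ns_dict parameter is a dictionary where keys are namespaces and
        values are prefixes.  The NS:PREFIX pairs are appended to the
        stix_core_binding.DEFAULT_XML_NS_MAP dictionary (caller entries win
        on conflict).
        '''
        export_ns_dict = dict(stix_core_binding.DEFAULT_XML_NS_MAP)
        if ns_dict:
            export_ns_dict.update(ns_dict)

        s = StringIO()
        self.to_obj().export(s, 0, export_ns_dict)
        return s.getvalue()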
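class Report(Cached, stix.Entity):
    """A STIX Report Object.

    Args:
        id_ (optional): An identifier. If ``None``, a value will be generated
            via ``mixbox.idgen.create_id()``. If set, this will unset the
            ``idref`` property.
        idref (optional): An identifier reference. If set this will unset the
            ``id_`` property.
        timestamp (optional): A timestamp value. Can be an instance of
            ``datetime.datetime`` or ``str``. When omitted, the current time
            is used unless ``idref`` is set, in which case it stays ``None``.
        header: A Report :class:`.Header` object.
        campaigns: A collection of :class:`.Campaign` objects.
        courses_of_action: A collection of :class:`.CourseOfAction` objects.
        exploit_targets: A collection of :class:`.ExploitTarget` objects.
        incidents: A collection of :class:`.Incident` objects.
        indicators: A collection of :class:`.Indicator` objects.
        observables: A collection of ``Observable`` objects.
        threat_actors: A collection of :class:`.ThreatActor` objects.
        ttps: A collection of :class:`.TTP` objects.
        related_reports: A collection of :class:`.RelatedReport` objects.
    """
    _binding = report_binding
    _binding_class = _binding.ReportType
    _namespace = 'http://stix.mitre.org/Report-1'
    _version = "1.0"

    def __init__(self, id_=None, idref=None, timestamp=None, header=None,
                 courses_of_action=None, exploit_targets=None,
                 indicators=None, observables=None, incidents=None,
                 threat_actors=None, ttps=None, campaigns=None,
                 related_reports=None):
        # Assigning idref after id_ lets the idref setter clear id_ again
        # when a reference is given.
        self.id_ = id_ or idgen.create_id("Report")
        self.idref = idref
        self.version = self._version
        self.header = header
        self.campaigns = campaigns
        self.courses_of_action = courses_of_action
        self.exploit_targets = exploit_targets
        self.observables = observables
        self.indicators = indicators
        self.incidents = incidents
        self.threat_actors = threat_actors
        self.ttps = ttps
        self.related_reports = related_reports

        if timestamp:
            self.timestamp = timestamp
        else:
            # A bare reference carries no timestamp of its own.
            self.timestamp = utils.dates.now() if not idref else None

    @property
    def id_(self):
        """A globally unique identifier for this Report. By default, one will
        be generated automatically.
        """
        return self._id

    @id_.setter
    def id_(self, value):
        # id_ and idref are mutually exclusive: setting one clears the other.
        if not value:
            self._id = None
        else:
            self._id = value
            self.idref = None

    @property
    def idref(self):
        """A reference to another Report identifier. Setting this will unset
        any previous ``id`` values.
        """
        return self._idref

    @idref.setter
    def idref(self, value):
        if not value:
            self._idref = None
        else:
            self._idref = value
            self.id_ = None  # unset id_ if idref is present

    @property
    def timestamp(self):
        """Specifies a timestamp for the definition of this specific Report
        object.
        """
        return self._timestamp

    @timestamp.setter
    def timestamp(self, value):
        # Accepts whatever utils.dates.parse_value accepts (datetime or str).
        self._timestamp = utils.dates.parse_value(value)

    @property
    def header(self):
        """The :class:`.Header` section for the Report."""
        return self._header

    @header.setter
    def header(self, value):
        self._set_var(Header, try_cast=False, header=value)

    @property
    def indicators(self):
        """The top-level :class:`.Indicator` collection. This behaves like a
        ``MutableSequence`` type.
        """
        return self._indicators

    @indicators.setter
    def indicators(self, value):
        self._indicators = Indicators(value)

    def add_indicator(self, indicator):
        """Adds an :class:`.Indicator` object to the :attr:`indicators`
        collection.
        """
        self.indicators.append(indicator)

    @property
    def campaigns(self):
        """The top-level :class:`.Campaign` collection. This behaves like a
        ``MutableSequence`` type.
        """
        return self._campaigns

    @campaigns.setter
    def campaigns(self, value):
        self._campaigns = Campaigns(value)

    def add_campaign(self, campaign):
        """Adds a :class:`Campaign` object to the :attr:`campaigns`
        collection.
        """
        self.campaigns.append(campaign)

    @property
    def observables(self):
        """The top-level ``Observable`` collection. This behaves like a
        ``MutableSequence`` type.
        """
        return self._observables

    @observables.setter
    def observables(self, value):
        self._set_var(Observables, observables=value)

    def add_observable(self, observable):
        """Adds an ``Observable`` object to the :attr:`observables`
        collection.

        If `observable` is not an ``Observable`` instance, an effort will be
        made to convert it to one.
        """
        if not self.observables:
            self.observables = Observables(observables=observable)
        else:
            self.observables.add(observable)

    @property
    def incidents(self):
        """The top-level :class:`.Incident` collection. This behaves like a
        ``MutableSequence`` type.
        """
        return self._incidents

    @incidents.setter
    def incidents(self, value):
        self._incidents = Incidents(value)

    def add_incident(self, incident):
        """Adds an :class:`.Incident` object to the :attr:`incidents`
        collection.
        """
        self.incidents.append(incident)

    @property
    def threat_actors(self):
        """The top-level :class:`.ThreatActor` collection. This behaves like
        a ``MutableSequence`` type.
        """
        return self._threat_actors

    @threat_actors.setter
    def threat_actors(self, value):
        self._threat_actors = ThreatActors(value)

    def add_threat_actor(self, threat_actor):
        """Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
        collection.
        """
        self.threat_actors.append(threat_actor)

    @property
    def courses_of_action(self):
        """The top-level :class:`.CourseOfAction` collection. This behaves
        like a ``MutableSequence`` type.
        """
        return self._courses_of_action

    @courses_of_action.setter
    def courses_of_action(self, value):
        self._courses_of_action = CoursesOfAction(value)

    def add_course_of_action(self, course_of_action):
        """Adds a :class:`.CourseOfAction` object to the
        :attr:`courses_of_action` collection.
        """
        self.courses_of_action.append(course_of_action)

    @property
    def exploit_targets(self):
        """The top-level :class:`.ExploitTarget` collection. This behaves
        like a ``MutableSequence`` type.
        """
        return self._exploit_targets

    @exploit_targets.setter
    def exploit_targets(self, value):
        self._exploit_targets = ExploitTargets(value)

    def add_exploit_target(self, exploit_target):
        """Adds an :class:`.ExploitTarget` object to the
        :attr:`exploit_targets` collection.
        """
        self.exploit_targets.append(exploit_target)

    @property
    def ttps(self):
        """The top-level :class:`.TTP` collection. This behaves like a
        ``MutableSequence`` type.
        """
        return self._ttps

    @ttps.setter
    def ttps(self, value):
        # An existing TTPs container is kept as-is rather than re-wrapped.
        if isinstance(value, TTPs):
            self._ttps = value
        else:
            self._ttps = TTPs(value)

    def add_ttp(self, ttp):
        """Adds a :class:`.TTP` object to the :attr:`ttps` collection."""
        self.ttps.append(ttp)

    @property
    def related_reports(self):
        """The top-level :class:`.RelatedReports` collection. This behaves
        like a ``MutableSequence`` type.
        """
        return self._related_reports

    @related_reports.setter
    def related_reports(self, value):
        if isinstance(value, RelatedReports):
            self._related_reports = value
        else:
            self._related_reports = RelatedReports(value)

    def add_related_report(self, related_report):
        """Adds a :class:`.RelatedReport` object to the
        :attr:`related_reports` collection.
        """
        self.related_reports.append(related_report)

    def add(self, entity):
        """Adds `entity` to a top-level collection.

        For example, if `entity` is an Indicator object, the `entity` will be
        added to the ``indicators`` top-level collection. CybOX entities go
        to :attr:`observables`. Dispatch is on the exact class of `entity`
        (subclasses are not matched).

        Raises:
            TypeError: if `entity` is of a type that has no top-level
                collection.
        """
        if utils.is_cybox(entity):
            self.add_observable(entity)
            return

        tlo_adds = {
            Campaign: self.add_campaign,
            CourseOfAction: self.add_course_of_action,
            ExploitTarget: self.add_exploit_target,
            Incident: self.add_incident,
            Indicator: self.add_indicator,
            ThreatActor: self.add_threat_actor,
            # Previously mapped to add_threat_actor, which filed TTP objects
            # under threat_actors instead of ttps.
            TTP: self.add_ttp,
            Observable: self.add_observable,
        }

        try:
            add = tlo_adds[entity.__class__]
            add(entity)
        except KeyError:
            error = "Cannot add type '{0}' to a top-level collection"
            error = error.format(type(entity))
            raise TypeError(error)

    def to_obj(self, return_obj=None, ns_info=None):
        """Convert to the generated binding object.

        Args:
            return_obj: an existing binding object to populate; a fresh
                ``_binding_class`` instance is created when ``None``.
            ns_info: namespace bookkeeping handed through to every child's
                ``to_obj``.

        Returns:
            The populated binding object. Collections that are unset or
            empty are left unset on the binding.
        """
        super(Report, self).to_obj(return_obj=return_obj, ns_info=ns_info)

        if not return_obj:
            return_obj = self._binding_class()

        return_obj.id = self.id_
        return_obj.idref = self.idref
        return_obj.version = self.version
        return_obj.timestamp = utils.dates.serialize_value(self.timestamp)

        if self.header:
            return_obj.Header = self.header.to_obj(ns_info=ns_info)
        if self.campaigns:
            return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
        if self.courses_of_action:
            return_obj.Courses_Of_Action = self.courses_of_action.to_obj(ns_info=ns_info)
        if self.exploit_targets:
            return_obj.Exploit_Targets = self.exploit_targets.to_obj(ns_info=ns_info)
        if self.indicators:
            return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
        if self.observables:
            return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
        if self.incidents:
            return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
        if self.threat_actors:
            return_obj.Threat_Actors = self.threat_actors.to_obj(ns_info=ns_info)
        if self.ttps:
            return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
        if self.related_reports:
            return_obj.Related_Reports = self.related_reports.to_obj(ns_info=ns_info)

        return return_obj

    def to_dict(self):
        """Serialise via the generic ``stix.Entity`` dict conversion."""
        return super(Report, self).to_dict()

    @classmethod
    def from_obj(cls, obj, return_obj=None):
        """Build a Report from a generated binding object.

        Args:
            obj: the binding object. The identity fields (id, idref,
                timestamp) are always read; the collections are only read
                when `obj` is a full ``_binding_class`` instance.
            return_obj: an existing instance to populate; a new ``cls()``
                is created when ``None``.

        Returns:
            The populated instance.
        """
        if not return_obj:
            return_obj = cls()

        # ReportBaseType fields
        return_obj.id_ = obj.id
        return_obj.idref = obj.idref
        return_obj.timestamp = obj.timestamp

        # ReportType fields
        if isinstance(obj, cls._binding_class):
            return_obj.header = Header.from_obj(obj.Header)
            return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
            return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
            return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
            return_obj.indicators = Indicators.from_obj(obj.Indicators)
            return_obj.observables = Observables.from_obj(obj.Observables)
            return_obj.incidents = Incidents.from_obj(obj.Incidents)
            return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
            return_obj.ttps = TTPs.from_obj(obj.TTPs)
            return_obj.related_reports = RelatedReports.from_obj(obj.Related_Reports)

        # Don't overwrite unless a version is passed in
        if obj.version:
            return_obj.version = obj.version

        return return_obj

    @classmethod
    def from_dict(cls, dict_repr, return_obj=None):
        """Build a Report from its dict representation.

        Args:
            dict_repr: dict keyed by the attribute names ('id', 'idref',
                'timestamp', 'version', 'header', 'campaigns', ...). Missing
                keys yield ``None`` (``cls._version`` for 'version').
            return_obj: an existing instance to populate; a new ``cls()``
                is created when ``None``.

        Returns:
            The populated instance.
        """
        if not return_obj:
            return_obj = cls()

        get = dict_repr.get
        return_obj.id_ = get('id')
        return_obj.idref = get('idref')
        return_obj.timestamp = get('timestamp')
        return_obj.version = get('version', cls._version)
        return_obj.header = Header.from_dict(get('header'))
        return_obj.campaigns = Campaigns.from_dict(get('campaigns'))
        return_obj.courses_of_action = CoursesOfAction.from_dict(get('courses_of_action'))
        return_obj.exploit_targets = ExploitTargets.from_dict(get('exploit_targets'))
        return_obj.indicators = Indicators.from_dict(get('indicators'))
        return_obj.observables = Observables.from_dict(get('observables'))
        return_obj.incidents = Incidents.from_dict(get('incidents'))
        return_obj.threat_actors = ThreatActors.from_dict(get('threat_actors'))
        return_obj.ttps = TTPs.from_dict(get('ttps'))
        return_obj.related_reports = RelatedReports.from_dict(get('related_reports'))

        return return_obj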
class Report(stix.Entity):
    """A STIX Report Object.

    Args:
        id_ (optional): An identifier. If ``None``, a value will be generated
            via ``mixbox.idgen.create_id()``. If set, this will unset the
            ``idref`` property.
        idref (optional): An identifier reference. If set this will unset the
            ``id_`` property.
        timestamp (optional): A timestamp value. Can be an instance of
            ``datetime.datetime`` or ``str``. When omitted, the current time
            is used unless ``idref`` is set, in which case it stays ``None``.
        header: A Report :class:`.Header` object.
        campaigns: A collection of :class:`.Campaign` objects.
        courses_of_action: A collection of :class:`.CourseOfAction` objects.
        exploit_targets: A collection of :class:`.ExploitTarget` objects.
        incidents: A collection of :class:`.Incident` objects.
        indicators: A collection of :class:`.Indicator` objects.
        observables: A collection of ``Observable`` objects.
        threat_actors: A collection of :class:`.ThreatActor` objects.
        ttps: A collection of :class:`.TTP` objects.
        related_reports: A collection of :class:`.RelatedReport` objects.
    """
    _binding = report_binding
    _binding_class = _binding.ReportType
    _namespace = 'http://stix.mitre.org/Report-1'
    _version = "1.0"

    # Field descriptors: the first argument is the XML name the field maps to.
    id_ = fields.IdField("id")
    idref = fields.IdrefField("idref")
    timestamp = fields.TypedField("timestamp")
    version = fields.TypedField("version")
    header = fields.TypedField("Header", Header)
    campaigns = fields.TypedField("Campaigns", type_="stix.report.Campaigns")
    courses_of_action = fields.TypedField("Courses_Of_Action", type_="stix.report.CoursesOfAction")
    exploit_targets = fields.TypedField("Exploit_Targets", type_="stix.report.ExploitTargets")
    observables = fields.TypedField("Observables", Observables)
    indicators = fields.TypedField("Indicators", type_="stix.report.Indicators")
    incidents = fields.TypedField("Incidents", type_="stix.report.Incidents")
    threat_actors = fields.TypedField("Threat_Actors", type_="stix.report.ThreatActors")
    ttps = fields.TypedField("TTPs", type_="stix.core.ttps.TTPs")
    related_reports = fields.TypedField("Related_Reports", type_="stix.report.RelatedReports")

    def __init__(self, id_=None, idref=None, timestamp=None, header=None,
                 courses_of_action=None, exploit_targets=None,
                 indicators=None, observables=None, incidents=None,
                 threat_actors=None, ttps=None, campaigns=None,
                 related_reports=None):
        super(Report, self).__init__()

        # idref is assigned after id_ so that a reference can clear the id.
        self.id_ = id_ or idgen.create_id("Report")
        self.idref = idref
        self.version = self._version
        self.header = header
        self.campaigns = campaigns
        self.courses_of_action = courses_of_action
        self.exploit_targets = exploit_targets
        self.observables = observables
        self.indicators = indicators
        self.incidents = incidents
        self.threat_actors = threat_actors
        self.ttps = ttps
        self.related_reports = related_reports

        # A bare reference (idref) gets no timestamp of its own.
        self.timestamp = timestamp or (utils.dates.now() if not idref else None)

    def _report_append(self, attr, collection_cls, item):
        """Append `item` to the collection field named `attr`, first creating
        an empty `collection_cls` when the field is still ``None``.
        """
        if getattr(self, attr) is None:
            setattr(self, attr, collection_cls())
        getattr(self, attr).append(item)

    def add_indicator(self, indicator):
        """Adds an :class:`.Indicator` object to the :attr:`indicators`
        collection.
        """
        self._report_append('indicators', Indicators, indicator)

    def add_campaign(self, campaign):
        """Adds a :class:`Campaign` object to the :attr:`campaigns`
        collection.
        """
        self._report_append('campaigns', Campaigns, campaign)

    def add_observable(self, observable):
        """Adds an ``Observable`` object to the :attr:`observables`
        collection.

        If `observable` is not an ``Observable`` instance, an effort will be
        made to convert it to one.
        """
        if self.observables:
            self.observables.add(observable)
        else:
            self.observables = Observables(observables=observable)

    def add_incident(self, incident):
        """Adds an :class:`.Incident` object to the :attr:`incidents`
        collection.
        """
        self._report_append('incidents', Incidents, incident)

    def add_threat_actor(self, threat_actor):
        """Adds a :class:`.ThreatActor` object to the :attr:`threat_actors`
        collection.
        """
        self._report_append('threat_actors', ThreatActors, threat_actor)

    def add_course_of_action(self, course_of_action):
        """Adds a :class:`.CourseOfAction` object to the
        :attr:`courses_of_action` collection.
        """
        self._report_append('courses_of_action', CoursesOfAction, course_of_action)

    def add_exploit_target(self, exploit_target):
        """Adds an :class:`.ExploitTarget` object to the
        :attr:`exploit_targets` collection.
        """
        self._report_append('exploit_targets', ExploitTargets, exploit_target)

    def add_ttp(self, ttp):
        """Adds a :class:`.TTP` object to the :attr:`ttps` collection."""
        self._report_append('ttps', TTPs, ttp)

    def add_related_report(self, related_report):
        """Adds a :class:`.RelatedReport` object to the
        :attr:`related_reports` collection.
        """
        self._report_append('related_reports', RelatedReports, related_report)

    def add(self, entity):
        """Adds `entity` to a top-level collection.

        For example, if `entity` is an Indicator object, the `entity` will be
        added to the ``indicators`` top-level collection. CybOX entities go
        to :attr:`observables`. Dispatch is on the exact class of `entity`.

        Raises:
            TypeError: if `entity` has no matching top-level collection.
        """
        if utils.is_cybox(entity):
            self.add_observable(entity)
            return

        handlers = {
            Campaign: self.add_campaign,
            CourseOfAction: self.add_course_of_action,
            ExploitTarget: self.add_exploit_target,
            Incident: self.add_incident,
            Indicator: self.add_indicator,
            ThreatActor: self.add_threat_actor,
            TTP: self.add_ttp,
            Observable: self.add_observable,
        }

        try:
            handlers[entity.__class__](entity)
        except KeyError:
            message = "Cannot add type '{0}' to a top-level collection".format(type(entity))
            raise TypeError(message)
d = json.load(json_data) Obs = Observables() #print(d[2]) #mapping starts count = 0 hashes = { 'MD-5', 'MD-6', 'SHA-1', 'SHA-224', 'SHA-256', 'SHA-224', 'SHA-384', 'SHA-512', 'SSD-EEP' 'MD5', 'MD6', 'SHA1', 'SHA224', 'SHA256', 'SHA224', 'SHA384', 'SHA512', 'SSDEEP' } for a in d: Bol = True if d[count]['eventid'] == 'cowrie.session.connect': Obs.add(create_network_connection_observable(count)) if d[count]['eventid'] == 'cowrie.login.failed' or d[count][ 'eventid'] == 'cowrie.login.success': Obs.add(create_user_account_observable(count)) if d[count]['eventid'] == 'cowrie.session.closed': Obs.add(create_network_connection_closed_observable(count)) if d[count]['eventid'] == 'cowrie.command.input': Bol = True Obs.add(create_command_observable(count, Bol)) if d[count]['eventid'] == 'cowrie.command.failed': Bol = False Obs.add(create_command_observable(count, Bol)) if d[count]['eventid'] == 'cowrie.log.open': Bol = True Obs.add(create_file_observable(count, Bol)) if d[count]['eventid'] == 'cowrie.log.closed':
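class Report(Cached, stix.Entity):
    """A STIX Report Object.

    Args:
        id_ (optional): An identifier. If ``None``, a value will be generated
            via ``stix.utils.create_id()``. If set, this will unset the
            ``idref`` property.
        idref (optional): An identifier reference. If set this will unset the
            ``id_`` property.
        timestamp (optional): A timestamp value. Can be an instance of
            ``datetime.datetime`` or ``str``. When omitted, the current time
            is used unless ``idref`` is set, in which case it stays ``None``.
        header: A Report :class:`.Header` object.
        campaigns: A collection of :class:`.Campaign` objects.
        courses_of_action: A collection of :class:`.CourseOfAction` objects.
        exploit_targets: A collection of :class:`.ExploitTarget` objects.
        incidents: A collection of :class:`.Incident` objects.
        indicators: A collection of :class:`.Indicator` objects.
        observables: A collection of ``Observable`` objects.
        threat_actors: A collection of :class:`.ThreatActor` objects.
        ttps: A collection of :class:`.TTP` objects.
        related_reports: A collection of :class:`.RelatedReport` objects.
    """
    _binding = report_binding
    _binding_class = _binding.ReportType
    _namespace = 'http://stix.mitre.org/Report-1'
    _version = "1.0"

    def __init__(self, id_=None, idref=None, timestamp=None, header=None,
                 courses_of_action=None, exploit_targets=None,
                 indicators=None, observables=None, incidents=None,
                 threat_actors=None, ttps=None, campaigns=None,
                 related_reports=None):
        # Assigning idref after id_ lets the idref setter clear id_ again
        # when a reference is given.
        self.id_ = id_ or stix.utils.create_id("Report")
        self.idref = idref
        self.version = self._version
        self.header = header
        self.campaigns = campaigns
        self.courses_of_action = courses_of_action
        self.exploit_targets = exploit_targets
        self.observables = observables
        self.indicators = indicators
        self.incidents = incidents
        self.threat_actors = threat_actors
        self.ttps = ttps
        self.related_reports = related_reports

        if timestamp:
            self.timestamp = timestamp
        else:
            # A bare reference carries no timestamp of its own.
            self.timestamp = utils.dates.now() if not idref else None

    @property
    def id_(self):
        """A globally unique identifier for this Report. By default, one will
        be generated automatically.
        """
        return self._id

    @id_.setter
    def id_(self, value):
        # id_ and idref are mutually exclusive: setting one clears the other.
        if not value:
            self._id = None
        else:
            self._id = value
            self.idref = None

    @property
    def idref(self):
        """A reference to another Report identifier. Setting this will unset
        any previous ``id`` values.
        """
        return self._idref

    @idref.setter
    def idref(self, value):
        if not value:
            self._idref = None
        else:
            self._idref = value
            self.id_ = None  # unset id_ if idref is present

    @property
    def timestamp(self):
        """Specifies a timestamp for the definition of this specific Report
        object.
        """
        return self._timestamp

    @timestamp.setter
    def timestamp(self, value):
        # Accepts whatever utils.dates.parse_value accepts (datetime or str).
        self._timestamp = utils.dates.parse_value(value)

    @property
    def header(self):
        """The :class:`.Header` section for the Report."""
        return self._header

    @header.setter
    def header(self, value):
        self._set_var(Header, try_cast=False, header=value)

    @property
    def indicators(self):
        """The top-level :class:`.Indicator` collection. This behaves like a
        ``MutableSequence`` type.
        """
        return self._indicators

    @indicators.setter
    def indicators(self, value):
        self._indicators = Indicators(value)

    def add_indicator(self, indicator):
        """Adds an :class:`.Indicator` object to the :attr:`indicators`
        collection.
        """
        self.indicators.append(indicator)

    @property
    def campaigns(self):
        """The top-level :class:`.Campaign` collection. This behaves like a
        ``MutableSequence`` type.
        """
        return self._campaigns

    @campaigns.setter
    def campaigns(self, value):
        self._campaigns = Campaigns(value)

    def add_campaign(self, campaign):
        """Adds a :class:`Campaign` object to the :attr:`campaigns`
        collection.
        """
        self.campaigns.append(campaign)

    @property
    def observables(self):
        """The top-level ``Observable`` collection. This behaves like a
        ``MutableSequence`` type.
        """
        return self._observables

    @observables.setter
    def observables(self, value):
        self._set_var(Observables, observables=value)

    def add_observable(self, observable):
        """Adds an ``Observable`` object to the :attr:`observables`
        collection.

        If `observable` is not an ``Observable`` instance, an effort will be
        made to convert it to one.
        """
        if not self.observables:
            self.observables = Observables(observables=observable)
        else:
            self.observables.add(observable)

    @property
    def incidents(self):
        """The top-level :class:`.Incident` collection. This behaves like a
        ``MutableSequence`` type.
        """
        return self._incidents

    @incidents.setter
    def incidents(self, value):
        self._incidents = Incidents(value)

    def add_incident(self, incident):
        """Adds an :class:`.Incident` object to the :attr:`incidents`
        collection.
        """
        self.incidents.append(incident)

    @property
    def threat_actors(self):
        """The top-level :class:`.ThreatActor` collection. This behaves like
        a ``MutableSequence`` type.
        """
        return self._threat_actors

    @threat_actors.setter
    def threat_actors(self, value):
        self._threat_actors = ThreatActors(value)

    def add_threat_actor(self, threat_actor):
        """Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
        collection.
        """
        self.threat_actors.append(threat_actor)

    @property
    def courses_of_action(self):
        """The top-level :class:`.CourseOfAction` collection. This behaves
        like a ``MutableSequence`` type.
        """
        return self._courses_of_action

    @courses_of_action.setter
    def courses_of_action(self, value):
        self._courses_of_action = CoursesOfAction(value)

    def add_course_of_action(self, course_of_action):
        """Adds a :class:`.CourseOfAction` object to the
        :attr:`courses_of_action` collection.
        """
        self.courses_of_action.append(course_of_action)

    @property
    def exploit_targets(self):
        """The top-level :class:`.ExploitTarget` collection. This behaves
        like a ``MutableSequence`` type.
        """
        return self._exploit_targets

    @exploit_targets.setter
    def exploit_targets(self, value):
        self._exploit_targets = ExploitTargets(value)

    def add_exploit_target(self, exploit_target):
        """Adds an :class:`.ExploitTarget` object to the
        :attr:`exploit_targets` collection.
        """
        self.exploit_targets.append(exploit_target)

    @property
    def ttps(self):
        """The top-level :class:`.TTP` collection. This behaves like a
        ``MutableSequence`` type.
        """
        return self._ttps

    @ttps.setter
    def ttps(self, value):
        # An existing TTPs container is kept as-is rather than re-wrapped.
        if isinstance(value, TTPs):
            self._ttps = value
        else:
            self._ttps = TTPs(value)

    def add_ttp(self, ttp):
        """Adds a :class:`.TTP` object to the :attr:`ttps` collection."""
        self.ttps.append(ttp)

    @property
    def related_reports(self):
        """The top-level :class:`.RelatedReports` collection. This behaves
        like a ``MutableSequence`` type.
        """
        return self._related_reports

    @related_reports.setter
    def related_reports(self, value):
        if isinstance(value, RelatedReports):
            self._related_reports = value
        else:
            self._related_reports = RelatedReports(value)

    def add_related_report(self, related_report):
        """Adds a :class:`.RelatedReport` object to the
        :attr:`related_reports` collection.
        """
        self.related_reports.append(related_report)

    def add(self, entity):
        """Adds `entity` to a top-level collection.

        For example, if `entity` is an Indicator object, the `entity` will be
        added to the ``indicators`` top-level collection. CybOX entities go
        to :attr:`observables`. Dispatch is on the exact class of `entity`
        (subclasses are not matched).

        Raises:
            TypeError: if `entity` is of a type that has no top-level
                collection.
        """
        if utils.is_cybox(entity):
            self.add_observable(entity)
            return

        tlo_adds = {
            Campaign: self.add_campaign,
            CourseOfAction: self.add_course_of_action,
            ExploitTarget: self.add_exploit_target,
            Incident: self.add_incident,
            Indicator: self.add_indicator,
            ThreatActor: self.add_threat_actor,
            # Previously mapped to add_threat_actor, which filed TTP objects
            # under threat_actors instead of ttps.
            TTP: self.add_ttp,
            Observable: self.add_observable,
        }

        try:
            add = tlo_adds[entity.__class__]
            add(entity)
        except KeyError:
            error = "Cannot add type '{0}' to a top-level collection"
            error = error.format(type(entity))
            raise TypeError(error)

    def to_obj(self, return_obj=None, ns_info=None):
        """Convert to the generated binding object.

        Args:
            return_obj: an existing binding object to populate; a fresh
                ``_binding_class`` instance is created when ``None``.
            ns_info: namespace bookkeeping handed through to every child's
                ``to_obj``.

        Returns:
            The populated binding object. Collections that are unset or
            empty are left unset on the binding.
        """
        super(Report, self).to_obj(return_obj=return_obj, ns_info=ns_info)

        if not return_obj:
            return_obj = self._binding_class()

        return_obj.id = self.id_
        return_obj.idref = self.idref
        return_obj.version = self.version
        return_obj.timestamp = utils.dates.serialize_value(self.timestamp)

        if self.header:
            return_obj.Header = self.header.to_obj(ns_info=ns_info)
        if self.campaigns:
            return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
        if self.courses_of_action:
            return_obj.Courses_Of_Action = self.courses_of_action.to_obj(ns_info=ns_info)
        if self.exploit_targets:
            return_obj.Exploit_Targets = self.exploit_targets.to_obj(ns_info=ns_info)
        if self.indicators:
            return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
        if self.observables:
            return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
        if self.incidents:
            return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
        if self.threat_actors:
            return_obj.Threat_Actors = self.threat_actors.to_obj(ns_info=ns_info)
        if self.ttps:
            return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
        if self.related_reports:
            return_obj.Related_Reports = self.related_reports.to_obj(ns_info=ns_info)

        return return_obj

    def to_dict(self):
        """Serialise via the generic ``stix.Entity`` dict conversion."""
        return super(Report, self).to_dict()

    @classmethod
    def from_obj(cls, obj, return_obj=None):
        """Build a Report from a generated binding object.

        Args:
            obj: the binding object. The identity fields (id, idref,
                timestamp) are always read; the collections are only read
                when `obj` is a full ``_binding_class`` instance.
            return_obj: an existing instance to populate; a new ``cls()``
                is created when ``None``.

        Returns:
            The populated instance.
        """
        if not return_obj:
            return_obj = cls()

        # ReportBaseType fields
        return_obj.id_ = obj.id
        return_obj.idref = obj.idref
        return_obj.timestamp = obj.timestamp

        # ReportType fields
        if isinstance(obj, cls._binding_class):
            return_obj.header = Header.from_obj(obj.Header)
            return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
            return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
            return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
            return_obj.indicators = Indicators.from_obj(obj.Indicators)
            return_obj.observables = Observables.from_obj(obj.Observables)
            return_obj.incidents = Incidents.from_obj(obj.Incidents)
            return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
            return_obj.ttps = TTPs.from_obj(obj.TTPs)
            return_obj.related_reports = RelatedReports.from_obj(obj.Related_Reports)

        # Don't overwrite unless a version is passed in
        if obj.version:
            return_obj.version = obj.version

        return return_obj

    @classmethod
    def from_dict(cls, dict_repr, return_obj=None):
        """Build a Report from its dict representation.

        Args:
            dict_repr: dict keyed by the attribute names ('id', 'idref',
                'timestamp', 'version', 'header', 'campaigns', ...). Missing
                keys yield ``None`` (``cls._version`` for 'version').
            return_obj: an existing instance to populate; a new ``cls()``
                is created when ``None``.

        Returns:
            The populated instance.
        """
        if not return_obj:
            return_obj = cls()

        get = dict_repr.get
        return_obj.id_ = get('id')
        return_obj.idref = get('idref')
        return_obj.timestamp = get('timestamp')
        return_obj.version = get('version', cls._version)
        return_obj.header = Header.from_dict(get('header'))
        return_obj.campaigns = Campaigns.from_dict(get('campaigns'))
        return_obj.courses_of_action = CoursesOfAction.from_dict(get('courses_of_action'))
        return_obj.exploit_targets = ExploitTargets.from_dict(get('exploit_targets'))
        return_obj.indicators = Indicators.from_dict(get('indicators'))
        return_obj.observables = Observables.from_dict(get('observables'))
        return_obj.incidents = Incidents.from_dict(get('incidents'))
        return_obj.threat_actors = ThreatActors.from_dict(get('threat_actors'))
        return_obj.ttps = TTPs.from_dict(get('ttps'))
        return_obj.related_reports = RelatedReports.from_dict(get('related_reports'))

        return return_obj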
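def main(Path_Malware):
    """Score how closely a log trace follows a malware trace.

    Both traces are parsed into CybOX observables and reduced with
    ``cyboxpop`` to action records (observables for which it returns
    ``None`` are dropped). The log is scanned for the first record whose
    ``Propertys[1]`` equals that of the first malware record; from there the
    two record lists are walked in lockstep and every pair with equal
    ``Propertys[1]`` is printed and counted into ``CONFIDENCE``. Finally the
    match count, both list sizes and the match ratio are printed.

    Args:
        Path_Malware: path to the malware trace, handed to ``parse``.

    ``Path_Log`` is not a parameter; it is resolved from the enclosing
    (module) scope, which is not visible here.
    """
    malobs = Observables()
    logobs = Observables()
    Malware = parse(Path_Malware)
    Log = parse(Path_Log)
    CONFIDENCE = 0  # number of matching record pairs
    mallist = []
    loglist = []
    m = 0  # cursor into mallist; only advances on a match
    key = 0  # log index where the previous lockstep walk stopped

    for ob in Malware:
        args = cyboxpop(ob.to_dict())
        if args is not None:
            mallist.append(args)
            malobs.add(ob)

    for ob in Log:
        args = cyboxpop(ob.to_dict())
        if args is not None:
            loglist.append(args)
            logobs.add(ob)

    print("------------------ %s -------------------" % os.path.basename(Path_Malware))

    # Records are compared on Propertys[1] (earlier, commented-out variants
    # used ActName/ActArg). Every record is assumed to carry at least two
    # Propertys entries -- confirm against cyboxpop before relying on that.
    # An empty mallist previously raised IndexError on mallist[0] here.
    if mallist:
        for n in range(len(loglist)):
            if loglist[n].Propertys[1] != mallist[0].Propertys[1]:
                continue
            offset = 0
            while True:
                if len(mallist) < m + 1 or len(loglist) < n + offset + 1:
                    key = n + offset
                    break
                if key < n + offset and loglist[n + offset].Propertys[1] == mallist[m].Propertys[1]:
                    print("Log[ %s ]: %s %s" % (n + offset, loglist[n + offset].ActArg, loglist[n + offset].Propertys))
                    print("Mal[ %s ]: %s %s" % (m, mallist[m].ActArg, mallist[m].Propertys))
                    CONFIDENCE += 1
                    offset += 1
                    m += 1
                else:
                    offset += 1

    # An empty mallist previously raised ZeroDivisionError; report 0.0 instead.
    ratio = float(CONFIDENCE) / len(mallist) if mallist else 0.0
    print("パターン一致数: %s" % CONFIDENCE)
    print("マルウェアプロセス数: %s" % len(mallist))
    print("ログプロセス数: %s" % len(loglist))
    print("パターン一致割合: %s" % ratio)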
from cybox.objects.file_object import File from cybox.objects.win_service_object import WinService from cybox.objects.win_registry_key_object import WinRegistryKey # this can be changed to an output file outfd = sys.stdout # create an Observable object: observables_doc = Observables([]) # add some different observables: # you don't have to use every member and there are other members that are not being utilized here: observables_doc.add(Process.from_dict({"name": "Process.exe", "pid": 90, "parent_pid": 10, #"creation_time": "", "image_info": {"command_line": "Process.exe /c blah.txt"}})) observables_doc.add(File.from_dict({"file_name": "file.txt", "file_extension": "txt", "file_path": "path\\to\\file.txt"})) observables_doc.add(helper.create_ipv4_observable("192.168.1.101")) observables_doc.add(helper.create_url_observable("somedomain.com")) observables_doc.add(WinService.from_dict({"service_name": "Service Name", "display_name": "Service Display name", "startup_type": "Service type",
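class STIXPackage(Cached, stix.Entity):
    """A STIX Package object.

    Args:
        id_ (optional): An identifier. If ``None``, a value will be generated
            via ``mixbox.idgen.create_id()``. If set, this will unset the
            ``idref`` property.
        idref: **DEPRECATED** An identifier reference. If set this will unset
            the ``id_`` property.
        timestamp: **DEPRECATED** A timestamp value. Can be an instance of
            ``datetime.datetime`` or ``str``.
        stix_header: A :class:`.STIXHeader` object.
        campaigns: A collection of :class:`.Campaign` objects.
        courses_of_action: A collection of :class:`.CourseOfAction` objects.
        exploit_targets: A collection of :class:`.ExploitTarget` objects.
        incidents: A collection of :class:`.Incident` objects.
        indicators: A collection of :class:`.Indicator` objects.
        observables: A ``cybox.core.Observables`` collection.
        threat_actors: A collection of :class:`.ThreatActor` objects.
        ttps: A collection of :class:`.TTP` objects.
        related_packages: **DEPRECATED**. A collection of
            :class:`.RelatedPackage` objects.
        reports: A collection of :class:`.Report` objects.

    Note:
        :meth:`to_obj` and :meth:`to_dict` always emit the schema version
        ``"1.2"``; a version read by :meth:`from_obj` / :meth:`from_dict` is
        kept on the instance only.
    """

    _binding = stix_core_binding
    _binding_class = _binding.STIXType
    _namespace = 'http://stix.mitre.org/stix-1'
    _version = "1.2"
    _ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2")

    def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
                 courses_of_action=None, exploit_targets=None, indicators=None,
                 observables=None, incidents=None, threat_actors=None,
                 ttps=None, campaigns=None, related_packages=None,
                 reports=None):
        # ``idref`` is assigned after ``id_`` on purpose: a truthy idref
        # clears the (possibly generated) id_ through the property setter.
        self.id_ = id_ or idgen.create_id("Package")
        self.idref = idref
        self._version = STIXPackage._version
        self.stix_header = stix_header
        self.campaigns = campaigns
        self.courses_of_action = courses_of_action
        self.exploit_targets = exploit_targets
        self.observables = observables
        self.indicators = indicators
        self.incidents = incidents
        self.threat_actors = threat_actors
        self.ttps = ttps
        self.related_packages = related_packages
        self.reports = reports
        self.timestamp = timestamp

    @property
    def id_(self):
        """A globally unique identifier for this Package.

        By default, one will be generated automatically.
        """
        return self._id

    @id_.setter
    def id_(self, value):
        if not value:
            self._id = None
        else:
            self._id = value
            self.idref = None  # an id and an idref are mutually exclusive

    @property
    def idref(self):
        """A reference to another Package identifier.

        Setting this will unset any previous ``id`` values.
        """
        return self._idref

    @idref.setter
    def idref(self, value):
        deprecated(value)
        if not value:
            self._idref = None
        else:
            self._idref = value
            self.id_ = None  # unset id_ if idref is present

    @property
    def timestamp(self):
        """Specifies a timestamp for the definition of this specific Package
        object.
        """
        return self._timestamp

    @timestamp.setter
    def timestamp(self, value):
        deprecated(value)
        self._timestamp = utils.dates.parse_value(value)

    @property
    def version(self):
        """The schematic version of this component.

        Note:
            This property refers to the version of the schema component type
            and should not be used for the purpose of content versioning.

        Default Value: '1.2'
        """
        return self._version

    @property
    def stix_header(self):
        """The :class:`.STIXHeader` section of the STIX Package."""
        return self._stix_header

    @stix_header.setter
    def stix_header(self, value):
        self._set_var(STIXHeader, try_cast=False, stix_header=value)

    @property
    def indicators(self):
        """The top-level :class:`.Indicator` collection.

        This behaves like a ``MutableSequence`` type.
        """
        return self._indicators

    @indicators.setter
    def indicators(self, value):
        self._indicators = Indicators(value)

    def add_indicator(self, indicator):
        """Adds an :class:`.Indicator` object to the :attr:`indicators`
        collection.
        """
        self.indicators.append(indicator)

    @property
    def campaigns(self):
        """The top-level :class:`.Campaign` collection.

        This behaves like a ``MutableSequence`` type.
        """
        return self._campaigns

    @campaigns.setter
    def campaigns(self, value):
        self._campaigns = Campaigns(value)

    def add_campaign(self, campaign):
        """Adds a :class:`.Campaign` object to the :attr:`campaigns`
        collection.
        """
        self.campaigns.append(campaign)

    @property
    def observables(self):
        """The top-level ``Observable`` collection.

        This behaves like a ``MutableSequence`` type.
        """
        return self._observables

    @observables.setter
    def observables(self, value):
        self._set_var(Observables, observables=value)

    def add_observable(self, observable):
        """Adds an ``Observable`` object to the :attr:`observables`
        collection.

        If `observable` is not an ``Observable`` instance, an effort will be
        made to convert it to one.
        """
        if not self.observables:
            self.observables = Observables(observables=observable)
        else:
            self.observables.add(observable)

    @property
    def incidents(self):
        """The top-level :class:`.Incident` collection.

        This behaves like a ``MutableSequence`` type.
        """
        return self._incidents

    @incidents.setter
    def incidents(self, value):
        self._incidents = Incidents(value)

    def add_incident(self, incident):
        """Adds an :class:`.Incident` object to the :attr:`incidents`
        collection.
        """
        self.incidents.append(incident)

    @property
    def threat_actors(self):
        """The top-level :class:`.ThreatActor` collection.

        This behaves like a ``MutableSequence`` type.
        """
        return self._threat_actors

    @threat_actors.setter
    def threat_actors(self, value):
        self._threat_actors = ThreatActors(value)

    def add_threat_actor(self, threat_actor):
        """Adds an :class:`.ThreatActor` object to the :attr:`threat_actors`
        collection.
        """
        self.threat_actors.append(threat_actor)

    @property
    def courses_of_action(self):
        """The top-level :class:`.CourseOfAction` collection.

        This behaves like a ``MutableSequence`` type.
        """
        return self._courses_of_action

    @courses_of_action.setter
    def courses_of_action(self, value):
        self._courses_of_action = CoursesOfAction(value)

    def add_course_of_action(self, course_of_action):
        """Adds a :class:`.CourseOfAction` object to the
        :attr:`courses_of_action` collection.
        """
        self.courses_of_action.append(course_of_action)

    @property
    def exploit_targets(self):
        """The top-level :class:`.ExploitTarget` collection.

        This behaves like a ``MutableSequence`` type.
        """
        return self._exploit_targets

    @exploit_targets.setter
    def exploit_targets(self, value):
        self._exploit_targets = ExploitTargets(value)

    def add_exploit_target(self, exploit_target):
        """Adds an :class:`.ExploitTarget` object to the
        :attr:`exploit_targets` collection.
        """
        self.exploit_targets.append(exploit_target)

    @property
    def ttps(self):
        """The top-level :class:`.TTP` collection.

        This behaves like a ``MutableSequence`` type.
        """
        return self._ttps

    @ttps.setter
    def ttps(self, value):
        # An existing TTPs container is adopted as-is rather than re-wrapped.
        if isinstance(value, TTPs):
            self._ttps = value
        else:
            self._ttps = TTPs(value)

    def add_ttp(self, ttp):
        """Adds a :class:`.TTP` object to the :attr:`ttps` collection."""
        self.ttps.append(ttp)

    @property
    def reports(self):
        """A collection of :class:`.Report` objects.

        This behaves like a ``MutableSequence`` object.
        """
        return self._reports

    @reports.setter
    def reports(self, value):
        self._reports = Reports(value)

    def add_report(self, report):
        """Adds a :class:`.Report` object to the :attr:`reports`
        collection.
        """
        self.reports.append(report)

    @property
    def related_packages(self):
        """**DEPRECATED**. A collection of :class:`.RelatedPackage` objects."""
        return self._related_packages

    @related_packages.setter
    def related_packages(self, value):
        if isinstance(value, RelatedPackages):
            self._related_packages = value
        else:
            self._related_packages = RelatedPackages(value)

    def add_related_package(self, related_package):
        """Adds a :class:`.RelatedPackage` object to the
        :attr:`related_packages` collection.
        """
        self.related_packages.append(related_package)

    def add(self, entity):
        """Adds `entity` to a top-level collection.

        For example, if `entity` is an Indicator object, the `entity` will be
        added to the ``indicators`` top-level collection. CybOX entities go to
        :attr:`observables`.

        Raises:
            TypeError: if `entity` is not of a type this package can hold at
                the top level.
        """
        if utils.is_cybox(entity):
            self.add_observable(entity)
            return

        # Dispatch on the exact class; subclasses are not matched.
        tlo_adds = {
            Campaign: self.add_campaign,
            CourseOfAction: self.add_course_of_action,
            ExploitTarget: self.add_exploit_target,
            Incident: self.add_incident,
            Indicator: self.add_indicator,
            ThreatActor: self.add_threat_actor,
            TTP: self.add_ttp,  # was add_threat_actor: a TTP ended up in threat_actors
            Report: self.add_report,
            Observable: self.add_observable,
        }

        try:
            add = tlo_adds[entity.__class__]
        except KeyError:
            error = "Cannot add type '{0}' to a top-level collection"
            error = error.format(type(entity))
            raise TypeError(error)

        # Outside the try so a KeyError raised by the handler itself is not
        # misreported as an unsupported type.
        add(entity)

    def to_obj(self, return_obj=None, ns_info=None):
        """Builds the generateDS binding object for this package.

        Args:
            return_obj: An existing binding object to fill in; a new
                ``STIXType`` is created when ``None``.
            ns_info: Namespace bookkeeping passed through to child
                ``to_obj`` calls.

        Returns:
            The populated binding object.
        """
        super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)

        if not return_obj:
            return_obj = self._binding_class()

        return_obj.id = self.id_
        return_obj.idref = self.idref
        # Always serialize as the current schema version, whatever was parsed.
        return_obj.version = STIXPackage._version  # noqa
        return_obj.timestamp = utils.dates.serialize_value(self.timestamp)

        # Empty collections are omitted from the output.
        if self.stix_header:
            return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info)
        if self.campaigns:
            return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
        if self.courses_of_action:
            return_obj.Courses_Of_Action = self.courses_of_action.to_obj(
                ns_info=ns_info)
        if self.exploit_targets:
            return_obj.Exploit_Targets = self.exploit_targets.to_obj(
                ns_info=ns_info)
        if self.indicators:
            return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
        if self.observables:
            return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
        if self.incidents:
            return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
        if self.threat_actors:
            return_obj.Threat_Actors = self.threat_actors.to_obj(
                ns_info=ns_info)
        if self.ttps:
            return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
        if self.related_packages:
            return_obj.Related_Packages = self.related_packages.to_obj(
                ns_info=ns_info)
        if self.reports:
            return_obj.Reports = self.reports.to_obj(ns_info=ns_info)

        return return_obj

    def to_dict(self):
        """Returns a dictionary representation with ``version`` pinned to
        the current schema version.
        """
        d = utils.to_dict(self)
        if 'version' in d:
            d['version'] = STIXPackage._version  # noqa
        return d

    @classmethod
    def from_obj(cls, obj, return_obj=None):
        """Builds a package from a generateDS binding object.

        Args:
            obj: The ``STIXType`` binding object to read from.
            return_obj: An existing instance to populate; a new one is
                created when ``None``.

        Returns:
            The populated :class:`STIXPackage`.
        """
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.id
        return_obj.idref = obj.idref
        return_obj.timestamp = obj.timestamp
        return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
        return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
        return_obj.courses_of_action = CoursesOfAction.from_obj(
            obj.Courses_Of_Action)
        return_obj.exploit_targets = ExploitTargets.from_obj(
            obj.Exploit_Targets)
        return_obj.indicators = Indicators.from_obj(obj.Indicators)
        return_obj.observables = Observables.from_obj(obj.Observables)
        return_obj.incidents = Incidents.from_obj(obj.Incidents)
        return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
        return_obj.ttps = TTPs.from_obj(obj.TTPs)
        return_obj.related_packages = RelatedPackages.from_obj(
            obj.Related_Packages)
        return_obj.reports = Reports.from_obj(obj.Reports)

        # Don't overwrite this unless passed in.
        if obj.version:
            return_obj._version = obj.version

        return return_obj

    @classmethod
    def from_dict(cls, dict_repr, return_obj=None):
        """Builds a package from its dictionary representation.

        Args:
            dict_repr: A ``dict`` such as :meth:`to_dict` produces.
            return_obj: An existing instance to populate; a new one is
                created when ``None``.

        Returns:
            The populated :class:`STIXPackage`.
        """
        if not return_obj:
            return_obj = cls()

        get = dict_repr.get
        return_obj.id_ = get('id')
        return_obj.idref = get('idref')
        return_obj.timestamp = get('timestamp')
        # A missing 'version' key falls back to the class default.
        return_obj._version = get('version', cls._version)
        return_obj.stix_header = STIXHeader.from_dict(get('stix_header'))
        return_obj.campaigns = Campaigns.from_dict(get('campaigns'))
        return_obj.courses_of_action = CoursesOfAction.from_dict(
            get('courses_of_action'))
        return_obj.exploit_targets = ExploitTargets.from_dict(
            get('exploit_targets'))
        return_obj.indicators = Indicators.from_dict(get('indicators'))
        return_obj.observables = Observables.from_dict(get('observables'))
        return_obj.incidents = Incidents.from_dict(get('incidents'))
        return_obj.threat_actors = ThreatActors.from_dict(get('threat_actors'))
        return_obj.ttps = TTPs.from_dict(get('ttps'))
        return_obj.related_packages = RelatedPackages.from_dict(
            get('related_packages'))
        return_obj.reports = Reports.from_dict(get('reports'))

        return return_obj

    @classmethod
    def from_xml(cls, xml_file, encoding=None):
        """Parses the `xml_file` file-like object and returns a
        :class:`STIXPackage` instance.

        Args:
            xml_file: A file, file-like object, etree._Element, or
                etree._ElementTree instance.
            encoding: The character encoding of the `xml_file` input. If
                ``None``, an attempt will be made to determine the input
                character encoding. Default is ``None``.

        Returns:
            An instance of :class:`STIXPackage`.
        """
        # NOTE(review): XML parsing (and therefore DTD / external-entity
        # handling) is delegated entirely to parser.EntityParser.
        entity_parser = parser.EntityParser()
        return entity_parser.parse_xml(xml_file, encoding=encoding)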
class STIXPackage(Cached, stix.Entity):
    """A STIX Package object.

    Args:
        id_ (optional): An identifier. If ``None``, a value will be generated
            via ``mixbox.idgen.create_id()``. If set, this will unset the
            ``idref`` property.
        idref: **DEPRECATED** An identifier reference. If set this will unset
            the ``id_`` property.
        timestamp: **DEPRECATED** A timestamp value. Can be an instance of
            ``datetime.datetime`` or ``str``.
        stix_header: A :class:`.STIXHeader` object.
        campaigns: A collection of :class:`.Campaign` objects.
        courses_of_action: A collection of :class:`.CourseOfAction` objects.
        exploit_targets: A collection of :class:`.ExploitTarget` objects.
        incidents: A collection of :class:`.Incident` objects.
        indicators: A collection of :class:`.Indicator` objects.
        observables: A ``cybox.core.Observables`` collection.
        threat_actors: A collection of :class:`.ThreatActor` objects.
        ttps: A collection of :class:`.TTP` objects.
        related_packages: **DEPRECATED**. A collection of
            :class:`.RelatedPackage` objects.
        reports: A collection of :class:`.Report` objects.
    """

    _binding = stix_core_binding
    _binding_class = _binding.STIXType
    _namespace = 'http://stix.mitre.org/stix-1'
    _version = "1.2"
    _ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2")

    def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
                 courses_of_action=None, exploit_targets=None, indicators=None,
                 observables=None, incidents=None, threat_actors=None,
                 ttps=None, campaigns=None, related_packages=None,
                 reports=None):
        # id_ first, then idref: a truthy idref clears id_ via its setter.
        self.id_ = id_ or idgen.create_id("Package")
        self.idref = idref
        self._version = STIXPackage._version
        self.stix_header = stix_header
        self.campaigns = campaigns
        self.courses_of_action = courses_of_action
        self.exploit_targets = exploit_targets
        self.observables = observables
        self.indicators = indicators
        self.incidents = incidents
        self.threat_actors = threat_actors
        self.ttps = ttps
        self.related_packages = related_packages
        self.reports = reports
        self.timestamp = timestamp

    @property
    def id_(self):
        """A globally unique identifier for this Package; generated when
        not supplied.
        """
        return self._id

    @id_.setter
    def id_(self, value):
        # Falsy values clear the id; a real id also clears any idref.
        self._id = value or None
        if value:
            self.idref = None

    @property
    def idref(self):
        """A reference to another Package identifier. Setting it clears
        ``id_``.
        """
        return self._idref

    @idref.setter
    def idref(self, value):
        deprecated(value)
        self._idref = value or None
        if value:
            self.id_ = None

    @property
    def timestamp(self):
        """Timestamp for the definition of this Package object."""
        return self._timestamp

    @timestamp.setter
    def timestamp(self, value):
        deprecated(value)
        self._timestamp = utils.dates.parse_value(value)

    @property
    def version(self):
        """The schematic version of this component (schema type version,
        not content versioning). Default Value: '1.2'
        """
        return self._version

    @property
    def stix_header(self):
        """The :class:`.STIXHeader` section of the STIX Package."""
        return self._stix_header

    @stix_header.setter
    def stix_header(self, value):
        self._set_var(STIXHeader, try_cast=False, stix_header=value)

    @property
    def indicators(self):
        """Top-level :class:`.Indicator` collection (``MutableSequence``-like)."""
        return self._indicators

    @indicators.setter
    def indicators(self, value):
        self._indicators = Indicators(value)

    def add_indicator(self, indicator):
        """Append an :class:`.Indicator` to :attr:`indicators`."""
        self.indicators.append(indicator)

    @property
    def campaigns(self):
        """Top-level :class:`.Campaign` collection (``MutableSequence``-like)."""
        return self._campaigns

    @campaigns.setter
    def campaigns(self, value):
        self._campaigns = Campaigns(value)

    def add_campaign(self, campaign):
        """Append a :class:`.Campaign` to :attr:`campaigns`."""
        self.campaigns.append(campaign)

    @property
    def observables(self):
        """Top-level ``Observable`` collection (``MutableSequence``-like)."""
        return self._observables

    @observables.setter
    def observables(self, value):
        self._set_var(Observables, observables=value)

    def add_observable(self, observable):
        """Append an ``Observable`` to :attr:`observables`, creating the
        container on first use. Non-``Observable`` input is handed to
        ``Observables`` for conversion.
        """
        if self.observables:
            self.observables.add(observable)
        else:
            self.observables = Observables(observables=observable)

    @property
    def incidents(self):
        """Top-level :class:`.Incident` collection (``MutableSequence``-like)."""
        return self._incidents

    @incidents.setter
    def incidents(self, value):
        self._incidents = Incidents(value)

    def add_incident(self, incident):
        """Append an :class:`.Incident` to :attr:`incidents`."""
        self.incidents.append(incident)

    @property
    def threat_actors(self):
        """Top-level :class:`.ThreatActor` collection (``MutableSequence``-like)."""
        return self._threat_actors

    @threat_actors.setter
    def threat_actors(self, value):
        self._threat_actors = ThreatActors(value)

    def add_threat_actor(self, threat_actor):
        """Append a :class:`.ThreatActor` to :attr:`threat_actors`."""
        self._threat_actors.append(threat_actor)

    @property
    def courses_of_action(self):
        """Top-level :class:`.CourseOfAction` collection (``MutableSequence``-like)."""
        return self._courses_of_action

    @courses_of_action.setter
    def courses_of_action(self, value):
        self._courses_of_action = CoursesOfAction(value)

    def add_course_of_action(self, course_of_action):
        """Append a :class:`.CourseOfAction` to :attr:`courses_of_action`."""
        self._courses_of_action.append(course_of_action)

    @property
    def exploit_targets(self):
        """Top-level :class:`.ExploitTarget` collection (``MutableSequence``-like)."""
        return self._exploit_targets

    @exploit_targets.setter
    def exploit_targets(self, value):
        self._exploit_targets = ExploitTargets(value)

    def add_exploit_target(self, exploit_target):
        """Append an :class:`.ExploitTarget` to :attr:`exploit_targets`."""
        self._exploit_targets.append(exploit_target)

    @property
    def ttps(self):
        """Top-level :class:`.TTP` collection (``MutableSequence``-like)."""
        return self._ttps

    @ttps.setter
    def ttps(self, value):
        # Adopt an existing TTPs container unchanged; wrap anything else.
        self._ttps = value if isinstance(value, TTPs) else TTPs(value)

    def add_ttp(self, ttp):
        """Append a :class:`.TTP` to :attr:`ttps`."""
        self.ttps.append(ttp)

    @property
    def reports(self):
        """Collection of :class:`.Report` objects (``MutableSequence``-like)."""
        return self._reports

    @reports.setter
    def reports(self, value):
        self._reports = Reports(value)

    def add_report(self, report):
        """Append a :class:`.Report` to :attr:`reports`."""
        self.reports.append(report)

    @property
    def related_packages(self):
        """**DEPRECATED**. A collection of :class:`.RelatedPackage` objects."""
        return self._related_packages

    @related_packages.setter
    def related_packages(self, value):
        if isinstance(value, RelatedPackages):
            self._related_packages = value
        else:
            self._related_packages = RelatedPackages(value)

    def add_related_package(self, related_package):
        """Append a :class:`.RelatedPackage` to :attr:`related_packages`."""
        self.related_packages.append(related_package)

    def add(self, entity):
        """Route `entity` to the top-level collection for its type.

        CybOX entities go to :attr:`observables`; STIX entities are matched
        on their exact class. Anything else raises ``TypeError``.
        """
        if utils.is_cybox(entity):
            self.add_observable(entity)
            return

        handlers = {
            Campaign: self.add_campaign,
            CourseOfAction: self.add_course_of_action,
            ExploitTarget: self.add_exploit_target,
            Incident: self.add_incident,
            Indicator: self.add_indicator,
            ThreatActor: self.add_threat_actor,
            TTP: self.add_ttp,
            Report: self.add_report,
            Observable: self.add_observable,
        }

        try:
            handler = handlers[entity.__class__]
            handler(entity)
        except KeyError:
            message = "Cannot add type '{0}' to a top-level collection"
            raise TypeError(message.format(type(entity)))

    def to_obj(self, return_obj=None, ns_info=None):
        """Populate (or create) the ``STIXType`` binding object for this
        package and return it. Empty collections are left out.
        """
        super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)

        if not return_obj:
            return_obj = self._binding_class()

        return_obj.id = self.id_
        return_obj.idref = self.idref
        return_obj.version = STIXPackage._version  # noqa
        return_obj.timestamp = utils.dates.serialize_value(self.timestamp)

        # (attribute on self, attribute on the binding), in output order.
        sections = (
            ("stix_header", "STIX_Header"),
            ("campaigns", "Campaigns"),
            ("courses_of_action", "Courses_Of_Action"),
            ("exploit_targets", "Exploit_Targets"),
            ("indicators", "Indicators"),
            ("observables", "Observables"),
            ("incidents", "Incidents"),
            ("threat_actors", "Threat_Actors"),
            ("ttps", "TTPs"),
            ("related_packages", "Related_Packages"),
            ("reports", "Reports"),
        )
        for attr_name, binding_name in sections:
            section = getattr(self, attr_name)
            if section:
                setattr(return_obj, binding_name, section.to_obj(ns_info=ns_info))

        return return_obj

    def to_dict(self):
        """Dictionary representation with ``version`` forced to the class
        default.
        """
        result = utils.to_dict(self)
        if 'version' in result:
            result['version'] = STIXPackage._version  # noqa
        return result

    @classmethod
    def from_obj(cls, obj, return_obj=None):
        """Build a package from a ``STIXType`` binding object; the parsed
        version is kept when present.
        """
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.id
        return_obj.idref = obj.idref
        return_obj.timestamp = obj.timestamp

        # (attribute on self, entity class, attribute on the binding).
        loaders = (
            ("stix_header", STIXHeader, "STIX_Header"),
            ("campaigns", Campaigns, "Campaigns"),
            ("courses_of_action", CoursesOfAction, "Courses_Of_Action"),
            ("exploit_targets", ExploitTargets, "Exploit_Targets"),
            ("indicators", Indicators, "Indicators"),
            ("observables", Observables, "Observables"),
            ("incidents", Incidents, "Incidents"),
            ("threat_actors", ThreatActors, "Threat_Actors"),
            ("ttps", TTPs, "TTPs"),
            ("related_packages", RelatedPackages, "Related_Packages"),
            ("reports", Reports, "Reports"),
        )
        for attr_name, entity_cls, binding_name in loaders:
            setattr(return_obj, attr_name,
                    entity_cls.from_obj(getattr(obj, binding_name)))

        # Don't overwrite this unless passed in.
        if obj.version:
            return_obj._version = obj.version

        return return_obj

    @classmethod
    def from_dict(cls, dict_repr, return_obj=None):
        """Build a package from its dictionary form; a missing ``version``
        falls back to the class default.
        """
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = dict_repr.get('id')
        return_obj.idref = dict_repr.get('idref')
        return_obj.timestamp = dict_repr.get('timestamp')
        return_obj._version = dict_repr.get('version', cls._version)

        # Dictionary key doubles as the attribute name.
        loaders = (
            ("stix_header", STIXHeader),
            ("campaigns", Campaigns),
            ("courses_of_action", CoursesOfAction),
            ("exploit_targets", ExploitTargets),
            ("indicators", Indicators),
            ("observables", Observables),
            ("incidents", Incidents),
            ("threat_actors", ThreatActors),
            ("ttps", TTPs),
            ("related_packages", RelatedPackages),
            ("reports", Reports),
        )
        for key, entity_cls in loaders:
            setattr(return_obj, key, entity_cls.from_dict(dict_repr.get(key)))

        return return_obj

    @classmethod
    def from_xml(cls, xml_file, encoding=None):
        """Parse `xml_file` (a file, file-like object, etree._Element or
        etree._ElementTree) into a :class:`STIXPackage`.

        `encoding` names the input character encoding; when ``None`` the
        parser attempts to detect it.
        """
        return parser.EntityParser().parse_xml(xml_file, encoding=encoding)
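class STIXPackage(stix.Entity):
    """A STIX 1.1.1 Package: the top-level container for STIX content.

    Args:
        id_: An identifier; generated with ``stix.utils.create_id("Package")``
            when omitted. Setting it clears ``idref``.
        idref: An identifier reference. Setting it clears ``id_``.
        timestamp: A timestamp value (parsed by ``dates.parse_value``). When
            omitted, the current UTC time is used unless ``idref`` is given,
            in which case the timestamp is ``None``.
        stix_header: A :class:`STIXHeader` instance, or ``None``.
        indicators, campaigns, incidents, threat_actors, courses_of_action,
        exploit_targets: a single entity or a list of entities of the
            matching type; any other type raises ``ValueError``.
        observables: A ``cybox.core.Observables`` instance, or ``None``.
        ttps: A :class:`TTPs` instance, a single TTP, or a list of TTPs.
    """

    _binding = stix_core_binding
    _binding_class = _binding.STIXType
    _namespace = 'http://stix.mitre.org/stix-1'
    _version = "1.1.1"

    def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
                 courses_of_action=None, exploit_targets=None, indicators=None,
                 observables=None, incidents=None, threat_actors=None,
                 ttps=None, campaigns=None):
        # id_ before idref: a truthy idref clears id_ through its setter.
        self.id_ = id_ or stix.utils.create_id("Package")
        self.idref = idref
        self.version = self._version
        self.stix_header = stix_header
        self.campaigns = campaigns
        self.courses_of_action = courses_of_action
        self.exploit_targets = exploit_targets
        self.observables = observables
        self.indicators = indicators
        self.incidents = incidents
        self.threat_actors = threat_actors
        self.ttps = ttps
        self.related_packages = RelatedPackages()

        if timestamp:
            self.timestamp = timestamp
        else:
            # A package that only references another one carries no timestamp.
            self.timestamp = datetime.now(tzutc()) if not idref else None

    @property
    def id_(self):
        """A globally unique identifier for this Package."""
        return self._id

    @id_.setter
    def id_(self, value):
        if not value:
            self._id = None
        else:
            self._id = value
            self.idref = None  # id and idref are mutually exclusive

    @property
    def idref(self):
        """A reference to another Package identifier."""
        return self._idref

    @idref.setter
    def idref(self, value):
        if not value:
            self._idref = None
        else:
            self._idref = value
            self.id_ = None  # unset id_ if idref is present

    @property
    def timestamp(self):
        """Timestamp for the definition of this Package, as parsed by
        ``dates.parse_value``.
        """
        return self._timestamp

    @timestamp.setter
    def timestamp(self, value):
        self._timestamp = dates.parse_value(value)

    @property
    def stix_header(self):
        """The :class:`STIXHeader` of this package, or ``None``."""
        return self._stix_header

    @stix_header.setter
    def stix_header(self, value):
        if value and not isinstance(value, STIXHeader):
            raise ValueError('value must be instance of STIXHeader')
        self._stix_header = value

    @property
    def indicators(self):
        """The list of :class:`Indicator` objects in this package."""
        return self._indicators

    @indicators.setter
    def indicators(self, value):
        # Assigning always starts from an empty list; None/empty leaves it empty.
        self._indicators = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_indicator(v)
        else:
            self.add_indicator(value)

    def add_indicator(self, indicator):
        """Append an :class:`Indicator`; falsy input is ignored.

        Raises:
            ValueError: if `indicator` is not an ``Indicator``.
        """
        if not indicator:
            return
        elif isinstance(indicator, Indicator):
            self.indicators.append(indicator)
        else:
            raise ValueError('indicator must be instance of stix.indicator.Indicator')

    @property
    def campaigns(self):
        """The list of :class:`Campaign` objects in this package."""
        return self._campaigns

    @campaigns.setter
    def campaigns(self, value):
        self._campaigns = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_campaign(v)
        else:
            self.add_campaign(value)

    def add_campaign(self, campaign):
        """Append a :class:`Campaign`; falsy input is ignored.

        Raises:
            ValueError: if `campaign` is not a ``Campaign``.
        """
        if not campaign:
            return
        elif isinstance(campaign, Campaign):
            self.campaigns.append(campaign)
        else:
            # Message previously named "indicator", copied from add_indicator.
            raise ValueError('campaign must be instance of stix.campaign.Campaign')

    @property
    def observables(self):
        """The ``cybox.core.Observables`` container of this package, or ``None``."""
        return self._observables

    @observables.setter
    def observables(self, value):
        if value and not isinstance(value, Observables):
            raise ValueError('value must be instance of cybox.core.Observables')
        self._observables = value

    def add_observable(self, observable):
        """Add an observable, creating the ``Observables`` container on
        first use.
        """
        if not self.observables:
            self.observables = Observables(observables=observable)
        else:
            self.observables.add(observable)

    @property
    def incidents(self):
        """The list of :class:`Incident` objects in this package."""
        return self._incidents

    @incidents.setter
    def incidents(self, value):
        self._incidents = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_incident(v)
        else:
            self.add_incident(value)

    def add_incident(self, incident):
        """Append an :class:`Incident`; falsy input is ignored.

        Raises:
            ValueError: if `incident` is not an ``Incident``.
        """
        if not incident:
            return
        elif isinstance(incident, Incident):
            self.incidents.append(incident)
        else:
            raise ValueError('Cannot add %s to incident list' % type(incident))

    @property
    def threat_actors(self):
        """The list of :class:`ThreatActor` objects in this package."""
        return self._threat_actors

    @threat_actors.setter
    def threat_actors(self, value):
        self._threat_actors = []
        if not value:
            return
        elif isinstance(value, list):
            for v in value:
                self.add_threat_actor(v)
        else:
            self.add_threat_actor(value)

    def add_threat_actor(self, threat_actor):
        """Append a :class:`ThreatActor`; falsy input is ignored.

        Raises:
            ValueError: if `threat_actor` is not a ``ThreatActor``.
        """
        if not threat_actor:
            return
        elif isinstance(threat_actor, ThreatActor):
            self._threat_actors.append(threat_actor)
        else:
            raise ValueError('Cannot add %s to threat actor list' % type(threat_actor))

    @property
    def courses_of_action(self):
        """The list of :class:`CourseOfAction` objects in this package."""
        return self._courses_of_action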
@courses_of_action.setter def courses_of_action(self, value): self._courses_of_action = [] if not value: return elif isinstance(value, list): for v in value: self.add_course_of_action(v) else: self.add_course_of_action(value) def add_course_of_action(self, course_of_action): if not course_of_action: return elif isinstance(course_of_action, CourseOfAction): self._courses_of_action.append(course_of_action) else: raise ValueError('Cannot add %s to course of action list' % type(course_of_action)) @property def exploit_targets(self): return self._exploit_targets @exploit_targets.setter def exploit_targets(self, value): self._exploit_targets = [] if not value: return elif isinstance(value, list): for v in value: self.add_exploit_target(v) else: self.add_exploit_target(value) def add_exploit_target(self, exploit_target): if not exploit_target: return elif isinstance(exploit_target, ExploitTarget): self._exploit_targets.append(exploit_target) else: raise ValueError('Cannot add %s to exploit target list' % type(exploit_target)) @property def ttps(self): return self._ttps @ttps.setter def ttps(self, value): if not value: self._ttps = TTPs() elif isinstance(value, TTPs): self._ttps = value elif isinstance(value, list): for v in value: self.add_ttp(v) else: self.add_ttp(value) def add_ttp(self, ttp): if not ttp: return if not self.ttps: self.ttps = TTPs() self.ttps.append(ttp) def to_obj(self, return_obj=None, ns_info=None): super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info) if not return_obj: return_obj = self._binding_class() return_obj.id = self.id_ return_obj.idref = self.idref return_obj.version = self.version return_obj.timestamp = dates.serialize_value(self.timestamp) if self.stix_header: return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info) if self.campaigns: coas_obj = self._binding.CampaignsType() coas_obj.Campaign = [x.to_obj(ns_info=ns_info) for x in self.campaigns] return_obj.Campaigns = coas_obj if self.courses_of_action: coas_obj 
= self._binding.CoursesOfActionType() coas_obj.Course_Of_Action = [x.to_obj(ns_info=ns_info) for x in self.courses_of_action] return_obj.Courses_Of_Action = coas_obj if self.exploit_targets: et_obj = stix_common_binding.ExploitTargetsType() et_obj.Exploit_Target = [x.to_obj(ns_info=ns_info) for x in self.exploit_targets] return_obj.Exploit_Targets = et_obj if self.indicators: indicators_obj = self._binding.IndicatorsType() indicators_obj.Indicator = [x.to_obj(ns_info=ns_info) for x in self.indicators] return_obj.Indicators = indicators_obj if self.observables: return_obj.Observables = self.observables.to_obj(ns_info=ns_info) if self.incidents: incidents_obj = self._binding.IncidentsType() incidents_obj.Incident = [x.to_obj(ns_info=ns_info) for x in self.incidents] return_obj.Incidents = incidents_obj if self.threat_actors: threat_actors_obj = self._binding.ThreatActorsType() threat_actors_obj.Threat_Actor = [x.to_obj(ns_info=ns_info) for x in self.threat_actors] return_obj.Threat_Actors = threat_actors_obj if self.ttps: return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info) if self.related_packages: return_obj.Related_Packages = self.related_packages.to_obj(ns_info=ns_info) return return_obj def to_dict(self): d = {} if self.id_: d['id'] = self.id_ if self.idref: d['idref'] = self.idref if self.version: d['version'] = self.version if self.idref: d['idref'] = self.idref if self.timestamp: d['timestamp'] = dates.serialize_value(self.timestamp) if self.stix_header: d['stix_header'] = self.stix_header.to_dict() if self.campaigns: d['campaigns'] = [x.to_dict() for x in self.campaigns] if self.courses_of_action: d['courses_of_action'] = [x.to_dict() for x in self.courses_of_action] if self.exploit_targets: d['exploit_targets'] = [x.to_dict() for x in self.exploit_targets] if self.indicators: d['indicators'] = [x.to_dict() for x in self.indicators] if self.observables: d['observables'] = self.observables.to_dict() if self.incidents: d['incidents'] = [x.to_dict() for x in 
self.incidents] if self.threat_actors: d['threat_actors'] = [x.to_dict() for x in self.threat_actors] if self.ttps: d['ttps'] = self.ttps.to_dict() if self.related_packages: d['related_packages'] = self.related_packages.to_dict() return d @classmethod def from_obj(cls, obj, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header) return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages) if obj.version: return_obj.version = obj.version if obj.Campaigns: return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign] if obj.Courses_Of_Action: return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action] if obj.Exploit_Targets: return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target] if obj.Indicators: return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator] if obj.Observables: return_obj.observables = Observables.from_obj(obj.Observables) if obj.Incidents: return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident] if obj.Threat_Actors: return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor] if obj.TTPs: return_obj.ttps = TTPs.from_obj(obj.TTPs) return return_obj @classmethod def from_dict(cls, dict_repr, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = dict_repr.get('id', None) return_obj.idref = dict_repr.get('idref', None) return_obj.timestamp = dict_repr.get('timestamp') return_obj.version = dict_repr.get('version', cls._version) return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header', None)) return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])] return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in 
dict_repr.get('courses_of_action', [])] return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])] return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])] return_obj.observables = Observables.from_dict(dict_repr.get('observables')) return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])] return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])] return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps')) return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages')) return return_obj @classmethod def from_xml(cls, xml_file, encoding=None): """Parses the `xml_file` file-like object and returns a :class:`STIXPackage` instance. Args: xml_file: A file, file-like object, etree._Element, or etree._ElementTree instance. encoding: The character encoding of the `xml_file` input. If ``None``, an attempt will be made to determine the input character encoding. Default is ``None``. Returns: An instance of :class:`STIXPackage`. """ parser = EntityParser() return parser.parse_xml(xml_file, encoding=encoding)