コード例 #1
    def from_obj(cls, obj, return_obj=None):
        """Populate a Course of Action API object from its binding object.

        Args:
            cls: API class used to build the result when ``return_obj``
                is not supplied.
            obj: binding object read through its ``get_*`` accessors; a
                falsy value short-circuits the conversion.
            return_obj: existing instance to fill in instead of a new one.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.
        """
        if not obj:
            return None
        coa = return_obj or cls()

        # Identifying fields common to every accepted binding type.
        coa.id_ = obj.get_id()
        coa.idref = obj.get_idref()
        coa.timestamp = obj.get_timestamp()

        # CourseOfActionType properties exist only on the concrete binding
        # class, so they are read behind the isinstance guard.
        if isinstance(obj, cls._binding_class):
            coa.version = obj.get_version() or cls._version
            coa.title = obj.get_Title()
            # (API attribute, binding getter, converting API class), in the
            # order the fields are read.
            converted = (
                ("stage", "get_Stage", VocabString),
                ("type_", "get_Type", VocabString),
                ("description", "get_Description", StructuredText),
                ("short_description", "get_Short_Description", StructuredText),
                ("objective", "get_Objective", Objective),
                ("parameter_observables", "get_Parameter_Observables", Observables),
                ("impact", "get_Impact", Statement),
                ("cost", "get_Cost", Statement),
                ("efficacy", "get_Efficacy", Statement),
                ("information_source", "get_Information_Source", InformationSource),
                ("handling", "get_Handling", Marking),
                ("related_coas", "get_Related_COAs", RelatedCOAs),
                ("related_packages", "get_Related_Packages", RelatedPackageRefs),
            )
            for api_attr, getter, api_cls in converted:
                setattr(coa, api_attr, api_cls.from_obj(getattr(obj, getter)()))

        return coa
コード例 #2
ファイル: CaplogMatch.py プロジェクト: geliefan/Python_mycode
def parse(xml_file):
    """Load a CybOX Observables document and return it as an API object.

    Args:
        xml_file: passed unchanged to ``cybox_core_binding.parse``.

    Returns:
        The ``Observables`` API object built from the parsed binding object.
    """
    # Build the binding object from the XML, then lift it into the API layer.
    binding = cybox_core_binding.parse(xml_file)
    return Observables.from_obj(binding)
コード例 #3
ファイル: __init__.py プロジェクト: Seevil/python-stix
    def from_obj(cls, obj, return_obj=None):
        """Convert a CourseOfActionType binding object into an API object.

        Args:
            cls: API class instantiated when no ``return_obj`` is given.
            obj: binding object to read from; falsy input yields ``None``.
            return_obj: optional pre-built instance to populate in place.

        Returns:
            The populated API object, or ``None`` for a falsy ``obj``.
        """
        if not obj:
            return None
        coa = return_obj if return_obj else cls()

        # Identifier fields shared by every binding type we accept.
        coa.id_ = obj.id
        coa.idref = obj.idref
        coa.timestamp = obj.timestamp

        # CourseOfActionType properties are only present on the concrete
        # binding class, so they are read behind an isinstance check.
        if isinstance(obj, cls._binding_class):
            coa.version = obj.version
            coa.title = obj.Title
            # Each entry: API attribute, binding attribute, converting class.
            field_map = (
                ("stage", "Stage", VocabString),
                ("type_", "Type", VocabString),
                ("description", "Description", StructuredText),
                ("short_description", "Short_Description", StructuredText),
                ("objective", "Objective", Objective),
                ("parameter_observables", "Parameter_Observables", Observables),
                ("impact", "Impact", Statement),
                ("cost", "Cost", Statement),
                ("efficacy", "Efficacy", Statement),
                ("information_source", "Information_Source", InformationSource),
                ("handling", "Handling", Marking),
                ("related_coas", "Related_COAs", RelatedCOAs),
                ("related_packages", "Related_Packages", RelatedPackageRefs),
            )
            for api_attr, binding_attr, api_cls in field_map:
                element = getattr(obj, binding_attr)
                setattr(coa, api_attr, api_cls.from_obj(element))

        return coa
コード例 #4
    def from_obj(cls, obj, return_obj=None):
        """Build a Course of Action API object from a binding object.

        Args:
            cls: API class whose instance is created when ``return_obj``
                is not provided.
            obj: binding object; a falsy value makes the method return
                ``None`` without touching ``return_obj``.
            return_obj: instance to populate instead of creating one.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.
        """
        if not obj:
            return None

        result = return_obj
        if not result:
            result = cls()

        # Base identifying fields.
        result.id_ = obj.id
        result.idref = obj.idref
        result.timestamp = obj.timestamp

        # CourseOfActionType properties: only readable on the concrete
        # binding class.
        if isinstance(obj, cls._binding_class):
            def convert(api_cls, binding_attr):
                # Lift one child element through its API class.
                return api_cls.from_obj(getattr(obj, binding_attr))

            result.version = obj.version
            result.title = obj.Title
            result.stage = convert(VocabString, "Stage")
            result.type_ = convert(VocabString, "Type")
            result.description = convert(StructuredText, "Description")
            result.short_description = convert(StructuredText, "Short_Description")
            result.objective = convert(Objective, "Objective")
            result.parameter_observables = convert(Observables, "Parameter_Observables")
            result.impact = convert(Statement, "Impact")
            result.cost = convert(Statement, "Cost")
            result.efficacy = convert(Statement, "Efficacy")
            result.information_source = convert(InformationSource, "Information_Source")
            result.handling = convert(Marking, "Handling")
            result.related_coas = convert(RelatedCOAs, "Related_COAs")
            result.related_packages = convert(RelatedPackageRefs, "Related_Packages")

        return result
コード例 #5
ファイル: parse_xml.py プロジェクト: tirkarthi/python-cybox
def parse(xml_file):
    """Parse a CybOX Observables XML document into an API object.

    Args:
        xml_file: handed unchanged to ``cybox_core_binding.parse``.

    Returns:
        The ``Observables`` built from the resulting binding object.
    """
    # Binding object first, then the python-cybox API object on top of it.
    return Observables.from_obj(cybox_core_binding.parse(xml_file))
コード例 #6
ファイル: stix_package.py プロジェクト: wagner-certat/csp
    def from_obj(cls, obj, return_obj=None):
        """Populate a STIX Package API object from its binding object.

        Args:
            cls: API class instantiated when ``return_obj`` is not given.
            obj: binding object; unlike some sibling ``from_obj`` methods
                there is no falsy-``obj`` guard, so ``None`` raises.
            return_obj: existing instance to populate instead of a new one.

        Returns:
            The populated package instance.
        """
        package = return_obj or cls()

        package.id_ = obj.id
        package.idref = obj.idref
        package.timestamp = obj.timestamp

        # Child sections, each lifted through its own API class. The
        # binding attribute names differ from the API attribute names.
        sections = (
            ("stix_header", STIXHeader, "STIX_Header"),
            ("campaigns", Campaigns, "Campaigns"),
            ("courses_of_action", CoursesOfAction, "Courses_Of_Action"),
            ("exploit_targets", ExploitTargets, "Exploit_Targets"),
            ("indicators", Indicators, "Indicators"),
            ("observables", Observables, "Observables"),
            ("incidents", Incidents, "Incidents"),
            ("threat_actors", ThreatActors, "Threat_Actors"),
            ("ttps", TTPs, "TTPs"),
            ("related_packages", RelatedPackages, "Related_Packages"),
        )
        for api_attr, api_cls, binding_attr in sections:
            setattr(package, api_attr, api_cls.from_obj(getattr(obj, binding_attr)))

        # Keep whatever version the instance already has unless the binding
        # carries one.
        if obj.version:
            package.version = obj.version

        return package
コード例 #7
ファイル: __init__.py プロジェクト: chongkim/python-stix
    def from_obj(cls, obj, return_obj=None):
        """Create a Course of Action API object from a binding object.

        Args:
            cls: API class used when ``return_obj`` is absent.
            obj: binding object accessed via its ``get_*`` methods; a
                falsy value returns ``None`` immediately.
            return_obj: optional instance to fill in instead of a new one.

        Returns:
            The populated instance, or ``None`` for a falsy ``obj``.
        """
        if not obj:
            return None

        coa = return_obj
        if not coa:
            coa = cls()

        # Fields every accepted binding type provides.
        coa.id_ = obj.get_id()
        coa.idref = obj.get_idref()
        coa.timestamp = obj.get_timestamp()

        # CourseOfActionType properties live only on the concrete binding.
        if isinstance(obj, cls._binding_class):
            def lift(api_cls, getter_name):
                # Call the named binding getter and convert its result.
                return api_cls.from_obj(getattr(obj, getter_name)())

            coa.version = obj.get_version() or cls._version
            coa.title = obj.get_Title()
            coa.stage = lift(VocabString, "get_Stage")
            coa.type_ = lift(VocabString, "get_Type")
            coa.description = lift(StructuredText, "get_Description")
            coa.short_description = lift(StructuredText, "get_Short_Description")
            coa.objective = lift(Objective, "get_Objective")
            coa.parameter_observables = lift(Observables, "get_Parameter_Observables")
            coa.impact = lift(Statement, "get_Impact")
            coa.cost = lift(Statement, "get_Cost")
            coa.efficacy = lift(Statement, "get_Efficacy")
            coa.information_source = lift(InformationSource, "get_Information_Source")
            coa.handling = lift(Marking, "get_Handling")
            coa.related_coas = lift(RelatedCOAs, "get_Related_COAs")
            coa.related_packages = lift(RelatedPackageRefs, "get_Related_Packages")

        return coa
コード例 #8
def parse(xml_file):
    """Turn a CybOX Observables XML document into an ``Observables`` object.

    Args:
        xml_file: forwarded as-is to ``cybox_core_binding.parse``.

    Returns:
        The python-cybox ``Observables`` built from the binding object.
    """
    binding_obj = cybox_core_binding.parse(xml_file)  # binding object from XML
    return Observables.from_obj(binding_obj)  # API object from binding
コード例 #9
ファイル: __init__.py プロジェクト: xakon/python-stix
    def from_obj(cls, obj, return_obj=None):
        """Populate a Report API object from its binding object.

        Args:
            cls: API class instantiated when ``return_obj`` is not given.
            obj: binding object; there is no falsy-``obj`` guard here, so
                the ReportBaseType fields are always read from it.
            return_obj: existing instance to populate in place.

        Returns:
            The populated report instance.
        """
        report = return_obj or cls()

        # ReportBaseType fields
        report.id_ = obj.id
        report.idref = obj.idref
        report.timestamp = obj.timestamp

        # ReportType fields: only available on the concrete binding class.
        if isinstance(obj, cls._binding_class):
            sections = (
                ("header", Header, "Header"),
                ("campaigns", Campaigns, "Campaigns"),
                ("courses_of_action", CoursesOfAction, "Courses_Of_Action"),
                ("exploit_targets", ExploitTargets, "Exploit_Targets"),
                ("indicators", Indicators, "Indicators"),
                ("observables", Observables, "Observables"),
                ("incidents", Incidents, "Incidents"),
                ("threat_actors", ThreatActors, "Threat_Actors"),
                ("ttps", TTPs, "TTPs"),
                ("related_reports", RelatedReports, "Related_Reports"),
            )
            for api_attr, api_cls, binding_attr in sections:
                setattr(report, api_attr, api_cls.from_obj(getattr(obj, binding_attr)))

            # Don't overwrite unless a version is passed in
            if obj.version:
                report.version = obj.version

        return report
コード例 #10
    def from_obj(cls, obj, return_obj=None):
        """Populate a STIX Package API object from a getter-style binding.

        Args:
            cls: API class instantiated when ``return_obj`` is not given.
            obj: binding object read via its ``get_*`` accessors; no
                falsy-``obj`` guard is applied.
            return_obj: existing instance to populate in place.

        Returns:
            The populated package instance.
        """
        package = return_obj or cls()

        package.id_ = obj.get_id()
        package.idref = obj.get_idref()
        package.timestamp = obj.get_timestamp()
        package.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
        package.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())

        # Only override the instance's version when the binding carries one.
        if obj.get_version():
            package.version = obj.get_version()

        # Optional sections, read in the original order. An item getter of
        # None means the container itself is converted rather than its
        # children being converted one by one into a list.
        sections = (
            ("campaigns", "get_Campaigns", "get_Campaign", Campaign),
            ("courses_of_action", "get_Courses_Of_Action", "get_Course_Of_Action", CourseOfAction),
            ("exploit_targets", "get_Exploit_Targets", "get_Exploit_Target", ExploitTarget),
            ("indicators", "get_Indicators", "get_Indicator", Indicator),
            ("observables", "get_Observables", None, Observables),
            ("incidents", "get_Incidents", "get_Incident", Incident),
            ("threat_actors", "get_Threat_Actors", "get_Threat_Actor", ThreatActor),
            ("ttps", "get_TTPs", None, TTPs),
        )
        for api_attr, container_getter, item_getter, api_cls in sections:
            container = getattr(obj, container_getter)()
            if not container:
                continue
            if item_getter is None:
                value = api_cls.from_obj(container)
            else:
                children = getattr(container, item_getter)()
                value = [api_cls.from_obj(child) for child in children]
            setattr(package, api_attr, value)

        return package
コード例 #11
ファイル: __init__.py プロジェクト: thurday/python-stix
    def from_obj(cls, obj, return_obj=None):
        """Build a CourseOfAction API object from its binding object.

        The shared base fields are delegated to the parent class's
        ``from_obj``; only CourseOfActionType properties are handled here.

        Args:
            cls: API class instantiated when ``return_obj`` is not given.
            obj: binding object; a falsy value returns ``None``.
            return_obj: optional instance to populate in place.

        Returns:
            The populated instance, or ``None`` for a falsy ``obj``.
        """
        if not obj:
            return None

        coa = return_obj or cls()

        # Let the base class fill in the fields it owns first.
        super(CourseOfAction, cls).from_obj(obj, return_obj=coa)

        # CourseOfActionType properties: (API attribute, binding attribute,
        # converting API class), read in the original order.
        if isinstance(obj, cls._binding_class):
            coa.title = obj.Title
            field_map = (
                ("stage", "Stage", VocabString),
                ("type_", "Type", VocabString),
                ("objective", "Objective", Objective),
                ("parameter_observables", "Parameter_Observables", Observables),
                ("impact", "Impact", Statement),
                ("cost", "Cost", Statement),
                ("efficacy", "Efficacy", Statement),
                ("related_coas", "Related_COAs", RelatedCOAs),
                ("related_packages", "Related_Packages", related.RelatedPackageRefs),
                ("structured_coa", "Structured_COA", _BaseStructuredCOA),
            )
            for api_attr, binding_attr, api_cls in field_map:
                setattr(coa, api_attr, api_cls.from_obj(getattr(obj, binding_attr)))

        return coa
コード例 #12
ファイル: __init__.py プロジェクト: thurday/python-stix
    def from_obj(cls, obj, return_obj=None):
        """Create a Report API object from its binding object.

        Args:
            cls: API class used when ``return_obj`` is absent.
            obj: binding object; no falsy-``obj`` guard is applied, so the
                base fields are always read from it.
            return_obj: existing instance to populate in place.

        Returns:
            The populated report instance.
        """
        report = return_obj
        if not report:
            report = cls()

        # ReportBaseType fields
        report.id_ = obj.id
        report.idref = obj.idref
        report.timestamp = obj.timestamp

        # ReportType fields
        if isinstance(obj, cls._binding_class):
            def lift(api_cls, binding_attr):
                # Convert one child section through its API class.
                return api_cls.from_obj(getattr(obj, binding_attr))

            report.header = lift(Header, "Header")
            report.campaigns = lift(Campaigns, "Campaigns")
            report.courses_of_action = lift(CoursesOfAction, "Courses_Of_Action")
            report.exploit_targets = lift(ExploitTargets, "Exploit_Targets")
            report.indicators = lift(Indicators, "Indicators")
            report.observables = lift(Observables, "Observables")
            report.incidents = lift(Incidents, "Incidents")
            report.threat_actors = lift(ThreatActors, "Threat_Actors")
            report.ttps = lift(TTPs, "TTPs")
            report.related_reports = lift(RelatedReports, "Related_Reports")

            # Don't overwrite unless a version is passed in
            if obj.version:
                report.version = obj.version

        return report
コード例 #13
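def main():
    """Translate an OpenIOC file into a STIX Package and write it as XML.

    Command line: ``-i <openioc file> -o <output file>`` (read directly
    from ``sys.argv``). Calls ``usage()`` and exits with status 1 when
    fewer than four arguments are given; also exits with status 1 when the
    input file does not exist or the translation raises, printing the error
    and traceback in the latter case.
    """
    infilename = ''
    outfilename = ''

    # Get the command-line arguments
    args = sys.argv[1:]

    if len(args) < 4:
        usage()
        sys.exit(1)

    # Walk flag/value pairs. The last element can never be a flag that still
    # has a value after it, so stop one short to avoid an IndexError on a
    # dangling "-i"/"-o".
    for i, arg in enumerate(args[:-1]):
        if arg == '-i':
            infilename = args[i + 1]
        elif arg == '-o':
            outfilename = args[i + 1]

    if not os.path.isfile(infilename):
        # Previously a missing input produced no output and exit status 0.
        print('\nError: input file not found: %s\n' % infilename)
        sys.exit(1)

    try:
        # Perform the translation using the methods from the OpenIOC to CybOX Script
        openioc_indicators = openioc.parse(infilename)
        observables_obj = openioc_to_cybox.generate_cybox(openioc_indicators, infilename, True)
        observables_cls = Observables.from_obj(observables_obj)

        # Set the namespace to be used in the STIX Package
        stix.utils.set_id_namespace({"https://github.com/STIXProject/openioc-to-stix": "openiocToSTIX"})

        # Wrap the created Observables in a STIX Package/Indicator
        stix_package = STIXPackage()
        # Add the OpenIOC namespace
        stix_package.__input_namespaces__ = {"http://openioc.org/": "openioc"}

        # One Indicator per Observable, each carrying the Observable that
        # produced it (the loop used to attach observables[0] every time).
        for observable in observables_cls.observables:
            producer_dict = {
                'tools': [{'name': 'OpenIOC to STIX Utility', 'version': str(__VERSION__)}],
            }
            indicator_dict = {
                'producer': producer_dict,
                'title': "CybOX-represented Indicator Created from OpenIOC File",
            }
            indicator = Indicator.from_dict(indicator_dict)
            indicator.add_observable(observable)
            stix_package.add_indicator(indicator)

        # Create and write the STIX Header
        stix_header = STIXHeader()
        stix_header.package_intent = "Indicators - Malware Artifacts"
        stix_header.description = "CybOX-represented Indicators Translated from OpenIOC File"
        stix_package.stix_header = stix_header

        # Write the generated STIX Package as XML to the output file; the
        # context manager closes the file even if to_xml() raises.
        with open(outfilename, 'w') as outfile:
            # Ignore any warnings - temporary fix for no schemaLocation w/
            # namespace. catch_warnings() restores the filters on exit.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                outfile.write(stix_package.to_xml())
    except Exception as err:
        print('\nError: %s\n' % str(err))
        traceback.print_exc()
        sys.exit(1)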
コード例 #14
ファイル: __init__.py プロジェクト: xakon/python-stix
    def from_obj(cls, obj, return_obj=None):
        """Populate a CourseOfAction API object from its binding object.

        Base fields are filled by the parent class's ``from_obj``; this
        method adds the CourseOfActionType properties.

        Args:
            cls: API class used when ``return_obj`` is absent.
            obj: binding object; a falsy value returns ``None``.
            return_obj: optional instance to populate in place.

        Returns:
            The populated instance, or ``None`` for a falsy ``obj``.
        """
        if not obj:
            return None

        coa = return_obj
        if not coa:
            coa = cls()

        # Base-class fields first.
        super(CourseOfAction, cls).from_obj(obj, return_obj=coa)

        # CourseOfActionType properties
        if isinstance(obj, cls._binding_class):
            def lift(api_cls, binding_attr):
                # Convert one child element through its API class.
                return api_cls.from_obj(getattr(obj, binding_attr))

            coa.title = obj.Title
            coa.stage = lift(VocabString, "Stage")
            coa.type_ = lift(VocabString, "Type")
            coa.objective = lift(Objective, "Objective")
            coa.parameter_observables = lift(Observables, "Parameter_Observables")
            coa.impact = lift(Statement, "Impact")
            coa.cost = lift(Statement, "Cost")
            coa.efficacy = lift(Statement, "Efficacy")
            coa.related_coas = lift(RelatedCOAs, "Related_COAs")
            coa.related_packages = lift(related.RelatedPackageRefs, "Related_Packages")
            coa.structured_coa = lift(_BaseStructuredCOA, "Structured_COA")

        return coa
コード例 #15
ファイル: stix_package.py プロジェクト: norsecorp/python-stix
    def from_obj(cls, obj, return_obj=None):
        """Populate a STIX Package API object from its binding object.

        Args:
            cls: API class instantiated when ``return_obj`` is not given.
            obj: binding object read via attribute access; no falsy-``obj``
                guard is applied.
            return_obj: existing instance to populate in place.

        Returns:
            The populated package instance.
        """
        package = return_obj or cls()

        package.id_ = obj.id
        package.idref = obj.idref
        package.timestamp = obj.timestamp
        package.stix_header = STIXHeader.from_obj(obj.STIX_Header)
        package.related_packages = RelatedPackages.from_obj(obj.Related_Packages)

        # Only override the instance's version when the binding carries one.
        if obj.version:
            package.version = obj.version

        # Optional sections in the original order. A None child attribute
        # means the container itself is converted; otherwise each child is
        # converted into a list entry.
        sections = (
            ("campaigns", "Campaigns", "Campaign", Campaign),
            ("courses_of_action", "Courses_Of_Action", "Course_Of_Action", CourseOfAction),
            ("exploit_targets", "Exploit_Targets", "Exploit_Target", ExploitTarget),
            ("indicators", "Indicators", "Indicator", Indicator),
            ("observables", "Observables", None, Observables),
            ("incidents", "Incidents", "Incident", Incident),
            ("threat_actors", "Threat_Actors", "Threat_Actor", ThreatActor),
            ("ttps", "TTPs", None, TTPs),
        )
        for api_attr, container_attr, child_attr, api_cls in sections:
            container = getattr(obj, container_attr)
            if not container:
                continue
            if child_attr is None:
                value = api_cls.from_obj(container)
            else:
                value = [api_cls.from_obj(child) for child in getattr(container, child_attr)]
            setattr(package, api_attr, value)

        return package
コード例 #16
    def test_round_trip_xml(self):
        """Round-trip a NetworkPacket through XML and compare the dict form."""
        packet = NetworkPacket.from_dict(self._full_dict)
        serialized = Observables(packet).to_xml()

        # Parse the XML back and pull out the first observable's properties.
        round_tripped = Observables.from_obj(parseString(serialized))
        properties = round_tripped.observables[0].object_.properties

        self.maxDiff = None
        self.assertEqual(self._full_dict, properties.to_dict())
コード例 #17
    def test_round_trip_xml(self):
        """Round-trip a NetworkPacket through XML (no encoding) and compare."""
        packet = NetworkPacket.from_dict(self._full_dict)
        serialized = Observables(packet).to_xml(encoding=None)

        # Parse the XML back and pull out the first observable's properties.
        round_tripped = Observables.from_obj(parseString(serialized))
        properties = round_tripped.observables[0].object_.properties

        self.maxDiff = None
        self.assertEqual(self._full_dict, properties.to_dict())
コード例 #18
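def main():
    """Translate an OpenIOC file into a STIX Package and write it as XML.

    Command line: ``-i <openioc file> -o <output file>`` (read directly
    from ``sys.argv``). Calls ``usage()`` and exits with status 1 when
    fewer than four arguments are given; also exits with status 1 when the
    input file does not exist or the translation raises, printing the error
    and traceback in the latter case.
    """
    infilename = ''
    outfilename = ''

    # Get the command-line arguments
    args = sys.argv[1:]

    if len(args) < 4:
        usage()
        sys.exit(1)

    # Walk flag/value pairs; stopping one short avoids an IndexError when
    # "-i" or "-o" is the last argument.
    for i, arg in enumerate(args[:-1]):
        if arg == '-i':
            infilename = args[i + 1]
        elif arg == '-o':
            outfilename = args[i + 1]

    if not os.path.isfile(infilename):
        # Previously a missing input produced no output and exit status 0.
        print('\nError: input file not found: %s\n' % infilename)
        sys.exit(1)

    try:
        # Perform the translation using the methods from the OpenIOC to CybOX Script
        openioc_indicators = openioc.parse(infilename)
        observables_obj = openioc_to_cybox.generate_cybox(
            openioc_indicators, infilename, True)
        observables_cls = Observables.from_obj(observables_obj)

        # Wrap the created Observables in a STIX Package/Indicator
        stix_package = STIXPackage()

        # One Indicator per Observable, each carrying the Observable that
        # produced it (the loop used to attach observables[0] every time).
        for observable in observables_cls.observables:
            producer_dict = {
                'tools': [{
                    'name': 'OpenIOC to STIX Utility',
                    'version': str(__VERSION__)
                }],
            }
            indicator_dict = {
                'producer': producer_dict,
                'title': "CybOX-represented Indicator Created from OpenIOC File",
            }
            indicator = Indicator.from_dict(indicator_dict)
            indicator.add_observable(observable)
            stix_package.add_indicator(indicator)

        # Create and write the STIX Header
        stix_header = STIXHeader()
        stix_header.package_intent = "Indicators - Malware Artifacts"
        stix_header.description = "CybOX-represented Indicators Translated from OpenIOC File"
        stix_package.stix_header = stix_header

        # Write the generated STIX Package as XML to the output file; the
        # context manager closes the file even if to_xml() raises.
        with open(outfilename, 'w') as outfile:
            outfile.write(stix_package.to_xml())
    except Exception as err:
        print('\nError: %s\n' % str(err))
        traceback.print_exc()
        sys.exit(1)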
コード例 #19
    def from_obj(cls, obj, return_obj=None):
        """Build a victim-targeting API object from its binding object.

        Args:
            cls: API class used when ``return_obj`` is absent.
            obj: binding object; a falsy value returns ``None``.
            return_obj: optional instance to populate in place.

        Returns:
            The populated instance, or ``None`` for a falsy ``obj``.
        """
        if not obj:
            return None
        victim = return_obj or cls()

        # (API attribute, converting API class, binding attribute)
        field_map = (
            ("identity", Identity, "Identity"),
            ("targeted_technical_details", Observables, "Targeted_Technical_Details"),
            ("targeted_systems", TargetedSystems, "Targeted_Systems"),
            ("targeted_information", TargetedInformation, "Targeted_Information"),
        )
        for api_attr, api_cls, binding_attr in field_map:
            setattr(victim, api_attr, api_cls.from_obj(getattr(obj, binding_attr)))

        return victim
コード例 #20
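def main():
    """Translate an OpenIOC file into a STIX Package and write it as XML.

    Command line: ``-i <openioc file> -o <output file>`` (read directly
    from ``sys.argv``). Calls ``usage()`` and exits with status 1 when
    fewer than four arguments are given; also exits with status 1 when the
    input file does not exist or the translation raises, printing the error
    and traceback in the latter case.
    """
    infilename = ''
    outfilename = ''

    # Get the command-line arguments
    args = sys.argv[1:]

    if len(args) < 4:
        usage()
        sys.exit(1)

    # Walk flag/value pairs; stopping one short avoids an IndexError when
    # "-i" or "-o" is the last argument.
    for i, arg in enumerate(args[:-1]):
        if arg == '-i':
            infilename = args[i + 1]
        elif arg == '-o':
            outfilename = args[i + 1]

    if not os.path.isfile(infilename):
        # Previously a missing input produced no output and exit status 0.
        print('\nError: input file not found: %s\n' % infilename)
        sys.exit(1)

    try:
        # Perform the translation using the methods from the OpenIOC to CybOX Script
        openioc_indicators = openioc.parse(infilename)
        observables_obj = openioc_to_cybox.generate_cybox(openioc_indicators, infilename, True)
        observables_cls = Observables.from_obj(observables_obj)

        # Wrap the created Observables in a STIX Package/Indicator
        stix_package = STIXPackage()

        # One Indicator per Observable, each carrying the Observable that
        # produced it (the loop used to attach observables[0] every time).
        for observable in observables_cls.observables:
            producer_dict = {
                'tools': [{'name': 'OpenIOC to STIX Utility', 'version': str(__VERSION__)}],
            }
            indicator_dict = {
                'producer': producer_dict,
                'title': "CybOX-represented Indicator Created from OpenIOC File",
            }
            indicator = Indicator.from_dict(indicator_dict)
            indicator.add_observable(observable)
            stix_package.add_indicator(indicator)

        # Create and write the STIX Header
        stix_header = STIXHeader()
        stix_header.package_intent = "Indicators - Malware Artifacts"
        stix_header.description = "CybOX-represented Indicators Translated from OpenIOC File"
        stix_package.stix_header = stix_header

        # Write the generated STIX Package as XML to the output file; the
        # context manager closes the file even if to_xml() raises.
        with open(outfilename, 'w') as outfile:
            outfile.write(stix_package.to_xml())
    except Exception as err:
        print('\nError: %s\n' % str(err))
        traceback.print_exc()
        sys.exit(1)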
コード例 #21
    def from_obj(cls, obj, return_obj=None):
        """Populate a STIX Package API object from a getter-style binding.

        Args:
            cls: API class instantiated when ``return_obj`` is not given.
            obj: binding object read via its ``get_*`` accessors; no
                falsy-``obj`` guard is applied.
            return_obj: existing instance to populate in place.

        Returns:
            The populated package instance.
        """
        package = return_obj
        if not package:
            package = cls()

        def lift_each(container, item_getter, api_cls):
            # Convert every child returned by the container's item getter.
            return [api_cls.from_obj(x) for x in getattr(container, item_getter)()]

        package.id_ = obj.get_id()
        package.idref = obj.get_idref()
        package.timestamp = obj.get_timestamp()
        package.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
        package.related_packages = RelatedPackages.from_obj(
            obj.get_Related_Packages())

        # Each optional section is only assigned when the binding has it.
        version = obj.get_version()
        if version:
            package.version = version

        campaigns = obj.get_Campaigns()
        if campaigns:
            package.campaigns = lift_each(campaigns, "get_Campaign", Campaign)

        coas = obj.get_Courses_Of_Action()
        if coas:
            package.courses_of_action = lift_each(
                coas, "get_Course_Of_Action", CourseOfAction)

        exploit_targets = obj.get_Exploit_Targets()
        if exploit_targets:
            package.exploit_targets = lift_each(
                exploit_targets, "get_Exploit_Target", ExploitTarget)

        indicators = obj.get_Indicators()
        if indicators:
            package.indicators = lift_each(indicators, "get_Indicator", Indicator)

        observables = obj.get_Observables()
        if observables:
            package.observables = Observables.from_obj(observables)

        incidents = obj.get_Incidents()
        if incidents:
            package.incidents = lift_each(incidents, "get_Incident", Incident)

        threat_actors = obj.get_Threat_Actors()
        if threat_actors:
            package.threat_actors = lift_each(
                threat_actors, "get_Threat_Actor", ThreatActor)

        ttps = obj.get_TTPs()
        if ttps:
            package.ttps = TTPs.from_obj(ttps)

        return package
コード例 #22
ファイル: se_07.py プロジェクト: 2xyo/python-cybox
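def main(fn='se_07.xml'):
    """Round-trip a CybOX Observables document: XML -> API -> dict -> API -> XML.

    Prints the intermediate dictionary and the regenerated XML. Uses the
    ``print()`` function form, which is valid on both Python 2 and 3 for a
    single argument; the original ``print`` statements were Python 2 only.

    Args:
        fn: path of the input XML document; defaults to ``se_07.xml`` so
            existing callers are unaffected.
    """
    print("parsing input xml document...")
    observables_obj = cybox_core_binding.parse(fn)  # build a binding object
    observables = Observables.from_obj(observables_obj)  # api object from binding
    observables_dict = observables.to_dict()  # dictionary from api object

    pprint(observables_dict)

    print("building xml from dictionary...")

    observables_two = Observables.from_dict(observables_dict)  # copy api object from dictionary
    xml = observables_two.to_xml()  # generate xml from copied api object
    print(xml)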
コード例 #23
    def from_obj(cls, obj, return_obj=None):
        """Build a victim-targeting API object from its binding object.

        Args:
            cls: API class used when ``return_obj`` is absent.
            obj: binding object; a falsy value returns ``None``.
            return_obj: optional instance to populate in place.

        Returns:
            The populated instance, or ``None`` for a falsy ``obj``.
        """
        if not obj:
            return None
        victim = return_obj or cls()

        victim.identity = Identity.from_obj(obj.Identity)
        victim.targeted_technical_details = Observables.from_obj(obj.Targeted_Technical_Details)

        # The two vocab lists are only assigned when the binding has them.
        systems = obj.Targeted_Systems
        if systems:
            victim.targeted_systems = list(map(VocabString.from_obj, systems))
        information = obj.Targeted_Information
        if information:
            victim.targeted_information = list(map(VocabString.from_obj, information))

        return victim
コード例 #24
    def from_obj(cls, obj, return_obj=None):
        """Populate a victim-targeting API object from its binding object.

        Args:
            cls: API class instantiated when ``return_obj`` is not given.
            obj: binding object; a falsy value returns ``None``.
            return_obj: optional instance to populate in place.

        Returns:
            The populated instance, or ``None`` for a falsy ``obj``.
        """
        if not obj:
            return None

        victim = return_obj
        if not victim:
            victim = cls()

        def lift(api_cls, binding_attr):
            # Convert one child element through its API class.
            return api_cls.from_obj(getattr(obj, binding_attr))

        victim.identity = lift(Identity, "Identity")
        victim.targeted_technical_details = lift(Observables, "Targeted_Technical_Details")
        victim.targeted_systems = lift(TargetedSystems, "Targeted_Systems")
        victim.targeted_information = lift(TargetedInformation, "Targeted_Information")

        return victim
コード例 #25
    def from_obj(cls, obj, return_obj=None):
        """Build a victim-targeting API object from a getter-style binding.

        Args:
            cls: API class used when ``return_obj`` is absent.
            obj: binding object read via its ``get_*`` accessors; a falsy
                value returns ``None``.
            return_obj: optional instance to populate in place.

        Returns:
            The populated instance, or ``None`` for a falsy ``obj``.
        """
        if not obj:
            return None
        victim = return_obj or cls()

        victim.identity = Identity.from_obj(obj.get_Identity())
        victim.targeted_technical_details = Observables.from_obj(obj.get_Targeted_Technical_Details())

        # Vocab lists are only assigned when the binding has entries.
        systems = obj.get_Targeted_Systems()
        if systems:
            victim.targeted_systems = list(map(VocabString.from_obj, systems))
        information = obj.get_Targeted_Information()
        if information:
            victim.targeted_information = list(map(VocabString.from_obj, information))

        return victim
コード例 #26
    def from_obj(cls, obj, return_obj=None):
        """Build an Infrastructure API object from a getter-style binding.

        Args:
            cls: API class used when ``return_obj`` is absent.
            obj: binding object read via its ``get_*`` accessors; a falsy
                value returns ``None``.
            return_obj: optional instance to populate in place.

        Returns:
            The populated instance, or ``None`` for a falsy ``obj``.
        """
        if not obj:
            return None
        infra = return_obj or cls()

        infra.id_ = obj.get_id()
        infra.title = obj.get_Title()
        infra.description = StructuredText.from_obj(obj.get_Description())
        infra.short_description = StructuredText.from_obj(obj.get_Short_Description())
        infra.observable_characterization = Observables.from_obj(obj.get_Observable_Characterization())

        # Types are only assigned when the binding has entries.
        types = obj.get_Type()
        if types:
            infra.types = list(map(AttackerInfrastructureType.from_obj, types))

        return infra
コード例 #27
ファイル: infrastructure.py プロジェクト: Seevil/python-stix
    def from_obj(cls, obj, return_obj=None):
        """Build an Infrastructure API object from its binding object.

        Args:
            cls: API class used when ``return_obj`` is absent.
            obj: binding object; a falsy value returns ``None``.
            return_obj: optional instance to populate in place.

        Returns:
            The populated instance, or ``None`` for a falsy ``obj``.
        """
        if not obj:
            return None
        infra = return_obj or cls()

        def lift(api_cls, binding_attr):
            # Convert one child element through its API class.
            return api_cls.from_obj(getattr(obj, binding_attr))

        infra.id_ = obj.id
        infra.title = obj.Title
        infra.description = lift(StructuredText, "Description")
        infra.short_description = lift(StructuredText, "Short_Description")
        infra.observable_characterization = lift(Observables, "Observable_Characterization")

        # Types are only assigned when the binding has entries.
        types = obj.Type
        if types:
            infra.types = list(map(VocabString.from_obj, types))

        return infra
コード例 #28
    def from_obj(cls, obj, return_obj=None):
        """Populate an Infrastructure API object from its binding object.

        Args:
            cls: API class instantiated when ``return_obj`` is not given.
            obj: binding object; a falsy value returns ``None``.
            return_obj: optional instance to populate in place.

        Returns:
            The populated instance, or ``None`` for a falsy ``obj``.
        """
        if not obj:
            return None

        infra = return_obj
        if not infra:
            infra = cls()

        infra.id_ = obj.id
        infra.title = obj.Title

        # (API attribute, converting API class, binding attribute)
        field_map = (
            ("description", StructuredText, "Description"),
            ("short_description", StructuredText, "Short_Description"),
            ("observable_characterization", Observables, "Observable_Characterization"),
        )
        for api_attr, api_cls, binding_attr in field_map:
            setattr(infra, api_attr, api_cls.from_obj(getattr(obj, binding_attr)))

        # Types are only assigned when the binding has entries.
        if obj.Type:
            infra.types = [VocabString.from_obj(entry) for entry in obj.Type]

        return infra
コード例 #29
ファイル: search.py プロジェクト: fygrave/splunk-search
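def read_cybox(input_file, isJson):
    """Extract simple indicators from a CybOX document.

    Args:
        input_file: path to a CybOX XML file, or — when *isJson* is true —
            to a JSON file in the same shape as ``Observables.to_dict()``.
        isJson: select the JSON path instead of the XML binding parser.

    Returns:
        ``{'ip_addresses': [...], 'hostnames': [...]}``. Only IPv4 address
        objects are collected so far; ``hostnames`` is never filled
        (see the TODO below).
    """
    if not isJson:
        cybox_obj = cybox_core_binding.parse(input_file)
        cybox_observables = Observables.from_obj(cybox_obj)
        cybox_data = cybox_observables.to_dict()
    else:
        # Bug fix: the original passed the path string to json.load instead
        # of the open handle, which raised AttributeError on every call.
        with open(input_file, 'r') as f:
            cybox_data = json.load(f)

    # TODO: Add other indicator types
    indicator_data = {'ip_addresses': [],
                      'hostnames': []}

    # TODO: Support additional logic (build parse tree or similar?)
    # The document is externally supplied; skip observables that lack an
    # object/properties/address instead of failing the whole file with a
    # KeyError.
    for each in cybox_data.get('observables') or []:
        properties = (each.get('object') or {}).get('properties') or {}
        if properties.get('category') == 'ipv4-addr':
            address = properties.get('address_value')
            if address is not None:
                indicator_data['ip_addresses'].append(address)

    return indicator_data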
    def from_obj(cls, obj, return_obj=None):
        """Build an instance from a generateDS binding object.

        ``None`` is returned for a falsy *obj*; a supplied *return_obj* is
        filled in place, otherwise a new ``cls()`` is created.
        """
        if not obj:
            return None
        if not return_obj:
            return_obj = cls()

        text = StructuredText.from_obj
        return_obj.id_ = obj.get_id()
        return_obj.title = obj.get_Title()
        return_obj.description = text(obj.get_Description())
        return_obj.short_description = text(obj.get_Short_Description())
        return_obj.observable_characterization = Observables.from_obj(
            obj.get_Observable_Characterization())

        # Vocabulary terms; `types` is only set when the list is non-empty.
        raw_types = obj.get_Type()
        if raw_types:
            return_obj.types = [VocabString.from_obj(term) for term in raw_types]

        return return_obj
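    def __get_email_cybox_object(self, email_sha256, log, config=None):
        """Load the CybOX e-mail observables stored for a message hash.

        The report is looked up at
        ``<emailpath>/<h[0:2]>/<h[2:4]>/<h>/cybox-<h>-message.xml``.

        Args:
            email_sha256: hex digest naming the message. It is spliced into
                filesystem paths, so anything that is not a plain hex string
                is refused.
            log: logger with ``error`` and ``warning`` methods.
            config: mapping holding ``emailpath``; ``None`` disables lookup.

        Returns:
            ``(email_properties, other_observables, (stix_path, stix_filename))``
            or ``(None, None, None)`` when nothing usable is found or the
            report cannot be parsed.
        """
        import re

        if not config:
            return None, None, None

        # The hash becomes path components; reject anything that is not a
        # hex digest so a crafted value cannot carry '/', '\\' or '..' and
        # escape config['emailpath'].
        if not email_sha256 or not re.match(r'[0-9a-fA-F]+\Z', email_sha256):
            log.warning("rejecting non-hex email hash: %r" % (email_sha256,))
            return None, None, None

        mail_path = os.path.join(config['emailpath'], email_sha256[0:2], email_sha256[2:4], email_sha256)
        email_path = os.path.join(mail_path, 'cybox-%s-message.xml' % (email_sha256))
        email_stix_filename = 'stix-%s-email-message.xml' % (email_sha256)
        email_stix_path = os.path.join(mail_path, email_stix_filename)

        if not (os.path.exists(mail_path) and os.path.exists(email_path)):
            log.warning("no cybox report or email found for given hash: %s" % (email_path))
            return None, None, None

        try:
            observables_obj = cybox_core_binding.parse(email_path)
            obs = Observables.from_obj(observables_obj)
            # Presumably the first observable is the e-mail message itself and
            # the rest are related observables — TODO confirm against the
            # writer of these reports.
            email_observables = obs.observables[1:]
            email_object = Object.from_obj(obs.observables[0].to_obj().Object)
            return email_object._properties, email_observables, (email_stix_path, email_stix_filename)
        except Exception as e:
            # StandardError exists only on Python 2; Exception keeps the same
            # best-effort behaviour and also works on Python 3.
            log.error("failed extracting cybox email observable: %s" % (e))
            return None, None, None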
 def from_obj(cls, obj, return_obj=None):
     """Convert a STIXPackage binding object into a STIXPackage instance.

     *obj* is not None-checked here (unlike the component converters).
     The header, each Indicator and the Observables block are converted
     through their own ``from_obj`` helpers; *return_obj* is reused when
     given, otherwise a new ``cls()`` is created.
     """
     if not return_obj:
         return_obj = cls()

     return_obj.id_ = obj.get_id()
     return_obj.idref_ = obj.get_idref()
     return_obj.version = obj.get_version()
     return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())

     # Indicators live in an optional container holding an optional list.
     indicators_obj = obj.get_Indicators()
     indicator_list = indicators_obj.get_Indicator() if indicators_obj else None
     for indicator_obj in indicator_list or ():
         return_obj.add_indicator(Indicator.from_obj(indicator_obj))

     observables_obj = obj.get_Observables()
     if observables_obj:
         return_obj.observables = Observables.from_obj(observables_obj)

     return return_obj
    def from_obj(cls, obj, return_obj=None):
        """Build a STIXPackage from its generateDS binding object.

        *obj* must be a binding object; it is not None-checked. The package
        is *return_obj* when supplied, else a new ``cls()``. Indicators are
        added one by one via ``add_indicator``; Observables are converted
        as a block.
        """
        package = return_obj if return_obj else cls()

        package.id_ = obj.get_id()
        package.idref_ = obj.get_idref()
        package.version = obj.get_version()
        package.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())

        indicators_container = obj.get_Indicators()
        if indicators_container:
            raw_indicators = indicators_container.get_Indicator()
            if raw_indicators:
                for raw in raw_indicators:
                    package.add_indicator(Indicator.from_obj(raw))

        observables_container = obj.get_Observables()
        if observables_container:
            package.observables = Observables.from_obj(observables_container)

        return package
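def alta_informacion(request):
    """Create a Content Block from a posted CybOX Observables document.

    GET returns every Content Block serialised. POST reads ``content``
    (CybOX XML), ``title`` and ``description`` from the request body, wraps
    the observables into a STIX package and stores it as a Content Block on
    the ``default`` Data Feed, answering 201.

    NOTE(review): ``content`` is untrusted XML handed to the generateDS
    binding parser; confirm that the parser it uses has external entity
    resolution and DTD expansion disabled (XXE / entity expansion) — this
    view cannot control that from here. Authentication and permission
    checks are not visible in this function; they must come from the
    view's decorators.
    """
    logger = logging.getLogger('TAXIIApplication.rest.views.alta_informacion')
    logger.debug('Entering alta_informacion')
    logger.debug(request.method)

    if request.method == 'GET':
        content = ContentBlock.objects.all()
        serializer = ContentBlockSerializer(content, many=True)
        return Response(serializer.data)

    if request.method != 'POST':
        # The original fell off the end (returned None) for other methods.
        return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)

    cont = request.DATA.get('content')
    if not cont:
        # Without a body the binding parser raised and the client got a 500.
        return Response({'content': 'This field is required.'},
                        status=status.HTTP_400_BAD_REQUEST)

    logger.debug(request.DATA.get('content_binding'))

    # The original mixed tabs and spaces here; it only ran because Python 2
    # expands a tab to the next multiple of 8 columns (Python 3 rejects it).
    observables_obj = cybox_core_binding.parse(StringIO.StringIO(cont))
    observables = Observables.from_obj(observables_obj)
    logger.debug(str(observables))

    stix_header = STIXHeader()
    stix_header.description = request.DATA.get('description')
    stix_header.title = request.DATA.get('title')

    stix_package = STIXPackage()
    stix_package.stix_header = stix_header
    stix_package.add_observable(observables)

    # TODO(review): the content binding is hard-coded to id=1; the posted
    # 'content_binding' value is only logged, never used.
    content_binding = ContentBindingId.objects.get(id=1)
    cb = ContentBlock(title=request.DATA.get('title'),
                      description=request.DATA.get('description'),
                      content_binding=content_binding,
                      content=stix_package.to_xml())
    cb.save()

    df = DataFeed.objects.get(name='default')
    df.content_blocks.add(cb)
    return Response(status=status.HTTP_201_CREATED)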
    def from_obj(cls, obj, return_obj=None):
        """Convert a STIXPackage binding object (attribute-style API).

        *obj* is not None-checked. Every top-level section is handed to its
        own ``from_obj`` converter; ``version`` is only overwritten when the
        binding carries one, so the class default survives otherwise.
        """
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.id
        return_obj.idref = obj.idref
        return_obj.timestamp = obj.timestamp

        # (attribute, converter, raw binding value); the raw values are
        # passed to the converters as-is, None included.
        sections = (
            ('stix_header', STIXHeader, obj.STIX_Header),
            ('campaigns', Campaigns, obj.Campaigns),
            ('courses_of_action', CoursesOfAction, obj.Courses_Of_Action),
            ('exploit_targets', ExploitTargets, obj.Exploit_Targets),
            ('indicators', Indicators, obj.Indicators),
            ('observables', Observables, obj.Observables),
            ('incidents', Incidents, obj.Incidents),
            ('threat_actors', ThreatActors, obj.Threat_Actors),
            ('ttps', TTPs, obj.TTPs),
            ('related_packages', RelatedPackages, obj.Related_Packages),
        )
        for attr, converter, raw in sections:
            setattr(return_obj, attr, converter.from_obj(raw))

        # Don't overwrite unless a version is passed in
        if obj.version:
            return_obj.version = obj.version

        return return_obj
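    def __make_stix_xml_string(self, filename, open_ioc_xml):
        """Translate an OpenIOC document into a STIX 1.1.1 package on disk.

        Adapted from openioc_to_stix.py for ce1sus. The OpenIOC XML is
        written under ``self.get_dest_folder()``, converted to CybOX
        observables, wrapped one observable per Indicator, and the result is
        written next to it as ``STIX_of_<filename>``.

        Args:
            filename: name for the OpenIOC file. Only its base name is used,
                since the value may originate from an upload.
            open_ioc_xml: the OpenIOC document text.

        Returns:
            ``(base_dir, stix_path)``.

        Raises:
            cherrypy.HTTPError: 500 on any failure. The detail is logged;
                a generic message goes to the client.
        """
        import os

        try:
            base_dir = self.get_dest_folder()
            # The name is joined into a path under base_dir. Reduce it to a
            # base name so a value such as '../x' cannot write outside the
            # destination folder.
            safe_name = os.path.basename(filename)
            if not safe_name:
                raise ValueError('invalid filename: %r' % (filename,))
            open_ioc_filename = os.path.join(base_dir, safe_name)
            open_stix_filename = os.path.join(base_dir, 'STIX_of_' + safe_name)

            # save the file
            with open(open_ioc_filename, 'w+') as open_ioc_file:
                open_ioc_file.write(open_ioc_xml)

            openioc_indicators = openioc.parse(open_ioc_filename)
            observables_obj = openioc_to_cybox.generate_cybox(
                openioc_indicators, open_ioc_filename, True)
            observables_cls = Observables.from_obj(observables_obj)
            stix.utils.set_id_namespace({
                "https://github.com/STIXProject/openioc-to-stix":
                "openiocToSTIX"
            })
            stix_package = STIXPackage()
            stix_package.version = '1.1.1'
            input_namespaces = {"openioc": "http://openioc.org/"}

            stix_package.__input_namespaces__ = input_namespaces

            for observable in observables_cls.observables:
                indicator_dict = {
                    'producer': {
                        'tools': [{
                            'name': 'OpenIOC to STIX Utility',
                            'version': str(__VERSION__)
                        }]
                    },
                    'title': "CybOX-represented Indicator Created from OpenIOC File",
                }
                indicator = Indicator.from_dict(indicator_dict)
                # Bug fix: the original attached observables[0] on every
                # iteration, so with more than one observable each indicator
                # carried the first one and the loop variable went unused.
                indicator.add_observable(observable)
                stix_package.add_indicator(indicator)

            stix_header = STIXHeader()
            # set the correct header: take (short_)description from the
            # OpenIOC root's children. The original also printed the whole
            # file to stdout here; that leftover debug output is dropped.
            with open(open_ioc_filename, 'rb') as file_obj:
                file_contents = file_obj.read()
            # NOTE(review): caller-supplied XML goes into etree.fromstring;
            # confirm the parser in use has entity resolution disabled (XXE).
            root = etree.fromstring(file_contents)
            for child in root:
                if child.tag.endswith('short_description'):
                    stix_header.short_description = child.text
                elif child.tag.endswith('description'):
                    stix_header.description = child.text
                elif stix_header.description and stix_header.short_description:
                    break

            stix_header.package_intent = "Indicators - Malware Artifacts"
            stix_header.description = '{0}\n\n CybOX-represented Indicators Translated from OpenIOC File'.format(
                stix_header.description)
            stix_package.stix_header = stix_header

            # Write the generated STIX Package as XML to the output file.
            # Ignore any warnings - temporary fix for no schemaLocation w/ namespace
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                stix_xml = stix_package.to_xml()
            with open(open_stix_filename, 'w') as outfile:
                outfile.write(stix_xml)
            return base_dir, open_stix_filename
        except Exception as error:
            self.logger.error(error)
            # `error.message` does not exist on Python 3, and echoing parser
            # or filesystem details to the client leaks internals; keep the
            # detail in the log and send a generic message.
            raise cherrypy.HTTPError(500, 'failed to convert OpenIOC to STIX')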
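def parse(filepath):
    """Parse a CybOX XML file and return it as an ``Observables`` object.

    The file handle is closed once parsing finishes; the original left it
    open until garbage collection.

    NOTE(review): the binding parser is fed whatever XML is at *filepath*;
    confirm it runs with external entity resolution disabled before
    pointing it at untrusted files.
    """
    with open(filepath, "r") as xml:
        par = cybox_core_binding.parse(xml)
    return Observables.from_obj(par)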
def from_file(filename):
    """Load a CybOX XML document and return its ``Observables`` object.

    The path is made absolute before it is handed to the binding parser.
    """
    absolute_path = os.path.abspath(filename)
    binding = core_binding.parse(absolute_path)
    return Observables.from_obj(binding)
def from_file(filename):
    """Return the ``Observables`` parsed from the CybOX XML file *filename*.

    *filename* is resolved to an absolute path first.
    """
    return Observables.from_obj(core_binding.parse(os.path.abspath(filename)))