def create_port_based_observable(rule,
protocol,
port_type,
ports,
single_mode=True):
observables = []
if port_type == 'dst_port':
other_port = 'src_port'
old_port = rule.get('src_port')
elif port_type == 'src_port':
other_port = 'dst_port'
old_port = rule.get('dst_port')
ranges = ports[0]
values = ports[1]
embedded_observable = cybox.ObservableType()
embedded_observable_composition = cybox.ObservableCompositionType(
operator='OR')
rule[other_port] = '$variable'
for port_range in ranges:
rule[port_type] = port_range
embedded_observable_composition.add_Observable(
create_observable_composition(rule, protocol))
rule[port_type] = values
embedded_observable_composition.add_Observable(
create_observable_composition(rule, protocol))
embedded_observable.set_Observable_Composition(
embedded_observable_composition)
if single_mode:
rule[port_type] = '$variable'
rule[other_port] = old_port
observables.append(create_observable_composition(rule, protocol))
observables.append(embedded_observable)
return observables
def generate_cybox(indicators):
#Create the core CybOX structure
observables = cybox.ObservablesType()
#Set the description if it exists
description = None
if indicators.get_description() != None:
description = indicators.get_description()
elif indicators.get_short_description != None:
description = indicators.get_short_description()
indicator_definition = indicators.get_definition()
for indicator in indicator_definition.get_Indicator():
#Create the 'indicator' observable for holding the boolean indicator logic
id_string = ''
if indicator.get_id() is not None:
id_string = 'openioc:indicator-' + normalize_id(indicator.get_id())
else:
id_string = 'openioc:indicator-' + generate_observable_id()
indicator_observable = cybox.ObservableType(id=id_string)
#Set the title as appropriate
if description != None:
indicator_observable.set_Title(description)
composition = cybox.ObservableCompositionType(operator=indicator.get_operator())
#Process the indicator, including any embedded indicators
process_indicator(indicator, observables, composition, True)
indicator_observable.set_Observable_Composition(composition)
observables.add_Observable(indicator_observable)
return observables
def create_observable_composition(rule, protocol, composition=False):
component_count = 0
embedded_observable = cybox.ObservableType()
embedded_observable_composition = cybox.ObservableCompositionType(
operator='AND')
if rule.get('content_statement') != None:
#Loop through and add the observable components
for content in rule.get('content_statement'):
observable_component = create_observable_component(
rule, protocol, content, 'content')
if observable_component != None:
embedded_observable_composition.add_Observable(
observable_component)
component_count += 1
if rule.get('pcre_statement') != None:
for pcre in rule.get('pcre_statement'):
observable_component = create_observable_component(
rule, protocol, pcre, 'pcre')
if observable_component != None:
embedded_observable_composition.add_Observable(
observable_component)
component_count += 1
#Finally, set the composition in the top-level observable
if component_count > 0:
embedded_observable.set_Observable_Composition(
embedded_observable_composition)
if composition == True:
return embedded_observable_composition
else:
return embedded_observable
else:
return None
def process_indicator(indicator, observables, observable_composition, top_level=True):
if test_compatible_indicator(indicator):
#Dictionary for keeping track of indicatoritems without IDs
indicatoritem_dict = {}
current_composition = None
if top_level == False:
observable = cybox.ObservableType(id='openioc:indicator-' + normalize_id(indicator.get_id()))
nested_observable_composition = cybox.ObservableCompositionType(operator=indicator.get_operator())
observable.set_Observable_Composition(nested_observable_composition)
observable_composition.add_Observable(observable)
current_composition = nested_observable_composition
elif top_level == True:
current_composition = observable_composition
for indicator_item in indicator.get_IndicatorItem():
if process_indicator_item(indicator_item, observables, indicatoritem_dict):
if indicator_item.get_id() is not None:
observable = cybox.ObservableType(idref='openioc:indicator-item-' + normalize_id(indicator_item.get_id()))
else:
observable = cybox.ObservableType(idref=indicatoritem_dict.get(get_indicatoritem_string(indicator_item)))
current_composition.add_Observable(observable)
#Recurse as needed to handle embedded indicators
for embedded_indicator in indicator.get_Indicator():
process_indicator(embedded_indicator, observables, current_composition, False)
return
def create_observable(rule):
protocol = rule.get('protocol')
#Currently we support only TCP and UDP rules
if protocol == 'udp' or protocol == 'tcp':
pass
else:
return None
observable_id = None
title = None
options = rule.get('options')
#Create the title
if options != None:
title = get_option(options, 'msg')
observable_id = get_option(options, 'sid')
#Create the observable
observable = cybox.ObservableType()
#Create the observable composition
observable_composition = cybox.ObservableCompositionType(operator='AND')
id_string = ''
if observable_id != None:
id_string = 'cybox:observable-' + observable_id
else:
id_string = 'cybox:observable-' + generate_observable_id()
observable.set_id(id_string)
if title != None:
observable.set_Title(title)
#Check if the ports are a range list or not
src_ports = check_port_range_list(rule.get('src_port'))
dst_ports = check_port_range_list(rule.get('dst_port'))
if src_ports != None and dst_ports == None:
observable_list = create_port_based_observable(rule, protocol,
'src_port', src_ports)
for obsv in observable_list:
observable_composition.add_Observable(obsv)
elif src_ports == None and dst_ports != None:
observable_list = create_port_based_observable(rule, protocol,
'dst_port', dst_ports)
for obsv in observable_list:
observable_composition.add_Observable(obsv)
elif src_ports != None and dst_ports != None:
observable_list = create_port_based_observable(rule, protocol,
'src_port', src_ports,
False)
for obsv in observable_list:
observable_composition.add_Observable(obsv)
observable_list = create_port_based_observable(rule, protocol,
'dst_port', dst_ports,
False)
for obsv in observable_list:
observable_composition.add_Observable(obsv)
elif src_ports == None and dst_ports == None:
observable_composition = create_observable_composition(
rule, protocol, True)
if observable_composition.hasContent_():
observable.set_Observable_Composition(observable_composition)
return observable
else:
return None