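def addsec_to_cybox_file(as_observables):
    """Fold a group of Addition Security observables into one CybOX ``File``.

    ``as_observables`` is an iterable of objects exposing ``dataType`` (an
    integer type code) and ``data``.  Only two codes are consumed here:

    * 10 (DataTypeFile): ``data`` is the path, stored in ``full_path``.
    * 2 (DataTypeSHA1): ``data`` is the raw digest bytes, stored hex-encoded
      as the file's ``sha1`` hash.

    Every other observable is ignored.  If several observables of the same
    type are present the last one wins; if none match, an empty ``File`` is
    still returned, so the return value alone does not distinguish "no file
    data" from "file with no attributes".

    SHA-1 is no longer collision resistant; the value is carried here as an
    identifier reported by the sensor, not as an integrity proof.  Observable
    contents are copied verbatim, without any validation or normalisation.
    """
    # binascii.hexlify works on both Python 2 and 3, whereas
    # str.encode('hex') is Python 2 only (LookupError on Python 3).
    import binascii

    f = File()
    for observable in as_observables:
        if observable.dataType == 10:  # DataTypeFile
            f.full_path = observable.data
        elif observable.dataType == 2:  # DataTypeSHA1 (binary bytes)
            hex_digest = binascii.hexlify(observable.data).decode('ascii')
            f.sha1 = Hash(hex_digest)
    return f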
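def addsec_to_cybox(as_obtype, as_obdata):
    """Map one discrete Addition Security observable to a CybOX object.

    ``as_obtype`` is the Addition Security data-type code and ``as_obdata``
    the observable's value.  Returns a freshly built CybOX object for the
    supported codes, or ``None`` for any code not handled here (including
    2, 7, 18 and 31, listed at the bottom) -- callers must check for ``None``.

    Values are copied into the CybOX object verbatim: nothing here validates
    or normalises sensor-reported paths, names, usernames or hostnames, so
    downstream consumers should treat them as untrusted input.
    """
    # binascii.hexlify works on both Python 2 and 3, whereas
    # str.encode('hex') is Python 2 only (LookupError on Python 3).
    import binascii

    # 30: DataTypeSymbolName
    if as_obtype == 30:
        api = API()
        api.function_name = as_obdata
        return api

    # 32: DataTypeLibraryName
    if as_obtype == 32:
        # Only a name is available for this code, so the same value is also
        # recorded as the library path.
        lib = Library()
        lib.name = as_obdata
        lib.path = as_obdata
        return lib

    # 14: DataTypeUsername
    if as_obtype == 14:
        account = UserAccount()
        account.username = as_obdata
        return account

    # 10: DataTypeFile
    if as_obtype == 10:
        file_obj = File()
        file_obj.full_path = as_obdata
        return file_obj

    # 23: DataTypeHostname
    if as_obtype == 23:
        host = Hostname()
        host.hostname_value = as_obdata
        return host

    # 29: DataTypeEnvString
    if as_obtype == 29:
        # Process stands in for the hosting process; the environment string
        # is attached to it.  NOTE(review): the raw value is assigned to
        # environment_variable_list rather than wrapped in an environment
        # variable entry -- confirm the cybox version in use accepts that.
        proc = Process()
        proc.environment_variable_list = as_obdata
        return proc

    # 17: DataTypeApplication
    if as_obtype == 17:
        # Particularly on Android, identification of an installed package fits
        # somewhere between File and Process, but not quite either.  The closest
        # fit is around LinuxPackage, which is what we use.  We should technically
        # derive from it, but we're trying to keep things simple.
        package = LinuxPackage()
        package.name = as_obdata
        return package

    # 11: DataTypeX509
    # 12: DataTypeX509Subject
    # 13: DataTypeX509Issuer
    if as_obtype in (11, 12, 13):
        cert = X509Certificate()
        if as_obtype == 11:
            # raw_certificate is hex-encoded, so as_obdata is expected to be
            # the certificate's raw bytes here (presumably DER).
            cert.raw_certificate = binascii.hexlify(as_obdata).decode('ascii')
        elif as_obtype == 12:
            # NOTE(review): if `certificate` is None on a fresh X509Certificate
            # in this cybox version, this assignment raises AttributeError;
            # the sub-object would need to be built first.
            cert.certificate.subject = as_obdata
        else:
            cert.certificate.issuer = as_obdata
        return cert

    # 2: DataTypeSHA1Hash
    # 7: DataTypeVersionString
    # 18: DataTypeString
    # 31: DataTypePropertyName
    # TODO: find the proper CybOX to represent these; for now, we don't
    # report them (a bare SHA1 is only consumed when paired with a file
    # observable in addsec_to_cybox_file).
    return None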