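def write_cbs_from_poll_response_11(self, poll_response, dest_dir, write_type_=W_CLOBBER):
    """
    Write every content block of a TAXII 1.1 Poll Response to its own file.

    :param poll_response: Poll Response whose ``content_blocks`` are written;
        its ``collection_name`` becomes part of every file name.
    :param dest_dir: Directory the files are created in.
    :param write_type_: Handed to ``TaxiiScript.get_write_and_message`` with
        the target path. That helper is defined elsewhere; it returns the
        write/skip decision and the message prefix printed for each block.
    """
    # Known STIX bindings get a format tag and the .xml extension; any other
    # binding is written with neither.
    stix_formats = {
        CB_STIX_XML_10: '_STIX10_',
        CB_STIX_XML_101: '_STIX101_',
        CB_STIX_XML_11: '_STIX11_',
        CB_STIX_XML_111: '_STIX111_',
        CB_STIX_XML_12: '_STIX12_',
    }

    for cb in poll_response.content_blocks:
        format_ = stix_formats.get(cb.content_binding.binding_id, '')
        ext = '.xml' if format_ else ''

        # 't' marks a name built from the block's own timestamp label,
        # 's' one built from the local system clock.
        if cb.timestamp_label:
            date_string = 't' + cb.timestamp_label.isoformat()
        else:
            date_string = 's' + datetime.datetime.now().isoformat()

        # collection_name is taken from the server's response, so the
        # generated name is reduced to its final path component before it is
        # joined to dest_dir. gen_filename is defined elsewhere and may already
        # strip separators (not verified here); this keeps the write inside
        # dest_dir either way.
        filename = os.path.basename(
            gen_filename(poll_response.collection_name, format_, date_string, ext))
        filename = os.path.join(dest_dir, filename)

        write, message = TaxiiScript.get_write_and_message(filename, write_type_)
        if write:
            payload = cb.content
            # The file is opened in binary mode: text is encoded as before,
            # content that is already bytes is written unchanged instead of
            # failing on .encode().
            if not isinstance(payload, bytes):
                payload = payload.encode()
            with io.open(filename, 'wb') as f:
                f.write(payload)

        print("%s%s" % (message, filename))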
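def write_cbs_from_poll_response_11(self, poll_response, dest_dir, write_type_=W_CLOBBER):
    """
    Save the content blocks of a TAXII 1.1 Poll Response as files in ``dest_dir``.

    :param poll_response: Poll Response to read ``content_blocks`` and
        ``collection_name`` from.
    :param dest_dir: Target directory for the files.
    :param write_type_: Forwarded with the target path to
        ``TaxiiScript.get_write_and_message`` (defined elsewhere), which
        returns whether to write and the message prefix to print.
    """
    # Bindings recognised as STIX XML, mapped to the tag used in the file name.
    tag_for_binding = {
        CB_STIX_XML_10: '_STIX10_',
        CB_STIX_XML_101: '_STIX101_',
        CB_STIX_XML_11: '_STIX11_',
        CB_STIX_XML_111: '_STIX111_',
        CB_STIX_XML_12: '_STIX12_',
    }

    for cb in poll_response.content_blocks:
        binding_id = cb.content_binding.binding_id
        if binding_id in tag_for_binding:
            format_, ext = tag_for_binding[binding_id], '.xml'
        else:
            # Format and extension are unknown
            format_, ext = '', ''

        if cb.timestamp_label:
            date_string = 't' + cb.timestamp_label.isoformat()
        else:
            date_string = 's' + datetime.datetime.now().isoformat()

        # The collection name comes from the remote response. Only the last
        # path component of the generated name is kept, so the file cannot
        # land outside dest_dir even if gen_filename (defined elsewhere, not
        # checked here) lets a path separator through.
        name = gen_filename(poll_response.collection_name, format_, date_string, ext)
        filename = os.path.join(dest_dir, os.path.basename(name))

        write, message = TaxiiScript.get_write_and_message(filename, write_type_)
        if write:
            data = cb.content
            # A binary-mode file rejects text; encode it rather than raise.
            # NOTE(review): UTF-8 is an assumption about text content - confirm.
            if not isinstance(data, bytes):
                data = data.encode('utf-8')
            with io.open(filename, 'wb') as f:
                f.write(data)

        print("%s%s" % (message, filename))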
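def write_response_to_import(self, response, dest_dir):
    """
    Write each content block of ``response`` to an ``.xml`` file in ``dest_dir``.

    ``dest_dir`` is created when it does not exist. A file of the same name
    is overwritten, because the target is opened with mode ``'w'``.

    :param response: Response providing ``content_blocks`` and
        ``collection_name``.
    :param dest_dir: Directory the files are written to.
    :return: ``True`` after all content blocks have been written.
    """
    if not os.path.exists(dest_dir):
        os.makedirs(dest_dir)

    stix_formats = {
        CB_STIX_XML_10: '_STIX10_',
        CB_STIX_XML_101: '_STIX101_',
        CB_STIX_XML_11: '_STIX11_',
        CB_STIX_XML_111: '_STIX111_',
    }

    for cb in response.content_blocks:
        # Unrecognised bindings get no format tag but still the .xml extension.
        sformat = stix_formats.get(cb.content_binding.binding_id, '')
        ext = '.xml'

        # 't' = block's timestamp label, 's' = local system time fallback.
        if cb.timestamp_label:
            date_string = 't' + cb.timestamp_label.isoformat()
        else:
            date_string = 's' + datetime.datetime.now().isoformat()

        # collection_name is supplied by the remote side. Dropping everything
        # but the final path component keeps the file inside dest_dir,
        # whatever gen_filename (defined elsewhere, not verified here) returns.
        name = os.path.basename(
            gen_filename(response.collection_name, sformat, date_string, ext))
        filename = os.path.join(dest_dir, name)

        with open(filename, 'w') as f:
            f.write(cb.content)

    return True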
def file_name_for_content_block(content_block, collection):
    """
    Build the file name for a content block of the given collection.

    Recognised STIX XML bindings get a format tag and the ``.xml`` extension;
    other bindings get neither. The date part is the block's timestamp label
    prefixed with ``t``, or the current local time prefixed with ``s`` when
    the block has no label.

    The result is whatever ``gen_filename`` returns. ``collection`` and the
    timestamp label may come from a remote response, so callers should treat
    the result as a bare name to place under a directory they control.
    NOTE(review): whether gen_filename strips path separators is not visible
    here - confirm.
    """
    # The naming scheme deliberately follows libtaxii's, for compatibility.
    known_tags = {
        CB_STIX_XML_10: '_STIX10_',
        CB_STIX_XML_101: '_STIX101_',
        CB_STIX_XML_11: '_STIX11_',
        CB_STIX_XML_111: '_STIX111_',
    }

    tag = known_tags.get(content_block.content_binding.binding_id)
    if tag is None:
        tag, suffix = '', ''
    else:
        suffix = '.xml'

    stamp = (
        't' + content_block.timestamp_label.isoformat()
        if content_block.timestamp_label
        else 's' + datetime.datetime.now().isoformat()
    )
    return gen_filename(collection, tag, stamp, suffix)
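def process_fsisac_stix_for_today(self):
    """
    Poll the FS-ISAC TAXII 1.1 feed for the last day and save each content block.

    The polling period runs from yesterday's midnight to today's midnight
    (local calendar date, labelled as UTC) and is polled one day at a time.
    Each returned content block is written to ``STIX_DOWNLOADED_PATH``.
    """
    today_str = datetime.datetime.today().strftime('%Y-%m-%d')
    print("[*] Downloading stix for today (%s)..." % (today_str))

    # Create a TAXII Client
    client = tc.HttpClient()
    client.set_auth_type(tc.HttpClient.AUTH_CERT_BASIC)  # Username/password plus client cert auth
    client.set_use_https(True)  # Use HTTPS
    # NOTE(review): nothing here configures verification of the server's
    # certificate. If tc is libtaxii.clients, that is presumably opt-in via
    # HttpClient.set_verify_server(...) - confirm it is enabled, since the
    # username and password below are sent over this connection.

    # Update with your CIR credentials
    client.auth_credentials['username'] = FSISAC_USERNAME
    client.auth_credentials['password'] = FSISAC_PASSWORD
    client.auth_credentials['key_file'] = FSISAC_KEY
    client.auth_credentials['cert_file'] = FSISAC_CERT

    taxii_server = 'analysis.fsisac.com'
    taxii_service = '/taxii-discovery-service/'
    feed = 'system.Default'  # TAXII feed to be polled. Update to poll a custom TAXII feed.

    # TAXII poll Exclusive Start Date and Inclusive End Date.
    # The clock is read once, so both bounds come from the same instant.
    now = datetime.datetime.today()
    end = datetime.datetime(now.year, now.month, now.day, tzinfo=pytz.UTC)
    # Subtracting a timedelta yields the right month and year for "yesterday".
    # Rebuilding the date from today's month and yesterday's day number went
    # wrong on the first day of a month and raised on 1 January.
    start = end - datetime.timedelta(days=1)

    # A TAXII poll can return a lot of data. For performance reasons, if the
    # polling period spans multiple days, only poll for one day at a time
    # within the polling period.
    one_day = datetime.timedelta(days=1)
    inc_start = start
    inc_end = inc_start + one_day

    while inc_start <= end:
        params = tm11.PollParameters()

        # Create the TAXII poll request
        poll_request = tm11.PollRequest(
            tm11.generate_message_id(),
            collection_name=feed,
            poll_parameters=params,
            exclusive_begin_timestamp_label=inc_start,
            inclusive_end_timestamp_label=inc_end)
        poll_xml = poll_request.to_xml()

        # Get the TAXII poll response
        http_resp = client.call_taxii_service2(taxii_server, taxii_service,
                                               VID_TAXII_XML_11, poll_xml)
        taxii_message = t.get_message_from_http_response(
            http_resp, poll_request.message_id)

        # Write each content block from the TAXII poll response to
        # STIX_DOWNLOADED_PATH.
        for cb in taxii_message.content_blocks:
            # Fall back to the local clock when a block carries no timestamp
            # label, instead of failing on None.isoformat().
            if cb.timestamp_label:
                stamp = cb.timestamp_label.isoformat()
            else:
                stamp = datetime.datetime.now().isoformat()
            filename = gen_filename('FSISAC', '_STIX111_', stamp, '.xml')
            with open(STIX_DOWNLOADED_PATH + "/" + filename, 'w') as outfile:
                outfile.write(cb.content)
            print("Written to %s" % filename)

        # Increment to the next day in the specified date range.
        inc_start = inc_start + one_day
        inc_end = inc_end + one_day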