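def _export_from_json_to_xml(json1):
    """Build a STIX ``Indicator`` from one JSON feed record.

    ``json1`` is a dict describing a single indicator. The function:

    * sets the producer identity (``source``), produced time
      (``detecttime``), received time (``reporttime``) and ``id_`` (``id``)
      on the indicator when those keys are present;
    * folds the remaining descriptive keys into one free-text description,
      prefixed with the ``assessment`` when there is one;
    * hands records with an ``address`` to ``_build_adderss_obj``, which
      returns the description to use;
    * for records with ``rdata`` but no ``address``, adds an IPv4 ``Address``
      observable when rdata is exactly a dotted quad, otherwise a
      ``URI`` observable of type "Domain Name";
    * adds a ``File`` observable carrying ``malware_hash`` when present.

    Reads the module-level ``testMode`` and ``fieldsList`` and appends to the
    module-level ``log_string``.

    Returns:
        The populated ``Indicator``.
    """
    import re
    from stix.indicator.indicator import Indicator
    from cybox.core import observable
    from cybox.common import Hash
    from cybox.objects.address_object import Address
    from cybox.objects.file_object import File
    from cybox.objects.uri_object import URI

    # Without this declaration the assignment below makes log_string a local
    # and the first unknown field raises UnboundLocalError.
    # NOTE(review): assumes log_string is defined at module level -- confirm.
    global log_string

    def _as_text(value):
        # Feed values are untrusted and not always strings (e.g. a numeric
        # confidence). Text is passed through unchanged so non-ASCII unicode
        # is not forced through the ASCII codec (this module is Python 2).
        return value if isinstance(value, basestring) else str(value)

    def _raw(name):
        # Value of an optional key, or "" when it is absent or None.
        value = json1.get(name)
        return "" if value is None else value

    indicatorIns = Indicator()
    indicDesc = "Additional fields: "

    if testMode:
        print "------------New Indicator: Start------------"
        print "--------------check dictionary ----------------"
        # .get() so a record without these keys does not abort the export.
        if json1.get("relatedid_restriction"):
            print json1["relatedid_restriction"]
        if json1.get("source"):
            print json1["source"]
        if json1.get("ardig"):
            print str(json1["ardig"])
        if json1.get("address"):
            print json1["address"]
        print "--------------check dictionary:END----------------"

    # The producer identity has to exist before the producer times are set.
    indicatorIns.set_producer_identity("None")

    # Record keys that fieldsList does not know about.
    # NOTE(review): this logs the field's value, not its name -- confirm intent.
    for item in json1.keys():
        if fieldsList.get(item) is None:
            log_string = log_string + "New field: " + _as_text(json1.get(item)) + "\n"

    # Producer metadata (identity first, then the two timestamps).
    if json1.get("source") is not None:
        indicatorIns.set_producer_identity(json1["source"])
    if json1.get("detecttime") is not None:
        indicatorIns.set_produced_time(json1["detecttime"])
    if json1.get("reporttime") is not None:
        indicatorIns.set_received_time(json1["reporttime"])
    if json1.get("id") is not None:
        indicatorIns.id_ = json1["id"]

    # Short description: the last whitespace-separated token of the
    # description, or the whole description when it has at most one token.
    strDescShort = ""
    if json1.get("description") is not None:
        fullDesc = _as_text(json1["description"])
        descList = fullDesc.rsplit()
        strDescShort = descList[-1] if len(descList) > 1 else fullDesc

    # Keys that are only carried along as "name = value; " in the description.
    describedFields = (
        "whois", "relatedid_restriction", "contact", "purpose",
        "alternativeid", "alternativeid_restriction", "guid", "severity",
        "description", "relatedid", "confidence", "restriction",
    )
    for name in describedFields:
        if json1.get(name) is not None:
            indicDesc = indicDesc + name + " = " + _as_text(json1[name]) + "; "

    if json1.get("assessment") is not None:
        indicDesc = "Assessment: " + _as_text(json1["assessment"]) + ". " + indicDesc

    # Values forwarded to the address builder / observables.
    strAddress = _raw("address")
    strAsn = _raw("asn")
    strAsnDesc = _raw("asn_desc")
    strRir = _raw("rir")
    strCc = _raw("cc")
    strPrefix = _raw("prefix")
    strRdata = _raw("rdata")
    strMalware = _raw("malware_hash")
    strProtocol = str(json1["protocol"]) if json1.get("protocol") is not None else ""
    strPortList = str(json1["portlist"]) if json1.get("portlist") is not None else ""

    # Address: parameters handed to _build_adderss_obj.
    addressParam = {
        'strAddress': strAddress,
        'strDescShort': strDescShort,
        'strAsn': strAsn,
        'strAsnDesc': strAsnDesc,
        'strRir': strRir,
        'strCc': strCc,
        'strPrefix': strPrefix,
        'strRdata': strRdata,
        'strProtocol': strProtocol,
        'strPortList': strPortList,
        'indicDesc': indicDesc,
    }

    if testMode:
        print "Address: " + addressParam["strAddress"]
        print "strDescShort: " + addressParam["strDescShort"]

    if strAddress:
        indicDesc = _build_adderss_obj(addressParam, indicatorIns)
    elif strRdata:
        # rdata only. strAddress is never None (it defaults to ""), so the
        # branch is selected on emptiness; an `is None` test never fires.
        # The pattern is one unbroken expression anchored at the end with \Z:
        # literal whitespace inside it would prevent any match, and without
        # the end anchor a hostname that merely starts with a dotted quad
        # would be typed as an IPv4 address.
        ipv4Pattern = (r"((25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)\.){3}"
                       r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)\Z")
        if re.match(ipv4Pattern, strRdata):
            indicatorIns.add_observable(
                observable.Observable(Address(strRdata, 'ipv4-addr')))
        else:
            indicatorIns.add_observable(
                observable.Observable(URI(strRdata, 'Domain Name')))
        if testMode:
            print "It's rdata only"

    # Malware: wrap the hash in a File object and attach it as an observable.
    if strMalware:
        malFile = File()
        malFile.add_hash(Hash(strMalware))
        indicatorIns.add_observable(observable.Observable(malFile))
        if testMode:
            print "It's malware_hash"

    if indicDesc:
        indicatorIns.description = indicDesc
    return indicatorIns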