def poll_20(taxii_client, protocol_version='2.0'):
try:
count = 0
fd = None
js = _get_json_response(taxii_client, protocol_version)
if 'objects' not in js:
return 0
fd, stix_file_path = tempfile.mkstemp(suffix='.json')
if protocol_version == '2.0':
with open(stix_file_path, 'wb+') as fp:
fp.write(json.dumps(js, indent=4).encode('utf-8'))
elif protocol_version == '2.1':
objects = _get_objects_21(taxii_client, protocol_version, [], js)
if len(objects) == 0:
return 0
bundle = Bundle(objects)
with open(stix_file_path, 'wb+') as fp:
fp.write(bundle.serialize(pretty=True).encode('utf-8'))
from ctirs.core.stix.regist import regist
if taxii_client._community is not None:
regist(stix_file_path, taxii_client._community, taxii_client._via)
count += 1
last_requested = datetime.datetime.now(pytz.utc)
taxii_client._taxii.last_requested = last_requested
taxii_client._taxii.save()
return count
except BaseException as e:
traceback.print_exc()
raise e
finally:
if fd is not None:
try:
os.close(fd)
except Exception:
pass
def post_language_contents(request, object_ref, ctirs_auth_user):
try:
j = json.loads(request.body)
# S-TIP Identity 作成する
stip_identity = _get_stip_identname(request.user)
# bundle 作成
bundle = Bundle(stip_identity)
# 参照元の obejct を取得
object_ = get_object(object_ref)
if object_ is None:
return error(
Exception('No document. (object_ref=%s)' % (object_ref)))
for language_content in j['language_contents']:
selector_str = language_content['selector']
content_value = language_content['content']
language = language_content['language']
try:
selector_elems = selector_str.split('.')
last_elem = object_
# selector の 要素をチェックする
if len(selector_elems) == 1:
# selector が . でつながられていない場合
last_selector = selector_str
last_elem = is_exist_objects(selector_str, last_elem)
else:
# selector が . でつながられている場合は最後までたどる
for selector in selector_elems[:-1]:
last_selector = selector
last_elem = is_exist_objects(selector, last_elem)
if last_elem is None:
raise Exception('selector is invalid: ' +
str(selector_str))
if isinstance(last_elem, list):
# 空要素で初期化し、該当 index の要素だけ上書きする
lc_lists = [''] * len(last_elem)
lc_lists[get_list_index_from_selector(
selector_elems[-1])] = content_value
content = lc_lists
selector = '.'.join(selector_elems[:-1])
elif isinstance(last_elem, dict):
# 空辞書で初期化し、該当 index の要素だけ上書きする
content = {}
content[selector_elems[-1]] = content_value
selector = '.'.join(selector_elems[:-1])
else:
# list ではない
content = content_value
selector = last_selector
except Exception as e:
traceback.print_exc()
raise e
contents = {}
contents[language] = {selector: content}
language_content = LanguageContent(
created_by_ref=stip_identity,
object_ref=object_ref,
object_modified=object_['modified'],
contents=contents)
bundle.objects.append(language_content)
# viaを取得
via = Vias.get_via_rest_api_upload(uploader=ctirs_auth_user.id)
community = Communities.get_default_community()
# stixファイルを一時ファイルに出力
stix_file_path = tempfile.mktemp(suffix='.json')
with open(stix_file_path, 'wb+') as fp:
fp.write(bundle.serialize(indent=4, ensure_ascii=False)).encode()
# 登録処理
regist(stix_file_path, community, via)
resp = get_normal_response_json()
bundle_json = json.loads(str(bundle))
resp['data'] = {'bundle': bundle_json}
return JsonResponse(resp, status=201, safe=False)
except Exception as e:
traceback.print_exc()
return error(e)
def processAndSubmit(self):
# Create SDO's / Cyber Obs
ext_ref = ExternalReference(
source_name=f"Cuckoo Sandbox Report {str(self.report.info.id)}",
url=f"{self.cuckoo_url}/analysis/{str(self.report.info.id)}/summary",
external_id=str(self.report.info.id),
)
if self.report.network.hosts:
ips = self.createIPObs(self.report.network.hosts)
else:
ips = []
if self.report.network.domains:
fqdns = self.createDNSObs(self.report.network.domains)
else:
fqdns = [[], []]
if self.report.process:
processes = self.createProcessObs(self.report.process)
else:
processes = []
if self.EnableRegKeys:
if self.report.behavior:
if self.report.behavior.regkey_written:
registry_keys = self.createRegKeysObs(
self.report.behavior.regkey_written
)
else:
registry_keys = None
else:
registry_keys = None
else:
registry_keys = None
if self.EnableNetTraffic:
if self.report.network:
network_traffic = self.createNetTrafficObs(self.report.network)
else:
network_traffic = None
else:
network_traffic = None
if self.report.dropped:
dropped_binaries = self.createBinarieObs(self.report.dropped)
else:
dropped_binaries = []
if self.report.signatures:
AttackPatterns = self.getAttackPatterns(self.report.signatures)
else:
AttackPatterns = []
self.helper.log_info(fqdns)
# Get all IDs from ATPs/CyberObs
IDs = self.get_related(
ips,
fqdns[0],
processes,
network_traffic,
dropped_binaries,
AttackPatterns,
registry_keys,
)
# Create Main binary and link All ATPs/Cyber Obs
payload = self.createPrimaryBinary(self.report.target.file, ext_ref)
payload_relations = []
bundle_ids = []
for ID in IDs:
try:
IDx = ID.id
bundle_ids.append(
ID
) # Get list for bundle w/o Attack Patterns that exisit
except:
IDx = ID
payload_relations.append(
Relationship(
relationship_type="related-to",
source_ref=payload[0].id,
target_ref=IDx,
)
)
for ATP in AttackPatterns:
payload_relations.append(
Relationship(
relationship_type="related-to",
source_ref=payload[0].id,
target_ref=ATP,
)
)
IDs.append(payload[0]) # Add Observeable
IDs.append(payload[1]) # Add Indicator
bundle_ids.append(payload[0])
bundle_ids.append(payload[1])
payload_relations.append(payload[2])
if int(self.report.info.score) >= self.ReportScore:
# Create Report and link All ATPs/Cyber Obs/Payload
report = self.createCuckooReport(self.report, IDs, ext_ref)
b = Bundle(
report, bundle_ids, payload_relations, fqdns[1]
) # fqdns[1] is the Resolves-to relations
else:
b = Bundle(bundle_ids, payload_relations, fqdns[1])
self.helper.send_stix2_bundle(b.serialize())
return None
