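def _cdata(text):
    """Wrap *text* in an XML CDATA section.

    A literal ``]]>`` inside the text would terminate the section early and
    let the remainder be parsed as markup, so it is split across two CDATA
    sections (``]]]]><![CDATA[>``), the standard escape. For text without
    that sequence the result is byte-identical to ``"<![CDATA[" + text + "]]>"``.
    """
    return "<![CDATA[{0}]]>".format(str(text).replace("]]>", "]]]]><![CDATA[>"))


def process_indicator_item(indicator_item, observables=None, indicatoritem_dict=None):
    """Translate one OpenIOC IndicatorItem into a CybOX Observable.

    Args:
        indicator_item: the OpenIOC ``IndicatorItem`` binding object; its
            ``Context.search`` term, ``Content`` value and ``condition`` are
            read.
        observables: when truthy, a full ``cybox_binding.ObservableType`` is
            built and returned; when falsy the item is only checked for
            translatability and a boolean is returned.
        indicatoritem_dict: optional mapping that is filled with
            ``get_indicatoritem_string(indicator_item) -> observable id`` so
            callers can refer back to the generated observable.

    Returns:
        With ``observables`` set: an ``ObservableType`` carrying the
        translated object, or carrying only a CDATA description that explains
        why the item was skipped (``Error|Ignore``) or failed
        (``Error|Fatal``). Without ``observables``: ``True`` when the item
        maps to CybOX, ``False`` otherwise (including translation errors).
    """
    search_string = indicator_item.get_Context().get_search()
    content_string = indicator_item.get_Content().get_valueOf_().rstrip()
    condition = indicator_item.get_condition()
    relatedobj = None
    observable = None

    if observables:
        item_id = indicator_item.get_id()
        if item_id is not None:
            id_string = 'openioc:indicator-item-' + normalize_id(item_id)
        else:
            id_string = 'openioc:indicator-item-' + generate_observable_id()
        # Guarded: the dict defaults to None, and indexing it unconditionally
        # raised TypeError whenever a caller passed observables without it.
        if indicatoritem_dict is not None:
            indicatoritem_dict[get_indicatoritem_string(indicator_item)] = id_string
        observable = cybox_binding.ObservableType(id=id_string)

    try:
        properties = ioc_observable.createObj(
            search_string, content_string, map_condition_keywords(condition))
    except Exception as e:
        # Previously the error text was built but never attached to the
        # observable, and ``properties`` was left unbound so the code below
        # raised NameError. Report the failure the same way skipped terms are
        # reported, and signal failure in check-only mode.
        if observable:
            description_text = _cdata(
                "Error|Fatal. Encountered error when attempting IndicatorItem translation:" + str(e))
            observable.set_Description(
                cybox_common_binding.StructuredTextType(valueOf_=description_text))
            return observable
        return False

    # createObj returns either the properties object alone or a two-element
    # list [properties, RelatedObject].
    if isinstance(properties, list):
        relatedobj = properties[1]
        properties = properties[0]

    if not properties:
        # The IOC term has no CybOX mapping; record why on the observable.
        if observable:
            skipped_term = string_test(search_string)
            description_text = _cdata(
                "Error|Ignore. IndicatorItem not translated. Encountered IOC term "
                + skipped_term + ", which does not currently map to CybOX.")
            observable.set_Description(
                cybox_common_binding.StructuredTextType(valueOf_=description_text))
            return observable
        return False

    if observable:
        cy_object = cybox_binding.ObjectType(Properties=properties)
        observable.set_Object(cy_object)
        if relatedobj is not None:
            related = cybox_binding.RelatedObjectsType()
            related.add_Related_Object(relatedobj)
            cy_object.set_Related_Objects(related)
        return observable
    return True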
def to_obj(self, structured_text_obj=None):
    """Fill a ``StructuredTextType`` binding from this object's fields.

    Args:
        structured_text_obj: an existing binding to populate; when falsy a
            fresh ``common_binding.StructuredTextType`` is created instead.

    Returns:
        The populated binding object.
    """
    target = structured_text_obj or common_binding.StructuredTextType()
    target.set_valueOf_(self.value)
    fmt = self.structuring_format
    # The binding's format is left untouched when this object has none.
    if fmt is not None:
        target.set_structuring_format(fmt)
    return target
def to_obj(self, return_obj=None, ns_info=None):
    """Fill a ``StructuredTextType`` binding from this object's fields.

    Args:
        return_obj: an existing binding to populate; when falsy a fresh
            ``common_binding.StructuredTextType`` is created instead.
        ns_info: namespace bookkeeping passed through to ``_collect_ns_info``.

    Returns:
        The populated binding object.
    """
    self._collect_ns_info(ns_info)
    target = return_obj or common_binding.StructuredTextType()
    target.valueOf_ = self.value
    fmt = self.structuring_format
    # Only override the binding's format when this object carries one.
    if fmt is not None:
        target.structuring_format = fmt
    return target
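def generate_cybox(indicators, infilename, embed_observables):
    """Build the CybOX ``Observables`` tree for an OpenIOC document.

    Args:
        indicators: the parsed OpenIOC root binding; its description, short
            description and indicator definition are read.
        infilename: path of the source IOC file; only its basename is recorded
            as the observable source.
        embed_observables: passed through to ``process_indicator``.

    Returns:
        A ``cybox_binding.ObservablesType`` with one composition observable per
        top-level indicator, or ``None`` as soon as an indicator yields no
        CybOX-compatible items.
    """
    observables = cybox_binding.ObservablesType()

    # Title for each indicator observable: the IOC description, falling back
    # to the short description. The original compared the bound method
    # ``get_short_description`` (not its result) to None, so the fallback
    # branch was always taken; the call is now made explicitly.
    description = indicators.get_description()
    if description is None:
        description = indicators.get_short_description()

    for indicator in indicators.get_definition().get_Indicator():
        # The 'indicator' observable holds the boolean composition logic.
        indicator_id = indicator.get_id()
        if indicator_id is not None:
            id_string = 'openioc:indicator-' + normalize_id(indicator_id)
        else:
            id_string = 'openioc:indicator-' + generate_observable_id()
        indicator_observable = cybox_binding.ObservableType(id=id_string)

        if description is not None:
            indicator_observable.set_Title(description)

        # Record the originating IOC file as the observable source.
        source_description = cybox_common_binding.StructuredTextType()
        source_description.set_valueOf_(
            'OpenIOC File: ' + os.path.basename(infilename))
        observable_source = cybox_common_binding.MeasureSourceType()
        observable_source.set_Description(source_description)
        indicator_observable.set_Observable_Source(observable_source)

        composition = cybox_binding.ObservableCompositionType(
            operator=indicator.get_operator())

        # Process the indicator, including any embedded indicators.
        if not process_indicator(indicator, observables, composition, True, embed_observables):
            # IOC had no indicator items compatible with CybOX
            return None
        indicator_observable.set_Observable_Composition(composition)
        observables.add_Observable(indicator_observable)

    return observables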