def from_dict(process_dict, process_cls = None):
if not process_dict:
return None
if process_cls == None:
process_ = Process()
else:
process_ = process_cls
ObjectProperties.from_dict(process_dict, process_)
process_.is_hidden = process_dict.get('is_hidden')
process_.pid = UnsignedInteger.from_dict(process_dict.get('pid'))
process_.name = String.from_dict(process_dict.get('name'))
process_.creation_time = DateTime.from_dict(process_dict.get('creation_time'))
process_.parent_pid = UnsignedInteger.from_dict(process_dict.get('parent_pid'))
process_.child_pid_list = [UnsignedInteger.from_dict(x) for x in process_dict.get('child_pid_list', [])]
process_.image_info = ImageInfo.from_dict(process_dict.get('image_info'))
process_.argument_list = [String.from_dict(x) for x in process_dict.get('argument_list', [])]
process_.environment_variable_list = EnvironmentVariableList.from_list(process_dict.get('environment_variable_list'))
process_.kernel_time = Duration.from_dict(process_dict.get('kernel_time'))
process_.port_list = [Port.from_dict(x) for x in process_dict.get('port_list', [])]
process_.network_connection_list = [NetworkConnection.from_dict(x) for x in process_dict.get('network_connection_list', [])]
process_.start_time = DateTime.from_dict(process_dict.get('start_time'))
process_.username = String.from_dict(process_dict.get('username'))
process_.user_time = Duration.from_dict(process_dict.get('user_time'))
process_.extracted_features = None
return process_
def from_obj(validity_obj):
if not validity_obj:
return None
validity_ = Validity()
validity_.not_after = DateTime.from_obj(validity_obj.get_Not_After())
validity_.not_before = DateTime.from_obj(validity_obj.get_Not_Before())
return validity_
def from_obj(process_obj, process_cls = None):
if not process_obj:
return None
if process_cls == None:
process_ = Process()
else:
process_ = process_cls
ObjectProperties.from_obj(process_obj, process_)
process_.is_hidden = process_obj.get_is_hidden()
process_.pid = UnsignedInteger.from_obj(process_obj.get_PID())
process_.name = String.from_obj(process_obj.get_Name())
process_.creation_time = DateTime.from_obj(process_obj.get_Creation_Time())
process_.parent_pid = UnsignedInteger.from_obj(process_obj.get_Parent_PID())
process_.image_info = ImageInfo.from_obj(process_obj.get_Image_Info())
process_.environment_variable_list = EnvironmentVariableList.from_obj(process_obj.get_Environment_Variable_List())
process_.kernel_time = Duration.from_obj(process_obj.get_Kernel_Time())
process_.start_time = DateTime.from_obj(process_obj.get_Start_Time())
process_.username = String.from_obj(process_obj.get_Username())
process_.user_time = Duration.from_obj(process_obj.get_User_Time())
process_.extracted_features = None
if process_obj.get_Argument_List() is not None : process_.argument_list = [String.from_obj(x) for x in process_obj.get_Argument_List().get_Argument()]
if process_obj.get_Child_PID_List() is not None : process_.child_pid_list = [UnsignedInteger.from_obj(x) for x in process_obj.get_Child_PID_List().get_Child_PID()]
if process_obj.get_Port_List() is not None : process_.port_list = [Port.from_obj(x) for x in process_obj.get_Port_List().get_Port()]
if process_obj.get_Network_Connection_List() is not None : process_.network_connection_list = [NetworkConnection.from_obj(x) for x in process_obj.get_Network_Connection_List().get_Network_Connection()]
return process_
def from_dict(validity_dict):
if not validity_dict:
return None
validity_ = Validity()
validity_.not_after = DateTime.from_dict(validity_dict.get('not_after'))
validity_.not_before = DateTime.from_dict(validity_dict.get('not_before'))
return validity_
def from_obj(win_file_obj, file_class = None):
if not win_file_obj:
return None
if not file_class:
win_file_ = File.from_obj(win_file_obj, WinFile())
else:
win_file_ = File.from_obj(win_file_obj, file_class)
win_file_.filename_accessed_time = DateTime.from_obj(win_file_obj.get_Filename_Accessed_Time())
win_file_.filename_created_time = DateTime.from_obj(win_file_obj.get_Filename_Created_Time())
win_file_.filename_modified_time = DateTime.from_obj(win_file_obj.get_Filename_Modified_Time())
win_file_.drive = String.from_obj(win_file_obj.get_Drive())
win_file_.security_id = String.from_obj(win_file_obj.get_Security_ID())
win_file_.security_type = String.from_obj(win_file_obj.get_Security_Type())
win_file_.stream_list = StreamList.from_obj(win_file_obj.get_Stream_List())
return win_file_
def from_dict(win_file_dict, file_class = None):
if not win_file_dict:
return None
if not file_class:
win_file_ = File.from_dict(win_file_dict, WinFile())
else:
win_file_ = File.from_dict(win_file_dict, file_class)
win_file_.filename_accessed_time = DateTime.from_dict(win_file_dict.get('filename_accessed_time'))
win_file_.filename_created_time = DateTime.from_dict(win_file_dict.get('filename_created_time'))
win_file_.filename_modified_time = DateTime.from_dict(win_file_dict.get('filename_modified_time'))
win_file_.drive = String.from_dict(win_file_dict.get('drive'))
win_file_.security_id = String.from_dict(win_file_dict.get('security_id'))
win_file_.security_type = String.from_dict(win_file_dict.get('security_type'))
win_file_.stream_list = StreamList.from_list(win_file_dict.get('stream_list'))
return win_file_
def from_obj(file_obj, file_class=None):
if not file_obj:
return None
if not file_class:
file_ = File()
else:
file_ = file_class
ObjectProperties.from_obj(file_obj, file_)
file_.is_packed = file_obj.get_is_packed()
file_.file_name = String.from_obj(file_obj.get_File_Name())
file_.file_path = FilePath.from_obj(file_obj.get_File_Path())
file_.device_path = String.from_obj(file_obj.get_Device_Path())
file_.full_path = String.from_obj(file_obj.get_Full_Path())
file_.file_extension = String.from_obj(file_obj.get_File_Extension())
file_.size_in_bytes = UnsignedLong.from_obj(file_obj.get_Size_In_Bytes())
file_.magic_number = HexBinary.from_obj(file_obj.get_Magic_Number())
file_.file_format = String.from_obj(file_obj.get_File_Format())
file_.hashes = HashList.from_obj(file_obj.get_Hashes())
file_.extracted_features = ExtractedFeatures.from_obj(file_obj.get_Extracted_Features())
#TODO: why are there two Strings and one DateTime here?
file_.modified_time = String.from_obj(file_obj.get_Modified_Time())
file_.accessed_time = String.from_obj(file_obj.get_Accessed_Time())
file_.created_time = DateTime.from_obj(file_obj.get_Created_Time())
return file_
def from_dict(file_dict, file_class=None):
if not file_dict:
return None
if not file_class:
file_ = File()
else:
file_ = file_class
ObjectProperties.from_dict(file_dict, file_)
file_.is_packed = file_dict.get('is_packed')
file_.file_name = String.from_dict(file_dict.get('file_name'))
file_.file_path = FilePath.from_dict(file_dict.get('file_path'))
file_.device_path = String.from_dict(file_dict.get('device_path'))
file_.full_path = String.from_dict(file_dict.get('full_path'))
file_.file_extension = String.from_dict(file_dict.get('file_extension'))
file_.size_in_bytes = UnsignedLong.from_dict(file_dict.get('size_in_bytes'))
file_.magic_number = HexBinary.from_dict(file_dict.get('magic_number'))
file_.file_format = String.from_dict(file_dict.get('file_format'))
file_.hashes = HashList.from_list(file_dict.get('hashes'))
file_.extracted_features = ExtractedFeatures.from_dict(file_dict.get('extracted_features'))
file_.modified_time = String.from_dict(file_dict.get('modified_time'))
file_.accessed_time = String.from_dict(file_dict.get('accessed_time'))
file_.created_time = DateTime.from_dict(file_dict.get('created_time'))
return file_
def from_dict(whois_dict):
if not whois_dict:
return None
whois = WhoisEntry()
ObjectProperties.from_dict(whois_dict, whois)
whois.domain_name = URI.from_dict(whois_dict.get('domain_name'))
whois.domain_id = String.from_dict(whois_dict.get('domain_id'))
whois.server_name = URI.from_dict(whois_dict.get('server_name'))
whois.ip_address = Address.from_dict(whois_dict.get('ip_address'), Address.CAT_IPV4)
whois.dnssec = whois_dict.get('dnssec')
whois.nameservers = WhoisNameservers.from_list(whois_dict.get('nameservers'))
whois.status = WhoisStatuses.from_list(whois_dict.get('status'))
whois.updated_date = DateTime.from_dict(whois_dict.get('updated_date'))
whois.creation_date = DateTime.from_dict(whois_dict.get('creation_date'))
whois.expiration_date = DateTime.from_dict(whois_dict.get('expiration_date'))
whois.regional_internet_registry = String.from_dict(whois_dict.get('regional_internet_registry'))
whois.sponsoring_registrar = String.from_dict(whois_dict.get('sponsoring_registrar'))
whois.registrar_info = WhoisRegistrar.from_dict(whois_dict.get('registrar_info'))
whois.registrants = WhoisRegistrants.from_list(whois_dict.get('registrants'))
whois.contact_info = WhoisContact.from_dict(whois_dict.get('contact_info'))
return whois
def from_obj(whois_obj):
if not whois_obj:
return None
whois = WhoisEntry()
ObjectProperties.from_obj(whois_obj, whois)
whois.domain_name = URI.from_obj(whois_obj.get_Domain_Name())
whois.domain_id = String.from_obj(whois_obj.get_Domain_ID())
whois.server_name = URI.from_obj(whois_obj.get_Server_Name())
whois.ip_address = Address.from_obj(whois_obj.get_IP_Address())
whois.dnssec = whois_obj.get_DNSSEC()
whois.nameservers = WhoisNameservers.from_obj(whois_obj.get_Nameservers())
whois.status = WhoisStatuses.from_obj(whois_obj.get_Status())
whois.updated_date = DateTime.from_obj(whois_obj.get_Updated_Date())
whois.creation_date = DateTime.from_obj(whois_obj.get_Creation_Date())
whois.expiration_date = DateTime.from_obj(whois_obj.get_Expiration_Date())
whois.regional_internet_registry = String.from_obj(whois_obj.get_Regional_Internet_Registry())
whois.sponsoring_registrar = String.from_obj(whois_obj.get_Sponsoring_Registrar())
whois.registrar_info = WhoisRegistrar.from_obj(whois_obj.get_Registrar_Info())
whois.registrants = WhoisRegistrants.from_obj(whois_obj.get_Registrants())
whois.contact_info = WhoisContact.from_obj(whois_obj.get_Contact_Info())
return whois
def from_obj(network_connection_obj):
if not network_connection_obj:
return None
network_connection_ = NetworkConnection()
network_connection_.tls_used = network_connection_obj.get_tls_used()
network_connection_.creation_time = DateTime.from_obj(network_connection_obj.get_Creation_Time())
network_connection_.layer3_protocol = String.from_obj(network_connection_obj.get_Layer3_Protocol())
network_connection_.layer4_protocol = String.from_obj(network_connection_obj.get_Layer4_Protocol())
network_connection_.layer7_protocol = String.from_obj(network_connection_obj.get_Layer7_Protocol())
network_connection_.source_socket_address = SocketAddress.from_obj(network_connection_obj.get_Source_Socket_Address())
network_connection_.source_tcp_state = network_connection_obj.get_Source_TCP_State()
network_connection_.destination_socket_address = SocketAddress.from_obj(network_connection_obj.get_Destination_Socket_Address())
network_connection_.destination_tcp_state = network_connection_obj.get_Destination_TCP_State()
network_connection_.layer7_connections = Layer7Connections.from_obj(network_connection_obj.get_Layer7_Connections())
return network_connection_
def from_dict(network_connection_dict):
if not network_connection_dict:
return None
network_connection_ = NetworkConnection()
network_connection_.tls_used = network_connection_dict.get('tls_used')
network_connection_.creation_time = DateTime.from_dict(network_connection_dict.get('creation_time'))
network_connection_.layer3_protocol = String.from_dict(network_connection_dict.get('layer3_protocol'))
network_connection_.layer4_protocol = String.from_dict(network_connection_dict.get('layer4_protocol'))
network_connection_.layer7_protocol = String.from_dict(network_connection_dict.get('layer7_protocol'))
network_connection_.source_socket_address = SocketAddress.from_dict(network_connection_dict.get('source_socket_address'))
network_connection_.source_tcp_state = network_connection_dict.get('source_tcp_state')
network_connection_.destination_socket_address = SocketAddress.from_dict(network_connection_dict.get('destination_socket_address'))
network_connection_.destination_tcp_state = network_connection_dict.get('destination_tcp_state')
network_connection_.layer7_connections = Layer7Connections.from_dict(network_connection_dict.get('layer7_connections'))
return network_connection_
def from_dict(header_dict):
header = EmailHeader()
header.to = EmailRecipients.from_dict(header_dict.get('to'))
header.cc = EmailRecipients.from_dict(header_dict.get('cc'))
header.bcc = EmailRecipients.from_dict(header_dict.get('bcc'))
header.from_ = Address.from_dict(header_dict.get('from'), Address.CAT_EMAIL)
header.subject = String.from_dict(header_dict.get('subject'))
header.in_reply_to = String.from_dict(header_dict.get('in_reply_to'))
header.date = DateTime.from_dict(header_dict.get('date'))
header.message_id = String.from_dict(header_dict.get('message_id'))
header.sender = Address.from_dict(header_dict.get('sender'), Address.CAT_EMAIL)
header.reply_to = Address.from_dict(header_dict.get('reply_to'), Address.CAT_EMAIL)
header.errors_to = String.from_dict(header_dict.get('errors_to'))
return header
def from_obj(header_obj):
header = EmailHeader()
header.to = EmailRecipients.from_obj(header_obj.get_To())
header.cc = EmailRecipients.from_obj(header_obj.get_CC())
header.bcc = EmailRecipients.from_obj(header_obj.get_BCC())
header.from_ = Address.from_obj(header_obj.get_From())
header.subject = String.from_obj(header_obj.get_Subject())
header.in_reply_to = String.from_obj(header_obj.get_In_Reply_To())
header.date = DateTime.from_obj(header_obj.get_Date())
header.message_id = String.from_obj(header_obj.get_Message_ID())
header.sender = Address.from_obj(header_obj.get_Sender())
header.reply_to = Address.from_obj(header_obj.get_Reply_To())
header.errors_to = String.from_obj(header_obj.get_Errors_To())
return header
def from_obj(registry_key_obj):
if not registry_key_obj:
return None
win_registry_key_ = WinRegistryKey()
win_registry_key_.key = String.from_obj(registry_key_obj.get_Key())
win_registry_key_.hive = String.from_obj(registry_key_obj.get_Hive())
win_registry_key_.number_values = UnsignedInteger.from_obj(registry_key_obj.get_Number_Values())
win_registry_key_.modified_time = DateTime.from_obj(registry_key_obj.get_Modified_Time())
win_registry_key_.creator_username = String.from_obj(registry_key_obj.get_Creator_Username())
win_registry_key_.handle_list = WinHandleList.from_obj(registry_key_obj.get_Handle_List())
win_registry_key_.number_subkeys = UnsignedInteger.from_obj(registry_key_obj.get_Number_Subkeys())
#win_registry_key_.byte_runs = ByteRuns.from_obj(registry_key_obj.get_Byte_Runs())
if registry_key_obj.get_Values() is not None:
for registry_value_obj in registry_key_obj.get_Values().get_Value():
win_registry_key_.values.append(RegistryValue.from_obj(registry_value_obj))
if registry_key_obj.get_Subkeys() is not None:
for registry_subkey_obj in registry_key_dict.get_Subkeys().get_Subkey():
win_registry_key_.subkeys.append(WinRegistryKey.from_obj(registry_subkey_obj))
return win_registry_key_
def from_dict(registry_key_dict):
if not registry_key_dict:
return None
win_registry_key_ = WinRegistryKey()
win_registry_key_.key = String.from_dict(registry_key_dict.get('key'))
win_registry_key_.hive = String.from_dict(registry_key_dict.get('hive'))
win_registry_key_.number_values = UnsignedInteger.from_dict(registry_key_dict.get('number_values'))
win_registry_key_.modified_time = DateTime.from_dict(registry_key_dict.get('modified_time'))
win_registry_key_.creator_username = String.from_dict(registry_key_dict.get('creator_username'))
win_registry_key_.handle_list = WinHandleList.from_list(registry_key_dict.get('handle_list'))
win_registry_key_.number_subkeys = UnsignedInteger.from_dict(registry_key_dict.get('number_subkeys'))
#win_registry_key_.byte_runs = ByteRuns.from_dict(registry_key_dict.get('byte_runs'))
if registry_key_dict.get('values') is not None:
for registry_value_dict in registry_key_dict.get('values'):
win_registry_key_.values.append(RegistryValue.from_dict(registry_value_dict))
if registry_key_dict.get('subkeys') is not None:
for registry_subkey_dict in registry_key_dict.get('subkeys'):
win_registry_key_.subkeys.append(WinRegistryKey.from_dict(registry_subkey_dict))
return win_registry_key_
build_information.compiler_version = String('')
build_information.linker_name = String('')
build_information.linker_version = String('')
# https://cybox.readthedocs.org/en/stable/_modules/cybox/common/digitalsignature.html#DigitalSignature
digital_signature = DigitalSignature()
digital_signature.certificate_issuer = String('')
digital_signature.certificate_subject = String('')
digital_signature.signature_description = String('')
digital_signature.signature_exists = None
digital_signature.signature_verified = None
# https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEExports
exports = PEExports()
exports.exported_functions = PEExportedFunctions()
exports.exports_time_stamp = DateTime()
exports.name = String()
exports.number_of_addresses = Long()
exports.number_of_functions = Integer()
exports.number_of_names = Long()
# The Extraneous_Bytes field specifies the number of extraneous bytes contained in the PE binary.
extraneous_bytes = Integer()
# https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEHeaders
headers = PEHeaders()
headers.dos_header = DOSHeader()
headers.entropy = Entropy()
headers.file_header = PEFileHeader()
headers.hashes = HashList()
headers.optional_header = PEOptionalHeader()
def test_parse_datetime(self):
cybox_dt = DateTime(self.dt)
self.assertEqual(self.dt, cybox_dt.value)
self.assertEqual(self.dt.isoformat(), six.text_type(cybox_dt))
def test_isodate(self):
now = datetime.datetime.now()
dt = DateTime(now)
self.assertEqual(now.isoformat(), dt.serialized_value)
def test_isodate(self):
now = datetime.datetime.now()
dt = DateTime(now)
self.assertEqual(now.isoformat(), dt.serialized_value)
self.assertEqual(now.isoformat(), dt.to_obj().valueOf_)
def test_parse_date_string(self):
cybox_dt2 = DateTime(self.dt_str)
self.assertEqual(self.dt, cybox_dt2.value)
self.assertEqual(self.dt.isoformat(), cybox_dt2.serialized_value)
self.assertEqual(self.dt.isoformat(), str(cybox_dt2))
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"):
"""
Convert a CRITs TLO to a CybOX Observable.
:param obj: The TLO to convert.
:type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes`
:param exclude: Attributes to exclude.
:type exclude: list
:param bin_fmt: The format for the binary (if applicable).
:type bin_fmt: str
"""
type_ = obj._meta['crits_type']
if type_ == 'Certificate':
custom_prop = Property(
) # make a custom property so CRITs import can identify Certificate exports
custom_prop.name = "crits_type"
custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
custom_prop._value = "Certificate"
obje = File() # represent cert information as file
obje.md5 = obj.md5
obje.file_name = obj.filename
obje.file_format = obj.filetype
obje.size_in_bytes = obj.size
obje.custom_properties = CustomProperties()
obje.custom_properties.append(custom_prop)
obs = Observable(obje)
obs.description = obj.description
data = obj.filedata.read()
if data: # if cert data available
a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data
a.packaging.append(Base64Encoding())
obje.add_related(a, "Child_Of") # relate artifact to file
return ([obs], obj.releasability)
elif type_ == 'Domain':
obje = DomainName()
obje.value = obj.domain
obje.type_ = obj.record_type
return ([Observable(obje)], obj.releasability)
elif type_ == 'Email':
if exclude == None:
exclude = []
observables = []
obje = EmailMessage()
# Assume there is going to be at least one header
obje.header = EmailHeader()
if 'message_id' not in exclude:
obje.header.message_id = String(obj.message_id)
if 'subject' not in exclude:
obje.header.subject = String(obj.subject)
if 'sender' not in exclude:
obje.header.sender = Address(obj.sender, Address.CAT_EMAIL)
if 'reply_to' not in exclude:
obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL)
if 'x_originating_ip' not in exclude:
obje.header.x_originating_ip = Address(obj.x_originating_ip,
Address.CAT_IPV4)
if 'x_mailer' not in exclude:
obje.header.x_mailer = String(obj.x_mailer)
if 'boundary' not in exclude:
obje.header.boundary = String(obj.boundary)
if 'raw_body' not in exclude:
obje.raw_body = obj.raw_body
if 'raw_header' not in exclude:
obje.raw_header = obj.raw_header
#copy fields where the names differ between objects
if 'helo' not in exclude and 'email_server' not in exclude:
obje.email_server = String(obj.helo)
if ('from_' not in exclude and 'from' not in exclude
and 'from_address' not in exclude):
obje.header.from_ = EmailAddress(obj.from_address)
if 'date' not in exclude and 'isodate' not in exclude:
obje.header.date = DateTime(obj.isodate)
obje.attachments = Attachments()
observables.append(Observable(obje))
return (observables, obj.releasability)
elif type_ == 'Indicator':
observables = []
obje = make_cybox_object(obj.ind_type, obj.value)
observables.append(Observable(obje))
return (observables, obj.releasability)
elif type_ == 'IP':
obje = Address()
obje.address_value = obj.ip
if obj.ip_type == IPTypes.IPv4_ADDRESS:
obje.category = "ipv4-addr"
elif obj.ip_type == IPTypes.IPv6_ADDRESS:
obje.category = "ipv6-addr"
elif obj.ip_type == IPTypes.IPv4_SUBNET:
obje.category = "ipv4-net"
elif obj.ip_type == IPTypes.IPv6_SUBNET:
obje.category = "ipv6-subnet"
return ([Observable(obje)], obj.releasability)
elif type_ == 'PCAP':
obje = File()
obje.md5 = obj.md5
obje.file_name = obj.filename
obje.file_format = obj.contentType
obje.size_in_bytes = obj.length
obs = Observable(obje)
obs.description = obj.description
art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK)
art.packaging.append(Base64Encoding())
obje.add_related(art, "Child_Of") # relate artifact to file
return ([obs], obj.releasability)
elif type_ == 'RawData':
obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE)
obje.packaging.append(Base64Encoding())
obs = Observable(obje)
obs.description = obj.description
return ([obs], obj.releasability)
elif type_ == 'Sample':
if exclude == None:
exclude = []
observables = []
f = File()
for attr in ['md5', 'sha1', 'sha256']:
if attr not in exclude:
val = getattr(obj, attr, None)
if val:
setattr(f, attr, val)
if obj.ssdeep and 'ssdeep' not in exclude:
f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP))
if 'size' not in exclude and 'size_in_bytes' not in exclude:
f.size_in_bytes = UnsignedLong(obj.size)
if 'filename' not in exclude and 'file_name' not in exclude:
f.file_name = obj.filename
# create an Artifact object for the binary if it exists
if 'filedata' not in exclude and bin_fmt:
data = obj.filedata.read()
if data: # if sample data available
a = Artifact(data,
Artifact.TYPE_FILE) # create artifact w/data
if bin_fmt == "zlib":
a.packaging.append(ZlibCompression())
a.packaging.append(Base64Encoding())
elif bin_fmt == "base64":
a.packaging.append(Base64Encoding())
f.add_related(a, "Child_Of") # relate artifact to file
if 'filetype' not in exclude and 'file_format' not in exclude:
#NOTE: this doesn't work because the CybOX File object does not
# have any support built in for setting the filetype to a
# CybOX-binding friendly object (e.g., calling .to_dict() on
# the resulting CybOX object fails on this field.
f.file_format = obj.filetype
observables.append(Observable(f))
return (observables, obj.releasability)
else:
return (None, None)
def test_list_dates(self):
dt = DateTime([self.dt, self.dt, self.dt])
self.assertEqual(3, len(dt.value))
expected = "{0}{1}{0}{1}{0}".format(self.dt.isoformat(), DEFAULT_DELIM)
actual = normalize_to_xml(dt.serialized_value, DEFAULT_DELIM)
self.assertEqual(expected, actual)
def to_cybox_observable(self, exclude=None):
"""
Convert an email to a CybOX Observables.
Pass parameter exclude to specify fields that should not be
included in the returned object.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
if exclude == None:
exclude = []
observables = []
obj = EmailMessage()
# Assume there is going to be at least one header
obj.header = EmailHeader()
if 'message_id' not in exclude:
obj.header.message_id = String(self.message_id)
if 'subject' not in exclude:
obj.header.subject = String(self.subject)
if 'sender' not in exclude:
obj.header.sender = Address(self.sender, Address.CAT_EMAIL)
if 'reply_to' not in exclude:
obj.header.reply_to = Address(self.reply_to, Address.CAT_EMAIL)
if 'x_originating_ip' not in exclude:
obj.header.x_originating_ip = Address(self.x_originating_ip,
Address.CAT_IPV4)
if 'x_mailer' not in exclude:
obj.header.x_mailer = String(self.x_mailer)
if 'boundary' not in exclude:
obj.header.boundary = String(self.boundary)
if 'raw_body' not in exclude:
obj.raw_body = self.raw_body
if 'raw_header' not in exclude:
obj.raw_header = self.raw_header
#copy fields where the names differ between objects
if 'helo' not in exclude and 'email_server' not in exclude:
obj.email_server = String(self.helo)
if ('from_' not in exclude and 'from' not in exclude
and 'from_address' not in exclude):
obj.header.from_ = EmailAddress(self.from_address)
if 'date' not in exclude and 'isodate' not in exclude:
obj.header.date = DateTime(self.isodate)
obj.attachments = Attachments()
observables.append(Observable(obj))
return (observables, self.releasability)
