 def from_obj(object_obj):
     """Build an AssociatedObject from its generated binding object.

     Returns None for a falsy *object_obj*. Otherwise the common Object
     fields are filled in by Object.from_obj and the Association_Type child
     is converted through AssociationType.from_obj.
     """
     if not object_obj:
         return None

     associated = Object.from_obj(object_obj, AssociatedObject())
     assoc_type_binding = object_obj.get_Association_Type()
     associated.association_type = AssociationType.from_obj(assoc_type_binding)
     return associated
 def from_obj(bundle_obj):
     """Deserialise a Bundle binding object into a Bundle.

     Returns None for a falsy input. The scalar fields and the
     Malware_Instance_Object_Attributes, Process_Tree and Collections
     children are always converted; AV classifications, behaviors,
     capabilities, actions, objects and candidate indicators are only
     assigned when the binding carries them, so the Bundle's own defaults
     survive when they are absent.
     """
     if not bundle_obj:
         return None

     result = Bundle(None, None)
     result.id = bundle_obj.get_id()
     result.schema_version = bundle_obj.get_schema_version()
     result.defined_subject = bundle_obj.get_defined_subject()
     result.content_type = bundle_obj.get_content_type()
     result.timestamp = bundle_obj.get_timestamp()

     attributes_binding = bundle_obj.get_Malware_Instance_Object_Attributes()
     result.malware_instance_object_attributes = Object.from_obj(attributes_binding)

     av_binding = bundle_obj.get_AV_Classifications()
     if av_binding is not None:
         result.av_classifications = AVClassifications.from_obj(av_binding)

     result.process_tree = ProcessTree.from_obj(bundle_obj.get_Process_Tree())

     behaviors_binding = bundle_obj.get_Behaviors()
     if behaviors_binding is not None:
         result.behaviors = BehaviorList.from_obj(behaviors_binding)

     capabilities_binding = bundle_obj.get_Capabilities()
     if capabilities_binding is not None:
         result.capabilities = CapabilityList.from_obj(capabilities_binding)

     actions_binding = bundle_obj.get_Actions()
     if actions_binding is not None:
         result.actions = ActionList.from_obj(actions_binding)

     objects_binding = bundle_obj.get_Objects()
     if objects_binding is not None:
         result.objects = ObjectList.from_obj(objects_binding)

     indicators_binding = bundle_obj.get_Candidate_Indicators()
     if indicators_binding is not None:
         result.candidate_indicators = CandidateIndicatorList.from_obj(indicators_binding)

     result.collections = Collections.from_obj(bundle_obj.get_Collections())
     return result
 def from_obj(object_obj):
     """Build an AssociatedObject from its binding object.

     Returns None for a falsy *object_obj*. The shared Object fields are
     filled by Object.from_obj; the Association_Type attribute of the
     binding is converted to a VocabString.
     """
     if not object_obj:
         return None

     associated = Object.from_obj(object_obj, AssociatedObject())
     assoc_type_binding = object_obj.Association_Type
     associated.association_type = VocabString.from_obj(assoc_type_binding)
     return associated
    def from_obj(observable_obj):
        """Deserialise an Observable binding object into an Observable.

        Returns None for a falsy input. Scalar attributes (id, title,
        idref, sighting count) are copied as-is; Description, Object,
        Event, Observable_Composition, Keywords and Pattern_Fidelity are
        converted through their own from_obj, and Observable_Source becomes
        a list of MeasureSource only when the binding has one.
        """
        if not observable_obj:
            return None

        # PatternFidelity is imported here rather than at module level —
        # presumably to avoid an import cycle with cybox.core; confirm.
        from cybox.core import PatternFidelity

        result = Observable()
        result.id_ = observable_obj.id
        result.title = observable_obj.Title
        result.description = StructuredText.from_obj(observable_obj.Description)
        result.object_ = Object.from_obj(observable_obj.Object)
        result.event = Event.from_obj(observable_obj.Event)
        composition_binding = observable_obj.Observable_Composition
        result.observable_composition = ObservableComposition.from_obj(composition_binding)
        result.idref = observable_obj.idref
        result.sighting_count = observable_obj.sighting_count

        source_bindings = observable_obj.Observable_Source
        if source_bindings:
            result.observable_source = list(map(MeasureSource.from_obj, source_bindings))

        result.keywords = Keywords.from_obj(observable_obj.Keywords)
        fidelity_binding = observable_obj.Pattern_Fidelity
        result.pattern_fidelity = PatternFidelity.from_obj(fidelity_binding)
        return result
    def from_obj(observable_obj):
        """Deserialise an Observable binding object into an Observable.

        Returns None for a falsy input; otherwise copies id, title and
        idref and converts the Description, Object and
        Observable_Composition children through their own from_obj.
        """
        if not observable_obj:
            return None

        result = Observable()
        result.id_ = observable_obj.get_id()
        result.title = observable_obj.get_Title()
        description_binding = observable_obj.get_Description()
        result.description = StructuredText.from_obj(description_binding)
        object_binding = observable_obj.get_Object()
        result.object_ = Object.from_obj(object_binding)
        composition_binding = observable_obj.get_Observable_Composition()
        result.observable_composition = ObservableComposition.from_obj(composition_binding)
        result.idref = observable_obj.get_idref()
        return result
    def from_obj(observable_obj):
        """Deserialise an Observable binding object into an Observable.

        Returns None for a falsy input. Scalar fields (id, title, idref,
        sighting count) are copied; Description, Object, Event and
        Observable_Composition are converted through their own from_obj;
        Observable_Source becomes a list of MeasureSource only when the
        binding provides one.
        """
        if not observable_obj:
            return None

        result = Observable()
        result.id_ = observable_obj.get_id()
        result.title = observable_obj.get_Title()
        result.description = StructuredText.from_obj(observable_obj.get_Description())
        result.object_ = Object.from_obj(observable_obj.get_Object())
        result.event = Event.from_obj(observable_obj.get_Event())
        composition_binding = observable_obj.get_Observable_Composition()
        result.observable_composition = ObservableComposition.from_obj(composition_binding)
        result.idref = observable_obj.get_idref()
        result.sighting_count = observable_obj.get_sighting_count()

        source_bindings = observable_obj.get_Observable_Source()
        if source_bindings:
            result.observable_source = list(map(MeasureSource.from_obj, source_bindings))
        return result
 def from_obj(malware_subject_obj):
     """Deserialise a MalwareSubject binding object into a MalwareSubject.

     Returns None for a falsy input. Child elements are converted through
     their own from_obj; Label and Compatible_Platform are list-valued and
     are only assigned when non-empty. field_data is not supported yet and
     is always set to None.
     """
     if not malware_subject_obj:
         return None

     subject = MalwareSubject(None)
     subject.id = malware_subject_obj.get_id()
     subject.malware_instance_object_attributes = Object.from_obj(
         malware_subject_obj.get_Malware_Instance_Object_Attributes())
     subject.minor_variants = MinorVariants.from_obj(
         malware_subject_obj.get_Minor_Variants())
     subject.configuration_details = MalwareConfigurationDetails.from_obj(
         malware_subject_obj.get_Configuration_Details())
     subject.development_environment = MalwareDevelopmentEnvironment.from_obj(
         malware_subject_obj.get_Development_Environment())
     subject.field_data = None  # TODO: add support
     subject.analyses = Analyses.from_obj(malware_subject_obj.get_Analyses())
     subject.findings_bundles = FindingsBundleList.from_obj(
         malware_subject_obj.get_Findings_Bundles())
     subject.relationships = MalwareSubjectRelationshipList.from_obj(
         malware_subject_obj.get_Relationships())

     label_bindings = malware_subject_obj.get_Label()
     if label_bindings:
         subject.label = list(map(VocabString.from_obj, label_bindings))

     platform_bindings = malware_subject_obj.get_Compatible_Platform()
     if platform_bindings:
         subject.compatible_platform = list(map(PlatformSpecification.from_obj, platform_bindings))
     return subject
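    def __get_email_cybox_object(self, email_sha256, log, config=None):
        """Load the CybOX e-mail report stored under ``config['emailpath']``.

        The report for a message lives at
        ``<emailpath>/<ab>/<cd>/<sha256>/cybox-<sha256>-message.xml``,
        where ``ab`` and ``cd`` are the first two byte-pairs of the hash;
        the STIX wrapper path alongside it is returned for the caller.

        Returns a three-tuple ``(email_properties, other_observables,
        (stix_path, stix_filename))``. Every element is None when no
        *config* is given, when *email_sha256* is not a 64-digit hex
        digest, when the report is missing, or when parsing fails; the
        last three cases are logged via *log*.

        *email_sha256* is spliced into filesystem paths, so it is checked
        against the SHA-256 hex-digest shape before any path is built —
        a value carrying separators or ``..`` must never reach
        os.path.join here.
        """
        import re

        if not config:
            return None, None, None

        # Only a canonical SHA-256 hex digest may become a path component.
        # re.match raises TypeError for non-string input; treat that as
        # malformed rather than letting it propagate.
        try:
            well_formed = re.match(r'[0-9a-fA-F]{64}\Z', email_sha256) is not None
        except TypeError:
            well_formed = False
        if not well_formed:
            log.warning("refusing malformed email hash: %r" % (email_sha256,))
            return None, None, None

        mail_path = os.path.join(config['emailpath'], email_sha256[0:2], email_sha256[2:4], email_sha256)
        email_path = os.path.join(mail_path, 'cybox-%s-message.xml' % (email_sha256))
        email_stix_filename = 'stix-%s-email-message.xml' % (email_sha256)
        email_stix_path = os.path.join(mail_path, email_stix_filename)

        if not (os.path.exists(mail_path) and os.path.exists(email_path)):
            log.warning("no cybox report or email found for given hash: %s" % (email_path))
            return None, None, None

        try:
            observables_obj = cybox_core_binding.parse(email_path)
            obs = Observables.from_obj(observables_obj)
            # The first observable is the e-mail message itself; the rest
            # are the observables extracted from it.
            email_observables = obs.observables[1:]
            email_object = Object.from_obj(obs.observables[0].to_obj().Object)
            return email_object._properties, email_observables, (email_stix_path, email_stix_filename)
        except StandardError as e:
            # StandardError exists only on Python 2 (the file's target, going
            # by this clause); on Python 3 this name would be Exception.
            log.error("failed extracting cybox email observable: %s" % (e))
            return None, None, None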
    def from_obj(observable_obj):
        """Deserialise an Observable binding object into an Observable.

        Returns None for a falsy input. id, title, idref and sighting
        count are copied directly; Description, Object, Event,
        Observable_Composition, Keywords and Pattern_Fidelity are converted
        through their own from_obj; Observable_Source is turned into a
        list of MeasureSource only when present.
        """
        if not observable_obj:
            return None

        # Local import — presumably avoids an import cycle with cybox.core.
        from cybox.core import PatternFidelity

        result = Observable()
        result.id_ = observable_obj.id
        result.title = observable_obj.Title
        result.description = StructuredText.from_obj(observable_obj.Description)
        result.object_ = Object.from_obj(observable_obj.Object)
        result.event = Event.from_obj(observable_obj.Event)
        result.observable_composition = ObservableComposition.from_obj(
            observable_obj.Observable_Composition)
        result.idref = observable_obj.idref
        result.sighting_count = observable_obj.sighting_count

        source_bindings = observable_obj.Observable_Source
        if source_bindings:
            result.observable_source = list(map(MeasureSource.from_obj, source_bindings))

        result.keywords = Keywords.from_obj(observable_obj.Keywords)
        result.pattern_fidelity = PatternFidelity.from_obj(
            observable_obj.Pattern_Fidelity)
        return result
 def from_obj(object_obj):
     """Build an AssociatedObject from its binding object.

     Returns None for a falsy *object_obj*. Common Object fields are filled
     by Object.from_obj; the Association_Type child is converted to a
     VocabString and stored on ``association_type_``.
     """
     if not object_obj:
         return None

     associated = Object.from_obj(object_obj, AssociatedObject())
     assoc_type_binding = object_obj.get_Association_Type()
     associated.association_type_ = VocabString.from_obj(assoc_type_binding)
     return associated
 def from_obj(object_obj):
     """Build an AssociatedObject from its binding object.

     Returns None for a falsy *object_obj*. Common Object fields are filled
     by Object.from_obj; the binding's Association_Type attribute is
     converted through AssociationType.from_obj.
     """
     if not object_obj:
         return None

     associated = Object.from_obj(object_obj, AssociatedObject())
     assoc_type_binding = object_obj.Association_Type
     associated.association_type = AssociationType.from_obj(assoc_type_binding)
     return associated