def _run_inspector_test(self, inspector, directory_name): # Output paths output_dir_path = os.path.join('test', 'test_extracted_data', directory_name) inspected_data_file_path = os.path.join(output_dir_path, INSPECTED_DATA_FILE_NAME) source_data_file_path = os.path.join(output_dir_path, SOURCE_DATA_FILE_NAME) # Execute the inspector inspected_objects, source_objects = inspector.execute( self.device_info, output_dir_path) # write the results write_observables_xml_file(Observables(inspected_objects), inspected_data_file_path, simple_output=True) write_observables_xml_file(Observables(source_objects), source_data_file_path, simple_output=True) # Assert xml files were written self.assertTrue(os.path.exists(inspected_data_file_path)) self.assertTrue(os.path.exists(source_data_file_path)) # Delete the created files os.remove(inspected_data_file_path) os.remove(source_data_file_path)
def test_round_trip_xml(self): np = NetworkPacket.from_dict(self._full_dict) xml = Observables(np).to_xml() new_obj = Observables.from_obj(parseString(xml)) new_dict = new_obj.observables[0].object_.properties.to_dict() self.maxDiff = None self.assertEqual(self._full_dict, new_dict)
def add_observable(self, observable): """Adds an ``Observable`` object to the :attr:`observables` collection. If `observable` is not an ``Observable`` instance, an effort will be made to convert it to one. """ if not self.observables: self.observables = Observables(observables=observable) else: self.observables.add(observable)
def main(): print '<?xml version="1.0" encoding="UTF-8"?>' v = AnyURI("www.sample1.com/index.html") v.condition = "Equals" u = URI() u.value = v u.type_ = URI.TYPE_URL o = Observables(u) print o.to_xml()
def cybox_mutex(observable, observable_type, objects): nsname, nsurl = observable.namespace.last().namespace.split(':', 1) NS = cybox.utils.Namespace(nsurl, nsname) cybox.utils.set_id_namespace(NS) observables = Observables() for obj in objects: m = Mutex() m.name = obj.mutex_name o = Observable(m) o.title = observable.name o.description = observable.description observables.add(o) return observables
def main(): fn = 'se_07.xml' print "parsing input xml document..." observables_obj = cybox_core_binding.parse(fn) # build a binding object observables = Observables.from_obj(observables_obj) # build an api object from binding observables_dict = observables.to_dict() # create dictionary from api object pprint(observables_dict) print "building xml from dictionary..." observables_two = Observables.from_dict(observables_dict) # create copy api object from dictionary xml = observables_two.to_xml() # generate xml from copied api object print xml
def test_round_trip(self): a = Address("*****@*****.**", Address.CAT_EMAIL) a2 = Address("*****@*****.**", Address.CAT_EMAIL) ms = MeasureSource() ms.class_ = "System" ms.source_type = "Analysis" ms.description = StructuredText("A Description") o = Observables([a, a2]) o.observable_package_source = ms o2 = round_trip(o, output=True) self.assertEqual(o.to_dict(), o2.to_dict())
def test_get_namespaces(self): m = EmailMessage() m.to = "*****@*****.**" m.subject = "Here's a cool picture" m.links = Links() u = URI("http://example.com/cool.jpg", URI.TYPE_URL) m.links.append(u.parent.id_) o = Observables([u, m]) logger.info(o.to_xml()) actual_namespaces = o._get_namespaces() logger.info("\n".join([str(x) for x in actual_namespaces])) self.assertEqual(5, len(actual_namespaces))
def cybox_http(observable, observable_type, objects): nsname, nsurl = observable.namespace.last().namespace.split(':', 1) NS = cybox.utils.Namespace(nsurl, nsname) cybox.utils.set_id_namespace(NS) observables = Observables() for obj in objects: h = cybox_object_http(obj) # get related objects related_objects_list = get_related_objects_for_object(obj.id, observable_type) o = Observable(h) o.title = observable.name o.description = observable.description observables.add(o) return observables
def cybox_http(observable, observable_type, objects): nsname, nsurl = observable.namespace.split(':', 1) NS = cybox.utils.Namespace(nsurl, nsname) cybox.utils.set_id_namespace(NS) observables = Observables() for obj in objects: h = cybox_object_http(obj) # get related objects related_objects_list = get_related_objects_for_object(obj.id, observable_type) o = Observable(h) o.title = observable.name o.description = observable.description observables.add(o) return observables
def test_get_namespaces(self): m = EmailMessage() m.to = "*****@*****.**" m.subject = "Here's a cool picture" m.links = Links() u = URI("http://example.com/cool.jpg", URI.TYPE_URL) m.links.append(u.parent.id_) o = Observables([u, m]) print o.to_xml() actual_namespaces = o._get_namespaces() print "\n".join([str(x) for x in actual_namespaces]) self.assertEqual(5, len(actual_namespaces))
def from_obj(cls, obj, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header) return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages) if obj.version: return_obj.version = obj.version if obj.Campaigns: return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign] if obj.Courses_Of_Action: return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action] if obj.Exploit_Targets: return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target] if obj.Indicators: return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator] if obj.Observables: return_obj.observables = Observables.from_obj(obj.Observables) if obj.Incidents: return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident] if obj.Threat_Actors: return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor] if obj.TTPs: return_obj.ttps = TTPs.from_obj(obj.TTPs) return return_obj
def from_obj(cls, obj, return_obj=None): if not return_obj: return_obj = cls() # ReportBaseType fields return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp # ReportType fields if isinstance(obj, cls._binding_class): return_obj.header = Header.from_obj(obj.Header) return_obj.campaigns = Campaigns.from_obj(obj.Campaigns) return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action) return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets) return_obj.indicators = Indicators.from_obj(obj.Indicators) return_obj.observables = Observables.from_obj(obj.Observables) return_obj.incidents = Incidents.from_obj(obj.Incidents) return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors) return_obj.ttps = TTPs.from_obj(obj.TTPs) return_obj.related_reports = RelatedReports.from_obj(obj.Related_Reports) # Don't overwrite unless a version is passed in if obj.version: return_obj.version = obj.version return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp if isinstance(obj, cls._binding_class): # CourseOfActionType properties return_obj.version = obj.version return_obj.title = obj.Title return_obj.stage = VocabString.from_obj(obj.Stage) return_obj.type_ = VocabString.from_obj(obj.Type) return_obj.description = StructuredText.from_obj(obj.Description) return_obj.short_description = StructuredText.from_obj(obj.Short_Description) return_obj.objective = Objective.from_obj(obj.Objective) return_obj.parameter_observables = \ Observables.from_obj(obj.Parameter_Observables) return_obj.impact = Statement.from_obj(obj.Impact) return_obj.cost = Statement.from_obj(obj.Cost) return_obj.efficacy = Statement.from_obj(obj.Efficacy) return_obj.information_source = InformationSource.from_obj(obj.Information_Source) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.related_coas = \ RelatedCOAs.from_obj(obj.Related_COAs) return_obj.related_packages = \ RelatedPackageRefs.from_obj(obj.Related_Packages) return return_obj
def targeted_technical_details(self, value): if not value: self._targeted_technical_details = None elif isinstance(value, Observables): self._targeted_technical_details = value else: self._targeted_technical_details = Observables(observables=[value])
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() return_obj.id_ = dict_repr.get('id') return_obj.idref = dict_repr.get('idref') return_obj.timestamp = dict_repr.get('timestamp') return_obj.version = dict_repr.get('version') return_obj.title = dict_repr.get('title') return_obj.stage = VocabString.from_dict(dict_repr.get('stage')) return_obj.type_ = VocabString.from_dict(dict_repr.get('type')) return_obj.description = StructuredText.from_dict(dict_repr.get('description')) return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description')) return_obj.objective = Objective.from_dict(dict_repr.get('objective')) return_obj.parameter_observables = \ Observables.from_dict(dict_repr.get('parameter_observables')) return_obj.impact = Statement.from_dict(dict_repr.get('impact')) return_obj.cost = Statement.from_dict(dict_repr.get('cost')) return_obj.efficacy = Statement.from_dict(dict_repr.get('efficacy')) return_obj.information_source = InformationSource.from_dict(dict_repr.get('information_source')) return_obj.handling = Marking.from_dict(dict_repr.get('handling')) return_obj.related_coas = \ RelatedCOAs.from_dict(dict_repr.get('related_coas')) return_obj.related_packages = \ RelatedPackageRefs.from_dict(dict_repr.get('related_packages')) return return_obj
def observable_characterization(self, value): if not value: self._observable_characterization = None elif isinstance(value, Observables): self._observable_characterization = value else: self._observable_characterization = Observables(observables=[value])
def parse(xml_file): # create binding object from xml file observables_obj = cybox_core_binding.parse(xml_file) # convert binding object into python-cybox object observables = Observables.from_obj(observables_obj) return observables
def main(): infilename = '' outfilename = '' #Get the command-line arguments args = sys.argv[1:] if len(args) < 4: usage() sys.exit(1) for i in range(0,len(args)): if args[i] == '-i': infilename = args[i+1] elif args[i] == '-o': outfilename = args[i+1] if os.path.isfile(infilename): try: # Perform the translation using the methods from the OpenIOC to CybOX Script openioc_indicators = openioc.parse(infilename) observables_obj = openioc_to_cybox.generate_cybox(openioc_indicators, infilename, True) observables_cls = Observables.from_obj(observables_obj) # Set the namespace to be used in the STIX Package stix.utils.set_id_namespace({"https://github.com/STIXProject/openioc-to-stix":"openiocToSTIX"}) # Wrap the created Observables in a STIX Package/Indicator stix_package = STIXPackage() # Add the OpenIOC namespace input_namespaces = {"http://openioc.org/":"openioc"} stix_package.__input_namespaces__ = input_namespaces for observable in observables_cls.observables: indicator_dict = {} producer_dict = {} producer_dict['tools'] = [{'name':'OpenIOC to STIX Utility', 'version':str(__VERSION__)}] indicator_dict['producer'] = producer_dict indicator_dict['title'] = "CybOX-represented Indicator Created from OpenIOC File" indicator = Indicator.from_dict(indicator_dict) indicator.add_observable(observables_cls.observables[0]) stix_package.add_indicator(indicator) # Create and write the STIX Header stix_header = STIXHeader() stix_header.package_intent = "Indicators - Malware Artifacts" stix_header.description = "CybOX-represented Indicators Translated from OpenIOC File" stix_package.stix_header = stix_header # Write the generated STIX Package as XML to the output file outfile = open(outfilename, 'w') # Ignore any warnings - temporary fix for no schemaLocation w/ namespace with warnings.catch_warnings(): warnings.simplefilter("ignore") outfile.write(stix_package.to_xml()) warnings.resetwarnings() outfile.flush() outfile.close() except Exception, err: print('\nError: %s\n' % str(err)) traceback.print_exc()
def from_obj(cls, obj, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header) return_obj.campaigns = Campaigns.from_obj(obj.Campaigns) return_obj.courses_of_action = CoursesOfAction.from_obj( obj.Courses_Of_Action) return_obj.exploit_targets = ExploitTargets.from_obj( obj.Exploit_Targets) return_obj.indicators = Indicators.from_obj(obj.Indicators) return_obj.observables = Observables.from_obj(obj.Observables) return_obj.incidents = Incidents.from_obj(obj.Incidents) return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors) return_obj.ttps = TTPs.from_obj(obj.TTPs) return_obj.related_packages = RelatedPackages.from_obj( obj.Related_Packages) # Don't overwrite unless a version is passed in if obj.version: return_obj.version = obj.version return return_obj
def structured_description(self, value): if not value: self._structured_description = None elif isinstance(value, Observables): self._structured_description = value else: self._structured_description = Observables(value)
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() return_obj.id_ = dict_repr.get('id') return_obj.idref = dict_repr.get('idref') return_obj.timestamp = dict_repr.get('timestamp') return_obj.version = dict_repr.get('version', cls._version) return_obj.title = dict_repr.get('title') return_obj.stage = VocabString.from_dict(dict_repr.get('stage')) return_obj.type_ = VocabString.from_dict(dict_repr.get('type')) return_obj.description = StructuredText.from_dict( dict_repr.get('description')) return_obj.short_description = StructuredText.from_dict( dict_repr.get('short_description')) return_obj.objective = Objective.from_dict(dict_repr.get('objective')) return_obj.parameter_observables = \ Observables.from_dict(dict_repr.get('parameter_observables')) return_obj.impact = Statement.from_dict(dict_repr.get('impact')) return_obj.cost = Statement.from_dict(dict_repr.get('cost')) return_obj.efficacy = Statement.from_dict(dict_repr.get('efficacy')) return_obj.information_source = InformationSource.from_dict( dict_repr.get('information_source')) return_obj.handling = Marking.from_dict(dict_repr.get('handling')) return_obj.related_coas = \ RelatedCOAs.from_dict(dict_repr.get('related_coas')) return_obj.related_packages = \ RelatedPackageRefs.from_dict(dict_repr.get('related_packages')) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.get_id() return_obj.idref = obj.get_idref() return_obj.timestamp = obj.get_timestamp() if isinstance(obj, cls._binding_class): # CourseOfActionType properties return_obj.version = obj.get_version() or cls._version return_obj.title = obj.get_Title() return_obj.stage = VocabString.from_obj(obj.get_Stage()) return_obj.type_ = VocabString.from_obj(obj.get_Type()) return_obj.description = StructuredText.from_obj( obj.get_Description()) return_obj.short_description = StructuredText.from_obj( obj.get_Short_Description()) return_obj.objective = Objective.from_obj(obj.get_Objective()) return_obj.parameter_observables = \ Observables.from_obj(obj.get_Parameter_Observables()) return_obj.impact = Statement.from_obj(obj.get_Impact()) return_obj.cost = Statement.from_obj(obj.get_Cost()) return_obj.efficacy = Statement.from_obj(obj.get_Efficacy()) return_obj.information_source = InformationSource.from_obj( obj.get_Information_Source()) return_obj.handling = Marking.from_obj(obj.get_Handling()) return_obj.related_coas = \ RelatedCOAs.from_obj(obj.get_Related_COAs()) return_obj.related_packages = \ RelatedPackageRefs.from_obj(obj.get_Related_Packages()) return return_obj
def test_correct_namespace_output(self): link = Link() link.value = u("https://www.example.com") xml = Observables(link).to_xml() self.assertTrue(b"cybox:Properties" in xml) self.assertTrue(b"LinkObj:Properties" not in xml)
def parse(xml_file): obs_obj = cybox_core_binding.parse(xml_file) # create binding object from xml file obs = Observables.from_obj(obs_obj) # convert binding object into python-cybox object #pro = process_binding.parse(xml_file) #p = Process.from_obj(pro) #print p.pid return obs
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() super(CourseOfAction, cls).from_dict(dict_repr, return_obj=return_obj) get = dict_repr.get return_obj.stage = VocabString.from_dict(get('stage')) return_obj.type_ = VocabString.from_dict(get('type')) return_obj.objective = Objective.from_dict(get('objective')) return_obj.parameter_observables = \ Observables.from_dict(get('parameter_observables')) return_obj.impact = Statement.from_dict(get('impact')) return_obj.cost = Statement.from_dict(get('cost')) return_obj.efficacy = Statement.from_dict(get('efficacy')) return_obj.related_coas = \ RelatedCOAs.from_dict(get('related_coas')) return_obj.related_packages = \ related.RelatedPackageRefs.from_dict(get('related_packages')) return_obj.structured_coa = \ _BaseStructuredCOA.from_dict(get('structured_coa')) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() super(CourseOfAction, cls).from_obj(obj, return_obj=return_obj) if isinstance(obj, cls._binding_class): # CourseOfActionType properties return_obj.title = obj.Title return_obj.stage = VocabString.from_obj(obj.Stage) return_obj.type_ = VocabString.from_obj(obj.Type) return_obj.objective = Objective.from_obj(obj.Objective) return_obj.parameter_observables = \ Observables.from_obj(obj.Parameter_Observables) return_obj.impact = Statement.from_obj(obj.Impact) return_obj.cost = Statement.from_obj(obj.Cost) return_obj.efficacy = Statement.from_obj(obj.Efficacy) return_obj.related_coas = \ RelatedCOAs.from_obj(obj.Related_COAs) return_obj.related_packages = \ related.RelatedPackageRefs.from_obj(obj.Related_Packages) return_obj.structured_coa = \ _BaseStructuredCOA.from_obj(obj.Structured_COA) return return_obj
def from_dict(cls, dict_repr, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = dict_repr.get('id') return_obj.idref = dict_repr.get('idref') return_obj.timestamp = dict_repr.get('timestamp') return_obj.version = dict_repr.get('version', cls._version) return_obj.stix_header = STIXHeader.from_dict( dict_repr.get('stix_header')) return_obj.campaigns = Campaigns.from_dict(dict_repr.get('campaigns')) return_obj.courses_of_action = CoursesOfAction.from_dict( dict_repr.get('courses_of_action')) return_obj.exploit_targets = ExploitTargets.from_dict( dict_repr.get('exploit_targets')) return_obj.indicators = Indicators.from_dict( dict_repr.get('indicators')) return_obj.observables = Observables.from_dict( dict_repr.get('observables')) return_obj.incidents = Incidents.from_dict(dict_repr.get('incidents')) return_obj.threat_actors = ThreatActors.from_dict( dict_repr.get('threat_actors')) return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps')) return_obj.related_packages = RelatedPackages.from_dict( dict_repr.get('related_packages')) return return_obj
def test_observable_iterable(self): a = Address("*****@*****.**", Address.CAT_EMAIL) a2 = Address("*****@*****.**", Address.CAT_EMAIL) o = Observables([a, a2]) for obs in o: self.assertTrue(obs.object_.properties in [a, a2])
def main(): from stix.coa import CourseOfAction, Objective from stix.common import Confidence from stix.core import STIXPackage from cybox.core import Observables from cybox.objects.address_object import Address pkg = STIXPackage() coa = CourseOfAction() coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)" coa.stage = "Response" coa.type_ = "Perimeter Blocking" obj = Objective() obj.description = "Block communication between the PIVY agents and the C2 Server" obj.applicability_confidence = Confidence("High") coa.objective = obj coa.impact = "Low" coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact." coa.cost = "Low" coa.efficacy = "High" addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4) coa.parameter_observables = Observables(addr) pkg.add_course_of_action(coa) print pkg.to_xml()
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.get_id() return_obj.idref = obj.get_idref() return_obj.timestamp = obj.get_timestamp() if isinstance(obj, cls._binding_class): # CourseOfActionType properties return_obj.version = obj.get_version() or cls._version return_obj.title = obj.get_Title() return_obj.stage = VocabString.from_obj(obj.get_Stage()) return_obj.type_ = VocabString.from_obj(obj.get_Type()) return_obj.description = StructuredText.from_obj(obj.get_Description()) return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description()) return_obj.objective = Objective.from_obj(obj.get_Objective()) return_obj.parameter_observables = \ Observables.from_obj(obj.get_Parameter_Observables()) return_obj.impact = Statement.from_obj(obj.get_Impact()) return_obj.cost = Statement.from_obj(obj.get_Cost()) return_obj.efficacy = Statement.from_obj(obj.get_Efficacy()) return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source()) return_obj.handling = Marking.from_obj(obj.get_Handling()) return_obj.related_coas = \ RelatedCOAs.from_obj(obj.get_Related_COAs()) return_obj.related_packages = \ RelatedPackageRefs.from_obj(obj.get_Related_Packages()) return return_obj
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None, courses_of_action=None, exploit_targets=None, indicators=None, observables=None, incidents=None, threat_actors=None, ttps=None, campaigns=None, related_packages=None, reports=None): super(STIXPackage, self).__init__() self.id_ = id_ or idgen.create_id("Package") self.idref = idref self.version = STIXPackage._version self.stix_header = stix_header self.campaigns = campaigns or Campaigns() self.courses_of_action = courses_of_action or CoursesOfAction() self.exploit_targets = exploit_targets or ExploitTargets() self.observables = observables or Observables() self.indicators = indicators or Indicators() self.incidents = incidents or Incidents() self.threat_actors = threat_actors or ThreatActors() self.ttps = ttps or TTPs() self.related_packages = related_packages self.reports = reports or Reports() self.timestamp = timestamp
def from_obj(cls, obj, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = obj.get_id() return_obj.idref = obj.get_idref() return_obj.timestamp = obj.get_timestamp() return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header()) return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages()) if obj.get_version(): return_obj.version = obj.get_version() if obj.get_Campaigns(): return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()] if obj.get_Courses_Of_Action(): return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()] if obj.get_Exploit_Targets(): return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()] if obj.get_Indicators(): return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()] if obj.get_Observables(): return_obj.observables = Observables.from_obj(obj.get_Observables()) if obj.get_Incidents(): return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()] if obj.get_Threat_Actors(): return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()] if obj.get_TTPs(): return_obj.ttps = TTPs.from_obj(obj.get_TTPs()) return return_obj
def main(): infilename = '' outfilename = '' #Get the command-line arguments args = sys.argv[1:] #Basic argument checking if len(args) < 4: usage() sys.exit(1) for i in range(0, len(args)): if args[i] == '-i': infilename = args[i + 1] elif args[i] == '-o': outfilename = args[i + 1] #Basic input file checking if os.path.isfile(infilename): #Get the raw lines from the input file raw_lines = get_input(infilename) #Breakup each certificate into its corresponding lines cert_strings = split_certs(raw_lines) observables_list = [] #Process each certificate array into its CybOX representation for cert_array in cert_strings: #Get the Python dictionary corresponding to the certificate cert_dict = tokenize_input(cert_array) observables_list.append(cert_to_cybox(cert_dict)) observables = Observables(observables_list) #Open the output file for writing and write out the generated Observables out_file = open(outfilename, 'w') out_file.write("<?xml version='1.0' encoding='UTF-8'?>\n") out_file.write( "<!-- Generated by X509 to CybOX Utility\nhttps://github.com/CybOXProject/Tools/-->\n" ) out_file.write("<!DOCTYPE doc [<!ENTITY comma ','>]>\n") out_file.write( observables.to_xml( namespace_dict={ 'https://github.com/CybOXProject/Tools': 'x509_to_cybox' })) out_file.close() else: print('\nError: Input file not found or inaccessible.') sys.exit(1)
def _create_observables(self, msg): o = Observables(self.__parse_email_message(msg)) t = ToolInformation() t.name = os.path.basename(__file__) t.description = StructuredText("Email to CybOX conversion script") t.vendor = "The MITRE Corporation" t.version = __version__ t_list = ToolInformationList() t_list.append(t) m = MeasureSource() m.tools = t_list o.observable_package_source = m return o
def test_missing_related_object(self): self.domain.add_related(self.ip, "Resolves To", inline=False) # If we only include the domain, the dereference will fail. o2 = self._test_round_trip(Observables([self.domain])) rel_obj = o2.observables[0].object_.related_objects[0] self.assertRaises(CacheMiss, rel_obj.get_properties)
def main(): v = AnyURI("http://www.example.com/index1.html") u = URI() u.value = v u.type_ = URI.TYPE_URL print(Observables(u).to_xml())
def strip_observables(pkg_path): '''Strips observable from a package, support multiple structures''' result = Observables() pkg = STIXPackage.from_xml(pkg_path) processed = [] for ind in pkg.indicators: if ind.composite_indicator_expression: """The indicator is a compsite structure, this references other indicators, which reference the observables...""" cyboxobject = ObservableComposition() cyboxobject.operator = str(ind.observable_composition_operator) for x in ind.composite_indicator_expression: """For every indicator in the composite list, get referenced indicator""" ref_ind = getindicator_by_id(pkg, str(x._idref)) if ref_ind.observables: for y in ref_ind.observables: """For every referenced observable, get the object""" ref_obs = getobservable_by_id(pkg, y._idref) if ref_obs: cyboxobject.add(ref_obs) processed.append(ref_obs.id_) result.add(cyboxobject) if ind.observables: for x in ind.observables: if x is not None: if x.id_ not in processed: result.add(x) processed.append(x.id_) if pkg.observables: for x in pkg.observables: if x is not None: if x.id_ not in processed: result.add(x) scanfile = open(os.path.join(iocname,"scan.json"),'w') scanfile.write(json.dumps(walkobservables(result).to_dict(), indent=4)) scanfile.close()
def test_inline(self): self.domain.add_related(self.ip, "Resolves To", inline=True) o2 = self._test_round_trip(Observables(self.domain)) self._test_returned_objects(o2) expected_id = self.ip.parent.id_ # Domain is the first observable, and has an inlined object with an id actual_id = o2.observables[0].object_.related_objects[0].id_ self.assertEqual(expected_id, actual_id)
def test_round_trip_xml(self): np = NetworkPacket.from_dict(self._full_dict) xml = Observables(np).to_xml(encoding=None) new_obj = Observables.from_obj(parseString(xml)) new_dict = new_obj.observables[0].object_.properties.to_dict() self.maxDiff = None self.assertEqual(self._full_dict, new_dict)
def main(): '''Build a CybOX Observables document and write it to stdout''' domain = api.create_domain_name_observable('www.example.com') url = api.create_url_observable('http://www.example.com') ipv4 = api.create_ipv4_observable('127.0.0.1') email = api.create_email_address_observable('*****@*****.**') file_ = api.create_file_hash_observable('foo.bar','94f93e00fd122466d68a6ae3b8c7f908') observables_doc = Observables([ domain, ipv4, url, email, file_, ]) observables_doc.to_obj().export(sys.stdout, 0) pprint(observables_doc.to_dict())
def main(): v = AnyURI("http://www.example.com/index1.html") v.condition = "Equals" u = URI() u.value = v u.type_ = URI.TYPE_URL print(Observables(u).to_xml(encoding=None))
def main(): infilename = '' outfilename = '' #Get the command-line arguments args = sys.argv[1:] #Basic argument checking if len(args) < 4: usage() sys.exit(1) for i in range(0,len(args)): if args[i] == '-i': infilename = args[i+1] elif args[i] == '-o': outfilename = args[i+1] #Basic input file checking if os.path.isfile(infilename): #Get the raw lines from the input file raw_lines = get_input(infilename) #Breakup each certificate into its corresponding lines cert_strings = split_certs(raw_lines) observables_list = [] #Process each certificate array into its CybOX representation for cert_array in cert_strings: #Get the Python dictionary corresponding to the certificate cert_dict = tokenize_input(cert_array) observables_list.append(cert_to_cybox(cert_dict)) observables = Observables(observables_list) #Open the output file for writing and write out the generated Observables out_file = open(outfilename, 'w') out_file.write("<?xml version='1.0' encoding='UTF-8'?>\n") out_file.write("<!-- Generated by X509 to CybOX Utility\nhttps://github.com/CybOXProject/Tools/-->\n") out_file.write("<!DOCTYPE doc [<!ENTITY comma ','>]>\n") out_file.write(observables.to_xml(namespace_dict={'https://github.com/CybOXProject/Tools': 'x509_to_cybox'})) out_file.close() else: print('\nError: Input file not found or inaccessible.') sys.exit(1)
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() return_obj.identity = Identity.from_dict(dict_repr.get('identity')) return_obj.targeted_systems = [VocabString.from_dict(x) for x in dict_repr.get('targeted_systems', [])] return_obj.targeted_information = [VocabString.from_dict(x) for x in dict_repr.get('targeted_information', [])] return_obj.targeted_technical_details = Observables.from_dict(dict_repr.get('targeted_technical_details')) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.identity = Identity.from_obj(obj.Identity) return_obj.targeted_technical_details = Observables.from_obj(obj.Targeted_Technical_Details) return_obj.targeted_systems = TargetedSystems.from_obj(obj.Targeted_Systems) return_obj.targeted_information = TargetedInformation.from_obj(obj.Targeted_Information) return return_obj
def cybox_file(observable, observable_type, objects): nsname, nsurl = observable.namespace.split(':', 1) NS = cybox.utils.Namespace(nsurl, nsname) cybox.utils.set_id_namespace(NS) observables = Observables() for obj in objects: for meta in obj.file_meta.all(): f = cybox_object_file(obj, meta) # get related objects related_objects_list = get_related_objects_for_object(obj.id, observable_type) for rel_obj_dict in related_objects_list: for rel_obj in rel_obj_dict['objects']: if isinstance(rel_obj, EmailMessage_Object): rel_o, attachments_list = cybox_object_email(rel_obj) f.add_related(rel_o, rel_obj_dict['relation'], True) for att in attachments_list: observables.add(Observable(att)) continue elif isinstance(rel_obj, File_Object): for rel_meta in rel_obj.file_meta.all(): rel_o = cybox_object_file(rel_obj, rel_meta) f.add_related(rel_o, rel_obj_dict['relation'], True) continue elif isinstance(rel_obj, Address_Object): rel_o = cybox_object_address(rel_obj) f.add_related(rel_o, rel_obj_dict['relation'], True) continue elif isinstance(rel_obj, URI_Object): rel_o = cybox_object_uri(rel_obj) f.add_related(rel_o, rel_obj_dict['relation'], True) continue elif isinstance(rel_obj, HTTPSession_Object): rel_o = cybox_object_http(rel_obj) f.add_related(rel_o, rel_obj_dict['relation'], True) continue o = Observable(f) o.title = observable.name o.description = observable.description observables.add(o) return observables
def walkobservables(obs): '''Recursive function for checking observables in an Observables, Observable_composition, Observable tree''' try: remove = Observables() for x in obs.observables: if walkobservables(x) is None: remove.add(x) for x in remove: obs.remove(x) return obs except AttributeError: pass try: remove = Observables() for x in obs.observable_composition.observables: if walkobservables(x) is None: remove.add(x) for x in remove: obs.observable_composition.observables.remove(x) return obs except AttributeError: pass try: if not checkcompatible_observable(obs): return None except AttributeError: pass return obs
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() return_obj.id_ = dict_repr.get('id') return_obj.title = dict_repr.get('title') return_obj.description = StructuredText.from_dict(dict_repr.get('description')) return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description')) return_obj.types = [AttackerInfrastructureType.from_dict(x) for x in dict_repr.get('types', [])] return_obj.observable_characterization = Observables.from_dict(dict_repr.get('observable_characterization')) return return_obj
def main(): infilename = '' outfilename = '' #Get the command-line arguments args = sys.argv[1:] if len(args) < 4: usage() sys.exit(1) for i in range(0,len(args)): if args[i] == '-i': infilename = args[i+1] elif args[i] == '-o': outfilename = args[i+1] if os.path.isfile(infilename): try: # Perform the translation using the methods from the OpenIOC to CybOX Script openioc_indicators = openioc.parse(infilename) observables_obj = openioc_to_cybox.generate_cybox(openioc_indicators, infilename, True) observables_cls = Observables.from_obj(observables_obj) # Wrap the created Observables in a STIX Package/Indicator stix_package = STIXPackage() for observable in observables_cls.observables: indicator_dict = {} producer_dict = {} producer_dict['tools'] = [{'name':'OpenIOC to STIX Utility', 'version':str(__VERSION__)}] indicator_dict['producer'] = producer_dict indicator_dict['title'] = "CybOX-represented Indicator Created from OpenIOC File" indicator = Indicator.from_dict(indicator_dict) indicator.add_observable(observables_cls.observables[0]) stix_package.add_indicator(indicator) # Create and write the STIX Header stix_header = STIXHeader() stix_header.package_intent = "Indicators - Malware Artifacts" stix_header.description = "CybOX-represented Indicators Translated from OpenIOC File" stix_package.stix_header = stix_header # Write the generated STIX Package as XML to the output file outfile = open(outfilename, 'w') outfile.write(stix_package.to_xml()) outfile.flush() outfile.close() except Exception, err: print('\nError: %s\n' % str(err)) traceback.print_exc()
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() get = dict_repr.get return_obj.identity = Identity.from_dict(get('identity')) return_obj.targeted_systems = TargetedSystems.from_dict(get('targeted_systems')) return_obj.targeted_information = TargetedInformation.from_dict(get('targeted_information')) return_obj.targeted_technical_details = Observables.from_dict(get('targeted_technical_details')) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.identity = Identity.from_obj(obj.get_Identity()) return_obj.targeted_technical_details = Observables.from_obj(obj.get_Targeted_Technical_Details()) if obj.get_Targeted_Systems(): return_obj.targeted_systems = [VocabString.from_obj(x) for x in obj.get_Targeted_Systems()] if obj.get_Targeted_Information(): return_obj.targeted_information = [VocabString.from_obj(x) for x in obj.get_Targeted_Information()] return return_obj