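def export_stix(iocs, filename=None):
    """Export a set of extracted indicators as a STIX package.

    Args:
        iocs: mapping of indicator type to an iterable of raw values.
            Recognised keys are 'md5', 'ipv4', 'domain', 'url' and 'email';
            any other key is ignored. MD5 values are upper-cased before the
            duplicate check so case variants collapse to one observable.
        filename: destination path. A '.xml' suffix is appended if missing.
            When None or empty nothing is written; the package is only
            returned, so callers can serialise it themselves.

    Returns:
        The populated STIXPackage, or None when no observable was built
        (nothing is written in that case either).

    Notes:
        The previous version of this function referenced names that were
        never defined (filename, value, observables, indicators, t) and
        could not run. This rewrite mirrors the interactive Tk exporter:
        same helper per indicator type, per-type de-duplication, same
        header/description and output handling.
    """
    builders = {
        'md5': lambda v: cybox_helper.create_file_hash_observable('', v),
        'ipv4': cybox_helper.create_ipv4_observable,
        'domain': cybox_helper.create_domain_name_observable,
        'url': cybox_helper.create_url_observable,
        'email': cybox_helper.create_email_address_observable,
    }

    stix_package = STIXPackage()
    stix_header = STIXHeader()
    # The header description carries the output name, as the interactive
    # exporter does; empty when no filename was supplied.
    stix_header.description = filename or ''
    stix_package.stix_header = stix_header

    observables = []
    for ioc_type, values in iocs.items():
        build = builders.get(ioc_type)
        if build is None:
            continue  # unknown indicator type: skipped, not an error
        seen = set()  # de-duplicate per indicator type only
        for value in values:
            if ioc_type == 'md5':
                value = value.upper()
            if value in seen:
                continue
            seen.add(value)
            observable = build(value)
            observables.append(observable)
            stix_package.add_observable(observable)

    if not observables:
        return None
    if filename:
        if not filename.endswith('.xml'):
            filename = "%s.xml" % filename  # add .xml extension if missing
        # to_xml() is written through a binary handle, as the other
        # exporters do; the file holds live (not defanged) indicators.
        with open(filename, "wb") as f:
            f.write(stix_package.to_xml())
    return stix_package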
def main():
    """Build a small CybOX Observables document and print it.

    Emits the XML form to stdout, then pretty-prints the dict form.
    The placeholder e-mail literal is reproduced verbatim.
    """
    # Creation order is kept as in the original (domain, url, ipv4,
    # email, file) since observable IDs may be assigned at construction
    # time -- NOTE(review): confirm against the helper's ID generator.
    domain_obs = helper.create_domain_name_observable('www.example.com')
    url_obs = helper.create_url_observable('http://www.example.com')
    ipv4_obs = helper.create_ipv4_observable('127.0.0.1')
    email_obs = helper.create_email_address_observable('*****@*****.**')
    file_obs = helper.create_file_hash_observable(
        'foo.bar', '94f93e00fd122466d68a6ae3b8c7f908')

    # Document order differs from creation order on purpose: ipv4 before url.
    document = Observables([domain_obs, ipv4_obs, url_obs, email_obs, file_obs])

    print(document.to_xml())
    pprint(document.to_dict())
def main():
    """Build a small CybOX Observables document and print it.

    Emits the XML form (encoding=None, i.e. a text string rather than
    encoded bytes) to stdout, then pretty-prints the dict form. The
    placeholder e-mail literal is reproduced verbatim.
    """
    # Creation order is kept as in the original (domain, url, ipv4,
    # email, file) since observable IDs may be assigned at construction
    # time -- NOTE(review): confirm against the helper's ID generator.
    domain_obs = helper.create_domain_name_observable('www.example.com')
    url_obs = helper.create_url_observable('http://www.example.com')
    ipv4_obs = helper.create_ipv4_observable('127.0.0.1')
    email_obs = helper.create_email_address_observable('*****@*****.**')
    file_obs = helper.create_file_hash_observable(
        'foo.bar', '94f93e00fd122466d68a6ae3b8c7f908')

    # Document order differs from creation order on purpose: ipv4 before url.
    document = Observables([domain_obs, ipv4_obs, url_obs, email_obs, file_obs])

    print(document.to_xml(encoding=None))
    pprint(document.to_dict())
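def crea_ipv4(self, ip):
    """Build an IPv4 address observable and keep it on ``self.helper``.

    Args:
        ip: IPv4 address string, passed straight to
            helper.create_ipv4_observable; no validation is done here.

    Returns:
        The created observable (the same object stored in ``self.helper``).
        The previous docstring promised a return value but the method
        returned None; returning it is backward compatible.
    """
    self.helper = helper.create_ipv4_observable(ip)
    return self.helper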
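def export_cybox():
    """Export the tagged indicators from the text widget as a CybOX document.

    Prompts for a destination with a Tk "Save As" dialog, then walks every
    tag in ``tags``, pairs the tag's (start, stop) ranges from ``text`` and
    builds one observable per distinct value. A '.xml' suffix is added to
    the chosen name if missing. Nothing is written when the dialog is
    cancelled or no indicator is tagged.

    Notes:
        - Defanged indicators ('[.]', '[@]') are re-armed before export, so
          the written file contains live domains/URLs/addresses; handle it
          accordingly.
        - MD5 values are upper-cased, and de-duplication is per tag type,
          so a string tagged as both 'domain' and 'url' is exported twice.
        - Domains are emitted as bare URI objects without a @type attribute
          to work around a CybOX 2.0 schema bug (see inline comment).
        - IDs appear to be minted under a placeholder namespace
          (http://example.com/); a real deployment should use the producing
          organisation's namespace.
    """
    filename = asksaveasfilename(title="Save As",
                                 filetypes=[("xml file", ".xml"), ("All files", ".*")])
    if not filename:
        return  # dialog cancelled

    def domain_observable(value):
        # CybOX 2.0 contains a schema bug that prevents the use of
        # cybox_helper.create_domain_name_observable(). The workaround is
        # to not declare a @type attribute for the URI object.
        return Observable(item=URI(value=value))

    builders = {
        'md5': lambda v: cybox_helper.create_file_hash_observable('', v),
        'ipv4': cybox_helper.create_ipv4_observable,
        'domain': domain_observable,
        'url': cybox_helper.create_url_observable,
        'email': cybox_helper.create_email_address_observable,
    }

    observables = []
    for t in tags:
        build = builders.get(t)
        if build is None:
            continue  # unknown tag names were silently ignored before too
        seen = set()  # per-type de-duplication, as in the original
        ranges = text.tag_ranges(t)
        # tag_ranges() yields a flat (start1, stop1, start2, stop2, ...) run.
        for start, stop in zip(ranges[0::2], ranges[1::2]):
            value = text.get(start, stop).replace('[.]', '.').replace('[@]', '@')
            if t == 'md5':
                value = value.upper()
            if value in seen:
                continue
            seen.add(value)
            observables.append(build(value))

    if not observables:
        return  # nothing tagged: no file is created

    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)
    observables_doc = Observables(observables=observables)
    if not filename.endswith('.xml'):
        filename = "%s.xml" % filename  # add .xml extension if missing
    with open(filename, "wb") as f:
        cybox_xml = observables_doc.to_xml(namespace_dict={NS.name: NS.prefix})
        f.write(cybox_xml)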
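def export_cybox():
    """Export the tagged indicators from the text widget as a CybOX document.

    Prompts for a destination with a Tk "Save As" dialog, then walks every
    tag in ``tags``, pairs the tag's (start, stop) ranges from ``text`` and
    builds one observable per distinct value. A '.xml' suffix is added to
    the chosen name if missing. Nothing is written when the dialog is
    cancelled or no indicator is tagged.

    Notes:
        - Defanged indicators ('[.]', '[@]') are re-armed before export, so
          the written file contains live domains/URLs/addresses; handle it
          accordingly.
        - MD5 values are upper-cased, and de-duplication is per tag type,
          so a string tagged as both 'domain' and 'url' is exported twice.
        - IDs appear to be minted under a placeholder namespace
          (http://example.com/); a real deployment should use the producing
          organisation's namespace.
    """
    filename = asksaveasfilename(title="Save As",
                                 filetypes=[("xml file", ".xml"), ("All files", ".*")])
    if not filename:
        return  # dialog cancelled

    builders = {
        'md5': lambda v: cybox_helper.create_file_hash_observable('', v),
        'ipv4': cybox_helper.create_ipv4_observable,
        'domain': cybox_helper.create_domain_name_observable,
        'url': cybox_helper.create_url_observable,
        'email': cybox_helper.create_email_address_observable,
    }

    observables = []
    for t in tags:
        build = builders.get(t)
        if build is None:
            continue  # unknown tag names were silently ignored before too
        seen = set()  # per-type de-duplication, as in the original
        ranges = text.tag_ranges(t)
        # tag_ranges() yields a flat (start1, stop1, start2, stop2, ...) run.
        for start, stop in zip(ranges[0::2], ranges[1::2]):
            value = text.get(start, stop).replace('[.]', '.').replace('[@]', '@')
            if t == 'md5':
                value = value.upper()
            if value in seen:
                continue
            seen.add(value)
            observables.append(build(value))

    if not observables:
        return  # nothing tagged: no file is created

    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)
    observables_doc = Observables(observables=observables)
    if not filename.endswith('.xml'):
        filename = "%s.xml" % filename  # add .xml extension if missing
    with open(filename, "wb") as f:
        f.write(observables_doc.to_xml())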
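def export_stix():
    """Export the tagged indicators from the text widget as a STIX package.

    Prompts for a destination with a Tk "Save As" dialog, then walks every
    tag in ``tags``, pairs the tag's (start, stop) ranges from ``text`` and
    adds one observable per distinct value to a STIXPackage whose header
    description is the chosen file name. A '.xml' suffix is added if
    missing. Nothing is written when the dialog is cancelled or no
    indicator is tagged.

    Notes:
        - Defanged indicators ('[.]', '[@]') are re-armed before export, so
          the written file contains live domains/URLs/addresses; handle it
          accordingly.
        - MD5 values are upper-cased, and de-duplication is per tag type.
        - Only observables are packaged (no STIX Indicator objects), and no
          ID namespace is set here, so IDs presumably use the library
          default -- NOTE(review): set the producing organisation's
          namespace before sharing output.
    """
    filename = asksaveasfilename(title="Save As",
                                 filetypes=[("xml file", ".xml"), ("All files", ".*")])

    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = filename  # empty string when the dialog is cancelled
    stix_package.stix_header = stix_header

    if not filename:
        return  # dialog cancelled

    builders = {
        'md5': lambda v: cybox_helper.create_file_hash_observable('', v),
        'ipv4': cybox_helper.create_ipv4_observable,
        'domain': cybox_helper.create_domain_name_observable,
        'url': cybox_helper.create_url_observable,
        'email': cybox_helper.create_email_address_observable,
    }

    observables = []
    for t in tags:
        build = builders.get(t)
        if build is None:
            continue  # unknown tag names were silently ignored before too
        seen = set()  # per-type de-duplication, as in the original
        ranges = text.tag_ranges(t)
        # tag_ranges() yields a flat (start1, stop1, start2, stop2, ...) run.
        for start, stop in zip(ranges[0::2], ranges[1::2]):
            value = text.get(start, stop).replace('[.]', '.').replace('[@]', '@')
            if t == 'md5':
                value = value.upper()
            if value in seen:
                continue
            seen.add(value)
            observable = build(value)
            observables.append(observable)
            stix_package.add_observable(observable)

    if not observables:
        return  # nothing tagged: no file is created

    if not filename.endswith('.xml'):
        filename = "%s.xml" % filename  # add .xml extension if missing
    with open(filename, "wb") as f:
        f.write(stix_package.to_xml())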
observables_doc = Observables([]) # add some different observables: # you don't have to use every member and there are other members that are not being utilized here: observables_doc.add(Process.from_dict({"name": "Process.exe", "pid": 90, "parent_pid": 10, #"creation_time": "", "image_info": {"command_line": "Process.exe /c blah.txt"}})) observables_doc.add(File.from_dict({"file_name": "file.txt", "file_extension": "txt", "file_path": "path\\to\\file.txt"})) observables_doc.add(helper.create_ipv4_observable("192.168.1.101")) observables_doc.add(helper.create_url_observable("somedomain.com")) observables_doc.add(WinService.from_dict({"service_name": "Service Name", "display_name": "Service Display name", "startup_type": "Service type", "service_status": "Status", "service_dll": "Somedll.dll", "started_as": "Start", "group_name": "Group name", "startup_command_line": "Commandline"})) observables_doc.add(WinRegistryKey.from_dict({"hive": "SYSTEM", "key": "some\\registry\\key", "number_values": 2,