예제 #1
    def __parse_email_message(self, msg):
        """Convert a parsed email message into CybOX objects.

        Which parts are emitted is controlled by the ``include_*`` flags on
        the instance (attachments, raw headers, raw body, URLs). Headers are
        always emitted.

        Returns a flat list: the EmailMessage first, followed by the file
        objects, the URL objects and the domain objects that were built.
        """
        email_obj = EmailMessage()
        attached_files = []
        found_urls = []
        found_domains = []

        # Headers are required (for now)
        email_obj.header = self.__create_cybox_headers(msg)

        if self.include_attachments:
            attached_files = self.__create_cybox_files(msg)
            email_obj.attachments = Attachments()
            for file_obj in attached_files:
                # The message stores only a reference to the file object's
                # id; the file itself is returned separately and linked back
                # to the message with a Contained_Within relationship.
                email_obj.attachments.append(file_obj.parent.id_)
                file_obj.add_related(email_obj, "Contained_Within", inline=False)

        if self.include_raw_headers:
            header_text = self.__get_raw_headers(msg).strip()
            if header_text:
                email_obj.raw_header = String(header_text)

        # The body text is needed both for the raw-body field and for URL
        # extraction, so it is assembled regardless of the flags.
        # NOTE(review): header and body text are copied verbatim from the
        # message being analysed; consumers of the resulting objects should
        # treat these fields as untrusted content.
        body_text = "\n".join(self.__get_raw_body_text(msg)).strip()

        if self.include_raw_body and body_text:
            email_obj.raw_body = String(body_text)

        if self.include_urls:
            found_urls, found_domains = self.__parse_urls(body_text)
            if found_urls:
                link_refs = Links()
                for url_obj in found_urls:
                    link_refs.append(LinkReference(url_obj.parent.id_))
                if link_refs:
                    email_obj.links = link_refs

        # Everything that was built, message first
        return [email_obj] + attached_files + found_urls + found_domains
예제 #2
    def test_get_namespaces(self):
        """Check the namespace count of an Observables document.

        Builds an EmailMessage whose Links entry references a URI object by
        id, wraps both in Observables, and expects five namespaces.
        """
        email = EmailMessage()
        email.to = "*****@*****.**"
        email.subject = "Here's a cool picture"
        email.links = Links()
        url_obj = URI("http://example.com/cool.jpg", URI.TYPE_URL)
        # The message links to the URI by object id, not by embedding it.
        email.links.append(url_obj.parent.id_)

        observables = Observables([url_obj, email])
        # Single-argument print(...) emits the same text on Python 2 and 3.
        print(observables.to_xml())
        actual_namespaces = observables._get_namespaces()

        print("\n".join(str(ns) for ns in actual_namespaces))

        self.assertEqual(5, len(actual_namespaces))
예제 #3
 def test_round_trip_list(self):
     """A Links list must survive a serialise/parse round trip unchanged."""
     original = Links()
     for ref in ("example:URI-watchlist1", "example:URI-watchlist2"):
         original.append(ref)
     restored = cybox.test.round_trip(original, list_=True)
     self.assertEqual(original.to_list(), restored.to_list())
예제 #4
 def test_round_trip_list(self):
     """Round-trip a two-entry Links list and compare its list form."""
     links_before = Links()
     links_before.append("example:URI-watchlist1")
     links_before.append("example:URI-watchlist2")
     links_after = cybox.test.round_trip(links_before, list_=True)
     expected = links_before.to_list()
     self.assertEqual(expected, links_after.to_list())
예제 #5
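    def populate_email(self, cybox_email, attribute):
        """Copy one ce1sus attribute onto a CybOX email object, in place.

        ``attribute.definition.name`` selects the target field and
        ``attribute.value`` supplies the data. Nothing is returned;
        ``cybox_email`` is mutated.

        Raises:
            CyboxMapperException: for hash attributes and for any definition
                name this mapper does not handle.
        """
        def_name = attribute.definition.name

        if def_name == 'email_attachment_file_name':
            attachment = File()
            attachment.file_name = attribute.value
            attachment.file_name.condition = self.get_condition(attribute)
            # NOTE(review): the File built here is never linked to
            # cybox_email, so attachment file names are silently dropped
            # from the output. Linking it would also require the caller to
            # emit the File as its own object - TODO confirm intended design.

        elif def_name == 'email_bcc':
            self.__check_set_email_header(cybox_email)
            if not cybox_email.header.bcc:
                cybox_email.header.bcc = EmailRecipients()
            cybox_email.header.bcc.append(self.create_EmailAddress(attribute))
        elif def_name == 'email_cc':
            self.__check_set_email_header(cybox_email)
            if not cybox_email.header.cc:
                cybox_email.header.cc = EmailRecipients()
            # Append to cc, not bcc: the previous code filed CC recipients
            # under BCC (or failed when no BCC list existed yet), which
            # misreports who received the message.
            cybox_email.header.cc.append(self.create_EmailAddress(attribute))
        elif def_name == 'email_errors_to':
            self.__check_set_email_header(cybox_email)
            self.set_check_attr(cybox_email, 'header.errors_to', attribute)
        elif def_name == 'email_message_id':
            self.__check_set_email_header(cybox_email)
            self.set_check_attr(cybox_email, 'header.message_id', attribute)
        elif def_name == 'email_mime_version':
            self.__check_set_email_header(cybox_email)
            self.set_check_attr(cybox_email, 'header.mime_version', attribute)
        elif def_name == 'email_raw_body':
            self.set_check_attr(cybox_email, 'raw_body', attribute)
        elif def_name == 'email_raw_header':
            self.set_check_attr(cybox_email, 'raw_header', attribute)
        elif def_name == 'email_reply_to':
            # Ensure the header exists before reading a field from it; the
            # check used to run only after header.in_reply_to was accessed.
            self.__check_set_email_header(cybox_email)
            # NOTE(review): this stores Reply-To addresses in
            # header.in_reply_to, the same field the 'email_in_reply_to'
            # branch below overwrites with a raw value - confirm which
            # header field is intended here.
            if not cybox_email.header.in_reply_to:
                cybox_email.header.in_reply_to = EmailRecipients()
            cybox_email.header.in_reply_to.append(
                self.create_EmailAddress(attribute))
        elif def_name == 'email_server':
            self.set_check_attr(cybox_email, 'email_server', attribute)
        elif def_name == 'email_subject':
            self.set_check_attr(cybox_email, 'subject', attribute)
        elif def_name == 'email_from':
            self.__check_set_email_header(cybox_email)
            # Only the first From attribute is kept; later ones are ignored.
            if not cybox_email.header.from_:
                cybox_email.header.from_ = self.create_EmailAddress(attribute)
        elif def_name == 'email_to':
            self.__check_set_email_header(cybox_email)
            if not cybox_email.header.to:
                cybox_email.header.to = EmailRecipients()
            cybox_email.header.to.append(self.create_EmailAddress(attribute))
        elif def_name == 'email_x_mailer':
            # Same header guard as the other 'header.*' branches.
            self.__check_set_email_header(cybox_email)
            self.set_check_attr(cybox_email, 'header.x_mailer', attribute)
        elif def_name == 'email_x_originating_ip':
            self.__check_set_email_header(cybox_email)
            self.set_check_attr(cybox_email, 'header.x_originating_ip',
                                attribute)
        elif 'hash' in def_name:
            raise CyboxMapperException('Not defined')
        elif def_name == 'email_link':
            if not cybox_email.links:
                cybox_email.links = Links()
            cybox_email.links.append(Link(attribute.value))
        elif def_name == 'email_send_date':
            cybox_email.date = attribute.value
        elif def_name == 'email_in_reply_to':
            self.__check_set_email_header(cybox_email)
            cybox_email.header.in_reply_to = attribute.value
        else:
            raise CyboxMapperException('Not defined for {0}'.format(def_name))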
예제 #6
파일: utils.py 프로젝트: zeroq/kraut_salad
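def cybox_object_email(obj):
    """Build a CybOX EmailMessage from a stored email object.

    Copies the raw body and header, the attachments (as id references plus
    a Contained_Within relationship on each file object) and the header
    fields, including the ``is_spoofed`` flag and ``condition`` of every
    address.

    Returns:
        A tuple ``(email_message, attachment_objects)``. The file objects
        are returned separately because the message only references them
        by id.
    """

    def _address(value, source):
        # Carry the spoofing flag and match condition over with the address
        # so they are not lost in the exported object.
        address = EmailAddress(value)
        address.is_spoofed = source.is_spoofed
        address.condition = source.condition
        return address

    def _recipient_list(rows):
        # Shared by To, CC and BCC, which are all built the same way.
        result = EmailRecipients()
        for row in rows:
            result.append(_address(row.recipient, row))
        return result

    e = EmailMessage()
    # NOTE(review): raw body and header are copied verbatim from the stored
    # email; downstream consumers should treat them as untrusted content.
    e.raw_body = obj.raw_body
    e.raw_header = obj.raw_header
    # Links
    # TODO: obj.links is not exported yet; the previous loop over it was a
    # no-op, so the message always carries an empty Links list.
    e.links = Links()
    # Attachments
    e.attachments = Attachments()
    attachment_objects = []
    for att in obj.attachments.all():
        for meta in att.file_meta.all():
            fobj = cybox_object_file(att, meta)
            e.attachments.append(fobj.parent.id_)
            fobj.add_related(e, "Contained_Within", inline=False)
            attachment_objects.append(fobj)
    # construct header information
    h = EmailHeader()
    h.subject = obj.subject
    h.date = obj.email_date
    h.message_id = obj.message_id
    h.content_type = obj.content_type
    h.mime_version = obj.mime_version
    h.user_agent = obj.user_agent
    h.x_mailer = obj.x_mailer
    # From (if several rows exist, the last one wins)
    for from_ in obj.from_string.all():
        h.from_ = _address(from_.sender, from_)
    # Sender
    for sender in obj.sender.all():
        # Assign instead of calling h.sender.add(): nothing sets h.sender on
        # the new EmailHeader before this point, and in python-cybox the
        # field holds a single EmailAddress, like from_ above.
        h.sender = _address(sender.sender, sender)
    # To / CC / BCC
    h.to = _recipient_list(obj.recipients.all())
    h.cc = _recipient_list(obj.recipients_cc.all())
    h.bcc = _recipient_list(obj.recipients_bcc.all())
    e.header = h
    return e, attachment_objects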