def DNSRequestObj(dnsinfo):
    """Build a STIX ``Indicator`` describing one observed DNS request.

    Args:
        dnsinfo: indexable record of the parsed DNS packet. This function
            reads ``dnsinfo[1]`` (source port), ``dnsinfo[2]`` (destination
            IP address), ``dnsinfo[3]`` (destination port), ``dnsinfo[4]``
            (query name) and ``dnsinfo[5]`` (query type, mapped through
            ``translateType``). ``dnsinfo[0]`` is not read here.

    Returns:
        An ``Indicator`` titled "DNS Request" holding a single
        ``NetworkConnection`` tagged IPv4/UDP/DNS whose layer-7 connection
        carries the ``DNSQuery``. The produced time is ``utils.dates.now()``.
    """

    def _udp_port(value):
        # Both endpoints of this record are UDP; keep the layer-4 tag on
        # each Port consistent with the connection's layer4_protocol.
        port = Port()
        port.port_value = value
        port.layer4_protocol = "UDP"
        return port

    conn = NetworkConnection()
    conn.layer3_protocol = "IPv4"
    conn.layer4_protocol = "UDP"
    conn.layer7_protocol = "DNS"

    src_addr = SocketAddress()
    src_addr.port = _udp_port(dnsinfo[1])
    # NOTE(review): only the destination side gets an ip_address; the source
    # SocketAddress carries a port alone. Confirm with the caller whether the
    # source IP (possibly dnsinfo[0], unused here) was meant to be recorded.
    conn.source_socket_address = src_addr

    dst_addr = SocketAddress()
    dst_addr.ip_address = dnsinfo[2]
    dst_addr.port = _udp_port(dnsinfo[3])
    conn.destination_socket_address = dst_addr

    question = DNSQuestion()
    question.qname = dnsinfo[4]
    question.qtype = translateType(dnsinfo[5])
    query = DNSQuery()
    query.question = question

    l7 = Layer7Connections()
    l7.dns_query = query
    conn.layer7_connections = l7

    indicator = Indicator()
    indicator.title = "DNS Request"
    indicator.description = (
        "An indicator containing information about a DNS Request")
    indicator.set_produced_time(utils.dates.now())
    indicator.add_object(conn)
    return indicator
def create_network_connection(self, creation_time=None,
                              destination_socket_address=None,
                              destination_tcp_state=None,
                              source_socket_address=None,
                              source_tcp_state=None, tls_used=None,
                              layer7_protocol=None, layer4_protocol=None,
                              layer3_protocol=None, layer7_connections=None):
    """Assemble a CybOX ``NetworkConnection`` from individually supplied fields.

    ``self`` is accepted for call compatibility but never read.

    Args:
        creation_time: value wrapped in ``DateTime`` and stored as
            ``creation_time``. It is wrapped even when left at ``None``.
        destination_socket_address, destination_tcp_state,
        source_socket_address, source_tcp_state, tls_used,
        layer7_protocol, layer4_protocol, layer3_protocol,
        layer7_connections: copied onto the attribute of the same name
            without validation or conversion.

    Returns:
        The populated ``NetworkConnection``.
    """
    conn = NetworkConnection()
    # NOTE(review): DateTime(None) is constructed when no creation_time is
    # given; whether that yields an empty/absent timestamp depends on the
    # DateTime type and is not visible here.
    conn.creation_time = DateTime(creation_time)

    # Remaining fields are pass-through; assignment order matches the
    # parameter order.
    passthrough = (
        ("destination_socket_address", destination_socket_address),
        ("destination_tcp_state", destination_tcp_state),
        ("source_socket_address", source_socket_address),
        ("source_tcp_state", source_tcp_state),
        ("tls_used", tls_used),
        ("layer7_protocol", layer7_protocol),
        ("layer4_protocol", layer4_protocol),
        ("layer3_protocol", layer3_protocol),
        ("layer7_connections", layer7_connections),
    )
    for attr, value in passthrough:
        setattr(conn, attr, value)
    return conn
def HTTPFullObj(http):
    """Build a STIX ``Indicator`` describing one parsed HTTP client request.

    Args:
        http: indexable record of the parsed request. Positions read here:
            ``[0]`` method, ``[1]`` request-line value, ``[2]`` HTTP
            version, ``[3]`` port used for the Host field, then header
            values ``[4]`` Accept, ``[5]`` Accept-Language,
            ``[6]`` Accept-Encoding, ``[7]`` Authorization,
            ``[8]`` Cache-Control, ``[9]`` Connection, ``[10]`` Cookie,
            ``[11]`` Content-Length, ``[12]`` Content-Type, ``[13]`` Date,
            ``[14]`` Host, ``[15]`` Proxy-Authorization. A header whose
            value is ``''`` is left unset on the CybOX object.

    Returns:
        An ``Indicator`` titled "HTTP request" holding a
        ``NetworkConnection`` tagged IPv4/TCP/HTTP whose layer-7 HTTP
        session contains the request line and parsed headers. The produced
        time is ``utils.dates.now()``.
    """
    request_line = HTTPRequestLine()
    request_line.http_method = http[0]
    request_line.value = http[1]
    request_line.version = http[2]

    # Host is modelled as a HostField (URI + Port). It is built
    # unconditionally but only attached when the raw Host value is non-empty.
    host_uri = URI()
    host_uri.value = str(http[14])
    host_port = Port()
    host_port.port_value = http[3]
    host = HostField()
    host.domain_name = host_uri
    host.port = host_port

    headers = HTTPRequestHeaderFields()
    # (record index tested for '', target attribute, value stored), in the
    # original assignment order. Values are stored as parsed: content_length
    # is documented as an integer and date as a datetime, but no conversion
    # happens here. Authorization, Cookie and Proxy-Authorization are client
    # credentials and are embedded verbatim in the resulting indicator, so
    # downstream storage and sharing of this STIX object should account for
    # that.
    header_slots = (
        (4, "accept", http[4]),
        (5, "accept_language", http[5]),
        (6, "accept_encoding", http[6]),
        (7, "authorization", http[7]),
        (8, "cache_control", http[8]),
        (9, "connection", http[9]),
        (10, "cookie", http[10]),
        (11, "content_length", http[11]),  # integer
        (12, "content_type", http[12]),
        (13, "date", http[13]),  # datetime
        (14, "host", host),
        (15, "proxy_authorization", http[15]),
    )
    for idx, attr, value in header_slots:
        if http[idx] != '':
            setattr(headers, attr, value)

    header = HTTPRequestHeader()
    header.parsed_header = headers
    client_request = HTTPClientRequest()
    client_request.http_request_line = request_line
    client_request.http_request_header = header
    exchange = HTTPRequestResponse()
    exchange.http_client_request = client_request
    session = HTTPSession()
    session.http_request_response = exchange
    l7 = Layer7Connections()
    l7.http_session = session

    conn = NetworkConnection()
    conn.layer3_protocol = "IPv4"
    conn.layer4_protocol = "TCP"
    conn.layer7_protocol = "HTTP"
    conn.layer7_connections = l7

    indicator = Indicator()
    indicator.title = "HTTP request"
    indicator.description = (
        "An indicator containing information about a HTTP request")
    indicator.set_produced_time(utils.dates.now())
    indicator.add_object(conn)
    return indicator