def main():
mydata = loaddata()
'''
Your Namespace
'''
# NAMESPACE = {sanitizer(mydata["NSXURL"]) : sanitizer(mydata["NS"])}
# set_id_namespace(NAMESPACE)
NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS"
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name=sanitizer(mydata["Identity"]))
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = sanitizer(mydata["TLP_COLOR"])
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
MyTITLE = sanitizer(mydata["Title"])
SHORT = timestamp
DESCRIPTION = sanitizer(mydata["Description"])
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
indiDom = Indicator()
indiDom.title = MyTITLE
indiDom.add_indicator_type("Domain Watchlist")
for key in mydata["IOC"].keys():
fqdn = URI()
fqdn.value = sanitizer(key)
fqdn.type_ = URI.TYPE_DOMAIN
fqdn.condition = "Equals"
obsu = Observable(fqdn)
for idx, mydata["IOC"][key] in enumerate(mydata["IOC"][key]):
ioc = File()
ioc.add_hash(sanitizer(mydata["IOC"][key]))
fqdn.add_related(ioc, "Downloaded")
indiDom.add_observable(obsu)
wrapper.add_indicator(indiDom)
print(wrapper.to_xml())
class RelatedObjectTest(unittest.TestCase):
def setUp(self):
cybox.utils.set_id_method(2)
self.ip = Address("192.168.1.1", Address.CAT_IPV4)
self.domain = URI("example.local", URI.TYPE_DOMAIN)
def test_inline_changes_parent_id(self):
old_domain_parent_id = self.domain.parent.id_
old_ip_parent_id = self.ip.parent.id_
self.domain.add_related(self.ip, "Resolves To", inline=True)
self.assertEqual(old_domain_parent_id, self.domain.parent.id_)
self.assertNotEqual(old_ip_parent_id, self.ip.parent.id_)
def test_noninline_does_not_change_parent_id(self):
old_domain_parent_id = self.domain.parent.id_
old_ip_parent_id = self.ip.parent.id_
self.domain.add_related(self.ip, "Resolves To", inline=False)
self.assertEqual(old_domain_parent_id, self.domain.parent.id_)
self.assertEqual(old_ip_parent_id, self.ip.parent.id_)
def test_no_relationships(self):
self._test_round_trip(Observables([self.ip, self.domain]))
def test_inline(self):
self.domain.add_related(self.ip, "Resolves To", inline=True)
o2 = self._test_round_trip(Observables(self.domain))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the first observable, and has an inlined object with an id
actual_id = o2.observables[0].object_.related_objects[0].id_
self.assertEqual(expected_id, actual_id)
def test_backward_relationship(self):
self.domain.add_related(self.ip, "Resolves To", inline=False)
# IP should already be known before Domain is parsed
o2 = self._test_round_trip(Observables([self.ip, self.domain]))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the second observable, and should only have an IDREF
actual_id = o2.observables[1].object_.related_objects[0].idref
self.assertEqual(expected_id, actual_id)
def test_forward_relationship(self):
self.domain.add_related(self.ip, "Resolves To", inline=False)
# The "related" IP object will be encountered in the Domain object
# before the actual IP has been seen. Make sure this doesn't break.
o2 = self._test_round_trip(Observables([self.domain, self.ip]))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the second observable, and should only have an IDREF
actual_id = o2.observables[0].object_.related_objects[0].idref
self.assertEqual(expected_id, actual_id)
def test_missing_related_object(self):
self.domain.add_related(self.ip, "Resolves To", inline=False)
# If we only include the domain, the dereference will fail.
o2 = self._test_round_trip(Observables([self.domain]))
rel_obj = o2.observables[0].object_.related_objects[0]
self.assertRaises(cybox.utils.CacheMiss, rel_obj.get_properties)
def _test_round_trip(self, observables):
self.maxDiff = None
print observables.to_xml()
observables2 = cybox.test.round_trip(observables)
self.assertEqual(observables.to_dict(), observables2.to_dict())
return observables2
def _test_returned_objects(self, o2):
# Get the Domain object (ID will contain "URI")
for obs in o2.observables:
if "URI" in obs.object_.id_:
ip_obj = obs.object_.related_objects[0]
break
# Check that the properties are identical
self.assertEqual(self.ip.to_dict(), ip_obj.get_properties().to_dict())
class RelatedObjectTest(EntityTestCase, unittest.TestCase):
klass = RelatedObject
_full_dict = {
'id': "example:Object-1",
'relationship': "Created",
}
def setUp(self):
set_id_method(2)
self.ip = Address("192.168.1.1", Address.CAT_IPV4)
self.domain = URI("example.local", URI.TYPE_DOMAIN)
def test_inline_changes_parent_id(self):
old_domain_parent_id = self.domain.parent.id_
old_ip_parent_id = self.ip.parent.id_
self.domain.add_related(self.ip, "Resolves To", inline=True)
self.assertEqual(old_domain_parent_id, self.domain.parent.id_)
self.assertNotEqual(old_ip_parent_id, self.ip.parent.id_)
def test_noninline_does_not_change_parent_id(self):
old_domain_parent_id = self.domain.parent.id_
old_ip_parent_id = self.ip.parent.id_
self.domain.add_related(self.ip, "Resolves To", inline=False)
self.assertEqual(old_domain_parent_id, self.domain.parent.id_)
self.assertEqual(old_ip_parent_id, self.ip.parent.id_)
def test_no_relationships(self):
self._test_round_trip(Observables([self.ip, self.domain]))
def test_inline(self):
self.domain.add_related(self.ip, "Resolves To", inline=True)
o2 = self._test_round_trip(Observables(self.domain))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the first observable, and has an inlined object with an id
actual_id = o2.observables[0].object_.related_objects[0].id_
self.assertEqual(expected_id, actual_id)
def test_backward_relationship(self):
self.domain.add_related(self.ip, "Resolves To", inline=False)
# IP should already be known before Domain is parsed
o2 = self._test_round_trip(Observables([self.ip, self.domain]))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the second observable, and should only have an IDREF
actual_id = o2.observables[1].object_.related_objects[0].idref
self.assertEqual(expected_id, actual_id)
def test_forward_relationship(self):
self.domain.add_related(self.ip, "Resolves To", inline=False)
# The "related" IP object will be encountered in the Domain object
# before the actual IP has been seen. Make sure this doesn't break.
o2 = self._test_round_trip(Observables([self.domain, self.ip]))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the second observable, and should only have an IDREF
actual_id = o2.observables[0].object_.related_objects[0].idref
self.assertEqual(expected_id, actual_id)
def test_missing_related_object(self):
self.domain.add_related(self.ip, "Resolves To", inline=False)
# If we only include the domain, the dereference will fail.
o2 = self._test_round_trip(Observables([self.domain]))
rel_obj = o2.observables[0].object_.related_objects[0]
self.assertRaises(CacheMiss, rel_obj.get_properties)
def test_relationship_standard_xsitype(self):
d = {
'id': "example:Object-1",
'relationship': "Created",
}
self._test_round_trip_dict(d)
def test_relationship_nonstandard_xsitype(self):
d = {
'id': "example:Object-1",
'relationship': {
'value': "Created",
'xsi:type': "Foo",
}
}
self._test_round_trip_dict(d)
def test_relationship_vocabnameref(self):
d = {
'id': "example:Object-1",
'relationship': {
'value': "Created",
'vocab_name': "Foo",
'vocab_reference': "http://example.com/FooVocab",
}
}
self._test_round_trip_dict(d)
def _test_round_trip(self, observables):
self.maxDiff = None
print(observables.to_xml())
observables2 = round_trip(observables)
self.assertEqual(observables.to_dict(), observables2.to_dict())
return observables2
def _test_returned_objects(self, o2):
# Get the Domain object (ID will contain "URI")
for obs in o2.observables:
if "URI" in obs.object_.id_:
ip_obj = obs.object_.related_objects[0]
break
# Check that the properties are identical
self.assertEqual(self.ip.to_dict(), ip_obj.get_properties().to_dict())
def _test_round_trip_dict(self, d):
d2 = round_trip_dict(RelatedObject, d)
self.maxDiff = None
self.assertEqual(d, d2)
class RelatedObjectTest(EntityTestCase, unittest.TestCase):
klass = RelatedObject
_full_dict = {
'id': "example:Object-1",
'relationship': u("Created"),
}
def setUp(self):
self.ip = Address("192.168.1.1", Address.CAT_IPV4)
self.domain = URI("example.local", URI.TYPE_DOMAIN)
def test_inline_changes_parent_id(self):
old_domain_parent_id = self.domain.parent.id_
old_ip_parent_id = self.ip.parent.id_
self.domain.add_related(self.ip, "Resolved_To", inline=True)
self.assertEqual(old_domain_parent_id, self.domain.parent.id_)
self.assertNotEqual(old_ip_parent_id, self.ip.parent.id_)
def test_noninline_does_not_change_parent_id(self):
old_domain_parent_id = self.domain.parent.id_
old_ip_parent_id = self.ip.parent.id_
self.domain.add_related(self.ip, "Resolved_To", inline=False)
self.assertEqual(old_domain_parent_id, self.domain.parent.id_)
self.assertEqual(old_ip_parent_id, self.ip.parent.id_)
def test_no_relationships(self):
self._test_round_trip(Observables([self.ip, self.domain]))
def test_inline(self):
self.domain.add_related(self.ip, "Resolved_To", inline=True)
o2 = self._test_round_trip(Observables(self.domain))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the first observable, and has an inlined object with an id
actual_id = o2.observables[0].object_.related_objects[0].id_
self.assertEqual(expected_id, actual_id)
def test_backward_relationship(self):
self.domain.add_related(self.ip, "Resolved_To", inline=False)
# IP should already be known before Domain is parsed
o2 = self._test_round_trip(Observables([self.ip, self.domain]))
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the second observable, and should only have an IDREF
actual_id = o2.observables[1].object_.related_objects[0].idref
self.assertEqual(expected_id, actual_id)
def test_forward_relationship(self):
self.domain.add_related(self.ip, "Resolved_To", inline=False)
o1 = Observables([self.domain, self.ip])
# The "related" IP object will be encountered in the Domain object
# before the actual IP has been seen. Make sure this doesn't break.
o2 = self._test_round_trip(o1)
self._test_returned_objects(o2)
expected_id = self.ip.parent.id_
# Domain is the second observable, and should only have an IDREF
actual_id = o2.observables[0].object_.related_objects[0].idref
self.assertEqual(expected_id, actual_id)
def test_missing_related_object(self):
self.domain.add_related(self.ip, "Resolved_To", inline=False)
# If we only include the domain, the dereference will fail.
o2 = self._test_round_trip(Observables([self.domain]))
rel_obj = o2.observables[0].object_.related_objects[0]
self.assertRaises(CacheMiss, rel_obj.get_properties)
def test_relationship_standard_xsitype(self):
d = {
'id': "example:Object-1",
'relationship': u("Created"),
}
self._test_round_trip_dict(d)
def test_relationship_nonstandard_xsitype(self):
d = {
'id': "example:Object-1",
'relationship': {
'value': u("Created"),
'xsi:type': "Foo",
}
}
self._test_round_trip_dict(d)
def test_relationship_vocabnameref(self):
d = {
'id': "example:Object-1",
'relationship': {
'value': u("Created"),
'vocab_name': "Foo",
'vocab_reference': "http://example.com/FooVocab",
}
}
self._test_round_trip_dict(d)
def _test_round_trip(self, observables):
self.maxDiff = None
logger.info(observables.to_xml())
observables2 = round_trip(observables)
self.assertEqual(observables.to_dict(), observables2.to_dict())
return observables2
def _test_returned_objects(self, o2):
# Get the Domain object (ID will contain "URI")
for obs in o2.observables:
if "URI" in obs.object_.id_:
ip_obj = obs.object_.related_objects[0]
break
# Check that the properties are identical
self.assertEqual(self.ip.to_dict(), ip_obj.get_properties().to_dict())
def _test_round_trip_dict(self, d):
d2 = round_trip_dict(RelatedObject, d)
self.maxDiff = None
self.assertEqual(d, d2)
def test_properties_not_in_inline(self):
# https://github.com/CybOXProject/python-cybox/issues/287
o1 = Object(self.domain)
o2 = Object(self.ip)
o1.add_related(self.ip, "Resolved_To", inline=False)
xml = o1.to_xml(encoding=None)
print(xml)
self.assertTrue(o1.id_ in xml)
self.assertTrue(o2.id_ in xml)
self.assertFalse(str(self.ip.address_value) in xml)
