def __init__(self, id=None, name=None):
    """Initialise a Capability, minting a ``capability`` ID when none is given.

    Args:
        id: Existing identifier to reuse; a falsy value triggers generation.
            (The name shadows the ``id`` builtin but is kept for API compatibility.)
        name: Optional capability name, stored as given.
    """
    super(Capability, self).__init__()
    # A truthy caller-supplied id wins; otherwise mint one from the shared generator.
    self.id_ = id or idgen.create_id(prefix="capability")
    self.name = name
def __init__(self, id=None, description=None):
    """Initialise a Behavior with an explicit or freshly generated ``behavior`` ID.

    Args:
        id: Existing identifier; when falsy an ID is generated instead.
        description: Optional free-text description, stored unchanged.
    """
    super(Behavior, self).__init__()
    self.id_ = id or idgen.create_id(prefix="behavior")
    self.description = description
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
             courses_of_action=None, exploit_targets=None, indicators=None,
             observables=None, incidents=None, threat_actors=None, ttps=None,
             campaigns=None, related_packages=None, reports=None):
    """Build a STIXPackage, minting a ``Package`` ID when ``id_`` is absent.

    No base-class initialiser is called here, and ``_version`` is copied from
    the class attribute.  All other arguments are stored exactly as given
    (``None`` stays ``None``; no empty containers are substituted).
    """
    self.id_ = id_ or idgen.create_id("Package")
    self.idref = idref
    self._version = STIXPackage._version
    self.stix_header = stix_header
    # Assignment order is preserved from the original in case any of these
    # attributes are properties with order-sensitive setters.
    for attr_name, value in (
        ("campaigns", campaigns),
        ("courses_of_action", courses_of_action),
        ("exploit_targets", exploit_targets),
        ("observables", observables),
        ("indicators", indicators),
        ("incidents", incidents),
        ("threat_actors", threat_actors),
        ("ttps", ttps),
        ("related_packages", related_packages),
        ("reports", reports),
        ("timestamp", timestamp),
    ):
        setattr(self, attr_name, value)
def __init__(self, id=None, description=None):
    """Initialise a Behavior.

    Args:
        id: Identifier to reuse; falsy values cause a ``behavior`` ID to be minted.
        description: Optional description text.
    """
    super(Behavior, self).__init__()
    if not id:
        id = idgen.create_id(prefix="behavior")
    self.id_ = id
    self.description = description
def __init__(self, name=None, id=None):
    """Create an empty ObjectCollection.

    Args:
        name: Passed through to the base-class initialiser.
        id: Identifier to reuse; when falsy an ``object_collection`` ID is minted.
    """
    super(ObjectCollection, self).__init__(name)
    self.id_ = id or idgen.create_id(prefix="object_collection")
    # Starts empty; members are appended later.
    self.object_list = ObjectList()
def __init__(self, name=None, id=None):
    """Create an empty CandidateIndicatorCollection.

    Args:
        name: Forwarded to the base-class initialiser.
        id: Identifier to reuse; a falsy value triggers generation of a
            ``candidate_indicator_collection`` ID.
    """
    super(CandidateIndicatorCollection, self).__init__(name)
    if not id:
        id = idgen.create_id(prefix="candidate_indicator_collection")
    self.id_ = id
    self.candidate_indicator_list = CandidateIndicatorList()
def __init__(self, name=None, id=None):
    """Create an empty ActionCollection.

    Args:
        name: Forwarded to the base-class initialiser.
        id: Identifier to reuse; when falsy an ``action_collection`` ID is minted.
    """
    super(ActionCollection, self).__init__(name)
    self.id_ = id or idgen.create_id(prefix="action_collection")
    self.action_list = ActionList()
def __init__(self, name=None, id=None):
    """Create an empty ObjectCollection.

    Args:
        name: Forwarded to the base-class initialiser.
        id: Identifier to reuse; a falsy value triggers generation of an
            ``object_collection`` ID.
    """
    super(ObjectCollection, self).__init__(name)
    if not id:
        id = idgen.create_id(prefix="object_collection")
    self.id_ = id
    self.object_list = ObjectList()
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
             courses_of_action=None, exploit_targets=None, indicators=None,
             observables=None, incidents=None, threat_actors=None, ttps=None,
             campaigns=None, related_packages=None, reports=None):
    """Build a STIXPackage, minting a ``Package`` ID when ``id_`` is absent.

    Falsy collection arguments (``None`` or an empty collection) are replaced
    by a fresh, empty container of the matching type; ``related_packages``,
    ``stix_header``, ``idref`` and ``timestamp`` are stored as given.
    """
    super(STIXPackage, self).__init__()
    self.id_ = id_ or idgen.create_id("Package")
    self.idref = idref
    self.version = STIXPackage._version
    self.stix_header = stix_header
    self.campaigns = campaigns if campaigns else Campaigns()
    self.courses_of_action = courses_of_action if courses_of_action else CoursesOfAction()
    self.exploit_targets = exploit_targets if exploit_targets else ExploitTargets()
    self.observables = observables if observables else Observables()
    self.indicators = indicators if indicators else Indicators()
    self.incidents = incidents if incidents else Incidents()
    self.threat_actors = threat_actors if threat_actors else ThreatActors()
    self.ttps = ttps if ttps else TTPs()
    # Deliberately not defaulted to a container (matches original behaviour).
    self.related_packages = related_packages
    self.reports = reports if reports else Reports()
    self.timestamp = timestamp
def __init__(self, id=None, namespace=None, malware_instance_object_attributes=None,
             relationships=None, minor_variants=None, labels=None, findings_bundles=None,
             development_environment=None, configuration_details=None,
             compatible_platform=None, analyses=None):
    """Initialise a MaecMalwareSubject and normalise its list-valued fields.

    Args:
        id: Existing identifier, forwarded to the base class.  When ``None``
            and ``namespace`` is given, a UUID-based ``malware_subject`` ID is
            minted under that namespace.
        namespace: ID namespace used only in the case described above.
        malware_instance_object_attributes: Forwarded to the base class.
        relationships: Iterable; only ``MalwareSubjectRelationship`` items are kept.
        minor_variants: Iterable appended verbatim to a ``MinorVariants`` list.
        labels: Iterable of label values, each wrapped in ``VocabString``.
        findings_bundles: Used only if it already is a ``FindingsBundleList``;
            otherwise an empty one is created.
        development_environment, configuration_details, compatible_platform,
        analyses: Stored as given.
    """
    super(MaecMalwareSubject, self).__init__(
        id=id,
        malware_instance_object_attributes=malware_instance_object_attributes,
    )
    if id is None and namespace is not None:
        # NOTE: these two calls mutate process-global generator state, so every
        # ID minted afterwards (not just this one) uses UUIDs under `namespace`.
        set_id_method(IDGenerator.METHOD_UUID)
        set_id_namespace(namespace)
        self.id_ = create_id(prefix="malware_subject")
    self.relationships = MalwareSubjectRelationshipList()
    if relationships is not None:
        for rel in relationships:
            if isinstance(rel, MalwareSubjectRelationship):
                self.relationships.append(rel)
    self.minor_variants = MinorVariants()
    if minor_variants is not None:
        for variant in minor_variants:
            self.minor_variants.append(variant)
    self.label = [] if labels is None else [VocabString(lbl) for lbl in labels]
    self.findings_bundles = FindingsBundleList()
    if isinstance(findings_bundles, FindingsBundleList):
        self.findings_bundles = findings_bundles
    self.development_environment = development_environment
    self.configuration_details = configuration_details
    self.compatible_platform = compatible_platform
    self.analyses = analyses
def __init__(self, id=None, parent_action_idref=None):
    """Initialise a ProcessTreeNode.

    Args:
        id: Identifier to reuse; when falsy a ``process_tree`` ID is minted.
        parent_action_idref: Reference to the action that spawned this node,
            stored as given.
    """
    super(ProcessTreeNode, self).__init__()
    self.id_ = id or idgen.create_id(prefix="process_tree")
    self.parent_action_idref = parent_action_idref
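def __init__(self, id=None, namespace=None, method=None, type=None, source=None,
             ordinal_position=None, start_datetime=None, complete_datetime=None,
             lastupdate_datetime=None, analysts=None, summary=None, comments=None,
             tools=None, dynamic_analysis_metadata=None, report=None,
             analysis_environment=None):
    """Initialise a MaecAnalysis.

    Args:
        id, method, type: Forwarded to the base class.  When ``id`` is ``None``
            a UUID-based ``analysis`` ID is minted (under ``namespace`` if given).
        namespace: ID namespace applied only when ``id`` is ``None``.
        analysts: Iterable of contributors; only ``Contributor`` instances are
            collected into a ``Personnel`` list.
        comments: Iterable appended verbatim to a ``CommentList``.
        tools: Iterable; only ``ToolInformation`` items are passed to ``add_tool``.
        dynamic_analysis_metadata: Stored only if it is a ``DynamicAnalysisMetadata``.
        analysis_environment: Stored only if it is an ``AnalysisEnvironment``.
        Remaining arguments are stored as given.
    """
    super(MaecAnalysis, self).__init__(id=id, method=method, type=type)
    # NOTE: process-global side effect -- every ID minted after this call
    # uses the UUID method, regardless of whether `id` was supplied.
    set_id_method(IDGenerator.METHOD_UUID)
    if id is None:
        if namespace is not None:
            set_id_namespace(namespace)
        self.id_ = create_id(prefix='analysis')
    self.ordinal_position = ordinal_position
    self.start_datetime = start_datetime
    self.complete_datetime = complete_datetime
    self.lastupdate_datetime = lastupdate_datetime
    self.source = source
    if analysts is not None:
        self.analysts = Personnel()
        # Fix: the original iterated ``analysts()``, i.e. called the collection
        # as a function, which raised TypeError for any list/tuple argument.
        for contributor in analysts:
            if isinstance(contributor, Contributor):
                self.analysts.append(contributor)
    self.summary = summary
    if comments is not None:
        self.comments = CommentList()
        for comment in comments:
            self.comments.append(comment)
    if tools is not None:
        for tool in tools:
            if isinstance(tool, ToolInformation):
                self.add_tool(tool)
    # isinstance() already rejects None, so no separate None check is needed.
    if isinstance(dynamic_analysis_metadata, DynamicAnalysisMetadata):
        self.dynamic_analysis_metadata = dynamic_analysis_metadata
    self.report = report
    if isinstance(analysis_environment, AnalysisEnvironment):
        self.analysis_environment = analysis_environment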
def __init__(self, name=None, id=None):
    """Create an empty BehaviorCollection.

    Args:
        name: Forwarded to the base-class initialiser.
        id: Identifier to reuse; when falsy a ``behavior_collection`` ID is minted.
    """
    super(BehaviorCollection, self).__init__(name)
    self.id_ = id or idgen.create_id(prefix="behavior_collection")
    self.behavior_list = BehaviorList()
def __init__(self, name=None, id=None):
    """Create an empty BehaviorCollection.

    Args:
        name: Forwarded to the base-class initialiser.
        id: Identifier to reuse; a falsy value triggers generation of a
            ``behavior_collection`` ID.
    """
    super(BehaviorCollection, self).__init__(name)
    if not id:
        id = idgen.create_id(prefix="behavior_collection")
    self.id_ = id
    self.behavior_list = BehaviorList()
def __init__(self, name=None, id=None):
    """Create an empty ActionCollection.

    Args:
        name: Forwarded to the base-class initialiser.
        id: Identifier to reuse; a falsy value triggers generation of an
            ``action_collection`` ID.
    """
    super(ActionCollection, self).__init__(name)
    if not id:
        id = idgen.create_id(prefix="action_collection")
    self.id_ = id
    self.action_list = ActionList()
def __init__(self, id_=None, idref=None, timestamp=None, header=None,
             courses_of_action=None, exploit_targets=None, indicators=None,
             observables=None, incidents=None, threat_actors=None, ttps=None,
             campaigns=None, related_reports=None):
    """Build a Report, minting a ``Report`` ID when ``id_`` is absent.

    The timestamp is the one supplied; otherwise the current time, except
    that a pure reference (``idref`` set) gets no timestamp at all.
    All content collections are stored exactly as given.
    """
    super(Report, self).__init__()
    self.id_ = id_ or idgen.create_id("Report")
    self.idref = idref
    self.version = self._version
    self.header = header
    self.campaigns = campaigns
    self.courses_of_action = courses_of_action
    self.exploit_targets = exploit_targets
    self.observables = observables
    self.indicators = indicators
    self.incidents = incidents
    self.threat_actors = threat_actors
    self.ttps = ttps
    self.related_reports = related_reports
    if timestamp:
        self.timestamp = timestamp
    elif idref:
        # A reference to another report carries no timestamp of its own.
        self.timestamp = None
    else:
        self.timestamp = utils.dates.now()
def __init__(self, name=None, id=None):
    """Create an empty CandidateIndicatorCollection.

    Args:
        name: Forwarded to the base-class initialiser.
        id: Identifier to reuse; when falsy a ``candidate_indicator_collection``
            ID is minted.
    """
    super(CandidateIndicatorCollection, self).__init__(name)
    self.id_ = id or idgen.create_id(prefix="candidate_indicator_collection")
    self.candidate_indicator_list = CandidateIndicatorList()
def __init__(self, id=None, parent_action_idref=None):
    """Initialise a ProcessTreeNode.

    Args:
        id: Identifier to reuse; a falsy value triggers generation of a
            ``process_tree`` ID.
        parent_action_idref: Reference to the spawning action, stored as given.
    """
    super(ProcessTreeNode, self).__init__()
    if not id:
        id = idgen.create_id(prefix="process_tree")
    self.id_ = id
    self.parent_action_idref = parent_action_idref
def __init__(self, id=None, malware_instance_object_attributes=None):
    """Initialise a MalwareSubject.

    Args:
        id: Identifier to reuse; when falsy a ``malware_subject`` ID is minted.
        malware_instance_object_attributes: The CybOX Object describing the
            malware instance; stored as given (may be ``None``).
    """
    super(MalwareSubject, self).__init__()
    self.id_ = id or idgen.create_id(prefix="malware_subject")
    # Set the Malware Instance Object Attributes (a CybOX object) if they are not none
    self.malware_instance_object_attributes = malware_instance_object_attributes
def __init__(self, id=None, malware_instance_object_attributes=None):
    """Initialise a MalwareSubject.

    Args:
        id: Identifier to reuse; a falsy value triggers generation of a
            ``malware_subject`` ID.
        malware_instance_object_attributes: CybOX Object for the malware
            instance, stored unchanged (``None`` allowed).
    """
    super(MalwareSubject, self).__init__()
    if not id:
        id = idgen.create_id(prefix="malware_subject")
    self.id_ = id
    # Set the Malware Instance Object Attributes (a CybOX object) if they are not none
    self.malware_instance_object_attributes = malware_instance_object_attributes
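def __init__(self, id=None, method=None, type=None, findings_bundle_reference=None):
    """Initialise an Analysis.

    Args:
        id: Identifier to reuse; when falsy an ``analysis`` ID is minted.
        method: Analysis method, stored as given.
        type: Analysis type, stored on ``type_`` (the parameter name shadows
            the builtin but is kept for API compatibility).
        findings_bundle_reference: List of bundle references.  Defaults to a
            new empty list per instance.
    """
    super(Analysis, self).__init__()
    self.id_ = id or idgen.create_id(prefix="analysis")
    self.method = method
    self.type_ = type
    # Fix: the original used a mutable ``[]`` default, so every instance
    # created without this argument shared (and mutated) the same list.
    if findings_bundle_reference is None:
        findings_bundle_reference = []
    self.findings_bundle_reference = findings_bundle_reference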
def __init__(self, id=None, schema_version="2.1", timestamp=None):
    """Initialise an empty MAEC Package.

    Args:
        id: Identifier to reuse; a falsy value triggers generation of a
            ``package`` ID.
        schema_version: Schema version string written to the package.
        timestamp: Stored as given (``None`` allowed).
    """
    super(Package, self).__init__()
    if not id:
        id = idgen.create_id(prefix="package")
    self.id_ = id
    self.schema_version = schema_version
    self.timestamp = timestamp
    self.malware_subjects = MalwareSubjectList()
    # Namespace / schemaLocation declarations collected from parsed input.
    self.__input_namespaces__ = {}
    self.__input_schemalocations__ = {}
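def __init__(self, properties=None, type_=None, id_=None):
    """Initialise a CybOX Object wrapping ``properties``.

    Args:
        properties: ObjectProperties instance (or ``None``).  When truthy its
            class name becomes the ID prefix; otherwise ``"Object"`` is used.
        type_: Accepted for interface compatibility; not used by this body.
        id_: Optional explicit identifier.  Falsy values fall back to a
            generated ID (resolves the former TODO in a backward-compatible way).
    """
    super(Object, self).__init__()
    prefix = str(properties.__class__.__name__) if properties else "Object"
    self.id_ = id_ or idgen.create_id(prefix=prefix)
    self.idref = None
    self.properties = properties
    self.related_objects = []
    self.domain_specific_object_properties = None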
def __init__(self, properties=None, id_=None, idref=None):
    """Initialise a CybOX Object wrapping ``properties``.

    Args:
        properties: ObjectProperties instance (or ``None``); a truthy value's
            class name is used as the generated-ID prefix, else ``"Object"``.
        id_: Explicit identifier; a falsy value means one is generated.
        idref: Reference to another Object, stored as given.
    """
    super(Object, self).__init__()
    if properties:
        prefix = str(properties.__class__.__name__)
    else:
        prefix = "Object"
    self.id_ = id_ if id_ else idgen.create_id(prefix=prefix)
    self.idref = idref
    self.properties = properties
    self.related_objects = RelatedObjects()
def __init__(self, item=None, id_=None, idref=None, title=None, description=None):
    """Create an Observable out of ``item``.

    ``item`` may be an ``Object``, an ``Event``, an ``ObservableComposition``
    or any ``ObjectProperties`` subclass.  The first three are attached to the
    matching attribute directly; properties are wrapped in an ``Object`` (or
    their existing parent Object is reused) so the hierarchy stays correct.

    Raises:
        TypeError: if ``item`` is not ``None`` and not one of the above types.
    """
    super(Observable, self).__init__()
    # Mint an ID only when neither an ID nor a reference was supplied.
    self.id_ = id_ if (id_ or idref) else idgen.create_id(prefix="Observable")
    self.title = title
    self.description = description
    self.object_ = None
    self.event = None
    self.observable_composition = None
    self.idref = idref
    self.sighting_count = None
    self.observable_source = []
    self.keywords = Keywords()
    self.pattern_fidelity = None
    if item is None:
        return
    # Check order matters: keep Object before ObservableComposition before Event.
    direct_slots = (
        (Object, "object_"),
        (ObservableComposition, "observable_composition"),
        (Event, "event"),
    )
    for klass, attr_name in direct_slots:
        if isinstance(item, klass):
            setattr(self, attr_name, item)
            return
    if isinstance(item, ObjectProperties):
        # Reuse the parent Object when the properties already belong to one.
        self.object_ = item.parent if item.parent else Object(item)
        return
    msg = ("item must be an Object, Event, ObservableComposition, or "
           "subclass of ObjectProperties. Received an %s" % type(item))
    raise TypeError(msg)
def __init__(self, id=None, defined_subject=False, schema_version="4.1",
             content_type=None, malware_instance_object=None):
    """Initialise a MAEC Bundle.

    Args:
        id: Identifier to reuse; a falsy value triggers generation of a
            ``bundle`` ID.
        defined_subject: Whether the bundle defines its own subject.
        schema_version: Schema version string written to the bundle.
        content_type: Stored as given.
        malware_instance_object: Stored on ``malware_instance_object_attributes``.
    """
    super(Bundle, self).__init__()
    if not id:
        id = idgen.create_id(prefix="bundle")
    self.id_ = id
    self.schema_version = schema_version
    self.defined_subject = defined_subject
    self.content_type = content_type
    self.timestamp = None
    self.malware_instance_object_attributes = malware_instance_object
    # Namespace / schemaLocation declarations collected from parsed input.
    self.__input_namespaces__ = {}
    self.__input_schemalocations__ = {}
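def __init__(self, id=None, method=None, type=None, findings_bundle_reference=None):
    """Initialise an Analysis.

    Args:
        id: Identifier to reuse; when falsy an ``analysis`` ID is minted.
        method: Analysis method, stored as given.
        type: Analysis type, stored on ``type_``.
        findings_bundle_reference: List of bundle references; ``None`` (the
            default) yields a fresh empty list for this instance.
    """
    super(Analysis, self).__init__()
    self.id_ = id or idgen.create_id(prefix="analysis")
    self.method = method
    self.type_ = type
    # Fix: a mutable ``[]`` default was shared by all instances built without
    # this argument, so appends on one leaked into the others.
    self.findings_bundle_reference = (
        [] if findings_bundle_reference is None else findings_bundle_reference
    )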
def __init__(self, id_=None, idref=None, timestamp=None, title=None,
             description=None, short_description=None):
    """Initialise the common core-component fields.

    The ID is generated with the class's ``_ID_PREFIX`` when ``id_`` is falsy.
    The timestamp is the supplied one; otherwise the current time, except that
    a pure reference (``idref`` set) gets no timestamp.  ``version``,
    ``information_source`` and ``handling`` start as ``None``.
    """
    self.id_ = id_ if id_ else idgen.create_id(self._ID_PREFIX)
    self.idref = idref
    self.title = title
    self.description = description
    self.short_description = short_description
    self.version = None
    self.information_source = None
    self.handling = None
    if timestamp:
        self.timestamp = timestamp
    elif idref:
        self.timestamp = None
    else:
        self.timestamp = utils.dates.now()
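def __init__(self, id=None, idref=None, namespace=None, type=None,
             observation_method=None, frequency=None, event=None, description=None):
    """Initialise a CybOX Event wrapper.

    Args:
        id: Explicit identifier.  When both ``id`` and ``idref`` are ``None``
            a UUID-based ``event`` ID is minted (under ``namespace`` if given).
        idref: Reference to another event, stored as given.
        namespace: ID namespace applied only when an ID is minted here.
        type: Stored on ``type_``.
        event: Nested event; kept only if it is a ``CyboxEvent`` instance.
        observation_method, frequency, description: Stored as given.
    """
    super(CyboxEvent, self).__init__()
    # NOTE: process-global side effect on the ID generator method.
    set_id_method(IDGenerator.METHOD_UUID)
    if id is None and idref is None:
        if namespace is not None:
            set_id_namespace(namespace)
        self.id_ = create_id(prefix='event')
    elif id is not None:
        # Fix: the original never stored a caller-supplied `id`, so the value
        # passed in was silently dropped.  The base-class initialiser is called
        # without arguments, so nothing else would have assigned it.
        self.id_ = id
    self.actions = Actions()
    self.type_ = type
    self.observation_method = observation_method
    self.idref = idref
    self.frequency = frequency
    self.event = [event] if isinstance(event, CyboxEvent) else []
    self.description = description
    self._namespace = namespace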
def __init__(self, id=None, defined_subject=False, schema_version="4.1",
             content_type=None, malware_instance_object=None):
    """Initialise a MAEC Bundle.

    Args:
        id: Identifier to reuse; when falsy a ``bundle`` ID is minted.
        defined_subject: Whether the bundle defines its own subject.
        schema_version: Schema version string written to the bundle.
        content_type: Stored as given.
        malware_instance_object: Stored on ``malware_instance_object_attributes``.
    """
    super(Bundle, self).__init__()
    self.id_ = id or idgen.create_id(prefix="bundle")
    self.schema_version = schema_version
    self.defined_subject = defined_subject
    self.content_type = content_type
    self.timestamp = None
    self.malware_instance_object_attributes = malware_instance_object
    # Namespace / schemaLocation declarations collected from parsed input.
    self.__input_namespaces__ = {}
    self.__input_schemalocations__ = {}
def merge_binned_malware_subjects(merged_malware_subject, binned_list, id_mappings_dict): '''Merge a list of input binned (related) Malware Subjects''' # Merge the Malware_Instance_Object_Attributes mal_inst_obj_list = [x.malware_instance_object_attributes for x in binned_list] merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list)) # Give the merged Object a new ID merged_inst_obj.id_ = idgen.create_id('object') # Deduplicate the hash values, if they exist if merged_inst_obj.properties and merged_inst_obj.properties.hashes: hashes = merged_inst_obj.properties.hashes hashes = HashList(deduplicate_vocabulary_list(hashes, value_name = 'simple_hash_value')) hashes = HashList(deduplicate_vocabulary_list(hashes, value_name = 'fuzzy_hash_value')) merged_inst_obj.properties.hashes = hashes # Merge and deduplicate the labels merged_labels = list(itertools.chain(*[x.label for x in binned_list if x.label])) deduplicated_labels = deduplicate_vocabulary_list(merged_labels) # Merge the configuration details config_details_list = [x.configuration_details for x in binned_list if x.configuration_details] merged_config_details = None if config_details_list: merged_config_details = MalwareConfigurationDetails.from_dict(merge_entities(config_details_list)) # Merge the minor variants merged_minor_variants = list(itertools.chain(*[x.minor_variants for x in binned_list if x.minor_variants])) # Merge the field data # TODO: Add support. Not implemented in the APIs. 
# Merge the analyses merged_analyses = list(itertools.chain(*[x.analyses for x in binned_list if x.analyses])) # Merge the findings bundles merged_findings_bundles = merge_findings_bundles([x.findings_bundles for x in binned_list if x.findings_bundles]) # Merge the relationships merged_relationships = list(itertools.chain(*[x.relationships for x in binned_list if x.relationships])) # Merge the compatible platforms merged_compatible_platforms = list(itertools.chain(*[x.compatible_platform for x in binned_list if x.compatible_platform])) # Build the merged Malware Subject merged_malware_subject.malware_instance_object_attributes = merged_inst_obj if deduplicated_labels: merged_malware_subject.label = deduplicated_labels if merged_config_details: merged_malware_subject.configuration_details = merged_config_details if merged_minor_variants: merged_malware_subject.minor_variants = MinorVariants(merged_minor_variants) if merged_analyses: merged_malware_subject.analyses = Analyses(merged_analyses) if merged_findings_bundles: merged_malware_subject.findings_bundles = merged_findings_bundles if merged_relationships: merged_malware_subject.relationships = MalwareSubjectRelationshipList(merged_relationships) if merged_compatible_platforms: merged_malware_subject.compatible_platform = merged_compatible_platforms
def __init__(self, id_=None, idref=None, timestamp=None, title=None,
             description=None, short_description=None):
    """Initialise the common core-component fields.

    The ID is generated with the class's ``_ID_PREFIX`` when ``id_`` is falsy.
    ``description`` and ``short_description`` are wrapped in
    ``StructuredTextList`` (imported locally to avoid an import cycle).
    The timestamp is the supplied one; otherwise the current time, except that
    a pure reference (``idref`` set) gets no timestamp.
    """
    from stix.common import StructuredTextList
    super(BaseCoreComponent, self).__init__()
    self.id_ = id_ if id_ else idgen.create_id(self._ID_PREFIX)
    self.idref = idref
    self.title = title
    self.descriptions = StructuredTextList(description)
    self.short_descriptions = StructuredTextList(short_description)
    if timestamp:
        self.timestamp = timestamp
    elif idref:
        self.timestamp = None
    else:
        self.timestamp = utils.dates.now()
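def __init__(self, id=None, idref=None, namespace=None, name=None, action_status=None,
             context=None, description=None, discovery_method=None, frequency=None,
             action_aliases=None, action_arguments=None, ordinal_position=None,
             timestamp=None, type=None, associated_objects=None, relationships=None):
    """Initialise a CybOX Action wrapper.

    Args:
        id: Explicit identifier.  When both ``id`` and ``idref`` are ``None``
            a UUID-based ``action`` ID is minted (under ``namespace`` if given).
        idref: Reference to another action (not stored by this body).
        namespace: ID namespace applied only when an ID is minted here.
        type: Stored on ``type_``.
        All remaining arguments are stored on the attribute of the same name.
    """
    super(CyboxAction, self).__init__()
    # NOTE: process-global side effect on the ID generator method.
    set_id_method(IDGenerator.METHOD_UUID)
    if id is None and idref is None:
        if namespace is not None:
            set_id_namespace(namespace)
        self.id_ = create_id(prefix='action')
    elif id is not None:
        # Fix: the original never stored a caller-supplied `id`; since the
        # base-class initialiser is called without arguments, the value passed
        # in was silently dropped.
        self.id_ = id
    self.action_arguments = action_arguments
    self.action_aliases = action_aliases
    self.discovery_method = discovery_method
    self.name = name
    self.action_status = action_status
    self.associated_objects = associated_objects
    self.type_ = type
    self.timestamp = timestamp
    self.relationships = relationships
    self.ordinal_position = ordinal_position
    self.frequency = frequency
    self.description = description
    self.context = context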
def __init__(self, id=None):
    """Initialise a CapabilityObjective.

    Args:
        id: Identifier to reuse; when falsy a ``capability_objective`` ID is minted.
    """
    super(CapabilityObjective, self).__init__()
    self.id_ = id or idgen.create_id(prefix="capability_objective")
def __init__(self):
    """Initialise a MalwareAction with a freshly minted ``action`` ID.

    No identifier can be supplied by the caller; one is always generated.
    """
    super(MalwareAction, self).__init__()
    action_id = idgen.create_id(prefix="action")
    self.id_ = action_id
def merge_binned_malware_subjects(merged_malware_subject, binned_list, id_mappings_dict): '''Merge a list of input binned (related) Malware Subjects''' # Merge the Malware_Instance_Object_Attributes mal_inst_obj_list = [ x.malware_instance_object_attributes for x in binned_list ] merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list)) # Give the merged Object a new ID merged_inst_obj.id_ = idgen.create_id('object') # Deduplicate the hash values, if they exist if merged_inst_obj.properties and merged_inst_obj.properties.hashes: hashes = merged_inst_obj.properties.hashes hashes = HashList( deduplicate_vocabulary_list(hashes, value_name='simple_hash_value')) hashes = HashList( deduplicate_vocabulary_list(hashes, value_name='fuzzy_hash_value')) merged_inst_obj.properties.hashes = hashes # Merge and deduplicate the labels merged_labels = list( itertools.chain(*[x.label for x in binned_list if x.label])) deduplicated_labels = deduplicate_vocabulary_list(merged_labels) # Merge the configuration details config_details_list = [ x.configuration_details for x in binned_list if x.configuration_details ] merged_config_details = None if config_details_list: merged_config_details = MalwareConfigurationDetails.from_dict( merge_entities(config_details_list)) # Merge the minor variants merged_minor_variants = list( itertools.chain( *[x.minor_variants for x in binned_list if x.minor_variants])) # Merge the field data # TODO: Add support. Not implemented in the APIs. 
# Merge the analyses merged_analyses = list( itertools.chain(*[x.analyses for x in binned_list if x.analyses])) # Merge the findings bundles merged_findings_bundles = merge_findings_bundles( [x.findings_bundles for x in binned_list if x.findings_bundles]) # Merge the relationships merged_relationships = list( itertools.chain( *[x.relationships for x in binned_list if x.relationships])) # Merge the compatible platforms merged_compatible_platforms = list( itertools.chain(*[ x.compatible_platform for x in binned_list if x.compatible_platform ])) # Build the merged Malware Subject merged_malware_subject.malware_instance_object_attributes = merged_inst_obj if deduplicated_labels: merged_malware_subject.label = deduplicated_labels if merged_config_details: merged_malware_subject.configuration_details = merged_config_details if merged_minor_variants: merged_malware_subject.minor_variants = MinorVariants( merged_minor_variants) if merged_analyses: merged_malware_subject.analyses = Analyses(merged_analyses) if merged_findings_bundles: merged_malware_subject.findings_bundles = merged_findings_bundles if merged_relationships: merged_malware_subject.relationships = MalwareSubjectRelationshipList( merged_relationships) if merged_compatible_platforms: merged_malware_subject.compatible_platform = merged_compatible_platforms
def __init__(self):
    """Initialise an ActionEquivalence with a generated ``action_equivalence`` ID.

    Callers cannot supply an identifier; one is always minted.
    """
    super(ActionEquivalence, self).__init__()
    equivalence_id = idgen.create_id(prefix="action_equivalence")
    self.id_ = equivalence_id
def test_prefix(self):
    """A caller-supplied prefix is used verbatim and the counter starts at 1."""
    prefix = "some_object"
    generated = idgen.create_id(prefix)
    expected = "%s:%s-1" % (TEST_NS.prefix, prefix)
    self.assertEqual(generated, expected)
# NOTE(review): `ms` (a malware subject) and `pl1` (a compatible platform)
# are created earlier in this script, outside the visible excerpt.
ms.addcompatibleplatform(compatible_platform=pl1)
####################################################################################################################
#Add relationship
# Four references by idref, then two relationships that each point at a pair of them.
reference1 = ms.createrelationshipreference(malware_subject_idref='Test idref 1')
reference2 = ms.createrelationshipreference(malware_subject_idref='Test idref 2')
reference3 = ms.createrelationshipreference(malware_subject_idref='Test idref 3')
reference4 = ms.createrelationshipreference(malware_subject_idref='Test idref 4')
relationship1=ms.createrelationship(type='downloads',malware_subject_reference=[reference1,reference2])
relationship2=ms.createrelationship(type='downloaded by',malware_subject_reference=[reference3,reference4])
ms.addrelationship(relationship=relationship1)
ms.addrelationship(relationship=relationship2)
####################################################################################################################
#Add findings bundle
from maec.bundle import Bundle
bundle1 = Bundle()
bundle1.content_type='dynamic analysis tool output'
bundle2 = Bundle()
bundle2.content_type='static analysis tool output'
# Added in reverse creation order (bundle2 first) -- intentional or not, it
# fixes the order of the bundles in the emitted XML.
ms.addbundleinfindingbundles(bundle2)
ms.addbundleinfindingbundles(bundle1)
# Meta-analysis: object equivalences use freshly generated idrefs, action
# equivalences use literal placeholder action ids.
mr1 = ms.createfindingbundlesmetaanalysisobjectequivalencereference(object_idref=create_id(prefix='obj_ref'))
mr2 = ms.createfindingbundlesmetaanalysisobjectequivalencereference(object_idref=create_id(prefix='obj_ref'))
object_eq = ms.createfindingbundlesmetaanalysisobjectequivalence(id=create_id(prefix='obj_equiv'),object_references=[mr1,mr2])
ar1 = ms.createfindingbundlesmetaanalysisactionequivalencereference(action_id='test action id 1')
ar2 = ms.createfindingbundlesmetaanalysisactionequivalencereference(action_id='test action id 2')
action_eq = ms.createfindingbundlesmetaanalysisactionequivalence(action_references=[ar1,ar2])
meta_analysis = ms.createfindingbundlesmetaanalysis(object_equivalences=[object_eq],action_equivalences=[action_eq])
ms.addmetaanalysisinfindingbundles(meta_analysis=meta_analysis)
ms.addexternalreferenceinfindingbundles(['testing refer qname 1','testing refer qname 2'])
#Printing results
print(ms.to_xml())
def test_id(self):
    """Creating an ID with no arguments yields a non-empty string."""
    # Make sure we can create an ID with a minimum of effort.
    # TODO: actually delete the module and reimport it to make sure there
    # is nothing left over from another test.
    generated = idgen.create_id()
    self.assertNotEqual(generated, "")
def test_namespace(self):
    """The default ID carries the test namespace prefix and a ``guid`` counter."""
    expected = "%s:guid-1" % TEST_NS.prefix
    self.assertEqual(idgen.create_id(), expected)
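def __init__(self, id=None):
    """Initialise a CandidateIndicator.

    Args:
        id: Identifier to reuse; when falsy a ``candidate_indicator`` ID is minted.
    """
    super(CandidateIndicator, self).__init__()
    # Fix: the original assigned a local ``id_`` and discarded it, so the
    # instance never received an identifier.
    self.id_ = id or idgen.create_id(prefix="candidate_indicator")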