def __init__(self,
id_=None,
idref=None,
timestamp=None,
stix_header=None,
courses_of_action=None,
exploit_targets=None,
indicators=None,
observables=None,
incidents=None,
threat_actors=None,
ttps=None,
campaigns=None):
self.id_ = id_ or stix.utils.create_id("Package")
self.idref = idref
self.version = self._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = RelatedPackages()
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = utils.dates.now() if not idref else None
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
if obj.version:
return_obj.version = obj.version
if obj.Campaigns:
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign]
if obj.Courses_Of_Action:
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action]
if obj.Exploit_Targets:
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target]
if obj.Indicators:
return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator]
if obj.Observables:
return_obj.observables = Observables.from_obj(obj.Observables)
if obj.Incidents:
return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident]
if obj.Threat_Actors:
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor]
if obj.TTPs:
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(
dict_repr.get('stix_header'))
return_obj.campaigns = Campaigns.from_dict(dict_repr.get('campaigns'))
return_obj.courses_of_action = CoursesOfAction.from_dict(
dict_repr.get('courses_of_action'))
return_obj.exploit_targets = ExploitTargets.from_dict(
dict_repr.get('exploit_targets'))
return_obj.indicators = Indicators.from_dict(
dict_repr.get('indicators'))
return_obj.observables = Observables.from_dict(
dict_repr.get('observables'))
return_obj.incidents = Incidents.from_dict(dict_repr.get('incidents'))
return_obj.threat_actors = ThreatActors.from_dict(
dict_repr.get('threat_actors'))
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(
dict_repr.get('related_packages'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(
obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(
obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_packages = RelatedPackages.from_obj(
obj.Related_Packages)
# Don't overwrite unless a version is passed in
if obj.version:
return_obj.version = obj.version
return return_obj
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
return_obj.related_packages = RelatedPackages.from_obj(
obj.get_Related_Packages())
if obj.get_version():
return_obj.version = obj.get_version()
if obj.get_Campaigns():
return_obj.campaigns = [
Campaign.from_obj(x)
for x in obj.get_Campaigns().get_Campaign()
]
if obj.get_Courses_Of_Action():
return_obj.courses_of_action = [
CourseOfAction.from_obj(x)
for x in obj.get_Courses_Of_Action().get_Course_Of_Action()
]
if obj.get_Exploit_Targets():
return_obj.exploit_targets = [
ExploitTarget.from_obj(x)
for x in obj.get_Exploit_Targets().get_Exploit_Target()
]
if obj.get_Indicators():
return_obj.indicators = [
Indicator.from_obj(x)
for x in obj.get_Indicators().get_Indicator()
]
if obj.get_Observables():
return_obj.observables = Observables.from_obj(
obj.get_Observables())
if obj.get_Incidents():
return_obj.incidents = [
Incident.from_obj(x)
for x in obj.get_Incidents().get_Incident()
]
if obj.get_Threat_Actors():
return_obj.threat_actors = [
ThreatActor.from_obj(x)
for x in obj.get_Threat_Actors().get_Threat_Actor()
]
if obj.get_TTPs():
return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
return return_obj
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None, courses_of_action=None, exploit_targets=None, indicators=None, observables=None, incidents=None, threat_actors=None, ttps=None, campaigns=None):
self.id_ = id_ or stix.utils.create_id("Package")
self.idref = idref
self.version = self._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = RelatedPackages()
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = datetime.now(tzutc()) if not idref else None
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header'))
return_obj.campaigns = Campaigns.from_dict(dict_repr.get('campaigns'))
return_obj.courses_of_action = CoursesOfAction.from_dict(dict_repr.get('courses_of_action'))
return_obj.exploit_targets = ExploitTargets.from_dict(dict_repr.get('exploit_targets'))
return_obj.indicators = Indicators.from_dict(dict_repr.get('indicators'))
return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
return_obj.incidents = Incidents.from_dict(dict_repr.get('incidents'))
return_obj.threat_actors = ThreatActors.from_dict(dict_repr.get('threat_actors'))
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
# Don't overwrite unless a version is passed in
if obj.version:
return_obj.version = obj.version
return return_obj
class STIXPackage(stix.Entity):
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.1.1"
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
courses_of_action=None, exploit_targets=None, indicators=None,
observables=None, incidents=None, threat_actors=None,
ttps=None, campaigns=None):
self.id_ = id_ or stix.utils.create_id("Package")
self.idref = idref
self.version = self._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = RelatedPackages()
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = utils.dates.now() if not idref else None
@property
def id_(self):
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
return self._idref
@idref.setter
def idref(self, value):
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
return self._timestamp
@timestamp.setter
def timestamp(self, value):
self._timestamp = utils.dates.parse_value(value)
@property
def stix_header(self):
return self._stix_header
@stix_header.setter
def stix_header(self, value):
self._set_var(STIXHeader, try_cast=False, stix_header=value)
@property
def indicators(self):
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = Indicators(value)
def add_indicator(self, indicator):
self.indicators.append(indicator)
@property
def campaigns(self):
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = Campaigns(value)
def add_campaign(self, campaign):
self.campaigns.append(campaign)
@property
def observables(self):
return self._observables
@observables.setter
def observables(self, value):
self._set_var(Observables, observables=value)
def add_observable(self, observable):
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = Incidents(value)
def add_incident(self, incident):
self.incidents.append(incident)
@property
def threat_actors(self):
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = ThreatActors(value)
def add_threat_actor(self, threat_actor):
self._threat_actors.append(threat_actor)
@property
def courses_of_action(self):
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = CoursesOfAction(value)
def add_course_of_action(self, course_of_action):
self._courses_of_action.append(course_of_action)
@property
def exploit_targets(self):
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = ExploitTargets(value)
def add_exploit_target(self, exploit_target):
self._exploit_targets.append(exploit_target)
@property
def ttps(self):
return self._ttps
@ttps.setter
def ttps(self, value):
if isinstance(value, TTPs):
self._ttps = value
else:
self._ttps = TTPs(value)
def add_ttp(self, ttp):
self.ttps.append(ttp)
def add(self, entity):
"""Adds `entity` to a top-level collection. For example, if `entity` is
an Indicator object, the `entity` will be added to the ``indicators``
top-level collection.
"""
if utils.is_cybox(entity):
self.add_observable(entity)
return
tlo_adds = {
Campaign: self.add_campaign,
CourseOfAction: self.add_course_of_action,
ExploitTarget: self.add_exploit_target,
Incident: self.add_incident,
Indicator: self.add_indicator,
ThreatActor: self.add_threat_actor,
TTP: self.add_threat_actor,
Observable: self.add_observable,
}
try:
add = tlo_adds[entity.__class__]
add(entity)
except KeyError:
error = "Cannot add type '{0}' to a top-level collection"
error = error.format(type(entity))
raise TypeError(error)
def to_obj(self, return_obj=None, ns_info=None):
super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)
if not return_obj:
return_obj = self._binding_class()
return_obj.id = self.id_
return_obj.idref = self.idref
return_obj.version = self.version
return_obj.timestamp = utils.dates.serialize_value(self.timestamp)
if self.stix_header:
return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info)
if self.campaigns:
return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
if self.courses_of_action:
return_obj.Courses_Of_Action = self.courses_of_action.to_obj(ns_info=ns_info)
if self.exploit_targets:
return_obj.Exploit_Targets = self.exploit_targets.to_obj(ns_info=ns_info)
if self.indicators:
return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
if self.observables:
return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
if self.incidents:
return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
if self.threat_actors:
return_obj.Threat_Actors = self.threat_actors.to_obj(ns_info=ns_info)
if self.ttps:
return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
if self.related_packages:
return_obj.Related_Packages = self.related_packages.to_obj(ns_info=ns_info)
return return_obj
def to_dict(self):
return super(STIXPackage, self).to_dict()
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
# Don't overwrite unless a version is passed in
if obj.version:
return_obj.version = obj.version
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header'))
return_obj.campaigns = Campaigns.from_dict(dict_repr.get('campaigns'))
return_obj.courses_of_action = CoursesOfAction.from_dict(dict_repr.get('courses_of_action'))
return_obj.exploit_targets = ExploitTargets.from_dict(dict_repr.get('exploit_targets'))
return_obj.indicators = Indicators.from_dict(dict_repr.get('indicators'))
return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
return_obj.incidents = Incidents.from_dict(dict_repr.get('incidents'))
return_obj.threat_actors = ThreatActors.from_dict(dict_repr.get('threat_actors'))
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))
return return_obj
@classmethod
def from_xml(cls, xml_file, encoding=None):
"""Parses the `xml_file` file-like object and returns a
:class:`STIXPackage` instance.
Args:
xml_file: A file, file-like object, etree._Element, or
etree._ElementTree instance.
encoding: The character encoding of the `xml_file` input. If
``None``, an attempt will be made to determine the input
character encoding. Default is ``None``.
Returns:
An instance of :class:`STIXPackage`.
"""
entity_parser = parser.EntityParser()
return entity_parser.parse_xml(xml_file, encoding=encoding)
class STIXPackage(stix.Entity):
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.1.1"
def __init__(self,
id_=None,
idref=None,
timestamp=None,
stix_header=None,
courses_of_action=None,
exploit_targets=None,
indicators=None,
observables=None,
incidents=None,
threat_actors=None,
ttps=None,
campaigns=None):
self.id_ = id_ or stix.utils.create_id("Package")
self.idref = idref
self.version = self._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = RelatedPackages()
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = utils.dates.now() if not idref else None
@property
def id_(self):
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
return self._idref
@idref.setter
def idref(self, value):
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
return self._timestamp
@timestamp.setter
def timestamp(self, value):
self._timestamp = utils.dates.parse_value(value)
@property
def stix_header(self):
return self._stix_header
@stix_header.setter
def stix_header(self, value):
self._set_var(STIXHeader, try_cast=False, stix_header=value)
@property
def indicators(self):
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = Indicators(value)
def add_indicator(self, indicator):
self.indicators.append(indicator)
@property
def campaigns(self):
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = Campaigns(value)
def add_campaign(self, campaign):
self.campaigns.append(campaign)
@property
def observables(self):
return self._observables
@observables.setter
def observables(self, value):
self._set_var(Observables, observables=value)
def add_observable(self, observable):
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = Incidents(value)
def add_incident(self, incident):
self.incidents.append(incident)
@property
def threat_actors(self):
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = ThreatActors(value)
def add_threat_actor(self, threat_actor):
self._threat_actors.append(threat_actor)
@property
def courses_of_action(self):
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = CoursesOfAction(value)
def add_course_of_action(self, course_of_action):
self._courses_of_action.append(course_of_action)
@property
def exploit_targets(self):
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = ExploitTargets(value)
def add_exploit_target(self, exploit_target):
self._exploit_targets.append(exploit_target)
@property
def ttps(self):
return self._ttps
@ttps.setter
def ttps(self, value):
if isinstance(value, TTPs):
self._ttps = value
else:
self._ttps = TTPs(value)
def add_ttp(self, ttp):
self.ttps.append(ttp)
def add(self, entity):
"""Adds `entity` to a top-level collection. For example, if `entity` is
an Indicator object, the `entity` will be added to the ``indicators``
top-level collection.
"""
if utils.is_cybox(entity):
self.add_observable(entity)
return
tlo_adds = {
Campaign: self.add_campaign,
CourseOfAction: self.add_course_of_action,
ExploitTarget: self.add_exploit_target,
Incident: self.add_incident,
Indicator: self.add_indicator,
ThreatActor: self.add_threat_actor,
TTP: self.add_threat_actor,
Observable: self.add_observable,
}
try:
add = tlo_adds[entity.__class__]
add(entity)
except KeyError:
error = "Cannot add type '{0}' to a top-level collection"
error = error.format(type(entity))
raise TypeError(error)
def to_obj(self, return_obj=None, ns_info=None):
super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)
if not return_obj:
return_obj = self._binding_class()
return_obj.id = self.id_
return_obj.idref = self.idref
return_obj.version = self.version
return_obj.timestamp = utils.dates.serialize_value(self.timestamp)
if self.stix_header:
return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info)
if self.campaigns:
return_obj.Campaigns = self.campaigns.to_obj(ns_info=ns_info)
if self.courses_of_action:
return_obj.Courses_Of_Action = self.courses_of_action.to_obj(
ns_info=ns_info)
if self.exploit_targets:
return_obj.Exploit_Targets = self.exploit_targets.to_obj(
ns_info=ns_info)
if self.indicators:
return_obj.Indicators = self.indicators.to_obj(ns_info=ns_info)
if self.observables:
return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
if self.incidents:
return_obj.Incidents = self.incidents.to_obj(ns_info=ns_info)
if self.threat_actors:
return_obj.Threat_Actors = self.threat_actors.to_obj(
ns_info=ns_info)
if self.ttps:
return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
if self.related_packages:
return_obj.Related_Packages = self.related_packages.to_obj(
ns_info=ns_info)
return return_obj
def to_dict(self):
return super(STIXPackage, self).to_dict()
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
return_obj.courses_of_action = CoursesOfAction.from_obj(
obj.Courses_Of_Action)
return_obj.exploit_targets = ExploitTargets.from_obj(
obj.Exploit_Targets)
return_obj.indicators = Indicators.from_obj(obj.Indicators)
return_obj.observables = Observables.from_obj(obj.Observables)
return_obj.incidents = Incidents.from_obj(obj.Incidents)
return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return_obj.related_packages = RelatedPackages.from_obj(
obj.Related_Packages)
# Don't overwrite unless a version is passed in
if obj.version:
return_obj.version = obj.version
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(
dict_repr.get('stix_header'))
return_obj.campaigns = Campaigns.from_dict(dict_repr.get('campaigns'))
return_obj.courses_of_action = CoursesOfAction.from_dict(
dict_repr.get('courses_of_action'))
return_obj.exploit_targets = ExploitTargets.from_dict(
dict_repr.get('exploit_targets'))
return_obj.indicators = Indicators.from_dict(
dict_repr.get('indicators'))
return_obj.observables = Observables.from_dict(
dict_repr.get('observables'))
return_obj.incidents = Incidents.from_dict(dict_repr.get('incidents'))
return_obj.threat_actors = ThreatActors.from_dict(
dict_repr.get('threat_actors'))
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(
dict_repr.get('related_packages'))
return return_obj
@classmethod
def from_xml(cls, xml_file, encoding=None):
"""Parses the `xml_file` file-like object and returns a
:class:`STIXPackage` instance.
Args:
xml_file: A file, file-like object, etree._Element, or
etree._ElementTree instance.
encoding: The character encoding of the `xml_file` input. If
``None``, an attempt will be made to determine the input
character encoding. Default is ``None``.
Returns:
An instance of :class:`STIXPackage`.
"""
entity_parser = parser.EntityParser()
return entity_parser.parse_xml(xml_file, encoding=encoding)
class STIXPackage(stix.Entity):
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.1.1"
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None, courses_of_action=None, exploit_targets=None, indicators=None, observables=None, incidents=None, threat_actors=None, ttps=None, campaigns=None):
self.id_ = id_ or stix.utils.create_id("Package")
self.idref = idref
self.version = self._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = RelatedPackages()
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = datetime.now(tzutc()) if not idref else None
@property
def id_(self):
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
return self._idref
@idref.setter
def idref(self, value):
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
return self._timestamp
@timestamp.setter
def timestamp(self, value):
self._timestamp = dates.parse_value(value)
@property
def stix_header(self):
return self._stix_header
@stix_header.setter
def stix_header(self, value):
if value and not isinstance(value, STIXHeader):
raise ValueError('value must be instance of STIXHeader')
self._stix_header = value
@property
def indicators(self):
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_indicator(v)
else:
self.add_indicator(value)
def add_indicator(self, indicator):
if not indicator:
return
elif isinstance(indicator, Indicator):
self.indicators.append(indicator)
else:
raise ValueError('indicator must be instance of stix.indicator.Indicator')
@property
def campaigns(self):
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_campaign(v)
else:
self.add_campaign(value)
def add_campaign(self, campaign):
if not campaign:
return
elif isinstance(campaign, Campaign):
self.campaigns.append(campaign)
else:
raise ValueError('indicator must be instance of stix.campaign.Campaign')
@property
def observables(self):
return self._observables
@observables.setter
def observables(self, value):
if value and not isinstance(value, Observables):
raise ValueError('value must be instance of cybox.core.Observables')
self._observables = value
def add_observable(self, observable):
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_incident(v)
else:
self.add_incident(value)
def add_incident(self, incident):
if not incident:
return
elif isinstance(incident, Incident):
self.incidents.append(incident)
else:
raise ValueError('Cannot add %s to incident list' % type(incident))
@property
def threat_actors(self):
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_threat_actor(v)
else:
self.add_threat_actor(value)
def add_threat_actor(self, threat_actor):
if not threat_actor:
return
elif isinstance(threat_actor, ThreatActor):
self._threat_actors.append(threat_actor)
else:
raise ValueError('Cannot add %s to threat actor list' % type(threat_actor))
@property
def courses_of_action(self):
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_course_of_action(v)
else:
self.add_course_of_action(value)
def add_course_of_action(self, course_of_action):
if not course_of_action:
return
elif isinstance(course_of_action, CourseOfAction):
self._courses_of_action.append(course_of_action)
else:
raise ValueError('Cannot add %s to course of action list' % type(course_of_action))
@property
def exploit_targets(self):
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_exploit_target(v)
else:
self.add_exploit_target(value)
def add_exploit_target(self, exploit_target):
if not exploit_target:
return
elif isinstance(exploit_target, ExploitTarget):
self._exploit_targets.append(exploit_target)
else:
raise ValueError('Cannot add %s to exploit target list' % type(exploit_target))
@property
def ttps(self):
return self._ttps
@ttps.setter
def ttps(self, value):
if not value:
self._ttps = TTPs()
elif isinstance(value, TTPs):
self._ttps = value
elif isinstance(value, list):
for v in value:
self.add_ttp(v)
else:
self.add_ttp(value)
def add_ttp(self, ttp):
if not ttp:
return
if not self.ttps:
self.ttps = TTPs()
self.ttps.append(ttp)
def to_obj(self, return_obj=None, ns_info=None):
super(STIXPackage, self).to_obj(return_obj=return_obj, ns_info=ns_info)
if not return_obj:
return_obj = self._binding_class()
return_obj.id = self.id_
return_obj.idref = self.idref
return_obj.version = self.version
return_obj.timestamp = dates.serialize_value(self.timestamp)
if self.stix_header:
return_obj.STIX_Header = self.stix_header.to_obj(ns_info=ns_info)
if self.campaigns:
coas_obj = self._binding.CampaignsType()
coas_obj.Campaign = [x.to_obj(ns_info=ns_info) for x in self.campaigns]
return_obj.Campaigns = coas_obj
if self.courses_of_action:
coas_obj = self._binding.CoursesOfActionType()
coas_obj.Course_Of_Action = [x.to_obj(ns_info=ns_info) for x in self.courses_of_action]
return_obj.Courses_Of_Action = coas_obj
if self.exploit_targets:
et_obj = stix_common_binding.ExploitTargetsType()
et_obj.Exploit_Target = [x.to_obj(ns_info=ns_info) for x in self.exploit_targets]
return_obj.Exploit_Targets = et_obj
if self.indicators:
indicators_obj = self._binding.IndicatorsType()
indicators_obj.Indicator = [x.to_obj(ns_info=ns_info) for x in self.indicators]
return_obj.Indicators = indicators_obj
if self.observables:
return_obj.Observables = self.observables.to_obj(ns_info=ns_info)
if self.incidents:
incidents_obj = self._binding.IncidentsType()
incidents_obj.Incident = [x.to_obj(ns_info=ns_info) for x in self.incidents]
return_obj.Incidents = incidents_obj
if self.threat_actors:
threat_actors_obj = self._binding.ThreatActorsType()
threat_actors_obj.Threat_Actor = [x.to_obj(ns_info=ns_info) for x in self.threat_actors]
return_obj.Threat_Actors = threat_actors_obj
if self.ttps:
return_obj.TTPs = self.ttps.to_obj(ns_info=ns_info)
if self.related_packages:
return_obj.Related_Packages = self.related_packages.to_obj(ns_info=ns_info)
return return_obj
def to_dict(self):
d = {}
if self.id_:
d['id'] = self.id_
if self.idref:
d['idref'] = self.idref
if self.version:
d['version'] = self.version
if self.idref:
d['idref'] = self.idref
if self.timestamp:
d['timestamp'] = dates.serialize_value(self.timestamp)
if self.stix_header:
d['stix_header'] = self.stix_header.to_dict()
if self.campaigns:
d['campaigns'] = [x.to_dict() for x in self.campaigns]
if self.courses_of_action:
d['courses_of_action'] = [x.to_dict() for x in self.courses_of_action]
if self.exploit_targets:
d['exploit_targets'] = [x.to_dict() for x in self.exploit_targets]
if self.indicators:
d['indicators'] = [x.to_dict() for x in self.indicators]
if self.observables:
d['observables'] = self.observables.to_dict()
if self.incidents:
d['incidents'] = [x.to_dict() for x in self.incidents]
if self.threat_actors:
d['threat_actors'] = [x.to_dict() for x in self.threat_actors]
if self.ttps:
d['ttps'] = self.ttps.to_dict()
if self.related_packages:
d['related_packages'] = self.related_packages.to_dict()
return d
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
if obj.version:
return_obj.version = obj.version
if obj.Campaigns:
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign]
if obj.Courses_Of_Action:
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action]
if obj.Exploit_Targets:
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target]
if obj.Indicators:
return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator]
if obj.Observables:
return_obj.observables = Observables.from_obj(obj.Observables)
if obj.Incidents:
return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident]
if obj.Threat_Actors:
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor]
if obj.TTPs:
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id', None)
return_obj.idref = dict_repr.get('idref', None)
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header', None))
return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])]
return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in dict_repr.get('courses_of_action', [])]
return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])]
return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])]
return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])]
return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])]
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))
return return_obj
@classmethod
def from_xml(cls, xml_file, encoding=None):
"""Parses the `xml_file` file-like object and returns a
:class:`STIXPackage` instance.
Args:
xml_file: A file, file-like object, etree._Element, or
etree._ElementTree instance.
encoding: The character encoding of the `xml_file` input. If
``None``, an attempt will be made to determine the input
character encoding. Default is ``None``.
Returns:
An instance of :class:`STIXPackage`.
"""
parser = EntityParser()
return parser.parse_xml(xml_file, encoding=encoding)
class STIXPackage(stix.Entity):
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.1.1"
def __init__(self,
id_=None,
idref=None,
timestamp=None,
stix_header=None,
courses_of_action=None,
exploit_targets=None,
indicators=None,
observables=None,
incidents=None,
threat_actors=None,
ttps=None,
campaigns=None):
self.id_ = id_ or stix.utils.create_id("Package")
self.idref = idref
self.version = self._version
self.stix_header = stix_header
self.campaigns = campaigns
self.courses_of_action = courses_of_action
self.exploit_targets = exploit_targets
self.observables = observables
self.indicators = indicators
self.incidents = incidents
self.threat_actors = threat_actors
self.ttps = ttps
self.related_packages = RelatedPackages()
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = datetime.now(tzutc()) if not idref else None
@property
def id_(self):
return self._id
@id_.setter
def id_(self, value):
if not value:
self._id = None
else:
self._id = value
self.idref = None
@property
def idref(self):
return self._idref
@idref.setter
def idref(self, value):
if not value:
self._idref = None
else:
self._idref = value
self.id_ = None # unset id_ if idref is present
@property
def timestamp(self):
return self._timestamp
@timestamp.setter
def timestamp(self, value):
self._timestamp = dates.parse_value(value)
@property
def stix_header(self):
return self._stix_header
@stix_header.setter
def stix_header(self, value):
if value and not isinstance(value, STIXHeader):
raise ValueError('value must be instance of STIXHeader')
self._stix_header = value
@property
def indicators(self):
return self._indicators
@indicators.setter
def indicators(self, value):
self._indicators = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_indicator(v)
else:
self.add_indicator(value)
def add_indicator(self, indicator):
if not indicator:
return
elif isinstance(indicator, Indicator):
self.indicators.append(indicator)
else:
raise ValueError(
'indicator must be instance of stix.indicator.Indicator')
@property
def campaigns(self):
return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_campaign(v)
else:
self.add_campaign(value)
def add_campaign(self, campaign):
if not campaign:
return
elif isinstance(campaign, Campaign):
self.campaigns.append(campaign)
else:
raise ValueError(
'indicator must be instance of stix.campaign.Campaign')
@property
def observables(self):
return self._observables
@observables.setter
def observables(self, value):
if value and not isinstance(value, Observables):
raise ValueError(
'value must be instance of cybox.core.Observables')
self._observables = value
def add_observable(self, observable):
if not self.observables:
self.observables = Observables(observables=observable)
else:
self.observables.add(observable)
@property
def incidents(self):
return self._incidents
@incidents.setter
def incidents(self, value):
self._incidents = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_incident(v)
else:
self.add_incident(value)
def add_incident(self, incident):
if not incident:
return
elif isinstance(incident, Incident):
self.incidents.append(incident)
else:
raise ValueError('Cannot add %s to incident list' % type(incident))
@property
def threat_actors(self):
return self._threat_actors
@threat_actors.setter
def threat_actors(self, value):
self._threat_actors = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_threat_actor(v)
else:
self.add_threat_actor(value)
def add_threat_actor(self, threat_actor):
if not threat_actor:
return
elif isinstance(threat_actor, ThreatActor):
self._threat_actors.append(threat_actor)
else:
raise ValueError('Cannot add %s to threat actor list' %
type(threat_actor))
@property
def courses_of_action(self):
return self._courses_of_action
@courses_of_action.setter
def courses_of_action(self, value):
self._courses_of_action = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_course_of_action(v)
else:
self.add_course_of_action(value)
def add_course_of_action(self, course_of_action):
if not course_of_action:
return
elif isinstance(course_of_action, CourseOfAction):
self._courses_of_action.append(course_of_action)
else:
raise ValueError('Cannot add %s to course of action list' %
type(course_of_action))
@property
def exploit_targets(self):
return self._exploit_targets
@exploit_targets.setter
def exploit_targets(self, value):
self._exploit_targets = []
if not value:
return
elif isinstance(value, list):
for v in value:
self.add_exploit_target(v)
else:
self.add_exploit_target(value)
def add_exploit_target(self, exploit_target):
if not exploit_target:
return
elif isinstance(exploit_target, ExploitTarget):
self._exploit_targets.append(exploit_target)
else:
raise ValueError('Cannot add %s to exploit target list' %
type(exploit_target))
@property
def ttps(self):
return self._ttps
@ttps.setter
def ttps(self, value):
if not value:
self._ttps = TTPs()
elif isinstance(value, TTPs):
self._ttps = value
elif isinstance(value, list):
for v in value:
self.add_ttp(v)
else:
self.add_ttp(value)
def add_ttp(self, ttp):
if not ttp:
return
if not self.ttps:
self.ttps = TTPs()
self.ttps.append(ttp)
def to_obj(self, return_obj=None):
if not return_obj:
return_obj = self._binding_class()
return_obj.set_id(self.id_)
return_obj.set_idref(self.idref)
return_obj.set_version(self.version)
return_obj.set_timestamp(dates.serialize_value(self.timestamp))
if self.stix_header:
return_obj.set_STIX_Header(self.stix_header.to_obj())
if self.campaigns:
coas_obj = self._binding.CampaignsType()
coas_obj.set_Campaign([x.to_obj() for x in self.campaigns])
return_obj.set_Campaigns(coas_obj)
if self.courses_of_action:
coas_obj = self._binding.CoursesOfActionType()
coas_obj.set_Course_Of_Action(
[x.to_obj() for x in self.courses_of_action])
return_obj.set_Courses_Of_Action(coas_obj)
if self.exploit_targets:
et_obj = stix_common_binding.ExploitTargetsType()
et_obj.set_Exploit_Target(
[x.to_obj() for x in self.exploit_targets])
return_obj.set_Exploit_Targets(et_obj)
if self.indicators:
indicators_obj = self._binding.IndicatorsType()
indicators_obj.set_Indicator([x.to_obj() for x in self.indicators])
return_obj.set_Indicators(indicators_obj)
if self.observables:
return_obj.set_Observables(self.observables.to_obj())
if self.incidents:
incidents_obj = self._binding.IncidentsType()
incidents_obj.set_Incident([x.to_obj() for x in self.incidents])
return_obj.set_Incidents(incidents_obj)
if self.threat_actors:
threat_actors_obj = self._binding.ThreatActorsType()
threat_actors_obj.set_Threat_Actor(
[x.to_obj() for x in self.threat_actors])
return_obj.set_Threat_Actors(threat_actors_obj)
if self.ttps:
return_obj.set_TTPs(self.ttps.to_obj())
if self.related_packages:
return_obj.set_Related_Packages(self.related_packages.to_obj())
return return_obj
def to_dict(self):
d = {}
if self.id_:
d['id'] = self.id_
if self.idref:
d['idref'] = self.idref
if self.version:
d['version'] = self.version
if self.idref:
d['idref'] = self.idref
if self.timestamp:
d['timestamp'] = dates.serialize_value(self.timestamp)
if self.stix_header:
d['stix_header'] = self.stix_header.to_dict()
if self.campaigns:
d['campaigns'] = [x.to_dict() for x in self.campaigns]
if self.courses_of_action:
d['courses_of_action'] = [
x.to_dict() for x in self.courses_of_action
]
if self.exploit_targets:
d['exploit_targets'] = [x.to_dict() for x in self.exploit_targets]
if self.indicators:
d['indicators'] = [x.to_dict() for x in self.indicators]
if self.observables:
d['observables'] = self.observables.to_dict()
if self.incidents:
d['incidents'] = [x.to_dict() for x in self.incidents]
if self.threat_actors:
d['threat_actors'] = [x.to_dict() for x in self.threat_actors]
if self.ttps:
d['ttps'] = self.ttps.to_dict()
if self.related_packages:
d['related_packages'] = self.related_packages.to_dict()
return d
@classmethod
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
return_obj.related_packages = RelatedPackages.from_obj(
obj.get_Related_Packages())
if obj.get_version():
return_obj.version = obj.get_version()
if obj.get_Campaigns():
return_obj.campaigns = [
Campaign.from_obj(x)
for x in obj.get_Campaigns().get_Campaign()
]
if obj.get_Courses_Of_Action():
return_obj.courses_of_action = [
CourseOfAction.from_obj(x)
for x in obj.get_Courses_Of_Action().get_Course_Of_Action()
]
if obj.get_Exploit_Targets():
return_obj.exploit_targets = [
ExploitTarget.from_obj(x)
for x in obj.get_Exploit_Targets().get_Exploit_Target()
]
if obj.get_Indicators():
return_obj.indicators = [
Indicator.from_obj(x)
for x in obj.get_Indicators().get_Indicator()
]
if obj.get_Observables():
return_obj.observables = Observables.from_obj(
obj.get_Observables())
if obj.get_Incidents():
return_obj.incidents = [
Incident.from_obj(x)
for x in obj.get_Incidents().get_Incident()
]
if obj.get_Threat_Actors():
return_obj.threat_actors = [
ThreatActor.from_obj(x)
for x in obj.get_Threat_Actors().get_Threat_Actor()
]
if obj.get_TTPs():
return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
return return_obj
@classmethod
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id', None)
return_obj.idref = dict_repr.get('idref', None)
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
header_dict = dict_repr.get('stix_header', None)
return_obj.stix_header = STIXHeader.from_dict(header_dict)
return_obj.campaigns = [
Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])
]
return_obj.courses_of_action = [
CourseOfAction.from_dict(x)
for x in dict_repr.get('courses_of_action', [])
]
return_obj.exploit_targets = [
ExploitTarget.from_dict(x)
for x in dict_repr.get('exploit_targets', [])
]
return_obj.indicators = [
Indicator.from_dict(x) for x in dict_repr.get('indicators', [])
]
return_obj.observables = Observables.from_dict(
dict_repr.get('observables'))
return_obj.incidents = [
Incident.from_dict(x) for x in dict_repr.get('incidents', [])
]
return_obj.threat_actors = [
ThreatActor.from_dict(x)
for x in dict_repr.get('threat_actors', [])
]
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(
dict_repr.get('related_packages'))
return return_obj
@classmethod
def from_xml(cls, xml_file):
parser = EntityParser()
return parser.parse_xml(xml_file)
def related_packages(self, value):
if isinstance(value, RelatedPackages):
self._related_packages = value
else:
self._related_packages = RelatedPackages(value)