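def test_markable_attributes(self):
    """Check that markings applied to attributes produce attribute selectors.

    Marks an observable object's ``id_`` and an indicator's ``timestamp``
    with a TLP RED marking, flushes the container, and asserts that every
    resulting ``controlled_structure`` XPath ends in an ``@attribute``
    step. The test does not verify that the XPath points at the correct
    node -- only that its last step is an attribute selector.
    """
    container = stixmarx.new()
    package = container.package

    red_marking = generate_marking_spec(generate_red_marking_struct())

    indicator = Indicator(title="Test")
    observable = generate_observable()
    indicator.add_observable(observable)
    package.add_indicator(indicator)

    # add_marking() returns the value to store, so each attribute is
    # reassigned with what comes back rather than marked in place.
    observable.object_.id_ = container.add_marking(observable.object_.id_, red_marking)
    indicator.timestamp = container.add_marking(indicator.timestamp, red_marking)

    # Nothing is written into the package until flush().
    self.assertIsNone(package.stix_header)
    self.assertIsNone(package.indicators[0].handling)

    container.flush()

    # Attribute markings land on the indicator's handling, not the header.
    self.assertIsNone(package.stix_header)
    self.assertIsNotNone(package.indicators[0].handling)

    for marking in package.indicators[0].handling.marking:
        # Only the last XPath step is inspected; it must be an attribute.
        selector = marking.controlled_structure.split("/")[-1]
        self.assertTrue(selector.startswith("@"), selector)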
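def to_stix_rfi(obj):
    """Convert a CRITs object's RFI entries into STIX Indicators.

    One Indicator is emitted per RFI entry, plus one additional Indicator
    per ``instance`` of that entry carrying ``to_source(instance)`` as its
    ``producer``.

    Args:
        obj: CRITs document exposing an ``rfi`` list; each entry must
            provide ``date``, ``topic``, ``source`` and ``instance``.

    Returns:
        list of ``stix.indicator.Indicator`` objects.
    """
    from stix.indicator import Indicator as S_Ind

    def base_indicator(rfi):
        # Fields shared by the entry-level and the per-instance Indicators.
        ind = S_Ind()
        ind.title = "CRITs RFI"
        ind.timestamp = rfi.date
        ind.description = rfi.topic
        # NOTE(review): every Indicator derived from this entry receives the
        # same id_ (rfi.source), so a package holding more than one of them
        # carries duplicate ids -- confirm this is intended.
        ind.id_ = rfi.source
        return ind

    list_rfis = []
    for each in obj.rfi:
        list_rfis.append(base_indicator(each))
        for item in each.instance:
            ind = base_indicator(each)
            ind.producer = to_source(item)
            list_rfis.append(ind)
    return list_rfis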
def to_stix_relationship(obj):
    """Express each CRITs relationship on ``obj`` as a STIX Indicator.

    Args:
        obj: CRITs document exposing ``relationships``; every entry is read
            for ``relationship_date``, ``rel_confidence``, ``url_key``,
            ``rel_type``, ``rel_reason`` and ``relationship``.

    Returns:
        list of ``stix.indicator.Indicator`` objects, one per relationship.
    """
    from stix.indicator import Indicator

    def as_indicator(rel):
        ind = Indicator()
        ind.title = "MARTI Relation"
        ind.timestamp = rel.relationship_date
        ind.confidence = rel.rel_confidence.title()
        ind.id_ = rel.url_key
        ind.add_indicator_type(get_indicator_type(rel.rel_type))
        ind.description = rel.rel_reason
        ind.short_description = rel.relationship
        return ind

    # NOTE: an ``if not relationship.private`` filter was left commented out
    # here ("testing"), so private relationships are exported as well --
    # unlike to_stix_comments, which does skip private entries.
    return [as_indicator(relationship) for relationship in obj.relationships]
def main():
    """Build a STIX package with one Indicator, apply TLP markings, print XML.

    Demonstrates the marking granularities stixmarx offers -- a component
    marking (node plus all descendants), a node-only marking, and markings
    on a text value and on an attribute -- then prints the package as XML.
    """
    # A fresh MarkingContainer comes with an empty STIXPackage inside it.
    container = stixmarx.new()
    package = container.package

    indicator = Indicator(title='Indicator Title', description='Gonna Mark This')
    package.add(indicator)

    # One MarkingSpecification per TLP colour, each wrapping a TLP structure.
    red_marking, amber_marking, green_marking = [
        MarkingSpecification(marking_structures=TLP(color=color))
        for color in ("RED", "AMBER", "GREEN")
    ]

    # descendants=True is a component marking: it covers the indicator node
    # and every descendant node, text and attribute.
    container.add_marking(indicator, red_marking, descendants=True)

    # Without descendants the marking is scoped to the indicator node alone,
    # not its text, attributes or children.
    container.add_marking(indicator, green_marking)

    # Marking a text value: str is immutable, so add_marking() hands back a
    # replacement (stixmarx.api.types.MarkableBytes) that is assigned back.
    indicator.description.value = container.add_marking(
        indicator.description.value, amber_marking)

    # Marking an attribute works the same way: the datetime.datetime timestamp
    # comes back as a stixmarx.api.types.MarkableDateTime.
    indicator.timestamp = container.add_marking(indicator.timestamp, amber_marking)

    print(container.to_xml().decode("utf-8"))
def to_stix_comments(obj):
    """Turn the non-private CRITs comments on ``obj`` into STIX Indicators.

    Args:
        obj: CRITs document; its ``id`` and ``_meta['crits_type']`` are used
            to look the comments up via ``crits.comments.handlers.get_comments``.

    Returns:
        list of ``stix.indicator.Indicator`` objects, one per comment whose
        ``private`` flag is false. Private comments are never exported.
    """
    from crits.comments.handlers import get_comments
    from stix.indicator import Indicator as S_Ind

    def as_indicator(comment):
        ind = S_Ind()
        ind.title = "CRITs Comment(s)"
        ind.description = comment.comment
        ind.short_description = comment.url_key
        ind.producer = to_stix_information_source(comment)
        # NOTE: edit_date is used on purpose; the original author expected
        # ``date`` to be the right field but found it not carrying the
        # correct value.
        ind.timestamp = comment.edit_date
        return ind

    comments = get_comments(obj.id, obj._meta['crits_type'], False)
    return [as_indicator(each) for each in comments if not each.private]
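def gen_indicator(data, key, _db={}):
    """Build a STIX Indicator from a feed entry dict, reusing a cached id.

    Args:
        data: feed entry; expected to be a dict with ``title``,
            ``description`` and ``link`` keys. Anything that is not a dict
            is ignored.
        key: cache key under which the generated Indicator id is stored in
            ``_db`` so that a later call for the same key yields an
            Indicator with the same ``id_``.
        _db: id cache keyed by ``key``. The default is a single dict that
            is mutated in place and therefore shared by every call that does
            not pass its own cache -- that sharing is what keeps the id
            stable across calls; pass an explicit dict to isolate callers.

    Returns:
        ``(indicator, _db)`` when ``data`` is a dict, else ``None``
        (callers that unpack the result must guard for this).

    Raises:
        ValueError: if the timestamp found in the title does not match
            ``%Y/%m/%d_%H:%M``.
    """
    if not isinstance(data, dict):
        return None

    # setdefault() creates the cache entry on first sight of ``key``; the
    # earlier ``_db.get(key, {})`` lookup followed by ``_db[key].update``
    # raised KeyError for an unknown key.
    cached = _db.setdefault(key, {})
    if cached.get('ind'):
        # Same key seen before: re-issue the Indicator under the stored id.
        ind = Indicator(id_=cached['ind'])
    else:
        ind = Indicator()
        cached['ind'] = ind.id_

    title = data.get('title')
    ind.title = title
    ind.description = '%s | For more detail go here - %s' % (
        data.get('description'), data.get('link'))

    # The title is expected to carry the timestamp as "... (YYYY/MM/DD_HH:MM)";
    # take the text between the first '(' and the following ')'. A title
    # without '(' (or no title at all) simply leaves the timestamp unset.
    parts = title.split('(') if title else []
    if len(parts) > 1:
        time = parts[1][:-1]
        if time:
            ind.timestamp = datetime.strptime(time, '%Y/%m/%d_%H:%M')
    return ind, _db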