def test_network_traffic_tcp_example():
h = stix2.TCPExt(src_flags_hex="00000002")
nt = stix2.NetworkTraffic(_valid_refs={"0": "ipv4-addr"},
protocols="tcp",
src_ref="0",
extensions={'tcp-ext': h})
assert nt.extensions['tcp-ext'].src_flags_hex == "00000002"
def test_network_traffic_icmp_example():
h = stix2.ICMPExt(icmp_type_hex="08", icmp_code_hex="00")
nt = stix2.NetworkTraffic(_valid_refs={"0": "ipv4-addr"},
protocols="tcp",
src_ref="0",
extensions={'icmp-ext': h})
assert nt.extensions['icmp-ext'].icmp_type_hex == "08"
assert nt.extensions['icmp-ext'].icmp_code_hex == "00"
def test_network_traffic_example():
nt = stix2.NetworkTraffic(_valid_refs={
"0": "ipv4-addr",
"1": "ipv4-addr"
},
protocols="tcp",
src_ref="0",
dst_ref="1")
assert nt.protocols == ["tcp"]
assert nt.src_ref == "0"
assert nt.dst_ref == "1"
def test_network_traffic_socket_example():
h = stix2.SocketExt(is_listening=True,
address_family="AF_INET",
protocol_family="PF_INET",
socket_type="SOCK_STREAM")
nt = stix2.NetworkTraffic(_valid_refs={"0": "ipv4-addr"},
protocols="tcp",
src_ref="0",
extensions={'socket-ext': h})
assert nt.extensions['socket-ext'].is_listening
assert nt.extensions['socket-ext'].address_family == "AF_INET"
assert nt.extensions['socket-ext'].protocol_family == "PF_INET"
assert nt.extensions['socket-ext'].socket_type == "SOCK_STREAM"
def test_network_traffic_http_request_example():
h = stix2.HTTPRequestExt(
request_method="get",
request_value="/download.html",
request_version="http/1.1",
request_header={
"Accept-Encoding": "gzip,deflate",
"User-Agent":
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113",
"Host": "www.example.com"
})
nt = stix2.NetworkTraffic(_valid_refs={"0": "ipv4-addr"},
protocols="tcp",
src_ref="0",
extensions={'http-request-ext': h})
assert nt.extensions['http-request-ext'].request_method == "get"
assert nt.extensions['http-request-ext'].request_value == "/download.html"
assert nt.extensions['http-request-ext'].request_version == "http/1.1"
assert nt.extensions['http-request-ext'].request_header[
'Accept-Encoding'] == "gzip,deflate"
assert nt.extensions['http-request-ext'].request_header[
'User-Agent'] == "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113"
assert nt.extensions['http-request-ext'].request_header[
'Host'] == "www.example.com"
def decode_packets(capture, count):
"""
:type count: int
:type capture: Union[pyshark.LiveCapture, pyshark.FileCapture]
"""
pkt_no = 0
all_observed = []
observed_objs = []
decoder = PacketDecoder()
global off_line
global write_bundle
global pattern_file
pattern_list = []
if pattern_file is not None:
try:
with io.open(pattern_file, 'r') as patterns_in:
for pattern in patterns_in:
pattern = pattern.strip()
if not pattern:
continue # skip blank lines
if pattern[0] == u"#":
continue # skip commented out lines
escaped_pattern = pattern.encode("unicode_escape").decode(
"ascii")
print(escaped_pattern)
pattern_list.append(Pattern(escaped_pattern))
except PermissionError as e:
raise e
for i in range(4):
t = src.stixthread.STIXPoster(i, obj_queue)
threads.append(t)
t.start()
for packet in capture:
pkt_no += 1
sniff_timestamp = float(packet.sniff_timestamp)
args, objects = decoder.decode(packet)
if not len(args):
continue
logging.debug("args: %s", args)
logging.debug("objects: %s", objects)
net_traffic = stix2.NetworkTraffic(**args)
objects[str(decoder.refcount)] = net_traffic
decoder.refcount += 1
device = 'device--' + settings.get_devuuid(online=not off_line)
observed = StixObservedData(
first_observed=str(datetime.utcfromtimestamp(sniff_timestamp)),
last_observed=str(datetime.utcfromtimestamp(sniff_timestamp)),
number_observed=1,
objects=objects,
device_ref=device)
print(observed) # Debug
# all_observed.append(json.loads(str(observed)))
if len(pattern_list):
matches = []
matched = False
for p in pattern_list:
matches = p.match([json.loads(observed.serialize())])
if len(matches):
matched = True
# print('matched: ', observed.serialize())
if not matched:
observed = None
if observed:
logging.debug(observed)
observed_objs.append(observed)
if not off_line:
print('Putting object into queue')
obj_queue.put(observed)
if 0 > count > pkt_no:
break
obj_queue.join()
for t in threads:
t.stop()
t.join()
if write_bundle is not None:
try:
fp = open(write_bundle, 'w')
except PermissionError as e:
raise e
else:
with fp:
stix_bundle = Bundle(*observed_objs, allow_custom=True)
fp.writelines(stix_bundle.serialize(pretty=True))
fp.close()
