def test_boolean_expression_with_parentheses(): exp1 = stix2.MatchesComparisonExpression(stix2.ObjectPath("email-message", [stix2.ReferenceObjectPathComponent("from_ref"), stix2.BasicObjectPathComponent("value")]), stix2.StringConstant(".+\\@example\\.com$")) exp2 = stix2.MatchesComparisonExpression("email-message:body_multipart[*].body_raw_ref.name", stix2.StringConstant("^Final Report.+\\.exe$")) exp = stix2.ParentheticalExpression(stix2.AndBooleanExpression([exp1, exp2])) assert str(exp) == "(email-message:from_ref.value MATCHES '.+\\\\@example\\\\.com$' AND email-message:body_multipart[*].body_raw_ref.name MATCHES '^Final Report.+\\\\.exe$')" # noqa
def test_hash_followed_by_registryKey_expression(): hash_exp = stix2.EqualityComparisonExpression("file:hashes.MD5", stix2.HashConstant("79054025255fb1a26e4bc422aef54eb4", "MD5")) o_exp1 = stix2.ObservationExpression(hash_exp) reg_exp = stix2.EqualityComparisonExpression(stix2.ObjectPath("windows-registry-key", ["key"]), stix2.StringConstant("HKEY_LOCAL_MACHINE\\foo\\bar")) o_exp2 = stix2.ObservationExpression(reg_exp) fb_exp = stix2.FollowedByObservationExpression([o_exp1, o_exp2]) para_exp = stix2.ParentheticalExpression(fb_exp) qual_exp = stix2.WithinQualifier(stix2.IntegerConstant(300)) exp = stix2.QualifiedObservationExpression(para_exp, qual_exp) assert str(exp) == "([file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4'] FOLLOWEDBY [windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\\\foo\\\\bar']) WITHIN 300 SECONDS" # noqa
def _element_list_to_object_path(object_type, path_elements): """ Build an AST ObjectPath instance from an object "path" given as a list of strings, ints and the special _INDEX_STAR_STEP object, used for list index "star" steps. The strings are interpreted as property names and the ints/star steps as list indices. :param object_type: The SCO type to use for the ObjectPath instance :param path_elements: The path elements as a list of strings/ints/_INDEX_STAR_STEPs :return: An ObjectPath instance """ path_components = [] i = 0 while i < len(path_elements): elt_i = path_elements[i] if not isinstance(elt_i, str): raise UnsupportedObjectStructureError(object_type, path_elements) if i < len(path_elements) - 1: elt_i1 = path_elements[i + 1] if isinstance(elt_i1, int): component = stix2.ListObjectPathComponent(elt_i, elt_i1) i += 1 elif elt_i1 is _INDEX_STAR_STEP: component = stix2.ListObjectPathComponent(elt_i, "*") i += 1 # ignoring ReferenceObjectPathComponent here. I think the pattern # visitor never uses it(?), so I guess I won't either. else: component = stix2.BasicObjectPathComponent(elt_i, False) else: component = stix2.BasicObjectPathComponent(elt_i, False) path_components.append(component) i += 1 object_path = stix2.ObjectPath(object_type, path_components) return object_path
def process_reports(self, reports): if reports is None: printer.error("No results") return for report in reports: name = report["name"] id = report["id"] stix2_objects = [] stix2_object_refs = [] # FFS AV, consistency! if 'tlp' in report: tlp_id = REF_TLPS[report['tlp'].upper()] elif 'TLP' in report: tlp_id = REF_TLPS[report['TLP'].upper()] else: tlp_id = REF_TLPS['WHITE'] sectors = report['industries'] if sectors: unmatched_sectors = [] added_sector = False for sector in [html.unescape(x.upper()) for x in sectors]: sector_name = None sector_id = None if sector in SECTOR_MAPPINGS: # sector_ids.append(self.octi_sectors[SECTOR_MAPPINGS[sector]]) sector_name = SECTOR_MAPPINGS[sector] try: sector_id = self.octi_sectors[ SECTOR_MAPPINGS[sector]] except Exception as e: printer.error(e) continue else: printer.debug(f"Looking for sector {sector}") match = difflib.get_close_matches( sector, self.octi_sectors.keys(), 1) if not len(match): printer.error( f"Unable to determine a matching sector for {sector}" ) unmatched_sectors.append(sector) continue # sector_ids.append(self.octi_sectors[match[0]]) sector_name = match[0] sector_id = self.octi_sectors[match[0]] if sector_name is not None: s = stix2.Identity(id=sector_id, name=sector_name, identity_class='class', custom_properties={ 'x_opencti_identity_type': 'sector' }) printer.debug(f"Adding sector {sector_name}") stix2_objects.append(s) stix2_object_refs.append(s) added_sector = True if not added_sector: printer.warn("Adding 'UNKNOWN' placeholder sector") s = stix2.Identity(id=self.octi_sectors["UNKNOWN"], name="Unknown", identity_class='class', custom_properties={ 'x_opencti_identity_type': 'sector' }) stix2_objects.append(s) stix2_object_refs.append(s) description = report['description'] if len(unmatched_sectors): description = description + "\n\n###\nUnable to find a match for the following sectors, " \ "please review manually:\n - " + '\n - '.join(unmatched_sectors) printer.info(f"Generating STIX2 for {name} ({id})") author = stix2.Identity(name=report['author_name'], identity_class='organization') stix2_objects.append(author) adversary = None if report['adversary']: printer.debug("Adding adversary {}".format( report['adversary'])) adversary = stix2.IntrusionSet(name=report['adversary']) stix2_object_refs.append(adversary) stix2_objects.append(adversary) if report['targeted_countries']: for country in report['targeted_countries']: printer.debug(f"Adding country {country}") c = stix2.Identity(name=country, identity_class='organization', custom_properties={ 'x_opencti_identity_type': 'country' }) stix2_objects.append(c) stix2_object_refs.append(c) external_refs = [] for eref in report['references']: external_refs.append( stix2.ExternalReference(source_name=tldextract.extract( eref).registered_domain, url=eref)) indicators = report["indicators"] if indicators: for indicator in indicators: resolved_type = self.resolve_type( indicator["type"].lower()) if resolved_type != None and indicator["is_active"]: observable_type = resolved_type observable_value = indicator["indicator"] pattern_type = 'stix' try: if observable_type in PATTERNTYPES: pattern_type = observable_type elif observable_type not in OPENCTISTIX2: printer.info("Not in stix2 dict") else: if 'transform' in OPENCTISTIX2[ observable_type]: if OPENCTISTIX2[observable_type][ 'transform'][ 'operation'] == 'remove_string': observable_value = observable_value.replace( OPENCTISTIX2[observable_type] ['transform']['value'], '') lhs = stix2.ObjectPath( OPENCTISTIX2[observable_type]['type'], OPENCTISTIX2[observable_type]['path']) observable_value = stix2.ObservationExpression( stix2.EqualityComparisonExpression( lhs, observable_value)) except Exception as e: printer.error(e) printer.info( "Could not determine suitable pattern") try: indicator_obj = stix2.Indicator( name=indicator["indicator"], description=indicator["description"], pattern=str(observable_value), valid_from=indicator["created"], labels=['malicious-activity'], created_by_ref=author, object_marking_refs=[tlp_id], custom_properties={ 'x_opencti_observable_type': resolved_type, 'x_opencti_observable_value': indicator["indicator"], 'x_opencti_pattern_type': pattern_type }) stix2_object_refs.append(indicator_obj) stix2_objects.append(indicator_obj) except Exception as e: printer.error(e) printer.info("Couldn't fetch indicator") else: printer.error("No indicators") report = stix2.Report(name=name, description=description, created_by_ref=author, labels=['threat-report'], published=report['created'], created=report['created'], modified=report['modified'], object_refs=stix2_object_refs, object_marking_refs=[tlp_id], external_references=external_refs) stix2_objects.append(report) bundle = stix2.Bundle(stix2_objects).serialize() if not self.dryrun: self.opencti_connector_helper.send_stix2_bundle( bundle, None, True, False) printer.info("Sending to OpenCTI") #printer.debug(str(bundle)) else: printer.debug(f"No sectors, disregarding '{name}'")