def convert_resource_disposition(resource_disposition):
rd = {}
if resource_disposition.disposition_date:
rd["disposition_date"] = convert_timestamp_to_string(resource_disposition.disposition_date)
if resource_disposition.disposition_process:
rd["disposition_process"] = str(resource_disposition.disposition_process)
return rd
def convert_registry_key(reg_key):
cybox_reg = {"type": "windows-registry-key"}
if reg_key.key or reg_key.hive:
full_key = ""
if reg_key.hive:
full_key += reg_key.hive.value + "\\"
if reg_key.key:
full_key += reg_key.key.value
cybox_reg["key"] = full_key
else:
error("windows-registry-key is required to have a key property", 608)
if reg_key.values:
cybox_reg["values"] = []
for v in reg_key.values:
reg_value = {}
if hasattr(v, "data") and v.data:
reg_value["data"] = text_type(v.data)
if hasattr(v, "name") and v.name:
reg_value["name"] = text_type(v.name)
if hasattr(v, "datatype") and v.datatype:
reg_value["data_type"] = text_type(v.datatype)
cybox_reg["values"].append(reg_value)
if reg_key.modified_time:
cybox_reg["modified"] = convert_timestamp_to_string(
reg_key.modified_time)
return cybox_reg
def convert_edh_marking_to_acs_marking(marking_definition_instance, isa_marking, marking_assertion):
acs_marking = {"extension_type": "property-extension"}
# name is optional
if isa_marking.create_date_time:
acs_marking["create_date_time"] = convert_timestamp_to_string(isa_marking.create_date_time)
else:
warn("Required property %s is not provided for ACS data marking", 641, "create_date_time")
if isa_marking.responsible_entity:
for entity in isa_marking.responsible_entity.value:
responsible_entity_parts = entity.split(":")
if responsible_entity_parts[0] == "CUST":
acs_marking["responsible_entity_custodian"] = responsible_entity_parts[1]
if responsible_entity_parts[0] == "ORIG":
acs_marking["responsible_entity_originator"] = responsible_entity_parts[1]
if "responsible_entity_custodian" not in acs_marking:
warn("Required property %s is not provided for ACS data marking", 641, "responsible_entity_custodian")
if isa_marking.identifier:
identifier = isa_marking.identifier
if not re.match(_ISA_IDENTIFIER_PATTERN, identifier):
warn("ACS identifier %s is not valid", 643, identifier)
acs_marking["identifier"] = identifier
# both auth_ref properties in the XML schema are minOccurs="0" maxOccurs="1"
if marking_assertion.auth_ref:
acs_marking["authority_reference"] = [marking_assertion.auth_ref]
if isa_marking.auth_ref:
if acs_marking["authority_reference"]:
acs_marking["authority_reference"].append(isa_marking.auth_ref)
else:
acs_marking["authority_reference"] = isa_marking.auth_ref
if marking_assertion.policy_ref:
acs_marking["policy_reference"] = marking_assertion.policy_ref
else:
warn("Required property %s is not provided for ACS data marking", 641, "policy_reference")
if marking_assertion.original_classification:
acs_marking["original_classification"] = convert_original_classification(marking_assertion.original_classification)
if marking_assertion.derivative_classification:
acs_marking["derivative_classification"] = convert_derivative_classification(marking_assertion.derivative_classification)
if marking_assertion.declassification:
acs_marking["declassification"] = convert_declassification(marking_assertion.declassification)
if marking_assertion.resource_disposition:
acs_marking["resource_disposition"] = convert_resource_disposition(marking_assertion.resource_disposition)
if marking_assertion.public_release:
acs_marking["public_release"] = convert_public_release(marking_assertion.public_release)
if marking_assertion.access_privilege:
acs_marking["access_privilege"] = []
for ac in marking_assertion.access_privilege:
acs_marking["access_privilege"].append(convert_access_privilege(ac))
if marking_assertion.further_sharing:
acs_marking["further_sharing"] = []
for fs in marking_assertion.further_sharing:
acs_marking["further_sharing"].append(convert_further_sharing(fs))
if marking_assertion.control_set:
acs_marking["control_set"] = convert_control_set(marking_assertion.control_set)
else:
warn("Required property %s is not provided for ACS data marking", 641, "control_set")
marking_definition_instance["extensions"] = {_ACS_EXTENSION_DEFINITION_ID: acs_marking}
def convert_public_release(public_release):
pr = {}
if public_release.released_by:
pr["released_by"] = str(public_release.released_by)
else:
warn("Required property %s is not provided for ACS data marking", 641, "released_by")
if public_release.released_on:
pr["released_on"] = convert_timestamp_to_string(public_release.released_on)
return pr
def convert_email_message(email_message):
index = 0
cybox_dict = {}
email_dict = {
"type": "email-message",
"is_multipart": False
} # the default
cybox_dict[text_type(index)] = email_dict
index += 1
if email_message.header:
header = email_message.header
if header.date:
email_dict["date"] = convert_timestamp_to_string(header.date)
if header.content_type:
email_dict["content_type"] = text_type(header.content_type)
if header.subject:
email_dict["subject"] = text_type(header.subject)
if header.from_:
# should there ever be more than one?
from_ref = convert_address(header.from_)
cybox_dict[text_type(index)] = from_ref
email_dict["from_ref"] = text_type(index)
index += 1
if header.to:
for t in header.to:
to_ref = convert_address(t)
cybox_dict[text_type(index)] = to_ref
if "to_refs" not in email_dict:
email_dict["to_refs"] = []
email_dict["to_refs"].append(text_type(index))
index += 1
if header.cc:
for t in header.cc:
cc_ref = convert_address(t)
cybox_dict[text_type(index)] = cc_ref
if "cc_refs" not in email_dict:
email_dict["cc_refs"] = []
email_dict["cc_refs"].append(text_type(index))
index += 1
if header.bcc:
for t in header.bcc:
bcc_ref = convert_address(t)
cybox_dict[text_type(index)] = bcc_ref
if "bcc_refs" not in email_dict:
email_dict["bcc_refs"] = []
email_dict["bcc_refs"].append(text_type(index))
index += 1
# TODO: handle additional headers
if email_message.attachments:
email_dict["is_multipart"] = True
multiparts = []
for a in email_message.attachments:
multiparts.append(convert_attachment(a))
email_dict["body_multipart"] = multiparts
return cybox_dict
def convert_declassification(declassification):
dec = {}
if declassification.declass_exemption:
dec["declass_exemption"] = str(declassification.declass_exemption)
if declassification.declass_period:
dec["declass_period"] = int(declassification.declass_period)
if declassification.declass_date:
dec["declass_date"] = convert_timestamp_to_string(declassification.declass_date)
if declassification.declass_event:
dec["declass_event"] = str(declassification.declass_event)
return dec
def convert_derivative_classification(derivative_classification):
cd = {}
if derivative_classification.classified_by:
cd["classified_by"] = str(derivative_classification.classified_by)
else:
warn("Required property %s is not provided for ACS data marking", 641, "classified_by")
if derivative_classification.classified_on:
cd["classified_on"] = convert_timestamp_to_string(derivative_classification.classified_on)
if derivative_classification.derived_from:
cd["derived_from"] = str(derivative_classification.derived_from)
else:
warn("Required property %s is not provided for ACS data marking", 641, "derived_from")
return cd
def convert_original_classification(original_classification):
co = {}
if original_classification.classified_by:
co["classified_by"] = str(original_classification.classified_by)
else:
warn("Required property %s is not provided for ACS data marking", 641, "classified_by")
if original_classification.classified_on:
co["classified_on"] = convert_timestamp_to_string(original_classification.classified_on)
if original_classification.classification_reason:
co["classification_reason"] = str(original_classification.classification_reason)
if original_classification.compilation_reason:
co["compilation_reason"] = str(original_classification.compilation_reason)
return co
def convert_process(process):
index = 0
cybox_dict = {}
process_dict = {"type": "process"}
cybox_dict[text_type(index)] = process_dict
index += 1
if process.name and get_option_value("spec_version") == "2.0":
process_dict["name"] = text_type(process.name)
if process.pid:
process_dict["pid"] = process.pid.value
if process.creation_time:
process_dict["created"] = convert_timestamp_to_string(
process.creation_time.value)
if process.child_pid_list:
for cp in process.child_pid_list:
create_process_ref(cp, process_dict, cybox_dict, index,
"child_refs")
index += 1
if process.parent_pid:
create_process_ref(process.parent_pid, process_dict, cybox_dict, index,
"parent_ref")
index += 1
if process.argument_list and get_option_value("spec_version") == "2.0":
process_dict["arguments"] = []
for a in process.argument_list:
process_dict["arguments"].append(a.value)
if process.network_connection_list:
renumbered_nc_dicts = {}
process_dict["opened_connection_refs"] = []
for nc in process.network_connection_list:
nc_dicts = convert_network_connection(nc)
root_obj_index = find_index_of_type(nc_dicts, "network-traffic")
current_largest_id, number_mapping = do_renumbering(
nc_dicts, index, root_obj_index, renumbered_nc_dicts)
add_objects(cybox_dict, renumbered_nc_dicts)
process_dict["opened_connection_refs"].append(
text_type(number_mapping[root_obj_index]))
index = current_largest_id
if isinstance(process, WinProcess):
extended_properties = {}
process_properties = convert_windows_process(process)
if process_properties:
extended_properties["windows-process-ext"] = process_properties
if isinstance(process, WinService):
service_properties = convert_windows_service(process)
if service_properties:
extended_properties["windows-service-ext"] = service_properties
if extended_properties:
process_dict["extensions"] = extended_properties
return cybox_dict
def convert_account(acc):
account_dict = {"type": "user-account"}
if acc.creation_date:
account_dict["account_created"] = acc.creation_date.value
# if acc.last_accessed_time:
# account_dict["account_last_login"] = acc.last_accessed_time
if acc.disabled:
account_dict["is_disabled"] = acc.disabled
if acc.authentication and get_option_value("spec_version") == "2.1":
if acc.authentication.authentication_data:
account_dict["credential"] = acc.authentication.authentication_data
if isinstance(acc, UserAccount):
if acc.username:
account_dict["account_login"] = acc.username.value
if acc.full_name:
account_dict["display_name"] = acc.full_name.value
if acc.last_login:
account_dict["account_last_login"] = convert_timestamp_to_string(
acc.last_login.value)
if isinstance(acc, UnixUserAccount):
account_dict["account_type"] = "unix"
ext_dict = {}
if acc.group_id:
ext_dict["gid"] = acc.group_id.value
if acc.user_id:
account_dict["user_id"] = text_type(acc.user_id.value)
if acc.login_shell:
ext_dict["shell"] = acc.login_shell.value
if acc.home_directory:
ext_dict["home_dir"] = acc.home_directory.value
if acc.group_list:
ext_dict["groups"] = []
for g in acc.group_list:
ext_dict["groups"].append(text_type(g.group_id.value))
if ext_dict != {}:
account_dict["extensions"] = {"unix-account-ext": ext_dict}
elif isinstance(acc, WinComputerAccount):
if acc.domain:
account_dict["account_type"] = "windows-domain"
else:
account_dict["account_type"] = "windows-local"
return account_dict
def convert_network_connection(conn):
index = 0
cybox_dict = {}
cybox_traffic = {}
def create_domain_name_object(dn):
return {"type": "domain-name", "value": text_type(dn.value)}
if conn.creation_time is not None:
cybox_traffic["start"] = convert_timestamp_to_string(
conn.creation_time.value, None, None)
cybox_traffic["protocols"] = []
if conn.layer3_protocol is not None:
cybox_traffic["protocols"].append(
text_type(conn.layer3_protocol.value).lower())
if conn.source_socket_address is not None:
# The source, if present will have index "0".
if conn.source_socket_address.port is not None:
if conn.source_socket_address.port.port_value is not None:
cybox_traffic["src_port"] = int(
conn.source_socket_address.port.port_value)
if conn.source_socket_address.port.layer4_protocol is not None:
cybox_traffic["protocols"].append(
text_type(conn.source_socket_address.port.layer4_protocol.
value.lower()))
if conn.source_socket_address.ip_address is not None:
source = convert_address(conn.source_socket_address.ip_address)
cybox_traffic["src_ref"] = str(index)
cybox_dict[text_type(index)] = source
index += 1
elif conn.source_socket_address.hostname is not None:
if conn.source_socket_address.hostname.is_domain_name and conn.source_socket_address.hostname.hostname_value is not None:
source_domain = create_domain_name_object(
conn.source_socket_address.hostname.hostname_value)
cybox_traffic["src_ref"] = str(index)
cybox_dict[text_type(index)] = source_domain
index += 1
elif (conn.source_socket_address.hostname.naming_system is not None
and any(x.value == "DNS" for x in
conn.source_socket_address.hostname.naming_system)):
source_domain = create_domain_name_object(
conn.source_socket_address.hostname.hostname_value)
cybox_traffic["src_ref"] = str(index)
cybox_dict[text_type(index)] = source_domain
index += 1
if conn.destination_socket_address is not None:
# The destination will have index "1" if there is a source.
if conn.destination_socket_address.port is not None:
if conn.destination_socket_address.port is not None:
cybox_traffic["dst_port"] = int(
conn.destination_socket_address.port.port_value)
if conn.destination_socket_address.port.layer4_protocol is not None:
cybox_traffic["protocols"].append(
text_type(conn.destination_socket_address.port.
layer4_protocol.value.lower()))
if conn.destination_socket_address.ip_address is not None:
destination = convert_address(
conn.destination_socket_address.ip_address)
cybox_traffic["dst_ref"] = str(index)
cybox_dict[text_type(index)] = destination
index += 1
elif conn.destination_socket_address.hostname is not None:
if conn.destination_socket_address.hostname.is_domain_name and conn.destination_socket_address.hostname.hostname_value is not None:
destination_domain = create_domain_name_object(
conn.destination_socket_address.hostname.hostname_value)
cybox_traffic["dst_ref"] = str(index)
cybox_dict[text_type(index)] = destination_domain
index += 1
elif (conn.destination_socket_address.hostname.naming_system
is not None and any(x.value == "DNS"
for x in conn.destination_socket_address.
hostname.naming_system)):
destination_domain = create_domain_name_object(
conn.destination_socket_address.hostname.hostname_value)
cybox_traffic["dst_ref"] = str(index)
cybox_dict[text_type(index)] = destination_domain
index += 1
if conn.layer4_protocol is not None:
cybox_traffic["protocols"].append(
text_type(conn.layer4_protocol.value).lower())
if conn.layer7_protocol is not None:
cybox_traffic["protocols"].append(
text_type(conn.layer7_protocol.value).lower())
if conn.layer7_connections is not None:
if conn.layer7_connections.http_session is not None:
# HTTP extension
cybox_traffic["extensions"] = {}
request_responses = conn.layer7_connections.http_session.http_request_response
if request_responses:
cybox_traffic["extensions"] = {
"http-request-ext":
convert_http_network_connection_extension(
request_responses[0])
}
if len(conn.layer7_connections.http_session.
http_request_response) > 1:
warn(
"Only one HTTP_Request_Response used for http-request-ext, using first value",
512)
if conn.layer7_connections.dns_query:
warn(
"Layer7_Connections/DNS_Query content not supported in STIX 2.0",
424)
if cybox_traffic:
cybox_traffic["type"] = "network-traffic"
cybox_dict[text_type(index)] = cybox_traffic
# cybox_traffic["end"]
# cybox_traffic["is_active"]
# cybox_traffic["src_byte_count"]
# cybox_traffic["dst_byte_count"]
# cybox_traffic["src_packets"]
# cybox_traffic["dst_packets"]
# cybox_traffic["ipfix"]
# cybox_traffic["src_payload_ref"]
# cybox_traffic["dst_payload_ref"]
# cybox_traffic["encapsulates_refs"]
# cybox_traffic["encapsulated_by_ref"]
return cybox_dict
