def convert_resource_disposition(resource_disposition): rd = {} if resource_disposition.disposition_date: rd["disposition_date"] = convert_timestamp_to_string(resource_disposition.disposition_date) if resource_disposition.disposition_process: rd["disposition_process"] = str(resource_disposition.disposition_process) return rd
def convert_registry_key(reg_key): cybox_reg = {"type": "windows-registry-key"} if reg_key.key or reg_key.hive: full_key = "" if reg_key.hive: full_key += reg_key.hive.value + "\\" if reg_key.key: full_key += reg_key.key.value cybox_reg["key"] = full_key else: error("windows-registry-key is required to have a key property", 608) if reg_key.values: cybox_reg["values"] = [] for v in reg_key.values: reg_value = {} if hasattr(v, "data") and v.data: reg_value["data"] = text_type(v.data) if hasattr(v, "name") and v.name: reg_value["name"] = text_type(v.name) if hasattr(v, "datatype") and v.datatype: reg_value["data_type"] = text_type(v.datatype) cybox_reg["values"].append(reg_value) if reg_key.modified_time: cybox_reg["modified"] = convert_timestamp_to_string( reg_key.modified_time) return cybox_reg
def convert_edh_marking_to_acs_marking(marking_definition_instance, isa_marking, marking_assertion): acs_marking = {"extension_type": "property-extension"} # name is optional if isa_marking.create_date_time: acs_marking["create_date_time"] = convert_timestamp_to_string(isa_marking.create_date_time) else: warn("Required property %s is not provided for ACS data marking", 641, "create_date_time") if isa_marking.responsible_entity: for entity in isa_marking.responsible_entity.value: responsible_entity_parts = entity.split(":") if responsible_entity_parts[0] == "CUST": acs_marking["responsible_entity_custodian"] = responsible_entity_parts[1] if responsible_entity_parts[0] == "ORIG": acs_marking["responsible_entity_originator"] = responsible_entity_parts[1] if "responsible_entity_custodian" not in acs_marking: warn("Required property %s is not provided for ACS data marking", 641, "responsible_entity_custodian") if isa_marking.identifier: identifier = isa_marking.identifier if not re.match(_ISA_IDENTIFIER_PATTERN, identifier): warn("ACS identifier %s is not valid", 643, identifier) acs_marking["identifier"] = identifier # both auth_ref properties in the XML schema are minOccurs="0" maxOccurs="1" if marking_assertion.auth_ref: acs_marking["authority_reference"] = [marking_assertion.auth_ref] if isa_marking.auth_ref: if acs_marking["authority_reference"]: acs_marking["authority_reference"].append(isa_marking.auth_ref) else: acs_marking["authority_reference"] = isa_marking.auth_ref if marking_assertion.policy_ref: acs_marking["policy_reference"] = marking_assertion.policy_ref else: warn("Required property %s is not provided for ACS data marking", 641, "policy_reference") if marking_assertion.original_classification: acs_marking["original_classification"] = convert_original_classification(marking_assertion.original_classification) if marking_assertion.derivative_classification: acs_marking["derivative_classification"] = convert_derivative_classification(marking_assertion.derivative_classification) if marking_assertion.declassification: acs_marking["declassification"] = convert_declassification(marking_assertion.declassification) if marking_assertion.resource_disposition: acs_marking["resource_disposition"] = convert_resource_disposition(marking_assertion.resource_disposition) if marking_assertion.public_release: acs_marking["public_release"] = convert_public_release(marking_assertion.public_release) if marking_assertion.access_privilege: acs_marking["access_privilege"] = [] for ac in marking_assertion.access_privilege: acs_marking["access_privilege"].append(convert_access_privilege(ac)) if marking_assertion.further_sharing: acs_marking["further_sharing"] = [] for fs in marking_assertion.further_sharing: acs_marking["further_sharing"].append(convert_further_sharing(fs)) if marking_assertion.control_set: acs_marking["control_set"] = convert_control_set(marking_assertion.control_set) else: warn("Required property %s is not provided for ACS data marking", 641, "control_set") marking_definition_instance["extensions"] = {_ACS_EXTENSION_DEFINITION_ID: acs_marking}
def convert_public_release(public_release): pr = {} if public_release.released_by: pr["released_by"] = str(public_release.released_by) else: warn("Required property %s is not provided for ACS data marking", 641, "released_by") if public_release.released_on: pr["released_on"] = convert_timestamp_to_string(public_release.released_on) return pr
def convert_email_message(email_message): index = 0 cybox_dict = {} email_dict = { "type": "email-message", "is_multipart": False } # the default cybox_dict[text_type(index)] = email_dict index += 1 if email_message.header: header = email_message.header if header.date: email_dict["date"] = convert_timestamp_to_string(header.date) if header.content_type: email_dict["content_type"] = text_type(header.content_type) if header.subject: email_dict["subject"] = text_type(header.subject) if header.from_: # should there ever be more than one? from_ref = convert_address(header.from_) cybox_dict[text_type(index)] = from_ref email_dict["from_ref"] = text_type(index) index += 1 if header.to: for t in header.to: to_ref = convert_address(t) cybox_dict[text_type(index)] = to_ref if "to_refs" not in email_dict: email_dict["to_refs"] = [] email_dict["to_refs"].append(text_type(index)) index += 1 if header.cc: for t in header.cc: cc_ref = convert_address(t) cybox_dict[text_type(index)] = cc_ref if "cc_refs" not in email_dict: email_dict["cc_refs"] = [] email_dict["cc_refs"].append(text_type(index)) index += 1 if header.bcc: for t in header.bcc: bcc_ref = convert_address(t) cybox_dict[text_type(index)] = bcc_ref if "bcc_refs" not in email_dict: email_dict["bcc_refs"] = [] email_dict["bcc_refs"].append(text_type(index)) index += 1 # TODO: handle additional headers if email_message.attachments: email_dict["is_multipart"] = True multiparts = [] for a in email_message.attachments: multiparts.append(convert_attachment(a)) email_dict["body_multipart"] = multiparts return cybox_dict
def convert_declassification(declassification): dec = {} if declassification.declass_exemption: dec["declass_exemption"] = str(declassification.declass_exemption) if declassification.declass_period: dec["declass_period"] = int(declassification.declass_period) if declassification.declass_date: dec["declass_date"] = convert_timestamp_to_string(declassification.declass_date) if declassification.declass_event: dec["declass_event"] = str(declassification.declass_event) return dec
def convert_derivative_classification(derivative_classification): cd = {} if derivative_classification.classified_by: cd["classified_by"] = str(derivative_classification.classified_by) else: warn("Required property %s is not provided for ACS data marking", 641, "classified_by") if derivative_classification.classified_on: cd["classified_on"] = convert_timestamp_to_string(derivative_classification.classified_on) if derivative_classification.derived_from: cd["derived_from"] = str(derivative_classification.derived_from) else: warn("Required property %s is not provided for ACS data marking", 641, "derived_from") return cd
def convert_original_classification(original_classification): co = {} if original_classification.classified_by: co["classified_by"] = str(original_classification.classified_by) else: warn("Required property %s is not provided for ACS data marking", 641, "classified_by") if original_classification.classified_on: co["classified_on"] = convert_timestamp_to_string(original_classification.classified_on) if original_classification.classification_reason: co["classification_reason"] = str(original_classification.classification_reason) if original_classification.compilation_reason: co["compilation_reason"] = str(original_classification.compilation_reason) return co
def convert_process(process): index = 0 cybox_dict = {} process_dict = {"type": "process"} cybox_dict[text_type(index)] = process_dict index += 1 if process.name and get_option_value("spec_version") == "2.0": process_dict["name"] = text_type(process.name) if process.pid: process_dict["pid"] = process.pid.value if process.creation_time: process_dict["created"] = convert_timestamp_to_string( process.creation_time.value) if process.child_pid_list: for cp in process.child_pid_list: create_process_ref(cp, process_dict, cybox_dict, index, "child_refs") index += 1 if process.parent_pid: create_process_ref(process.parent_pid, process_dict, cybox_dict, index, "parent_ref") index += 1 if process.argument_list and get_option_value("spec_version") == "2.0": process_dict["arguments"] = [] for a in process.argument_list: process_dict["arguments"].append(a.value) if process.network_connection_list: renumbered_nc_dicts = {} process_dict["opened_connection_refs"] = [] for nc in process.network_connection_list: nc_dicts = convert_network_connection(nc) root_obj_index = find_index_of_type(nc_dicts, "network-traffic") current_largest_id, number_mapping = do_renumbering( nc_dicts, index, root_obj_index, renumbered_nc_dicts) add_objects(cybox_dict, renumbered_nc_dicts) process_dict["opened_connection_refs"].append( text_type(number_mapping[root_obj_index])) index = current_largest_id if isinstance(process, WinProcess): extended_properties = {} process_properties = convert_windows_process(process) if process_properties: extended_properties["windows-process-ext"] = process_properties if isinstance(process, WinService): service_properties = convert_windows_service(process) if service_properties: extended_properties["windows-service-ext"] = service_properties if extended_properties: process_dict["extensions"] = extended_properties return cybox_dict
def convert_account(acc): account_dict = {"type": "user-account"} if acc.creation_date: account_dict["account_created"] = acc.creation_date.value # if acc.last_accessed_time: # account_dict["account_last_login"] = acc.last_accessed_time if acc.disabled: account_dict["is_disabled"] = acc.disabled if acc.authentication and get_option_value("spec_version") == "2.1": if acc.authentication.authentication_data: account_dict["credential"] = acc.authentication.authentication_data if isinstance(acc, UserAccount): if acc.username: account_dict["account_login"] = acc.username.value if acc.full_name: account_dict["display_name"] = acc.full_name.value if acc.last_login: account_dict["account_last_login"] = convert_timestamp_to_string( acc.last_login.value) if isinstance(acc, UnixUserAccount): account_dict["account_type"] = "unix" ext_dict = {} if acc.group_id: ext_dict["gid"] = acc.group_id.value if acc.user_id: account_dict["user_id"] = text_type(acc.user_id.value) if acc.login_shell: ext_dict["shell"] = acc.login_shell.value if acc.home_directory: ext_dict["home_dir"] = acc.home_directory.value if acc.group_list: ext_dict["groups"] = [] for g in acc.group_list: ext_dict["groups"].append(text_type(g.group_id.value)) if ext_dict != {}: account_dict["extensions"] = {"unix-account-ext": ext_dict} elif isinstance(acc, WinComputerAccount): if acc.domain: account_dict["account_type"] = "windows-domain" else: account_dict["account_type"] = "windows-local" return account_dict
def convert_network_connection(conn): index = 0 cybox_dict = {} cybox_traffic = {} def create_domain_name_object(dn): return {"type": "domain-name", "value": text_type(dn.value)} if conn.creation_time is not None: cybox_traffic["start"] = convert_timestamp_to_string( conn.creation_time.value, None, None) cybox_traffic["protocols"] = [] if conn.layer3_protocol is not None: cybox_traffic["protocols"].append( text_type(conn.layer3_protocol.value).lower()) if conn.source_socket_address is not None: # The source, if present will have index "0". if conn.source_socket_address.port is not None: if conn.source_socket_address.port.port_value is not None: cybox_traffic["src_port"] = int( conn.source_socket_address.port.port_value) if conn.source_socket_address.port.layer4_protocol is not None: cybox_traffic["protocols"].append( text_type(conn.source_socket_address.port.layer4_protocol. value.lower())) if conn.source_socket_address.ip_address is not None: source = convert_address(conn.source_socket_address.ip_address) cybox_traffic["src_ref"] = str(index) cybox_dict[text_type(index)] = source index += 1 elif conn.source_socket_address.hostname is not None: if conn.source_socket_address.hostname.is_domain_name and conn.source_socket_address.hostname.hostname_value is not None: source_domain = create_domain_name_object( conn.source_socket_address.hostname.hostname_value) cybox_traffic["src_ref"] = str(index) cybox_dict[text_type(index)] = source_domain index += 1 elif (conn.source_socket_address.hostname.naming_system is not None and any(x.value == "DNS" for x in conn.source_socket_address.hostname.naming_system)): source_domain = create_domain_name_object( conn.source_socket_address.hostname.hostname_value) cybox_traffic["src_ref"] = str(index) cybox_dict[text_type(index)] = source_domain index += 1 if conn.destination_socket_address is not None: # The destination will have index "1" if there is a source. if conn.destination_socket_address.port is not None: if conn.destination_socket_address.port is not None: cybox_traffic["dst_port"] = int( conn.destination_socket_address.port.port_value) if conn.destination_socket_address.port.layer4_protocol is not None: cybox_traffic["protocols"].append( text_type(conn.destination_socket_address.port. layer4_protocol.value.lower())) if conn.destination_socket_address.ip_address is not None: destination = convert_address( conn.destination_socket_address.ip_address) cybox_traffic["dst_ref"] = str(index) cybox_dict[text_type(index)] = destination index += 1 elif conn.destination_socket_address.hostname is not None: if conn.destination_socket_address.hostname.is_domain_name and conn.destination_socket_address.hostname.hostname_value is not None: destination_domain = create_domain_name_object( conn.destination_socket_address.hostname.hostname_value) cybox_traffic["dst_ref"] = str(index) cybox_dict[text_type(index)] = destination_domain index += 1 elif (conn.destination_socket_address.hostname.naming_system is not None and any(x.value == "DNS" for x in conn.destination_socket_address. hostname.naming_system)): destination_domain = create_domain_name_object( conn.destination_socket_address.hostname.hostname_value) cybox_traffic["dst_ref"] = str(index) cybox_dict[text_type(index)] = destination_domain index += 1 if conn.layer4_protocol is not None: cybox_traffic["protocols"].append( text_type(conn.layer4_protocol.value).lower()) if conn.layer7_protocol is not None: cybox_traffic["protocols"].append( text_type(conn.layer7_protocol.value).lower()) if conn.layer7_connections is not None: if conn.layer7_connections.http_session is not None: # HTTP extension cybox_traffic["extensions"] = {} request_responses = conn.layer7_connections.http_session.http_request_response if request_responses: cybox_traffic["extensions"] = { "http-request-ext": convert_http_network_connection_extension( request_responses[0]) } if len(conn.layer7_connections.http_session. http_request_response) > 1: warn( "Only one HTTP_Request_Response used for http-request-ext, using first value", 512) if conn.layer7_connections.dns_query: warn( "Layer7_Connections/DNS_Query content not supported in STIX 2.0", 424) if cybox_traffic: cybox_traffic["type"] = "network-traffic" cybox_dict[text_type(index)] = cybox_traffic # cybox_traffic["end"] # cybox_traffic["is_active"] # cybox_traffic["src_byte_count"] # cybox_traffic["dst_byte_count"] # cybox_traffic["src_packets"] # cybox_traffic["dst_packets"] # cybox_traffic["ipfix"] # cybox_traffic["src_payload_ref"] # cybox_traffic["dst_payload_ref"] # cybox_traffic["encapsulates_refs"] # cybox_traffic["encapsulated_by_ref"] return cybox_dict