def create_poll_response(cls, poll_service, prp, content):
"""
Creates a poll response.
1. If the request's response type is "Count Only",
a single poll response w/ more=False used.
2. If the content size is less than the poll_service's
max_result_size, a poll response w/ more=False is used.
3. If the poll_service's max_result_size is blank,
a poll response w/ more=False used.
4. If the response type is "Full" and the total
number of contents are greater than the
poll_service's max_result_size, a ResultSet
is created, and a PollResponse w/more=True is used.
"""
content_count = len(content)
# RT_COUNT_ONLY - Always use a single result
# RT_FULL - Use a single response if
# poll_service.max_result_size is None or
# len(content) <= poll_service.max_result_size
# Use a Multi-Part response otherwise
if (prp.response_type == RT_COUNT_ONLY
or poll_service.max_result_size is None
or content_count <= poll_service.max_result_size):
poll_response = tm11.PollResponse(
message_id=generate_message_id(),
in_response_to=prp.message_id,
collection_name=prp.collection.name,
result_part_number=1,
more=False,
exclusive_begin_timestamp_label=prp.
exclusive_begin_timestamp_label,
inclusive_end_timestamp_label=prp.
inclusive_end_timestamp_label,
record_count=tm11.RecordCount(content_count, False))
if prp.subscription:
poll_response.subscription_id = prp.subscription.subscription_id
if prp.response_type == RT_FULL:
for c in content:
poll_response.content_blocks.append(
c.to_content_block_11())
else:
# Split into multiple result sets
result_set = handlers.create_result_set(poll_service, prp, content)
rsp_1 = models.ResultSetPart.objects.get(
result_set__pk=result_set.pk, part_number=1)
poll_response = rsp_1.to_poll_response_11(prp.message_id)
result_set.last_part_returned = rsp_1
result_set.save()
response = poll_response
return poll_response
def handle_poll_request(s, msg):
collection = msg.collection_name
query = msg.poll_parameters.query
begin = msg.exclusive_begin_timestamp_label
end = msg.inclusive_end_timestamp_label
# Start constructing the content block list
cbs = []
def handle(content, file):
print("Adding %s..." % file)
# Create content block.
cb = tm11.ContentBlock(tm11.ContentBinding(t.CB_STIX_XML_11),
content)
# Append content block to list.
cbs.append(cb)
print("Building response...")
latest = s.get_matching(collection, begin, end, query, handle)
print("Done")
# Create poll response.
resp = tm11.PollResponse(message_id=tm11.generate_message_id(),
in_response_to=msg.message_id,
collection_name=msg.collection_name,
inclusive_end_timestamp_label=latest,
content_blocks=cbs,
more=False)
# Send response
s.respond(resp.to_xml())
def prepare_poll_response(cls,
service,
collection,
in_response_to,
timeframe=None,
content_bindings=None,
result_part=1,
allow_async=False,
return_content=True,
result_id=None,
subscription_id=None):
timeframe = timeframe or (None, None)
if not any(timeframe) and not content_bindings:
total_count = collection.volume
else:
try:
total_count = service.get_content_blocks_count(
collection,
timeframe=timeframe,
content_bindings=content_bindings)
except ResultsNotReady:
if not allow_async:
message = ("The content is not available now and "
"the request has allow_asynch set to false")
raise_failure(message=message,
in_response_to=in_response_to)
result_set = service.create_result_set(
collection,
timeframe=timeframe,
content_bindings=content_bindings)
return tm11.StatusMessage(message_id=generate_message_id(),
in_response_to=in_response_to,
status_type=ST_PENDING,
status_details={
SD_ESTIMATED_WAIT:
service.wait_time,
SD_RESULT_ID: result_set.id,
SD_WILL_PUSH: service.can_push
})
# TODO: temporary fix, pending:
# https://github.com/TAXIIProject/libtaxii/issues/191
result_part = int(result_part)
# dividing instead of multiplying to be safe from overflow
has_more = (float(total_count) / service.max_result_size) > result_part
capped_count = min(service.max_result_count, total_count)
is_partial = (capped_count < total_count)
if has_more and not result_id:
result_set = service.create_result_set(
collection,
timeframe=timeframe,
content_bindings=content_bindings)
result_id = result_set.id
response = tm11.PollResponse(
message_id=generate_message_id(),
in_response_to=in_response_to,
collection_name=collection.name,
more=has_more,
result_id=result_id,
result_part_number=result_part,
exclusive_begin_timestamp_label=timeframe[0],
inclusive_end_timestamp_label=timeframe[1],
# TODO: Temporararily make capped_count an int, pending:
# https://github.com/TAXIIProject/libtaxii/issues/191
record_count=tm11.RecordCount(int(capped_count), is_partial),
subscription_id=subscription_id)
if return_content:
content_blocks = service.get_content_blocks(
collection,
timeframe=timeframe,
content_bindings=content_bindings,
part_number=result_part)
for block in content_blocks:
response.content_blocks.append(
content_block_entity_to_content_block(block, version=11))
return response
def main():
# "hardcoded" values
ns = "urn:example.com:marks_malware_metadata_mart"
ns_alias = "m4"
# Set the STIX ID Namespace
stix_namespace = {ns: ns_alias}
stix_sin(stix_namespace)
# Set the CybOX ID Namespace
cybox_namespace = Namespace(ns, ns_alias)
cybox_sin(cybox_namespace)
ttp_id = 'ttp-d539bb85-9363-4814-83c8-fa9975045686'
ttp_timestamp = '2014-09-30T15:56:27.000000+00:00'
# Fake database values
md5_hash = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
object_id = 'File-927731f2-cc2c-421c-a40e-dc6f4a6c75a4'
observable_id = 'Observable-45e3e64c-8438-441e-bc49-51e417466e29'
confidence = 'High'
confidence_timestamp = '2014-09-29T14:32:00.000000'
indicator_id = 'Indicator-54baefc1-4742-4b40-ba83-afd51115015b'
indicator_timestamp = '2014-09-29T14:32:00.000000'
# Code to create the STIX Package
sp = STIXPackage()
sp.stix_header = STIXHeader()
sp.stix_header.title = "File Hash Reputation for %s" % md5_hash
sp.stix_header.add_package_intent("Indicators - Malware Artifacts")
sp.stix_header.information_source = InformationSource()
sp.stix_header.information_source.identity = Identity()
sp.stix_header.information_source.identity.name = "Mark's Malware Metadata Mart"
file_hash = Hash(hash_value=md5_hash, type_='MD5', exact=True)
file_hash.type_.condition = "Equals"
file_obj = File()
file_obj.id_ = (ns_alias + ':' + object_id)
file_obj.add_hash(file_hash)
indicator = Indicator(title="File Hash Reputation",
id_=(ns_alias + ':' + indicator_id),
timestamp=indicator_timestamp)
indicator.indicator_type = "File Hash Reputation"
indicator.add_observable(file_obj)
indicator.observables[0].id_ = ns_alias + ':' + observable_id
ttp = TTP()
ttp.id_ = ns_alias + ':' + ttp_id
ttp.timestamp = ttp_timestamp
ttp.title = "Malicious File"
indicator.add_indicated_ttp(TTP(idref=ttp.id_, timestamp=ttp.timestamp))
indicator.indicated_ttps[0].confidence = confidence
indicator.indicated_ttps[0].confidence.timestamp = confidence_timestamp
sp.add_indicator(indicator)
sp.add_ttp(ttp)
stix_xml = sp.to_xml()
poll_response = tm11.PollResponse(message_id=generate_message_id(),
in_response_to="1234",
collection_name='file_hash_reputation')
cb = tm11.ContentBlock(content_binding=CB_STIX_XML_111, content=stix_xml)
poll_response.content_blocks.append(cb)
print poll_response.to_xml(pretty_print=True)