# - A single Action embedded in the Bundle
# - A single Capability embedded in the Bundle

from cybox.core import AssociatedObjects, AssociatedObject, Object, AssociationType
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, Collections, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package
from cybox.utils import Namespace
import maec.utils

# Register our example namespace with the ID generator so that every MAEC /
# CybOX entity created below receives an automatically generated "example:..." ID.
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)

# Top-level MAEC containers. Creation order is kept as-is because the ID
# generator hands out sequential IDs.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# Object describing the malware instance itself (the Malware Instance Object
# Attributes of the MalwareSubject). The File properties are built on a
# separate variable and then attached to the Object.
subject_object = Object()
instance_file = File()
instance_file.name = 'foobar.exe'
instance_file.size_in_bytes = '35532'
# NOTE(review): a lone MD5 is a weak sample identifier (collisions are
# practical); when the real sample is at hand, record SHA-256 alongside it.
instance_hashes = HashList()
instance_hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
instance_file.hashes = instance_hashes
subject_object.properties = instance_file
subject.set_malware_instance_object_attributes(subject_object)

# Associated Object consumed by the Action that follows; its File properties
# are populated by the statements after this block.
associated_object = AssociatedObject()
associated_object.properties = File()
import pprint
import maec.bindings.maec_bundle as maec_bundle_binding
from maec.bundle import Bundle
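# Which properties decide that two Objects of the same CybOX type "match".
# Keys are object type names; values are the property paths that must agree.
match_on_dictionary = {'FileObjectType': ['file_name'],
                       'WindowsRegistryKeyObjectType': ['hive', 'values.name/data'],
                       'WindowsMutexObjectType': ['name']}
# Parse the two input Bundle documents into python-maec Bundle objects.
# NOTE(review): these files are third-party sandbox reports, i.e. untrusted
# XML. maec_bundle_binding.parse() relies on whatever XML parser the generated
# binding is built on; before running this against reports you did not
# produce, confirm that DTD loading and external-entity resolution are
# disabled in that parser (or pre-validate with a hardened parser), otherwise
# an XXE / entity-expansion payload embedded in a report is processed here.
bundle1 = Bundle.from_obj(maec_bundle_binding.parse("zeus_threatexpert_maec.xml"))
bundle2 = Bundle.from_obj(maec_bundle_binding.parse("zeus_anubis_maec.xml"))
# Compare the Bundles. Matching is case-insensitive so that differing
# capitalisation between sandboxes does not hide a common Object.
comparison_results = Bundle.compare([bundle1, bundle2], match_on=match_on_dictionary, case_sensitive=False)
# Pretty print the common and unique Objects. print() with a single argument
# behaves identically on Python 2 and 3, whereas the original
# `print "..."` statement form does not parse on Python 3 at all.
print("******Common Objects:*******\n")
pprint.pprint(comparison_results.get_common())
print("****************************")
print("******Unique Objects:*******\n")
pprint.pprint(comparison_results.get_unique())
print("****************************")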
# Example 1 - Simple Package Generation Example
# Generates and exports MAEC Package with:
# - A single Malware Subject
# - A single Bundle embedded in the Malware Subject
# - A single Action embedded in the Bundle
# - A single Capability embedded in the Bundle

from cybox.core import AssociatedObjects, AssociatedObject, Object, AssociationType
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package

# Top-level MAEC containers: the Package will hold the MalwareSubject, which
# will hold the Analysis and the Bundle of Actions / Capabilities. Creation
# order is preserved because IDs are generated sequentially.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# Object describing the malware instance (Malware Instance Object Attributes).
subject_object = Object()
subject_object.properties = File()
file_props = subject_object.properties
file_props.name = 'foobar.exe'
file_props.size_in_bytes = '35532'
# NOTE(review): MD5 alone is collision-prone and a weak identifier for a
# sample; for a real subject also record a SHA-256 when it is available.
file_props.hashes = HashList()
file_props.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
subject.set_malware_instance_object_attributes(subject_object)

# Associated Object for the Action that follows; its File properties are
# filled in by the statements after this block.
associated_object = AssociatedObject()
associated_object.properties = File()
 pl1 = ms.createcompatibleplatform(description='testing platform',identifiers=[ident1,ident2])
 ms.addcompatibleplatform(compatible_platform=pl1)
 ####################################################################################################################
 #Add relationship
 reference1 = ms.createrelationshipreference(malware_subject_idref='Test idref 1')
 reference2 = ms.createrelationshipreference(malware_subject_idref='Test idref 2')
 reference3 = ms.createrelationshipreference(malware_subject_idref='Test idref 3')
 reference4 = ms.createrelationshipreference(malware_subject_idref='Test idref 4')
 relationship1=ms.createrelationship(type='downloads',malware_subject_reference=[reference1,reference2])
 relationship2=ms.createrelationship(type='downloaded by',malware_subject_reference=[reference3,reference4])
 ms.addrelationship(relationship=relationship1)
 ms.addrelationship(relationship=relationship2)
 ####################################################################################################################
 #Add findings bundle
 from maec.bundle import Bundle
 bundle1 = Bundle()
 bundle1.content_type='dynamic analysis tool output'
 bundle2 = Bundle()
 bundle2.content_type='static analysis tool output'
 ms.addbundleinfindingbundles(bundle2)
 ms.addbundleinfindingbundles(bundle1)
 mr1 = ms.createfindingbundlesmetaanalysisobjectequivalencereference(object_idref=create_id(prefix='obj_ref'))
 mr2 = ms.createfindingbundlesmetaanalysisobjectequivalencereference(object_idref=create_id(prefix='obj_ref'))
 object_eq = ms.createfindingbundlesmetaanalysisobjectequivalence(id=create_id(prefix='obj_equiv'),object_references=[mr1,mr2])
 ar1 = ms.createfindingbundlesmetaanalysisactionequivalencereference(action_id='test action id 1')
 ar2 = ms.createfindingbundlesmetaanalysisactionequivalencereference(action_id='test action id 2')
 action_eq = ms.createfindingbundlesmetaanalysisactionequivalence(action_references=[ar1,ar2])
 meta_analysis = ms.createfindingbundlesmetaanalysis(object_equivalences=[object_eq],action_equivalences=[action_eq])
 ms.addmetaanalysisinfindingbundles(meta_analysis=meta_analysis)
 ms.addexternalreferenceinfindingbundles(['testing refer qname 1','testing refer qname 2'])
 #Printing results
import pprint
import maec.bindings.maec_bundle as maec_bundle_binding
from maec.bundle import Bundle
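# Properties that must agree for two Objects of the same CybOX type to be
# considered the same Object (keys: object type names; values: property paths).
match_on_dictionary = {
    'FileObjectType': ['file_name'],
    'WindowsRegistryKeyObjectType': ['hive', 'values.name/data'],
    'WindowsMutexObjectType': ['name']
}
# Parse the input Bundle documents into python-maec Bundle objects.
# NOTE(review): sandbox reports are untrusted, third-party XML. The binding's
# parse() uses the XML parser the generated code is built on; confirm that
# DTD loading and external-entity resolution are disabled there (or
# pre-validate with a hardened parser) before feeding it reports you did not
# produce yourself, otherwise an XXE / entity-expansion payload is processed.
bundle1 = Bundle.from_obj(
    maec_bundle_binding.parse("zeus_threatexpert_maec.xml"))
bundle2 = Bundle.from_obj(maec_bundle_binding.parse("zeus_anubis_maec.xml"))
# Run the comparison; case-insensitive so capitalisation differences between
# sandboxes do not hide a common Object.
comparison_results = Bundle.compare([bundle1, bundle2],
                                    match_on=match_on_dictionary,
                                    case_sensitive=False)
# Pretty print the common and unique Objects. Single-argument print() is
# equivalent to the Python 2 print statement and also parses on Python 3.
print("******Common Objects:*******\n")
pprint.pprint(comparison_results.get_common())
print("****************************")
print("******Unique Objects:*******\n")
pprint.pprint(comparison_results.get_unique())
print("****************************")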