def test_pattern_multiple_all(self): s = String(["foo", "bar", "baz"]) s.condition = "Equals" s.apply_condition = "ALL" # If we change @apply_condition from the default, it should match # that value. self.assertTrue(b'apply_condition="ALL"' in s.to_xml())
def from_obj(process_obj, process_cls = None): if not process_obj: return None if process_cls == None: process_ = Process() else: process_ = process_cls ObjectProperties.from_obj(process_obj, process_) process_.is_hidden = process_obj.get_is_hidden() process_.pid = UnsignedInteger.from_obj(process_obj.get_PID()) process_.name = String.from_obj(process_obj.get_Name()) process_.creation_time = DateTime.from_obj(process_obj.get_Creation_Time()) process_.parent_pid = UnsignedInteger.from_obj(process_obj.get_Parent_PID()) process_.image_info = ImageInfo.from_obj(process_obj.get_Image_Info()) process_.environment_variable_list = EnvironmentVariableList.from_obj(process_obj.get_Environment_Variable_List()) process_.kernel_time = Duration.from_obj(process_obj.get_Kernel_Time()) process_.start_time = DateTime.from_obj(process_obj.get_Start_Time()) process_.username = String.from_obj(process_obj.get_Username()) process_.user_time = Duration.from_obj(process_obj.get_User_Time()) process_.extracted_features = None if process_obj.get_Argument_List() is not None : process_.argument_list = [String.from_obj(x) for x in process_obj.get_Argument_List().get_Argument()] if process_obj.get_Child_PID_List() is not None : process_.child_pid_list = [UnsignedInteger.from_obj(x) for x in process_obj.get_Child_PID_List().get_Child_PID()] if process_obj.get_Port_List() is not None : process_.port_list = [Port.from_obj(x) for x in process_obj.get_Port_List().get_Port()] if process_obj.get_Network_Connection_List() is not None : process_.network_connection_list = [NetworkConnection.from_obj(x) for x in process_obj.get_Network_Connection_List().get_Network_Connection()] return process_
def from_obj(x509_certificate_signature_obj): if not x509_certificate_signature_obj: return None x509_certificate_signature_ = X509CertificateSignature() x509_certificate_signature_.signature_algorithm = String.from_obj(x509_certificate_signature_obj.get_Signature_Algorithm()) x509_certificate_signature_.signature = String.from_obj(x509_certificate_signature_obj.get_Signature()) return x509_certificate_signature_
def from_dict(x509_certificate_signature_dict): if not x509_certificate_signature_dict: return None x509_certificate_signature_ = X509CertificateSignature() x509_certificate_signature_.signature_algorithm = String.from_dict(x509_certificate_signature_dict.get('signature_algorithm')) x509_certificate_signature_.signature = String.from_dict(x509_certificate_signature_dict.get('signature')) return x509_certificate_signature_
def from_dict(process_dict, process_cls = None): if not process_dict: return None if process_cls == None: process_ = Process() else: process_ = process_cls ObjectProperties.from_dict(process_dict, process_) process_.is_hidden = process_dict.get('is_hidden') process_.pid = UnsignedInteger.from_dict(process_dict.get('pid')) process_.name = String.from_dict(process_dict.get('name')) process_.creation_time = DateTime.from_dict(process_dict.get('creation_time')) process_.parent_pid = UnsignedInteger.from_dict(process_dict.get('parent_pid')) process_.child_pid_list = [UnsignedInteger.from_dict(x) for x in process_dict.get('child_pid_list', [])] process_.image_info = ImageInfo.from_dict(process_dict.get('image_info')) process_.argument_list = [String.from_dict(x) for x in process_dict.get('argument_list', [])] process_.environment_variable_list = EnvironmentVariableList.from_list(process_dict.get('environment_variable_list')) process_.kernel_time = Duration.from_dict(process_dict.get('kernel_time')) process_.port_list = [Port.from_dict(x) for x in process_dict.get('port_list', [])] process_.network_connection_list = [NetworkConnection.from_dict(x) for x in process_dict.get('network_connection_list', [])] process_.start_time = DateTime.from_dict(process_dict.get('start_time')) process_.username = String.from_dict(process_dict.get('username')) process_.user_time = Duration.from_dict(process_dict.get('user_time')) process_.extracted_features = None return process_
def test_unicode_string(self): s = u("A Unicode \ufffd string") string = String(s) unicode_string = six.text_type(string) self.assertEqual(s, unicode_string) self.assertEqual(s.encode("utf-8"), unicode_string.encode("utf-8")) self.assertTrue(s.encode("utf-8") in string.to_xml())
def from_obj(global_flag_obj): if not global_flag_obj: return None global_flag_ = GlobalFlag() global_flag_.abbreviation = String.from_obj(global_flag_obj.get_Abbreviation()) global_flag_.destination = String.from_obj(global_flag_obj.get_Destination()) global_flag_.hexadecimal_value = HexBinary.from_obj(global_flag_obj.get_Hexadecimal_Value()) global_flag_.symbolic_name = String.from_obj(global_flag_obj.get_Symbolic_Name()) return global_flag_
def from_dict(x509_non_standard_extensions_dict): if not x509_non_standard_extensions_dict: return None x509_non_standard_extensions_ = X509NonStandardExtensions() x509_non_standard_extensions_.netscape_comment = String.from_dict(x509_non_standard_extensions_dict.get('netscape_comment')) x509_non_standard_extensions_.netscape_certificate_type = String.from_dict(x509_non_standard_extensions_dict.get('netscape_certificate_type')) x509_non_standard_extensions_.old_authority_key_identifier = String.from_dict(x509_non_standard_extensions_dict.get('old_authority_key_identifier')) x509_non_standard_extensions_.old_primary_key_attributes = String.from_dict(x509_non_standard_extensions_dict.get('old_primary_key_attributes')) return x509_non_standard_extensions_
def from_dict(environment_variable_dict): if not environment_variable_dict: return None environment_variable_ = EnvironmentVariable() environment_variable_.name = String.from_dict(environment_variable_dict.get('name')) environment_variable_.value = String.from_dict(environment_variable_dict.get('value')) return environment_variable_
def from_dict(global_flag_dict): if not global_flag_dict: return None global_flag_ = GlobalFlag() global_flag_.abbreviation = String.from_dict(global_flag_dict.get('abbreviation')) global_flag_.destination = String.from_dict(global_flag_dict.get('destination')) global_flag_.hexadecimal_value = HexBinary.from_dict(global_flag_dict.get('hexadecimal_value')) global_flag_.symbolic_name = String.from_dict(global_flag_dict.get('symbolic_name')) return global_flag_
def from_obj(x509_non_standard_extensions_obj): if not x509_non_standard_extensions_obj: return None x509_non_standard_extensions_ = X509NonStandardExtensions() x509_non_standard_extensions_.netscape_comment = String.from_obj(x509_non_standard_extensions_obj.get_Netscape_Comment()) x509_non_standard_extensions_.netscape_certificate_type = String.from_obj(x509_non_standard_extensions_obj.get_Netscape_Certificate_Type()) x509_non_standard_extensions_.old_authority_key_identifier = String.from_obj(x509_non_standard_extensions_obj.get_Old_Authority_Key_Identifier()) x509_non_standard_extensions_.old_primary_key_attributes = String.from_obj(x509_non_standard_extensions_obj.get_Old_Primary_Key_Attributes()) return x509_non_standard_extensions_
def from_obj(environment_variable_obj): if not environment_variable_obj: return None environment_variable_ = EnvironmentVariable() environment_variable_.name = String.from_obj(environment_variable_obj.Name) environment_variable_.value = String.from_obj(environment_variable_obj.Value) return environment_variable_
def from_obj(bios_info_obj): if not bios_info_obj: return None bios_info_ = BIOSInfo() bios_info_.bios_date = Date.from_obj(bios_info_obj.get_BIOS_Date()) bios_info_.bios_version = String.from_obj(bios_info_obj.get_BIOS_Version()) bios_info_.bios_manufacturer = String.from_obj(bios_info_obj.get_BIOS_Manufacturer()) bios_info_.bios_release_date = Date.from_obj(bios_info_obj.get_BIOS_Release_Date()) bios_info_.bios_serial_number = String.from_obj(bios_info_obj.get_BIOS_Serial_Number()) return bios_info_
def from_dict(bios_info_dict): if not bios_info_dict: return None bios_info_ = BIOSInfo() bios_info_.bios_date = Date.from_dict(bios_info_dict.get('bios_date')) bios_info_.bios_version = String.from_dict(bios_info_dict.get('bios_version')) bios_info_.bios_manufacturer = String.from_dict(bios_info_dict.get('bios_manufacturer')) bios_info_.bios_release_date = Date.from_dict(bios_info_dict.get('bios_release_date')) bios_info_.bios_serial_number = String.from_dict(bios_info_dict.get('bios_serial_number')) return bios_info_
def to_cybox(self, exclude=None): """ Convert an email to a CybOX Observables. Pass parameter exclude to specify fields that should not be included in the returned object. Returns a tuple of (CybOX object, releasability list). To get the cybox object as xml or json, call to_xml() or to_json(), respectively, on the resulting CybOX object. """ if exclude == None: exclude = [] observables = [] obj = EmailMessage() # Assume there is going to be at least one header obj.header = EmailHeader() if 'message_id' not in exclude: obj.header.message_id = String(self.message_id) if 'subject' not in exclude: obj.header.subject = String(self.subject) if 'sender' not in exclude: obj.header.sender = Address(self.reply_to, Address.CAT_EMAIL) if 'reply_to' not in exclude: obj.header.reply_to = Address(self.reply_to, Address.CAT_EMAIL) if 'x_originating_ip' not in exclude: obj.header.x_originating_ip = Address(self.x_originating_ip, Address.CAT_IPV4) if 'raw_body' not in exclude: obj.raw_body = self.raw_body if 'raw_header' not in exclude: obj.raw_header = self.raw_header #copy fields where the names differ between objects if 'helo' not in exclude and 'email_server' not in exclude: obj.email_server = String(self.helo) if ('from_' not in exclude and 'from' not in exclude and 'from_address' not in exclude): obj.header.from_ = EmailAddress(self.from_address) if 'date' not in exclude and 'isodate' not in exclude: obj.header.date = DateTime(self.isodate) observables.append(Observable(obj)) return (observables, self.releasability)
def from_dict(image_info_dict): if not image_info_dict: return None image_info_ = ImageInfo() image_info_.file_name = String.from_dict(image_info_dict.get('file_name')) image_info_.command_line = String.from_dict(image_info_dict.get('command_line')) image_info_.current_directory = String.from_dict(image_info_dict.get('current_directory')) image_info_.path = String.from_dict(image_info_dict.get('path')) return image_info_
def from_dict(environment_variable_dict): if not environment_variable_dict: return None environment_variable_ = EnvironmentVariable() environment_variable_.name = String.from_dict( environment_variable_dict.get('name')) environment_variable_.value = String.from_dict( environment_variable_dict.get('value')) return environment_variable_
def from_obj(image_info_obj): if not image_info_obj: return None image_info_ = ImageInfo() image_info_.file_name = String.from_obj(image_info_obj.get_File_Name()) image_info_.command_line = String.from_obj(image_info_obj.get_Command_Line()) image_info_.current_directory = String.from_obj(image_info_obj.get_Current_Directory()) image_info_.path = String.from_obj(image_info_obj.get_Path()) return image_info_
def from_dict(os_dict): if not os_dict: return None os_ = OS() os_.bitness = String.from_dict(os_dict.get('bitness')) os_.build_number = String.from_dict(os_dict.get('build_number')) os_.environment_variable_list = EnvironmentVariableList.from_list(os_dict.get('environment_variable_list')) os_.install_date = Date.from_dict(os_dict.get('install_date')) os_.patch_level = String.from_dict(os_dict.get('patch_level')) os_.platform = None #TODO: add support for platform specification return os_
def from_dict(registry_value_dict): if not registry_value_dict: return None registry_value_ = RegistryValue() registry_value_.name = String.from_dict(registry_value_dict.get('name')) registry_value_.data = String.from_dict(registry_value_dict.get('data')) registry_value_.datatype = String.from_dict(registry_value_dict.get('datatype')) #registry_value_.byte_runs = ByteRuns.from_dict(registry_value_dict.get('byte_runs')) return registry_value_
def from_obj(environment_variable_obj): if not environment_variable_obj: return None environment_variable_ = EnvironmentVariable() environment_variable_.name = String.from_obj( environment_variable_obj.Name) environment_variable_.value = String.from_obj( environment_variable_obj.Value) return environment_variable_
def from_obj(registry_value_obj): if not registry_value_obj: return None registry_value_ = RegistryValue() registry_value_.name = String.from_obj(registry_value_obj.get_Name()) registry_value_.data = String.from_obj(registry_value_obj.get_Data()) registry_value_.datatype = String.from_obj(registry_value_obj.get_Datatype()) #registry_value_.byte_runs = ByteRuns.from_obj(registry_value_obj.get_Byte_Runs()) return registry_value_
def from_obj(os_obj): if not os_obj: return None os_ = OS() os_.bitness = String.from_obj(os_obj.get_Bitness()) os_.build_number = String.from_obj(os_obj.get_Build_Number()) os_.environment_variable_list = EnvironmentVariableList.from_obj(os_obj.get_Environment_Variable_List()) os_.install_date = Date.from_obj(os_obj.get_Install_Date()) os_.patch_level = String.from_obj(os_obj.get_Patch_Level()) os_.platform = None #TODO: add support for platform specification return os_
def from_obj(digital_signature_obj): if not digital_signature_obj: return None digital_signature_ = DigitalSignature() digital_signature_.signature_exists = digital_signature_obj.get_signature_exists() digital_signature_.signature_verified = digital_signature_obj.get_signature_verified() digital_signature_.certificate_issuer = String.from_obj(digital_signature_obj.get_Certificate_Issuer()) digital_signature_.certificate_subject = String.from_obj(digital_signature_obj.get_Certificate_Subject()) digital_signature_.signature_description = String.from_obj(digital_signature_obj.get_Signature_Description()) return digital_signature_
def __create_dns_query_object(self, domain, record_type, nameserver=None): """Creates a CybOX DNSQueryType Object""" question = DNSQuestion() question.qname = self.__create_domain_name_object(domain) question.qtype = String(record_type) question.qclass = String('IN') query = DNSQuery() query.successful = False query.question = question return query
def from_dict(digital_signature_dict): if not digital_signature_dict: return None digital_signature_ = DigitalSignature() digital_signature_.signature_exists = digital_signature_dict.get('signature_exists') digital_signature_.signature_verified = digital_signature_dict.get('signature_verified') digital_signature_.certificate_issuer = String.from_dict(digital_signature_dict.get('certificate_issuer')) digital_signature_.certificate_subject = String.from_dict(digital_signature_dict.get('certificate_subject')) digital_signature_.signature_description = String.from_dict(digital_signature_dict.get('signature_description')) return digital_signature_
def from_dict(win_handle_dict): if not win_handle_dict: return None win_handle_ = WinHandle() win_handle_.id = UnsignedInteger.from_dict(win_handle_dict.get('id')) win_handle_.name = String.from_dict(win_handle_dict.get('name')) win_handle_.type = String.from_dict(win_handle_dict.get('type')) win_handle_.object_address = UnsignedLong.from_dict(win_handle_dict.get('id')) win_handle_.access_mask = UnsignedLong.from_dict(win_handle_dict.get('access_mask')) win_handle_.pointer_count = UnsignedLong.from_dict(win_handle_dict.get('id')) return win_handle_
def from_obj(win_handle_obj): if not win_handle_obj: return None win_handle_ = WinHandle() win_handle_.id = UnsignedInteger.from_obj(win_handle_obj.get_ID()) win_handle_.name = String.from_obj(win_handle_obj.get_Name()) win_handle_.type = String.from_obj(win_handle_obj.get_Type()) win_handle_.object_address = UnsignedLong.from_obj(win_handle_obj.get_Object_Address()) win_handle_.access_mask = UnsignedLong.from_obj(win_handle_obj.get_Access_Mask()) win_handle_.pointer_count = UnsignedLong.from_obj(win_handle_obj.get_Pointer_Count()) return win_handle_
def from_dict(packer_dict): if not packer_dict: return None packer = Packer() packer.name = String.from_dict(packer_dict.get('name')) packer.version = String.from_dict(packer_dict.get('version')) packer.entry_point = HexBinary.from_dict(packer_dict.get('entry_point')) packer.signature = String.from_dict(packer_dict.get('signature')) packer.type_ = String.from_dict(packer_dict.get('type')) return packer
def from_obj(packer_obj): if not packer_obj: return None packer = Packer() packer.name = String.from_obj(packer_obj.get_Name()) packer.version = String.from_obj(packer_obj.get_Version()) packer.entry_point = HexBinary.from_obj(packer_obj.get_Entry_Point()) packer.signature = String.from_obj(packer_obj.get_Signature()) packer.type_ = String.from_obj(packer_obj.get_Type()) return packer
def from_dict(network_interface_dict): if not network_interface_dict: return None network_interface_ = NetworkInterface() network_interface_.adapter = String.from_dict(network_interface_dict.get('adapter')) network_interface_.description = String.from_dict(network_interface_dict.get('description')) network_interface_.dhcp_lease_expires = DateTime.from_dict(network_interface_dict.get('dhcp_lease_expires')) network_interface_.dhcp_lease_obtained = DateTime.from_dict(network_interface_dict.get('dhcp_lease_obtained')) network_interface_.dhcp_server_list = DHCPServerList.from_list(network_interface_dict.get('dhcp_server_list')) network_interface_.ip_gateway_list = IPGatewayList.from_list(network_interface_dict.get('ip_gateway_list')) network_interface_.ip_list = IPInfoList.from_list(network_interface_dict.get('ip_list')) network_interface_.mac = String.from_dict(network_interface_dict.get('mac')) return network_interface_
def from_obj(network_interface_obj): if not network_interface_obj: return None network_interface_ = NetworkInterface() network_interface_.adapter = String.from_obj(network_interface_obj.get_Adapter()) network_interface_.description = String.from_obj(network_interface_obj.get_Description()) network_interface_.dhcp_lease_expires = DateTime.from_obj(network_interface_obj.get_DHCP_Lease_Expires()) network_interface_.dhcp_lease_obtained = DateTime.from_obj(network_interface_obj.get_DHCP_Lease_Obtained()) network_interface_.dhcp_server_list = DHCPServerList.from_obj(network_interface_obj.get_DHCP_Server_List()) network_interface_.ip_gateway_list = IPGatewayList.from_obj(network_interface_obj.get_IP_Gateway_List()) network_interface_.ip_list = IPInfoList.from_obj(network_interface_obj.get_IP_List()) network_interface_.mac = String.from_obj(network_interface_obj.get_MAC()) return network_interface_
def from_obj(win_kernel_hook_obj): if not win_kernel_hook_obj: return None win_kernel_hook_ = WinKernelHook() win_kernel_hook_.digital_signature_hooking = DigitalSignature.from_obj(win_kernel_hook_obj.get_Digital_Signature_Hooking()) win_kernel_hook_.digital_signature_hooked = DigitalSignature.from_obj(win_kernel_hook_obj.get_Digital_Signature_Hooked()) win_kernel_hook_.hooked_address = UnsignedLong.from_obj(win_kernel_hook_obj.get_Hooked_Address()) win_kernel_hook_.hook_description = String.from_obj(win_kernel_hook_obj.get_Hook_Description()) win_kernel_hook_.hooked_function = String.from_obj(win_kernel_hook_obj.get_Hooked_Function()) win_kernel_hook_.hooked_module = String.from_dict(win_kernel_hook_obj.get_Hooked_Module()) win_kernel_hook_.type = String.from_obj(win_kernel_hook_obj.get_Type()) return win_kernel_hook_
def from_dict(win_kernel_hook_dict): if not win_kernel_hook_dict: return None win_kernel_hook_ = WinKernelHook() win_kernel_hook_.digital_signature_hooking = DigitalSignature.from_dict(win_kernel_hook_dict.get('digital_signature_hooking')) win_kernel_hook_.digital_signature_hooked = DigitalSignature.from_dict(win_kernel_hook_dict.get('digital_signature_hooked')) win_kernel_hook_.hooked_address = UnsignedLong.from_dict(win_kernel_hook_dict.get('hooked_address')) win_kernel_hook_.hook_description = String.from_dict(win_kernel_hook_dict.get('hook_description')) win_kernel_hook_.hooked_function = String.from_dict(win_kernel_hook_dict.get('hooked_function')) win_kernel_hook_.hooked_module = String.from_dict(win_kernel_hook_dict.get('hooked_module')) win_kernel_hook_.type = String.from_dict(win_kernel_hook_dict.get('type')) return win_kernel_hook_
def to_obj(self, return_obj=None, ns_info=None): self._collect_ns_info(ns_info) datasize_obj = String.to_obj(self, return_obj=return_obj, ns_info=ns_info) if self.units is not None: datasize_obj.units = self.units return datasize_obj
def to_obj(self, return_obj=None, ns_info=None): self._collect_ns_info(ns_info) filepath_obj = String.to_obj(self, return_obj=return_obj, ns_info=ns_info) if self.fully_qualified is not None: filepath_obj.fully_qualified = self.fully_qualified return filepath_obj
def __parse_email_message(self, msg): """ Parses the supplied message Returns a map of message parts expressed as cybox objects. Keys: 'message', 'files', 'urls' """ files = [] url_list = [] domain_list = [] message = EmailMessage() # Headers are required (for now) message.header = self.__create_cybox_headers(msg) if self.include_attachments: files = self.__create_cybox_files(msg) message.attachments = Attachments() for f in files: message.attachments.append(f.parent.id_) f.add_related(message, "Contained_Within", inline=False) if self.include_raw_headers: raw_headers_str = self.__get_raw_headers(msg).strip() if raw_headers_str: message.raw_header = String(raw_headers_str) # need this for parsing urls AND raw body text raw_body = "\n".join(self.__get_raw_body_text(msg)).strip() if self.include_raw_body and raw_body: message.raw_body = String(raw_body) if self.include_urls: (url_list, domain_list) = self.__parse_urls(raw_body) if url_list: links = Links() for u in url_list: links.append(LinkReference(u.parent.id_)) if links: message.links = links # Return a list of all objects we've built return [message] + files + url_list + domain_list
def cybox_object_http(obj): http_session = HTTPSession() hh = HTTPRequestResponse() hc = HTTPClientRequest() if obj.client_request.message_body: hm = HTTPMessage() hm.lenght = len(obj.client_request.message_body) hm.message_body = String(obj.client_request.message_body) hc.http_message_body = hm rh = HTTPRequestHeader() if obj.client_request.raw_header: rh.raw_header = String(obj.client_request.raw_header) hhf = HTTPRequestHeaderFields() hhf.user_agent = String(obj.client_request.user_agent) host_field = HostField() host_field.domain_name = URI(value=obj.client_request.domain_name) port = Port() port.port_value = PositiveInteger(obj.client_request.port.port) host_field.port = port hhf.host = host_field rh.parsed_header = hhf hc.http_request_header = rh hl = HTTPRequestLine() hl.http_method = String(obj.client_request.request_method) hl.version = String(obj.client_request.request_version) hl.value = String(obj.client_request.request_uri) hc.http_request_line = hl hh.http_client_request = hc http_session.http_request_response = [hh] return http_session
def test_subject_TypedField(self): h = EmailHeader() # Set using actual object h.subject = String("Howdy") self.assertEqual(String, type(h.subject)) # Set using implied cast h.subject = "Howdy" self.assertEqual(String, type(h.subject)) s = "http://badsubject.com" bad_object = URI(s) self.assertRaises(ValueError, setattr, h, 'subject', bad_object)
def from_obj(extracted_string_obj): if not extracted_string_obj: return None extracted_string_ = ExtractedString() extracted_string_.encoding = VocabString.from_obj( extracted_string_obj.get_Encoding()) extracted_string_.string_value = String.from_obj( extracted_string_obj.get_String_Value()) extracted_string_.byte_string_value = HexBinary.from_obj( extracted_string_obj.get_Byte_String_Value()) extracted_string_.hashes = HashList.from_obj( extracted_string_obj.get_Hashes()) extracted_string_.address = HexBinary.from_obj( extracted_string_obj.get_Address()) extracted_string_.length = PositiveInteger.from_obj( extracted_string_obj.get_Length()) extracted_string_.language = String.from_obj( extracted_string_obj.get_Language()) extracted_string_.english_translation = String.from_obj( extracted_string_obj.get_English_Translation()) return extracted_string_
def from_dict(extracted_string_dict): if not extracted_string_dict: return None extracted_string_ = ExtractedString() extracted_string_.encoding = VocabString.from_dict( extracted_string_dict.get('encoding')) extracted_string_.string_value = String.from_dict( extracted_string_dict.get('string_value')) extracted_string_.byte_string_value = HexBinary.from_dict( extracted_string_dict.get('byte_string_value')) extracted_string_.hashes = HashList.from_list( extracted_string_dict.get('hashes')) extracted_string_.address = HexBinary.from_dict( extracted_string_dict.get('address')) extracted_string_.length = PositiveInteger.from_dict( extracted_string_dict.get('length')) extracted_string_.language = String.from_dict( extracted_string_dict.get('language')) extracted_string_.english_translation = String.from_dict( extracted_string_dict.get('english_translation')) return extracted_string_
def __create_dns_record_object(self, domain, record_type, nameserver=None): """Creates a CybOX DNSRecordType Object""" record = self.__get_dns_record(domain, record_type, nameserver) if not record: return None dns_record = DNSRecord() dns_record.domain_name = self.__create_domain_name_object(record.get('Domain_Name')) dns_record.ip_address = self.__create_ip_address_object(record.get('IP_Address')) dns_record.entry_type = String(record.get('Entry_Type')) dns_record.flags = HexBinary(record.get('Flags')) dns_record.record_data = record.get('Record_Data') return dns_record
def test_observable_init(self): # Can pass an Object into the Observable constructor o = Object() obs = Observable(o) # Can pass an Event into the Observable constructor e = Event() obs = Observable(e) # Can pass an ObservableComposition into the Observable constructor oc = ObservableComposition() obs = Observable(oc) # Can pass an ObjectProperties subclass into the Observable constructor a = Address() obs = Observable(a) # Cannot pass a String into the Observable constructor. s = String() self.assertRaises(TypeError, Observable, s)
def test_instance_multiple(self): s = String(["foo", "bar", "baz"]) # @apply_condition should not be set on instances. self.assertFalse(b'apply_condition' in s.to_xml())
def test_list_of_strings_with_comma(self): s = String([u("string,1"), u("string,1"), u("string,3")]) s2 = cybox.test.round_trip(s) self.assertEqual(s, s2)
def to_dict(self): datasize_dict = String.to_dict(self) if self.units is not None: datasize_dict['units'] = self.units return datasize_dict
def test_instance_multiple_all(self): s = String(["foo", "bar", "baz"]) s.apply_condition = "ALL" # Even though we set it, this is not a pattern so @apply_condition # shouldn't be output. self.assertFalse(b'apply_condition' in s.to_xml())
def test_pattern_single(self): s = String("foo") s.condition = "Equals" # @apply_condition should not be set if the value is not a list. self.assertFalse(b'apply_condition' in s.to_xml())
def __init__(self, *args, **kwargs): String.__init__(self, *args, **kwargs) self.units = None
def test_string(self): s = String("test_string") self.assertEqual(s.datatype, "string") self.assertEqual(s.value, "test_string")
def test_pattern_multiple(self): s = String(["foo", "bar", "baz"]) s.condition = "Equals" # @apply_condition should be set when there is a @condition and the # value is a list. self.assertTrue(b'apply_condition="ANY"' in s.to_xml())
def test_delimiter(self): s = String(["string1", "string2"]) s.delimiter = "##delim##" self.assertTrue(b"##comma##" not in s.to_xml()) self.assertTrue(b"string1##delim##string2" in s.to_xml())
def test_string_with_comma(self): s = String("test_string,") s2 = cybox.test.round_trip(s) self.assertEqual(s, s2)
def __create_cybox_headers(self, msg): """ Returns a CybOX EmailHeaderType object """ if self.__verbose_output: sys.stderr.write("** parsing headers\n") headers = EmailHeader() if 'received' in self.headers: lines = self._parse_received_headers(msg) if lines: headers.received_lines = lines if 'to' in self.headers: headers.to = _get_email_recipients(msg['to']) if msg['delivered-to'] and not headers.to: headers.to = _get_email_recipients(msg['delivered-to']) if 'cc' in self.headers: headers.cc = _get_email_recipients(msg['cc']) if 'bcc' in self.headers: headers.bcc = _get_email_recipients(msg['bcc']) if 'from' in self.headers: headers.from_ = _get_single_email_address(msg['from']) if 'sender' in self.headers: headers.sender = _get_single_email_address(msg['sender']) if 'reply-to' in self.headers: headers.reply_to = _get_single_email_address(msg['reply-to']) if 'subject' in self.headers and 'subject' in msg: headers.subject = String(msg['subject']) if 'in-reply-to' in self.headers and 'in-reply-to' in msg: headers.in_reply_to = String(msg['in-reply-to']) if 'errors-to' in self.headers and 'errors-to' in msg: headers.errors_to = String(msg['errors-to']) if 'date' in self.headers and 'date' in msg: headers.date = DateTime(msg['date']) if 'message-id' in self.headers and 'message-id' in msg: headers.message_id = String(msg['message-id']) if 'boundary' in self.headers and 'boundary' in msg: headers.boundary = String(msg['boundary']) if 'content-type' in self.headers and 'content-type' in msg: headers.content_type = String(msg['content-type']) if 'mime-version' in self.headers and 'mime-version' in msg: headers.mime_version = String(msg['mime-version']) if 'precedence' in self.headers and 'precedence' in msg: headers.precedence = String(msg['precedence']) if 'user-agent' in self.headers and 'user-agent' in msg: headers.user_agent = String(msg['user-agent']) if 'x-mailer' in self.headers and 'x-mailer' in msg: headers.x_mailer = String(msg['x-mailer']) if 'x-originating-ip' in self.headers and msg['x-originating-ip']: headers.x_originating_ip = Address(msg['x-originating-ip'], Address.CAT_IPV4) if 'x-priority' in self.headers and 'x-priority' in msg: #Must be a digit - pull one out of anything that could be a string such as 3 (Normal) import re priority = '' for p in re.findall(r'\d+',msg['x-priority']): if p.isdigit(): priority = p if priority: headers.x_priority = String(priority) return headers
def __create_cybox_headers(self, msg): """ Returns a CybOX EmailHeaderType object """ if self.__verbose_output: sys.stderr.write("** parsing headers\n") headers = EmailHeader() if 'received' in self.headers: headers.received_lines = self._parse_received_headers(msg) if 'to' in self.headers: headers.to = _get_email_recipients(msg['to']) if 'cc' in self.headers: headers.cc = _get_email_recipients(msg['cc']) if 'bcc' in self.headers: headers.bcc = _get_email_recipients(msg['bcc']) if 'from' in self.headers: headers.from_ = _get_single_email_address(msg['from']) if 'sender' in self.headers: headers.sender = _get_single_email_address(msg['sender']) if 'reply-to' in self.headers: headers.reply_to = _get_single_email_address(msg['reply-to']) if 'subject' in self.headers: headers.subject = String(msg['subject']) if 'in-reply-to' in self.headers: headers.in_reply_to = String(msg['in-reply-to']) if 'errors-to' in self.headers: headers.errors_to = String(msg['errors-to']) if 'date' in self.headers: headers.date = DateTime(msg['date']) if 'message-id' in self.headers: headers.message_id = String(msg['message-id']) if 'boundary' in self.headers: headers.boundary = String(msg['boundary']) if 'content-type' in self.headers: headers.content_type = String(msg['content-type']) if 'mime-version' in self.headers: headers.mime_version = String(msg['mime-version']) if 'precedence' in self.headers: headers.precedence = String(msg['precedence']) if 'user-agent' in self.headers: headers.user_agent = String(msg['user-agent']) if 'x-mailer' in self.headers: headers.x_mailer = String(msg['x-mailer']) if 'x-originating-ip' in self.headers: headers.x_originating_ip = Address(msg['x-originating-ip'], Address.CAT_IPV4) if 'x-priority' in self.headers: headers.x_priority = String(msg['x-priority']) return headers
def __create_whois_object(self, domain): """ Creates a CybOX WHOISObjectType object """ if not domain: return None if(self.__verbose_output): sys.stderr.write("** creating Whois object for: %s\n" % domain) if self.http_whois: record = self.__get_whois_record_http(domain) else: record = self.__get_whois_record(domain) if not record: return None whois = WhoisEntry() record['status'] = ['OK' if status == 'ACTIVE' else status for status in record['status']] #Only build registrar info objects if we have the relevant info if (record['registrar'] or record['whois_server'] or record['registrar_address'] or record['referral_url'] or record['registrar_contacts']): registrar = WhoisRegistrar() registrar.name = String(record.get('registrar')) registrar.address = String(record.get('registrar_address')) registrar.whois_server = URI(record.get('whois_server')) registrar.referral_url = URI(record.get('referral_url')) contacts = WhoisContacts() for email in record['registrar_contacts']: contact = WhoisContact() contact.contact_type = 'ADMIN' contact.name = String(record.get('registrar')) contact.email_address = EmailAddress(email) contacts.append(contact) registrar.contacts = contacts whois.registrar_info = registrar whois.domain_name = self.__create_domain_name_object(record.get('domain_name')) nservers = WhoisNameservers() for url in record.get('name_servers', []): nservers.append(self.__create_url_object(url)) if nservers: whois.nameservers = nservers status = WhoisStatuses() for s in record.get('status', []): status.append(WhoisStatus(s)) if status: whois.status = status whois.updated_date = DateTime(record.get('updated_date')) whois.creation_date = DateTime(record.get('creation_date')) whois.expiration_date = DateTime(record.get('expiration_date')) return whois
def to_cybox_observable(obj, exclude=None, bin_fmt="raw"): """ Convert a CRITs TLO to a CybOX Observable. :param obj: The TLO to convert. :type obj: :class:`crits.core.crits_mongoengine.CRITsBaseAttributes` :param exclude: Attributes to exclude. :type exclude: list :param bin_fmt: The format for the binary (if applicable). :type bin_fmt: str """ type_ = obj._meta['crits_type'] if type_ == 'Certificate': custom_prop = Property( ) # make a custom property so CRITs import can identify Certificate exports custom_prop.name = "crits_type" custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents" custom_prop._value = "Certificate" obje = File() # represent cert information as file obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.filetype obje.size_in_bytes = obj.size obje.custom_properties = CustomProperties() obje.custom_properties.append(custom_prop) obs = Observable(obje) obs.description = obj.description data = obj.filedata.read() if data: # if cert data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data a.packaging.append(Base64Encoding()) obje.add_related(a, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'Domain': obje = DomainName() obje.value = obj.domain obje.type_ = obj.record_type return ([Observable(obje)], obj.releasability) elif type_ == 'Email': if exclude == None: exclude = [] observables = [] obje = EmailMessage() # Assume there is going to be at least one header obje.header = EmailHeader() if 'message_id' not in exclude: obje.header.message_id = String(obj.message_id) if 'subject' not in exclude: obje.header.subject = String(obj.subject) if 'sender' not in exclude: obje.header.sender = Address(obj.sender, Address.CAT_EMAIL) if 'reply_to' not in exclude: obje.header.reply_to = Address(obj.reply_to, Address.CAT_EMAIL) if 'x_originating_ip' not in exclude: obje.header.x_originating_ip = Address(obj.x_originating_ip, Address.CAT_IPV4) if 'x_mailer' not in exclude: obje.header.x_mailer = String(obj.x_mailer) if 'boundary' not in exclude: obje.header.boundary = String(obj.boundary) if 'raw_body' not in exclude: obje.raw_body = obj.raw_body if 'raw_header' not in exclude: obje.raw_header = obj.raw_header #copy fields where the names differ between objects if 'helo' not in exclude and 'email_server' not in exclude: obje.email_server = String(obj.helo) if ('from_' not in exclude and 'from' not in exclude and 'from_address' not in exclude): obje.header.from_ = EmailAddress(obj.from_address) if 'date' not in exclude and 'isodate' not in exclude: obje.header.date = DateTime(obj.isodate) obje.attachments = Attachments() observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'Indicator': observables = [] obje = make_cybox_object(obj.ind_type, obj.value) observables.append(Observable(obje)) return (observables, obj.releasability) elif type_ == 'IP': obje = Address() obje.address_value = obj.ip if obj.ip_type == IPTypes.IPv4_ADDRESS: obje.category = "ipv4-addr" elif obj.ip_type == IPTypes.IPv6_ADDRESS: obje.category = "ipv6-addr" elif obj.ip_type == IPTypes.IPv4_SUBNET: obje.category = "ipv4-net" elif obj.ip_type == IPTypes.IPv6_SUBNET: obje.category = "ipv6-subnet" return ([Observable(obje)], obj.releasability) elif type_ == 'PCAP': obje = File() obje.md5 = obj.md5 obje.file_name = obj.filename obje.file_format = obj.contentType obje.size_in_bytes = obj.length obs = Observable(obje) obs.description = obj.description art = Artifact(obj.filedata.read(), Artifact.TYPE_NETWORK) art.packaging.append(Base64Encoding()) obje.add_related(art, "Child_Of") # relate artifact to file return ([obs], obj.releasability) elif type_ == 'RawData': obje = Artifact(obj.data.encode('utf-8'), Artifact.TYPE_FILE) obje.packaging.append(Base64Encoding()) obs = Observable(obje) obs.description = obj.description return ([obs], obj.releasability) elif type_ == 'Sample': if exclude == None: exclude = [] observables = [] f = File() for attr in ['md5', 'sha1', 'sha256']: if attr not in exclude: val = getattr(obj, attr, None) if val: setattr(f, attr, val) if obj.ssdeep and 'ssdeep' not in exclude: f.add_hash(Hash(obj.ssdeep, Hash.TYPE_SSDEEP)) if 'size' not in exclude and 'size_in_bytes' not in exclude: f.size_in_bytes = UnsignedLong(obj.size) if 'filename' not in exclude and 'file_name' not in exclude: f.file_name = obj.filename # create an Artifact object for the binary if it exists if 'filedata' not in exclude and bin_fmt: data = obj.filedata.read() if data: # if sample data available a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data if bin_fmt == "zlib": a.packaging.append(ZlibCompression()) a.packaging.append(Base64Encoding()) elif bin_fmt == "base64": a.packaging.append(Base64Encoding()) f.add_related(a, "Child_Of") # relate artifact to file if 'filetype' not in exclude and 'file_format' not in exclude: #NOTE: this doesn't work because the CybOX File object does not # have any support built in for setting the filetype to a # CybOX-binding friendly object (e.g., calling .to_dict() on # the resulting CybOX object fails on this field. f.file_format = obj.filetype observables.append(Observable(f)) return (observables, obj.releasability) else: return (None, None)
def test_double_encode(self): s = String(UNICODE_STR) s2 = round_trip(s)