def export_stix(iocs):
"""
Export the tagged items in STIX format.
BROKE!
"""
observables_doc = None
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = filename
stix_package.stix_header = stix_header
for ioc in iocs['md5']:
observable = cybox_helper.create_file_hash_observable('', value)
observables.append(observable)
stix_package.add_observable(observable)
indicators.append(value)
if t == 'ipv4':
if not value in indicators:
observable = cybox_helper.create_ipv4_observable(value)
observables.append(observable)
stix_package.add_observable(observable)
indicators.append(value)
elif t == 'domain':
if not value in indicators:
observable = cybox_helper.create_domain_name_observable(value)
observables.append(observable)
stix_package.add_observable(observable)
indicators.append(value)
elif t == 'url':
if not value in indicators:
observable = cybox_helper.create_url_observable(value)
observables.append(observable)
stix_package.add_observable(observable)
indicators.append(value)
elif t == 'email':
if not value in indicators:
observable = cybox_helper.create_email_address_observable(value)
observables.append(observable)
stix_package.add_observable(observable)
indicators.append(value)
if len(observables) > 0:
if not filename.endswith('.xml'):
filename = "%s.xml" % filename #add .xml extension if missing
# end if
with open(filename, "wb") as f:
stix_xml = stix_package.to_xml()
f.write(stix_xml)
def main():
'''Build a CybOX Observables document and write it to stdout'''
domain = helper.create_domain_name_observable('www.example.com')
url = helper.create_url_observable('http://www.example.com')
ipv4 = helper.create_ipv4_observable('127.0.0.1')
email = helper.create_email_address_observable('*****@*****.**')
file_ = helper.create_file_hash_observable('foo.bar',
'94f93e00fd122466d68a6ae3b8c7f908')
observables_doc = Observables([
domain,
ipv4,
url,
email,
file_,
])
print(observables_doc.to_xml())
pprint(observables_doc.to_dict())
def main():
'''Build a CybOX Observables document and write it to stdout'''
domain = helper.create_domain_name_observable('www.example.com')
url = helper.create_url_observable('http://www.example.com')
ipv4 = helper.create_ipv4_observable('127.0.0.1')
email = helper.create_email_address_observable('*****@*****.**')
file_ = helper.create_file_hash_observable('foo.bar',
'94f93e00fd122466d68a6ae3b8c7f908')
observables_doc = Observables([
domain,
ipv4,
url,
email,
file_,
])
print(observables_doc.to_xml(encoding=None))
pprint(observables_doc.to_dict())
def crea_ipv4(self, ip):
""" Crea un helper para una dirección IP y devuelve un Observable """
self.helper = helper.create_ipv4_observable(ip)
def export_cybox():
"""
Export the tagged items in CybOX format.
This prompts the user to determine which file they want the CybOX saved
out too.
"""
filename = asksaveasfilename(title="Save As", filetypes=[("xml file",".xml"),("All files",".*")])
observables_doc = None
if filename:
observables = []
for t in tags:
indicators = []
myhighlights = text.tag_ranges(t)
mystart = 0
for h in myhighlights:
if mystart == 0:
mystart = h
else:
mystop = h
value = text.get(mystart,mystop).replace('[.]','.').replace('[@]','@')
if t == 'md5':
value = value.upper()
if value not in indicators:
observable = cybox_helper.create_file_hash_observable('', value)
observables.append(observable)
indicators.append(value)
elif t == 'ipv4':
if not value in indicators:
observable = cybox_helper.create_ipv4_observable(value)
observables.append(observable)
indicators.append(value)
elif t == 'domain':
if not value in indicators:
# CybOX 2.0 contains a schema bug that prevents the use of this function.
# The workaround is to not declare a @type attribute for the URI object
#observable = cybox_helper.create_domain_name_observable(value)
uri_obj = URI(value=value)
uri_obs = Observable(item=uri_obj)
observables.append(uri_obs)
indicators.append(value)
elif t == 'url':
if not value in indicators:
observable = cybox_helper.create_url_observable(value)
observables.append(observable)
indicators.append(value)
elif t == 'email':
if not value in indicators:
observable = cybox_helper.create_email_address_observable(value)
observables.append(observable)
indicators.append(value)
mystart = 0
# end if
# end for
# end for
if len(observables) > 0:
NS = cybox.utils.Namespace("http://example.com/", "example")
cybox.utils.set_id_namespace(NS)
observables_doc = Observables(observables=observables)
if not filename.endswith('.xml'):
filename = "%s.xml" % filename #add .xml extension if missing
# end if
with open(filename, "wb") as f:
cybox_xml = observables_doc.to_xml(namespace_dict={NS.name: NS.prefix})
f.write(cybox_xml)
def export_cybox():
"""
Export the tagged items in CybOX format.
This prompts the user to determine which file they want the CybOX saved
out too.
"""
filename = asksaveasfilename(title="Save As",
filetypes=[("xml file", ".xml"),
("All files", ".*")])
observables_doc = None
if filename:
observables = []
for t in tags:
indicators = []
myhighlights = text.tag_ranges(t)
mystart = 0
for h in myhighlights:
if mystart == 0:
mystart = h
else:
mystop = h
value = text.get(mystart,
mystop).replace('[.]',
'.').replace('[@]', '@')
if t == 'md5':
value = value.upper()
if value not in indicators:
observable = cybox_helper.create_file_hash_observable(
'', value)
observables.append(observable)
indicators.append(value)
elif t == 'ipv4':
if not value in indicators:
observable = cybox_helper.create_ipv4_observable(
value)
observables.append(observable)
indicators.append(value)
elif t == 'domain':
if not value in indicators:
observable = cybox_helper.create_domain_name_observable(
value)
observables.append(observable)
indicators.append(value)
elif t == 'url':
if not value in indicators:
observable = cybox_helper.create_url_observable(
value)
observables.append(observable)
indicators.append(value)
elif t == 'email':
if not value in indicators:
observable = cybox_helper.create_email_address_observable(
value)
observables.append(observable)
indicators.append(value)
mystart = 0
# end if
# end for
# end for
if len(observables) > 0:
NS = cybox.utils.Namespace("http://example.com/", "example")
cybox.utils.set_id_namespace(NS)
observables_doc = Observables(observables=observables)
if not filename.endswith('.xml'):
filename = "%s.xml" % filename #add .xml extension if missing
# end if
with open(filename, "wb") as f:
cybox_xml = observables_doc.to_xml()
f.write(cybox_xml)
def crea_ipv4(self, ip):
""" Crea un helper para una dirección IP y devuelve un Observable """
self.helper = helper.create_ipv4_observable(ip)
def export_stix():
"""
Export the tagged items in STIX format.
This prompts the user to determine which file they want the STIX saved
out too.
"""
filename = asksaveasfilename(title="Save As", filetypes=[("xml file",".xml"),("All files",".*")])
observables_doc = None
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = filename
stix_package.stix_header = stix_header
if filename:
observables = []
for t in tags:
indicators = []
myhighlights = text.tag_ranges(t)
mystart = 0
for h in myhighlights:
if mystart == 0:
mystart = h
else:
mystop = h
value = text.get(mystart,mystop).replace('[.]','.').replace('[@]','@')
if t == 'md5':
value = value.upper()
if value not in indicators:
observable = cybox_helper.create_file_hash_observable('', value)
observables.append(observable)
stix_package.add_observable(observable)
indicators.append(value)
elif t == 'ipv4':
if not value in indicators:
observable = cybox_helper.create_ipv4_observable(value)
observables.append(observable)
stix_package.add_observable(observable)
indicators.append(value)
elif t == 'domain':
if not value in indicators:
observable = cybox_helper.create_domain_name_observable(value)
observables.append(observable)
stix_package.add_observable(observable)
indicators.append(value)
elif t == 'url':
if not value in indicators:
observable = cybox_helper.create_url_observable(value)
observables.append(observable)
stix_package.add_observable(observable)
indicators.append(value)
elif t == 'email':
if not value in indicators:
observable = cybox_helper.create_email_address_observable(value)
observables.append(observable)
stix_package.add_observable(observable)
indicators.append(value)
mystart = 0
# end if
# end for
# end for
if len(observables) > 0:
if not filename.endswith('.xml'):
filename = "%s.xml" % filename #add .xml extension if missing
# end if
with open(filename, "wb") as f:
stix_xml = stix_package.to_xml()
f.write(stix_xml)
observables_doc = Observables([])
# add some different observables:
# you don't have to use every member and there are other members that are not being utilized here:
observables_doc.add(Process.from_dict({"name": "Process.exe",
"pid": 90,
"parent_pid": 10,
#"creation_time": "",
"image_info": {"command_line": "Process.exe /c blah.txt"}}))
observables_doc.add(File.from_dict({"file_name": "file.txt",
"file_extension": "txt",
"file_path": "path\\to\\file.txt"}))
observables_doc.add(helper.create_ipv4_observable("192.168.1.101"))
observables_doc.add(helper.create_url_observable("somedomain.com"))
observables_doc.add(WinService.from_dict({"service_name": "Service Name",
"display_name": "Service Display name",
"startup_type": "Service type",
"service_status": "Status",
"service_dll": "Somedll.dll",
"started_as": "Start",
"group_name": "Group name",
"startup_command_line": "Commandline"}))
observables_doc.add(WinRegistryKey.from_dict({"hive": "SYSTEM",
"key": "some\\registry\\key",
"number_values": 2,
