Пример #1
0
    def to_cybox(self, exclude=None):
        """
        Convert an email to a CybOX Observables.

        Pass parameter exclude to specify fields that should not be
        included in the returned object.

        Returns a tuple of (CybOX object, releasability list).

        To get the cybox object as xml or json, call to_xml() or
        to_json(), respectively, on the resulting CybOX object.
        """

        if exclude == None:
            exclude = []

        observables = []

        obj = EmailMessage()
        # Assume there is going to be at least one header
        obj.header = EmailHeader()

        if 'message_id' not in exclude:
            obj.header.message_id = String(self.message_id)

        if 'subject' not in exclude:
            obj.header.subject = String(self.subject)

        if 'sender' not in exclude:
            obj.header.sender = Address(self.reply_to, Address.CAT_EMAIL)

        if 'reply_to' not in exclude:
            obj.header.reply_to = Address(self.reply_to, Address.CAT_EMAIL)

        if 'x_originating_ip' not in exclude:
            obj.header.x_originating_ip = Address(self.x_originating_ip,
                                                  Address.CAT_IPV4)

        if 'raw_body' not in exclude:
            obj.raw_body = self.raw_body

        if 'raw_header' not in exclude:
            obj.raw_header = self.raw_header

        #copy fields where the names differ between objects
        if 'helo' not in exclude and 'email_server' not in exclude:
            obj.email_server = String(self.helo)
        if ('from_' not in exclude and 'from' not in exclude
                and 'from_address' not in exclude):
            obj.header.from_ = EmailAddress(self.from_address)
        if 'date' not in exclude and 'isodate' not in exclude:
            obj.header.date = DateTime(self.isodate)

        observables.append(Observable(obj))
        return (observables, self.releasability)
Пример #2
0
    def to_cybox(self, exclude=None):
        """
        Convert an email to a CybOX Observables.

        Pass parameter exclude to specify fields that should not be
        included in the returned object.

        Returns a tuple of (CybOX object, releasability list).

        To get the cybox object as xml or json, call to_xml() or
        to_json(), respectively, on the resulting CybOX object.
        """

        if exclude == None:
            exclude = []

        observables = []

        obj = EmailMessage()
        # Assume there is going to be at least one header
        obj.header = EmailHeader()

        if 'message_id' not in exclude:
            obj.header.message_id = String(self.message_id)

        if 'subject' not in exclude:
            obj.header.subject = String(self.subject)

        if 'sender' not in exclude:
            obj.header.sender = Address(self.reply_to, Address.CAT_EMAIL)

        if 'reply_to' not in exclude:
            obj.header.reply_to = Address(self.reply_to, Address.CAT_EMAIL)

        if 'x_originating_ip' not in exclude:
            obj.header.x_originating_ip = Address(self.x_originating_ip,
                                                  Address.CAT_IPV4)

        if 'raw_body' not in exclude:
            obj.raw_body = self.raw_body

        if 'raw_header' not in exclude:
            obj.raw_header = self.raw_header

        #copy fields where the names differ between objects
        if 'helo' not in exclude and 'email_server' not in exclude:
            obj.email_server = String(self.helo)
        if ('from_' not in exclude and 'from' not in exclude and
            'from_address' not in exclude):
            obj.header.from_ = EmailAddress(self.from_address)
        if 'date' not in exclude and 'isodate' not in exclude:
            obj.header.date = DateTime(self.isodate)

        observables.append(Observable(obj))
        return (observables, self.releasability)
Пример #3
0
    def __parse_email_message(self, msg):
        """ Parses the supplied message
        Returns a map of message parts expressed as cybox objects.

        Keys: 'message', 'files', 'urls'
        """
        
        files       = []
        url_list    = []
        domain_list = []
        message     = EmailMessage()

        # Headers are required (for now)
        message.header = self.__create_cybox_headers(msg)

        if self.include_attachments:
            files = self.__create_cybox_files(msg)
            message.attachments = Attachments()
            for f in files:
                message.attachments.append(f.parent.id_)
                f.add_related(message, "Contained_Within", inline=False)

        if self.include_raw_headers:
            raw_headers_str = self.__get_raw_headers(msg).strip()
            if raw_headers_str:
                message.raw_header = String(raw_headers_str)

        # need this for parsing urls AND raw body text
        raw_body = "\n".join(self.__get_raw_body_text(msg)).strip()

        if self.include_raw_body and raw_body:
            message.raw_body = String(raw_body)

        if self.include_urls:
            (url_list, domain_list) = self.__parse_urls(raw_body)
            if url_list:
                links = Links()
                for u in url_list:
                    links.append(LinkReference(u.parent.id_))
                if links:
                    message.links = links

        # Return a list of all objects we've built
        return [message] + files + url_list + domain_list
Пример #4
0
def cybox_object_email(obj):
    e = EmailMessage()
    e.raw_body = obj.raw_body
    e.raw_header = obj.raw_header
    # Links
    e.links = Links()
    for link in obj.links.all():
        pass
    # Attachments
    e.attachments = Attachments()
    attachment_objects = []
    for att in obj.attachments.all():
        for meta in att.file_meta.all():
            fobj = cybox_object_file(att, meta)
            e.attachments.append(fobj.parent.id_)
            fobj.add_related(e, "Contained_Within", inline=False)
            attachment_objects.append(fobj)
    # construct header information
    h = EmailHeader()
    h.subject = obj.subject
    h.date = obj.email_date
    h.message_id = obj.message_id
    h.content_type = obj.content_type
    h.mime_version = obj.mime_version
    h.user_agent = obj.user_agent
    h.x_mailer = obj.x_mailer
    # From
    for from_ in obj.from_string.all():
        from_address = EmailAddress(from_.sender)
        from_address.is_spoofed = from_.is_spoofed
        from_address.condition = from_.condition
        h.from_ = from_address
    # Sender
    for sender in obj.sender.all():
        sender_address = EmailAddress(sender.sender)
        sender_address.is_spoofed = sender.is_spoofed
        sender_address.condition = sender.condition
        h.sender.add(sender_address)
    # To
    recipients = EmailRecipients()
    for recipient in obj.recipients.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.to = recipients
    # CC
    recipients = EmailRecipients()
    for recipient in obj.recipients_cc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.cc = recipients
    # BCC
    recipients = EmailRecipients()
    for recipient in obj.recipients_bcc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.bcc = recipients
    e.header = h
    return e, attachment_objects
Пример #5
0
def cybox_object_email(obj):
    e = EmailMessage()
    e.raw_body = obj.raw_body
    e.raw_header = obj.raw_header
    # Links
    e.links = Links()
    for link in obj.links.all():
        pass
    # Attachments
    e.attachments = Attachments()
    attachment_objects = []
    for att in obj.attachments.all():
        for meta in att.file_meta.all():
            fobj = cybox_object_file(att, meta)
            e.attachments.append(fobj.parent.id_)
            fobj.add_related(e, "Contained_Within", inline=False)
            attachment_objects.append(fobj)
    # construct header information
    h = EmailHeader()
    h.subject = obj.subject
    h.date = obj.email_date
    h.message_id = obj.message_id
    h.content_type = obj.content_type
    h.mime_version = obj.mime_version
    h.user_agent = obj.user_agent
    h.x_mailer = obj.x_mailer
    # From
    for from_ in obj.from_string.all():
        from_address = EmailAddress(from_.sender)
        from_address.is_spoofed = from_.is_spoofed
        from_address.condition = from_.condition
        h.from_ = from_address
    # Sender
    for sender in obj.sender.all():
        sender_address = EmailAddress(sender.sender)
        sender_address.is_spoofed = sender.is_spoofed
        sender_address.condition = sender.condition
        h.sender.add(sender_address)
    # To
    recipients = EmailRecipients()
    for recipient in obj.recipients.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.to = recipients
    # CC
    recipients = EmailRecipients()
    for recipient in obj.recipients_cc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.cc = recipients
    # BCC
    recipients = EmailRecipients()
    for recipient in obj.recipients_bcc.all():
        rec_address = EmailAddress(recipient.recipient)
        rec_address.is_spoofed = recipient.is_spoofed
        rec_address.condition = recipient.condition
        recipients.append(rec_address)
    h.bcc = recipients
    e.header = h
    return e, attachment_objects