def cybox_object_http(obj):
http_session = HTTPSession()
hh = HTTPRequestResponse()
hc = HTTPClientRequest()
if obj.client_request.message_body:
hm = HTTPMessage()
hm.lenght = len(obj.client_request.message_body)
hm.message_body = String(obj.client_request.message_body)
hc.http_message_body = hm
rh = HTTPRequestHeader()
if obj.client_request.raw_header:
rh.raw_header = String(obj.client_request.raw_header)
hhf = HTTPRequestHeaderFields()
hhf.user_agent = String(obj.client_request.user_agent)
host_field = HostField()
host_field.domain_name = URI(value=obj.client_request.domain_name)
port = Port()
port.port_value = PositiveInteger(obj.client_request.port.port)
host_field.port = port
hhf.host = host_field
rh.parsed_header = hhf
hc.http_request_header = rh
hl = HTTPRequestLine()
hl.http_method = String(obj.client_request.request_method)
hl.version = String(obj.client_request.request_version)
hl.value = String(obj.client_request.request_uri)
hc.http_request_line = hl
hh.http_client_request = hc
http_session.http_request_response = [hh]
return http_session
def cybox_object_http(obj):
http_session = HTTPSession()
hh = HTTPRequestResponse()
hc = HTTPClientRequest()
if obj.client_request.message_body:
hm = HTTPMessage()
hm.lenght = len(obj.client_request.message_body)
hm.message_body = String(obj.client_request.message_body)
hc.http_message_body = hm
rh = HTTPRequestHeader()
if obj.client_request.raw_header:
rh.raw_header = String(obj.client_request.raw_header)
hhf = HTTPRequestHeaderFields()
hhf.user_agent = String(obj.client_request.user_agent)
host_field = HostField()
host_field.domain_name = URI(value=obj.client_request.domain_name)
port = Port()
port.port_value = PositiveInteger(obj.client_request.port.port)
host_field.port = port
hhf.host = host_field
rh.parsed_header = hhf
hc.http_request_header = rh
hl = HTTPRequestLine()
hl.http_method = String(obj.client_request.request_method)
hl.version = String(obj.client_request.request_version)
hl.value = String(obj.client_request.request_uri)
hc.http_request_line = hl
hh.http_client_request = hc
http_session.http_request_response = [hh]
return http_session
def __create_cybox_http_message(self, msg):
if not msg:
return None
_illegal_xml_chars_RE = re.compile(u"[\x00-\x08\x0b\x0c\x0e-\x1F\uD800-\uDFFF\uFFFE\uFFFF\n]")
http_mess = HTTPMessage()
http_mess.length = int(len(msg))
http_mess.message_body = String(_illegal_xml_chars_RE.sub("?", msg))
return http_mess
def convert_network_traffic_to_http_session(http_request_ext, nc, obs20_id):
obj1x = HTTPSession()
nc.layer7_connections = Layer7Connections()
nc.layer7_connections.http_session = obj1x
rr = HTTPRequestResponse()
obj1x.http_request_response.append(rr)
rr.http_client_request = HTTPClientRequest()
request_line = HTTPRequestLine()
request_line.http_method = http_request_ext["request_method"]
request_line.value = http_request_ext["request_value"]
if "request_version" in http_request_ext:
request_line.version = http_request_ext["request_version"]
rr.http_client_request.http_request_line = request_line
if "request_header" in http_request_ext:
rr.http_client_request.http_request_header = HTTPRequestHeader()
rr.http_client_request.http_request_header.parsed_header = HTTPRequestHeaderFields(
)
convert_obj(http_request_ext["request_header"],
rr.http_client_request.http_request_header.parsed_header,
HTTP_REQUEST_HEADERS_MAP, obs20_id)
if "Host" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.host = \
add_host(http_request_ext["request_header"]["Host"])
if "From" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.from_ = \
EmailAddress(http_request_ext["request_header"]["From"])
if "Referer" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.referer = \
URI(http_request_ext["request_header"]["Referer"])
if "X_Wap_Profile" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.x_wap_profile = \
URI(http_request_ext["request_header"]["X_Wap_Profile"])
if "message_body_length" in http_request_ext or "message_body_data_ref" in http_request_ext:
body = HTTPMessage()
if "message_body_length" in http_request_ext:
body.length = http_request_ext["message_body_length"]
if "message_body_data_ref" in http_request_ext:
if http_request_ext["message_body_length"] in _STIX1X_OBJS:
artifact_obj = _STIX1X_OBJS[
http_request_ext["message_body_length"]]
body.message_body = artifact_obj.packed_data
else:
warn("%s is not an index found in %s", 306,
http_request_ext["message_body_length"], obs20_id)
rr.http_client_request.http_message_body = body
def http_conversations(httpconv):
a = MalwareAction()
ao = AssociatedObject()
a.name = "Connect to URL"
a.type_ = "Connect"
ao.properties = NetworkConnection()
ao.properties.layer4_protocol = httpconv["protocol"]
header = HTTPResponseHeader()
headerfiled = HTTPResponseHeaderFields()
response = HTTPServerResponse()
if httpconv["response_headers"].has_key("Transfer-Encoding"):
headerfiled.transfer_encoding = httpconv["response_headers"]["Transfer-Encoding"]
headerfiled.content_type = httpconv["response_headers"]["Content-Type"]
headerfiled.server = httpconv["response_headers"]["Server"]
headerfiled.connection = httpconv["response_headers"]["Connection"]
#headerfiled.date = DateTime(httpconv["response_headers"]["Date"])
t = datetime.strptime(httpconv["response_headers"]["Date"],'%a, %d %b %Y %H:%M:%S %Z').replace(tzinfo=pytz.utc)
#print t
headerfiled.date = DateTime(t)
headerfiled.content_type = httpconv["response_headers"]["type"]
header.parsed_header = headerfiled
if httpconv.has_key("download_content"):
body = HTTPMessage()
body.message_body = str(httpconv["download_content"]).encode('string-escape')
response.http_message_body = body
line = HTTPStatusLine()
tmp = httpconv["response_headers"]["Status-Line"].split()
line.version = tmp[0]
line.status_code = PositiveInteger(tmp[1])
line.reason_phrase = tmp[2]
response.http_status_line = line
response.http_response_header = header
client = HTTPClientRequest()
line = HTTPRequestLine()
tmp = httpconv["url"].split()
line.http_method = tmp[0]
line.value = tmp[1]
line.version = tmp[2]
client.http_request_line = line
cheader = HTTPRequestHeader()
cheaderfiled = HTTPRequestHeaderFields()
host = HostField()
host.domain_name = URI(httpconv["dst_host"])
val = Port()
val.port_value = PositiveInteger(httpconv["dst_port"])
host.port = val
cheaderfiled.host = host
cheader.parsed_header = cheaderfiled
client.http_request_header = cheader
httpsession = HTTPSession()
requestresponse = HTTPRequestResponse()
requestresponse.http_client_request = client
requestresponse.http_server_response = response
httpsession.http_request_response = [requestresponse]
layer7 = Layer7Connections()
layer7.http_session = httpsession
ao.properties.layer7_connections = layer7
#print ao.properties.to_dict()
a.associated_objects = AssociatedObjects()
a.associated_objects.append(ao)
return a
