def cybox_object_http(obj):
http_session = HTTPSession()
hh = HTTPRequestResponse()
hc = HTTPClientRequest()
if obj.client_request.message_body:
hm = HTTPMessage()
hm.lenght = len(obj.client_request.message_body)
hm.message_body = String(obj.client_request.message_body)
hc.http_message_body = hm
rh = HTTPRequestHeader()
if obj.client_request.raw_header:
rh.raw_header = String(obj.client_request.raw_header)
hhf = HTTPRequestHeaderFields()
hhf.user_agent = String(obj.client_request.user_agent)
host_field = HostField()
host_field.domain_name = URI(value=obj.client_request.domain_name)
port = Port()
port.port_value = PositiveInteger(obj.client_request.port.port)
host_field.port = port
hhf.host = host_field
rh.parsed_header = hhf
hc.http_request_header = rh
hl = HTTPRequestLine()
hl.http_method = String(obj.client_request.request_method)
hl.version = String(obj.client_request.request_version)
hl.value = String(obj.client_request.request_uri)
hc.http_request_line = hl
hh.http_client_request = hc
http_session.http_request_response = [hh]
return http_session
def cybox_object_http(obj):
http_session = HTTPSession()
hh = HTTPRequestResponse()
hc = HTTPClientRequest()
if obj.client_request.message_body:
hm = HTTPMessage()
hm.lenght = len(obj.client_request.message_body)
hm.message_body = String(obj.client_request.message_body)
hc.http_message_body = hm
rh = HTTPRequestHeader()
if obj.client_request.raw_header:
rh.raw_header = String(obj.client_request.raw_header)
hhf = HTTPRequestHeaderFields()
hhf.user_agent = String(obj.client_request.user_agent)
host_field = HostField()
host_field.domain_name = URI(value=obj.client_request.domain_name)
port = Port()
port.port_value = PositiveInteger(obj.client_request.port.port)
host_field.port = port
hhf.host = host_field
rh.parsed_header = hhf
hc.http_request_header = rh
hl = HTTPRequestLine()
hl.http_method = String(obj.client_request.request_method)
hl.version = String(obj.client_request.request_version)
hl.value = String(obj.client_request.request_uri)
hc.http_request_line = hl
hh.http_client_request = hc
http_session.http_request_response = [hh]
return http_session
def from_obj(layer7_connections_obj):
if not layer7_connections_obj:
return None
layer7_connections_ = Layer7Connections()
layer7_connections_.http_session = HTTPSession.from_obj(layer7_connections_obj.get_HTTP_Session())
layer7_connections_.dns_queries = [DNSQuery.from_obj(x) for x in layer7_connections_obj.get_DNS_Query()]
return layer7_connections_
def builder_to_stix_object(self, object_data):
fields = HTTPRequestHeaderFields()
fields.user_agent = object_data.get('user_agent')
header = HTTPRequestHeader()
header.parsed_header = fields
req = HTTPClientRequest()
req.http_request_header = header
req_res = HTTPRequestResponse()
req_res.http_client_request = req
session = HTTPSession()
session.http_request_response = [req_res]
return session
def from_dict(layer7_connections_dict):
if not layer7_connections_dict:
return None
layer7_connections_ = Layer7Connections()
layer7_connections_.http_session = HTTPSession.from_dict(layer7_connections_dict.get('http_session'))
if layer7_connections_dict.get('dns_queries') is not None:
layer7_connections_.dns_queries = [DNSQuery.from_dict(x) for x in layer7_connections_dict.get('dns_queries', [])]
return layer7_connections_
def __create_cybox_https(self, hdict, whitelist):
http_requests = []
already_recorded = {}
for entry in hdict:
identifier = "%s%s%s%s" % (entry['host'], entry['port'], entry['method'], entry['path'])
if identifier in already_recorded:
log.debug("already recorded entry: %s" % (identifier))
continue
already_recorded[identifier] = True
http_session = HTTPSession()
http_session.http_request_response = self.__create_cybox_http_request_response(entry, whitelist)
if not http_session.http_request_response:
log.debug("no request response object created ...")
continue
http_requests.append(http_session)
return http_requests
def gen_user_agents(self, count):
'''Generate list of User-Agents'''
user_agents = []
for i in range(0, count):
http_session = HTTPSession()
http_request_response = HTTPRequestResponse()
http_request = HTTPClientRequest()
http_request_header = HTTPRequestHeader()
parsed_header = HTTPRequestHeaderFields()
parsed_header.user_agent = self.fake.user_agent()
http_request_header.parsed_header = parsed_header
http_request.http_request_header = http_request_header
http_request_response.http_client_request = http_request
http_session.http_request_response = http_request_response
user_agents.append(http_session)
return user_agents
def convert_network_traffic_to_http_session(http_request_ext, nc, obs20_id):
obj1x = HTTPSession()
nc.layer7_connections = Layer7Connections()
nc.layer7_connections.http_session = obj1x
rr = HTTPRequestResponse()
obj1x.http_request_response.append(rr)
rr.http_client_request = HTTPClientRequest()
request_line = HTTPRequestLine()
request_line.http_method = http_request_ext["request_method"]
request_line.value = http_request_ext["request_value"]
if "request_version" in http_request_ext:
request_line.version = http_request_ext["request_version"]
rr.http_client_request.http_request_line = request_line
if "request_header" in http_request_ext:
rr.http_client_request.http_request_header = HTTPRequestHeader()
rr.http_client_request.http_request_header.parsed_header = HTTPRequestHeaderFields(
)
convert_obj(http_request_ext["request_header"],
rr.http_client_request.http_request_header.parsed_header,
HTTP_REQUEST_HEADERS_MAP, obs20_id)
if "Host" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.host = \
add_host(http_request_ext["request_header"]["Host"])
if "From" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.from_ = \
EmailAddress(http_request_ext["request_header"]["From"])
if "Referer" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.referer = \
URI(http_request_ext["request_header"]["Referer"])
if "X_Wap_Profile" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.x_wap_profile = \
URI(http_request_ext["request_header"]["X_Wap_Profile"])
if "message_body_length" in http_request_ext or "message_body_data_ref" in http_request_ext:
body = HTTPMessage()
if "message_body_length" in http_request_ext:
body.length = http_request_ext["message_body_length"]
if "message_body_data_ref" in http_request_ext:
if http_request_ext["message_body_length"] in _STIX1X_OBJS:
artifact_obj = _STIX1X_OBJS[
http_request_ext["message_body_length"]]
body.message_body = artifact_obj.packed_data
else:
warn("%s is not an index found in %s", 306,
http_request_ext["message_body_length"], obs20_id)
rr.http_client_request.http_message_body = body
def http_conversations(httpconv):
a = MalwareAction()
ao = AssociatedObject()
a.name = "Connect to URL"
a.type_ = "Connect"
ao.properties = NetworkConnection()
ao.properties.layer4_protocol = httpconv["protocol"]
header = HTTPResponseHeader()
headerfiled = HTTPResponseHeaderFields()
response = HTTPServerResponse()
if httpconv["response_headers"].has_key("Transfer-Encoding"):
headerfiled.transfer_encoding = httpconv["response_headers"]["Transfer-Encoding"]
headerfiled.content_type = httpconv["response_headers"]["Content-Type"]
headerfiled.server = httpconv["response_headers"]["Server"]
headerfiled.connection = httpconv["response_headers"]["Connection"]
#headerfiled.date = DateTime(httpconv["response_headers"]["Date"])
t = datetime.strptime(httpconv["response_headers"]["Date"],'%a, %d %b %Y %H:%M:%S %Z').replace(tzinfo=pytz.utc)
#print t
headerfiled.date = DateTime(t)
headerfiled.content_type = httpconv["response_headers"]["type"]
header.parsed_header = headerfiled
if httpconv.has_key("download_content"):
body = HTTPMessage()
body.message_body = str(httpconv["download_content"]).encode('string-escape')
response.http_message_body = body
line = HTTPStatusLine()
tmp = httpconv["response_headers"]["Status-Line"].split()
line.version = tmp[0]
line.status_code = PositiveInteger(tmp[1])
line.reason_phrase = tmp[2]
response.http_status_line = line
response.http_response_header = header
client = HTTPClientRequest()
line = HTTPRequestLine()
tmp = httpconv["url"].split()
line.http_method = tmp[0]
line.value = tmp[1]
line.version = tmp[2]
client.http_request_line = line
cheader = HTTPRequestHeader()
cheaderfiled = HTTPRequestHeaderFields()
host = HostField()
host.domain_name = URI(httpconv["dst_host"])
val = Port()
val.port_value = PositiveInteger(httpconv["dst_port"])
host.port = val
cheaderfiled.host = host
cheader.parsed_header = cheaderfiled
client.http_request_header = cheader
httpsession = HTTPSession()
requestresponse = HTTPRequestResponse()
requestresponse.http_client_request = client
requestresponse.http_server_response = response
httpsession.http_request_response = [requestresponse]
layer7 = Layer7Connections()
layer7.http_session = httpsession
ao.properties.layer7_connections = layer7
#print ao.properties.to_dict()
a.associated_objects = AssociatedObjects()
a.associated_objects.append(ao)
return a
