Python IOC_Parser примеры использования

Пример #1

Файл: import-file-pdf-observables.py Проект: mitiga/connectors

 def _process_message(self, data):
     file_fetch = data["file_fetch"]
     file_uri = self.helper.opencti_url + file_fetch
     file_name = os.path.basename(file_fetch)
     entity_id = data["entity_id"]
     # Get context
     is_context = entity_id is not None and len(entity_id) > 0
     if self.helper.get_only_contextual() and not is_context:
         raise ValueError(
             "No context defined, connector is get_only_contextual true"
         )
     self.helper.log_info("Importing the file " + file_uri)
     # Get the file
     file_content = self.helper.api.fetch_opencti_file(file_uri, True)
     # Write the file
     f = open(file_name, "wb")
     f.write(file_content)
     f.close()
     # Parse
     bundle_objects = []
     i = 0
     parser = iocp.IOC_Parser(None, "pdf", True, "pdfminer", "json")
     parsed = parser.parse(file_name)
     os.remove(file_name)
     if parsed != []:
         for file in parsed:
             if file != None:
                 for page in file:
                     if page != []:
                         for match in page:
                             resolved_match = self.resolve_match(match)
                             if resolved_match:
                                 observable = SimpleObservable(
                                     id=OpenCTIStix2Utils.generate_random_stix_id(
                                         "x-opencti-simple-observable"
                                     ),
                                     key=resolved_match["type"],
                                     value=resolved_match["value"],
                                     x_opencti_create_indicator=self.create_indicator,
                                 )
                                 bundle_objects.append(observable)
                                 i += 1
     else:
         self.helper.log_error("Could not parse the report!")
     if is_context:
         entity = self.helper.api.stix_domain_object.read(id=entity_id)
         if entity is not None:
             if entity["entity_type"] == "Report" and len(bundle_objects) > 0:
                 report = Report(
                     id=entity["standard_id"],
                     name=entity["name"],
                     description=entity["description"],
                     published=self.helper.api.stix2.format_date(entity["created"]),
                     report_types=entity["report_types"],
                     object_refs=bundle_objects,
                 )
                 bundle_objects.append(report)
     bundle = Bundle(objects=bundle_objects).serialize()
     bundles_sent = self.helper.send_stix2_bundle(bundle)
     return "Sent " + str(len(bundles_sent)) + " stix bundle(s) for worker import"

Пример #2

Файл: import-file-pdf-observables.py Проект: rhaist/connectors

    def _process_message(self, data):
        file_path = data["file_path"]
        file_name = os.path.basename(file_path)
        work_context = data["work_context"]
        file_uri = self.helper.opencti_url + file_path
        self.helper.log_info("Importing the file " + file_uri)
        # Get the file
        file_content = self.helper.api.fetch_opencti_file(file_uri, True)
        # Write the file
        path = "/tmp/" + file_name
        f = open(path, "wb")
        f.write(file_content)
        f.close()
        # Parse
        bundle = {
            "type": "bundle",
            "id": "bundle--" + str(uuid.uuid4()),
            "spec_version": "2.0",
            "objects": [],
        }
        observed_data = {
            "id": "observed-data--" + str(uuid.uuid4()),
            "type": "observed-data",
            "x_opencti_indicator_create": self.create_indicator,
            "objects": {},
        }
        i = 0
        parser = iocp.IOC_Parser(None, "pdf", True, "pdfminer", "json")
        parsed = parser.parse(path)
        os.remove(path)
        if parsed != []:
            for file in parsed:
                if file != None:
                    for page in file:
                        if page != []:
                            for match in page:
                                resolved_match = self.resolve_match(match)
                                if resolved_match:
                                    observable = {
                                        "type":
                                        resolved_match["type"],
                                        "x_opencti_observable_type":
                                        resolved_match["type"],
                                        "x_opencti_observable_value":
                                        resolved_match["value"],
                                        "x_opencti_indicator_create":
                                        self.create_indicator,
                                    }
                                    observed_data["objects"][i] = observable
                                    i += 1
        else:
            self.helper.log_error("Could not parse the report!")

        # Get context
        if len(observed_data["objects"]) > 0:
            bundle["objects"].append(observed_data)
            if work_context is not None and len(work_context) > 0:
                report = self.helper.api.report.read(id=work_context)
                if report is not None:
                    report_stix = {
                        "type":
                        "report",
                        "id":
                        report["stix_id_key"],
                        "name":
                        report["name"],
                        "description":
                        report["description"],
                        "published":
                        self.helper.api.stix2.format_date(report["published"]),
                        "object_refs": [],
                    }
                    report_stix["object_refs"].append(observed_data["id"])
                    bundle["objects"].append(report_stix)
            bundles_sent = self.helper.send_stix2_bundle(
                json.dumps(bundle), None, False, False)
            return [
                "Sent " + str(len(bundles_sent)) +
                " stix bundle(s) for worker import"
            ]

Пример #3

    def _process_message(self, data):
        file_fetch = data["file_fetch"]
        file_uri = self.helper.opencti_url + file_fetch
        file_name = os.path.basename(file_fetch)
        entity_id = data.get("entity_id", None)
        self.helper.log_info(entity_id)
        # Get context
        is_context = entity_id is not None and len(entity_id) > 0
        self.helper.log_info("Context: {}".format(is_context))
        self.helper.log_info(
            "get_only_contextual: {}".format(self.helper.get_only_contextual())
        )
        if self.helper.get_only_contextual() and not is_context:
            raise ValueError(
                "No context defined, connector is get_only_contextual true"
            )
        self.helper.log_info("Importing the file " + file_uri)
        # Get the file
        file_content = self.helper.api.fetch_opencti_file(file_uri, True)
        # Write the file
        f = open(file_name, "wb")
        f.write(file_content)
        f.close()
        # Parse
        bundle_objects = []
        stix_objects = set()
        i = 0
        custom_indicators = self._get_entities()
        mime_type = self._get_mime_type(file_name)
        print(mime_type)
        if mime_type is None:
            raise ValueError("Invalid file format of {}".format(file_name))

        parser = iocp.IOC_Parser(
            None,
            mime_type,
            True,
            "pdfminer",
            "json",
            custom_indicators=custom_indicators,
        )
        parsed = parser.parse(file_name)
        os.remove(file_name)
        if parsed != []:
            for file in parsed:
                if file != None:
                    for page in file:
                        if page != []:
                            for match in page:
                                resolved_match = self._resolve_match(match)
                                if resolved_match:
                                    # For the creation of relationships
                                    if resolved_match[
                                        "type"
                                    ] not in self.types.values() and self._is_uuid(
                                        resolved_match["value"]
                                    ):
                                        stix_objects.add(resolved_match["value"])
                                    # For CVEs since SimpleObservable doesn't support Vulnerabilities yet
                                    elif resolved_match["type"] == "Vulnerability.name":
                                        vulnerability = Vulnerability(
                                            name=resolved_match["value"]
                                        )
                                        bundle_objects.append(vulnerability)
                                    # Other observables
                                    elif resolved_match["type"] in self.types.values():
                                        observable = SimpleObservable(
                                            id=OpenCTIStix2Utils.generate_random_stix_id(
                                                "x-opencti-simple-observable"
                                            ),
                                            key=resolved_match["type"],
                                            value=resolved_match["value"],
                                            x_opencti_create_indicator=self.create_indicator,
                                        )
                                        bundle_objects.append(observable)
                                    else:
                                        self.helper.log_info(
                                            "Odd data received: {}".format(
                                                resolved_match
                                            )
                                        )
                                    i += 1
        else:
            self.helper.log_error("Could not parse the report!")

        if is_context:
            entity = self.helper.api.stix_domain_object.read(id=entity_id)
            if entity is not None:
                if entity["entity_type"] == "Report" and len(bundle_objects) > 0:
                    report = Report(
                        id=entity["standard_id"],
                        name=entity["name"],
                        description=entity["description"],
                        published=self.helper.api.stix2.format_date(entity["created"]),
                        report_types=entity["report_types"],
                        object_refs=bundle_objects,
                    )
                    bundle_objects.append(report)

        bundles_sent = []
        if len(bundle_objects) > 0:
            bundle = Bundle(objects=bundle_objects).serialize()
            bundles_sent = self.helper.send_stix2_bundle(bundle)

        if len(stix_objects) > 0 and entity_id is not None:
            report = self.helper.api.report.read(id=entity_id)
            if report:
                for stix_object in stix_objects:
                    self.helper.log_info(stix_object)
                    self.helper.api.report.add_stix_object_or_stix_relationship(
                        id=report["id"], stixObjectOrStixRelationshipId=stix_object
                    )

        return "Sent " + str(len(bundles_sent)) + " stix bundle(s) for worker import"