Пример #1
0
 def createSubjectUrl(self, url):
     """Create a URL subject entity.
     @param url: URL path.
     @return: subject object.
     """
     subject = maec.SubjectType()
     subject.set_Object_Reference(
         maec.ObjectReferenceType(type_="URI",
                                  object_id=self.idMap["urlmd5"]))
     self.idMap["subject"] = self.idMap["urlmd5"]
     return subject
Пример #2
0
 def createSubjectFile(self, file):
     """Create a file subject entity.
     @param file: file as in cuckoo dict.
     @return: subject object.
     """
     subject = maec.SubjectType()
     subject.set_Object_Reference(
         maec.ObjectReferenceType(type_="Object",
                                  object_id=self.idMap[file["name"]]))
     self.idMap["subject"] = self.idMap[file["name"]]
     return subject
Пример #3
0
 def createSubject(self, file):
     """Create a subject entity.
     @param file: file as in cuckoo dict.
     @return: subject object.
     """
     subject = maec.SubjectType()
     subject.set_Object_Reference(
         maec.ObjectReferenceType(type_='Object',
                                  object_id=self.idMap[file['name']]))
     self.idMap['subject'] = self.idMap[file['name']]
     return subject
Пример #4
0
    def createActionAPI(self, process):
        """Creates an action object which describes a process.
        @param process: process from cuckoo dict.
        """
        pid = self.getProcessId()
        pos = 1

        for call in process["calls"]:
            act = maec.ActionType(id="%s:act:%s" %
                                  (self.idMap["prefix"], self.getActionId()),
                                  ordinal_position=pos,
                                  timestamp=call["timestamp"],
                                  successful=call["category"])
            try:
                initiator = self.idMap[process["process_name"]]
            except KeyError:
                initiator = self.idMap["subject"]
            act.set_Action_Initiator(
                maec.Action_InitiatorType(
                    type_="Process",
                    Initiator_Object=maec.ObjectReferenceType(
                        type_="Object", object_id=initiator)))
            ai = maec.ActionImplementationType(
                type_="API_Call",
                id="%s:imp:%s" % (self.idMap["prefix"], self.getActImpId()),
            )
            apicall = maec.APICallType(
                id="%s:api:%s" % (self.idMap["prefix"], self.getApiCallId()),
                apifunction_name=call["api"],
                ReturnValue=call["return"])
            apos = 1
            for arg in call["arguments"]:
                apicall.add_APICall_Parameter(
                    maec.APICall_ParameterType(ordinal_position=apos,
                                               Name=arg["name"],
                                               Value=arg["value"]))
                apos = apos + 1
            ai.set_API_Call(apicall)

            act.set_Action_Implementation(ai)
            self.actions.add_Action(act)
            pos = pos + 1
Пример #5
0
    def createActionAPI(self, process):
        """Creates an action object which describes a process.
        @param process: process from cuckoo dict.
        """
        pid = self.getProcessId()
        pos = 1

        for call in process['calls']:
            act = maec.ActionType(id="%s:act:%s" %
                                  (self.idMap['prefix'], self.getActionId()),
                                  ordinal_position=pos,
                                  timestamp=call['timestamp'],
                                  successful=call['category'])
            try:
                initiator = self.idMap[process['process_name']]
            except KeyError:
                initiator = self.idMap['subject']
            act.set_Action_Initiator(
                maec.Action_InitiatorType(
                    type_='Process',
                    Initiator_Object=maec.ObjectReferenceType(
                        type_='Object', object_id=initiator)))
            ai = maec.ActionImplementationType(
                type_='API_Call',
                id="%s:imp:%s" % (self.idMap['prefix'], self.getActImpId()),
            )
            apicall = maec.APICallType(
                id="%s:api:%s" % (self.idMap['prefix'], self.getApiCallId()),
                apifunction_name=call['api'],
                ReturnValue=call['return'])
            apos = 1
            for arg in call['arguments']:
                apicall.add_APICall_Parameter(
                    maec.APICall_ParameterType(ordinal_position=apos,
                                               Name=arg['name'],
                                               Value=arg['value']))
                apos = apos + 1
            ai.set_API_Call(apicall)

            act.set_Action_Implementation(ai)
            self.actions.add_Action(act)
            pos = pos + 1
Пример #6
0
 def createActionNet(self, packet):
     """Create a network action.
     @return: action.
     """
     act = maec.ActionType(id="%s:act:%s" %
                           (self.idMap["prefix"], self.getActionId()), )
     act.set_Action_Initiator(
         maec.Action_InitiatorType(
             type_="Process",
             Initiator_Object=maec.ObjectReferenceType(
                 type_="Object", object_id=self.idMap["subject"])))
     ai = maec.ActionImplementationType(
         type_="Other",
         id="%s:imp:%s" % (self.idMap["prefix"], self.getActImpId()),
     )
     net = maec.Network_Action_AttributesType(
         Internal_Port=packet["sport"],
         External_Port=packet["dport"],
         Internal_IP_Address=packet["src"],
         External_IP_Address=packet["dst"])
     ai.set_Network_Action_Attributes(net)
     act.set_Action_Implementation(ai)
     self.actions.add_Action(act)