def create_poll_response(cls, poll_service, prp, content): """ Creates a poll response. 1. If the request's response type is "Count Only", a single poll response w/ more=False used. 2. If the content size is less than the poll_service's max_result_size, a poll response w/ more=False is used. 3. If the poll_service's max_result_size is blank, a poll response w/ more=False used. 4. If the response type is "Full" and the total number of contents are greater than the poll_service's max_result_size, a ResultSet is created, and a PollResponse w/more=True is used. """ content_count = len(content) # RT_COUNT_ONLY - Always use a single result # RT_FULL - Use a single response if # poll_service.max_result_size is None or # len(content) <= poll_service.max_result_size # Use a Multi-Part response otherwise if (prp.response_type == RT_COUNT_ONLY or poll_service.max_result_size is None or content_count <= poll_service.max_result_size): poll_response = tm11.PollResponse( message_id=generate_message_id(), in_response_to=prp.message_id, collection_name=prp.collection.name, result_part_number=1, more=False, exclusive_begin_timestamp_label=prp. exclusive_begin_timestamp_label, inclusive_end_timestamp_label=prp. inclusive_end_timestamp_label, record_count=tm11.RecordCount(content_count, False)) if prp.subscription: poll_response.subscription_id = prp.subscription.subscription_id if prp.response_type == RT_FULL: for c in content: poll_response.content_blocks.append( c.to_content_block_11()) else: # Split into multiple result sets result_set = handlers.create_result_set(poll_service, prp, content) rsp_1 = models.ResultSetPart.objects.get( result_set__pk=result_set.pk, part_number=1) poll_response = rsp_1.to_poll_response_11(prp.message_id) result_set.last_part_returned = rsp_1 result_set.save() response = poll_response return poll_response
def handle_poll_request(s, msg): collection = msg.collection_name query = msg.poll_parameters.query begin = msg.exclusive_begin_timestamp_label end = msg.inclusive_end_timestamp_label # Start constructing the content block list cbs = [] def handle(content, file): print("Adding %s..." % file) # Create content block. cb = tm11.ContentBlock(tm11.ContentBinding(t.CB_STIX_XML_11), content) # Append content block to list. cbs.append(cb) print("Building response...") latest = s.get_matching(collection, begin, end, query, handle) print("Done") # Create poll response. resp = tm11.PollResponse(message_id=tm11.generate_message_id(), in_response_to=msg.message_id, collection_name=msg.collection_name, inclusive_end_timestamp_label=latest, content_blocks=cbs, more=False) # Send response s.respond(resp.to_xml())
def prepare_poll_response(cls, service, collection, in_response_to, timeframe=None, content_bindings=None, result_part=1, allow_async=False, return_content=True, result_id=None, subscription_id=None): timeframe = timeframe or (None, None) if not any(timeframe) and not content_bindings: total_count = collection.volume else: try: total_count = service.get_content_blocks_count( collection, timeframe=timeframe, content_bindings=content_bindings) except ResultsNotReady: if not allow_async: message = ("The content is not available now and " "the request has allow_asynch set to false") raise_failure(message=message, in_response_to=in_response_to) result_set = service.create_result_set( collection, timeframe=timeframe, content_bindings=content_bindings) return tm11.StatusMessage(message_id=generate_message_id(), in_response_to=in_response_to, status_type=ST_PENDING, status_details={ SD_ESTIMATED_WAIT: service.wait_time, SD_RESULT_ID: result_set.id, SD_WILL_PUSH: service.can_push }) # TODO: temporary fix, pending: # https://github.com/TAXIIProject/libtaxii/issues/191 result_part = int(result_part) # dividing instead of multiplying to be safe from overflow has_more = (float(total_count) / service.max_result_size) > result_part capped_count = min(service.max_result_count, total_count) is_partial = (capped_count < total_count) if has_more and not result_id: result_set = service.create_result_set( collection, timeframe=timeframe, content_bindings=content_bindings) result_id = result_set.id response = tm11.PollResponse( message_id=generate_message_id(), in_response_to=in_response_to, collection_name=collection.name, more=has_more, result_id=result_id, result_part_number=result_part, exclusive_begin_timestamp_label=timeframe[0], inclusive_end_timestamp_label=timeframe[1], # TODO: Temporararily make capped_count an int, pending: # https://github.com/TAXIIProject/libtaxii/issues/191 record_count=tm11.RecordCount(int(capped_count), is_partial), subscription_id=subscription_id) if return_content: content_blocks = service.get_content_blocks( collection, timeframe=timeframe, content_bindings=content_bindings, part_number=result_part) for block in content_blocks: response.content_blocks.append( content_block_entity_to_content_block(block, version=11)) return response
def main(): # "hardcoded" values ns = "urn:example.com:marks_malware_metadata_mart" ns_alias = "m4" # Set the STIX ID Namespace stix_namespace = {ns: ns_alias} stix_sin(stix_namespace) # Set the CybOX ID Namespace cybox_namespace = Namespace(ns, ns_alias) cybox_sin(cybox_namespace) ttp_id = 'ttp-d539bb85-9363-4814-83c8-fa9975045686' ttp_timestamp = '2014-09-30T15:56:27.000000+00:00' # Fake database values md5_hash = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' object_id = 'File-927731f2-cc2c-421c-a40e-dc6f4a6c75a4' observable_id = 'Observable-45e3e64c-8438-441e-bc49-51e417466e29' confidence = 'High' confidence_timestamp = '2014-09-29T14:32:00.000000' indicator_id = 'Indicator-54baefc1-4742-4b40-ba83-afd51115015b' indicator_timestamp = '2014-09-29T14:32:00.000000' # Code to create the STIX Package sp = STIXPackage() sp.stix_header = STIXHeader() sp.stix_header.title = "File Hash Reputation for %s" % md5_hash sp.stix_header.add_package_intent("Indicators - Malware Artifacts") sp.stix_header.information_source = InformationSource() sp.stix_header.information_source.identity = Identity() sp.stix_header.information_source.identity.name = "Mark's Malware Metadata Mart" file_hash = Hash(hash_value=md5_hash, type_='MD5', exact=True) file_hash.type_.condition = "Equals" file_obj = File() file_obj.id_ = (ns_alias + ':' + object_id) file_obj.add_hash(file_hash) indicator = Indicator(title="File Hash Reputation", id_=(ns_alias + ':' + indicator_id), timestamp=indicator_timestamp) indicator.indicator_type = "File Hash Reputation" indicator.add_observable(file_obj) indicator.observables[0].id_ = ns_alias + ':' + observable_id ttp = TTP() ttp.id_ = ns_alias + ':' + ttp_id ttp.timestamp = ttp_timestamp ttp.title = "Malicious File" indicator.add_indicated_ttp(TTP(idref=ttp.id_, timestamp=ttp.timestamp)) indicator.indicated_ttps[0].confidence = confidence indicator.indicated_ttps[0].confidence.timestamp = confidence_timestamp sp.add_indicator(indicator) sp.add_ttp(ttp) stix_xml = sp.to_xml() poll_response = tm11.PollResponse(message_id=generate_message_id(), in_response_to="1234", collection_name='file_hash_reputation') cb = tm11.ContentBlock(content_binding=CB_STIX_XML_111, content=stix_xml) poll_response.content_blocks.append(cb) print poll_response.to_xml(pretty_print=True)