Пример #1
0
    def test_markable_attributes(self):
        """Test that attribute selector used on resulting xpath.
            Does not check for accuracy of marked data."""
        container = stixmarx.new()
        package = container.package
        red_marking = generate_marking_spec(generate_red_marking_struct())

        indicator = Indicator(title="Test")
        observable = generate_observable()

        indicator.add_observable(observable)

        package.add_indicator(indicator)

        observable.object_.id_ = container.add_marking(observable.object_.id_,
                                                       red_marking)
        indicator.timestamp = container.add_marking(indicator.timestamp,
                                                    red_marking)

        self.assertTrue(package.stix_header is None)
        self.assertTrue(package.indicators[0].handling is None)

        container.flush()

        self.assertTrue(package.stix_header is None)

        self.assertTrue(package.indicators[0].handling is not None)

        for marking in package.indicators[0].handling.marking:
            selector = marking.controlled_structure.split("/")[-1]

            self.assertTrue(selector.startswith("@"))
Пример #2
0
def to_stix_rfi(obj):
    from stix.indicator import Indicator as S_Ind
    list_rfis = []

    for each in obj.rfi:
        ind = S_Ind()
        ind.title = "CRITs RFI"
        ind.timestamp = each.date
        ind.description = each.topic
        ind.id_ = each.source

        list_rfis.append(ind)

        for item in each.instance:
            ind_2 = S_Ind()
            ind_2.title = "CRITs RFI"
            ind_2.timestamp = each.date
            ind_2.description = each.topic
            ind_2.producer = to_source(item)
            ind_2.id_ = each.source

            list_rfis.append(ind_2)

    return list_rfis
Пример #3
0
def to_stix_relationship(obj):
    from stix.indicator import Indicator

    ind_rel = []

    for relationship in obj.relationships:
        #if not relationship.private: #testing
        ind = Indicator()
        ind.title = "MARTI Relation"
        ind.timestamp = relationship.relationship_date
        ind.confidence = relationship.rel_confidence.title()
        ind.id_ = relationship.url_key
        ind.add_indicator_type(get_indicator_type(relationship.rel_type))
        ind.description = relationship.rel_reason
        ind.short_description = relationship.relationship
        ind_rel.append(ind)

    return ind_rel
Пример #4
0
def main():
    # Create a new stixmarx MarkingContainer with a
    # new STIXPackage object contained within it.
    container = stixmarx.new()

    # Get the associated STIX Package
    package = container.package

    # Create an Indicator object
    indicator = Indicator(title='Indicator Title',
                          description='Gonna Mark This')

    # Add the Indicator object to our STIX Package
    package.add(indicator)

    # Build MarkingSpecification and add TLP MarkingStructure
    red_marking = MarkingSpecification(marking_structures=TLP(color="RED"))
    amber_marking = MarkingSpecification(marking_structures=TLP(color="AMBER"))
    green_marking = MarkingSpecification(marking_structures=TLP(color="GREEN"))

    # Mark the indicator with our TLP RED marking
    # This is the equivalent of a component marking. Applies to all descendants
    # nodes, text and attributes.
    container.add_marking(indicator, red_marking, descendants=True)

    # Mark the indicator with TLP GREEN. If descendants is false, the marking
    # will only apply to the indicator node. Does NOT include text, attributes
    # or descendants.
    container.add_marking(indicator, green_marking)

    # Mark the description text.
    # >>> type(indicator.description.value)  <type 'str'>
    indicator.description.value = container.add_marking(
        indicator.description.value, amber_marking)
    # >>> type(indicator.description.value)  <class 'stixmarx.api.types.MarkableBytes'>

    # Mark the indicator timestamp attribute.
    # >>> type(indicator.description.value)  <type 'datetime.datetime'>
    indicator.timestamp = container.add_marking(indicator.timestamp,
                                                amber_marking)
    # >>> type(indicator.description.value)  <type 'stixmarx.api.types.MarkableDateTime'>

    # Print the XML!
    print(container.to_xml().decode("utf-8"))
Пример #5
0
def to_stix_comments(obj):
    from crits.comments.handlers import get_comments
    from stix.indicator import Indicator as S_Ind

    comments = get_comments(obj.id, obj._meta['crits_type'], False)
    ind_comments = []

    for each in comments:
        if not each.private:
            ind = S_Ind()
            ind.title = "CRITs Comment(s)"
            ind.description = each.comment
            ind.short_description = each.url_key
            ind.producer = to_stix_information_source(each)
            ind.timestamp = each.edit_date #should be date, but for some reason, it's not getting the correct value

            ind_comments.append(ind)

    return ind_comments
Пример #6
0
def gen_indicator(data, key, _db={}):

    if isinstance(data, dict):

        if _db.get(key, {}).get('ind'):
            ind = Indicator(id_=_db[key]['ind'])
            #ind = Indicator(idref=db[key]['ind'])

        else:
            ind = Indicator()
            _db[key].update({'ind': ind.id_})

            time = data.get('title').split('(')[1][:-1]
            ind.title = data.get('title')
            ind.description = '%s | For more detail go here - %s' % (
                data.get('description'), data.get('link'))
            if time:
                ind.timestamp = datetime.strptime(time, '%Y/%m/%d_%H:%M')
            #ind.producer = src_info

        return ind, _db