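def convert_process_extensions(process20, process1x, obs20_id):
    """Copy the windows-process-ext / windows-service-ext extensions of a
    STIX 2.0 Process onto the STIX 1.x process object ``process1x``.

    ``obs20_id`` is only used in warning messages.  An unresolved
    ``service_dll_refs`` entry is reported with 306; STIX 1.x holds a single
    service DLL, so every entry after the first is reported with 401.
    """
    extensions = process20["extensions"]
    if "windows-process-ext" in extensions:
        windows_process = extensions["windows-process-ext"]
        convert_obj(windows_process, process1x, WINDOWS_PROCESS_EXTENSION_MAP, obs20_id)
        if "startup_info" in windows_process:
            process1x.startup_info = StartupInfo()
            convert_obj(windows_process["startup_info"], process1x.startup_info, STARTUP_INFO_MAP, obs20_id)
    if "windows-service-ext" in extensions:
        windows_service = extensions["windows-service-ext"]
        convert_obj(windows_service, process1x, WINDOWS_SERVICE_EXTENSION_MAP, obs20_id)
        # An empty list used to raise IndexError on [0]; treat it like an absent property.
        dll_refs = windows_service.get("service_dll_refs") or []
        if dll_refs:
            first_ref = dll_refs[0]
            if first_ref in _STIX1X_OBJS:
                file_object = _STIX1X_OBJS[first_ref]
                # The value actually copied is the 1.x file_name attribute, so test
                # for that attribute rather than a dict-style `"name" in file_object`.
                file_name = getattr(file_object, "file_name", None)
                if file_name:
                    process1x.service_dll = file_name
            else:
                warn("%s is not an index found in %s", 306, first_ref, obs20_id)
            for dll_ref in dll_refs[1:]:
                warn("%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                     401, obs20_id, "service_dll_refs", dll_ref)
        if "descriptions" in windows_service:
            process1x.description_list = ServiceDescriptionList()
            for d in windows_service["descriptions"]:
                process1x.description_list.append(d)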
def convert_file_c_o(file2x, file1x, obs2x_id):
    """Populate the STIX 1.x File ``file1x`` from the STIX 2.x File ``file2x``.

    Handles hashes, the FILE_MAP properties, the parent directory path, the
    STIX 2.0-only encryption properties and the file extensions.  The
    ``contains_refs`` list on the basic File object is only reported (607);
    the one on the archive extension is handled by the extension converter.
    Unresolved ``parent_directory_ref`` values are reported with 306.
    Returns ``file1x``.
    """
    if "hashes" in file2x:
        for hash_name, digest in sort_objects_into_processing_order(file2x["hashes"]):
            add_hashes_property(file1x, hash_name, digest)
    convert_obj(file2x, file1x, FILE_MAP, obs2x_id)

    if "parent_directory_ref" in file2x:
        parent_ref = file2x["parent_directory_ref"]
        if parent_ref in _STIX1X_OBJS:
            dir_path = str(_STIX1X_OBJS[parent_ref].full_path)
            # pick the separator from the directory's own style; the name is
            # appended as-is, no normalisation of either part happens here
            separator = "\\" if is_windows_directory(dir_path) else "/"
            file1x.full_path = dir_path + separator + file2x["name"]
        else:
            warn("%s is not an index found in %s", 306, parent_ref, obs2x_id)

    # is_encrypted/encryption_algorithm/decryption_key only exist in STIX 2.0
    if "is_encrypted" in file2x and get_option_value("version_of_stix2x") == "2.0":
        has_algorithm = "encryption_algorithm" in file2x
        has_key = "decryption_key" in file2x
        if file2x["is_encrypted"]:
            if has_algorithm:
                file1x.encryption_algorithm = file2x["encryption_algorithm"]
            else:
                info("is_encrypted in %s is true, but no encryption_algorithm is given", 309, obs2x_id)
            if has_key:
                # key material is copied verbatim into the 1.x document
                file1x.decryption_key = file2x["decryption_key"]
            else:
                info("is_encrypted in %s is true, but no decryption_key is given", 311, obs2x_id)
        else:
            if has_algorithm:
                info("is_encrypted in %s is false, but encryption_algorithm is given", 310, obs2x_id)
            if has_key:
                info("is_encrypted in %s is false, but decryption_key is given", 312, obs2x_id)

    if "extensions" in file2x:
        convert_file_extensions(file2x, file1x, obs2x_id)
    # in STIX 2.0, there are two contains_ref properties, one in the basic File object, and one on the Archive File extension
    # the slider does not handle the one in the basic File object
    if "contains_refs" in file2x:
        warn("contains_refs in %s not handled", 607, obs2x_id)
    return file1x
def convert_tool(tool20):
    """Convert a STIX 2.0 Tool into a STIX 1.x TTP carrying one ToolInformation.

    name/description/tool_version map onto title/description/version of the
    ToolInformation; labels cannot be represented and are reported (502).
    Kill chain phases and object markings are applied to the TTP, granular
    markings are reported as unsupported (604), and the id mapping is
    recorded so later relationships can find the TTP.
    """
    tool_info = ToolInformation()
    for src_key, dst_attr in (("name", "title"),
                              ("description", "description"),
                              ("tool_version", "version")):
        if src_key in tool20:
            setattr(tool_info, dst_attr, tool20[src_key])
    if "labels" in tool20:
        warn("labels not representable in a STIX 1.x ToolInformation. Found in %s", 502, tool20["id"])
        # bug in python_stix prevents using next line of code
        # tool1x.type_ = convert_open_vocabs_to_controlled_vocabs(tool20["labels"], TOOL_LABELS_MAP)

    ttp = TTP(id_=convert_id20(tool20["id"]), timestamp=text_type(tool20["modified"]))
    if not ttp.resources:
        ttp.resources = Resource()
    if not ttp.resources.tools:
        ttp.resources.tools = Tools()
    ttp.resources.tools.append(tool_info)

    if "kill_chain_phases" in tool20:
        process_kill_chain_phases(tool20["kill_chain_phases"], ttp)
    for marking_id in tool20.get("object_marking_refs", []):
        marking_spec = create_marking_specification(marking_id)
        if marking_spec:
            CONTAINER.add_marking(ttp, marking_spec, descendants=True)
    if "granular_markings" in tool20:
        error("Granular Markings present in '%s' are not supported by stix2slider", 604, tool20["id"])
    record_id_object_mapping(tool20["id"], ttp)
    return ttp
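def process_sighting(o):
    """Attach a STIX 2.0 Sighting ``o`` to the STIX 1.x Indicator it refers to.

    Only sightings of indicators can be represented (anything else is
    reported with 508).  A sighting whose indicator is not in the bundle is
    reported with 308 and dropped.  Each ``where_sighted_refs`` entry becomes
    one Sighting, with an information source when the identity is known and
    with RelatedObservable idrefs for every ``observed_data_refs`` entry,
    whether or not that observed data is in the bundle.  first_seen and
    last_seen are not converted.
    """
    sighting_of_ref = o["sighting_of_ref"]
    if not indicator_ref(sighting_of_ref):
        # The original read the misspelt key "sighings_of_ref" here and raised
        # KeyError instead of reporting the unsupported sighting.
        warn("Unable to convert STIX 2.0 sighting %s because it doesn't refer to an indicator",
             508, sighting_of_ref)
        return
    # .get() so an indicator missing from the bundle reaches the 308 warning
    # instead of raising KeyError on the mapping lookup.
    indicator_of_sighting = _ID_OBJECT_MAPPING.get(sighting_of_ref)
    if not indicator_of_sighting:
        warn("%s is not in this bundle. Referenced from %s", 308, sighting_of_ref, o["id"])
        return
    if not indicator_of_sighting.sightings:
        indicator_of_sighting.sightings = Sightings()
    # NOTE(review): as in the original, observed_data_refs are only attached
    # per where_sighted_refs entry, so a sighting without where_sighted_refs
    # produces no Sighting at all -- confirm that is intended.
    for ref in o.get("where_sighted_refs", []):
        s = Sighting()
        indicator_of_sighting.sightings.append(s)
        if ref in _IDENTITIES:
            s.information_source = create_information_source(_IDENTITIES[ref])
        if "observed_data_refs" in o:
            # reference by idref, regardless of whether it is in the bundle or not
            s.related_observables = RelatedObservables()
            for od_ref in o["observed_data_refs"]:
                ro = RelatedObservable()
                s.related_observables.append(ro)
                ro.item = Observable(idref=convert_id20(od_ref))
    # TODO: first_seen
    # TODO: last_seen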
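def convert_coa(coa20):
    """Convert a STIX 2.0 Course of Action into a STIX 1.x CourseOfAction.

    name -> title, description -> description, labels -> type_ (STIX 1.x has
    a single type, so extra labels are reported with 401).  Object markings
    are applied; granular markings are reported as unsupported (604).  The
    id mapping is recorded so relationships can find the object.
    """
    coa1x = CourseOfAction(id_=convert_id20(coa20["id"]), timestamp=text_type(coa20["modified"]))
    if "name" in coa20:
        coa1x.title = coa20["name"]
    if "description" in coa20:
        coa1x.add_description(coa20["description"])
    if "labels" in coa20:
        coa_types = convert_open_vocabs_to_controlled_vocabs(coa20["labels"], COA_LABEL_MAP)
        # guard the [0] access: an empty labels list yields no types
        if coa_types:
            coa1x.type_ = coa_types[0]
            for extra_type in coa_types[1:]:
                # The original passed only two arguments for three %s
                # placeholders; the object id was missing.
                warn("%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                     401, coa20["id"], "labels", extra_type)
    for marking_id in coa20.get("object_marking_refs", []):
        marking_spec = create_marking_specification(marking_id)
        if marking_spec:
            CONTAINER.add_marking(coa1x, marking_spec, descendants=True)
    if "granular_markings" in coa20:
        error("Granular Markings present in '%s' are not supported by stix2slider", 604, coa20["id"])
    record_id_object_mapping(coa20["id"], coa1x)
    return coa1x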
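def convert_identity(ident20):
    """Convert a STIX 2.0 Identity into a STIX 1.x Identity.

    When sectors, contact_information, labels, identity_class or description
    are present a CIQIdentity3_0Instance is built: labels become roles, an
    organization's name goes into PartyName, the first sector becomes
    OrganisationInfo (extra sectors reported with 401), and identity_class,
    contact_information and description land in free-text lines because the
    1.x identity has no matching properties.  Otherwise a plain Identity
    with id and name is returned.  Object markings are applied; granular
    markings are reported as unsupported (604).
    """
    ident_id = ident20["id"]
    # identity_class is treated as optional throughout this function, so read
    # it with .get(): the original indexed it directly and raised KeyError
    # for an identity without it.
    identity_class = ident20.get("identity_class")
    has_ciq_fields = ("sectors" in ident20 or "contact_information" in ident20
                      or "identity_class" in ident20 or "description" in ident20)
    if has_ciq_fields or "labels" in ident20:
        ident1x = CIQIdentity3_0Instance()
        ident1x.id_ = convert_id20(ident_id)
        if identity_class != "organization":
            ident1x.name = ident20["name"]
        if "labels" in ident20:
            ident1x.roles = ident20["labels"]
        if has_ciq_fields:
            ident1x.specification = STIXCIQIdentity3_0()
            if identity_class == "organization":
                party_name = PartyName()
                party_name.add_organisation_name(text_type(ident20["name"]))
                ident1x.specification.party_name = party_name
            if "sectors" in ident20:
                sectors = ident20["sectors"]
                if sectors:
                    ident1x.specification.organisation_info = OrganisationInfo(
                        text_type(convert_open_vocabs_to_controlled_vocabs(sectors[0], SECTORS_MAP, False)[0]))
                for extra_sector in sectors[1:]:
                    # report the object id like the other 401 warnings, not the literal "Identity"
                    warn("%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                         401, ident_id, "sectors", extra_sector)
            # Identity in 1.x has no description property, use free-text-lines
            if "identity_class" in ident20:
                add_missing_property_to_free_text_lines(ident1x.specification, "identity_class", identity_class)
            # No format is defined in the specification for contact_information, so it is
            # difficult to determine how to map its content onto CIQ fields; it is put
            # in the free_text_lines instead
            if "contact_information" in ident20:
                add_missing_property_to_free_text_lines(ident1x.specification, "contact_information",
                                                        ident20["contact_information"])
            if "description" in ident20:
                add_missing_property_to_free_text_lines(ident1x.specification, "description",
                                                        ident20["description"])
    else:
        ident1x = Identity(id_=convert_id20(ident_id), name=ident20["name"])
    for marking_id in ident20.get("object_marking_refs", []):
        marking_spec = create_marking_specification(marking_id)
        if marking_spec:
            CONTAINER.add_marking(ident1x, marking_spec, descendants=True)
    if "granular_markings" in ident20:
        error("Granular Markings present in '%s' are not supported by stix2slider", 604, ident_id)
    return ident1x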
def convert_image_file_extension(image_ext, file1x, obs20_id):
    """Apply a STIX 2.0 raster-image-ext to the STIX 1.x image file ``file1x``.

    Mapped properties go through IMAGE_FILE_EXTENSION_MAP.  Of the EXIF tags
    only ``Compression`` is representable (value 1 means uncompressed); any
    other exif_tags content is reported with 503.
    """
    convert_obj(image_ext, file1x, IMAGE_FILE_EXTENSION_MAP, obs20_id)
    exif_tags = image_ext.get("exif_tags")
    if exif_tags is None:
        return
    if "Compression" not in exif_tags:
        warn("%s not representable in a STIX 1.x %s. Found in %s", 503, "exif_tags", "ImageFile", obs20_id)
        return
    file1x.image_is_compressed = exif_tags["Compression"] != 1
def convert_domain_name_c_o(dn20, dn1x, obs20_id):
    """Populate the STIX 1.x DomainName ``dn1x`` from a STIX 2.0 domain-name.

    The value is copied and the type fixed to FQDN; every resolvable
    ``resolves_to_refs`` entry is attached inline as a Resolved_To related
    object, unresolved ones are reported with 306.
    """
    dn1x.value = dn20["value"]
    dn1x.type_ = "FQDN"
    for resolved_ref in dn20.get("resolves_to_refs", []):
        if resolved_ref not in _STIX1X_OBJS:
            warn("%s is not an index found in %s", 306, resolved_ref, obs20_id)
            continue
        dn1x.add_related(_STIX1X_OBJS[resolved_ref], "Resolved_To", inline=True)
def convert_archive_file_extension(archive_ext, file1x, obs20_id):
    """Apply a STIX 2.0 archive-ext to the STIX 1.x archive file ``file1x``.

    version and comment are copied when present.  ``contains_refs`` is read
    unconditionally; each resolvable entry is appended to archived_file and
    each unresolved one is reported with 306.
    """
    for key in ("version", "comment"):
        if key in archive_ext:
            setattr(file1x, key, archive_ext[key])
    for contained_ref in archive_ext["contains_refs"]:
        contained = _STIX1X_OBJS.get(contained_ref)
        if contained_ref in _STIX1X_OBJS:
            file1x.archived_file.append(contained)
        else:
            warn("%s is not an index found in %s", 306, contained_ref, obs20_id)
def convert_pe_type(pe_type20, obs20_id):
    """Map a STIX 2.0 windows-pebinary-ext ``pe_type`` onto its STIX 1.x name.

    ``exe`` -> ``Executable`` and ``dll`` -> ``Dll``.  ``sys`` is valid in
    STIX 2.0 but has no 1.x equivalent (511); any other value is reported
    with 512.  Both unsupported cases return the literal ``"Invalid"``.
    """
    known = {"exe": "Executable", "dll": "Dll"}
    if pe_type20 in known:
        return known[pe_type20]
    if pe_type20 == "sys":
        warn("pe_type SYS in %s is valid in STIX 2.0, but not in STIX 1.x", 511, obs20_id)
    else:
        warn("pe_type %s in %s is allowed in STIX 2.0, but not in STIX 1.x", 512, pe_type20, obs20_id)
    return "Invalid"
def convert_network_traffic_to_network_socket(socket_ext, nc, obs20_id):
    """Attach a NetworkSocket built from a STIX 2.0 socket-ext to ``nc``.

    Mapped properties go through SOCKET_MAP, ``options`` through
    SOCKET_OPTIONS_MAP.  ``socket_handle`` has no 1.x counterpart and is
    reported with 503.  The socket is added inline as Related_Socket.
    """
    socket1x = NetworkSocket()
    convert_obj(socket_ext, socket1x, SOCKET_MAP, obs20_id)
    if "options" in socket_ext:
        socket1x.options = SocketOptions()
        convert_obj(socket_ext["options"], socket1x.options, SOCKET_OPTIONS_MAP, obs20_id)
    if "socket_handle" in socket_ext:
        warn("%s not representable in a STIX 1.x %s. Found in %s", 503, "socket_handle", "NetworkSocket", obs20_id)
    nc.add_related(socket1x, VocabString("Related_Socket"), inline=True)
def convert_image_file_extension(image_ext, file1x, obs2x_id):
    """Apply a STIX 2.x raster-image-ext to the STIX 1.x image file ``file1x``.

    The property map depends on the configured STIX 2.x version (2.0 vs
    2.1).  Of the EXIF tags only ``Compression`` is representable (value 1
    means uncompressed); any other exif_tags content is reported with 503.
    """
    is_stix20 = get_option_value("version_of_stix2x") == "2.0"
    property_map = IMAGE_FILE_EXTENSION_MAP_2_0 if is_stix20 else IMAGE_FILE_EXTENSION_MAP_2_1
    convert_obj(image_ext, file1x, property_map, obs2x_id)
    exif_tags = image_ext.get("exif_tags")
    if exif_tags is None:
        return
    if "Compression" not in exif_tags:
        warn("%s not representable in a STIX 1.x %s. Found in %s", 503, "exif_tags", "ImageFile", obs2x_id)
        return
    file1x.image_is_compressed = exif_tags["Compression"] != 1
def set_ta_identity(source, target_ref, target_obj_idref_1x):
    """Set the identity of the STIX 1.x ThreatActor ``source`` from an
    attributed-to relationship.

    ``handle_identity`` resolves ``target_ref`` into a 1.x identity object and
    a bookkeeping tuple; index 1 of that tuple is set to True when the
    identity is actually used (presumably "consumed" -- confirm against
    handle_identity).  STIX 1.x allows one identity, so a second
    attributed-to is reported with 401 and its markings are stripped so
    stixmarx does not fail on serialization.
    """
    target, identity1x_tuple = handle_identity(target_ref, target_obj_idref_1x)
    if not source.identity:
        source.identity = target
        identity1x_tuple[1] = True
        return
    warn("Threat Actor in STIX 2.0 has multiple attributed-to relationships, only one is allowed in STIX 1.x. Using first in list - %s omitted",
         401, target_ref)
    # Remove marking to CIQ identity if any.
    # If not removed, stixmarx will cause an exception upon serialization
    for mark_spec in CONTAINER.get_markings(target):
        CONTAINER.remove_marking(target, mark_spec, True)
def convert_windows_registry_key_c_o(wrk2x, wrk1x, obs2x_id):
    """Populate the STIX 1.x WinRegistryKey ``wrk1x`` from a STIX 2.x
    windows-registry-key.

    Mapped properties go through REGISTRY_KEY_MAP; each ``values`` entry is
    converted with convert_window_registry_value; ``creator_user_ref`` is
    resolved to a user-account object whose username becomes
    creator_username (unresolved refs reported with 306).
    """
    convert_obj(wrk2x, wrk1x, REGISTRY_KEY_MAP, obs2x_id)
    if "values" in wrk2x:
        converted = [convert_window_registry_value(v, obs2x_id) for v in wrk2x["values"]]
        wrk1x.values = RegistryValues()
        wrk1x.values.value = converted
    creator_ref = wrk2x.get("creator_user_ref")
    if "creator_user_ref" not in wrk2x:
        return
    if creator_ref in _STIX1X_OBJS:
        wrk1x.creator_username = _STIX1X_OBJS[creator_ref].username
    else:
        warn("%s is not an index found in %s", 306, creator_ref, obs2x_id)
def add_hashes_property(obj, hash_type, value):
    """Store one STIX 2.x hash on the STIX 1.x object ``obj``.

    ``hash_type`` is the STIX 2.x key (MD5, SHA-1, SHA-224, SHA-256,
    SHA-384, SHA-512) and selects the 1.x attribute (md5, sha1, ...).  The
    digest is copied as given -- its length and encoding are not checked
    here.  Any other key is reported with 302 and ignored.
    """
    attr_for_type = {
        "MD5": "md5",
        "SHA-1": "sha1",
        "SHA-224": "sha224",
        "SHA-256": "sha256",
        "SHA-384": "sha384",
        "SHA-512": "sha512",
    }
    attr = attr_for_type.get(hash_type)
    if attr is None:
        warn("Unknown hash type %s used in %s", 302, hash_type, obj.id_)
        return
    setattr(obj, attr, value)
def convert_unix_account_extensions(ua20, ua1x, obs20_id):
    """Apply the unix-account-ext of a STIX 2.0 user-account to ``ua1x``.

    Nothing happens without an ``extensions`` property.  user_id is
    converted with int() (the 2.0 value is a string; a non-numeric value
    raises ValueError here, it is not validated beforehand), gid becomes
    group_id, home_dir becomes home_directory.  ``groups`` cannot be
    converted (strings vs. the integer the 1.x property wants) and is
    reported once per entry with 515.
    """
    if "extensions" not in ua20:
        return
    # must be unix-account-ext
    if "user_id" in ua20:
        ua1x.user_id = int(ua20["user_id"])
    unix_ext = ua20["extensions"]["unix-account-ext"]
    if "gid" in unix_ext:
        ua1x.group_id = unix_ext["gid"]
    for _group in unix_ext.get("groups", []):
        warn("The 'groups' property of unix-account-ext contains strings, but the STIX 1.x property expects integers in %s",
             515, obs20_id)
    if "home_dir" in unix_ext:
        ua1x.home_directory = unix_ext["home_dir"]
def convert_software_c_o(soft20, prod1x, obs20_id):
    """Populate the STIX 1.x Product ``prod1x`` from a STIX 2.0 software object.

    name -> product, vendor -> vendor, version -> version.  STIX 1.x holds a
    single language, so the first ``languages`` entry is used and the rest
    are reported with 401.  cpe is not converted yet.
    """
    prod1x.product = soft20["name"]
    # TODO: cpe
    if "languages" in soft20:
        languages = soft20["languages"]
        prod1x.language = languages[0]
        for extra_language in languages[1:]:
            warn("%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                 401, obs20_id, "languages", extra_language)
    for key in ("vendor", "version"):
        if key in soft20:
            setattr(prod1x, key, soft20[key])
def convert_software_c_o(soft2x, prod1x, obs2x_id):
    """Populate the STIX 1.x Product ``prod1x`` from a STIX 2.x software object.

    name -> product, vendor -> vendor, version -> version.  STIX 1.x holds a
    single language, so the first ``languages`` entry is used and the rest
    are reported with 401.  cpe has no 1.x counterpart and is reported (503).
    """
    prod1x.product = soft2x["name"]
    if "cpe" in soft2x:
        warn("cpe not representable in a STIX 1.x Product. Found in %s", 503, obs2x_id)
    if "languages" in soft2x:
        languages = soft2x["languages"]
        prod1x.language = languages[0]
        for extra_language in languages[1:]:
            warn("%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                 401, obs2x_id, "languages", extra_language)
    for key in ("vendor", "version"):
        if key in soft2x:
            setattr(prod1x, key, soft2x[key])
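def convert_network_traffic_to_http_session(http_request_ext, nc, obs20_id):
    """Attach an HTTPSession built from a STIX 2.0 http-request-ext to the
    STIX 1.x NetworkConnection ``nc``.

    request_method / request_value (read unconditionally) and the optional
    request_version form the request line.  request_header entries go
    through HTTP_REQUEST_HEADERS_MAP, with Host, From, Referer and
    X_Wap_Profile set explicitly because they map to typed 1.x fields.
    message_body_length and message_body_data_ref (an Artifact in
    _STIX1X_OBJS whose packed_data becomes the body) form the message body;
    an unresolved ref is reported with 306.
    """
    session = HTTPSession()
    nc.layer7_connections = Layer7Connections()
    nc.layer7_connections.http_session = session
    rr = HTTPRequestResponse()
    session.http_request_response.append(rr)
    rr.http_client_request = HTTPClientRequest()

    request_line = HTTPRequestLine()
    request_line.http_method = http_request_ext["request_method"]
    request_line.value = http_request_ext["request_value"]
    if "request_version" in http_request_ext:
        request_line.version = http_request_ext["request_version"]
    rr.http_client_request.http_request_line = request_line

    if "request_header" in http_request_ext:
        headers = http_request_ext["request_header"]
        rr.http_client_request.http_request_header = HTTPRequestHeader()
        rr.http_client_request.http_request_header.parsed_header = HTTPRequestHeaderFields()
        parsed_header = rr.http_client_request.http_request_header.parsed_header
        convert_obj(headers, parsed_header, HTTP_REQUEST_HEADERS_MAP, obs20_id)
        # Header values are copied into typed 1.x fields as given; no
        # validation of the address/URI syntax happens here.
        if "Host" in headers:
            parsed_header.host = add_host(headers["Host"])
        if "From" in headers:
            parsed_header.from_ = EmailAddress(headers["From"])
        if "Referer" in headers:
            parsed_header.referer = URI(headers["Referer"])
        if "X_Wap_Profile" in headers:
            parsed_header.x_wap_profile = URI(headers["X_Wap_Profile"])

    if "message_body_length" in http_request_ext or "message_body_data_ref" in http_request_ext:
        body = HTTPMessage()
        if "message_body_length" in http_request_ext:
            body.length = http_request_ext["message_body_length"]
        if "message_body_data_ref" in http_request_ext:
            # The original looked up message_body_length here: the wrong key,
            # which raised KeyError when only the ref was present and could
            # never be a valid index into _STIX1X_OBJS.
            data_ref = http_request_ext["message_body_data_ref"]
            if data_ref in _STIX1X_OBJS:
                body.message_body = _STIX1X_OBJS[data_ref].packed_data
            else:
                warn("%s is not an index found in %s", 306, data_ref, obs20_id)
        rr.http_client_request.http_message_body = body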
def convert_addr_c_o(addr2x, addr1x, obs2x_id):
    """Populate the STIX 1.x Address ``addr1x`` from a STIX 2.x ipv4-addr,
    ipv6-addr or mac-addr object.

    The value is copied as-is (CIDR notation gets no special treatment) and
    the category follows the 2.x type.  ``resolves_to_refs`` entries are
    attached inline as Resolved_To related objects (unresolved ones reported
    with 306); ``belongs_to_refs`` is not handled yet (606).
    """
    # CIDR values are not treated in any different way
    addr1x.address_value = addr2x["value"]
    addr_type = addr2x["type"]
    if addr_type == 'ipv4-addr':
        addr1x.category = Address.CAT_IPV4
    elif addr_type == 'ipv6-addr':
        addr1x.category = Address.CAT_IPV6
    elif addr_type == 'mac-addr':
        addr1x.category = Address.CAT_MAC
    for resolved_ref in addr2x.get("resolves_to_refs", []):
        if resolved_ref not in _STIX1X_OBJS:
            warn("%s is not an index found in %s", 306, resolved_ref, obs2x_id)
            continue
        addr1x.add_related(_STIX1X_OBJS[resolved_ref], "Resolved_To", inline=True)
    if "belongs_to_refs" in addr2x:
        warn("%s property in %s not handled yet", 606, "belongs_to_refs", obs2x_id)
def convert_network_traffic_c_o(obj20, obj1x, obs20_id):
    """Populate the STIX 1.x NetworkConnection ``obj1x`` from a STIX 2.0
    network-traffic object.

    src/dst refs and ports become socket addresses.  Of the extensions only
    the first present of socket-ext, icmp-ext and http-request-ext is
    converted; tcp-ext is reported as unhandled (609) only when none of
    those is present.  ``protocols`` is reported as unhandled (608).
    """
    obj1x.source_socket_address = convert_address_ref(obj20, "src")
    obj1x.destination_socket_address = convert_address_ref(obj20, "dst")
    if "extensions" in obj20:
        extensions = obj20["extensions"]
        handlers = (
            ("socket-ext", convert_network_traffic_to_network_socket),
            ("icmp-ext", convert_network_traffic_to_network_icmp_packet),
            ("http-request-ext", convert_network_traffic_to_http_session),
        )
        for ext_name, handler in handlers:
            if ext_name in extensions:
                handler(extensions[ext_name], obj1x, obs20_id)
                break
        else:
            if "tcp-ext" in extensions:
                warn("tcp-ext in %s not handled, yet", 609, obs20_id)
    if "protocols" in obj20:
        warn("%s property in %s not handled, yet", 608, "protocols", obs20_id)
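def populate_received_line(rl2x, rl1x, obs2x_id):
    """Store one email ``received_lines`` entry on the STIX 1.x ReceivedLine
    ``rl1x`` according to its leading keyword.

    The whole line is stored in the field named by its prefix (from, by,
    via, with, for, id, timestamp); the match is case-sensitive and checks
    only the prefix, in that order.  A line with any other prefix is
    reported with 507.
    """
    # do we need to consider case?
    # can't there be multiple lines with the same prefix??
    prefix_to_attr = (
        ("from", "from_"),
        ("by", "by"),
        ("via", "via"),
        ("with", "with_"),
        ("for", "for_"),
        ("id", "id_"),
        ("timestamp", "timestamp"),
    )
    for prefix, attr in prefix_to_attr:
        if rl2x.startswith(prefix):
            setattr(rl1x, attr, rl2x)
            return
    # The original closed the warn() call before obs2x_id, so the second %s
    # was never filled and the observable id was silently discarded.
    warn("Received Line %s in %s has a prefix that is not representable in STIX 1.x", 507, rl2x, obs2x_id)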
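def convert_addr_c_o(addr20, addr1x, obs20_id):
    """Populate the STIX 1.x Address ``addr1x`` from a STIX 2.0 ipv4-addr,
    ipv6-addr or mac-addr object.

    The value is copied as-is and the category follows the 2.0 type.
    ``resolves_to_refs`` entries are attached inline as Resolved_To related
    objects (unresolved ones reported with 306); ``belongs_to_refs`` is not
    handled yet (606).
    """
    # TODO: does the slider need to handle CIDR values?
    addr1x.address_value = addr20["value"]
    addr_type = addr20["type"]
    if addr_type == 'ipv4-addr':
        addr1x.category = Address.CAT_IPV4
    elif addr_type == 'ipv6-addr':
        addr1x.category = Address.CAT_IPV6
    elif addr_type == 'mac-addr':
        addr1x.category = Address.CAT_MAC
    for resolved_ref in addr20.get("resolves_to_refs", []):
        if resolved_ref in _STIX1X_OBJS:
            addr1x.add_related(_STIX1X_OBJS[resolved_ref], "Resolved_To", inline=True)
        else:
            # message text corrected ("ia" -> "is") to match the other 306 warnings
            warn("%s is not an index found in %s", 306, resolved_ref, obs20_id)
    if "belongs_to_refs" in addr20:
        warn("%s property in %s not handled yet", 606, "belongs_to_refs", obs20_id)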
def process_relationships(rel):
    """Apply a STIX 2.0 Relationship to the already-converted STIX 1.x objects.

    The source must be in _ID_OBJECT_MAPPING (301 otherwise); the target may
    be missing, in which case an idref built from the 2.0 id is used.
    get_relationship_adder decides, from the source/target types and the
    relationship type, which 1.x adder to call; an unsupported combination
    is reported with 501 and a combination marked as handled elsewhere
    (no method) is skipped.  "reverse" adders attach a source idref to the
    target instead; Identity and ExploitTarget targets, and self-referencing
    related-to relationships (same source and target type), also receive
    the raw 2.0 target id.
    """
    source_ref = rel["source_ref"]
    target_ref = rel["target_ref"]
    if source_ref not in _ID_OBJECT_MAPPING:
        warn("No source object exists for %s to add the relationship %s", 301, source_ref, rel["id"])
        return
    source_obj = _ID_OBJECT_MAPPING[source_ref]
    target_obj = _ID_OBJECT_MAPPING.get(target_ref)

    type_of_source = get_type_from_id(source_ref)
    type_of_target = get_type_from_id(target_ref)
    type_of_relationship = rel["relationship_type"]
    add_method_info = get_relationship_adder(type_of_source, type_of_target, type_of_relationship)
    if not add_method_info:
        warn("The '%s' relationship of %s between %s and %s is not supported in STIX 1.x",
             501, type_of_relationship, rel["id"], type_of_source, type_of_target)
        return
    adder = add_method_info["method"]
    if not adder:
        # handled elsewhere
        return

    source_obj_class = add_method_info["stix1x_source_type"]
    target_obj_class = add_method_info["stix1x_target_type"]
    if add_method_info["reverse"] and target_obj:
        adder(target_obj, source_obj_class(idref=source_obj.id_))
        return

    if target_obj:
        target_obj_idref_1x = target_obj_class(idref=target_obj.id_)
    else:
        target_obj_idref_1x = target_obj_class(idref=convert_id20(target_ref))
    # type_of_source == type_of_target implies its a self-referencing related-to relationship
    wants_target_id = (target_obj_class == Identity
                       or target_obj_class == ExploitTarget
                       or type_of_source == type_of_target)
    if wants_target_id:
        adder(source_obj, target_ref, target_obj_idref_1x)
    else:
        adder(source_obj, target_obj_idref_1x)
def convert_address_ref(obj2x, direction, obs2x_id):
    """Build a STIX 1.x SocketAddress for one side of a network-traffic object.

    ``direction`` is ``"src"`` or ``"dst"``; it selects the ``<dir>_ref`` and
    ``<dir>_port`` properties.  A resolved ref that is an Address becomes
    ip_address, a DomainName becomes hostname (any other object type leaves
    the SocketAddress without an address); an unresolved ref is reported
    with 306.  The port is added whether or not the ref resolved.  Returns
    None when neither property is present.
    """
    ref_key = direction + "_ref"
    port_key = direction + "_port"
    sa = None
    if ref_key in obj2x:
        ref = obj2x[ref_key]
        if ref in _STIX1X_OBJS:
            sa = SocketAddress()
            referenced = _STIX1X_OBJS[ref]
            if isinstance(referenced, Address):
                sa.ip_address = referenced
            elif isinstance(referenced, DomainName):
                sa.hostname = Hostname()
                sa.hostname.hostname_value = referenced.value
        else:
            warn("%s is not an index found in %s", 306, ref, obs2x_id)
    if port_key in obj2x:
        if not sa:
            sa = SocketAddress()
        sa.port = Port()
        sa.port.port_value = obj2x[port_key]
    return sa
def convert_network_traffic_c_o(obj20, obj1x, obs20_id):
    """Populate the STIX 1.x NetworkConnection ``obj1x`` from a STIX 2.0
    network-traffic object.

    src/dst refs and ports become socket addresses.  Of the extensions only
    the first present of socket-ext, icmp-ext and http-request-ext is
    converted; tcp-ext is reported as unhandled (609) only when none of
    those is present.  ``protocols`` is reported as unhandled (608) and the
    timing, byte/packet count, ipfix, payload and encapsulation properties
    are reported as not representable (503).
    """
    obj1x.source_socket_address = convert_address_ref(obj20, "src", obs20_id)
    obj1x.destination_socket_address = convert_address_ref(obj20, "dst", obs20_id)
    if "extensions" in obj20:
        extensions = obj20["extensions"]
        handlers = (
            ("socket-ext", convert_network_traffic_to_network_socket),
            ("icmp-ext", convert_network_traffic_to_network_icmp_packet),
            ("http-request-ext", convert_network_traffic_to_http_session),
        )
        for ext_name, handler in handlers:
            if ext_name in extensions:
                handler(extensions[ext_name], obj1x, obs20_id)
                break
        else:
            if "tcp-ext" in extensions:
                warn("tcp-ext in %s not handled, yet", 609, obs20_id)
    if "protocols" in obj20:
        warn("%s property in %s not handled, yet", 608, "protocols", obs20_id)
    # how is is_active related to tcp_state?
    unrepresentable = ("start", "end", "src_byte_count", "dst_byte_count", "src_packets", "dst_packets",
                       "ipfix", "src_payload_ref", "dst_payload_ref", "encapsulates_refs", "encapsulated_by_ref")
    for name in unrepresentable:
        if name in obj20:
            warn("%s not representable in a STIX 1.x %s. Found in %s", 503, name, "NetworkConnection", obs20_id)
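def create_references(obj):
    """Copy the ``url`` of each external reference of a STIX 2.0 object onto
    the InformationSource of its STIX 1.x counterpart.

    Identities have nowhere to store references (510).  capec and cve
    references are skipped here (handled elsewhere); a reference of any
    other source without a url is reported with 605.  The InformationSource
    is taken from the 1.x object, from the _INFORMATION_SOURCES cache, or
    created and cached.  When no 1.x object exists for ``obj`` (307) the
    function returns: the original fell through to
    ``info_source.add_reference`` on None and raised AttributeError.
    """
    obj_id = obj["id"]
    if identity_ref(obj_id):
        warn("Identity has no property to store external-references from %s", 510, obj_id)
        return
    info_source = None
    for er in obj["external_references"]:
        source_name = er["source_name"]
        if source_name == 'capec' or source_name == 'cve':
            continue
        if "url" not in er:
            warn("Source name %s in external references of %s not handled, yet", 605, source_name, obj_id)
            continue
        # TODO: description, hashes, external_id
        if not info_source:
            if obj_id not in _ID_OBJECT_MAPPING:
                warn("No object %s is found to add the reference to", 307, obj_id)
                return
            ob1x = _ID_OBJECT_MAPPING[obj_id]
            if ob1x.information_source:
                info_source = ob1x.information_source
            elif obj_id in _INFORMATION_SOURCES:
                info_source = _INFORMATION_SOURCES[obj_id]
                ob1x.information_source = info_source
            else:
                info_source = InformationSource(references=References())
                _INFORMATION_SOURCES[obj_id] = info_source
                ob1x.information_source = info_source
        info_source.add_reference(er["url"])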
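def convert_file_c_o(file20, file1x, obs20_id):
    """Populate the STIX 1.x File ``file1x`` from the STIX 2.0 File ``file20``.

    Handles hashes, the FILE_MAP properties, the parent directory path, the
    encryption properties and the file extensions.  The ``contains_refs``
    list on the basic File object is only reported (607); the one on the
    archive extension is handled by the extension converter.  An
    unresolved ``parent_directory_ref`` is reported with 306 (previously it
    was dropped silently).  Returns ``file1x``.
    """
    if "hashes" in file20:
        for hash_name, digest in sort_objects_into_processing_order(file20["hashes"]):
            add_hashes_property(file1x, hash_name, digest)
    convert_obj(file20, file1x, FILE_MAP, obs20_id)

    if "parent_directory_ref" in file20:
        parent_ref = file20["parent_directory_ref"]
        if parent_ref in _STIX1X_OBJS:
            directory_object = _STIX1X_OBJS[parent_ref]
            # TODO separator?  "/" is used regardless of the directory's own style
            file1x.full_path = str(directory_object.full_path) + "/" + file20["name"]
        else:
            warn("%s is not an index found in %s", 306, parent_ref, obs20_id)

    if "is_encrypted" in file20:
        has_algorithm = "encryption_algorithm" in file20
        has_key = "decryption_key" in file20
        if file20["is_encrypted"]:
            if has_algorithm:
                file1x.encryption_algorithm = file20["encryption_algorithm"]
            else:
                info("is_encrypted in %s is true, but no encryption_algorithm is given", 309, obs20_id)
            if has_key:
                # key material is copied verbatim into the 1.x document
                file1x.decryption_key = file20["decryption_key"]
            else:
                info("is_encrypted in %s is true, but no decryption_key is given", 311, obs20_id)
        else:
            if has_algorithm:
                info("is_encrypted in %s is false, but encryption_algorithm is given", 310, obs20_id)
            if has_key:
                info("is_encrypted in %s is false, but decryption_key is given", 312, obs20_id)

    if "extensions" in file20:
        convert_file_extensions(file20, file1x, obs20_id)
    # in STIX 2.0, there are two contains_ref properties, one in the basic File object, and one on the Archive File extension
    # the slider does not handle the one in the basic File object
    if "contains_refs" in file20:
        warn("contains_refs in %s not handled", 607, obs20_id)
    return file1x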
def convert_pdf_file_extension(pdf_ext, file1x, obs20_id):
    """Apply a STIX 2.0 pdf-ext to the STIX 1.x PDF file ``file1x``.

    version is copied; is_optimized and document_info_dict go into
    PDFFileMetadata (the dictionary through
    PDF_DOCUMENT_INFORMATION_DICT_MAP).  pdfid0/pdfid1 are stored as the id
    strings of a single trailer; their order in the output is not
    guaranteed, which is reported with 514.
    """
    if "version" in pdf_ext:
        file1x.version = pdf_ext["version"]

    has_optimized = "is_optimized" in pdf_ext
    has_doc_info = "document_info_dict" in pdf_ext
    if has_optimized or has_doc_info:
        file1x.metadata = PDFFileMetadata()
        metadata = file1x.metadata
        if has_optimized:
            metadata.optimized = pdf_ext["is_optimized"]
        if has_doc_info:
            metadata.document_information_dictionary = PDFDocumentInformationDictionary()
            convert_obj(pdf_ext["document_info_dict"], metadata.document_information_dictionary,
                        PDF_DOCUMENT_INFORMATION_DICT_MAP, obs20_id)

    pdf_ids = [pdf_ext[key] for key in ("pdfid0", "pdfid1") if key in pdf_ext]
    if pdf_ids:
        warn("Order may not be maintained for pdfids in %s", 514, obs20_id)
        file1x.trailers = PDFTrailerList()
        trailer = PDFTrailer()
        file1x.trailers.trailer.append(trailer)
        trailer.id_ = PDFFileID()
        for pdf_id in pdf_ids:
            trailer.id_.id_string.append(pdf_id)
def create_references(obj):
    """Carry the external references of a STIX 2.x object over to its STIX
    1.x counterpart.

    Identities have nowhere to store references (510); vulnerabilities are
    delegated to create_references_for_vulnerability; an object with no 1.x
    counterpart is reported with 307.  For capec/cve references only the
    url is added to the information source.  Other references contribute
    "SOURCE: ..." texts for url and external_id -- added as descriptions on
    an Indicator, as information-source references otherwise -- plus the
    description as a description; hashes are not representable (503) and a
    reference with neither url nor external_id is reported with 605.
    """
    obj_id = obj["id"]
    if id_of_type(obj_id, "identity"):
        warn("Identity has no property to store external-references from %s", 510, obj_id)
        return
    if id_of_type(obj_id, "vulnerability"):
        create_references_for_vulnerability(obj)
        return
    if obj_id not in _ID_OBJECT_MAPPING:
        warn("No object %s is found to add the reference to", 307, obj_id)
        return
    ob1x = _ID_OBJECT_MAPPING[obj_id]

    for er in obj["external_references"]:
        source_name = er["source_name"]
        if source_name == 'capec' or source_name == 'cve':
            # capec and cve handled elsewhere; only the url is kept here
            if "url" in er:
                get_info_source(ob1x, obj).add_reference("SOURCE: " + source_name + " - " + er["url"])
            continue
        if "url" not in er and "external_id" not in er:
            warn("Source name %s in external references of %s not handled, yet", 605, source_name, obj_id)
            continue

        ref_texts = []
        if "url" in er:
            ref_texts.append("SOURCE: " + source_name + " - " + er["url"])
        if "external_id" in er:
            ref_texts.append("SOURCE: " + source_name + " - " + "EXTERNAL ID: " + er["external_id"])
        if "hashes" in er:
            warn("hashes not representable in a STIX 1.x %s. Found in %s", 503, "InformationSource", obj_id)
        if "description" in er:
            ob1x.add_description(er["description"])
        if not ref_texts:
            continue
        if isinstance(ob1x, Indicator):
            for ref_text in ref_texts:
                ob1x.add_description(ref_text)
        else:
            info_source = get_info_source(ob1x, obj)
            for ref_text in ref_texts:
                info_source.add_reference(ref_text)