def get_port_from_idmef(self, device, tag_converted):
"""
Get port or portlist from IDMEF
:param device: specific IDMEF source or target element
:param tag_converted: boolean, which says if port (portlist should be tag as converted
:return: list of ports, which was retrieved from portlist or port element
"""
ports = get_elementvalues(device, "Service/port", tag_converted)
if not ports:
portlist = get_elementvalue(device, "Service/portlist",
tag_converted)
if portlist:
portlist_items = portlist.split(",")
for portlist_item in portlist_items:
portlist_item = portlist_item.replace(" ", "")
if "-" in portlist_item:
range_borders = portlist_item.split("-")
# here if range borders has count not 2, throw an exception
port_inside_range = int(range_borders[0])
up_border = int(range_borders[1])
while port_inside_range <= up_border:
ports.append(port_inside_range)
port_inside_range += 1
else:
ports.append(int(portlist_item))
else:
ports = [int(port) for port in ports]
return ports
def modify_data(self, input_message=None):
"""
Takes input elementtree with "IDMEF-Message" root and converts it into IDEA dictionary
:param input_message: elementtree with "Alert" root, if None, takes input_message from class attributes
:return list of dictionaries with alerts converted from IDMEF to IDEA (one dict, one alert of single message)
"""
self.input_message = input_message
tag_converted = True
idea_dict = {}
if input_message:
save_value_to_dict(idea_dict, "Format", "IDEA0")
save_value_to_dict(
idea_dict, "ID",
get_elementattribute(input_message, ".", "messageid",
tag_converted, None))
self.save_time(idea_dict, input_message, "CreateTime",
"CreateTime")
self.save_time(idea_dict, input_message, "DetectTime",
"DetectTime")
save_value_to_dict(
idea_dict, "CorrelID",
get_elementvalues(input_message,
"./CorrelationAlert/alertident",
tag_converted))
save_value_to_dict(
idea_dict, "Ref",
get_elementvalues(input_message,
"./Classification/Reference/url",
tag_converted))
save_value_to_dict(
idea_dict, "Category",
get_elementattributes(input_message, "./Classification",
"text", tag_converted))
self.save_confidence(input_message, idea_dict, tag_converted)
save_value_to_dict(idea_dict, "Source",
self.save_sources_into_idea(input_message))
save_value_to_dict(idea_dict, "Target",
self.save_targets_into_idea(input_message))
node = self.save_analyzer_into_idea(input_message)
if node:
save_value_to_dict(idea_dict, "Node", [node])
self.save_additionaldata_into_idea(input_message, idea_dict)
self.add_rest_values(input_message, idea_dict)
return idea_dict
def save_devices(self, path_to_device, alert, tag_converted):
"""
Save all Sources or Targets (depends on path to device) from IDMEF elementtree to IDEA dictionary
:param path_to_device: relative path from Alert to Source or Target in IDMEF
:param alert: input IDMEF alert
:param tag_converted: boolean, which says if confidence should be tag as converted
"""
xml_devices = alert.findall(path_to_device)
device_list = []
for item in xml_devices:
device_dict = {}
save_value_to_dict(
device_dict, "Hostname",
get_elementvalues(item, "Node/name", tag_converted))
save_value_to_dict(device_dict, "Port",
self.get_port_from_idmef(item, tag_converted))
save_value_to_dict(
device_dict, "Proto",
get_elementvalues(item, "Service/protocol", tag_converted))
save_value_to_dict(
device_dict, "Url",
get_elementvalues(item, "Service/URL", tag_converted))
save_value_to_dict(
device_dict, "Router",
get_elementattributes(item, ".", "interface", tag_converted))
spoofed_string = "decoy"
if "Source" in path_to_device:
spoofed_string = "spoofed"
save_value_to_dict(
device_dict, "Spoofed",
get_elementattribute(item,
".",
spoofed_string,
tag_converted,
default_value=None))
save_addresses(item, device_dict, tag_converted)
device_list.append(device_dict)
return device_list
def test_get_elementvalues_root(self):
root = Element("root")
root.text = "Roottext"
child1 = SubElement(root, "child1")
child1.set("attr", "attr")
child1.text = "Value2"
child11 = SubElement(child1, "child11")
child111 = SubElement(child11, "child111")
child111.text = "Value"
child1111 = SubElement(child111, "child1111")
child1111.set("attrib", "attrib")
child2 = SubElement(root, "child1")
child2.set("attr", "attr")
child2.text = "Different"
child2.text = "Different"
expected_result = [root.text]
result = get_elementvalues(root, ".", True)
self.assertListEqual(expected_result, result)
def save_addresses(idmef_element, device_dict, tag_converted):
"""
Save addresses from specific idmef node into device (means "Source" or "Target") in IDEA representing by dictionary
:param idmef_element: idmef device element ("Source" or "Target")
:param device_dict: device ("Source" or "Target") dictionary, where addresses will be saved
:param tag_converted: boolean, which says if addresses should be tag as converted
"""
save_value_to_dict(
device_dict, "IP4",
get_elementvalues(idmef_element,
"Node/Address[@category='ipv4-addr']/address",
tag_converted))
save_value_to_dict(
device_dict, "IP6",
get_elementvalues(idmef_element,
"Node/Address[@category='ipv6-addr']/address",
tag_converted))
save_value_to_dict(
device_dict, "MAC",
get_elementvalues(idmef_element,
"Node/Address[@category='mac']/address",
tag_converted))
save_value_to_dict(
device_dict, "Email",
get_elementvalues(idmef_element,
"Node/Address[@category='e-mail']/address",
tag_converted))
save_value_to_dict(
device_dict, "IP4-hex",
get_elementvalues(idmef_element,
"Node/Address[@category='ipv4-addr-hex']/address",
tag_converted))
save_value_to_dict(
device_dict, "IP6-hex",
get_elementvalues(idmef_element,
"Node/Address[@category='ipv6-addr-hex']/address",
tag_converted))