def from_obj(cls, obj, return_obj=None):
    """Build a ``cls`` instance from a generated (getter-style) binding object.

    Returns ``None`` when ``obj`` is falsy. When ``return_obj`` is supplied it
    is populated in place and returned, otherwise a fresh ``cls()`` is used.
    The id/idref/timestamp fields are always copied; the CourseOfActionType
    fields are copied only when ``obj`` is an instance of ``cls._binding_class``.
    """
    if not obj:
        return None
    target = return_obj or cls()
    target.id_ = obj.get_id()
    target.idref = obj.get_idref()
    target.timestamp = obj.get_timestamp()
    if not isinstance(obj, cls._binding_class):
        return target
    # CourseOfActionType properties; a missing version falls back to cls._version
    target.version = obj.get_version() or cls._version
    target.title = obj.get_Title()
    target.stage = VocabString.from_obj(obj.get_Stage())
    target.type_ = VocabString.from_obj(obj.get_Type())
    target.description = StructuredText.from_obj(obj.get_Description())
    target.short_description = StructuredText.from_obj(obj.get_Short_Description())
    target.objective = Objective.from_obj(obj.get_Objective())
    target.parameter_observables = Observables.from_obj(obj.get_Parameter_Observables())
    target.impact = Statement.from_obj(obj.get_Impact())
    target.cost = Statement.from_obj(obj.get_Cost())
    target.efficacy = Statement.from_obj(obj.get_Efficacy())
    target.information_source = InformationSource.from_obj(obj.get_Information_Source())
    target.handling = Marking.from_obj(obj.get_Handling())
    target.related_coas = RelatedCOAs.from_obj(obj.get_Related_COAs())
    target.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())
    return target
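def parse(xml_file):
    """Parse a CybOX XML document into a python-cybox ``Observables`` object.

    ``xml_file`` is handed straight to ``cybox_core_binding.parse``, so it may
    be anything that binding accepts. The intermediate generated binding
    object is not exposed to the caller.
    """
    # Build the generated binding object first, then convert it to the API type.
    # (Leftover commented-out Process/pid debugging code was removed.)
    binding_obj = cybox_core_binding.parse(xml_file)
    return Observables.from_obj(binding_obj)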
def from_obj(cls, obj, return_obj=None):
    """Build a ``cls`` instance from an attribute-style binding object ``obj``.

    Returns ``None`` for a falsy ``obj``. ``return_obj`` is filled in place when
    given, else a new ``cls()`` is created. Common fields are always copied;
    the CourseOfActionType fields only when ``obj`` is a ``cls._binding_class``.
    """
    if not obj:
        return None
    coa = return_obj if return_obj else cls()
    coa.id_ = obj.id
    coa.idref = obj.idref
    coa.timestamp = obj.timestamp
    if isinstance(obj, cls._binding_class):
        # CourseOfActionType properties
        coa.version = obj.version
        coa.title = obj.Title
        coa.stage = VocabString.from_obj(obj.Stage)
        coa.type_ = VocabString.from_obj(obj.Type)
        coa.description = StructuredText.from_obj(obj.Description)
        coa.short_description = StructuredText.from_obj(obj.Short_Description)
        coa.objective = Objective.from_obj(obj.Objective)
        coa.parameter_observables = Observables.from_obj(obj.Parameter_Observables)
        coa.impact = Statement.from_obj(obj.Impact)
        coa.cost = Statement.from_obj(obj.Cost)
        coa.efficacy = Statement.from_obj(obj.Efficacy)
        coa.information_source = InformationSource.from_obj(obj.Information_Source)
        coa.handling = Marking.from_obj(obj.Handling)
        coa.related_coas = RelatedCOAs.from_obj(obj.Related_COAs)
        coa.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
    return coa
def parse(xml_file):
    """Return the python-cybox ``Observables`` parsed from ``xml_file``.

    The argument is passed unchanged to ``cybox_core_binding.parse``.
    """
    # Binding object from the XML, converted to the API object in one step.
    return Observables.from_obj(cybox_core_binding.parse(xml_file))
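def from_obj(cls, obj, return_obj=None):
    """Build a package instance from its attribute-style binding object ``obj``.

    Returns ``None`` for a falsy ``obj`` (matching the other ``from_obj``
    implementations; previously a ``None`` binding raised ``AttributeError``).
    ``return_obj`` is populated in place when supplied, else ``cls()`` is used.
    Each child element is converted through the matching API class' ``from_obj``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    return_obj.id_ = obj.id
    return_obj.idref = obj.idref
    return_obj.timestamp = obj.timestamp
    return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
    return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
    return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
    return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
    return_obj.indicators = Indicators.from_obj(obj.Indicators)
    return_obj.observables = Observables.from_obj(obj.Observables)
    return_obj.incidents = Incidents.from_obj(obj.Incidents)
    return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
    return_obj.ttps = TTPs.from_obj(obj.TTPs)
    return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
    # Don't overwrite the default version unless the binding carries one
    if obj.version:
        return_obj.version = obj.version
    return return_obj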
def from_obj(cls, obj, return_obj=None):
    """Populate (or create) a ``cls`` instance from a getter-style binding object.

    Returns ``None`` if ``obj`` is falsy. The base fields are copied for any
    binding; the CourseOfActionType fields only for a ``cls._binding_class``.
    """
    if not obj:
        return None
    if return_obj is None or not return_obj:
        return_obj = cls()
    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()
    if isinstance(obj, cls._binding_class):
        # CourseOfActionType properties (version defaults to cls._version)
        return_obj.version = obj.get_version() or cls._version
        return_obj.title = obj.get_Title()
        return_obj.stage = VocabString.from_obj(obj.get_Stage())
        return_obj.type_ = VocabString.from_obj(obj.get_Type())
        return_obj.description = StructuredText.from_obj(obj.get_Description())
        return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
        return_obj.objective = Objective.from_obj(obj.get_Objective())
        return_obj.parameter_observables = Observables.from_obj(obj.get_Parameter_Observables())
        # The three Statement-typed children share one conversion path.
        for attr, child in (('impact', obj.get_Impact()),
                            ('cost', obj.get_Cost()),
                            ('efficacy', obj.get_Efficacy())):
            setattr(return_obj, attr, Statement.from_obj(child))
        return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
        return_obj.handling = Marking.from_obj(obj.get_Handling())
        return_obj.related_coas = RelatedCOAs.from_obj(obj.get_Related_COAs())
        return_obj.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())
    return return_obj
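def from_obj(cls, obj, return_obj=None):
    """Build a Report instance from its binding object ``obj``.

    Returns ``None`` for a falsy ``obj`` (consistent with the other ``from_obj``
    implementations; previously this raised ``AttributeError``). The
    ReportBaseType fields are always copied; the ReportType fields only when
    ``obj`` is an instance of ``cls._binding_class``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    # ReportBaseType fields
    return_obj.id_ = obj.id
    return_obj.idref = obj.idref
    return_obj.timestamp = obj.timestamp
    # ReportType fields
    if isinstance(obj, cls._binding_class):
        return_obj.header = Header.from_obj(obj.Header)
        return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
        return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
        return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
        return_obj.indicators = Indicators.from_obj(obj.Indicators)
        return_obj.observables = Observables.from_obj(obj.Observables)
        return_obj.incidents = Incidents.from_obj(obj.Incidents)
        return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
        return_obj.ttps = TTPs.from_obj(obj.TTPs)
        return_obj.related_reports = RelatedReports.from_obj(obj.Related_Reports)
    # Don't overwrite the default version unless the binding carries one
    if obj.version:
        return_obj.version = obj.version
    return return_obj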
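def from_obj(cls, obj, return_obj=None):
    """Build a package instance from a getter-style binding object ``obj``.

    Returns ``None`` for a falsy ``obj`` (consistent with the other ``from_obj``
    implementations; previously this raised ``AttributeError``). List-valued
    children (campaigns, indicators, ...) are only assigned when the wrapping
    element is present, so absent elements leave the ``cls()`` defaults alone.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()
    return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
    return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())
    # Only override the default version when the binding carries one
    if obj.get_version():
        return_obj.version = obj.get_version()
    if obj.get_Campaigns():
        return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()]
    if obj.get_Courses_Of_Action():
        return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()]
    if obj.get_Exploit_Targets():
        return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()]
    if obj.get_Indicators():
        return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()]
    if obj.get_Observables():
        return_obj.observables = Observables.from_obj(obj.get_Observables())
    if obj.get_Incidents():
        return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()]
    if obj.get_Threat_Actors():
        return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()]
    if obj.get_TTPs():
        return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
    return return_obj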
def from_obj(cls, obj, return_obj=None):
    """Build a CourseOfAction from its binding object ``obj``.

    Returns ``None`` for a falsy ``obj``. The base-class ``from_obj`` fills the
    shared fields into ``return_obj`` first; the CourseOfActionType fields are
    then copied when ``obj`` is an instance of ``cls._binding_class``.
    """
    if not obj:
        return None
    coa = return_obj or cls()
    super(CourseOfAction, cls).from_obj(obj, return_obj=coa)
    if not isinstance(obj, cls._binding_class):
        return coa
    # CourseOfActionType properties
    coa.title = obj.Title
    coa.stage = VocabString.from_obj(obj.Stage)
    coa.type_ = VocabString.from_obj(obj.Type)
    coa.objective = Objective.from_obj(obj.Objective)
    coa.parameter_observables = Observables.from_obj(obj.Parameter_Observables)
    coa.impact = Statement.from_obj(obj.Impact)
    coa.cost = Statement.from_obj(obj.Cost)
    coa.efficacy = Statement.from_obj(obj.Efficacy)
    coa.related_coas = RelatedCOAs.from_obj(obj.Related_COAs)
    coa.related_packages = related.RelatedPackageRefs.from_obj(obj.Related_Packages)
    coa.structured_coa = _BaseStructuredCOA.from_obj(obj.Structured_COA)
    return coa
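def main():
    """Command-line entry point: translate an OpenIOC file into a STIX Package.

    Expects ``-i <infile> -o <outfile>`` in ``sys.argv``; with fewer than four
    arguments ``usage()`` is printed and the process exits with status 1.
    Nothing is written when the input path is not an existing file. Errors
    during translation are printed together with a traceback, not propagated.
    """
    infilename = ''
    outfilename = ''
    # Get the command-line arguments
    args = sys.argv[1:]
    if len(args) < 4:
        usage()
        sys.exit(1)
    # Walk flag/value pairs. A flag given as the very last argument has no
    # value; it is ignored rather than raising IndexError on args[i + 1].
    for i, arg in enumerate(args[:-1]):
        if arg == '-i':
            infilename = args[i + 1]
        elif arg == '-o':
            outfilename = args[i + 1]
    if not os.path.isfile(infilename):
        return
    try:
        # Perform the translation using the methods from the OpenIOC to CybOX Script
        openioc_indicators = openioc.parse(infilename)
        observables_obj = openioc_to_cybox.generate_cybox(openioc_indicators, infilename, True)
        observables_cls = Observables.from_obj(observables_obj)
        # Set the namespace to be used in the STIX Package
        stix.utils.set_id_namespace({"https://github.com/STIXProject/openioc-to-stix": "openiocToSTIX"})
        # Wrap the created Observables in a STIX Package/Indicator
        stix_package = STIXPackage()
        # Add the OpenIOC namespace
        stix_package.__input_namespaces__ = {"http://openioc.org/": "openioc"}
        for observable in observables_cls.observables:
            producer_dict = {
                'tools': [{'name': 'OpenIOC to STIX Utility', 'version': str(__VERSION__)}],
            }
            indicator_dict = {
                'producer': producer_dict,
                'title': "CybOX-represented Indicator Created from OpenIOC File",
            }
            indicator = Indicator.from_dict(indicator_dict)
            # Attach the observable being iterated. The previous code attached
            # observables[0] on every pass, so with more than one observable
            # every indicator carried the first one.
            indicator.add_observable(observable)
            stix_package.add_indicator(indicator)
        # Create and write the STIX Header
        stix_header = STIXHeader()
        stix_header.package_intent = "Indicators - Malware Artifacts"
        stix_header.description = "CybOX-represented Indicators Translated from OpenIOC File"
        stix_package.stix_header = stix_header
        # Ignore any warnings - temporary fix for no schemaLocation w/ namespace.
        # catch_warnings() restores the filter state on exit, so the former
        # resetwarnings() call inside the block was redundant.
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")
            package_xml = stix_package.to_xml()
        # Write the generated STIX Package as XML to the output file
        with open(outfilename, 'w') as outfile:
            outfile.write(package_xml)
    except Exception as err:
        print('\nError: %s\n' % str(err))
        traceback.print_exc()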
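def from_obj(cls, obj, return_obj=None):
    """Build a package instance from an attribute-style binding object ``obj``.

    Returns ``None`` for a falsy ``obj`` (consistent with the other ``from_obj``
    implementations; previously this raised ``AttributeError``). List-valued
    children are only assigned when their wrapping element is present, so
    absent elements leave the ``cls()`` defaults untouched.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    return_obj.id_ = obj.id
    return_obj.idref = obj.idref
    return_obj.timestamp = obj.timestamp
    return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
    return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
    # Only override the default version when the binding carries one
    if obj.version:
        return_obj.version = obj.version
    if obj.Campaigns:
        return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign]
    if obj.Courses_Of_Action:
        return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action]
    if obj.Exploit_Targets:
        return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target]
    if obj.Indicators:
        return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator]
    if obj.Observables:
        return_obj.observables = Observables.from_obj(obj.Observables)
    if obj.Incidents:
        return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident]
    if obj.Threat_Actors:
        return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor]
    if obj.TTPs:
        return_obj.ttps = TTPs.from_obj(obj.TTPs)
    return return_obj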
def test_round_trip_xml(self):
    """Serialise a NetworkPacket to XML and back; its property dict must survive unchanged."""
    packet = NetworkPacket.from_dict(self._full_dict)
    xml = Observables(packet).to_xml()
    round_tripped = Observables.from_obj(parseString(xml))
    rebuilt = round_tripped.observables[0].object_.properties.to_dict()
    self.maxDiff = None  # show the complete diff on failure
    self.assertEqual(self._full_dict, rebuilt)
def test_round_trip_xml(self):
    """Round-trip a NetworkPacket through unencoded XML and compare the property dicts."""
    packet = NetworkPacket.from_dict(self._full_dict)
    # encoding=None: keep the XML as a text string for parseString
    xml = Observables(packet).to_xml(encoding=None)
    round_tripped = Observables.from_obj(parseString(xml))
    rebuilt = round_tripped.observables[0].object_.properties.to_dict()
    self.maxDiff = None  # show the complete diff on failure
    self.assertEqual(self._full_dict, rebuilt)
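def main():
    """Command-line entry point: translate an OpenIOC file into a STIX Package.

    Expects ``-i <infile> -o <outfile>`` in ``sys.argv``; with fewer than four
    arguments ``usage()`` is printed and the process exits with status 1.
    Nothing is written when the input path is not an existing file. Errors
    during translation are printed together with a traceback, not propagated.
    """
    infilename = ''
    outfilename = ''
    # Get the command-line arguments
    args = sys.argv[1:]
    if len(args) < 4:
        usage()
        sys.exit(1)
    # Walk flag/value pairs. A flag given as the very last argument has no
    # value; it is ignored rather than raising IndexError on args[i + 1].
    for i, arg in enumerate(args[:-1]):
        if arg == '-i':
            infilename = args[i + 1]
        elif arg == '-o':
            outfilename = args[i + 1]
    if not os.path.isfile(infilename):
        return
    try:
        # Perform the translation using the methods from the OpenIOC to CybOX Script
        openioc_indicators = openioc.parse(infilename)
        observables_obj = openioc_to_cybox.generate_cybox(openioc_indicators, infilename, True)
        observables_cls = Observables.from_obj(observables_obj)
        # Wrap the created Observables in a STIX Package/Indicator
        stix_package = STIXPackage()
        for observable in observables_cls.observables:
            producer_dict = {
                'tools': [{'name': 'OpenIOC to STIX Utility', 'version': str(__VERSION__)}],
            }
            indicator_dict = {
                'producer': producer_dict,
                'title': "CybOX-represented Indicator Created from OpenIOC File",
            }
            indicator = Indicator.from_dict(indicator_dict)
            # Attach the observable being iterated. The previous code attached
            # observables[0] on every pass, so with more than one observable
            # every indicator carried the first one.
            indicator.add_observable(observable)
            stix_package.add_indicator(indicator)
        # Create and write the STIX Header
        stix_header = STIXHeader()
        stix_header.package_intent = "Indicators - Malware Artifacts"
        stix_header.description = "CybOX-represented Indicators Translated from OpenIOC File"
        stix_package.stix_header = stix_header
        # Write the generated STIX Package as XML to the output file; the
        # context manager closes the file even if to_xml() raises.
        with open(outfilename, 'w') as outfile:
            outfile.write(stix_package.to_xml())
    except Exception as err:
        print('\nError: %s\n' % str(err))
        traceback.print_exc()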
def from_obj(cls, obj, return_obj=None):
    """Build a victim-targeting instance from its attribute-style binding ``obj``.

    Returns ``None`` for a falsy ``obj``. ``return_obj`` is filled in place when
    supplied; otherwise a fresh ``cls()`` is returned. Every child is converted
    through its API class' ``from_obj``.
    """
    if not obj:
        return None
    target = return_obj or cls()
    target.identity = Identity.from_obj(obj.Identity)
    target.targeted_technical_details = Observables.from_obj(obj.Targeted_Technical_Details)
    target.targeted_systems = TargetedSystems.from_obj(obj.Targeted_Systems)
    target.targeted_information = TargetedInformation.from_obj(obj.Targeted_Information)
    return target
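def main():
    """Command-line entry point: translate an OpenIOC file into a STIX Package.

    Expects ``-i <infile> -o <outfile>`` in ``sys.argv``; with fewer than four
    arguments ``usage()`` is printed and the process exits with status 1.
    Nothing is written when the input path is not an existing file. Errors
    during translation are printed together with a traceback, not propagated.
    """
    infilename = ''
    outfilename = ''
    # Get the command-line arguments
    args = sys.argv[1:]
    if len(args) < 4:
        usage()
        sys.exit(1)
    # Walk flag/value pairs. A flag given as the very last argument has no
    # value; it is ignored rather than raising IndexError on args[i + 1].
    for i, arg in enumerate(args[:-1]):
        if arg == '-i':
            infilename = args[i + 1]
        elif arg == '-o':
            outfilename = args[i + 1]
    if not os.path.isfile(infilename):
        return
    try:
        # Perform the translation using the methods from the OpenIOC to CybOX Script
        openioc_indicators = openioc.parse(infilename)
        observables_obj = openioc_to_cybox.generate_cybox(openioc_indicators, infilename, True)
        observables_cls = Observables.from_obj(observables_obj)
        # Wrap the created Observables in a STIX Package/Indicator
        stix_package = STIXPackage()
        for observable in observables_cls.observables:
            producer_dict = {
                'tools': [{'name': 'OpenIOC to STIX Utility', 'version': str(__VERSION__)}],
            }
            indicator_dict = {
                'producer': producer_dict,
                'title': "CybOX-represented Indicator Created from OpenIOC File",
            }
            indicator = Indicator.from_dict(indicator_dict)
            # Attach the observable being iterated. The previous code attached
            # observables[0] on every pass, so with more than one observable
            # every indicator carried the first one.
            indicator.add_observable(observable)
            stix_package.add_indicator(indicator)
        # Create and write the STIX Header
        stix_header = STIXHeader()
        stix_header.package_intent = "Indicators - Malware Artifacts"
        stix_header.description = "CybOX-represented Indicators Translated from OpenIOC File"
        stix_package.stix_header = stix_header
        # Write the generated STIX Package as XML to the output file; the
        # context manager closes the file even if to_xml() raises.
        with open(outfilename, 'w') as outfile:
            outfile.write(stix_package.to_xml())
    except Exception as err:
        print('\nError: %s\n' % str(err))
        traceback.print_exc()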
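def from_obj(cls, obj, return_obj=None):
    """Build a package instance from a getter-style binding object ``obj``.

    Returns ``None`` for a falsy ``obj`` (consistent with the other ``from_obj``
    implementations; previously this raised ``AttributeError``). List-valued
    children are only assigned when their wrapping element is present, so
    absent elements leave the ``cls()`` defaults untouched.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()
    return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
    return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())
    # Only override the default version when the binding carries one
    if obj.get_version():
        return_obj.version = obj.get_version()
    if obj.get_Campaigns():
        return_obj.campaigns = [
            Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()
        ]
    if obj.get_Courses_Of_Action():
        return_obj.courses_of_action = [
            CourseOfAction.from_obj(x)
            for x in obj.get_Courses_Of_Action().get_Course_Of_Action()
        ]
    if obj.get_Exploit_Targets():
        return_obj.exploit_targets = [
            ExploitTarget.from_obj(x)
            for x in obj.get_Exploit_Targets().get_Exploit_Target()
        ]
    if obj.get_Indicators():
        return_obj.indicators = [
            Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()
        ]
    if obj.get_Observables():
        return_obj.observables = Observables.from_obj(obj.get_Observables())
    if obj.get_Incidents():
        return_obj.incidents = [
            Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()
        ]
    if obj.get_Threat_Actors():
        return_obj.threat_actors = [
            ThreatActor.from_obj(x)
            for x in obj.get_Threat_Actors().get_Threat_Actor()
        ]
    if obj.get_TTPs():
        return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
    return return_obj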
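def main(fn='se_07.xml'):
    """Round-trip a CybOX XML document through the python-cybox API and print it.

    The input path used to be hard-coded; it is now the ``fn`` parameter with
    the same default, so existing callers of ``main()`` are unaffected. The
    document is parsed into a binding object, converted to an API object, dumped
    to a dict (pretty-printed), rebuilt from that dict and re-serialised to XML,
    which is printed. ``print(...)`` with a single argument behaves the same
    under Python 2's print statement and Python 3's function.
    """
    print("parsing input xml document...")
    observables_obj = cybox_core_binding.parse(fn)  # build a binding object
    observables = Observables.from_obj(observables_obj)  # build an api object from binding
    observables_dict = observables.to_dict()  # create dictionary from api object
    pprint(observables_dict)
    print("building xml from dictionary...")
    observables_two = Observables.from_dict(observables_dict)  # copy api object from dictionary
    xml = observables_two.to_xml()  # generate xml from copied api object
    print(xml)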
def from_obj(cls, obj, return_obj=None):
    """Build a victim-targeting instance from its attribute-style binding ``obj``.

    Returns ``None`` for a falsy ``obj``. The two vocabulary lists are assigned
    only when the binding carries them, so an absent element keeps the
    ``cls()`` default.
    """
    if not obj:
        return None
    target = return_obj if return_obj else cls()
    target.identity = Identity.from_obj(obj.Identity)
    target.targeted_technical_details = Observables.from_obj(obj.Targeted_Technical_Details)
    if obj.Targeted_Systems:
        target.targeted_systems = list(map(VocabString.from_obj, obj.Targeted_Systems))
    if obj.Targeted_Information:
        target.targeted_information = list(map(VocabString.from_obj, obj.Targeted_Information))
    return target
def from_obj(cls, obj, return_obj=None):
    """Populate (or create) a victim-targeting instance from binding ``obj``.

    Returns ``None`` when ``obj`` is falsy. Each child element is delegated
    to the matching API class' ``from_obj``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    # (attribute name, converter, binding child) triples, assigned in order
    conversions = (
        ('identity', Identity, obj.Identity),
        ('targeted_technical_details', Observables, obj.Targeted_Technical_Details),
        ('targeted_systems', TargetedSystems, obj.Targeted_Systems),
        ('targeted_information', TargetedInformation, obj.Targeted_Information),
    )
    for attr, api_cls, child in conversions:
        setattr(return_obj, attr, api_cls.from_obj(child))
    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Build a victim-targeting instance from a getter-style binding ``obj``.

    Returns ``None`` for a falsy ``obj``. The two vocabulary lists are assigned
    only when the binding carries them.
    """
    if not obj:
        return None
    target = return_obj or cls()
    target.identity = Identity.from_obj(obj.get_Identity())
    target.targeted_technical_details = Observables.from_obj(obj.get_Targeted_Technical_Details())
    systems = obj.get_Targeted_Systems()
    if systems:
        target.targeted_systems = [VocabString.from_obj(entry) for entry in systems]
    information = obj.get_Targeted_Information()
    if information:
        target.targeted_information = [VocabString.from_obj(entry) for entry in information]
    return target
def from_obj(cls, obj, return_obj=None):
    """Build an infrastructure instance from a getter-style binding ``obj``.

    Returns ``None`` for a falsy ``obj``. ``types`` is only assigned when the
    binding carries at least one Type element.
    """
    if not obj:
        return None
    infra = return_obj or cls()
    infra.id_ = obj.get_id()
    infra.title = obj.get_Title()
    infra.description = StructuredText.from_obj(obj.get_Description())
    infra.short_description = StructuredText.from_obj(obj.get_Short_Description())
    infra.observable_characterization = Observables.from_obj(obj.get_Observable_Characterization())
    type_elements = obj.get_Type()
    if type_elements:
        infra.types = [AttackerInfrastructureType.from_obj(entry) for entry in type_elements]
    return infra
def from_obj(cls, obj, return_obj=None):
    """Build an infrastructure instance from an attribute-style binding ``obj``.

    Returns ``None`` for a falsy ``obj``. ``types`` is only assigned when the
    binding carries at least one Type element.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    return_obj.id_ = obj.id
    return_obj.title = obj.Title
    # Text children go through StructuredText, the characterization through Observables
    return_obj.description = StructuredText.from_obj(obj.Description)
    return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
    return_obj.observable_characterization = Observables.from_obj(obj.Observable_Characterization)
    if obj.Type:
        return_obj.types = list(map(VocabString.from_obj, obj.Type))
    return return_obj
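def read_cybox(input_file, isJson):
    """Extract indicator values from a CybOX document on disk.

    ``input_file`` is a path. When ``isJson`` is true it is read as the JSON
    form of a python-cybox Observables dict; otherwise it is parsed as CybOX
    XML through the core binding and converted with ``to_dict()``.

    Returns ``{'ip_addresses': [...], 'hostnames': [...]}``; only
    ``ipv4-addr`` address values are collected so far, ``hostnames`` stays
    empty. Observables without the expected ``object``/``properties`` keys
    are skipped rather than raising.
    """
    if isJson:
        # Bug fix: the open file handle, not the path string, is given to json.load
        with open(input_file, 'r') as f:
            cybox_data = json.load(f)
    else:
        cybox_obj = cybox_core_binding.parse(input_file)
        cybox_observables = Observables.from_obj(cybox_obj)
        cybox_data = cybox_observables.to_dict()
    # TODO: Add other indicator types
    indicator_data = {'ip_addresses': [], 'hostnames': []}
    # TODO: Support additional logic (build parse tree or similar?)
    for each in cybox_data.get('observables') or []:
        properties = (each.get('object') or {}).get('properties') or {}
        address = properties.get('address_value')
        if properties.get('category') == 'ipv4-addr' and address is not None:
            indicator_data['ip_addresses'].append(address)
    return indicator_data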
def from_obj(cls, obj, return_obj=None):
    """Populate (or create) an infrastructure instance from getter-style binding ``obj``.

    Returns ``None`` when ``obj`` is falsy. ``types`` is assigned only when
    the binding carries at least one Type element.
    """
    if not obj:
        return None
    if return_obj is None or not return_obj:
        return_obj = cls()
    return_obj.id_ = obj.get_id()
    return_obj.title = obj.get_Title()
    return_obj.description = StructuredText.from_obj(obj.get_Description())
    return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
    return_obj.observable_characterization = Observables.from_obj(obj.get_Observable_Characterization())
    if obj.get_Type():
        return_obj.types = list(map(VocabString.from_obj, obj.get_Type()))
    return return_obj
def __get_email_cybox_object(self, email_sha256, log, config=None):
    """Load the stored CybOX e-mail report for ``email_sha256``.

    Returns a ``(email_properties, email_observables, (stix_path, stix_filename))``
    triple, or ``(None, None, None)`` when ``config`` is missing, the report
    files do not exist, or parsing fails (which is logged as an error).
    """
    if not config:
        return None, None, None
    # NOTE(review): email_sha256 is spliced into filesystem paths below; this
    # assumes the caller hands over a validated hex digest — confirm.
    mail_path = os.path.join(config['emailpath'], email_sha256[:2], email_sha256[2:4], email_sha256)
    email_path = os.path.join(mail_path, 'cybox-%s-message.xml' % (email_sha256))
    email_stix_filename = 'stix-%s-email-message.xml' % (email_sha256)
    email_stix_path = os.path.join(mail_path, email_stix_filename)
    if not (os.path.exists(mail_path) and os.path.exists(email_path)):
        log.warning("no cybox report or email found for given hash: %s" % (email_path))
        return None, None, None
    try:
        parsed = Observables.from_obj(cybox_core_binding.parse(email_path))
        # First observable is the e-mail message itself, the rest are related observables
        email_object = Object.from_obj(parsed.observables[0].to_obj().Object)
        email_observables = parsed.observables[1:]
        return email_object._properties, email_observables, (email_stix_path, email_stix_filename)
    except StandardError as e:
        log.error("failed extracting cybox email observable: %s" % (e))
        return None, None, None
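def from_obj(cls, obj, return_obj=None):
    """Build a package instance from a getter-style binding object ``obj``.

    Returns ``None`` for a falsy ``obj`` (consistent with the other ``from_obj``
    implementations; previously this raised ``AttributeError``). Indicators
    are appended one by one through ``add_indicator``; observables are set as
    a whole when the Observables element is present.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    return_obj.id_ = obj.get_id()
    return_obj.idref_ = obj.get_idref()
    return_obj.version = obj.get_version()
    return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
    indicators_obj = obj.get_Indicators()
    if indicators_obj and indicators_obj.get_Indicator():
        for indicator_obj in indicators_obj.get_Indicator():
            return_obj.add_indicator(Indicator.from_obj(indicator_obj))
    observables_obj = obj.get_Observables()
    if observables_obj:
        return_obj.observables = Observables.from_obj(observables_obj)
    return return_obj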
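def alta_informacion(request):
    """
    When in GET method return all the Content Blocks.
    When in POST method, given a content binding id, a title, description and content we create a Content Block.

    The POST body's ``content`` is parsed as CybOX XML, wrapped in a STIX
    Package whose header carries the given title/description, stored as a
    ContentBlock and attached to the 'default' DataFeed. Returns the
    serialized blocks (GET) or an empty 201 response (POST).
    """
    logger = logging.getLogger('TAXIIApplication.rest.views.alta_informacion')
    logger.debug('Entering alta_informacion')
    logger.debug(request.method)
    if request.method == 'GET':
        content = ContentBlock.objects.all()
        serializer = ContentBlockSerializer(content, many=True)
        return Response(serializer.data)
    elif request.method == 'POST':
        title = request.DATA.get('title')
        description = request.DATA.get('description')
        cont = request.DATA.get('content')
        c = StringIO.StringIO(cont)
        logger.debug(request.DATA.get('content_binding'))
        # NOTE(review): this parses caller-supplied XML through the generated
        # binding; confirm the underlying parser has external entity
        # resolution disabled before exposing this endpoint.
        observables_obj = cybox_core_binding.parse(c)
        observables = Observables.from_obj(observables_obj)
        logger.debug(str(observables))
        stix_package = STIXPackage()
        stix_header = STIXHeader()
        stix_header.description = description
        stix_header.title = title
        stix_package.stix_header = stix_header
        stix_package.add_observable(observables)
        # NOTE(review): the request's content_binding is only logged; the
        # block is always stored under ContentBindingId id=1 — confirm intended.
        content_binding = ContentBindingId.objects.get(id=1)
        cb = ContentBlock(title=title,
                          description=description,
                          content_binding=content_binding,
                          content=stix_package.to_xml())
        cb.save()
        df = DataFeed.objects.get(name='default')
        df.content_blocks.add(cb)
        return Response(status=status.HTTP_201_CREATED)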
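def from_obj(cls, obj, return_obj=None):
    """Build a package instance from an attribute-style binding object ``obj``.

    Returns ``None`` for a falsy ``obj`` (consistent with the other ``from_obj``
    implementations; previously this raised ``AttributeError``). ``return_obj``
    is populated in place when supplied, else ``cls()`` is used; every child
    element is converted through the matching API class' ``from_obj``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    return_obj.id_ = obj.id
    return_obj.idref = obj.idref
    return_obj.timestamp = obj.timestamp
    return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
    return_obj.campaigns = Campaigns.from_obj(obj.Campaigns)
    return_obj.courses_of_action = CoursesOfAction.from_obj(obj.Courses_Of_Action)
    return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets)
    return_obj.indicators = Indicators.from_obj(obj.Indicators)
    return_obj.observables = Observables.from_obj(obj.Observables)
    return_obj.incidents = Incidents.from_obj(obj.Incidents)
    return_obj.threat_actors = ThreatActors.from_obj(obj.Threat_Actors)
    return_obj.ttps = TTPs.from_obj(obj.TTPs)
    return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
    # Don't overwrite the default version unless the binding carries one
    if obj.version:
        return_obj.version = obj.version
    return return_obj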
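def __make_stix_xml_string(self, filename, open_ioc_xml):
    """Store ``open_ioc_xml`` on disk, translate it to a STIX Package and store that too.

    This is an adapted version of openioc_to_stix.py made compatible with
    ce1sus. Both files live under ``self.get_dest_folder()``: the OpenIOC input
    as ``filename`` and the STIX output as ``STIX_of_<filename>``. The STIX
    header's description/short_description are taken from the OpenIOC
    document's top-level children.

    Returns ``(base_dir, open_stix_filename)``. Any exception is logged and
    re-raised as ``cherrypy.HTTPError(500, ...)``.
    """
    import os.path  # local import: the file's import block is not visible here
    try:
        base_dir = self.get_dest_folder()
        # Only the basename is used so a caller-supplied filename cannot point
        # outside base_dir; the former string concatenation did not guard this.
        safe_name = os.path.basename(filename)
        open_ioc_filename = os.path.join(base_dir, safe_name)
        open_stix_filename = os.path.join(base_dir, 'STIX_of_' + safe_name)
        # Save the OpenIOC file; the context manager closes it even on error
        with open(open_ioc_filename, 'w+') as open_ioc_file:
            open_ioc_file.write(open_ioc_xml)
        openioc_indicators = openioc.parse(open_ioc_filename)
        observables_obj = openioc_to_cybox.generate_cybox(openioc_indicators, open_ioc_filename, True)
        observables_cls = Observables.from_obj(observables_obj)
        stix.utils.set_id_namespace({"https://github.com/STIXProject/openioc-to-stix": "openiocToSTIX"})
        stix_package = STIXPackage()
        stix_package.version = '1.1.1'
        stix_package.__input_namespaces__ = {"openioc": "http://openioc.org/"}
        for observable in observables_cls.observables:
            producer_dict = {
                'tools': [{'name': 'OpenIOC to STIX Utility', 'version': str(__VERSION__)}],
            }
            indicator_dict = {
                'producer': producer_dict,
                'title': "CybOX-represented Indicator Created from OpenIOC File",
            }
            indicator = Indicator.from_dict(indicator_dict)
            # Attach the observable being iterated (the old code attached
            # observables[0] on every pass).
            indicator.add_observable(observable)
            stix_package.add_indicator(indicator)
        stix_header = STIXHeader()
        # Set the correct header from the OpenIOC document's top-level children.
        # The leftover debug print of the file contents was removed.
        with open(open_ioc_filename, 'rb') as file_obj:
            file_contents = file_obj.read()
        # NOTE(review): this parses the uploaded document with the default
        # etree parser settings — confirm external entity resolution is off.
        root = etree.fromstring(file_contents)
        for child in root:
            # 'short_description' also ends with 'description', so test it first
            if child.tag.endswith('short_description'):
                stix_header.short_description = child.text
            elif child.tag.endswith('description'):
                stix_header.description = child.text
            elif stix_header.description and stix_header.short_description:
                break
        stix_header.package_intent = "Indicators - Malware Artifacts"
        # Keeps the original behaviour of formatting a missing description as 'None'
        stix_header.description = '{0}\n\n CybOX-represented Indicators Translated from OpenIOC File'.format(stix_header.description)
        stix_package.stix_header = stix_header
        # Ignore any warnings - temporary fix for no schemaLocation w/ namespace.
        # catch_warnings() restores the filters on exit, so no resetwarnings() is needed.
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")
            stix_xml = stix_package.to_xml()
        # Write the generated STIX Package as XML to the output file
        with open(open_stix_filename, 'w') as outfile:
            outfile.write(stix_xml)
        return base_dir, open_stix_filename
    except Exception as error:
        self.logger.error(error)
        # str(error) replaces the deprecated/absent Exception.message attribute
        raise cherrypy.HTTPError(500, '{0}'.format(error))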
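def parse(filepath):
    """Parse the CybOX XML file at ``filepath`` into a python-cybox ``Observables``.

    The file handle is closed as soon as the binding has consumed it; the
    original left it open for the garbage collector.
    """
    with open(filepath, "r") as xml:
        binding_obj = cybox_core_binding.parse(xml)
    return Observables.from_obj(binding_obj)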
def from_file(filename):
    """Return the ``Observables`` parsed from the CybOX XML file ``filename``.

    The path is made absolute before being handed to ``core_binding.parse``.
    """
    absolute_path = os.path.abspath(filename)
    return Observables.from_obj(core_binding.parse(absolute_path))