def __parse_email_message(self, msg):
    """Convert a parsed email into CybOX objects.

    Builds one EmailMessage and, depending on the ``include_*`` switches on
    ``self``, the file objects for its attachments and the URL and domain
    objects found in its body text.

    Returns:
        A flat list, not a mapping: the EmailMessage first, then the
        attachment file objects, then the URL objects, then the domain
        objects.
    """
    email_obj = EmailMessage()
    attachment_files = []
    url_list = []
    domain_list = []

    # Headers are always populated (required for now).
    email_obj.header = self.__create_cybox_headers(msg)

    if self.include_attachments:
        attachment_files = self.__create_cybox_files(msg)
        email_obj.attachments = Attachments()
        for attached in attachment_files:
            # The message lists each attachment by the id of its parent object,
            # and the file records that it was contained within the message.
            email_obj.attachments.append(attached.parent.id_)
            attached.add_related(email_obj, "Contained_Within", inline=False)

    if self.include_raw_headers:
        header_text = self.__get_raw_headers(msg).strip()
        if header_text:
            email_obj.raw_header = String(header_text)

    # The body text is always extracted: it feeds both raw_body and URL parsing.
    raw_body = "\n".join(self.__get_raw_body_text(msg)).strip()
    if self.include_raw_body and raw_body:
        email_obj.raw_body = String(raw_body)

    if self.include_urls:
        # URLs and domains come straight out of the message body, i.e. from
        # sender-controlled text; this method only records them as objects.
        (url_list, domain_list) = self.__parse_urls(raw_body)
        if url_list:
            link_refs = Links()
            for url_obj in url_list:
                link_refs.append(LinkReference(url_obj.parent.id_))
            if link_refs:
                email_obj.links = link_refs

    # Everything built above, message first.
    return [email_obj] + attachment_files + url_list + domain_list
def test_get_namespaces(self):
    """Check that an email plus the URL it links to reports five namespaces."""
    email = EmailMessage()
    email.to = "*****@*****.**"
    email.subject = "Here's a cool picture"
    email.links = Links()

    picture_url = URI("http://example.com/cool.jpg", URI.TYPE_URL)
    # The message references the URI by its parent's id rather than embedding it.
    email.links.append(picture_url.parent.id_)

    observables = Observables([picture_url, email])
    # Debug output: the serialized document and the namespaces it reports.
    print(observables.to_xml())

    found_namespaces = observables._get_namespaces()
    print("\n".join(map(str, found_namespaces)))
    self.assertEqual(5, len(found_namespaces))
def test_round_trip_list(self):
    """Check that a Links list is unchanged by cybox.test.round_trip."""
    original = Links()
    for reference in ("example:URI-watchlist1", "example:URI-watchlist2"):
        original.append(reference)

    # list_=True is passed through to the round-trip helper as in the original test.
    restored = cybox.test.round_trip(original, list_=True)
    self.assertEqual(original.to_list(), restored.to_list())
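def populate_email(self, cybox_email, attribute):
    """Copy one ce1sus attribute onto a CybOX email object, in place.

    ``attribute.definition.name`` selects the target field and
    ``attribute.value`` supplies the data. Nothing is returned; the result
    is the mutation of ``cybox_email``.

    Args:
        cybox_email: the CybOX email object being filled in.
        attribute: the ce1sus attribute to map.

    Raises:
        CyboxMapperException: for any definition name containing ``hash``
            and for any definition name this mapper does not handle.
    """
    def_name = attribute.definition.name

    # Recipient-list headers. Driving these from one table keeps the field
    # that is tested, created and appended to the same one: the hand-written
    # 'email_cc' branch used to append to header.bcc, which filed CC
    # addresses as BCC (or failed when bcc was unset).
    recipient_fields = {
        'email_bcc': 'bcc',
        'email_cc': 'cc',
        'email_to': 'to',
    }
    # Scalar header fields written through set_check_attr. The header is
    # ensured first for all of them; the x_mailer and x_originating_ip
    # branches previously skipped that step, unlike their siblings.
    header_fields = {
        'email_errors_to': 'header.errors_to',
        'email_message_id': 'header.message_id',
        'email_mime_version': 'header.mime_version',
        'email_x_mailer': 'header.x_mailer',
        'email_x_originating_ip': 'header.x_originating_ip',
    }
    # Fields written through set_check_attr without touching the header.
    message_fields = {
        'email_raw_body': 'raw_body',
        'email_raw_header': 'raw_header',
        'email_server': 'email_server',
        'email_subject': 'subject',
    }

    if def_name in recipient_fields:
        field = recipient_fields[def_name]
        self.__check_set_email_header(cybox_email)
        header = cybox_email.header
        if not getattr(header, field):
            setattr(header, field, EmailRecipients())
        getattr(header, field).append(self.create_EmailAddress(attribute))
    elif def_name in header_fields:
        self.__check_set_email_header(cybox_email)
        self.set_check_attr(cybox_email, header_fields[def_name], attribute)
    elif def_name in message_fields:
        self.set_check_attr(cybox_email, message_fields[def_name], attribute)
    elif def_name == 'email_attachment_file_name':
        attachment = File()
        attachment.file_name = attribute.value
        attachment.file_name.condition = self.get_condition(attribute)
        # TODO(review): the File built here is never added to
        # cybox_email.attachments, so attachment file names are silently
        # left out of the generated email object.
    elif def_name == 'email_reply_to':
        # Ensure the header exists before it is read; the check used to run
        # only after header.in_reply_to had already been dereferenced.
        self.__check_set_email_header(cybox_email)
        # NOTE(review): this writes a recipient list to header.in_reply_to,
        # the same field 'email_in_reply_to' sets to a plain value below.
        # Possibly header.reply_to was intended; confirm before relying on it.
        if not cybox_email.header.in_reply_to:
            cybox_email.header.in_reply_to = EmailRecipients()
        cybox_email.header.in_reply_to.append(
            self.create_EmailAddress(attribute))
    elif def_name == 'email_from':
        self.__check_set_email_header(cybox_email)
        # Only the first From address is kept; later ones are ignored.
        if not cybox_email.header.from_:
            cybox_email.header.from_ = self.create_EmailAddress(attribute)
    elif 'hash' in def_name:
        raise CyboxMapperException('Not defined')
    elif def_name == 'email_link':
        if not cybox_email.links:
            cybox_email.links = Links()
        cybox_email.links.append(Link(attribute.value))
    elif def_name == 'email_send_date':
        cybox_email.date = attribute.value
    elif def_name == 'email_in_reply_to':
        self.__check_set_email_header(cybox_email)
        cybox_email.header.in_reply_to = attribute.value
    else:
        raise CyboxMapperException('Not defined for {0}'.format(def_name))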
def cybox_object_email(obj):
    """Build a CybOX EmailMessage from a stored email record.

    Copies the raw body and raw header, creates one file object per
    attachment metadata row, and fills an EmailHeader from the record's
    scalar fields and its from / sender / to / cc / bcc relations.

    Returns:
        A ``(message, attachment_objects)`` tuple: the EmailMessage and the
        list of file objects created for its attachments.
    """
    def _address(value, row):
        # One EmailAddress carrying the row's spoofing flag and condition.
        address = EmailAddress(value)
        address.is_spoofed = row.is_spoofed
        address.condition = row.condition
        return address

    def _recipients(relation):
        # Collect every row of the named relation into an EmailRecipients.
        collected = EmailRecipients()
        for row in getattr(obj, relation).all():
            entry = _address(row.recipient, row)
            collected.append(entry)
        return collected

    message = EmailMessage()
    message.raw_body = obj.raw_body
    message.raw_header = obj.raw_header

    # Links
    message.links = Links()
    # NOTE(review): the stored links are iterated but nothing is added, so
    # message.links is always empty and the email's links never reach the
    # output.
    for _unused_link in obj.links.all():
        pass

    # Attachments: the message lists each file by its parent's id and the
    # file records that it was contained within the message.
    message.attachments = Attachments()
    attachment_objects = []
    for stored in obj.attachments.all():
        for meta in stored.file_meta.all():
            file_obj = cybox_object_file(stored, meta)
            message.attachments.append(file_obj.parent.id_)
            file_obj.add_related(message, "Contained_Within", inline=False)
            attachment_objects.append(file_obj)

    # Header: scalar fields as (header attribute, record attribute) pairs.
    header = EmailHeader()
    scalar_fields = (
        ("subject", "subject"),
        ("date", "email_date"),
        ("message_id", "message_id"),
        ("content_type", "content_type"),
        ("mime_version", "mime_version"),
        ("user_agent", "user_agent"),
        ("x_mailer", "x_mailer"),
    )
    for target, source in scalar_fields:
        setattr(header, target, getattr(obj, source))

    # From: each row overwrites the previous one, so the last row wins.
    for row in obj.from_string.all():
        header.from_ = _address(row.sender, row)

    # Sender
    # NOTE(review): header.sender is not assigned anywhere in this function
    # before .add() is called on it; confirm EmailHeader() initialises it to
    # something that has an add() method.
    for row in obj.sender.all():
        sender_address = _address(row.sender, row)
        header.sender.add(sender_address)

    # To, CC and BCC share the same row shape.
    header.to = _recipients("recipients")
    header.cc = _recipients("recipients_cc")
    header.bcc = _recipients("recipients_bcc")

    message.header = header
    return message, attachment_objects