def __create_cybox_http_header(self, raw, port, whitelist):
if not raw:
return None
request = HTTPRequestParser(raw)
raw_header = str(request.headers)
client_header = HTTPRequestHeaderFields()
if 'accept' in request.headers:
client_header.accept = String(request.headers['accept'])
if 'content-length' in request.headers:
client_header.content_length = int(request.headers['content-length'])
if 'cache-control' in request.headers:
client_header.cache_control = String(request.headers['cache-control'])
if 'user-agent' in request.headers:
client_header.user_agent = String(request.headers['user-agent'])
if 'host' in request.headers:
client_header.host = self.__create_cybox_host_object(request.headers['host'], port, whitelist)
if not client_header.host:
return None
if 'pragma' in request.headers:
client_header.pragma = String(request.headers['pragma'])
if 'connection' in request.headers:
client_header.connection = String(request.headers['connection'])
http_req_head = HTTPRequestHeader()
http_req_head.raw_header = String(raw_header)
http_req_head.parsed_header = client_header
return http_req_head
def cybox_object_http(obj):
http_session = HTTPSession()
hh = HTTPRequestResponse()
hc = HTTPClientRequest()
if obj.client_request.message_body:
hm = HTTPMessage()
hm.lenght = len(obj.client_request.message_body)
hm.message_body = String(obj.client_request.message_body)
hc.http_message_body = hm
rh = HTTPRequestHeader()
if obj.client_request.raw_header:
rh.raw_header = String(obj.client_request.raw_header)
hhf = HTTPRequestHeaderFields()
hhf.user_agent = String(obj.client_request.user_agent)
host_field = HostField()
host_field.domain_name = URI(value=obj.client_request.domain_name)
port = Port()
port.port_value = PositiveInteger(obj.client_request.port.port)
host_field.port = port
hhf.host = host_field
rh.parsed_header = hhf
hc.http_request_header = rh
hl = HTTPRequestLine()
hl.http_method = String(obj.client_request.request_method)
hl.version = String(obj.client_request.request_version)
hl.value = String(obj.client_request.request_uri)
hc.http_request_line = hl
hh.http_client_request = hc
http_session.http_request_response = [hh]
return http_session
def cybox_object_http(obj):
http_session = HTTPSession()
hh = HTTPRequestResponse()
hc = HTTPClientRequest()
if obj.client_request.message_body:
hm = HTTPMessage()
hm.lenght = len(obj.client_request.message_body)
hm.message_body = String(obj.client_request.message_body)
hc.http_message_body = hm
rh = HTTPRequestHeader()
if obj.client_request.raw_header:
rh.raw_header = String(obj.client_request.raw_header)
hhf = HTTPRequestHeaderFields()
hhf.user_agent = String(obj.client_request.user_agent)
host_field = HostField()
host_field.domain_name = URI(value=obj.client_request.domain_name)
port = Port()
port.port_value = PositiveInteger(obj.client_request.port.port)
host_field.port = port
hhf.host = host_field
rh.parsed_header = hhf
hc.http_request_header = rh
hl = HTTPRequestLine()
hl.http_method = String(obj.client_request.request_method)
hl.version = String(obj.client_request.request_version)
hl.value = String(obj.client_request.request_uri)
hc.http_request_line = hl
hh.http_client_request = hc
http_session.http_request_response = [hh]
return http_session
def builder_to_stix_object(self, object_data):
fields = HTTPRequestHeaderFields()
fields.user_agent = object_data.get('user_agent')
header = HTTPRequestHeader()
header.parsed_header = fields
req = HTTPClientRequest()
req.http_request_header = header
req_res = HTTPRequestResponse()
req_res.http_client_request = req
session = HTTPSession()
session.http_request_response = [req_res]
return session
def gen_user_agents(self, count):
'''Generate list of User-Agents'''
user_agents = []
for i in range(0, count):
http_session = HTTPSession()
http_request_response = HTTPRequestResponse()
http_request = HTTPClientRequest()
http_request_header = HTTPRequestHeader()
parsed_header = HTTPRequestHeaderFields()
parsed_header.user_agent = self.fake.user_agent()
http_request_header.parsed_header = parsed_header
http_request.http_request_header = http_request_header
http_request_response.http_client_request = http_request
http_session.http_request_response = http_request_response
user_agents.append(http_session)
return user_agents
def convert_network_traffic_to_http_session(http_request_ext, nc, obs20_id):
obj1x = HTTPSession()
nc.layer7_connections = Layer7Connections()
nc.layer7_connections.http_session = obj1x
rr = HTTPRequestResponse()
obj1x.http_request_response.append(rr)
rr.http_client_request = HTTPClientRequest()
request_line = HTTPRequestLine()
request_line.http_method = http_request_ext["request_method"]
request_line.value = http_request_ext["request_value"]
if "request_version" in http_request_ext:
request_line.version = http_request_ext["request_version"]
rr.http_client_request.http_request_line = request_line
if "request_header" in http_request_ext:
rr.http_client_request.http_request_header = HTTPRequestHeader()
rr.http_client_request.http_request_header.parsed_header = HTTPRequestHeaderFields(
)
convert_obj(http_request_ext["request_header"],
rr.http_client_request.http_request_header.parsed_header,
HTTP_REQUEST_HEADERS_MAP, obs20_id)
if "Host" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.host = \
add_host(http_request_ext["request_header"]["Host"])
if "From" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.from_ = \
EmailAddress(http_request_ext["request_header"]["From"])
if "Referer" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.referer = \
URI(http_request_ext["request_header"]["Referer"])
if "X_Wap_Profile" in http_request_ext["request_header"]:
rr.http_client_request.http_request_header.parsed_header.x_wap_profile = \
URI(http_request_ext["request_header"]["X_Wap_Profile"])
if "message_body_length" in http_request_ext or "message_body_data_ref" in http_request_ext:
body = HTTPMessage()
if "message_body_length" in http_request_ext:
body.length = http_request_ext["message_body_length"]
if "message_body_data_ref" in http_request_ext:
if http_request_ext["message_body_length"] in _STIX1X_OBJS:
artifact_obj = _STIX1X_OBJS[
http_request_ext["message_body_length"]]
body.message_body = artifact_obj.packed_data
else:
warn("%s is not an index found in %s", 306,
http_request_ext["message_body_length"], obs20_id)
rr.http_client_request.http_message_body = body
def http_conversations(httpconv):
a = MalwareAction()
ao = AssociatedObject()
a.name = "Connect to URL"
a.type_ = "Connect"
ao.properties = NetworkConnection()
ao.properties.layer4_protocol = httpconv["protocol"]
header = HTTPResponseHeader()
headerfiled = HTTPResponseHeaderFields()
response = HTTPServerResponse()
if httpconv["response_headers"].has_key("Transfer-Encoding"):
headerfiled.transfer_encoding = httpconv["response_headers"]["Transfer-Encoding"]
headerfiled.content_type = httpconv["response_headers"]["Content-Type"]
headerfiled.server = httpconv["response_headers"]["Server"]
headerfiled.connection = httpconv["response_headers"]["Connection"]
#headerfiled.date = DateTime(httpconv["response_headers"]["Date"])
t = datetime.strptime(httpconv["response_headers"]["Date"],'%a, %d %b %Y %H:%M:%S %Z').replace(tzinfo=pytz.utc)
#print t
headerfiled.date = DateTime(t)
headerfiled.content_type = httpconv["response_headers"]["type"]
header.parsed_header = headerfiled
if httpconv.has_key("download_content"):
body = HTTPMessage()
body.message_body = str(httpconv["download_content"]).encode('string-escape')
response.http_message_body = body
line = HTTPStatusLine()
tmp = httpconv["response_headers"]["Status-Line"].split()
line.version = tmp[0]
line.status_code = PositiveInteger(tmp[1])
line.reason_phrase = tmp[2]
response.http_status_line = line
response.http_response_header = header
client = HTTPClientRequest()
line = HTTPRequestLine()
tmp = httpconv["url"].split()
line.http_method = tmp[0]
line.value = tmp[1]
line.version = tmp[2]
client.http_request_line = line
cheader = HTTPRequestHeader()
cheaderfiled = HTTPRequestHeaderFields()
host = HostField()
host.domain_name = URI(httpconv["dst_host"])
val = Port()
val.port_value = PositiveInteger(httpconv["dst_port"])
host.port = val
cheaderfiled.host = host
cheader.parsed_header = cheaderfiled
client.http_request_header = cheader
httpsession = HTTPSession()
requestresponse = HTTPRequestResponse()
requestresponse.http_client_request = client
requestresponse.http_server_response = response
httpsession.http_request_response = [requestresponse]
layer7 = Layer7Connections()
layer7.http_session = httpsession
ao.properties.layer7_connections = layer7
#print ao.properties.to_dict()
a.associated_objects = AssociatedObjects()
a.associated_objects.append(ao)
return a