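def maec_s(maecs):
    """Parse a MAEC Package document and print a summary of its root process.

    Arguments:
    maecs -- filename/path (or whatever package_binding.parse accepts) of the
        MAEC Package document

    Prints the name, pid, spawned_process and id of the root process of the
    first Malware Subject's first findings bundle. The document is parsed
    input, so that path is not guaranteed to exist; a KeyError or IndexError
    is raised when it does not.
    """
    print("maec")
    maec_obj = package_binding.parse(maecs)
    obs = Package.from_obj(maec_obj)
    # NOTE(review): wrapping the API-level Package in another Package is kept
    # as written; confirm Package(obs).to_dict() yields the intended shape.
    pac = Package(obs)
    dic = pac.to_dict()
    # Walk the nested path once instead of repeating it for every field.
    root_process = (dic["id"]["malware_subjects"][0]["findings_bundles"]
                    ["bundle"][0]["process_tree"]["root_process"])
    for field in ("name", "pid", "spawned_process", "id"):
        print("%s: %s" % (field, root_process[field]))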
def from_obj(cls, obj, return_obj=None):
    """Build a MAECInstance API object from its binding object.

    Arguments:
    obj -- the binding object; a falsy value yields None
    return_obj -- optional instance to populate; a fresh cls() is used when
        it is not given

    The parent class fills in the common fields, then the MAEC payload is
    attached: as a maecPackage API object when python-maec is installed,
    otherwise as the raw binding node.
    """
    if not obj:
        return None
    target = return_obj if return_obj else cls()
    super(MAECInstance, cls).from_obj(obj, target)
    maec_node = obj.MAEC
    if _MAEC_INSTALLED:
        maec_node = maecPackage.from_obj(maec_node)
    target.maec = maec_node
    return target
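def from_obj(cls, obj):
    """Build a MAECInstance API object from its binding object.

    Arguments:
    obj -- the binding object; a falsy value yields None

    When python-maec is installed the binding's MAEC node is replaced, in
    place on *obj*, by the maecPackage API object before the parent's
    from_obj copies it onto the new instance. The original also created an
    unused cls() instance and assigned obj.MAEC to itself when python-maec
    was absent; both no-ops are dropped here.
    """
    if not obj:
        return None
    if _MAEC_INSTALLED:
        # Mutates the caller's binding object on purpose: the parent
        # from_obj reads obj.MAEC to populate the returned instance.
        obj.MAEC = maecPackage.from_obj(obj.MAEC)
    return super(MAECInstance, cls).from_obj(obj)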
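def parse_xml(self, xml_file, check_version=True):
    """Creates a python-maec Bundle or Package object from the supplied xml_file.

    Arguments:
    xml_file -- A filename/path or a file-like object representing a MAEC
        instance (i.e. Package or Bundle) document
    check_version -- Inspect the version before parsing.

    Returns the Package or Bundle API object, or None when neither
    self.is_package nor self.is_bundle is set (namespaces are still applied
    to the parsed tree in that case).
    """
    # resolve_entities=False keeps entity references unexpanded (mitigates
    # external-entity and entity-expansion attacks); huge_tree=True lifts
    # libxml2's size/depth limits, so the two flags must stay paired.
    parser = etree.ETCompatXMLParser(huge_tree=True, resolve_entities=False)
    tree = etree.parse(xml_file, parser=parser)
    # etree.parse() consumes a file-like object. Restore its position so the
    # binding parser below, which receives the same object, does not read an
    # exhausted stream. A path string has no seek/tell and is unaffected.
    if hasattr(xml_file, 'seek') and hasattr(xml_file, 'tell'):
        xml_file.seek(0)
    # NOTE(review): parse_xml_to_obj's own parser settings are not visible
    # here; confirm it applies the same entity restrictions as `parser`.
    binding_obj = self.parse_xml_to_obj(xml_file, check_version)
    api_obj = None
    if self.is_package:
        from maec.package.package import Package  # resolve circular dependencies
        api_obj = Package.from_obj(binding_obj)
    elif self.is_bundle:
        from maec.bundle.bundle import Bundle  # resolve circular dependencies
        api_obj = Bundle.from_obj(binding_obj)
    self._apply_input_namespaces(tree, api_obj)
    return api_obj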
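def generate_oval(self):
    """Convert the MAEC document in self.infilename to an OVAL definitions
    document written to self.outfilename.

    The input is parsed with both the Package and Bundle bindings and
    whichever reports content is processed (Bundle takes precedence).
    Progress is written to stdout; when self.stat_mode is set a per-action
    summary is printed. Exceptions raised during conversion are reported on
    stdout (with a traceback when self.verbose_mode is set) instead of
    propagating. A missing input file is reported on stderr and nothing is
    written.
    """
    # Basic input file checking
    if not os.path.isfile(self.infilename):
        sys.stderr.write('Input file not found: ' + self.infilename + '\n')
        return
    # Try parsing the MAEC file with both bindings. These calls sit outside
    # the try block, so a malformed input propagates to the caller.
    # NOTE(review): the binding parsers' entity-handling settings are not
    # visible here; the input is an untrusted analysis artefact.
    package_obj = package_binding.parse(self.infilename)
    bundle_obj = bundle_binding.parse(self.infilename)
    try:
        sys.stdout.write('Generating ' + self.outfilename + ' from ' + self.infilename + '...')
        self._process_input(package_obj, bundle_obj)
        # Build up the OVAL document from the parsed data and corresponding objects
        self.__build_oval_document()
        if self.converted_ids:
            self._export_oval_document()
            sys.stdout.write('Done\n')
        else:
            sys.stdout.write('no OVAL output written; 0 actions were converted.\n')
        if self.stat_mode:
            self._print_action_stats()
    except Exception as err:
        print('\nError: %s\n' % str(err))
        if self.verbose_mode:
            traceback.print_exc()

def _process_input(self, package_obj, bundle_obj):
    """Hand every Bundle found in the parsed input to self.process_bundle.

    A Bundle input is processed when bundle_obj has content; otherwise each
    findings bundle of each Malware Subject in the Package is processed.
    """
    if bundle_obj.hasContent_():
        self.process_bundle(Bundle.from_obj(bundle_obj))
    elif package_obj.hasContent_():
        maec_package = Package.from_obj(package_obj)
        for malware_subject in maec_package.malware_subjects:
            for maec_bundle in malware_subject.findings_bundles.bundles:
                self.process_bundle(maec_bundle)

def _export_oval_document(self):
    """Write self.ovaldefroot to self.outfilename with the OVAL 5.7 namespace
    declarations. The file is closed on every exit path."""
    namespacedef = (
        'xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" '
        'xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" '
        'xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" '
        'xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows '
        'http://oval.mitre.org/language/version5.7/ovaldefinition/complete/windows-definitions-schema.xsd '
        'http://oval.mitre.org/XMLSchema/oval-definitions-5 '
        'http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-definitions-schema.xsd '
        'http://oval.mitre.org/XMLSchema/oval-common-5 '
        'http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-common-schema.xsd"'
    )
    with open(self.outfilename, 'w') as outfile:
        self.ovaldefroot.export(outfile, 0, namespacedef_=namespacedef)

def _print_action_stats(self):
    """Print which action ids were converted and which were skipped."""
    print('\n**Converted Actions**')
    for action_id in self.converted_ids:
        print('Action ' + action_id + ' converted successfully')
    print('**Skipped Actions**')
    for action_id in self.skipped_actions:
        print('Action ' + action_id + ' skipped; incompatible action/object type or missing object attributes')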