def to_stix_rfi(obj):
from stix.indicator import Indicator as S_Ind
list_rfis = []
for each in obj.rfi:
ind = S_Ind()
ind.title = "CRITs RFI"
ind.timestamp = each.date
ind.description = each.topic
ind.id_ = each.source
list_rfis.append(ind)
for item in each.instance:
ind_2 = S_Ind()
ind_2.title = "CRITs RFI"
ind_2.timestamp = each.date
ind_2.description = each.topic
ind_2.producer = to_source(item)
ind_2.id_ = each.source
list_rfis.append(ind_2)
return list_rfis
def to_stix_comments(obj):
from crits.comments.handlers import get_comments
from stix.indicator import Indicator as S_Ind
comments = get_comments(obj.id, obj._meta['crits_type'], False)
ind_comments = []
for each in comments:
if not each.private:
ind = S_Ind()
ind.title = "CRITs Comment(s)"
ind.description = each.comment
ind.short_description = each.url_key
ind.producer = to_stix_information_source(each)
ind.timestamp = each.edit_date #should be date, but for some reason, it's not getting the correct value
ind_comments.append(ind)
return ind_comments
def to_stix_indicator(obj):
"""
Creates a STIX Indicator object from a CybOX object.
Returns the STIX Indicator and the original CRITs object's
releasability list.
"""
from stix.indicator import Indicator as S_Ind
from stix.common.identity import Identity
ind = S_Ind()
obs, releas = to_cybox_observable(obj)
for ob in obs:
ind.add_observable(ob)
#TODO: determine if a source wants its name shared. This will
# probably have to happen on a per-source basis rather than a per-
# object basis.
identity = Identity(name=settings.COMPANY_NAME)
ind.set_producer_identity(identity)
return (ind, releas)
def to_stix(obj, items_to_convert=[], loaded=False, bin_fmt="raw"):
"""
Converts a CRITs object to a STIX document.
The resulting document includes standardized representations
of all related objects noted within items_to_convert.
:param items_to_convert: The list of items to convert to STIX/CybOX
:type items_to_convert: Either a list of CRITs objects OR
a list of {'_type': CRITS_TYPE, '_id': CRITS_ID} dicts
:param loaded: Set to True if you've passed a list of CRITs objects as
the value for items_to_convert, else leave False.
:type loaded: bool
:param bin_fmt: Specifies the format for Sample data encoding.
Options: None (don't include binary data in STIX output),
"raw" (include binary data as is),
"base64" (base64 encode binary data)
:returns: A dict indicating which items mapped to STIX indicators, ['stix_indicators']
which items mapped to STIX observables, ['stix_observables']
which items are included in the resulting STIX doc, ['final_objects']
and the STIX doc itself ['stix_obj'].
"""
from cybox.common import Time, ToolInformationList, ToolInformation
from stix.common import StructuredText, InformationSource
from stix.core import STIXPackage, STIXHeader
from stix.common.identity import Identity
# These lists are used to determine which CRITs objects
# go in which part of the STIX document.
ind_list = ['Indicator']
obs_list = [
'Certificate', 'Domain', 'Email', 'IP', 'PCAP', 'RawData', 'Sample'
]
actor_list = ['Actor']
# Store message
stix_msg = {
'stix_incidents': [],
'stix_indicators': [],
'stix_observables': [],
'stix_actors': [],
'final_objects': []
}
if not loaded: # if we have a list of object metadata, load it before processing
items_to_convert = [
class_from_id(item['_type'], item['_id'])
for item in items_to_convert
]
# add self to the list of items to STIXify
if obj not in items_to_convert:
items_to_convert.append(obj)
# add any email attachments
attachments = []
for obj in items_to_convert:
if obj._meta['crits_type'] == 'Email':
for rel in obj.relationships:
if rel.relationship == RelationshipTypes.CONTAINS:
atch = class_from_id('Sample', rel.object_id)
if atch not in items_to_convert:
attachments.append(atch)
items_to_convert.extend(attachments)
# grab ObjectId of items
refObjs = {key.id: 0 for key in items_to_convert}
relationships = {}
stix = []
from stix.indicator import Indicator as S_Ind
for obj in items_to_convert:
obj_type = obj._meta['crits_type']
if obj_type == class_from_type('Event')._meta['crits_type']:
stx, release = to_stix_incident(obj)
stix_msg['stix_incidents'].append(stx)
elif obj_type in ind_list: # convert to STIX indicators
stx, releas = to_stix_indicator(obj)
stix_msg['stix_indicators'].append(stx)
refObjs[obj.id] = S_Ind(idref=stx.id_)
elif obj_type in obs_list: # convert to CybOX observable
if obj_type == class_from_type('Sample')._meta['crits_type']:
stx, releas = to_cybox_observable(obj, bin_fmt=bin_fmt)
else:
stx, releas = to_cybox_observable(obj)
# wrap in stix Indicator
ind = S_Ind()
for ob in stx:
ind.add_observable(ob)
ind.title = "CRITs %s Top-Level Object" % obj_type
ind.description = ("This is simply a CRITs %s top-level "
"object, not actually an Indicator. "
"The Observable is wrapped in an Indicator"
" to facilitate documentation of the "
"relationship." % obj_type)
ind.confidence = 'None'
stx = ind
stix_msg['stix_indicators'].append(stx)
refObjs[obj.id] = S_Ind(idref=stx.id_)
elif obj_type in actor_list: # convert to STIX actor
stx, releas = to_stix_actor(obj)
stix_msg['stix_actors'].append(stx)
# get relationships from CRITs objects
for rel in obj.relationships:
if rel.object_id in refObjs:
relationships.setdefault(stx.id_, {})
relationships[stx.id_][rel.object_id] = (
rel.relationship, rel.rel_confidence.capitalize(),
rel.rel_type)
stix_msg['final_objects'].append(obj)
stix.append(stx)
# set relationships on STIX objects
for stix_obj in stix:
for rel in relationships.get(stix_obj.id_, {}):
if isinstance(refObjs.get(rel), S_Ind): # if is STIX Indicator
stix_obj.related_indicators.append(refObjs[rel])
rel_meta = relationships.get(stix_obj.id_)[rel]
stix_obj.related_indicators[-1].relationship = rel_meta[0]
stix_obj.related_indicators[-1].confidence = rel_meta[1]
# Add any Email Attachments to CybOX EmailMessage Objects
if isinstance(stix_obj, S_Ind):
if 'EmailMessage' in stix_obj.observable.object_.id_:
if rel_meta[0] == 'Contains' and rel_meta[
2] == 'Sample':
email = stix_obj.observable.object_.properties
email.attachments.append(refObjs[rel].idref)
tool_list = ToolInformationList()
tool = ToolInformation("CRITs", "MITRE")
tool.version = settings.CRITS_VERSION
tool_list.append(tool)
i_s = InformationSource(time=Time(produced_time=datetime.now()),
identity=Identity(name=settings.COMPANY_NAME),
tools=tool_list)
if obj._meta['crits_type'] == "Event":
stix_desc = obj.description()
stix_int = obj.event_type()
stix_title = obj.title()
else:
stix_desc = "STIX from %s" % settings.COMPANY_NAME
stix_int = "Collective Threat Intelligence"
stix_title = "Threat Intelligence Sharing"
header = STIXHeader(information_source=i_s,
description=StructuredText(value=stix_desc),
package_intents=[stix_int],
title=stix_title)
stix_msg['stix_obj'] = STIXPackage(incidents=stix_msg['stix_incidents'],
indicators=stix_msg['stix_indicators'],
threat_actors=stix_msg['stix_actors'],
stix_header=header,
id_=uuid.uuid4())
return stix_msg