def elevate_string(string): warn( "Results produced by the stix2-elevator are not for production purposes.", 201) clear_id_mapping() clear_pattern_mapping() validator_options = get_validator_options() try: output.set_level(validator_options.verbose) io = StringIO(string) stix_package = EntityParser().parse_xml(io) if not isinstance(stix_package, STIXPackage): raise TypeError("Must be an instance of stix.core.STIXPackage") setup_logger(stix_package.id_) json_string = json.dumps(convert_package( stix_package, get_option_value("package_created_by_id"), get_option_value("default_timestamp")), indent=4, separators=(',', ': '), sort_keys=True) validation_results = validate_string(json_string, validator_options) output.print_results(validation_results) return json_string except ValidationError as ex: output.error("Validation error occurred: '%s'" % ex, codes.EXIT_VALIDATION_ERROR) except OSError as ex: log.error(ex, extra={"ecode": 210})
def from_xml(cls, xml_file, encoding=None): """Parses the `xml_file` file-like object and returns a :class:`STIXPackage` instance. Args: xml_file: A file, file-like object, etree._Element, or etree._ElementTree instance. encoding: The character encoding of the `xml_file` input. If ``None``, an attempt will be made to determine the input character encoding. Default is ``None``. Returns: An instance of :class:`STIXPackage`. """ parser = EntityParser() return parser.parse_xml(xml_file, encoding=encoding)
def elevate_file(fn): warn( "WARNING: Results produced by the stix-elevator are not for production purposes." ) clear_id_mapping() clear_pattern_mapping() stix_package = EntityParser().parse_xml(fn) if isinstance(stix_package, STIXPackage): json_string = json.dumps(convert_package(stix_package), indent=4, separators=(',', ': '), sort_keys=True) validation_results = validate_string(json_string, ValidationOptions()) print_results(validation_results) return json_string else: raise TypeError("Must be an instance of stix.core.STIXPackage")
def from_xml(cls, xml_file): parser = EntityParser() return parser.parse_xml(xml_file)
def main(): # This is a work-around for the fact that the 1.0 indicator type was removed from the STIX python # library, even though it is the essentially the same as the 1.1 type. We want to still support 1.0 # indicators since they are out there, and there is no difference for the purposes of this script. # vocabs._VOCAB_MAP["stixVocabs:IndicatorTypeVocab-1.0"] = IndicatorType # Create XML parser that can strip namespaces xmlParser = EntityParser() stix_package = None argParser = get_parser() args = argParser.parse_args() if args[0].help: print_help(argParser) # Import from a TAXII server elif args[0].referenceset and args[0].taxii: begin_ts = None end_ts = None try: if args[0].begin_ts: structTime = time.strptime(args[0].begin_ts, '%Y-%m-%d %H:%M:%S') begin_ts = datetime.datetime(*structTime[:6]) begin_ts = begin_ts.replace(tzinfo=pytz.UTC) else: begin_ts = None if args[0].end_ts: structTime = time.strptime(args[0].end_ts, '%Y-%m-%d %H:%M:%S') end_ts = datetime.datetime(*structTime[:6]) end_ts = end_ts.replace(tzinfo=pytz.UTC) else: end_ts = None except ValueError: print >> sys.stderr, "Could not parse either start or end time" raise #Create Request Header poll_req = tm11.PollRequest( message_id=tm11.generate_message_id(), collection_name=args[0].collection, exclusive_begin_timestamp_label=begin_ts, inclusive_end_timestamp_label=end_ts, poll_parameters=tm11.PollRequest.PollParameters()) poll_req_xml = poll_req.to_xml() #Create request client object client = tc.HttpClient() #HTTPS Setting if args[0].taxii_ssl: client.set_use_https(True) # Basic Auth if args[0].taxii_username: if not args[0].taxii_password: args[0].taxii_password = getpass.getpass( "Enter your taxii password: "******"content_blocks"]: bindingId = content["content_binding"]["binding_id"] if bindingId and bindingId.startswith( "urn:stix.mitre.org:xml"): if args[0].verbose: print >> sys.stderr, "RECIEVED STIX DATA:\n" print >> sys.stderr, content["content"] try: # This string replace is a workaround for some invalid documents in my test server, if you don't need it, remove it xmlString = content["content"].replace( 'low', 'Low').replace('medium', 'Medium').replace('high', 'High') stix_package = xmlParser.parse_xml( io.BytesIO(xmlString), False) indicators += process_package_dict( args, stix_package.to_dict()) except ValueError: print >> sys.stderr, "Could not parse STIX document: " print >> sys.stderr, content["content"] raise print "Imported", indicators, "indicators into reference set", args[ 0].referenceset else: print >> sys.stderr, "Invalid reponse from TAXII server" pprint.pprint(response_dict, sys.stderr) exit(255) # Import from a XML file on disk elif args[0].referenceset and args[0].file: stix_package = xmlParser.parse_xml(args[0].file, False) indicators = process_package_dict(args, stix_package.to_dict()) print "Imported", indicators, "indicators into reference set", args[ 0].referenceset else: print >> sys.stderr, "Invalid arguments. Type 'python stix_import.py --help' for usage.\n"
def main(): # This is a work-around for the fact that the 1.0 indicator type was removed from the STIX python # library, even though it is the essentially the same as the 1.1 type. We want to still support 1.0 # indicators since they are out there, and there is no difference for the purposes of this script. vocabs._VOCAB_MAP["stixVocabs:IndicatorTypeVocab-1.0"] = IndicatorType # Create XML parser that can strip namespaces xmlParser = EntityParser() stix_package = None argParser = get_parser() args = argParser.parse_args() if args[0].help: print_help(argParser) # Import from a TAXII server elif args[0].referenceset and args[0].taxii: begin_ts = None end_ts = None try: if args[0].begin_ts: structTime = time.strptime(args[0].begin_ts,'%Y-%m-%d %H:%M:%S') begin_ts = datetime.datetime(*structTime[:6]) begin_ts = begin_ts.replace(tzinfo=pytz.UTC) else: begin_ts = None if args[0].end_ts: structTime = time.strptime(args[0].end_ts,'%Y-%m-%d %H:%M:%S') end_ts = datetime.datetime(*structTime[:6]) end_ts = end_ts.replace(tzinfo=pytz.UTC) else: end_ts = None except ValueError: print >> sys.stderr, "Could not parse either start or end time" raise poll_req = tm11.PollRequest(message_id=tm11.generate_message_id(), collection_name=args[0].collection, exclusive_begin_timestamp_label=begin_ts, inclusive_end_timestamp_label=end_ts, poll_parameters=tm11.PollRequest.PollParameters()) poll_req_xml = poll_req.to_xml() client = tc.HttpClient() if args[0].taxii_ssl: client.setUseHttps(True) if args[0].taxii_username: client.setAuthType(1) if not args[0].taxii_password: args[0].taxii_password = getpass.getpass("Enter your taxii password: "******"/poll/", t.VID_TAXII_XML_11, poll_req_xml, args[0].taxiiport) response_message = t.get_message_from_http_response(resp, '0') response_dict = response_message.to_dict(); indicators = 0 if 'content_blocks' in response_dict: for content in response_dict["content_blocks"]: bindingId = content["content_binding"]["binding_id"] if bindingId and bindingId.startswith("urn:stix.mitre.org:xml"): if args[0].verbose: print >> sys.stderr, "RECIEVED STIX DATA:\n" print >> sys.stderr, content["content"] try: # This string replace is a workaround for some invalid documents in my test server, if you don't need it, remove it xmlString = content["content"].replace('low','Low').replace('medium','Medium').replace('high','High') stix_package = xmlParser.parse_xml(io.BytesIO(xmlString), False) indicators += process_package_dict( args, stix_package.to_dict() ) except ValueError: print >> sys.stderr, "Could not parse STIX document: " print >> sys.stderr, content["content"] raise print "Imported", indicators, "indicators into reference set", args[0].referenceset else: print >> sys.stderr, "Invalid reponse from TAXII server" pprint.pprint( response_dict, sys.stderr ) exit(255) # Import from a XML file on disk elif args[0].referenceset and args[0].file: stix_package = xmlParser.parse_xml(args[0].file, False) indicators = process_package_dict( args, stix_package.to_dict() ) print "Imported", indicators, "indicators into reference set", args[0].referenceset else: print >> sys.stderr, "Invalid arguments. Type 'python stix_import.py --help' for usage.\n"
def main(): # Create XML parser that can strip namespaces xmlParser = EntityParser() stix_package = None argParser = get_parser() args = argParser.parse_args() if args[0].help: print_help(argParser) # Import from a TAXII server elif args[0].taxii: begin_ts = None end_ts = None try: if args[0].begin_ts: structTime = time.strptime(args[0].begin_ts, '%Y-%m-%d %H:%M:%S') begin_ts = datetime.datetime(*structTime[:6]) begin_ts = begin_ts.replace(tzinfo=pytz.UTC) else: begin_ts = None if args[0].end_ts: structTime = time.strptime(args[0].end_ts, '%Y-%m-%d %H:%M:%S') end_ts = datetime.datetime(*structTime[:6]) end_ts = end_ts.replace(tzinfo=pytz.UTC) else: end_ts = None except ValueError: print >> sys.stderr, "Could not parse either start or end time" raise poll_req = tm11.PollRequest( message_id=tm11.generate_message_id(), collection_name=args[0].collection, exclusive_begin_timestamp_label=begin_ts, inclusive_end_timestamp_label=end_ts, poll_parameters=tm11.PollRequest.PollParameters()) poll_req_xml = poll_req.to_xml() client = tc.HttpClient() if args[0].taxii_ssl: client.setUseHttps(True) if args[0].taxii_username: client.setAuthType(1) if not args[0].taxii_password: args[0].taxii_password = getpass.getpass( "Enter your taxii password: "******"/poll/", t.VID_TAXII_XML_11, poll_req_xml, args[0].taxiiport) response_message = t.get_message_from_http_response(resp, '0') response_dict = response_message.to_dict() indicators = 0 if 'content_blocks' in response_dict: for content in response_dict["content_blocks"]: bindingId = content["content_binding"]["binding_id"] if bindingId and bindingId.startswith( "urn:stix.mitre.org:xml"): #if args[0].verbose: # print >> sys.stderr, "RECIEVED STIX DATA:\n" #print >> sys.stderr, content["content"] try: # Parse the information stix_pkg = STIXPackage.from_xml( io.BytesIO(content["content"])) stix_package = stix_pkg indicators += process_package_dict( args, stix_package.to_dict()) except ValueError: print >> sys.stderr, "Could not parse STIX document: " print >> sys.stderr, content["content"] raise print "Imported", indicators, "indicators into set" else: print >> sys.stderr, "Invalid reponse from TAXII server" pprint.pprint(response_dict, sys.stderr) exit(255) # Import from a XML file on disk elif args[0].file: stix_package = STIXPackage.from_xml(args[0].file) indicators = process_package_dict(args, stix_package.to_dict()) print "Imported", indicators, "indicators into set" else: print >> sys.stderr, "Invalid arguments. Type 'python stix_Arcsight.py --help' for usage.\n"