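def poll_20(taxii_client, protocol_version='2.0'):
    """Poll a TAXII 2.x collection once and register what it returned.

    Args:
        taxii_client: Client wrapper handed to ``_get_json_response`` /
            ``_get_objects_21``; also carries ``_community``, ``_via`` and
            ``_taxii`` (whose ``last_requested`` is updated and saved).
        protocol_version: ``'2.0'`` writes the raw JSON envelope to disk;
            ``'2.1'`` pages through the envelope and wraps the collected
            objects in a STIX Bundle before writing.

    Returns:
        Number of files handed to ``regist`` (0 or 1). 0 when the response
        has no ``objects`` key, or when 2.1 paging yields no objects.

    Raises:
        ValueError: for a protocol_version other than ``'2.0'``/``'2.1'``
            (previously an empty file would have been registered).
        Anything raised by the fetch, the write or ``regist``; the traceback
            is printed before it propagates.
    """
    count = 0
    fd = None
    stix_file_path = None
    try:
        js = _get_json_response(taxii_client, protocol_version)
        if 'objects' not in js:
            return 0
        # mkstemp creates the file atomically with owner-only permissions;
        # the descriptor is handed to the file object below so it is closed
        # exactly once (the finally only closes it if that never happens).
        fd, stix_file_path = tempfile.mkstemp(suffix='.json')
        if protocol_version == '2.0':
            payload = json.dumps(js, indent=4).encode('utf-8')
        elif protocol_version == '2.1':
            objects = _get_objects_21(taxii_client, protocol_version, [], js)
            if not objects:
                # Nothing to register: remove the empty temp file rather
                # than leaving it behind on every empty poll.
                os.close(fd)
                fd = None
                os.remove(stix_file_path)
                return 0
            payload = Bundle(objects).serialize(pretty=True).encode('utf-8')
        else:
            raise ValueError('unsupported TAXII protocol version: %r' % (protocol_version,))
        with os.fdopen(fd, 'wb') as fp:
            fd = None  # ownership moved to fp; closed by the with-block
            fp.write(payload)
        from ctirs.core.stix.regist import regist
        if taxii_client._community is not None:
            # NOTE(review): the temp file is not removed after regist();
            # presumably regist() takes ownership of it - confirm.
            regist(stix_file_path, taxii_client._community, taxii_client._via)
            count += 1
        taxii_client._taxii.last_requested = datetime.datetime.now(pytz.utc)
        taxii_client._taxii.save()
        return count
    except BaseException:
        traceback.print_exc()
        raise  # bare raise keeps the original traceback intact
    finally:
        if fd is not None:
            try:
                os.close(fd)
            except OSError:
                pass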
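def _resolve_selector(object_, selector_str, content_value):
    """Resolve a dotted *selector_str* inside *object_* and build one contents entry.

    Returns ``(selector, content)``: ``selector`` is the key stored under the
    language, ``content`` the value. When the addressed parent is a list or
    dict only the addressed index/key is filled and the rest is left empty,
    so the language-content overlays the original element in place.

    Raises:
        Exception: when the path does not resolve inside *object_*.
    """
    selector_elems = selector_str.split('.')
    last_elem = object_
    if len(selector_elems) == 1:
        # No dots: the selector names a direct property of the object
        last_selector = selector_str
        last_elem = is_exist_objects(selector_str, last_elem)
    else:
        # Dotted path: descend to the parent of the final component
        for selector in selector_elems[:-1]:
            last_selector = selector
            last_elem = is_exist_objects(selector, last_elem)
    if last_elem is None:
        raise Exception('selector is invalid: ' + str(selector_str))
    if isinstance(last_elem, list):
        # Empty slots everywhere except the addressed index
        lc_lists = [''] * len(last_elem)
        lc_lists[get_list_index_from_selector(selector_elems[-1])] = content_value
        return '.'.join(selector_elems[:-1]), lc_lists
    if isinstance(last_elem, dict):
        # A fresh dict holding only the addressed key
        return '.'.join(selector_elems[:-1]), {selector_elems[-1]: content_value}
    # Scalar property: the content replaces it directly
    return last_selector, content_value


def post_language_contents(request, object_ref, ctirs_auth_user):
    """Create STIX ``language-content`` objects for *object_ref* and register them.

    The request body is JSON of the form
    ``{"language_contents": [{"selector", "content", "language"}, ...]}``.
    One LanguageContent per entry is added to a bundle, the bundle is written
    to a temporary file and passed to ``regist``, and the bundle is echoed
    back in the 201 response. Any failure is printed and returned via
    ``error()``.
    """
    try:
        j = json.loads(request.body)
        # Identity of this S-TIP instance, used as created_by_ref
        stip_identity = _get_stip_identname(request.user)
        bundle = Bundle(stip_identity)
        # The object the translations refer to
        object_ = get_object(object_ref)
        if object_ is None:
            return error(
                Exception('No document. (object_ref=%s)' % (object_ref)))
        for language_content in j['language_contents']:
            selector_str = language_content['selector']
            content_value = language_content['content']
            language = language_content['language']
            try:
                selector, content = _resolve_selector(object_, selector_str, content_value)
            except Exception:
                traceback.print_exc()
                raise
            contents = {language: {selector: content}}
            bundle.objects.append(LanguageContent(
                created_by_ref=stip_identity,
                object_ref=object_ref,
                object_modified=object_['modified'],
                contents=contents))
        via = Vias.get_via_rest_api_upload(uploader=ctirs_auth_user.id)
        community = Communities.get_default_community()
        # NamedTemporaryFile creates the file atomically; tempfile.mktemp
        # only returned a name, which a local attacker could pre-create
        # between the name lookup and the open.
        with tempfile.NamedTemporaryFile(suffix='.json', delete=False) as fp:
            # .encode() applies to the serialized text, not to the int
            # returned by write()
            fp.write(bundle.serialize(indent=4, ensure_ascii=False).encode())
            stix_file_path = fp.name
        regist(stix_file_path, community, via)
        resp = get_normal_response_json()
        resp['data'] = {'bundle': json.loads(str(bundle))}
        return JsonResponse(resp, status=201, safe=False)
    except Exception as e:
        traceback.print_exc()
        return error(e)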
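def processAndSubmit(self):
    """Convert the loaded Cuckoo report into STIX 2 objects and send one bundle.

    Reads ``self.report`` (the parsed analysis), the feature switches
    ``self.EnableRegKeys`` / ``self.EnableNetTraffic`` and the threshold
    ``self.ReportScore``; the result goes through
    ``self.helper.send_stix2_bundle``. Returns None.
    """
    report = self.report
    report_id = str(report.info.id)
    # Points back at the Cuckoo web UI so an analyst can open the analysis
    ext_ref = ExternalReference(
        source_name=f"Cuckoo Sandbox Report {report_id}",
        url=f"{self.cuckoo_url}/analysis/{report_id}/summary",
        external_id=report_id,
    )

    # Observables; each builder is skipped when its report section is empty
    ips = self.createIPObs(report.network.hosts) if report.network.hosts else []
    # createDNSObs returns a pair; index 1 holds the resolves-to relations
    fqdns = self.createDNSObs(report.network.domains) if report.network.domains else [[], []]
    processes = self.createProcessObs(report.process) if report.process else []
    dropped_binaries = self.createBinarieObs(report.dropped) if report.dropped else []
    attack_patterns = self.getAttackPatterns(report.signatures) if report.signatures else []

    # Optional sections stay None (not []) when disabled or absent
    registry_keys = None
    if self.EnableRegKeys and report.behavior and report.behavior.regkey_written:
        registry_keys = self.createRegKeysObs(report.behavior.regkey_written)
    network_traffic = None
    if self.EnableNetTraffic and report.network:
        network_traffic = self.createNetTrafficObs(report.network)

    self.helper.log_info(fqdns)

    # Everything the primary binary should be related to
    ids = self.get_related(
        ips,
        fqdns[0],
        processes,
        network_traffic,
        dropped_binaries,
        attack_patterns,
        registry_keys,
    )

    # Primary sample; payload[0] is the observable, payload[1] the indicator,
    # payload[2] presumably the relationship between them
    payload = self.createPrimaryBinary(report.target.file, ext_ref)
    payload_relations = []
    bundle_ids = []
    for related in ids:
        try:
            target_id = related.id
        except AttributeError:
            # A bare identifier (e.g. an attack pattern that already exists
            # upstream): reference it, but do not ship it in the bundle.
            target_id = related
        else:
            bundle_ids.append(related)
        payload_relations.append(
            Relationship(
                relationship_type="related-to",
                source_ref=payload[0].id,
                target_ref=target_id,
            )
        )
    for atp in attack_patterns:
        payload_relations.append(
            Relationship(
                relationship_type="related-to",
                source_ref=payload[0].id,
                target_ref=atp,
            )
        )
    ids.append(payload[0])  # observable
    ids.append(payload[1])  # indicator
    bundle_ids.extend((payload[0], payload[1]))
    payload_relations.append(payload[2])

    if int(report.info.score) >= self.ReportScore:
        # Only sufficiently scored analyses get a Report object wrapping it all
        cuckoo_report = self.createCuckooReport(report, ids, ext_ref)
        b = Bundle(cuckoo_report, bundle_ids, payload_relations, fqdns[1])
    else:
        b = Bundle(bundle_ids, payload_relations, fqdns[1])
    self.helper.send_stix2_bundle(b.serialize())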