本文整理汇总了Python中cybox.core.Observables.add方法的典型用法代码示例。如果您正苦于以下问题:Python Observables.add方法的具体用法?Python Observables.add怎么用?Python Observables.add使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类cybox.core.Observables的用法示例。
在下文中一共展示了Observables.add方法的13个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: walkobservables
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
def walkobservables(obs):
    '''Recursive function for checking observables in an Observables, Observable_composition, Observable tree

    The tree is walked by duck typing: each ``try`` block probes one node
    shape (``obs.observables``, ``obs.observable_composition.observables``,
    or a leaf handed to ``checkcompatible_observable``) and falls through to
    the next on ``AttributeError``.  Children for which the recursive call
    returns ``None`` are collected in a scratch ``Observables`` and removed
    from the parent afterwards, so the parent is not mutated while iterated.

    Returns the pruned ``obs``, or ``None`` when ``obs`` is a leaf that
    ``checkcompatible_observable`` rejects (the caller then drops it).

    NOTE(review): an ``AttributeError`` raised *inside* a loop body, inside
    the recursive call or inside ``checkcompatible_observable`` is swallowed
    by the same handler that implements the shape probing, so such a failure
    silently keeps the node instead of surfacing - confirm this is intended.
    '''
    try:
        # Shape 1: a container exposing ``.observables`` (e.g. Observables).
        remove = Observables()
        for x in obs.observables:
            if walkobservables(x) is None:
                remove.add(x)
        for x in remove:  # assumes Observables is iterable and obs has .remove()
            obs.remove(x)
        return obs
    except AttributeError:
        pass
    try:
        # Shape 2: an Observable wrapping an Observable_Composition.
        remove = Observables()
        for x in obs.observable_composition.observables:
            if walkobservables(x) is None:
                remove.add(x)
        for x in remove:
            obs.observable_composition.observables.remove(x)
        return obs
    except AttributeError:
        pass
    try:
        # Shape 3: a leaf observable; signal removal when it is not compatible.
        if not checkcompatible_observable(obs):
            return None
    except AttributeError:
        pass
    return obs
示例2: cybox_http
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
def cybox_http(observable, observable_type, objects):
    """Wrap every HTTP session object in an ``Observable`` and collect them.

    ``observable.namespace`` (``"name:url"``) is installed as the global
    CybOX id namespace before any object is built, so generated ids carry
    that prefix.  ``observable_type`` is only forwarded to the related-object
    lookup.

    NOTE(review): unlike ``cybox_file``, the related-object lookup result is
    discarded here; the call is kept only so behaviour stays the same.
    """
    ns_name, ns_url = observable.namespace.split(':', 1)
    cybox.utils.set_id_namespace(cybox.utils.Namespace(ns_url, ns_name))

    collected = Observables()
    for obj in objects:
        http_obj = cybox_object_http(obj)
        # get related objects (result currently unused)
        get_related_objects_for_object(obj.id, observable_type)
        wrapper = Observable(http_obj)
        wrapper.title = observable.name
        wrapper.description = observable.description
        collected.add(wrapper)
    return collected
示例3: strip_observables
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
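def strip_observables(pkg_path):
    '''Strips observable from a package, support multiple structures

    Collects every observable referenced by the package's indicators -
    composite indicator expressions are followed to the indicators they
    reference and re-packed into an ``ObservableComposition`` - plus any
    top-level package observables, de-duplicating on ``id_``.  The tree is
    pruned with ``walkobservables`` and written as JSON to
    ``<iocname>/scan.json``.

    ``pkg_path`` is passed straight to ``STIXPackage.from_xml``; this
    function performs no validation of the package content itself.
    ``iocname`` is a module-level name that is not defined here.
    '''
    result = Observables()
    pkg = STIXPackage.from_xml(pkg_path)
    # ids already added to ``result``; a set keeps the membership tests O(1)
    processed = set()
    for ind in pkg.indicators:
        if ind.composite_indicator_expression:
            # The indicator is a composite structure: it references other
            # indicators, which in turn reference the observables.
            cyboxobject = ObservableComposition()
            cyboxobject.operator = str(ind.observable_composition_operator)
            for x in ind.composite_indicator_expression:
                # For every indicator in the composite list, get the referenced indicator.
                ref_ind = getindicator_by_id(pkg, str(x._idref))
                if ref_ind.observables:
                    for y in ref_ind.observables:
                        # For every referenced observable, get the object.
                        ref_obs = getobservable_by_id(pkg, y._idref)
                        if ref_obs:
                            cyboxobject.add(ref_obs)
                            processed.add(ref_obs.id_)
            result.add(cyboxobject)
        if ind.observables:
            for x in ind.observables:
                if x is not None and x.id_ not in processed:
                    result.add(x)
                    processed.add(x.id_)
    if pkg.observables:
        for x in pkg.observables:
            if x is not None and x.id_ not in processed:
                result.add(x)
    # ``with`` closes the file even if serialisation raises.
    with open(os.path.join(iocname, "scan.json"), 'w') as scanfile:
        scanfile.write(json.dumps(walkobservables(result).to_dict(), indent=4))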
示例4: cybox_file
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
def cybox_file(observable, observable_type, objects):
    """Build one ``Observable`` per (file object, file_meta row) pair.

    Related objects are attached to the generated File object with
    ``add_related``; e-mail relations additionally contribute their
    attachments as separate top-level observables.  The global CybOX id
    namespace is installed from ``observable.namespace`` (``"name:url"``)
    before any object is created.
    """
    ns_name, ns_url = observable.namespace.split(':', 1)
    cybox.utils.set_id_namespace(cybox.utils.Namespace(ns_url, ns_name))

    collected = Observables()
    for obj in objects:
        for meta in obj.file_meta.all():
            file_obj = cybox_object_file(obj, meta)
            # get related objects
            for rel_obj_dict in get_related_objects_for_object(obj.id, observable_type):
                for rel_obj in rel_obj_dict['objects']:
                    if isinstance(rel_obj, EmailMessage_Object):
                        rel_o, attachments_list = cybox_object_email(rel_obj)
                        file_obj.add_related(rel_o, rel_obj_dict['relation'], True)
                        # attachments become observables of their own
                        for att in attachments_list:
                            collected.add(Observable(att))
                    elif isinstance(rel_obj, File_Object):
                        # one related File object per file_meta row
                        for rel_meta in rel_obj.file_meta.all():
                            file_obj.add_related(cybox_object_file(rel_obj, rel_meta),
                                                 rel_obj_dict['relation'], True)
                    elif isinstance(rel_obj, Address_Object):
                        file_obj.add_related(cybox_object_address(rel_obj),
                                             rel_obj_dict['relation'], True)
                    elif isinstance(rel_obj, URI_Object):
                        file_obj.add_related(cybox_object_uri(rel_obj),
                                             rel_obj_dict['relation'], True)
                    elif isinstance(rel_obj, HTTPSession_Object):
                        file_obj.add_related(cybox_object_http(rel_obj),
                                             rel_obj_dict['relation'], True)
            wrapper = Observable(file_obj)
            wrapper.title = observable.name
            wrapper.description = observable.description
            collected.add(wrapper)
    return collected
示例5: STIXPackage
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
#.........这里部分代码省略.........
Note:
This property refers to the version of the schema component
type and should not be used for the purpose of content versioning.
Default Value: '1.2'
"""
return self._version
@property
def stix_header(self):
    """The :class:`.STIXHeader` section of the STIX Package.
    """
    # backing attribute is written by the ``stix_header`` setter
    return self._stix_header
@stix_header.setter
def stix_header(self, value):
    """Set the header; ``_set_var`` (base class, not shown here) presumably
    enforces the ``STIXHeader`` type - ``try_cast=False`` disables casting.
    """
    self._set_var(STIXHeader, try_cast=False, stix_header=value)
@property
def indicators(self):
    """The top-level :class:`.Indicator` collection. This behaves like
    a ``MutableSequence`` type.
    """
    # always an ``Indicators`` instance: the setter wraps every value
    return self._indicators
@indicators.setter
def indicators(self, value):
    """Replace the collection; ``value`` (including ``None``) is wrapped in ``Indicators``."""
    self._indicators = Indicators(value)
def add_indicator(self, indicator):
    """Adds an :class:`.Indicator` object to the :attr:`indicators`
    collection.
    """
    # no None-guard needed: the setter always stores an ``Indicators`` instance
    self.indicators.append(indicator)
@property
def campaigns(self):
    """The top-level :class:`.Campaign` collection. This behaves like
    a ``MutableSequence`` type.
    """
    # always a ``Campaigns`` instance: the setter wraps every value
    return self._campaigns
@campaigns.setter
def campaigns(self, value):
    """Replace the collection; ``value`` (including ``None``) is wrapped in ``Campaigns``."""
    self._campaigns = Campaigns(value)
def add_campaign(self, campaign):
    """Adds a :class:`Campaign` object to the :attr:`campaigns` collection.
    """
    # no None-guard needed: the setter always stores a ``Campaigns`` instance
    self.campaigns.append(campaign)
@property
def observables(self):
    """The top-level ``Observable`` collection. This behaves like
    a ``MutableSequence`` type.
    """
    # the corresponding setter is outside the excerpt shown here
    return self._observables
示例6: STIXPackage
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
class STIXPackage(stix.Entity):
# generateDS binding module and the binding class this entity serialises to
_binding = stix_core_binding
_binding_class = _binding.STIXType
# XML namespace of the STIX core schema
_namespace = 'http://stix.mitre.org/stix-1'
# schema version written into ``version`` by ``__init__``
_version = "1.1.1"
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
             courses_of_action=None, exploit_targets=None, indicators=None,
             observables=None, incidents=None, threat_actors=None,
             ttps=None, campaigns=None):
    """Build a package, routing every argument through its property setter.

    Order matters: ``id_`` is assigned before ``idref`` because each of those
    setters clears the other field, so a supplied ``idref`` wins.
    ``version`` is fixed to the class-level ``_version``.
    """
    self.id_ = id_ or stix.utils.create_id("Package")
    self.idref = idref
    self.version = self._version
    self.stix_header = stix_header
    self.campaigns = campaigns
    self.courses_of_action = courses_of_action
    self.exploit_targets = exploit_targets
    self.observables = observables
    self.indicators = indicators
    self.incidents = incidents
    self.threat_actors = threat_actors
    self.ttps = ttps
    self.related_packages = RelatedPackages()
    if timestamp:
        self.timestamp = timestamp
    else:
        # a reference-only package (idref set) carries no timestamp
        self.timestamp = utils.dates.now() if not idref else None
@property
def id_(self):
    """The package id, or ``None`` when the package is a reference (``idref`` set)."""
    return self._id
@id_.setter
def id_(self, value):
    """Store the id; a non-empty id also clears ``idref`` (the two are exclusive)."""
    self._id = value or None
    if value:
        self.idref = None
@property
def idref(self):
    """The id this package refers to, or ``None`` when the package carries its own ``id_``."""
    return self._idref
@idref.setter
def idref(self, value):
    """Store the reference; a non-empty idref also clears ``id_`` (the two are exclusive)."""
    self._idref = value or None
    if value:
        self.id_ = None  # unset id_ if idref is present
@property
def timestamp(self):
    """The parsed timestamp stored by the setter (``None`` for reference packages)."""
    return self._timestamp
@timestamp.setter
def timestamp(self, value):
    """Normalise ``value`` through ``utils.dates.parse_value`` before storing it."""
    self._timestamp = utils.dates.parse_value(value)
@property
def stix_header(self):
    """The ``STIXHeader`` section stored by the setter."""
    return self._stix_header
@stix_header.setter
def stix_header(self, value):
    """Set the header via ``_set_var`` (base class, not shown); ``try_cast=False`` disables casting."""
    self._set_var(STIXHeader, try_cast=False, stix_header=value)
@property
def indicators(self):
    """The ``Indicators`` collection (always wrapped by the setter)."""
    return self._indicators
@indicators.setter
def indicators(self, value):
    """Replace the collection; ``value`` (including ``None``) is wrapped in ``Indicators``."""
    self._indicators = Indicators(value)
def add_indicator(self, indicator):
    """Append ``indicator`` to the ``indicators`` collection (no type check here)."""
    self.indicators.append(indicator)
@property
def campaigns(self):
    """The ``Campaigns`` collection (always wrapped by the setter)."""
    return self._campaigns
@campaigns.setter
def campaigns(self, value):
    """Replace the collection; ``value`` (including ``None``) is wrapped in ``Campaigns``."""
    self._campaigns = Campaigns(value)
def add_campaign(self, campaign):
    """Append ``campaign`` to the ``campaigns`` collection (no type check here)."""
    self.campaigns.append(campaign)
@property
def observables(self):
    """The CybOX ``Observables`` collection stored by the setter."""
    return self._observables
@observables.setter
def observables(self, value):
    """Set the collection via ``_set_var`` (base class, not shown); presumably
    casts ``value`` to ``Observables`` since ``try_cast`` is left at its default.
    """
    self._set_var(Observables, observables=value)
#.........这里部分代码省略.........
示例7: STIXPackage
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
class STIXPackage(stix.Entity):
# generateDS binding module and the binding class this entity serialises to
_binding = stix_core_binding
_binding_class = _binding.STIXType
# XML namespace of the STIX core schema
_namespace = 'http://stix.mitre.org/stix-1'
# schema version written into ``version`` by ``__init__``
_version = "1.1.1"
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None, courses_of_action=None, exploit_targets=None, indicators=None, observables=None, incidents=None, threat_actors=None, ttps=None, campaigns=None):
    """Build a package, routing every argument through its property setter.

    Order matters: ``id_`` is assigned before ``idref`` because each of those
    setters clears the other field, so a supplied ``idref`` wins.
    ``version`` is fixed to the class-level ``_version``.
    """
    self.id_ = id_ or stix.utils.create_id("Package")
    self.idref = idref
    self.version = self._version
    self.stix_header = stix_header
    self.campaigns = campaigns
    self.courses_of_action = courses_of_action
    self.exploit_targets = exploit_targets
    self.observables = observables
    self.indicators = indicators
    self.incidents = incidents
    self.threat_actors = threat_actors
    self.ttps = ttps
    self.related_packages = RelatedPackages()
    if timestamp:
        self.timestamp = timestamp
    else:
        # a reference-only package (idref set) carries no timestamp; otherwise UTC now
        self.timestamp = datetime.now(tzutc()) if not idref else None
@property
def id_(self):
    """The package id, or ``None`` when the package is a reference (``idref`` set)."""
    return self._id
@id_.setter
def id_(self, value):
    """Store the id; a non-empty id also clears ``idref`` (the two are exclusive)."""
    self._id = value or None
    if value:
        self.idref = None
@property
def idref(self):
    """The id this package refers to, or ``None`` when the package carries its own ``id_``."""
    return self._idref
@idref.setter
def idref(self, value):
    """Store the reference; a non-empty idref also clears ``id_`` (the two are exclusive)."""
    self._idref = value or None
    if value:
        self.id_ = None  # unset id_ if idref is present
@property
def timestamp(self):
    """The parsed timestamp stored by the setter (``None`` for reference packages)."""
    return self._timestamp
@timestamp.setter
def timestamp(self, value):
    """Normalise ``value`` through ``dates.parse_value`` before storing it."""
    self._timestamp = dates.parse_value(value)
@property
def stix_header(self):
    """The ``STIXHeader`` instance (or ``None``) accepted by the setter."""
    return self._stix_header
@stix_header.setter
def stix_header(self, value):
    """Store the header.

    Raises:
        ValueError: if ``value`` is truthy but not a ``STIXHeader``.
    """
    acceptable = not value or isinstance(value, STIXHeader)
    if not acceptable:
        raise ValueError('value must be instance of STIXHeader')
    self._stix_header = value
@property
def indicators(self):
    """The plain ``list`` of ``Indicator`` objects maintained by the setter and ``add_indicator``."""
    return self._indicators
@indicators.setter
def indicators(self, value):
    """Reset the list and add ``value`` - ``None``, a single ``Indicator`` or a list of them.

    Each element goes through ``add_indicator`` and is therefore type-checked.
    """
    self._indicators = []
    if not value:
        return
    items = value if isinstance(value, list) else [value]
    for item in items:
        self.add_indicator(item)
def add_indicator(self, indicator):
    """Append ``indicator``; falsy values are silently ignored.

    Raises:
        ValueError: if ``indicator`` is truthy but not an ``Indicator``.
    """
    if not indicator:
        return
    if not isinstance(indicator, Indicator):
        raise ValueError('indicator must be instance of stix.indicator.Indicator')
    self.indicators.append(indicator)
@property
def campaigns(self):
    """The plain ``list`` of campaigns (reset by the setter, whose body continues outside this excerpt)."""
    return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = []
#.........这里部分代码省略.........
示例8: STIXPackage
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
class STIXPackage(stix.Entity):
'''
classdocs
'''
def __init__(self, id_=None, idref_=None, stix_header=None, indicators=None, observables=None):
    '''
    Constructor: fixes ``version`` to ``'1.0'`` and pushes the remaining
    arguments through their property setters, which type-check them.
    '''
    self.id_ = id_ or stix.utils.create_id()
    self.idref_ = idref_
    self.version = '1.0'
    self.indicators = indicators
    self.observables = observables
    self.stix_header = stix_header
@property
def stix_header(self):
    """The ``STIXHeader`` instance (or ``None``) accepted by the setter."""
    return self._stix_header
@stix_header.setter
def stix_header(self, value):
    """Store the header.

    Raises:
        ValueError: if ``value`` is truthy but not a ``STIXHeader``.
    """
    acceptable = not value or isinstance(value, STIXHeader)
    if not acceptable:
        raise ValueError('value must be instance of STIXHeader')
    self._stix_header = value
@property
def indicators(self):
    """The plain ``list`` of indicators maintained by the setter and ``add_indicator``."""
    return self._indicators
@indicators.setter
def indicators(self, valuelist):
    """Reset the list, then feed every entry of ``valuelist`` (if any) to ``add_indicator``."""
    self._indicators = []
    for value in (valuelist or []):
        self.add_indicator(value)
@property
def observables(self):
    """The CybOX ``Observables`` instance (or ``None``) accepted by the setter."""
    return self._observables
@observables.setter
def observables(self, value):
    """Store the observables container.

    Raises:
        ValueError: if ``value`` is truthy but not a ``cybox.core.Observables``.
    """
    acceptable = not value or isinstance(value, Observables)
    if not acceptable:
        raise ValueError('value must be instance of cybox.core.Observables')
    self._observables = value
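def add_indicator(self, indicator):
    """Append ``indicator`` to :attr:`indicators`.

    Falsy values (e.g. ``None``) are ignored instead of appended: ``to_obj``
    calls ``indicator.to_obj()`` on every stored entry, so a stored ``None``
    would break serialisation.  Anything else must be an ``Indicator``.

    Raises:
        ValueError: if ``indicator`` is truthy but not an ``Indicator``.
    """
    if not indicator:
        return
    if not isinstance(indicator, Indicator):
        raise ValueError('indicator must be instance of stix.indicator.Indicator')
    self.indicators.append(indicator)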
def add_observable(self, observable):
    """Add ``observable``, creating the ``Observables`` container on first use.

    An existing but empty (falsy) container is replaced rather than extended.
    """
    if self.observables:
        self.observables.add(observable)
    else:
        self.observables = Observables(observable)
def to_obj(self, return_obj=None):
    """Serialise into a ``stix_core_binding.STIXType`` binding object.

    A fresh binding object is created unless ``return_obj`` is supplied.
    Header, indicators and observables are only emitted when present.
    """
    target = return_obj or stix_core_binding.STIXType()
    target.set_id(self.id_)
    target.set_idref(self.idref_)
    target.set_version(self.version)
    if self.stix_header:
        target.set_STIX_Header(self.stix_header.to_obj())
    if self.indicators:
        indicators_obj = stix_core_binding.IndicatorsType()
        for indicator in self.indicators:
            indicators_obj.add_Indicator(indicator.to_obj())
        target.set_Indicators(indicators_obj)
    if self.observables:
        target.set_Observables(self.observables.to_obj())
    return target
def to_dict(self, return_dict=None):
if not return_dict:
return_dict = {}
if self.id_:
return_dict['id'] = self.id_
return_dict['version'] = self.version
if self.idref_:
return_dict['idref'] = self.idref_
if self.stix_header:
#.........这里部分代码省略.........
示例9: STIXPackage
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
class STIXPackage(stix.Entity):
# generateDS binding module and the binding class this entity serialises to
_binding = stix_core_binding
_binding_class = _binding.STIXType
# XML namespace of the STIX core schema
_namespace = 'http://stix.mitre.org/stix-1'
# schema version written into ``version`` by ``__init__``
_version = "1.1.1"
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None, courses_of_action=None, exploit_targets=None, indicators=None, observables=None, incidents=None, threat_actors=None, ttps=None, campaigns=None):
    """Build a package, routing every argument through its property setter.

    Order matters: ``id_`` is assigned before ``idref`` because each of those
    setters clears the other field, so a supplied ``idref`` wins.
    ``version`` is fixed to the class-level ``_version``.
    """
    self.id_ = id_ or stix.utils.create_id("Package")
    self.idref = idref
    self.version = self._version
    self.stix_header = stix_header
    self.campaigns = campaigns
    self.courses_of_action = courses_of_action
    self.exploit_targets = exploit_targets
    self.observables = observables
    self.indicators = indicators
    self.incidents = incidents
    self.threat_actors = threat_actors
    self.ttps = ttps
    self.related_packages = RelatedPackages()
    if timestamp:
        self.timestamp = timestamp
    else:
        # a reference-only package (idref set) carries no timestamp; otherwise UTC now
        self.timestamp = datetime.now(tzutc()) if not idref else None
@property
def id_(self):
    """The package id, or ``None`` when the package is a reference (``idref`` set)."""
    return self._id
@id_.setter
def id_(self, value):
    """Store the id; a non-empty id also clears ``idref`` (the two are exclusive)."""
    self._id = value or None
    if value:
        self.idref = None
@property
def idref(self):
    """The id this package refers to, or ``None`` when the package carries its own ``id_``."""
    return self._idref
@idref.setter
def idref(self, value):
    """Store the reference; a non-empty idref also clears ``id_`` (the two are exclusive)."""
    self._idref = value or None
    if value:
        self.id_ = None  # unset id_ if idref is present
@property
def timestamp(self):
    """The parsed timestamp stored by the setter (``None`` for reference packages)."""
    return self._timestamp
@timestamp.setter
def timestamp(self, value):
    """Normalise ``value`` through ``dates.parse_value`` before storing it."""
    self._timestamp = dates.parse_value(value)
@property
def stix_header(self):
    """The ``STIXHeader`` instance (or ``None``) accepted by the setter."""
    return self._stix_header
@stix_header.setter
def stix_header(self, value):
    """Store the header.

    Raises:
        ValueError: if ``value`` is truthy but not a ``STIXHeader``.
    """
    acceptable = not value or isinstance(value, STIXHeader)
    if not acceptable:
        raise ValueError('value must be instance of STIXHeader')
    self._stix_header = value
@property
def indicators(self):
    """The plain ``list`` of ``Indicator`` objects maintained by the setter and ``add_indicator``."""
    return self._indicators
@indicators.setter
def indicators(self, value):
    """Reset the list and add ``value`` - ``None``, a single ``Indicator`` or a list of them.

    Each element goes through ``add_indicator`` and is therefore type-checked.
    """
    self._indicators = []
    if not value:
        return
    items = value if isinstance(value, list) else [value]
    for item in items:
        self.add_indicator(item)
def add_indicator(self, indicator):
    """Append ``indicator``; falsy values are silently ignored.

    Raises:
        ValueError: if ``indicator`` is truthy but not an ``Indicator``.
    """
    if not indicator:
        return
    if not isinstance(indicator, Indicator):
        raise ValueError('indicator must be instance of stix.indicator.Indicator')
    self.indicators.append(indicator)
@property
def campaigns(self):
    """The plain ``list`` of campaigns (reset by the setter, whose body continues outside this excerpt)."""
    return self._campaigns
@campaigns.setter
def campaigns(self, value):
self._campaigns = []
#.........这里部分代码省略.........
示例10: STIXPackage
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
class STIXPackage(stix.Entity):
"""A STIX Package object.
Args:
id_ (optional): An identifier. If ``None``, a value will be generated
via ``mixbox.idgen.create_id()``. If set, this will unset the
``idref`` property.
idref: **DEPRECATED** An identifier reference. If set this will unset
the ``id_`` property.
timestamp: **DEPRECATED** A timestamp value. Can be an instance of
``datetime.datetime`` or ``str``.
header: A Report :class:`.Header` object.
campaigns: A collection of :class:`.Campaign` objects.
course_of_action: A collection of :class:`.CourseOfAction` objects.
exploit_targets: A collection of :class:`.ExploitTarget` objects.
incidents: A collection of :class:`.Incident` objects.
indicators: A collection of :class:`.Indicator` objects.
threat_actors: A collection of :class:`.ThreatActor` objects.
ttps: A collection of :class:`.TTP` objects.
related_packages: **DEPRECATED**. A collection of
:class:`.RelatedPackage` objects.
reports: A collection of :class:`.Report` objects.
"""
_binding = stix_core_binding
_binding_class = _binding.STIXType
_namespace = 'http://stix.mitre.org/stix-1'
_version = "1.2"
_ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2")
id_ = fields.IdField("id")
idref = fields.IdrefField("idref", preset_hook=deprecated.field)
version = fields.TypedField("version")
timestamp = fields.DateTimeField("timestamp", preset_hook=deprecated.field)
stix_header = fields.TypedField("STIX_Header", STIXHeader)
campaigns = fields.TypedField("Campaigns", Campaigns)
courses_of_action = fields.TypedField("Courses_Of_Action", CoursesOfAction)
exploit_targets = fields.TypedField("Exploit_Targets", ExploitTargets)
observables = fields.TypedField("Observables", Observables)
indicators = fields.TypedField("Indicators", Indicators)
incidents = fields.TypedField("Incidents", Incidents)
threat_actors = fields.TypedField("Threat_Actors", ThreatActors)
ttps = fields.TypedField("TTPs", TTPs)
related_packages = fields.TypedField("Related_Packages", RelatedPackages)
reports = fields.TypedField("Reports", Reports)
def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None,
             courses_of_action=None, exploit_targets=None, indicators=None,
             observables=None, incidents=None, threat_actors=None,
             ttps=None, campaigns=None, related_packages=None,
             reports=None):
    """Initialise the package; see the class docstring for the arguments.

    Every collection argument defaults to an empty container of its type
    when ``None`` (``related_packages`` is the exception and is stored as
    given).  ``version`` is pinned to ``STIXPackage._version``; ``id_`` is
    set before ``idref`` so a supplied reference wins.
    """
    super(STIXPackage, self).__init__()
    self.id_ = id_ or idgen.create_id("Package")
    self.idref = idref
    self.version = STIXPackage._version
    self.stix_header = stix_header
    self.campaigns = campaigns or Campaigns()
    self.courses_of_action = courses_of_action or CoursesOfAction()
    self.exploit_targets = exploit_targets or ExploitTargets()
    self.observables = observables or Observables()
    self.indicators = indicators or Indicators()
    self.incidents = incidents or Incidents()
    self.threat_actors = threat_actors or ThreatActors()
    self.ttps = ttps or TTPs()
    self.related_packages = related_packages
    self.reports = reports or Reports()
    # assigned last: the DateTimeField descriptor parses it (see class body)
    self.timestamp = timestamp
def add_indicator(self, indicator):
    """Adds an :class:`.Indicator` object to the :attr:`indicators`
    collection.
    """
    # the field may have been explicitly set to None after __init__
    if self.indicators is None:
        self.indicators = Indicators()
    self.indicators.append(indicator)
def add_campaign(self, campaign):
    """Adds a :class:`Campaign` object to the :attr:`campaigns` collection.
    """
    # the field may have been explicitly set to None after __init__
    if self.campaigns is None:
        self.campaigns = Campaigns()
    self.campaigns.append(campaign)
def add_observable(self, observable):
    """Adds an ``Observable`` object to the :attr:`observables` collection.

    A missing or empty (falsy) collection is replaced by a new
    ``Observables`` built around ``observable``; otherwise ``Observables.add``
    is used, which is where any conversion of non-``Observable`` values
    would happen.
    """
    if self.observables:
        self.observables.add(observable)
    else:
        self.observables = Observables(observables=observable)
def add_incident(self, incident):
#.........这里部分代码省略.........
示例11: Report
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
#.........这里部分代码省略.........
"""Specifies a timestamp for the definition of this specific Report
object.
"""
return self._timestamp
@timestamp.setter
def timestamp(self, value):
    """Normalise ``value`` through ``utils.dates.parse_value`` before storing it."""
    self._timestamp = utils.dates.parse_value(value)
@property
def header(self):
    """The :class:`.Header` section for the Report.
    """
    # backing attribute is written by the ``header`` setter
    return self._header
@header.setter
def header(self, value):
    """Set the header via ``_set_var`` (base class, not shown); ``try_cast=False`` disables casting."""
    self._set_var(Header, try_cast=False, header=value)
@property
def indicators(self):
    """The top-level :class:`.Indicator` collection. This behaves like
    a ``MutableSequence`` type.
    """
    # always an ``Indicators`` instance: the setter wraps every value
    return self._indicators
@indicators.setter
def indicators(self, value):
    """Replace the collection; ``value`` (including ``None``) is wrapped in ``Indicators``."""
    self._indicators = Indicators(value)
def add_indicator(self, indicator):
    """Adds an :class:`.Indicator` object to the :attr:`indicators`
    collection.
    """
    # no None-guard needed: the setter always stores an ``Indicators`` instance
    self.indicators.append(indicator)
@property
def campaigns(self):
    """The top-level :class:`.Campaign` collection. This behaves like
    a ``MutableSequence`` type.
    """
    # always a ``Campaigns`` instance: the setter wraps every value
    return self._campaigns
@campaigns.setter
def campaigns(self, value):
    """Replace the collection; ``value`` (including ``None``) is wrapped in ``Campaigns``."""
    self._campaigns = Campaigns(value)
def add_campaign(self, campaign):
    """Adds a :class:`Campaign` object to the :attr:`campaigns` collection.
    """
    # no None-guard needed: the setter always stores a ``Campaigns`` instance
    self.campaigns.append(campaign)
@property
def observables(self):
    """The top-level ``Observable`` collection. This behaves like
    a ``MutableSequence`` type.
    """
    # the corresponding setter is outside the excerpt shown here
    return self._observables
示例12: main
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
def main(Path_Malware):
    '''Score how closely a log's action sequence matches a malware sample's.

    Both files are parsed into observables (``parse`` and ``Path_Log`` are
    module-level names not defined in this function) and reduced by
    ``cyboxpop`` to argument records, skipping observables it returns
    ``None`` for.  Starting at the first log record whose ``Propertys[1]``
    equals that of the first malware record, log records are scanned in
    order and each one that matches the next malware record increments
    CONFIDENCE.  The match count and ratio are printed (Python 2 ``print``).

    NOTE(review): the source's indentation was lost; the placement of the
    ``malobs.add``/``logobs.add`` lines inside the ``if`` is assumed.
    '''
    malobs = Observables()
    logobs = Observables()
    Malware = parse(Path_Malware)
    Log = parse(Path_Log)
    CONFIDENCE = 0  # number of matched patterns
    mallist = []
    loglist = []
    m = 0  # index of the next malware record still to be matched
    key = 0  # log index a previous scan stopped at; prevents re-matching earlier entries
    for ob in Malware:
        args = cyboxpop(ob.to_dict())
        if args is not None:
            mallist.append(args)
            #print args.ActArg
            malobs.add(ob)
    for ob in Log:
        args = cyboxpop(ob.to_dict())
        if args is not None:
            loglist.append(args)
            logobs.add(ob)
    #print "mallist_count:", len(mallist)
    #print "loglist_count:", len(loglist)
    '''
    for mal_num in range(len(mallist)):
    #if loglist[log_num]["event"]["actions"][0]["name"] == mallist[0]["event"]["actions"][0]["name"]:
    cyboxpop(mallist[mal_num])
    #print mallist
    '''
    print "------------------",os.path.basename(Path_Malware),"-------------------"
    for n in range(len(loglist)):
        #print "Log:",n,loglist[n].ActArg,loglist[n].Propertys,len(loglist[n].Propertys)
        #print "[1]:",mallist[1].ActArg,mallist[1].Propertys[1]
        #if loglist[n].ActName == mallist[1].ActName and loglist[n].ActArg == mallist[1].ActArg: #ShinoBOT.exe
        #if loglist[n].ActName == mallist[1].ActName and loglist[n].Propertys[1] == mallist[1].Propertys[1]: #file disguised with ShinoBOT Suite
        #if len(loglist[n].Propertys) > 1:
        # anchor: a log record matching the first malware record starts a scan
        if loglist[n].Propertys[1] == mallist[0].Propertys[1]:
            #if len(loglist)-n-len(loglist) < 0 : break
            l=0  # offset from n of the log record currently examined
            #print "POST!"
            while True:
                # stop when either list is exhausted; remember how far we got
                if len(mallist) < m+1 or len(loglist) < n+l+1:
                    key = n+l
                    break
                # only records beyond the last stop point may count as matches
                if key < n+l and loglist[n+l].Propertys[1] == mallist[m].Propertys[1]:
                    print "Log[",n+l,"]:",loglist[n+l].ActArg,loglist[n+l].Propertys
                    print "Mal[",m,"]:",mallist[m].ActArg,mallist[m].Propertys
                    CONFIDENCE += 1
                    l +=1
                    m +=1
                else :
                    l +=1
    #print logobs.to_xml()
    print "パターン一致数:",CONFIDENCE
    print "マルウェアプロセス数:",len(mallist)
    print "ログプロセス数:",len(loglist)
    print "パターン一致割合:",float(CONFIDENCE)/len(mallist)
示例13: Observables
# 需要导入模块: from cybox.core import Observables [as 别名]
# 或者: from cybox.core.Observables import add [as 别名]
from cybox.objects.file_object import File
from cybox.objects.win_service_object import WinService
from cybox.objects.win_registry_key_object import WinRegistryKey
# this can be changed to an output file
outfd = sys.stdout
# create an Observable object:
observables_doc = Observables([])
# add some different observables:
# you don't have to use every member and there are other members that are not being utilized here:
# NOTE(review): ``Process`` and ``helper`` are used below but are not imported
# in the lines shown above; they must come from earlier in the file.
observables_doc.add(Process.from_dict({"name": "Process.exe",
                                       "pid": 90,
                                       "parent_pid": 10,
                                       #"creation_time": "",
                                       "image_info": {"command_line": "Process.exe /c blah.txt"}}))
observables_doc.add(File.from_dict({"file_name": "file.txt",
                                    "file_extension": "txt",
                                    "file_path": "path\\to\\file.txt"}))
# helper presumably wraps the address / URI into ready-made Observable objects
observables_doc.add(helper.create_ipv4_observable("192.168.1.101"))
observables_doc.add(helper.create_url_observable("somedomain.com"))
observables_doc.add(WinService.from_dict({"service_name": "Service Name",
"display_name": "Service Display name",
"startup_type": "Service type",