2017-03-22 13:46:39 +01:00
|
|
|
import datetime as dt
|
2017-04-25 00:29:56 +02:00
|
|
|
import re
|
2017-03-22 13:46:39 +01:00
|
|
|
|
|
|
|
import pytest
|
|
|
|
import pytz
|
2017-05-09 21:10:53 +02:00
|
|
|
|
2017-03-22 13:46:39 +01:00
|
|
|
import stix2
|
|
|
|
|
|
|
|
from .constants import FAKE_TIME, INDICATOR_ID, INDICATOR_KWARGS
|
|
|
|
|
|
|
|
EXPECTED_INDICATOR = """{
|
2017-08-15 19:41:51 +02:00
|
|
|
"type": "indicator",
|
2018-06-27 18:34:49 +02:00
|
|
|
"id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
|
2017-08-15 19:41:51 +02:00
|
|
|
"created": "2017-01-01T00:00:01.000Z",
|
|
|
|
"modified": "2017-01-01T00:00:01.000Z",
|
2017-10-06 16:29:30 +02:00
|
|
|
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
|
|
|
"valid_from": "1970-01-01T00:00:01Z",
|
2017-03-22 13:46:39 +01:00
|
|
|
"labels": [
|
|
|
|
"malicious-activity"
|
2017-10-06 16:29:30 +02:00
|
|
|
]
|
2017-03-22 13:46:39 +01:00
|
|
|
}"""
|
|
|
|
|
|
|
|
EXPECTED_INDICATOR_REPR = "Indicator(" + " ".join("""
|
2017-08-15 19:41:51 +02:00
|
|
|
type='indicator',
|
2018-06-27 18:34:49 +02:00
|
|
|
id='indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7',
|
2017-08-15 19:41:51 +02:00
|
|
|
created='2017-01-01T00:00:01.000Z',
|
|
|
|
modified='2017-01-01T00:00:01.000Z',
|
2017-03-22 13:46:39 +01:00
|
|
|
pattern="[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
2017-10-06 16:29:30 +02:00
|
|
|
valid_from='1970-01-01T00:00:01Z',
|
|
|
|
labels=['malicious-activity']
|
2017-03-22 13:46:39 +01:00
|
|
|
""".split()) + ")"
|
|
|
|
|
|
|
|
|
2017-05-16 18:27:30 +02:00
|
|
|
def test_indicator_with_all_required_properties():
|
2017-03-22 13:46:39 +01:00
|
|
|
now = dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
|
|
|
|
epoch = dt.datetime(1970, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
|
|
|
|
|
2017-03-22 14:05:59 +01:00
|
|
|
ind = stix2.Indicator(
|
2017-03-22 13:46:39 +01:00
|
|
|
type="indicator",
|
|
|
|
id=INDICATOR_ID,
|
|
|
|
created=now,
|
|
|
|
modified=now,
|
2017-10-06 16:29:30 +02:00
|
|
|
pattern="[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
2017-03-22 13:46:39 +01:00
|
|
|
valid_from=epoch,
|
2017-10-06 16:29:30 +02:00
|
|
|
labels=['malicious-activity'],
|
2017-03-22 13:46:39 +01:00
|
|
|
)
|
|
|
|
|
2018-04-16 20:37:07 +02:00
|
|
|
assert ind.revoked is False
|
2017-03-22 14:05:59 +01:00
|
|
|
assert str(ind) == EXPECTED_INDICATOR
|
2017-04-18 15:21:38 +02:00
|
|
|
rep = re.sub(r"(\[|=| )u('|\"|\\\'|\\\")", r"\g<1>\g<2>", repr(ind))
|
|
|
|
assert rep == EXPECTED_INDICATOR_REPR
|
2017-03-22 13:46:39 +01:00
|
|
|
|
|
|
|
|
2017-05-16 18:27:30 +02:00
|
|
|
def test_indicator_autogenerated_properties(indicator):
|
2017-03-22 13:46:39 +01:00
|
|
|
assert indicator.type == 'indicator'
|
2018-06-27 18:34:49 +02:00
|
|
|
assert indicator.id == 'indicator--00000000-0000-4000-8000-000000000001'
|
2017-03-22 13:46:39 +01:00
|
|
|
assert indicator.created == FAKE_TIME
|
|
|
|
assert indicator.modified == FAKE_TIME
|
|
|
|
assert indicator.labels == ['malicious-activity']
|
|
|
|
assert indicator.pattern == "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"
|
|
|
|
assert indicator.valid_from == FAKE_TIME
|
|
|
|
|
|
|
|
assert indicator['type'] == 'indicator'
|
2018-06-27 18:34:49 +02:00
|
|
|
assert indicator['id'] == 'indicator--00000000-0000-4000-8000-000000000001'
|
2017-03-22 13:46:39 +01:00
|
|
|
assert indicator['created'] == FAKE_TIME
|
|
|
|
assert indicator['modified'] == FAKE_TIME
|
|
|
|
assert indicator['labels'] == ['malicious-activity']
|
|
|
|
assert indicator['pattern'] == "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"
|
|
|
|
assert indicator['valid_from'] == FAKE_TIME
|
|
|
|
|
|
|
|
|
|
|
|
def test_indicator_type_must_be_indicator():
|
2017-04-18 21:42:59 +02:00
|
|
|
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
|
2017-03-22 14:05:59 +01:00
|
|
|
stix2.Indicator(type='xxx', **INDICATOR_KWARGS)
|
2017-03-22 13:46:39 +01:00
|
|
|
|
2017-04-18 21:19:16 +02:00
|
|
|
assert excinfo.value.cls == stix2.Indicator
|
|
|
|
assert excinfo.value.prop_name == "type"
|
|
|
|
assert excinfo.value.reason == "must equal 'indicator'."
|
2017-03-22 13:46:39 +01:00
|
|
|
assert str(excinfo.value) == "Invalid value for Indicator 'type': must equal 'indicator'."
|
|
|
|
|
|
|
|
|
|
|
|
def test_indicator_id_must_start_with_indicator():
|
2017-04-18 21:42:59 +02:00
|
|
|
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
|
2017-03-22 14:05:59 +01:00
|
|
|
stix2.Indicator(id='my-prefix--', **INDICATOR_KWARGS)
|
2017-03-22 13:46:39 +01:00
|
|
|
|
2017-04-18 21:19:16 +02:00
|
|
|
assert excinfo.value.cls == stix2.Indicator
|
|
|
|
assert excinfo.value.prop_name == "id"
|
|
|
|
assert excinfo.value.reason == "must start with 'indicator--'."
|
2017-03-22 13:46:39 +01:00
|
|
|
assert str(excinfo.value) == "Invalid value for Indicator 'id': must start with 'indicator--'."
|
|
|
|
|
|
|
|
|
2017-05-16 18:27:30 +02:00
|
|
|
def test_indicator_required_properties():
|
2017-05-19 19:51:59 +02:00
|
|
|
with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
|
2017-03-22 14:05:59 +01:00
|
|
|
stix2.Indicator()
|
2017-04-18 21:41:18 +02:00
|
|
|
|
|
|
|
assert excinfo.value.cls == stix2.Indicator
|
2017-05-16 18:27:30 +02:00
|
|
|
assert excinfo.value.properties == ["labels", "pattern"]
|
|
|
|
assert str(excinfo.value) == "No values for required properties for Indicator: (labels, pattern)."
|
2017-03-22 13:46:39 +01:00
|
|
|
|
|
|
|
|
2017-05-16 18:27:30 +02:00
|
|
|
def test_indicator_required_property_pattern():
|
2017-05-19 19:51:59 +02:00
|
|
|
with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
|
2017-03-22 14:05:59 +01:00
|
|
|
stix2.Indicator(labels=['malicious-activity'])
|
2017-04-18 21:41:18 +02:00
|
|
|
|
|
|
|
assert excinfo.value.cls == stix2.Indicator
|
2017-05-16 18:27:30 +02:00
|
|
|
assert excinfo.value.properties == ["pattern"]
|
2017-03-22 13:46:39 +01:00
|
|
|
|
|
|
|
|
|
|
|
def test_indicator_created_ref_invalid_format():
|
2017-04-18 21:42:59 +02:00
|
|
|
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
|
2017-03-22 14:05:59 +01:00
|
|
|
stix2.Indicator(created_by_ref='myprefix--12345678', **INDICATOR_KWARGS)
|
2017-04-18 21:19:16 +02:00
|
|
|
|
|
|
|
assert excinfo.value.cls == stix2.Indicator
|
|
|
|
assert excinfo.value.prop_name == "created_by_ref"
|
|
|
|
assert excinfo.value.reason == "must start with 'identity'."
|
2017-03-31 21:52:27 +02:00
|
|
|
assert str(excinfo.value) == "Invalid value for Indicator 'created_by_ref': must start with 'identity'."
|
2017-03-22 13:46:39 +01:00
|
|
|
|
|
|
|
|
|
|
|
def test_indicator_revoked_invalid():
|
2017-04-18 21:42:59 +02:00
|
|
|
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
|
2017-04-06 22:08:36 +02:00
|
|
|
stix2.Indicator(revoked='no', **INDICATOR_KWARGS)
|
2017-04-18 21:19:16 +02:00
|
|
|
|
|
|
|
assert excinfo.value.cls == stix2.Indicator
|
|
|
|
assert excinfo.value.prop_name == "revoked"
|
|
|
|
assert excinfo.value.reason == "must be a boolean value."
|
2017-03-22 13:46:39 +01:00
|
|
|
|
|
|
|
|
2017-04-07 22:36:42 +02:00
|
|
|
def test_cannot_assign_to_indicator_attributes(indicator):
|
2017-04-18 22:05:20 +02:00
|
|
|
with pytest.raises(stix2.exceptions.ImmutableError) as excinfo:
|
2017-03-22 13:46:39 +01:00
|
|
|
indicator.valid_from = dt.datetime.now()
|
|
|
|
|
2017-06-02 13:34:37 +02:00
|
|
|
assert str(excinfo.value) == "Cannot modify 'valid_from' property in 'Indicator' after creation."
|
2017-03-22 13:46:39 +01:00
|
|
|
|
|
|
|
|
|
|
|
def test_invalid_kwarg_to_indicator():
|
2017-05-19 19:51:59 +02:00
|
|
|
with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
|
2017-03-22 14:05:59 +01:00
|
|
|
stix2.Indicator(my_custom_property="foo", **INDICATOR_KWARGS)
|
2017-04-18 21:56:16 +02:00
|
|
|
|
|
|
|
assert excinfo.value.cls == stix2.Indicator
|
2017-05-16 18:27:30 +02:00
|
|
|
assert excinfo.value.properties == ['my_custom_property']
|
|
|
|
assert str(excinfo.value) == "Unexpected properties for Indicator: (my_custom_property)."
|
2017-03-22 13:46:39 +01:00
|
|
|
|
|
|
|
|
|
|
|
def test_created_modified_time_are_identical_by_default():
|
|
|
|
"""By default, the created and modified times should be the same."""
|
2017-03-22 14:05:59 +01:00
|
|
|
ind = stix2.Indicator(**INDICATOR_KWARGS)
|
2017-03-22 13:46:39 +01:00
|
|
|
|
2017-03-22 14:05:59 +01:00
|
|
|
assert ind.created == ind.modified
|
2017-04-19 15:22:08 +02:00
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.parametrize("data", [
|
|
|
|
EXPECTED_INDICATOR,
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
2018-06-27 18:34:49 +02:00
|
|
|
"id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
|
2017-04-19 15:22:08 +02:00
|
|
|
"created": "2017-01-01T00:00:01Z",
|
|
|
|
"modified": "2017-01-01T00:00:01Z",
|
|
|
|
"labels": [
|
|
|
|
"malicious-activity"
|
|
|
|
],
|
|
|
|
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
|
|
|
"valid_from": "1970-01-01T00:00:01Z"
|
|
|
|
},
|
|
|
|
])
|
|
|
|
def test_parse_indicator(data):
|
|
|
|
idctr = stix2.parse(data)
|
|
|
|
|
|
|
|
assert idctr.type == 'indicator'
|
|
|
|
assert idctr.id == INDICATOR_ID
|
|
|
|
assert idctr.created == dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
|
|
|
|
assert idctr.modified == dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
|
|
|
|
assert idctr.valid_from == dt.datetime(1970, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
|
|
|
|
assert idctr.labels[0] == "malicious-activity"
|
|
|
|
assert idctr.pattern == "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"
|
2017-08-18 20:22:57 +02:00
|
|
|
|
|
|
|
|
|
|
|
def test_invalid_indicator_pattern():
|
|
|
|
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
|
|
|
|
stix2.Indicator(
|
|
|
|
labels=['malicious-activity'],
|
|
|
|
pattern="file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e'",
|
|
|
|
)
|
|
|
|
assert excinfo.value.cls == stix2.Indicator
|
|
|
|
assert excinfo.value.prop_name == 'pattern'
|
|
|
|
assert 'input is missing square brackets' in excinfo.value.reason
|
|
|
|
|
|
|
|
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
|
|
|
|
stix2.Indicator(
|
|
|
|
labels=['malicious-activity'],
|
|
|
|
pattern='[file:hashes.MD5 = "d41d8cd98f00b204e9800998ecf8427e"]',
|
|
|
|
)
|
|
|
|
assert excinfo.value.cls == stix2.Indicator
|
|
|
|
assert excinfo.value.prop_name == 'pattern'
|
|
|
|
assert 'mismatched input' in excinfo.value.reason
|