"""Python APIs for STIX 2."""
# flake8: noqa
from . import exceptions
from .bundle import Bundle
from .environment import ObjectFactory
from .observables import (URL, AlternateDataStream, ArchiveExt, Artifact,
AutonomousSystem, CustomObservable, Directory,
DomainName, EmailAddress, EmailMessage,
EmailMIMEComponent, File, HTTPRequestExt, ICMPExt,
IPv4Address, IPv6Address, MACAddress, Mutex,
NetworkTraffic, NTFSExt, PDFExt, Process,
RasterImageExt, SocketExt, Software, TCPExt,
UNIXAccountExt, UserAccount, WindowsPEBinaryExt,
WindowsPEOptionalHeaderType, WindowsPESection,
WindowsProcessExt, WindowsRegistryKey,
WindowsRegistryValueType, WindowsServiceExt,
X509Certificate, X509V3ExtenstionsType,
parse_observable)
from .other import (TLP_AMBER, TLP_GREEN, TLP_RED, TLP_WHITE,
ExternalReference, GranularMarking, KillChainPhase,
MarkingDefinition, StatementMarking, TLPMarking)
from .patterns import (AndBooleanExpression, AndObservationExpression,
BasicObjectPathComponent, EqualityComparisonExpression,
FloatConstant, FollowedByObservationExpression,
GreaterThanComparisonExpression,
GreaterThanEqualComparisonExpression, HashConstant,
HexConstant, IntegerConstant,
IsSubsetComparisonExpression,
IsSupersetComparisonExpression,
LessThanComparisonExpression,
LessThanEqualComparisonExpression,
LikeComparisonExpression, ListConstant,
ListObjectPathComponent, MatchesComparisonExpression,
ObjectPath, ObservationExpression, OrBooleanExpression,
OrObservationExpression, ParentheticalExpression,
QualifiedObservationExpression,
ReferenceObjectPathComponent, RepeatQualifier,
StartStopQualifier, StringConstant, WithinQualifier)
from .sdo import (AttackPattern, Campaign, CourseOfAction, CustomObject,
Identity, Indicator, IntrusionSet, Malware, ObservedData,
Report, ThreatActor, Tool, Vulnerability)
from .sro import Relationship, Sighting
from .utils import get_dict
from .version import __version__
# Dispatch table for parse(): the value of an incoming object's 'type'
# property is looked up here to pick the class that gets instantiated.
# Only types listed here (plus anything added through _register_type())
# can be produced from parsed input.
OBJ_MAP = {
    'attack-pattern': AttackPattern,
    'campaign': Campaign,
    'course-of-action': CourseOfAction,
    'identity': Identity,
    'indicator': Indicator,
    'intrusion-set': IntrusionSet,
    'malware': Malware,
    'marking-definition': MarkingDefinition,
    'observed-data': ObservedData,
    'report': Report,
    'relationship': Relationship,
    'threat-actor': ThreatActor,
    'tool': Tool,
    'sighting': Sighting,
    'vulnerability': Vulnerability,
}
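def parse(data, allow_custom=False):
    """Deserialize a string or file-like object into a STIX object.

    The class to instantiate is chosen by looking up the object's 'type'
    property in OBJ_MAP. STIX content usually arrives from an external
    party, so a 'type' value that cannot be used as a lookup key at all
    (for example a JSON array or object) is reported as a ParseError in the
    same way as an unknown type, instead of escaping as a bare TypeError.

    Args:
        data: The STIX 2 string to be parsed.
        allow_custom (bool): Whether to allow custom properties or not. Default: False.

    Returns:
        An instantiated Python STIX object.

    Raises:
        exceptions.ParseError: If the object has no 'type' property, or its
            'type' value is not a key registered in OBJ_MAP.
    """

    obj = get_dict(data)

    if 'type' not in obj:
        raise exceptions.ParseError("Can't parse object with no 'type' property: %s" % str(obj))

    try:
        obj_class = OBJ_MAP[obj['type']]
    except (KeyError, TypeError):
        # KeyError: type name not registered. TypeError: unhashable value
        # (list/dict) supplied as 'type'. The 1-tuple keeps the %-format
        # well defined whatever the value's type is.
        raise exceptions.ParseError("Can't parse unknown object type '%s'! For custom types, use the CustomObject decorator." % (obj['type'],))

    # Every remaining key of the parsed input is forwarded as a keyword
    # argument; property validation is left to the selected class.
    return obj_class(allow_custom=allow_custom, **obj)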
def _register_type(new_type):
    """Register a custom STIX Object type.

    The class is stored in OBJ_MAP under its ``_type`` attribute, which makes
    parse() able to instantiate it. An entry already present under the same
    name is replaced without any check.
    """

    type_name = new_type._type
    OBJ_MAP[type_name] = new_type