Merge pull request #272 from chisholm/malware_analysis

Add stix2.1 malware-analysis SDO
master
Chris Lenk 2019-06-28 09:57:47 -04:00 committed by GitHub
commit 266516ebbc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 128 additions and 2 deletions

View File

@ -0,0 +1,82 @@
import json
import pytest
import stix2.exceptions
import stix2.utils
import stix2.v21
MALWARE_ANALYSIS_JSON = """{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--f8afc020-f92f-4906-a971-88ee5882eb46",
"created": "2017-11-28T09:44:58.418Z",
"modified": "2017-12-31T21:27:49.754Z",
"created_by_ref": "identity--e0353ed3-991e-4f71-a332-114c2f10b84f",
"labels": [
"label1",
"label2"
],
"product": "Acme Malware Analyzer",
"version": "2.5",
"host_vm_ref": "software--1bda7336-fe67-469f-a8ca-ab6268b0449b",
"operating_system_ref": "software--c96bfaef-861b-408b-b0f1-b685881725ef",
"installed_software_refs": [
"software--7325bf2d-de9e-441e-b3b3-63df43149897",
"software--46a6a91d-1160-4867-a4d1-b14e080e4e5b"
],
"configuration_version": "1.7",
"module": "Super Analyzer",
"analysis_engine_version": "1.2",
"analysis_definition_version": "3.4",
"submitted": "2018-11-23T06:45:55.747Z",
"analysis_started": "2018-11-29T07:30:03.895Z",
"analysis_ended": "2018-11-29T08:30:03.895Z",
"av_result": "malicious",
"analysis_sco_refs": [
"file--fc27e371-6c88-4c5c-868a-4dda0e60b167",
"url--6f7a74cd-8eb2-4b88-a4da-aa878e50ac2e"
]
}"""
MALWARE_ANALYSIS_DICT = json.loads(MALWARE_ANALYSIS_JSON)
def test_malware_analysis_example():
ma = stix2.v21.MalwareAnalysis(**MALWARE_ANALYSIS_DICT)
assert str(ma) == MALWARE_ANALYSIS_JSON
@pytest.mark.parametrize(
"data", [
MALWARE_ANALYSIS_JSON,
MALWARE_ANALYSIS_DICT,
],
)
def test_parse_malware_analysis(data):
ma = stix2.parse(data, version="2.1")
# timestamp-valued attributes whose values (from JSON) can't be compared
# directly, since stix2 internally converts them to datetime objects.
ts_attrs = {
"created",
"modified",
"submitted",
"analysis_started",
"analysis_ended",
}
for attr_name, attr_value in MALWARE_ANALYSIS_DICT.items():
cmp_value = stix2.utils.parse_into_datetime(attr_value) \
if attr_name in ts_attrs else attr_value
assert getattr(ma, attr_name) == cmp_value
def test_malware_analysis_constraint():
with pytest.raises(stix2.exceptions.AtLeastOnePropertyError):
stix2.v21.MalwareAnalysis(
product="Acme Malware Analyzer",
)

View File

@ -33,8 +33,8 @@ from .observables import (
) )
from .sdo import ( from .sdo import (
AttackPattern, Campaign, CourseOfAction, CustomObject, Identity, Indicator, AttackPattern, Campaign, CourseOfAction, CustomObject, Identity, Indicator,
IntrusionSet, Location, Malware, Note, ObservedData, Opinion, Report, IntrusionSet, Location, Malware, MalwareAnalysis, Note, ObservedData,
ThreatActor, Tool, Vulnerability, Opinion, Report, ThreatActor, Tool, Vulnerability,
) )
from .sro import Relationship, Sighting from .sro import Relationship, Sighting
@ -49,6 +49,7 @@ OBJ_MAP = {
'language-content': LanguageContent, 'language-content': LanguageContent,
'location': Location, 'location': Location,
'malware': Malware, 'malware': Malware,
'malware-analysis': MalwareAnalysis,
'note': Note, 'note': Note,
'marking-definition': MarkingDefinition, 'marking-definition': MarkingDefinition,
'observed-data': ObservedData, 'observed-data': ObservedData,

View File

@ -356,6 +356,49 @@ class Malware(STIXDomainObject):
]) ])
class MalwareAnalysis(STIXDomainObject):
# TODO: Add link
"""For more detailed information on this object's properties, see
`the STIX 2.1 specification <link here>`__.
"""
_type = 'malware-analysis'
_properties = OrderedDict([
('type', TypeProperty(_type)),
('spec_version', StringProperty(fixed='2.1')),
('id', IDProperty(_type, spec_version='2.1')),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('created_by_ref', ReferenceProperty(type='identity', spec_version='2.1')),
('revoked', BooleanProperty(default=lambda: False)),
('labels', ListProperty(StringProperty)),
('confidence', IntegerProperty()),
('lang', StringProperty()),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type='marking-definition', spec_version='2.1'))),
('granular_markings', ListProperty(GranularMarking)),
('product', StringProperty(required=True)),
('version', StringProperty()),
('host_vm_ref', ReferenceProperty(type='software', spec_version='2.1')),
('operating_system_ref', ReferenceProperty(type='software', spec_version='2.1')),
('installed_software_refs', ListProperty(ReferenceProperty(type='software', spec_version='2.1'))),
('configuration_version', StringProperty()),
('module', StringProperty()),
('analysis_engine_version', StringProperty()),
('analysis_definition_version', StringProperty()),
('submitted', TimestampProperty()),
('analysis_started', TimestampProperty()),
('analysis_ended', TimestampProperty()),
('av_result', StringProperty()),
('analysis_sco_refs', ListProperty(ReferenceProperty(spec_version='2.1'))),
])
def _check_object_constraints(self):
super(MalwareAnalysis, self)._check_object_constraints()
self._check_at_least_one_property(["av_result", "analysis_sco_refs"])
class Note(STIXDomainObject): class Note(STIXDomainObject):
# TODO: Add link # TODO: Add link
"""For more detailed information on this object's properties, see """For more detailed information on this object's properties, see