Merge pull request #393 from emmanvg/391-ssdeep-hash-case
resolve problem with SSDEEP use in hashing-algorithm-ovmaster^2
commit
33e07edf3b
|
@ -121,21 +121,21 @@ class BooleanConstant(_Constant):
|
||||||
|
|
||||||
|
|
||||||
_HASH_REGEX = {
|
_HASH_REGEX = {
|
||||||
"MD5": ("^[a-fA-F0-9]{32}$", "MD5"),
|
"MD5": (r"^[a-fA-F0-9]{32}$", "MD5"),
|
||||||
"MD6": ("^[a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{56}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128}$", "MD6"),
|
"MD6": (r"^[a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{56}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128}$", "MD6"),
|
||||||
"RIPEMD160": ("^[a-fA-F0-9]{40}$", "RIPEMD-160"),
|
"RIPEMD160": (r"^[a-fA-F0-9]{40}$", "RIPEMD-160"),
|
||||||
"SHA1": ("^[a-fA-F0-9]{40}$", "SHA-1"),
|
"SHA1": (r"^[a-fA-F0-9]{40}$", "SHA-1"),
|
||||||
"SHA224": ("^[a-fA-F0-9]{56}$", "SHA-224"),
|
"SHA224": (r"^[a-fA-F0-9]{56}$", "SHA-224"),
|
||||||
"SHA256": ("^[a-fA-F0-9]{64}$", "SHA-256"),
|
"SHA256": (r"^[a-fA-F0-9]{64}$", "SHA-256"),
|
||||||
"SHA384": ("^[a-fA-F0-9]{96}$", "SHA-384"),
|
"SHA384": (r"^[a-fA-F0-9]{96}$", "SHA-384"),
|
||||||
"SHA512": ("^[a-fA-F0-9]{128}$", "SHA-512"),
|
"SHA512": (r"^[a-fA-F0-9]{128}$", "SHA-512"),
|
||||||
"SHA3224": ("^[a-fA-F0-9]{56}$", "SHA3-224"),
|
"SHA3224": (r"^[a-fA-F0-9]{56}$", "SHA3-224"),
|
||||||
"SHA3256": ("^[a-fA-F0-9]{64}$", "SHA3-256"),
|
"SHA3256": (r"^[a-fA-F0-9]{64}$", "SHA3-256"),
|
||||||
"SHA3384": ("^[a-fA-F0-9]{96}$", "SHA3-384"),
|
"SHA3384": (r"^[a-fA-F0-9]{96}$", "SHA3-384"),
|
||||||
"SHA3512": ("^[a-fA-F0-9]{128}$", "SHA3-512"),
|
"SHA3512": (r"^[a-fA-F0-9]{128}$", "SHA3-512"),
|
||||||
"SSDEEP": ("^[a-zA-Z0-9/+:.]{1,128}$", "ssdeep"),
|
"SSDEEP": (r"^[a-zA-Z0-9/+:.]{1,128}$", "SSDEEP"),
|
||||||
"WHIRLPOOL": ("^[a-fA-F0-9]{128}$", "WHIRLPOOL"),
|
"WHIRLPOOL": (r"^[a-fA-F0-9]{128}$", "WHIRLPOOL"),
|
||||||
"TLSH": ("^[a-fA-F0-9]{70}$", "TLSH"),
|
"TLSH": (r"^[a-fA-F0-9]{70}$", "TLSH"),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
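Review bot: The `MD6` entry in `_HASH_REGEX` is not anchored as a whole: in `^[a-fA-F0-9]{32}|…|[a-fA-F0-9]{128}$` the `^` binds only to the first alternative and the `$` only to the last, so a value that merely starts with 32 hex characters is accepted, and under a search the middle alternatives match anywhere in the string. The commit adds the `r` prefix but keeps the pattern; grouping the alternatives fixes it: `r"^(?:[a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{56}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"`. How this table is consumed is outside the hunk, so which of the two cases applies depends on whether the caller uses `re.match` or `re.search`.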
@ -417,7 +417,7 @@ HASHES_REGEX = {
|
||||||
"SHA3256": (r"^[a-fA-F0-9]{64}$", "SHA3-256"),
|
"SHA3256": (r"^[a-fA-F0-9]{64}$", "SHA3-256"),
|
||||||
"SHA3384": (r"^[a-fA-F0-9]{96}$", "SHA3-384"),
|
"SHA3384": (r"^[a-fA-F0-9]{96}$", "SHA3-384"),
|
||||||
"SHA3512": (r"^[a-fA-F0-9]{128}$", "SHA3-512"),
|
"SHA3512": (r"^[a-fA-F0-9]{128}$", "SHA3-512"),
|
||||||
"SSDEEP": (r"^[a-zA-Z0-9/+:.]{1,128}$", "ssdeep"),
|
"SSDEEP": (r"^[a-zA-Z0-9/+:.]{1,128}$", "SSDEEP"),
|
||||||
"WHIRLPOOL": (r"^[a-fA-F0-9]{128}$", "WHIRLPOOL"),
|
"WHIRLPOOL": (r"^[a-fA-F0-9]{128}$", "WHIRLPOOL"),
|
||||||
"TLSH": (r"^[a-fA-F0-9]{70}$", "TLSH"),
|
"TLSH": (r"^[a-fA-F0-9]{70}$", "TLSH"),
|
||||||
}
|
}
|
||||||
|
@ -431,6 +431,8 @@ class HashesProperty(DictionaryProperty):
|
||||||
key = k.upper().replace('-', '')
|
key = k.upper().replace('-', '')
|
||||||
if key in HASHES_REGEX:
|
if key in HASHES_REGEX:
|
||||||
vocab_key = HASHES_REGEX[key][1]
|
vocab_key = HASHES_REGEX[key][1]
|
||||||
|
if vocab_key == "SSDEEP" and self.spec_version == "2.0":
|
||||||
|
vocab_key = vocab_key.lower()
|
||||||
if not re.match(HASHES_REGEX[key][0], v):
|
if not re.match(HASHES_REGEX[key][0], v):
|
||||||
raise ValueError("'{0}' is not a valid {1} hash".format(v, vocab_key))
|
raise ValueError("'{0}' is not a valid {1} hash".format(v, vocab_key))
|
||||||
if k != vocab_key:
|
if k != vocab_key:
|
||||||
|
|
|
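Review bot: `re.match(HASHES_REGEX[key][0], v)` combined with patterns that end in `$` accepts a value with a trailing newline, because `$` also matches just before a final `\n`; 32 hex characters followed by a newline pass the MD5 check. Ending the patterns in `HASHES_REGEX` with `\Z` instead of `$` closes that without changing the call. The new `if vocab_key == "SSDEEP" and self.spec_version == "2.0":` branch would also benefit from a comment explaining the special case, e.g. `# STIX 2.0 spells this key "ssdeep"; 2.1 uses "SSDEEP"`. The method body starts and continues outside the hunk, so what follows `if k != vocab_key:` could not be checked here.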
@ -714,6 +714,22 @@ def test_file_example():
|
||||||
assert f.decryption_key == "fred" # does the key have a format we can test for?
|
assert f.decryption_key == "fred" # does the key have a format we can test for?
|
||||||
|
|
||||||
|
|
||||||
|
def test_file_ssdeep_example():
|
||||||
|
f = stix2.v20.File(
|
||||||
|
name="example.dll",
|
||||||
|
hashes={
|
||||||
|
"SHA-256": "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a",
|
||||||
|
"ssdeep": "96:gS/mFkCpXTWLr/PbKQHbr/S/mFkCpXTWLr/PbKQHbrB:Tu6SXTWGQHbeu6SXTWGQHbV",
|
||||||
|
},
|
||||||
|
size=1024,
|
||||||
|
)
|
||||||
|
|
||||||
|
assert f.name == "example.dll"
|
||||||
|
assert f.size == 1024
|
||||||
|
assert f.hashes["SHA-256"] == "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a"
|
||||||
|
assert f.hashes["ssdeep"] == "96:gS/mFkCpXTWLr/PbKQHbr/S/mFkCpXTWLr/PbKQHbrB:Tu6SXTWGQHbeu6SXTWGQHbV"
|
||||||
|
|
||||||
|
|
||||||
def test_file_example_with_NTFSExt():
|
def test_file_example_with_NTFSExt():
|
||||||
f = stix2.v20.File(
|
f = stix2.v20.File(
|
||||||
name="abc.txt",
|
name="abc.txt",
|
||||||
|
|
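Review bot: Both new `test_file_ssdeep_example` tests pass the hash key already in the spelling expected for that version (`"ssdeep"` to `stix2.v20.File` here, `"SSDEEP"` to `stix2.v21.File` in the 2.1 test), so neither the opposite spelling nor a rejected value is exercised. A case that passes `"SSDEEP"` to the 2.0 `File` and asserts which key ends up in `f.hashes` would pin the normalisation that the special case in `HashesProperty` is meant to provide. A second case asserting that construction fails for a malformed ssdeep value would cover the validation side. The code after `if k != vocab_key:` is not shown on this page, so the expected stored key should be confirmed against it.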
|
@ -785,6 +785,22 @@ def test_file_example():
|
||||||
assert f.atime == dt.datetime(2016, 12, 21, 20, 0, 0, tzinfo=pytz.utc)
|
assert f.atime == dt.datetime(2016, 12, 21, 20, 0, 0, tzinfo=pytz.utc)
|
||||||
|
|
||||||
|
|
||||||
|
def test_file_ssdeep_example():
|
||||||
|
f = stix2.v21.File(
|
||||||
|
name="example.dll",
|
||||||
|
hashes={
|
||||||
|
"SHA-256": "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a",
|
||||||
|
"SSDEEP": "96:gS/mFkCpXTWLr/PbKQHbr/S/mFkCpXTWLr/PbKQHbrB:Tu6SXTWGQHbeu6SXTWGQHbV",
|
||||||
|
},
|
||||||
|
size=1024,
|
||||||
|
)
|
||||||
|
|
||||||
|
assert f.name == "example.dll"
|
||||||
|
assert f.size == 1024
|
||||||
|
assert f.hashes["SHA-256"] == "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a"
|
||||||
|
assert f.hashes["SSDEEP"] == "96:gS/mFkCpXTWLr/PbKQHbr/S/mFkCpXTWLr/PbKQHbrB:Tu6SXTWGQHbeu6SXTWGQHbV"
|
||||||
|
|
||||||
|
|
||||||
def test_file_example_with_NTFSExt():
|
def test_file_example_with_NTFSExt():
|
||||||
f = stix2.v21.File(
|
f = stix2.v21.File(
|
||||||
name="abc.txt",
|
name="abc.txt",
|
||||||
|
|
|
@ -518,7 +518,7 @@ def test_invalid_boolean_constant():
|
||||||
@pytest.mark.parametrize(
|
@pytest.mark.parametrize(
|
||||||
"hashtype, data", [
|
"hashtype, data", [
|
||||||
('MD5', 'zzz'),
|
('MD5', 'zzz'),
|
||||||
('ssdeep', 'zzz=='),
|
('SSDEEP', 'zzz=='),
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
def test_invalid_hash_constant(hashtype, data):
|
def test_invalid_hash_constant(hashtype, data):
|
||||||
|
|