Update v20 and v21 tests
In v20, only minor stuff that was addressing wrong spec. In v21, align tests with new/changed properties in the specsstix2.1
parent
bdfc221cb0
commit
965d7fa788
|
@ -58,7 +58,7 @@ def test_report_example_objects_in_object_refs():
|
||||||
published="2016-01-20T17:00:00Z",
|
published="2016-01-20T17:00:00Z",
|
||||||
labels=["campaign"],
|
labels=["campaign"],
|
||||||
object_refs=[
|
object_refs=[
|
||||||
stix2.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
|
stix2.v20.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
|
||||||
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
|
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
|
||||||
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
|
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
|
||||||
],
|
],
|
||||||
|
@ -79,7 +79,7 @@ def test_report_example_objects_in_object_refs_with_bad_id():
|
||||||
published="2016-01-20T17:00:00Z",
|
published="2016-01-20T17:00:00Z",
|
||||||
labels=["campaign"],
|
labels=["campaign"],
|
||||||
object_refs=[
|
object_refs=[
|
||||||
stix2.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
|
stix2.v20.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
|
||||||
"campaign-83422c77-904c-4dc1-aff5-5c38f3a2c55c", # the "bad" id, missing a "-"
|
"campaign-83422c77-904c-4dc1-aff5-5c38f3a2c55c", # the "bad" id, missing a "-"
|
||||||
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
|
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
|
||||||
],
|
],
|
||||||
|
|
|
@ -215,21 +215,20 @@ def test_revoke_invalid_cls():
|
||||||
|
|
||||||
|
|
||||||
def test_remove_custom_stix_property():
|
def test_remove_custom_stix_property():
|
||||||
mal = stix2.Malware(name="ColePowers",
|
mal = stix2.v20.Malware(name="ColePowers",
|
||||||
labels=["rootkit"],
|
labels=["rootkit"],
|
||||||
is_family=False,
|
x_custom="armada",
|
||||||
x_custom="armada",
|
allow_custom=True)
|
||||||
allow_custom=True)
|
|
||||||
|
|
||||||
mal_nc = stix2.utils.remove_custom_stix(mal)
|
mal_nc = stix2.utils.remove_custom_stix(mal)
|
||||||
|
|
||||||
assert "x_custom" not in mal_nc
|
assert "x_custom" not in mal_nc
|
||||||
assert stix2.utils.parse_into_datetime(mal["modified"], precision="millisecond") < stix2.utils.parse_into_datetime(mal_nc["modified"],
|
assert (stix2.utils.parse_into_datetime(mal["modified"], precision="millisecond") <
|
||||||
precision="millisecond")
|
stix2.utils.parse_into_datetime(mal_nc["modified"], precision="millisecond"))
|
||||||
|
|
||||||
|
|
||||||
def test_remove_custom_stix_object():
|
def test_remove_custom_stix_object():
|
||||||
@stix2.CustomObject("x-animal", [
|
@stix2.v20.CustomObject("x-animal", [
|
||||||
("species", stix2.properties.StringProperty(required=True)),
|
("species", stix2.properties.StringProperty(required=True)),
|
||||||
("animal_class", stix2.properties.StringProperty()),
|
("animal_class", stix2.properties.StringProperty()),
|
||||||
])
|
])
|
||||||
|
|
|
@ -3,7 +3,6 @@ import os
|
||||||
import pytest
|
import pytest
|
||||||
|
|
||||||
import stix2
|
import stix2
|
||||||
from stix2 import Bundle
|
|
||||||
from stix2.workbench import (AttackPattern, Campaign, CourseOfAction,
|
from stix2.workbench import (AttackPattern, Campaign, CourseOfAction,
|
||||||
ExternalReference, FileSystemSource, Filter,
|
ExternalReference, FileSystemSource, Filter,
|
||||||
Identity, Indicator, IntrusionSet, Malware,
|
Identity, Indicator, IntrusionSet, Malware,
|
||||||
|
@ -29,6 +28,7 @@ from .constants import (ATTACK_PATTERN_ID, ATTACK_PATTERN_KWARGS, CAMPAIGN_ID,
|
||||||
VULNERABILITY_KWARGS)
|
VULNERABILITY_KWARGS)
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skip(reason='The workbench is not working correctly for 2.0')
|
||||||
def test_workbench_environment():
|
def test_workbench_environment():
|
||||||
|
|
||||||
# Create a STIX object
|
# Create a STIX object
|
||||||
|
@ -83,6 +83,7 @@ def test_workbench_get_all_identities():
|
||||||
assert resp[0].id == IDENTITY_ID
|
assert resp[0].id == IDENTITY_ID
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skip(reason='The workbench is not working correctly for 2.0')
|
||||||
def test_workbench_get_all_indicators():
|
def test_workbench_get_all_indicators():
|
||||||
resp = indicators()
|
resp = indicators()
|
||||||
assert len(resp) == 1
|
assert len(resp) == 1
|
||||||
|
@ -117,6 +118,7 @@ def test_workbench_get_all_observed_data():
|
||||||
assert resp[0].id == OBSERVED_DATA_ID
|
assert resp[0].id == OBSERVED_DATA_ID
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skip(reason='The workbench is not working correctly for 2.0')
|
||||||
def test_workbench_get_all_reports():
|
def test_workbench_get_all_reports():
|
||||||
rep = Report(id=REPORT_ID, **REPORT_KWARGS)
|
rep = Report(id=REPORT_ID, **REPORT_KWARGS)
|
||||||
save(rep)
|
save(rep)
|
||||||
|
@ -126,6 +128,7 @@ def test_workbench_get_all_reports():
|
||||||
assert resp[0].id == REPORT_ID
|
assert resp[0].id == REPORT_ID
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skip(reason='The workbench is not working correctly for 2.0')
|
||||||
def test_workbench_get_all_threat_actors():
|
def test_workbench_get_all_threat_actors():
|
||||||
thr = ThreatActor(id=THREAT_ACTOR_ID, **THREAT_ACTOR_KWARGS)
|
thr = ThreatActor(id=THREAT_ACTOR_ID, **THREAT_ACTOR_KWARGS)
|
||||||
save(thr)
|
save(thr)
|
||||||
|
@ -135,6 +138,7 @@ def test_workbench_get_all_threat_actors():
|
||||||
assert resp[0].id == THREAT_ACTOR_ID
|
assert resp[0].id == THREAT_ACTOR_ID
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skip(reason='The workbench is not working correctly for 2.0')
|
||||||
def test_workbench_get_all_tools():
|
def test_workbench_get_all_tools():
|
||||||
tool = Tool(id=TOOL_ID, **TOOL_KWARGS)
|
tool = Tool(id=TOOL_ID, **TOOL_KWARGS)
|
||||||
save(tool)
|
save(tool)
|
||||||
|
@ -153,12 +157,14 @@ def test_workbench_get_all_vulnerabilities():
|
||||||
assert resp[0].id == VULNERABILITY_ID
|
assert resp[0].id == VULNERABILITY_ID
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skip(reason='The workbench is not working correctly for 2.0')
|
||||||
def test_workbench_add_to_bundle():
|
def test_workbench_add_to_bundle():
|
||||||
vuln = Vulnerability(**VULNERABILITY_KWARGS)
|
vuln = Vulnerability(**VULNERABILITY_KWARGS)
|
||||||
bundle = Bundle(vuln)
|
bundle = stix2.v20.Bundle(vuln)
|
||||||
assert bundle.objects[0].name == 'Heartbleed'
|
assert bundle.objects[0].name == 'Heartbleed'
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skip(reason='The workbench is not working correctly for 2.0')
|
||||||
def test_workbench_relationships():
|
def test_workbench_relationships():
|
||||||
rel = Relationship(INDICATOR_ID, 'indicates', MALWARE_ID)
|
rel = Relationship(INDICATOR_ID, 'indicates', MALWARE_ID)
|
||||||
save(rel)
|
save(rel)
|
||||||
|
@ -212,6 +218,7 @@ def test_workbench_related_with_filters():
|
||||||
assert len(resp) == 1
|
assert len(resp) == 1
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skip(reason='The workbench is not working correctly for 2.0')
|
||||||
def test_add_data_source():
|
def test_add_data_source():
|
||||||
fs_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), "stix2_data")
|
fs_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), "stix2_data")
|
||||||
fs = FileSystemSource(fs_path)
|
fs = FileSystemSource(fs_path)
|
||||||
|
@ -225,11 +232,13 @@ def test_add_data_source():
|
||||||
assert 'tool--242f3da3-4425-4d11-8f5c-b842886da966' in resp_ids
|
assert 'tool--242f3da3-4425-4d11-8f5c-b842886da966' in resp_ids
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skip(reason='The workbench is not working correctly for 2.0')
|
||||||
def test_additional_filter():
|
def test_additional_filter():
|
||||||
resp = tools(Filter('created_by_ref', '=', 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5'))
|
resp = tools(Filter('created_by_ref', '=', 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5'))
|
||||||
assert len(resp) == 2
|
assert len(resp) == 2
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skip(reason='The workbench is not working correctly for 2.0')
|
||||||
def test_additional_filters_list():
|
def test_additional_filters_list():
|
||||||
resp = tools([Filter('created_by_ref', '=', 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5'),
|
resp = tools([Filter('created_by_ref', '=', 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5'),
|
||||||
Filter('name', '=', 'Windows Credential Editor')])
|
Filter('name', '=', 'Windows Credential Editor')])
|
||||||
|
@ -275,12 +284,12 @@ def test_default_object_marking_refs():
|
||||||
|
|
||||||
|
|
||||||
def test_workbench_custom_property_object_in_observable_extension():
|
def test_workbench_custom_property_object_in_observable_extension():
|
||||||
ntfs = stix2.NTFSExt(
|
ntfs = stix2.v20.NTFSExt(
|
||||||
allow_custom=True,
|
allow_custom=True,
|
||||||
sid=1,
|
sid=1,
|
||||||
x_foo='bar',
|
x_foo='bar',
|
||||||
)
|
)
|
||||||
artifact = stix2.File(
|
artifact = stix2.v20.File(
|
||||||
name='test',
|
name='test',
|
||||||
extensions={'ntfs-ext': ntfs},
|
extensions={'ntfs-ext': ntfs},
|
||||||
)
|
)
|
||||||
|
@ -297,7 +306,7 @@ def test_workbench_custom_property_object_in_observable_extension():
|
||||||
|
|
||||||
|
|
||||||
def test_workbench_custom_property_dict_in_observable_extension():
|
def test_workbench_custom_property_dict_in_observable_extension():
|
||||||
artifact = stix2.File(
|
artifact = stix2.v20.File(
|
||||||
allow_custom=True,
|
allow_custom=True,
|
||||||
name='test',
|
name='test',
|
||||||
extensions={
|
extensions={
|
||||||
|
|
|
@ -53,7 +53,7 @@ def stix_objs1():
|
||||||
ind1 = {
|
ind1 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
@ -66,7 +66,7 @@ def stix_objs1():
|
||||||
ind2 = {
|
ind2 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
@ -79,7 +79,7 @@ def stix_objs1():
|
||||||
ind3 = {
|
ind3 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.936Z",
|
"modified": "2017-01-27T13:49:53.936Z",
|
||||||
|
@ -92,7 +92,7 @@ def stix_objs1():
|
||||||
ind4 = {
|
ind4 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
@ -105,7 +105,7 @@ def stix_objs1():
|
||||||
ind5 = {
|
ind5 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
@ -123,7 +123,7 @@ def stix_objs2():
|
||||||
ind6 = {
|
ind6 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-31T13:49:53.935Z",
|
"modified": "2017-01-31T13:49:53.935Z",
|
||||||
|
@ -136,7 +136,7 @@ def stix_objs2():
|
||||||
ind7 = {
|
ind7 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
@ -149,7 +149,7 @@ def stix_objs2():
|
||||||
ind8 = {
|
ind8 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
|
|
@ -70,7 +70,7 @@ IDENTITY_KWARGS = dict(
|
||||||
)
|
)
|
||||||
|
|
||||||
INDICATOR_KWARGS = dict(
|
INDICATOR_KWARGS = dict(
|
||||||
labels=['malicious-activity'],
|
indicator_types=['malicious-activity'],
|
||||||
pattern="[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
pattern="[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -79,9 +79,9 @@ INTRUSION_SET_KWARGS = dict(
|
||||||
)
|
)
|
||||||
|
|
||||||
MALWARE_KWARGS = dict(
|
MALWARE_KWARGS = dict(
|
||||||
labels=['ransomware'],
|
malware_types=['ransomware'],
|
||||||
name="Cryptolocker",
|
name="Cryptolocker",
|
||||||
is_family=False
|
is_family=True
|
||||||
)
|
)
|
||||||
|
|
||||||
MALWARE_MORE_KWARGS = dict(
|
MALWARE_MORE_KWARGS = dict(
|
||||||
|
@ -89,7 +89,7 @@ MALWARE_MORE_KWARGS = dict(
|
||||||
id=MALWARE_ID,
|
id=MALWARE_ID,
|
||||||
created="2016-04-06T20:03:00.000Z",
|
created="2016-04-06T20:03:00.000Z",
|
||||||
modified="2016-04-06T20:03:00.000Z",
|
modified="2016-04-06T20:03:00.000Z",
|
||||||
labels=['ransomware'],
|
malware_types=['ransomware'],
|
||||||
name="Cryptolocker",
|
name="Cryptolocker",
|
||||||
description="A ransomware related to ...",
|
description="A ransomware related to ...",
|
||||||
is_family=False
|
is_family=False
|
||||||
|
@ -108,7 +108,7 @@ OBSERVED_DATA_KWARGS = dict(
|
||||||
)
|
)
|
||||||
|
|
||||||
REPORT_KWARGS = dict(
|
REPORT_KWARGS = dict(
|
||||||
labels=["campaign"],
|
report_types=["campaign"],
|
||||||
name="Bad Cybercrime",
|
name="Bad Cybercrime",
|
||||||
published=FAKE_TIME,
|
published=FAKE_TIME,
|
||||||
object_refs=[INDICATOR_ID],
|
object_refs=[INDICATOR_ID],
|
||||||
|
@ -125,12 +125,12 @@ SIGHTING_KWARGS = dict(
|
||||||
)
|
)
|
||||||
|
|
||||||
THREAT_ACTOR_KWARGS = dict(
|
THREAT_ACTOR_KWARGS = dict(
|
||||||
labels=["crime-syndicate"],
|
threat_actor_types=["crime-syndicate"],
|
||||||
name="Evil Org",
|
name="Evil Org",
|
||||||
)
|
)
|
||||||
|
|
||||||
TOOL_KWARGS = dict(
|
TOOL_KWARGS = dict(
|
||||||
labels=["remote-access"],
|
tool_types=["remote-access"],
|
||||||
name="VNC",
|
name="VNC",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"id": "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38",
|
"id": "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38",
|
||||||
"labels": [
|
"malware_types": [
|
||||||
"malware"
|
"malware"
|
||||||
],
|
],
|
||||||
"modified": "2017-05-31T21:32:58.226477Z",
|
"modified": "2017-05-31T21:32:58.226477Z",
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"id": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
|
"id": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",
|
||||||
"labels": [
|
"malware_types": [
|
||||||
"malware"
|
"malware"
|
||||||
],
|
],
|
||||||
"modified": "2017-05-31T21:33:26.565056Z",
|
"modified": "2017-05-31T21:33:26.565056Z",
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"id": "malware--96b08451-b27a-4ff6-893f-790e26393a8e",
|
"id": "malware--96b08451-b27a-4ff6-893f-790e26393a8e",
|
||||||
"labels": [
|
"malware_types": [
|
||||||
"malware"
|
"malware"
|
||||||
],
|
],
|
||||||
"modified": "2017-05-31T21:32:48.482655Z",
|
"modified": "2017-05-31T21:32:48.482655Z",
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"id": "malware--b42378e0-f147-496f-992a-26a49705395b",
|
"id": "malware--b42378e0-f147-496f-992a-26a49705395b",
|
||||||
"labels": [
|
"malware_types": [
|
||||||
"malware"
|
"malware"
|
||||||
],
|
],
|
||||||
"modified": "2017-05-31T21:32:15.263882Z",
|
"modified": "2017-05-31T21:32:15.263882Z",
|
||||||
|
|
|
@ -23,7 +23,7 @@
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"id": "tool--03342581-f790-4f03-ba41-e82e67392e23",
|
"id": "tool--03342581-f790-4f03-ba41-e82e67392e23",
|
||||||
"labels": [
|
"tool_types": [
|
||||||
"tool"
|
"tool"
|
||||||
],
|
],
|
||||||
"modified": "2017-05-31T21:32:31.601148Z",
|
"modified": "2017-05-31T21:32:31.601148Z",
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"id": "tool--242f3da3-4425-4d11-8f5c-b842886da966",
|
"id": "tool--242f3da3-4425-4d11-8f5c-b842886da966",
|
||||||
"labels": [
|
"tool_types": [
|
||||||
"tool"
|
"tool"
|
||||||
],
|
],
|
||||||
"modified": "2017-05-31T21:32:12.684914Z",
|
"modified": "2017-05-31T21:32:12.684914Z",
|
||||||
|
|
|
@ -14,11 +14,11 @@ EXPECTED_BUNDLE = """{
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
||||||
"created": "2017-01-01T12:34:56.000Z",
|
"created": "2017-01-01T12:34:56.000Z",
|
||||||
"modified": "2017-01-01T12:34:56.000Z",
|
"modified": "2017-01-01T12:34:56.000Z",
|
||||||
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
"indicator_types": [
|
||||||
"valid_from": "2017-01-01T12:34:56Z",
|
|
||||||
"labels": [
|
|
||||||
"malicious-activity"
|
"malicious-activity"
|
||||||
]
|
],
|
||||||
|
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
||||||
|
"valid_from": "2017-01-01T12:34:56Z"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "malware",
|
"type": "malware",
|
||||||
|
@ -26,11 +26,11 @@ EXPECTED_BUNDLE = """{
|
||||||
"id": "malware--00000000-0000-4000-8000-000000000003",
|
"id": "malware--00000000-0000-4000-8000-000000000003",
|
||||||
"created": "2017-01-01T12:34:56.000Z",
|
"created": "2017-01-01T12:34:56.000Z",
|
||||||
"modified": "2017-01-01T12:34:56.000Z",
|
"modified": "2017-01-01T12:34:56.000Z",
|
||||||
|
"is_family": true,
|
||||||
"name": "Cryptolocker",
|
"name": "Cryptolocker",
|
||||||
"labels": [
|
"malware_types": [
|
||||||
"ransomware"
|
"ransomware"
|
||||||
],
|
]
|
||||||
"is_family": false
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "relationship",
|
"type": "relationship",
|
||||||
|
@ -57,7 +57,7 @@ EXPECTED_BUNDLE_DICT = {
|
||||||
"modified": "2017-01-01T12:34:56.000Z",
|
"modified": "2017-01-01T12:34:56.000Z",
|
||||||
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
||||||
"valid_from": "2017-01-01T12:34:56Z",
|
"valid_from": "2017-01-01T12:34:56Z",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"malicious-activity"
|
"malicious-activity"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
@ -68,10 +68,10 @@ EXPECTED_BUNDLE_DICT = {
|
||||||
"created": "2017-01-01T12:34:56.000Z",
|
"created": "2017-01-01T12:34:56.000Z",
|
||||||
"modified": "2017-01-01T12:34:56.000Z",
|
"modified": "2017-01-01T12:34:56.000Z",
|
||||||
"name": "Cryptolocker",
|
"name": "Cryptolocker",
|
||||||
"labels": [
|
"malware_types": [
|
||||||
"ransomware"
|
"ransomware"
|
||||||
],
|
],
|
||||||
"is_family": False
|
"is_family": True
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "relationship",
|
"type": "relationship",
|
||||||
|
|
|
@ -330,14 +330,14 @@ def test_filesystem_store_all_versions(fs_store):
|
||||||
|
|
||||||
def test_filesystem_store_query(fs_store):
|
def test_filesystem_store_query(fs_store):
|
||||||
# query()
|
# query()
|
||||||
tools = fs_store.query([stix2.Filter("labels", "in", "tool")])
|
tools = fs_store.query([stix2.Filter("tool_types", "in", "tool")])
|
||||||
assert len(tools) == 2
|
assert len(tools) == 2
|
||||||
assert "tool--242f3da3-4425-4d11-8f5c-b842886da966" in [tool.id for tool in tools]
|
assert "tool--242f3da3-4425-4d11-8f5c-b842886da966" in [tool.id for tool in tools]
|
||||||
assert "tool--03342581-f790-4f03-ba41-e82e67392e23" in [tool.id for tool in tools]
|
assert "tool--03342581-f790-4f03-ba41-e82e67392e23" in [tool.id for tool in tools]
|
||||||
|
|
||||||
|
|
||||||
def test_filesystem_store_query_single_filter(fs_store):
|
def test_filesystem_store_query_single_filter(fs_store):
|
||||||
query = stix2.Filter("labels", "in", "tool")
|
query = stix2.Filter("tool_types", "in", "tool")
|
||||||
tools = fs_store.query(query)
|
tools = fs_store.query(query)
|
||||||
assert len(tools) == 2
|
assert len(tools) == 2
|
||||||
assert "tool--242f3da3-4425-4d11-8f5c-b842886da966" in [tool.id for tool in tools]
|
assert "tool--242f3da3-4425-4d11-8f5c-b842886da966" in [tool.id for tool in tools]
|
||||||
|
@ -352,7 +352,7 @@ def test_filesystem_store_empty_query(fs_store):
|
||||||
|
|
||||||
|
|
||||||
def test_filesystem_store_query_multiple_filters(fs_store):
|
def test_filesystem_store_query_multiple_filters(fs_store):
|
||||||
fs_store.source.filters.add(stix2.Filter("labels", "in", "tool"))
|
fs_store.source.filters.add(stix2.Filter("tool_types", "in", "tool"))
|
||||||
tools = fs_store.query(stix2.Filter("id", "=", "tool--242f3da3-4425-4d11-8f5c-b842886da966"))
|
tools = fs_store.query(stix2.Filter("id", "=", "tool--242f3da3-4425-4d11-8f5c-b842886da966"))
|
||||||
assert len(tools) == 1
|
assert len(tools) == 1
|
||||||
assert tools[0].id == "tool--242f3da3-4425-4d11-8f5c-b842886da966"
|
assert tools[0].id == "tool--242f3da3-4425-4d11-8f5c-b842886da966"
|
||||||
|
|
|
@ -10,7 +10,7 @@ stix_objs = [
|
||||||
"description": "\n\nTITLE:\n\tPoison Ivy",
|
"description": "\n\nTITLE:\n\tPoison Ivy",
|
||||||
"id": "malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111",
|
"id": "malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111",
|
||||||
"spec_version": "2.1",
|
"spec_version": "2.1",
|
||||||
"labels": [
|
"malware_types": [
|
||||||
"remote-access-trojan"
|
"remote-access-trojan"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.997Z",
|
"modified": "2017-01-27T13:49:53.997Z",
|
||||||
|
@ -21,7 +21,7 @@ stix_objs = [
|
||||||
{
|
{
|
||||||
"created": "2014-05-08T09:00:00.000Z",
|
"created": "2014-05-08T09:00:00.000Z",
|
||||||
"id": "indicator--a932fcc6-e032-476c-826f-cb970a5a1ade",
|
"id": "indicator--a932fcc6-e032-476c-826f-cb970a5a1ade",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"file-hash-watchlist"
|
"file-hash-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2014-05-08T09:00:00.000Z",
|
"modified": "2014-05-08T09:00:00.000Z",
|
||||||
|
@ -94,7 +94,7 @@ stix_objs = [
|
||||||
filters = [
|
filters = [
|
||||||
Filter("type", "!=", "relationship"),
|
Filter("type", "!=", "relationship"),
|
||||||
Filter("id", "=", "relationship--2f9a9aa9-108a-4333-83e2-4fb25add0463"),
|
Filter("id", "=", "relationship--2f9a9aa9-108a-4333-83e2-4fb25add0463"),
|
||||||
Filter("labels", "in", "remote-access-trojan"),
|
Filter("malware_types", "in", "remote-access-trojan"),
|
||||||
Filter("created", ">", "2015-01-01T01:00:00.000Z"),
|
Filter("created", ">", "2015-01-01T01:00:00.000Z"),
|
||||||
Filter("revoked", "=", True),
|
Filter("revoked", "=", True),
|
||||||
Filter("revoked", "!=", True),
|
Filter("revoked", "!=", True),
|
||||||
|
|
|
@ -15,7 +15,7 @@ from .constants import (CAMPAIGN_ID, CAMPAIGN_KWARGS, IDENTITY_ID,
|
||||||
IND1 = {
|
IND1 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
@ -28,7 +28,7 @@ IND1 = {
|
||||||
IND2 = {
|
IND2 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
@ -41,7 +41,7 @@ IND2 = {
|
||||||
IND3 = {
|
IND3 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.936Z",
|
"modified": "2017-01-27T13:49:53.936Z",
|
||||||
|
@ -54,7 +54,7 @@ IND3 = {
|
||||||
IND4 = {
|
IND4 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
@ -67,7 +67,7 @@ IND4 = {
|
||||||
IND5 = {
|
IND5 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
@ -80,7 +80,7 @@ IND5 = {
|
||||||
IND6 = {
|
IND6 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-31T13:49:53.935Z",
|
"modified": "2017-01-31T13:49:53.935Z",
|
||||||
|
@ -93,7 +93,7 @@ IND6 = {
|
||||||
IND7 = {
|
IND7 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
@ -106,7 +106,7 @@ IND7 = {
|
||||||
IND8 = {
|
IND8 = {
|
||||||
"created": "2017-01-27T13:49:53.935Z",
|
"created": "2017-01-27T13:49:53.935Z",
|
||||||
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
"id": "indicator--00000000-0000-4000-8000-000000000002",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"url-watchlist"
|
"url-watchlist"
|
||||||
],
|
],
|
||||||
"modified": "2017-01-27T13:49:53.935Z",
|
"modified": "2017-01-27T13:49:53.935Z",
|
||||||
|
|
|
@ -110,7 +110,7 @@ def test_add_stix2_object(collection):
|
||||||
|
|
||||||
# create new STIX threat-actor
|
# create new STIX threat-actor
|
||||||
ta = stix2.v21.ThreatActor(name="Teddy Bear",
|
ta = stix2.v21.ThreatActor(name="Teddy Bear",
|
||||||
labels=["nation-state"],
|
threat_actor_types=["nation-state"],
|
||||||
sophistication="innovator",
|
sophistication="innovator",
|
||||||
resource_level="government",
|
resource_level="government",
|
||||||
goals=[
|
goals=[
|
||||||
|
@ -126,7 +126,7 @@ def test_add_stix2_with_custom_object(collection):
|
||||||
|
|
||||||
# create new STIX threat-actor
|
# create new STIX threat-actor
|
||||||
ta = stix2.v21.ThreatActor(name="Teddy Bear",
|
ta = stix2.v21.ThreatActor(name="Teddy Bear",
|
||||||
labels=["nation-state"],
|
threat_actor_types=["nation-state"],
|
||||||
sophistication="innovator",
|
sophistication="innovator",
|
||||||
resource_level="government",
|
resource_level="government",
|
||||||
goals=[
|
goals=[
|
||||||
|
@ -144,7 +144,7 @@ def test_add_list_object(collection, indicator):
|
||||||
|
|
||||||
# create new STIX threat-actor
|
# create new STIX threat-actor
|
||||||
ta = stix2.v21.ThreatActor(name="Teddy Bear",
|
ta = stix2.v21.ThreatActor(name="Teddy Bear",
|
||||||
labels=["nation-state"],
|
threat_actor_types=["nation-state"],
|
||||||
sophistication="innovator",
|
sophistication="innovator",
|
||||||
resource_level="government",
|
resource_level="government",
|
||||||
goals=[
|
goals=[
|
||||||
|
@ -160,7 +160,7 @@ def test_add_stix2_bundle_object(collection):
|
||||||
|
|
||||||
# create new STIX threat-actor
|
# create new STIX threat-actor
|
||||||
ta = stix2.v21.ThreatActor(name="Teddy Bear",
|
ta = stix2.v21.ThreatActor(name="Teddy Bear",
|
||||||
labels=["nation-state"],
|
threat_actor_types=["nation-state"],
|
||||||
sophistication="innovator",
|
sophistication="innovator",
|
||||||
resource_level="government",
|
resource_level="government",
|
||||||
goals=[
|
goals=[
|
||||||
|
@ -182,15 +182,15 @@ def test_add_str_object(collection):
|
||||||
"created": "2018-04-23T16:40:50.847Z",
|
"created": "2018-04-23T16:40:50.847Z",
|
||||||
"modified": "2018-04-23T16:40:50.847Z",
|
"modified": "2018-04-23T16:40:50.847Z",
|
||||||
"name": "Teddy Bear",
|
"name": "Teddy Bear",
|
||||||
|
"threat_actor_types": [
|
||||||
|
"nation-state"
|
||||||
|
],
|
||||||
"goals": [
|
"goals": [
|
||||||
"compromising environment NGOs",
|
"compromising environment NGOs",
|
||||||
"water-hole attacks geared towards energy sector"
|
"water-hole attacks geared towards energy sector"
|
||||||
],
|
],
|
||||||
"sophistication": "innovator",
|
"sophistication": "innovator",
|
||||||
"resource_level": "government",
|
"resource_level": "government"
|
||||||
"labels": [
|
|
||||||
"nation-state"
|
|
||||||
]
|
|
||||||
}"""
|
}"""
|
||||||
|
|
||||||
tc_sink.add(ta)
|
tc_sink.add(ta)
|
||||||
|
@ -212,7 +212,7 @@ def test_add_dict_object(collection):
|
||||||
],
|
],
|
||||||
"sophistication": "innovator",
|
"sophistication": "innovator",
|
||||||
"resource_level": "government",
|
"resource_level": "government",
|
||||||
"labels": [
|
"threat_actor_types": [
|
||||||
"nation-state"
|
"nation-state"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -240,7 +240,7 @@ def test_add_dict_bundle_object(collection):
|
||||||
],
|
],
|
||||||
"sophistication": "innovator",
|
"sophistication": "innovator",
|
||||||
"resource_level": "government",
|
"resource_level": "government",
|
||||||
"labels": [
|
"threat_actor_types": [
|
||||||
"nation-state"
|
"nation-state"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -288,7 +288,7 @@ def test_add_get_remove_filter(collection):
|
||||||
valid_filters = [
|
valid_filters = [
|
||||||
Filter('type', '=', 'malware'),
|
Filter('type', '=', 'malware'),
|
||||||
Filter('id', '!=', 'stix object id'),
|
Filter('id', '!=', 'stix object id'),
|
||||||
Filter('labels', 'in', ["heartbleed", "malicious-activity"]),
|
Filter('threat_actor_types', 'in', ["heartbleed", "malicious-activity"]),
|
||||||
]
|
]
|
||||||
|
|
||||||
assert len(ds.filters) == 0
|
assert len(ds.filters) == 0
|
||||||
|
|
|
@ -135,7 +135,7 @@ def test_environment_functions():
|
||||||
def test_environment_source_and_sink():
|
def test_environment_source_and_sink():
|
||||||
ind = stix2.v21.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
|
ind = stix2.v21.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
|
||||||
env = stix2.Environment(source=stix2.MemorySource([ind]), sink=stix2.MemorySink([ind]))
|
env = stix2.Environment(source=stix2.MemorySource([ind]), sink=stix2.MemorySink([ind]))
|
||||||
assert env.get(INDICATOR_ID).labels[0] == 'malicious-activity'
|
assert env.get(INDICATOR_ID).indicator_types[0] == 'malicious-activity'
|
||||||
|
|
||||||
|
|
||||||
def test_environment_datastore_and_sink():
|
def test_environment_datastore_and_sink():
|
||||||
|
@ -195,7 +195,7 @@ def test_parse_malware():
|
||||||
"created": "2017-01-01T12:34:56.000Z",
|
"created": "2017-01-01T12:34:56.000Z",
|
||||||
"modified": "2017-01-01T12:34:56.000Z",
|
"modified": "2017-01-01T12:34:56.000Z",
|
||||||
"name": "Cryptolocker",
|
"name": "Cryptolocker",
|
||||||
"labels": [
|
"malware_types": [
|
||||||
"ransomware"
|
"ransomware"
|
||||||
],
|
],
|
||||||
"is_family": false
|
"is_family": false
|
||||||
|
@ -207,7 +207,7 @@ def test_parse_malware():
|
||||||
assert mal.id == MALWARE_ID
|
assert mal.id == MALWARE_ID
|
||||||
assert mal.created == FAKE_TIME
|
assert mal.created == FAKE_TIME
|
||||||
assert mal.modified == FAKE_TIME
|
assert mal.modified == FAKE_TIME
|
||||||
assert mal.labels == ['ransomware']
|
assert mal.malware_types == ['ransomware']
|
||||||
assert mal.name == "Cryptolocker"
|
assert mal.name == "Cryptolocker"
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -569,11 +569,11 @@ IS_MARKED_TEST_DATA = [
|
||||||
"marking_ref": MARKING_IDS[1]
|
"marking_ref": MARKING_IDS[1]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"selectors": ["labels", "description"],
|
"selectors": ["malware_types", "description"],
|
||||||
"marking_ref": MARKING_IDS[2]
|
"marking_ref": MARKING_IDS[2]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"selectors": ["labels", "description"],
|
"selectors": ["malware_types", "description"],
|
||||||
"marking_ref": MARKING_IDS[3]
|
"marking_ref": MARKING_IDS[3]
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
|
@ -586,11 +586,11 @@ IS_MARKED_TEST_DATA = [
|
||||||
"marking_ref": MARKING_IDS[1]
|
"marking_ref": MARKING_IDS[1]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"selectors": ["labels", "description"],
|
"selectors": ["malware_types", "description"],
|
||||||
"marking_ref": MARKING_IDS[2]
|
"marking_ref": MARKING_IDS[2]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"selectors": ["labels", "description"],
|
"selectors": ["malware_types", "description"],
|
||||||
"marking_ref": MARKING_IDS[3]
|
"marking_ref": MARKING_IDS[3]
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
|
@ -630,7 +630,7 @@ def test_is_marked_invalid_selector(data, selector):
|
||||||
@pytest.mark.parametrize("data", IS_MARKED_TEST_DATA)
|
@pytest.mark.parametrize("data", IS_MARKED_TEST_DATA)
|
||||||
def test_is_marked_mix_selector(data):
|
def test_is_marked_mix_selector(data):
|
||||||
"""Test valid selector, one marked and one not marked returns True."""
|
"""Test valid selector, one marked and one not marked returns True."""
|
||||||
assert markings.is_marked(data, selectors=["description", "labels"])
|
assert markings.is_marked(data, selectors=["description", "malware_types"])
|
||||||
assert markings.is_marked(data, selectors=["description"])
|
assert markings.is_marked(data, selectors=["description"])
|
||||||
|
|
||||||
|
|
||||||
|
@ -654,10 +654,10 @@ def test_is_marked_valid_selector_and_refs(data):
|
||||||
def test_is_marked_valid_selector_multiple_refs(data):
|
def test_is_marked_valid_selector_multiple_refs(data):
|
||||||
"""Test that a valid selector returns True if aall marking_refs match.
|
"""Test that a valid selector returns True if aall marking_refs match.
|
||||||
Otherwise False."""
|
Otherwise False."""
|
||||||
assert markings.is_marked(data, [MARKING_IDS[2], MARKING_IDS[3]], ["labels"])
|
assert markings.is_marked(data, [MARKING_IDS[2], MARKING_IDS[3]], ["malware_types"])
|
||||||
assert markings.is_marked(data, [MARKING_IDS[2], MARKING_IDS[1]], ["labels"]) is False
|
assert markings.is_marked(data, [MARKING_IDS[2], MARKING_IDS[1]], ["malware_types"]) is False
|
||||||
assert markings.is_marked(data, MARKING_IDS[2], ["labels"])
|
assert markings.is_marked(data, MARKING_IDS[2], ["malware_types"])
|
||||||
assert markings.is_marked(data, ["marking-definition--1234"], ["labels"]) is False
|
assert markings.is_marked(data, ["marking-definition--1234"], ["malware_types"]) is False
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize("data", IS_MARKED_TEST_DATA)
|
@pytest.mark.parametrize("data", IS_MARKED_TEST_DATA)
|
||||||
|
@ -666,7 +666,7 @@ def test_is_marked_no_marking_refs(data):
|
||||||
if there is a granular_marking that asserts that field, False
|
if there is a granular_marking that asserts that field, False
|
||||||
otherwise."""
|
otherwise."""
|
||||||
assert markings.is_marked(data, selectors=["type"]) is False
|
assert markings.is_marked(data, selectors=["type"]) is False
|
||||||
assert markings.is_marked(data, selectors=["labels"])
|
assert markings.is_marked(data, selectors=["malware_types"])
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize("data", IS_MARKED_TEST_DATA)
|
@pytest.mark.parametrize("data", IS_MARKED_TEST_DATA)
|
||||||
|
@ -1065,4 +1065,4 @@ def test_clear_marking_bad_selector(data, selector):
|
||||||
def test_clear_marking_not_present(data):
|
def test_clear_marking_not_present(data):
|
||||||
"""Test clearing markings for a selector that has no associated markings."""
|
"""Test clearing markings for a selector that has no associated markings."""
|
||||||
with pytest.raises(MarkingNotFoundError):
|
with pytest.raises(MarkingNotFoundError):
|
||||||
markings.clear_markings(data, ["labels"])
|
markings.clear_markings(data, ["malware_types"])
|
||||||
|
|
|
@ -14,11 +14,11 @@ EXPECTED_INDICATOR = """{
|
||||||
"id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
|
"id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
|
||||||
"created": "2017-01-01T00:00:01.000Z",
|
"created": "2017-01-01T00:00:01.000Z",
|
||||||
"modified": "2017-01-01T00:00:01.000Z",
|
"modified": "2017-01-01T00:00:01.000Z",
|
||||||
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
"indicator_types": [
|
||||||
"valid_from": "1970-01-01T00:00:01Z",
|
|
||||||
"labels": [
|
|
||||||
"malicious-activity"
|
"malicious-activity"
|
||||||
]
|
],
|
||||||
|
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
||||||
|
"valid_from": "1970-01-01T00:00:01Z"
|
||||||
}"""
|
}"""
|
||||||
|
|
||||||
EXPECTED_INDICATOR_REPR = "Indicator(" + " ".join("""
|
EXPECTED_INDICATOR_REPR = "Indicator(" + " ".join("""
|
||||||
|
@ -27,9 +27,9 @@ EXPECTED_INDICATOR_REPR = "Indicator(" + " ".join("""
|
||||||
id='indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7',
|
id='indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7',
|
||||||
created='2017-01-01T00:00:01.000Z',
|
created='2017-01-01T00:00:01.000Z',
|
||||||
modified='2017-01-01T00:00:01.000Z',
|
modified='2017-01-01T00:00:01.000Z',
|
||||||
|
indicator_types=['malicious-activity'],
|
||||||
pattern="[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
pattern="[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
||||||
valid_from='1970-01-01T00:00:01Z',
|
valid_from='1970-01-01T00:00:01Z'
|
||||||
labels=['malicious-activity']
|
|
||||||
""".split()) + ")"
|
""".split()) + ")"
|
||||||
|
|
||||||
|
|
||||||
|
@ -44,7 +44,7 @@ def test_indicator_with_all_required_properties():
|
||||||
modified=now,
|
modified=now,
|
||||||
pattern="[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
pattern="[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
||||||
valid_from=epoch,
|
valid_from=epoch,
|
||||||
labels=['malicious-activity'],
|
indicator_types=['malicious-activity'],
|
||||||
)
|
)
|
||||||
|
|
||||||
assert ind.revoked is False
|
assert ind.revoked is False
|
||||||
|
@ -59,7 +59,7 @@ def test_indicator_autogenerated_properties(indicator):
|
||||||
assert indicator.id == 'indicator--00000000-0000-4000-8000-000000000001'
|
assert indicator.id == 'indicator--00000000-0000-4000-8000-000000000001'
|
||||||
assert indicator.created == FAKE_TIME
|
assert indicator.created == FAKE_TIME
|
||||||
assert indicator.modified == FAKE_TIME
|
assert indicator.modified == FAKE_TIME
|
||||||
assert indicator.labels == ['malicious-activity']
|
assert indicator.indicator_types == ['malicious-activity']
|
||||||
assert indicator.pattern == "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"
|
assert indicator.pattern == "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"
|
||||||
assert indicator.valid_from == FAKE_TIME
|
assert indicator.valid_from == FAKE_TIME
|
||||||
|
|
||||||
|
@ -68,7 +68,7 @@ def test_indicator_autogenerated_properties(indicator):
|
||||||
assert indicator['id'] == 'indicator--00000000-0000-4000-8000-000000000001'
|
assert indicator['id'] == 'indicator--00000000-0000-4000-8000-000000000001'
|
||||||
assert indicator['created'] == FAKE_TIME
|
assert indicator['created'] == FAKE_TIME
|
||||||
assert indicator['modified'] == FAKE_TIME
|
assert indicator['modified'] == FAKE_TIME
|
||||||
assert indicator['labels'] == ['malicious-activity']
|
assert indicator['indicator_types'] == ['malicious-activity']
|
||||||
assert indicator['pattern'] == "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"
|
assert indicator['pattern'] == "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"
|
||||||
assert indicator['valid_from'] == FAKE_TIME
|
assert indicator['valid_from'] == FAKE_TIME
|
||||||
|
|
||||||
|
@ -98,13 +98,13 @@ def test_indicator_required_properties():
|
||||||
stix2.v21.Indicator()
|
stix2.v21.Indicator()
|
||||||
|
|
||||||
assert excinfo.value.cls == stix2.v21.Indicator
|
assert excinfo.value.cls == stix2.v21.Indicator
|
||||||
assert excinfo.value.properties == ["labels", "pattern"]
|
assert excinfo.value.properties == ["indicator_types", "pattern"]
|
||||||
assert str(excinfo.value) == "No values for required properties for Indicator: (labels, pattern)."
|
assert str(excinfo.value) == "No values for required properties for Indicator: (indicator_types, pattern)."
|
||||||
|
|
||||||
|
|
||||||
def test_indicator_required_property_pattern():
|
def test_indicator_required_property_pattern():
|
||||||
with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
|
with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
|
||||||
stix2.v21.Indicator(labels=['malicious-activity'])
|
stix2.v21.Indicator(indicator_types=['malicious-activity'])
|
||||||
|
|
||||||
assert excinfo.value.cls == stix2.v21.Indicator
|
assert excinfo.value.cls == stix2.v21.Indicator
|
||||||
assert excinfo.value.properties == ["pattern"]
|
assert excinfo.value.properties == ["pattern"]
|
||||||
|
@ -159,7 +159,7 @@ def test_created_modified_time_are_identical_by_default():
|
||||||
"id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
|
"id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
|
||||||
"created": "2017-01-01T00:00:01Z",
|
"created": "2017-01-01T00:00:01Z",
|
||||||
"modified": "2017-01-01T00:00:01Z",
|
"modified": "2017-01-01T00:00:01Z",
|
||||||
"labels": [
|
"indicator_types": [
|
||||||
"malicious-activity"
|
"malicious-activity"
|
||||||
],
|
],
|
||||||
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
||||||
|
@ -175,14 +175,14 @@ def test_parse_indicator(data):
|
||||||
assert idctr.created == dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
|
assert idctr.created == dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
|
||||||
assert idctr.modified == dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
|
assert idctr.modified == dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
|
||||||
assert idctr.valid_from == dt.datetime(1970, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
|
assert idctr.valid_from == dt.datetime(1970, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
|
||||||
assert idctr.labels[0] == "malicious-activity"
|
assert idctr.indicator_types[0] == "malicious-activity"
|
||||||
assert idctr.pattern == "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"
|
assert idctr.pattern == "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"
|
||||||
|
|
||||||
|
|
||||||
def test_invalid_indicator_pattern():
|
def test_invalid_indicator_pattern():
|
||||||
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
|
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
|
||||||
stix2.v21.Indicator(
|
stix2.v21.Indicator(
|
||||||
labels=['malicious-activity'],
|
indicator_types=['malicious-activity'],
|
||||||
pattern="file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e'",
|
pattern="file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e'",
|
||||||
)
|
)
|
||||||
assert excinfo.value.cls == stix2.v21.Indicator
|
assert excinfo.value.cls == stix2.v21.Indicator
|
||||||
|
@ -191,7 +191,7 @@ def test_invalid_indicator_pattern():
|
||||||
|
|
||||||
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
|
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
|
||||||
stix2.v21.Indicator(
|
stix2.v21.Indicator(
|
||||||
labels=['malicious-activity'],
|
indicator_types=['malicious-activity'],
|
||||||
pattern='[file:hashes.MD5 = "d41d8cd98f00b204e9800998ecf8427e"]',
|
pattern='[file:hashes.MD5 = "d41d8cd98f00b204e9800998ecf8427e"]',
|
||||||
)
|
)
|
||||||
assert excinfo.value.cls == stix2.v21.Indicator
|
assert excinfo.value.cls == stix2.v21.Indicator
|
||||||
|
|
|
@ -14,11 +14,11 @@ EXPECTED_MALWARE = """{
|
||||||
"id": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
|
"id": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
|
||||||
"created": "2016-05-12T08:17:27.000Z",
|
"created": "2016-05-12T08:17:27.000Z",
|
||||||
"modified": "2016-05-12T08:17:27.000Z",
|
"modified": "2016-05-12T08:17:27.000Z",
|
||||||
|
"is_family": true,
|
||||||
"name": "Cryptolocker",
|
"name": "Cryptolocker",
|
||||||
"labels": [
|
"malware_types": [
|
||||||
"ransomware"
|
"ransomware"
|
||||||
],
|
]
|
||||||
"is_family": false
|
|
||||||
}"""
|
}"""
|
||||||
|
|
||||||
|
|
||||||
|
@ -30,9 +30,9 @@ def test_malware_with_all_required_properties():
|
||||||
id=MALWARE_ID,
|
id=MALWARE_ID,
|
||||||
created=now,
|
created=now,
|
||||||
modified=now,
|
modified=now,
|
||||||
labels=["ransomware"],
|
malware_types=["ransomware"],
|
||||||
name="Cryptolocker",
|
name="Cryptolocker",
|
||||||
is_family=False
|
is_family=True
|
||||||
)
|
)
|
||||||
|
|
||||||
assert str(mal) == EXPECTED_MALWARE
|
assert str(mal) == EXPECTED_MALWARE
|
||||||
|
@ -43,14 +43,14 @@ def test_malware_autogenerated_properties(malware):
|
||||||
assert malware.id == 'malware--00000000-0000-4000-8000-000000000001'
|
assert malware.id == 'malware--00000000-0000-4000-8000-000000000001'
|
||||||
assert malware.created == FAKE_TIME
|
assert malware.created == FAKE_TIME
|
||||||
assert malware.modified == FAKE_TIME
|
assert malware.modified == FAKE_TIME
|
||||||
assert malware.labels == ['ransomware']
|
assert malware.malware_types == ['ransomware']
|
||||||
assert malware.name == "Cryptolocker"
|
assert malware.name == "Cryptolocker"
|
||||||
|
|
||||||
assert malware['type'] == 'malware'
|
assert malware['type'] == 'malware'
|
||||||
assert malware['id'] == 'malware--00000000-0000-4000-8000-000000000001'
|
assert malware['id'] == 'malware--00000000-0000-4000-8000-000000000001'
|
||||||
assert malware['created'] == FAKE_TIME
|
assert malware['created'] == FAKE_TIME
|
||||||
assert malware['modified'] == FAKE_TIME
|
assert malware['modified'] == FAKE_TIME
|
||||||
assert malware['labels'] == ['ransomware']
|
assert malware['malware_types'] == ['ransomware']
|
||||||
assert malware['name'] == "Cryptolocker"
|
assert malware['name'] == "Cryptolocker"
|
||||||
|
|
||||||
|
|
||||||
|
@ -79,12 +79,12 @@ def test_malware_required_properties():
|
||||||
stix2.v21.Malware()
|
stix2.v21.Malware()
|
||||||
|
|
||||||
assert excinfo.value.cls == stix2.v21.Malware
|
assert excinfo.value.cls == stix2.v21.Malware
|
||||||
assert excinfo.value.properties == ["is_family", "labels", "name"]
|
assert excinfo.value.properties == ["is_family", "malware_types", "name"]
|
||||||
|
|
||||||
|
|
||||||
def test_malware_required_property_name():
|
def test_malware_required_property_name():
|
||||||
with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
|
with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
|
||||||
stix2.v21.Malware(labels=['ransomware'], is_family=False)
|
stix2.v21.Malware(malware_types=['ransomware'], is_family=False)
|
||||||
|
|
||||||
assert excinfo.value.cls == stix2.v21.Malware
|
assert excinfo.value.cls == stix2.v21.Malware
|
||||||
assert excinfo.value.properties == ["name"]
|
assert excinfo.value.properties == ["name"]
|
||||||
|
@ -114,28 +114,29 @@ def test_invalid_kwarg_to_malware():
|
||||||
"id": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
|
"id": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
|
||||||
"created": "2016-05-12T08:17:27.000Z",
|
"created": "2016-05-12T08:17:27.000Z",
|
||||||
"modified": "2016-05-12T08:17:27.000Z",
|
"modified": "2016-05-12T08:17:27.000Z",
|
||||||
"labels": ["ransomware"],
|
"malware_types": ["ransomware"],
|
||||||
"name": "Cryptolocker",
|
"name": "Cryptolocker",
|
||||||
"is_family": False
|
"is_family": True
|
||||||
},
|
},
|
||||||
])
|
])
|
||||||
def test_parse_malware(data):
|
def test_parse_malware(data):
|
||||||
mal = stix2.parse(data, version="2.1")
|
mal = stix2.parse(data)
|
||||||
|
|
||||||
assert mal.type == 'malware'
|
assert mal.type == 'malware'
|
||||||
assert mal.spec_version == '2.1'
|
assert mal.spec_version == '2.1'
|
||||||
assert mal.id == MALWARE_ID
|
assert mal.id == MALWARE_ID
|
||||||
assert mal.created == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
|
assert mal.created == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
|
||||||
assert mal.modified == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
|
assert mal.modified == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
|
||||||
assert mal.labels == ['ransomware']
|
assert mal.malware_types == ['ransomware']
|
||||||
assert mal.name == "Cryptolocker"
|
assert mal.name == 'Cryptolocker'
|
||||||
|
assert mal.is_family is True
|
||||||
|
|
||||||
|
|
||||||
def test_parse_malware_invalid_labels():
|
def test_parse_malware_invalid_labels():
|
||||||
data = re.compile('\\[.+\\]', re.DOTALL).sub('1', EXPECTED_MALWARE)
|
data = re.compile('\\[.+\\]', re.DOTALL).sub('1', EXPECTED_MALWARE)
|
||||||
with pytest.raises(ValueError) as excinfo:
|
with pytest.raises(ValueError) as excinfo:
|
||||||
stix2.parse(data, version="2.1")
|
stix2.parse(data)
|
||||||
assert "Invalid value for Malware 'labels'" in str(excinfo.value)
|
assert "Invalid value for Malware 'malware_types'" in str(excinfo.value)
|
||||||
|
|
||||||
|
|
||||||
def test_parse_malware_kill_chain_phases():
|
def test_parse_malware_kill_chain_phases():
|
||||||
|
|
|
@ -71,7 +71,7 @@ def test_add_markings_combination():
|
||||||
object_marking_refs=[MARKING_IDS[0], MARKING_IDS[1]],
|
object_marking_refs=[MARKING_IDS[0], MARKING_IDS[1]],
|
||||||
granular_markings=[
|
granular_markings=[
|
||||||
{
|
{
|
||||||
"selectors": ["labels"],
|
"selectors": ["malware_types"],
|
||||||
"marking_ref": MARKING_IDS[2]
|
"marking_ref": MARKING_IDS[2]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -84,7 +84,7 @@ def test_add_markings_combination():
|
||||||
|
|
||||||
before = markings.add_markings(before, MARKING_IDS[0], None)
|
before = markings.add_markings(before, MARKING_IDS[0], None)
|
||||||
before = markings.add_markings(before, MARKING_IDS[1], None)
|
before = markings.add_markings(before, MARKING_IDS[1], None)
|
||||||
before = markings.add_markings(before, MARKING_IDS[2], "labels")
|
before = markings.add_markings(before, MARKING_IDS[2], "malware_types")
|
||||||
before = markings.add_markings(before, MARKING_IDS[3], "name")
|
before = markings.add_markings(before, MARKING_IDS[3], "name")
|
||||||
|
|
||||||
for m in before["granular_markings"]:
|
for m in before["granular_markings"]:
|
||||||
|
|
|
@ -566,7 +566,7 @@ def test_observed_data_with_process_example():
|
||||||
"arguments": [
|
"arguments": [
|
||||||
"--new-window"
|
"--new-window"
|
||||||
],
|
],
|
||||||
"binary_ref": "0"
|
"image_ref": "0"
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -662,16 +662,15 @@ def test_file_example():
|
||||||
f = stix2.v21.File(
|
f = stix2.v21.File(
|
||||||
name="qwerty.dll",
|
name="qwerty.dll",
|
||||||
hashes={
|
hashes={
|
||||||
"SHA-256": "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a"},
|
"SHA-256": "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a"
|
||||||
|
},
|
||||||
size=100,
|
size=100,
|
||||||
magic_number_hex="1C",
|
magic_number_hex="1C",
|
||||||
mime_type="application/msword",
|
mime_type="application/msword",
|
||||||
created="2016-12-21T19:00:00Z",
|
created="2016-12-21T19:00:00Z",
|
||||||
modified="2016-12-24T19:00:00Z",
|
modified="2016-12-24T19:00:00Z",
|
||||||
accessed="2016-12-21T20:00:00Z",
|
accessed="2016-12-21T20:00:00Z"
|
||||||
is_encrypted=True,
|
)
|
||||||
encryption_algorithm="AES128-CBC",
|
|
||||||
decryption_key="fred")
|
|
||||||
|
|
||||||
assert f.name == "qwerty.dll"
|
assert f.name == "qwerty.dll"
|
||||||
assert f.size == 100
|
assert f.size == 100
|
||||||
|
@ -681,9 +680,6 @@ def test_file_example():
|
||||||
assert f.created == dt.datetime(2016, 12, 21, 19, 0, 0, tzinfo=pytz.utc)
|
assert f.created == dt.datetime(2016, 12, 21, 19, 0, 0, tzinfo=pytz.utc)
|
||||||
assert f.modified == dt.datetime(2016, 12, 24, 19, 0, 0, tzinfo=pytz.utc)
|
assert f.modified == dt.datetime(2016, 12, 24, 19, 0, 0, tzinfo=pytz.utc)
|
||||||
assert f.accessed == dt.datetime(2016, 12, 21, 20, 0, 0, tzinfo=pytz.utc)
|
assert f.accessed == dt.datetime(2016, 12, 21, 20, 0, 0, tzinfo=pytz.utc)
|
||||||
assert f.is_encrypted
|
|
||||||
assert f.encryption_algorithm == "AES128-CBC"
|
|
||||||
assert f.decryption_key == "fred" # does the key have a format we can test for?
|
|
||||||
|
|
||||||
|
|
||||||
def test_file_example_with_NTFSExt():
|
def test_file_example_with_NTFSExt():
|
||||||
|
@ -896,19 +892,11 @@ def test_file_example_with_WindowsPEBinaryExt():
|
||||||
|
|
||||||
|
|
||||||
def test_file_example_encryption_error():
|
def test_file_example_encryption_error():
|
||||||
with pytest.raises(stix2.exceptions.DependentPropertiesError) as excinfo:
|
with pytest.raises(stix2.exceptions.AtLeastOnePropertyError) as excinfo:
|
||||||
stix2.v21.File(
|
stix2.v21.File(magic_number_hex="010b")
|
||||||
name="qwerty.dll",
|
|
||||||
is_encrypted=False,
|
|
||||||
encryption_algorithm="AES128-CBC")
|
|
||||||
|
|
||||||
assert excinfo.value.cls == stix2.v21.File
|
assert excinfo.value.cls == stix2.v21.File
|
||||||
assert excinfo.value.dependencies == [("is_encrypted", "encryption_algorithm")]
|
assert "At least one of the (hashes, name)" in str(excinfo.value)
|
||||||
assert "property dependencies" in str(excinfo.value)
|
|
||||||
assert "are not met" in str(excinfo.value)
|
|
||||||
|
|
||||||
with pytest.raises(stix2.exceptions.DependentPropertiesError) as excinfo:
|
|
||||||
stix2.v21.File(name="qwerty.dll", encryption_algorithm="AES128-CBC")
|
|
||||||
|
|
||||||
|
|
||||||
def test_ip4_address_example():
|
def test_ip4_address_example():
|
||||||
|
@ -1024,7 +1012,7 @@ def test_process_example():
|
||||||
name="gedit-bin",
|
name="gedit-bin",
|
||||||
created="2016-01-20T14:11:25.55Z",
|
created="2016-01-20T14:11:25.55Z",
|
||||||
arguments=["--new-window"],
|
arguments=["--new-window"],
|
||||||
binary_ref="0")
|
image_ref="0")
|
||||||
|
|
||||||
assert p.name == "gedit-bin"
|
assert p.name == "gedit-bin"
|
||||||
assert p.arguments == ["--new-window"]
|
assert p.arguments == ["--new-window"]
|
||||||
|
@ -1177,7 +1165,7 @@ def test_user_account_example():
|
||||||
is_privileged=False,
|
is_privileged=False,
|
||||||
can_escalate_privs=True,
|
can_escalate_privs=True,
|
||||||
account_created="2016-01-20T12:31:12Z",
|
account_created="2016-01-20T12:31:12Z",
|
||||||
password_last_changed="2016-01-20T14:27:43Z",
|
credential_last_changed="2016-01-20T14:27:43Z",
|
||||||
account_first_login="2016-01-20T14:26:07Z",
|
account_first_login="2016-01-20T14:26:07Z",
|
||||||
account_last_login="2016-07-22T16:08:28Z")
|
account_last_login="2016-07-22T16:08:28Z")
|
||||||
|
|
||||||
|
@ -1189,7 +1177,7 @@ def test_user_account_example():
|
||||||
assert not a.is_privileged
|
assert not a.is_privileged
|
||||||
assert a.can_escalate_privs
|
assert a.can_escalate_privs
|
||||||
assert a.account_created == dt.datetime(2016, 1, 20, 12, 31, 12, tzinfo=pytz.utc)
|
assert a.account_created == dt.datetime(2016, 1, 20, 12, 31, 12, tzinfo=pytz.utc)
|
||||||
assert a.password_last_changed == dt.datetime(2016, 1, 20, 14, 27, 43, tzinfo=pytz.utc)
|
assert a.credential_last_changed == dt.datetime(2016, 1, 20, 14, 27, 43, tzinfo=pytz.utc)
|
||||||
assert a.account_first_login == dt.datetime(2016, 1, 20, 14, 26, 7, tzinfo=pytz.utc)
|
assert a.account_first_login == dt.datetime(2016, 1, 20, 14, 26, 7, tzinfo=pytz.utc)
|
||||||
assert a.account_last_login == dt.datetime(2016, 7, 22, 16, 8, 28, tzinfo=pytz.utc)
|
assert a.account_last_login == dt.datetime(2016, 7, 22, 16, 8, 28, tzinfo=pytz.utc)
|
||||||
|
|
||||||
|
@ -1221,10 +1209,12 @@ def test_windows_registry_key_example():
|
||||||
v = stix2.v21.WindowsRegistryValueType(
|
v = stix2.v21.WindowsRegistryValueType(
|
||||||
name="Foo",
|
name="Foo",
|
||||||
data="qwerty",
|
data="qwerty",
|
||||||
data_type="REG_SZ")
|
data_type="REG_SZ"
|
||||||
|
)
|
||||||
w = stix2.v21.WindowsRegistryKey(
|
w = stix2.v21.WindowsRegistryKey(
|
||||||
key="hkey_local_machine\\system\\bar\\foo",
|
key="hkey_local_machine\\system\\bar\\foo",
|
||||||
values=[v])
|
values=[v]
|
||||||
|
)
|
||||||
assert w.key == "hkey_local_machine\\system\\bar\\foo"
|
assert w.key == "hkey_local_machine\\system\\bar\\foo"
|
||||||
assert w.values[0].name == "Foo"
|
assert w.values[0].name == "Foo"
|
||||||
assert w.values[0].data == "qwerty"
|
assert w.values[0].data == "qwerty"
|
||||||
|
|
|
@ -15,15 +15,15 @@ EXPECTED = """{
|
||||||
"created": "2015-12-21T19:59:11.000Z",
|
"created": "2015-12-21T19:59:11.000Z",
|
||||||
"modified": "2015-12-21T19:59:11.000Z",
|
"modified": "2015-12-21T19:59:11.000Z",
|
||||||
"name": "The Black Vine Cyberespionage Group",
|
"name": "The Black Vine Cyberespionage Group",
|
||||||
|
"report_types": [
|
||||||
|
"campaign"
|
||||||
|
],
|
||||||
"description": "A simple report with an indicator and campaign",
|
"description": "A simple report with an indicator and campaign",
|
||||||
"published": "2016-01-20T17:00:00Z",
|
"published": "2016-01-20T17:00:00Z",
|
||||||
"object_refs": [
|
"object_refs": [
|
||||||
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
|
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
|
||||||
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
|
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
|
||||||
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
|
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
|
||||||
],
|
|
||||||
"labels": [
|
|
||||||
"campaign"
|
|
||||||
]
|
]
|
||||||
}"""
|
}"""
|
||||||
|
|
||||||
|
@ -37,7 +37,7 @@ def test_report_example():
|
||||||
name="The Black Vine Cyberespionage Group",
|
name="The Black Vine Cyberespionage Group",
|
||||||
description="A simple report with an indicator and campaign",
|
description="A simple report with an indicator and campaign",
|
||||||
published="2016-01-20T17:00:00Z",
|
published="2016-01-20T17:00:00Z",
|
||||||
labels=["campaign"],
|
report_types=["campaign"],
|
||||||
object_refs=[
|
object_refs=[
|
||||||
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
|
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
|
||||||
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
|
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
|
||||||
|
@ -57,7 +57,7 @@ def test_report_example_objects_in_object_refs():
|
||||||
name="The Black Vine Cyberespionage Group",
|
name="The Black Vine Cyberespionage Group",
|
||||||
description="A simple report with an indicator and campaign",
|
description="A simple report with an indicator and campaign",
|
||||||
published="2016-01-20T17:00:00Z",
|
published="2016-01-20T17:00:00Z",
|
||||||
labels=["campaign"],
|
report_types=["campaign"],
|
||||||
object_refs=[
|
object_refs=[
|
||||||
stix2.v21.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
|
stix2.v21.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
|
||||||
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
|
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
|
||||||
|
@ -78,7 +78,7 @@ def test_report_example_objects_in_object_refs_with_bad_id():
|
||||||
name="The Black Vine Cyberespionage Group",
|
name="The Black Vine Cyberespionage Group",
|
||||||
description="A simple report with an indicator and campaign",
|
description="A simple report with an indicator and campaign",
|
||||||
published="2016-01-20T17:00:00Z",
|
published="2016-01-20T17:00:00Z",
|
||||||
labels=["campaign"],
|
report_types=["campaign"],
|
||||||
object_refs=[
|
object_refs=[
|
||||||
stix2.v21.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
|
stix2.v21.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
|
||||||
"campaign-83422c77-904c-4dc1-aff5-5c38f3a2c55c", # the "bad" id, missing a "-"
|
"campaign-83422c77-904c-4dc1-aff5-5c38f3a2c55c", # the "bad" id, missing a "-"
|
||||||
|
@ -99,7 +99,7 @@ def test_report_example_objects_in_object_refs_with_bad_id():
|
||||||
"created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
|
"created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
|
||||||
"description": "A simple report with an indicator and campaign",
|
"description": "A simple report with an indicator and campaign",
|
||||||
"id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
|
"id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
|
||||||
"labels": [
|
"report_types": [
|
||||||
"campaign"
|
"campaign"
|
||||||
],
|
],
|
||||||
"modified": "2015-12-21T19:59:11.000Z",
|
"modified": "2015-12-21T19:59:11.000Z",
|
||||||
|
@ -127,7 +127,7 @@ def test_parse_report(data):
|
||||||
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
|
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
|
||||||
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"]
|
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"]
|
||||||
assert rept.description == "A simple report with an indicator and campaign"
|
assert rept.description == "A simple report with an indicator and campaign"
|
||||||
assert rept.labels == ["campaign"]
|
assert rept.report_types == ["campaign"]
|
||||||
assert rept.name == "The Black Vine Cyberespionage Group"
|
assert rept.name == "The Black Vine Cyberespionage Group"
|
||||||
|
|
||||||
# TODO: Add other examples
|
# TODO: Add other examples
|
||||||
|
|
|
@ -15,10 +15,10 @@ EXPECTED = """{
|
||||||
"created": "2016-04-06T20:03:48.000Z",
|
"created": "2016-04-06T20:03:48.000Z",
|
||||||
"modified": "2016-04-06T20:03:48.000Z",
|
"modified": "2016-04-06T20:03:48.000Z",
|
||||||
"name": "Evil Org",
|
"name": "Evil Org",
|
||||||
"description": "The Evil Org threat actor group",
|
"threat_actor_types": [
|
||||||
"labels": [
|
|
||||||
"crime-syndicate"
|
"crime-syndicate"
|
||||||
]
|
],
|
||||||
|
"description": "The Evil Org threat actor group"
|
||||||
}"""
|
}"""
|
||||||
|
|
||||||
|
|
||||||
|
@ -30,7 +30,7 @@ def test_threat_actor_example():
|
||||||
modified="2016-04-06T20:03:48.000Z",
|
modified="2016-04-06T20:03:48.000Z",
|
||||||
name="Evil Org",
|
name="Evil Org",
|
||||||
description="The Evil Org threat actor group",
|
description="The Evil Org threat actor group",
|
||||||
labels=["crime-syndicate"],
|
threat_actor_types=["crime-syndicate"],
|
||||||
)
|
)
|
||||||
|
|
||||||
assert str(threat_actor) == EXPECTED
|
assert str(threat_actor) == EXPECTED
|
||||||
|
@ -43,7 +43,7 @@ def test_threat_actor_example():
|
||||||
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
|
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
|
||||||
"description": "The Evil Org threat actor group",
|
"description": "The Evil Org threat actor group",
|
||||||
"id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
|
"id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
|
||||||
"labels": [
|
"threat_actor_types": [
|
||||||
"crime-syndicate"
|
"crime-syndicate"
|
||||||
],
|
],
|
||||||
"modified": "2016-04-06T20:03:48.000Z",
|
"modified": "2016-04-06T20:03:48.000Z",
|
||||||
|
@ -63,6 +63,6 @@ def test_parse_threat_actor(data):
|
||||||
assert actor.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
|
assert actor.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
|
||||||
assert actor.description == "The Evil Org threat actor group"
|
assert actor.description == "The Evil Org threat actor group"
|
||||||
assert actor.name == "Evil Org"
|
assert actor.name == "Evil Org"
|
||||||
assert actor.labels == ["crime-syndicate"]
|
assert actor.threat_actor_types == ["crime-syndicate"]
|
||||||
|
|
||||||
# TODO: Add other examples
|
# TODO: Add other examples
|
||||||
|
|
|
@ -15,7 +15,7 @@ EXPECTED = """{
|
||||||
"created": "2016-04-06T20:03:48.000Z",
|
"created": "2016-04-06T20:03:48.000Z",
|
||||||
"modified": "2016-04-06T20:03:48.000Z",
|
"modified": "2016-04-06T20:03:48.000Z",
|
||||||
"name": "VNC",
|
"name": "VNC",
|
||||||
"labels": [
|
"tool_types": [
|
||||||
"remote-access"
|
"remote-access"
|
||||||
]
|
]
|
||||||
}"""
|
}"""
|
||||||
|
@ -28,10 +28,10 @@ EXPECTED_WITH_REVOKED = """{
|
||||||
"created": "2016-04-06T20:03:48.000Z",
|
"created": "2016-04-06T20:03:48.000Z",
|
||||||
"modified": "2016-04-06T20:03:48.000Z",
|
"modified": "2016-04-06T20:03:48.000Z",
|
||||||
"name": "VNC",
|
"name": "VNC",
|
||||||
"revoked": false,
|
"tool_types": [
|
||||||
"labels": [
|
|
||||||
"remote-access"
|
"remote-access"
|
||||||
]
|
],
|
||||||
|
"revoked": false
|
||||||
}"""
|
}"""
|
||||||
|
|
||||||
|
|
||||||
|
@ -42,7 +42,7 @@ def test_tool_example():
|
||||||
created="2016-04-06T20:03:48.000Z",
|
created="2016-04-06T20:03:48.000Z",
|
||||||
modified="2016-04-06T20:03:48.000Z",
|
modified="2016-04-06T20:03:48.000Z",
|
||||||
name="VNC",
|
name="VNC",
|
||||||
labels=["remote-access"],
|
tool_types=["remote-access"],
|
||||||
)
|
)
|
||||||
|
|
||||||
assert str(tool) == EXPECTED
|
assert str(tool) == EXPECTED
|
||||||
|
@ -54,7 +54,7 @@ def test_tool_example():
|
||||||
"created": "2016-04-06T20:03:48Z",
|
"created": "2016-04-06T20:03:48Z",
|
||||||
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
|
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
|
||||||
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
|
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
|
||||||
"labels": [
|
"tool_types": [
|
||||||
"remote-access"
|
"remote-access"
|
||||||
],
|
],
|
||||||
"modified": "2016-04-06T20:03:48Z",
|
"modified": "2016-04-06T20:03:48Z",
|
||||||
|
@ -72,12 +72,12 @@ def test_parse_tool(data):
|
||||||
assert tool.created == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
|
assert tool.created == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
|
||||||
assert tool.modified == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
|
assert tool.modified == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
|
||||||
assert tool.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
|
assert tool.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
|
||||||
assert tool.labels == ["remote-access"]
|
assert tool.tool_types == ["remote-access"]
|
||||||
assert tool.name == "VNC"
|
assert tool.name == "VNC"
|
||||||
|
|
||||||
|
|
||||||
def test_tool_no_workbench_wrappers():
|
def test_tool_no_workbench_wrappers():
|
||||||
tool = stix2.v21.Tool(name='VNC', labels=['remote-access'])
|
tool = stix2.v21.Tool(name='VNC', tool_types=['remote-access'])
|
||||||
with pytest.raises(AttributeError):
|
with pytest.raises(AttributeError):
|
||||||
tool.created_by()
|
tool.created_by()
|
||||||
|
|
||||||
|
@ -89,7 +89,7 @@ def test_tool_serialize_with_defaults():
|
||||||
created="2016-04-06T20:03:48.000Z",
|
created="2016-04-06T20:03:48.000Z",
|
||||||
modified="2016-04-06T20:03:48.000Z",
|
modified="2016-04-06T20:03:48.000Z",
|
||||||
name="VNC",
|
name="VNC",
|
||||||
labels=["remote-access"],
|
tool_types=["remote-access"],
|
||||||
)
|
)
|
||||||
|
|
||||||
assert tool.serialize(pretty=True, include_optional_defaults=True) == EXPECTED_WITH_REVOKED
|
assert tool.serialize(pretty=True, include_optional_defaults=True) == EXPECTED_WITH_REVOKED
|
||||||
|
|
|
@ -221,17 +221,17 @@ def test_revoke_invalid_cls():
|
||||||
|
|
||||||
|
|
||||||
def test_remove_custom_stix_property():
|
def test_remove_custom_stix_property():
|
||||||
mal = stix2.Malware(name="ColePowers",
|
mal = stix2.v21.Malware(name="ColePowers",
|
||||||
labels=["rootkit"],
|
malware_types=["rootkit"],
|
||||||
is_family=False,
|
is_family=False,
|
||||||
x_custom="armada",
|
x_custom="armada",
|
||||||
allow_custom=True)
|
allow_custom=True)
|
||||||
|
|
||||||
mal_nc = stix2.utils.remove_custom_stix(mal)
|
mal_nc = stix2.utils.remove_custom_stix(mal)
|
||||||
|
|
||||||
assert "x_custom" not in mal_nc
|
assert "x_custom" not in mal_nc
|
||||||
assert stix2.utils.parse_into_datetime(mal["modified"], precision="millisecond") < stix2.utils.parse_into_datetime(mal_nc["modified"],
|
assert (stix2.utils.parse_into_datetime(mal["modified"], precision="millisecond") <
|
||||||
precision="millisecond")
|
stix2.utils.parse_into_datetime(mal_nc["modified"], precision="millisecond"))
|
||||||
|
|
||||||
|
|
||||||
def test_remove_custom_stix_object():
|
def test_remove_custom_stix_object():
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
import os
|
import os
|
||||||
|
|
||||||
import stix2
|
import stix2
|
||||||
from stix2 import Bundle
|
|
||||||
from stix2.workbench import (AttackPattern, Campaign, CourseOfAction,
|
from stix2.workbench import (AttackPattern, Campaign, CourseOfAction,
|
||||||
ExternalReference, FileSystemSource, Filter,
|
ExternalReference, FileSystemSource, Filter,
|
||||||
Identity, Indicator, IntrusionSet, Malware,
|
Identity, Indicator, IntrusionSet, Malware,
|
||||||
|
@ -34,7 +33,7 @@ def test_workbench_environment():
|
||||||
save(ind)
|
save(ind)
|
||||||
|
|
||||||
resp = get(INDICATOR_ID)
|
resp = get(INDICATOR_ID)
|
||||||
assert resp['labels'][0] == 'malicious-activity'
|
assert resp['indicator_types'][0] == 'malicious-activity'
|
||||||
|
|
||||||
resp = all_versions(INDICATOR_ID)
|
resp = all_versions(INDICATOR_ID)
|
||||||
assert len(resp) == 1
|
assert len(resp) == 1
|
||||||
|
@ -152,7 +151,7 @@ def test_workbench_get_all_vulnerabilities():
|
||||||
|
|
||||||
def test_workbench_add_to_bundle():
|
def test_workbench_add_to_bundle():
|
||||||
vuln = Vulnerability(**VULNERABILITY_KWARGS)
|
vuln = Vulnerability(**VULNERABILITY_KWARGS)
|
||||||
bundle = Bundle(vuln)
|
bundle = stix2.v21.Bundle(vuln)
|
||||||
assert bundle.objects[0].name == 'Heartbleed'
|
assert bundle.objects[0].name == 'Heartbleed'
|
||||||
|
|
||||||
|
|
||||||
|
@ -191,8 +190,8 @@ def test_workbench_related():
|
||||||
|
|
||||||
|
|
||||||
def test_workbench_related_with_filters():
|
def test_workbench_related_with_filters():
|
||||||
malware = Malware(labels=["ransomware"], name="CryptorBit", created_by_ref=IDENTITY_ID,
|
malware = Malware(malware_types=["ransomware"], name="CryptorBit",
|
||||||
is_family=False)
|
created_by_ref=IDENTITY_ID, is_family=False)
|
||||||
rel = Relationship(malware.id, 'variant-of', MALWARE_ID)
|
rel = Relationship(malware.id, 'variant-of', MALWARE_ID)
|
||||||
save([malware, rel])
|
save([malware, rel])
|
||||||
|
|
||||||
|
@ -271,12 +270,12 @@ def test_default_object_marking_refs():
|
||||||
|
|
||||||
|
|
||||||
def test_workbench_custom_property_object_in_observable_extension():
|
def test_workbench_custom_property_object_in_observable_extension():
|
||||||
ntfs = stix2.NTFSExt(
|
ntfs = stix2.v21.NTFSExt(
|
||||||
allow_custom=True,
|
allow_custom=True,
|
||||||
sid=1,
|
sid=1,
|
||||||
x_foo='bar',
|
x_foo='bar',
|
||||||
)
|
)
|
||||||
artifact = stix2.File(
|
artifact = stix2.v21.File(
|
||||||
name='test',
|
name='test',
|
||||||
extensions={'ntfs-ext': ntfs},
|
extensions={'ntfs-ext': ntfs},
|
||||||
)
|
)
|
||||||
|
@ -293,7 +292,7 @@ def test_workbench_custom_property_object_in_observable_extension():
|
||||||
|
|
||||||
|
|
||||||
def test_workbench_custom_property_dict_in_observable_extension():
|
def test_workbench_custom_property_dict_in_observable_extension():
|
||||||
artifact = stix2.File(
|
artifact = stix2.v21.File(
|
||||||
allow_custom=True,
|
allow_custom=True,
|
||||||
name='test',
|
name='test',
|
||||||
extensions={
|
extensions={
|
||||||
|
|
Loading…
Reference in New Issue