MALWARE RESTORE POINT - Reverted changes to Malware based on STIX 2.1 CSD01

Use this commit to restore Malware changes.
stix2.1
Emmanuelle Vargas-Gonzalez 2018-07-25 13:34:56 -04:00
parent 303159a818
commit ad76e7155c
9 changed files with 12 additions and 60 deletions


@ -81,7 +81,6 @@ INTRUSION_SET_KWARGS = dict(
MALWARE_KWARGS = dict( MALWARE_KWARGS = dict(
malware_types=['ransomware'], malware_types=['ransomware'],
name="Cryptolocker", name="Cryptolocker",
is_family=True,
) )
MALWARE_MORE_KWARGS = dict( MALWARE_MORE_KWARGS = dict(
@ -92,7 +91,6 @@ MALWARE_MORE_KWARGS = dict(
malware_types=['ransomware'], malware_types=['ransomware'],
name="Cryptolocker", name="Cryptolocker",
description="A ransomware related to ...", description="A ransomware related to ...",
is_family=False,
) )
OBSERVED_DATA_KWARGS = dict( OBSERVED_DATA_KWARGS = dict(


@ -26,7 +26,6 @@ EXPECTED_BUNDLE = """{
"id": "malware--00000000-0000-4000-8000-000000000003", "id": "malware--00000000-0000-4000-8000-000000000003",
"created": "2017-01-01T12:34:56.000Z", "created": "2017-01-01T12:34:56.000Z",
"modified": "2017-01-01T12:34:56.000Z", "modified": "2017-01-01T12:34:56.000Z",
"is_family": true,
"name": "Cryptolocker", "name": "Cryptolocker",
"malware_types": [ "malware_types": [
"ransomware" "ransomware"
@ -71,7 +70,6 @@ EXPECTED_BUNDLE_DICT = {
"malware_types": [ "malware_types": [
"ransomware", "ransomware",
], ],
"is_family": True,
}, },
{ {
"type": "relationship", "type": "relationship",


@ -16,7 +16,6 @@ stix_objs = [
"modified": "2017-01-27T13:49:53.997Z", "modified": "2017-01-27T13:49:53.997Z",
"name": "Poison Ivy", "name": "Poison Ivy",
"type": "malware", "type": "malware",
"is_family": False,
}, },
{ {
"created": "2014-05-08T09:00:00.000Z", "created": "2014-05-08T09:00:00.000Z",


@ -219,8 +219,7 @@ def test_parse_malware():
"name": "Cryptolocker", "name": "Cryptolocker",
"malware_types": [ "malware_types": [
"ransomware" "ransomware"
], ]
"is_family": false
}""" }"""
mal = env.parse(data, version="2.1") mal = env.parse(data, version="2.1")


@ -14,7 +14,6 @@ EXPECTED_MALWARE = """{
"id": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e", "id": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
"created": "2016-05-12T08:17:27.000Z", "created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z", "modified": "2016-05-12T08:17:27.000Z",
"is_family": true,
"name": "Cryptolocker", "name": "Cryptolocker",
"malware_types": [ "malware_types": [
"ransomware" "ransomware"
@ -32,7 +31,6 @@ def test_malware_with_all_required_properties():
modified=now, modified=now,
malware_types=["ransomware"], malware_types=["ransomware"],
name="Cryptolocker", name="Cryptolocker",
is_family=True,
) )
assert str(mal) == EXPECTED_MALWARE assert str(mal) == EXPECTED_MALWARE
@ -79,12 +77,12 @@ def test_malware_required_properties():
stix2.v21.Malware() stix2.v21.Malware()
assert excinfo.value.cls == stix2.v21.Malware assert excinfo.value.cls == stix2.v21.Malware
assert excinfo.value.properties == ["is_family", "malware_types", "name"] assert excinfo.value.properties == ["malware_types", "name"]
def test_malware_required_property_name(): def test_malware_required_property_name():
with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo: with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
stix2.v21.Malware(malware_types=['ransomware'], is_family=False) stix2.v21.Malware(malware_types=['ransomware'])
assert excinfo.value.cls == stix2.v21.Malware assert excinfo.value.cls == stix2.v21.Malware
assert excinfo.value.properties == ["name"] assert excinfo.value.properties == ["name"]
@ -117,7 +115,6 @@ def test_invalid_kwarg_to_malware():
"modified": "2016-05-12T08:17:27.000Z", "modified": "2016-05-12T08:17:27.000Z",
"malware_types": ["ransomware"], "malware_types": ["ransomware"],
"name": "Cryptolocker", "name": "Cryptolocker",
"is_family": True,
}, },
], ],
) )
@ -131,7 +128,6 @@ def test_parse_malware(data):
assert mal.modified == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc) assert mal.modified == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
assert mal.malware_types == ['ransomware'] assert mal.malware_types == ['ransomware']
assert mal.name == 'Cryptolocker' assert mal.name == 'Cryptolocker'
assert mal.is_family is True
def test_parse_malware_invalid_labels(): def test_parse_malware_invalid_labels():
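Review bot: Dropping `assert mal.is_family is True` from test_parse_malware leaves no test on the new side that pins what `stix2.v21.Malware` does with a 2.1 document that still carries `is_family` (or the other properties this commit removes), which is exactly the input that earlier revisions of this library produced. A one-line negative case next to test_invalid_kwarg_to_malware would make the revert's intent explicit, e.g. `stix2.v21.Malware(name="Cryptolocker", malware_types=["ransomware"], is_family=True)` wrapped in the same `pytest.raises(...)` that test_invalid_kwarg_to_malware already uses; I cannot see that exception type on this page, so reuse whichever it asserts. If the parser instead tolerates unknown properties without `allow_custom=True`, the test should state that explicitly, since silently accepting or dropping `is_family` changes the meaning of stored malware records. test_parse_malware starts above this hunk and the data it parses is outside the visible lines.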


@ -123,14 +123,14 @@ def test_create_relationship_from_objects_rather_than_ids1(indicator, malware):
relationship_type="indicates", relationship_type="indicates",
source_ref=indicator, source_ref=indicator,
target_ref=malware, target_ref=malware,
stop_time="2018-04-06T20:06:37Z", stop_time="2016-04-06T20:03:48Z",
) )
assert rel.relationship_type == 'indicates' assert rel.relationship_type == 'indicates'
assert rel.source_ref == 'indicator--00000000-0000-4000-8000-000000000001' assert rel.source_ref == 'indicator--00000000-0000-4000-8000-000000000001'
assert rel.target_ref == 'malware--00000000-0000-4000-8000-000000000003' assert rel.target_ref == 'malware--00000000-0000-4000-8000-000000000003'
assert rel.id == 'relationship--00000000-0000-4000-8000-000000000005' assert rel.id == 'relationship--00000000-0000-4000-8000-000000000005'
assert rel.stop_time == '2018-04-06T20:06:37Z' assert rel.stop_time == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
def test_create_relationship_from_objects_rather_than_ids2(indicator, malware): def test_create_relationship_from_objects_rather_than_ids2(indicator, malware):
@ -138,14 +138,14 @@ def test_create_relationship_from_objects_rather_than_ids2(indicator, malware):
relationship_type="indicates", relationship_type="indicates",
source_ref=indicator, source_ref=indicator,
target_ref=malware, target_ref=malware,
start_time="2018-04-06T20:06:37Z", start_time="2016-04-06T20:03:48Z",
) )
assert rel.relationship_type == 'indicates' assert rel.relationship_type == 'indicates'
assert rel.source_ref == 'indicator--00000000-0000-4000-8000-000000000001' assert rel.source_ref == 'indicator--00000000-0000-4000-8000-000000000001'
assert rel.target_ref == 'malware--00000000-0000-4000-8000-000000000003' assert rel.target_ref == 'malware--00000000-0000-4000-8000-000000000003'
assert rel.id == 'relationship--00000000-0000-4000-8000-000000000005' assert rel.id == 'relationship--00000000-0000-4000-8000-000000000005'
assert rel.start_time == '2018-04-06T20:06:37Z' assert rel.start_time == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
def test_create_relationship_with_positional_args(indicator, malware): def test_create_relationship_with_positional_args(indicator, malware):


@ -228,7 +228,6 @@ def test_remove_custom_stix_property():
mal = stix2.v21.Malware( mal = stix2.v21.Malware(
name="ColePowers", name="ColePowers",
malware_types=["rootkit"], malware_types=["rootkit"],
is_family=False,
x_custom="armada", x_custom="armada",
allow_custom=True, allow_custom=True,
) )


@ -188,7 +188,7 @@ def test_workbench_related():
def test_workbench_related_with_filters(): def test_workbench_related_with_filters():
malware = Malware( malware = Malware(
malware_types=["ransomware"], name="CryptorBit", malware_types=["ransomware"], name="CryptorBit",
created_by_ref=IDENTITY_ID, is_family=False, created_by_ref=IDENTITY_ID,
) )
rel = Relationship(malware.id, 'variant-of', MALWARE_ID) rel = Relationship(malware.id, 'variant-of', MALWARE_ID)
save([malware, rel]) save([malware, rel])


@ -1,17 +1,15 @@
"""STIX 2.1 Domain Objects""" """STIX 2.1 Domain Objects"""
from collections import OrderedDict from collections import OrderedDict
from math import fabs
import itertools import itertools
from math import fabs
from ..base import _STIXBase
from ..core import STIXDomainObject from ..core import STIXDomainObject
from ..custom import _custom_object_builder from ..custom import _custom_object_builder
from ..properties import ( from ..properties import (
BooleanProperty, DictionaryProperty, EmbeddedObjectProperty, EnumProperty, BooleanProperty, EnumProperty, FloatProperty, IDProperty, IntegerProperty,
FloatProperty, IDProperty, IntegerProperty, ListProperty, ListProperty, ObservableProperty, PatternProperty, ReferenceProperty,
ObservableProperty, PatternProperty, ReferenceProperty, StringProperty, StringProperty, TimestampProperty, TypeProperty,
TimestampProperty, TypeProperty,
) )
from ..utils import NOW from ..utils import NOW
from .common import ExternalReference, GranularMarking, KillChainPhase from .common import ExternalReference, GranularMarking, KillChainPhase
@ -254,30 +252,6 @@ class Location(STIXDomainObject):
raise ValueError(msg.format(self)) raise ValueError(msg.format(self))
class AnalysisType(_STIXBase):
_properties = OrderedDict([
('start_time', TimestampProperty()),
('end_time', TimestampProperty()),
('analysis_tools', ObservableProperty(spec_version='2.1')),
('analysis_environment', DictionaryProperty(spec_version='2.1')),
('results', DictionaryProperty(spec_version='2.1', required=True)),
])
class AVResultsType(_STIXBase):
_properties = OrderedDict([
('product', StringProperty()),
('engine_version', StringProperty()),
('definition_version', StringProperty()),
('submitted', TimestampProperty()),
('scanned', TimestampProperty()),
('result', StringProperty()),
('details', StringProperty()),
])
class Malware(STIXDomainObject): class Malware(STIXDomainObject):
# TODO: Add link # TODO: Add link
"""For more detailed information on this object's properties, see """For more detailed information on this object's properties, see
@ -292,21 +266,10 @@ class Malware(STIXDomainObject):
('created_by_ref', ReferenceProperty(type='identity')), ('created_by_ref', ReferenceProperty(type='identity')),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')), ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')), ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('is_family', BooleanProperty(required=True)),
('name', StringProperty(required=True)), ('name', StringProperty(required=True)),
('malware_types', ListProperty(StringProperty, required=True)), ('malware_types', ListProperty(StringProperty, required=True)),
('description', StringProperty()), ('description', StringProperty()),
('kill_chain_phases', ListProperty(KillChainPhase)), ('kill_chain_phases', ListProperty(KillChainPhase)),
('first_seen', TimestampProperty()),
('last_seen', TimestampProperty()),
('os_execution_envs', ListProperty(StringProperty)),
('architecture_execution_envs', ListProperty(StringProperty)),
('implementation_languages', ListProperty(StringProperty)),
('samples', ObservableProperty(spec_version='2.1')),
('static_analysis_results', ListProperty(EmbeddedObjectProperty(AnalysisType))),
('dynamic_analysis_results', ListProperty(EmbeddedObjectProperty(AnalysisType))),
('av_results', ListProperty(EmbeddedObjectProperty(AVResultsType))),
('capabilities', ListProperty(StringProperty)),
('revoked', BooleanProperty(default=lambda: False)), ('revoked', BooleanProperty(default=lambda: False)),
('labels', ListProperty(StringProperty)), ('labels', ListProperty(StringProperty)),
('confidence', IntegerProperty()), ('confidence', IntegerProperty()),
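Review bot: The Malware property table on the new side silently loses `is_family`, `samples`, `static_analysis_results`, `dynamic_analysis_results` and `av_results`, but the class docstring still reads `For more detailed information on this object's properties, see` followed by `# TODO: Add link`, so nothing in the code records that this property set is deliberately pinned to STIX 2.1 CSD01 as the commit title says. I would replace the docstring with `"""STIX 2.1 Malware SDO; property set intentionally tracks CSD01, so later-draft fields such as is_family and the analysis/sample results are rejected rather than ignored."""` and keep the TODO for the spec link. A practical caveat worth a `# NOTE:` on the `_properties` line: any 2.1 JSON serialized by the pre-revert code carries those removed properties and will presumably no longer parse without `allow_custom=True`, judging by the way test_invalid_kwarg_to_malware on this page treats unknown kwargs; confirm against the base class before relying on that. The first hunk also drops `from ..base import _STIXBase`, which is safe only if nothing else in sdo.py uses it, and I cannot verify that from this page. The Malware class continues past the end of this hunk.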