MISP
/
cti-python-stix2
mirror of https://github.com/MISP/cti-python-stix2
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' into stix2.1

master
Chris Lenk 2019-06-26 12:22:40 -04:00
parent 7e989dd13d a6fa3ff1d7
commit b8c5bec101
142 changed files with 2317 additions and 564 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
CHANGELOG
View File

@ -1,6 +1,17 @@
CHANGELOG
=========
1.1.2 - 2019-02-13
* #86 Adds helper function to Location objects to generate a URL to the location in an online map engine.
1.1.1 - 2019-01-11
* #234 Update documentation structure to better navigate between v20/v21 objects
* #232 FileSystemStore now raises an exception if you attempt to overwrite an existing file
* #236 Fix a serialization problem with the WindowsRegistryKey observable object
* #238 Fix a problem with the LanguageContent object not allowing its creation with an empty dictionary
1.1.0 - 2018-12-11
- Most (if not all) STIX 2.1 SDOs/SROs and core objects have been implemented according to the latest CSD/WD document

5
docs/api/stix2.v20.rst Normal file
View File

@ -0,0 +1,5 @@
v20
=========
.. automodule:: stix2.v20
:members:

5
docs/api/stix2.v21.rst Normal file
View File

@ -0,0 +1,5 @@
v21
=========
.. automodule:: stix2.v21
:members:

0
docs/api/stix2.v20.bundle.rst → docs/api/v20/stix2.v20.bundle.rst
View File

2
docs/api/stix2.v20.common.rst → docs/api/v20/stix2.v20.common.rst
View File

@ -2,4 +2,4 @@ common
================
.. automodule:: stix2.v20.common
:members:
:members:

2
docs/api/stix2.v20.observables.rst → docs/api/v20/stix2.v20.observables.rst
View File

@ -2,4 +2,4 @@ observables
=====================
.. automodule:: stix2.v20.observables
:members:
:members:

2
docs/api/stix2.v20.sdo.rst → docs/api/v20/stix2.v20.sdo.rst
View File

@ -2,4 +2,4 @@ sdo
=============
.. automodule:: stix2.v20.sdo
:members:
:members:

2
docs/api/stix2.v20.sro.rst → docs/api/v20/stix2.v20.sro.rst
View File

@ -2,4 +2,4 @@ sro
=============
.. automodule:: stix2.v20.sro
:members:
:members:

0
docs/api/stix2.v21.bundle.rst → docs/api/v21/stix2.v21.bundle.rst
View File

0
docs/api/stix2.v21.common.rst → docs/api/v21/stix2.v21.common.rst
View File

0
docs/api/stix2.v21.observables.rst → docs/api/v21/stix2.v21.observables.rst
View File

0
docs/api/stix2.v21.sdo.rst → docs/api/v21/stix2.v21.sdo.rst
View File

0
docs/api/stix2.v21.sro.rst → docs/api/v21/stix2.v21.sro.rst
View File

307
docs/guide/creating.ipynb
View File

@ -144,12 +144,12 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span><span class=\"p\">{</span>\n",
" <span class=\"nt\">&quot;type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator--548af3be-39d7-4a3e-93c2-1a63cccf8951&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:24.193Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:24.193Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:14:48.509Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:14:48.509Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;name&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;File hash for malware variant&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;pattern&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;[file:hashes.md5 = &#39;d41d8cd98f00b204e9800998ecf8427e&#39;]&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;valid_from&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:24.193659Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;valid_from&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:14:48.509629Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;labels&quot;</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n",
" <span class=\"s2\">&quot;malicious-activity&quot;</span>\n",
" <span class=\"p\">]</span>\n",
@ -465,9 +465,9 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span><span class=\"p\">{</span>\n",
" <span class=\"nt\">&quot;type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware--3d7f0c1c-616a-4868-aa7b-150821d2a429&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:46.584Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:46.584Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:15:04.698Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:15:04.698Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;name&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;Poison Ivy&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;labels&quot;</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n",
" <span class=\"s2\">&quot;remote-access-trojan&quot;</span>\n",
@ -498,7 +498,7 @@
"source": [
"As with indicators, the ``type``, ``id``, ``created``, and ``modified`` properties will be set automatically if not provided. For Malware objects, the ``labels`` and ``name`` properties must be provided.\n",
"\n",
"You can see the full list of SDO classes [here](../api/stix2.v20.sdo.rst)."
"You can see the full list of SDO classes [here](../api/v20/stix2.v20.sdo.rst)."
]
},
{
@ -588,12 +588,12 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span><span class=\"p\">{</span>\n",
" <span class=\"nt\">&quot;type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;relationship&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;relationship--34ddc7b4-4965-4615-b286-1c8bbaa1e7db&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:49.474Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:49.474Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;relationship--80c174fa-36d1-47c2-9a9d-ce0c636bedcc&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:15:13.152Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:15:13.152Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;relationship_type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicates&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;source_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator--548af3be-39d7-4a3e-93c2-1a63cccf8951&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;target_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware--3d7f0c1c-616a-4868-aa7b-150821d2a429&quot;</span>\n",
" <span class=\"nt\">&quot;source_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;target_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67&quot;</span>\n",
"<span class=\"p\">}</span>\n",
"</pre></div>\n"
],
@ -700,12 +700,12 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span><span class=\"p\">{</span>\n",
" <span class=\"nt\">&quot;type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;relationship&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;relationship--0a646403-f7e7-4cfd-b945-cab5cde05857&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:51.417Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:51.417Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;relationship--47395d23-dedd-45d4-8db1-c9ffaf44493d&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:15:16.566Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:15:16.566Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;relationship_type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicates&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;source_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator--548af3be-39d7-4a3e-93c2-1a63cccf8951&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;target_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware--3d7f0c1c-616a-4868-aa7b-150821d2a429&quot;</span>\n",
" <span class=\"nt\">&quot;source_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;target_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67&quot;</span>\n",
"<span class=\"p\">}</span>\n",
"</pre></div>\n"
],
@ -810,26 +810,26 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span><span class=\"p\">{</span>\n",
" <span class=\"nt\">&quot;type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;bundle&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;bundle--f83477e5-f853-47e1-a267-43f3aa1bd5b0&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;bundle--388c9b2c-936c-420a-baa5-04f48d682a01&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;spec_version&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2.0&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;objects&quot;</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n",
" <span class=\"p\">{</span>\n",
" <span class=\"nt\">&quot;type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator--548af3be-39d7-4a3e-93c2-1a63cccf8951&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:24.193Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:24.193Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:14:48.509Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:14:48.509Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;name&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;File hash for malware variant&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;pattern&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;[file:hashes.md5 = &#39;d41d8cd98f00b204e9800998ecf8427e&#39;]&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;valid_from&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:24.193659Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;valid_from&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:14:48.509629Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;labels&quot;</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n",
" <span class=\"s2\">&quot;malicious-activity&quot;</span>\n",
" <span class=\"p\">]</span>\n",
" <span class=\"p\">},</span>\n",
" <span class=\"p\">{</span>\n",
" <span class=\"nt\">&quot;type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware--3d7f0c1c-616a-4868-aa7b-150821d2a429&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:46.584Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:46.584Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:15:04.698Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:15:04.698Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;name&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;Poison Ivy&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;labels&quot;</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n",
" <span class=\"s2\">&quot;remote-access-trojan&quot;</span>\n",
@ -837,12 +837,12 @@
" <span class=\"p\">},</span>\n",
" <span class=\"p\">{</span>\n",
" <span class=\"nt\">&quot;type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;relationship&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;relationship--34ddc7b4-4965-4615-b286-1c8bbaa1e7db&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:49.474Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2018-04-05T18:32:49.474Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;id&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;relationship--80c174fa-36d1-47c2-9a9d-ce0c636bedcc&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;created&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:15:13.152Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;modified&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;2019-05-13T13:15:13.152Z&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;relationship_type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicates&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;source_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator--548af3be-39d7-4a3e-93c2-1a63cccf8951&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;target_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware--3d7f0c1c-616a-4868-aa7b-150821d2a429&quot;</span>\n",
" <span class=\"nt\">&quot;source_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;target_ref&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67&quot;</span>\n",
" <span class=\"p\">}</span>\n",
" <span class=\"p\">]</span>\n",
"<span class=\"p\">}</span>\n",
@ -863,6 +863,249 @@
"bundle = Bundle(indicator, malware, relationship)\n",
"print(bundle)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Creating Cyber Observable References\n",
"Cyber Observable Objects have properties that can reference other Cyber Observable Objects. In order to create those references, use the ``_valid_refs`` property as shown in the following examples. It should be noted that ``_valid_refs`` is necessary when creating references to Cyber Observable Objects since some embedded references can only point to certain types, and ``_valid_refs`` helps ensure consistency. \n",
"\n",
"There are two cases."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"#### Case 1: Specifying the type of the Cyber Observable Objects being referenced\n",
"In the following example, the IPv4Address object has its ``resolves_to_refs`` property specified. As per the spec, this property's value must be a list of reference(s) to MACAddress objects. In this case, those references are strings that state the type of the Cyber Observable Object being referenced, and are provided in ``_valid_refs``."
]
},
{
"cell_type": "code",
"execution_count": 16,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n",
".highlight { background: #f8f8f8; }\n",
".highlight .c { color: #408080; font-style: italic } /* Comment */\n",
".highlight .err { border: 1px solid #FF0000 } /* Error */\n",
".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n",
".highlight .o { color: #666666 } /* Operator */\n",
".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n",
".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n",
".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n",
".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n",
".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n",
".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n",
".highlight .gd { color: #A00000 } /* Generic.Deleted */\n",
".highlight .ge { font-style: italic } /* Generic.Emph */\n",
".highlight .gr { color: #FF0000 } /* Generic.Error */\n",
".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n",
".highlight .gi { color: #00A000 } /* Generic.Inserted */\n",
".highlight .go { color: #888888 } /* Generic.Output */\n",
".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n",
".highlight .gs { font-weight: bold } /* Generic.Strong */\n",
".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n",
".highlight .gt { color: #0044DD } /* Generic.Traceback */\n",
".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n",
".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n",
".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n",
".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n",
".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n",
".highlight .kt { color: #B00040 } /* Keyword.Type */\n",
".highlight .m { color: #666666 } /* Literal.Number */\n",
".highlight .s { color: #BA2121 } /* Literal.String */\n",
".highlight .na { color: #7D9029 } /* Name.Attribute */\n",
".highlight .nb { color: #008000 } /* Name.Builtin */\n",
".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n",
".highlight .no { color: #880000 } /* Name.Constant */\n",
".highlight .nd { color: #AA22FF } /* Name.Decorator */\n",
".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n",
".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n",
".highlight .nf { color: #0000FF } /* Name.Function */\n",
".highlight .nl { color: #A0A000 } /* Name.Label */\n",
".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n",
".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n",
".highlight .nv { color: #19177C } /* Name.Variable */\n",
".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n",
".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n",
".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n",
".highlight .mf { color: #666666 } /* Literal.Number.Float */\n",
".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n",
".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n",
".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n",
".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n",
".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n",
".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n",
".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n",
".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n",
".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n",
".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n",
".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n",
".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n",
".highlight .sx { color: #008000 } /* Literal.String.Other */\n",
".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n",
".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n",
".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n",
".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n",
".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n",
".highlight .vc { color: #19177C } /* Name.Variable.Class */\n",
".highlight .vg { color: #19177C } /* Name.Variable.Global */\n",
".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n",
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span><span class=\"p\">{</span>\n",
" <span class=\"nt\">&quot;type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;ipv4-addr&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;value&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;177.60.40.7&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;resolves_to_refs&quot;</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n",
" <span class=\"s2\">&quot;1&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"s2\">&quot;2&quot;</span>\n",
" <span class=\"p\">]</span>\n",
"<span class=\"p\">}</span>\n",
"</pre></div>\n"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"execution_count": 16,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"from stix2 import IPv4Address\n",
"\n",
"ip4 = IPv4Address(\n",
" _valid_refs={\"1\": \"mac-addr\", \"2\": \"mac-addr\"},\n",
" value=\"177.60.40.7\",\n",
" resolves_to_refs=[\"1\", \"2\"]\n",
")\n",
"\n",
"print(ip4)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"#### Case 2: Specifying the name of the Cyber Observable Objects being referenced\n",
"The following example is just like the one provided in Case 1 above, with one key difference: instead of using strings to specify the type of the Cyber Observable Objects being referenced in ``_valid_refs``, the referenced Cyber Observable Objects are created beforehand and then their names are provided in ``_valid_refs``."
]
},
{
"cell_type": "code",
"execution_count": 17,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n",
".highlight { background: #f8f8f8; }\n",
".highlight .c { color: #408080; font-style: italic } /* Comment */\n",
".highlight .err { border: 1px solid #FF0000 } /* Error */\n",
".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n",
".highlight .o { color: #666666 } /* Operator */\n",
".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n",
".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n",
".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n",
".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n",
".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n",
".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n",
".highlight .gd { color: #A00000 } /* Generic.Deleted */\n",
".highlight .ge { font-style: italic } /* Generic.Emph */\n",
".highlight .gr { color: #FF0000 } /* Generic.Error */\n",
".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n",
".highlight .gi { color: #00A000 } /* Generic.Inserted */\n",
".highlight .go { color: #888888 } /* Generic.Output */\n",
".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n",
".highlight .gs { font-weight: bold } /* Generic.Strong */\n",
".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n",
".highlight .gt { color: #0044DD } /* Generic.Traceback */\n",
".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n",
".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n",
".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n",
".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n",
".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n",
".highlight .kt { color: #B00040 } /* Keyword.Type */\n",
".highlight .m { color: #666666 } /* Literal.Number */\n",
".highlight .s { color: #BA2121 } /* Literal.String */\n",
".highlight .na { color: #7D9029 } /* Name.Attribute */\n",
".highlight .nb { color: #008000 } /* Name.Builtin */\n",
".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n",
".highlight .no { color: #880000 } /* Name.Constant */\n",
".highlight .nd { color: #AA22FF } /* Name.Decorator */\n",
".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n",
".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n",
".highlight .nf { color: #0000FF } /* Name.Function */\n",
".highlight .nl { color: #A0A000 } /* Name.Label */\n",
".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n",
".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n",
".highlight .nv { color: #19177C } /* Name.Variable */\n",
".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n",
".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n",
".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n",
".highlight .mf { color: #666666 } /* Literal.Number.Float */\n",
".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n",
".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n",
".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n",
".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n",
".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n",
".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n",
".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n",
".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n",
".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n",
".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n",
".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n",
".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n",
".highlight .sx { color: #008000 } /* Literal.String.Other */\n",
".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n",
".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n",
".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n",
".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n",
".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n",
".highlight .vc { color: #19177C } /* Name.Variable.Class */\n",
".highlight .vg { color: #19177C } /* Name.Variable.Global */\n",
".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n",
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span><span class=\"p\">{</span>\n",
" <span class=\"nt\">&quot;type&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;ipv4-addr&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;value&quot;</span><span class=\"p\">:</span> <span class=\"s2\">&quot;177.60.40.7&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">&quot;resolves_to_refs&quot;</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n",
" <span class=\"s2\">&quot;1&quot;</span><span class=\"p\">,</span>\n",
" <span class=\"s2\">&quot;2&quot;</span>\n",
" <span class=\"p\">]</span>\n",
"<span class=\"p\">}</span>\n",
"</pre></div>\n"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"execution_count": 17,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"from stix2 import MACAddress\n",
"\n",
"mac_addr_a = MACAddress(value=\"a1:b2:c3:d4:e5:f6\")\n",
"mac_addr_b = MACAddress(value=\"a7:b8:c9:d0:e1:f2\")\n",
"\n",
"ip4_valid_refs = IPv4Address(\n",
" _valid_refs={\"1\": mac_addr_a, \"2\": mac_addr_b},\n",
" value=\"177.60.40.7\",\n",
" resolves_to_refs=[\"1\", \"2\"]\n",
")\n",
"\n",
"print(ip4_valid_refs)"
]
}
],
"metadata": {
@ -881,7 +1124,7 @@
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.6.5"
"version": "3.6.7"
}
},
"nbformat": 4,

206
docs/guide/markings.ipynb
View File

@ -1310,6 +1310,212 @@
"source": [
"malware.is_marked(TLP_WHITE.id, 'description')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Extracting Lang Data Markings or marking-definition Data Markings\n",
"\n",
"If you need a specific kind of marking, you can also filter them using the API. By default the library will get both types of markings by default. You can choose between `lang=True/False` or `marking_ref=True/False` depending on your use-case."
]
},
{
"cell_type": "code",
"execution_count": 16,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{\n",
" \"type\": \"indicator\",\n",
" \"spec_version\": \"2.1\",\n",
" \"id\": \"indicator--634ef462-d6b5-48bc-9d9f-b46a6919227c\",\n",
" \"created\": \"2019-05-03T18:36:44.354Z\",\n",
" \"modified\": \"2019-05-03T18:36:44.354Z\",\n",
" \"description\": \"Una descripcion sobre este indicador\",\n",
" \"indicator_types\": [\n",
" \"malware\"\n",
" ],\n",
" \"pattern\": \"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
" \"valid_from\": \"2019-05-03T18:36:44.354443Z\",\n",
" \"object_marking_refs\": [\n",
" \"marking-definition--f88d31f6-486f-44da-b317-01333bde0b82\"\n",
" ],\n",
" \"granular_markings\": [\n",
" {\n",
" \"lang\": \"es\",\n",
" \"selectors\": [\n",
" \"description\"\n",
" ]\n",
" },\n",
" {\n",
" \"marking_ref\": \"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\",\n",
" \"selectors\": [\n",
" \"description\"\n",
" ]\n",
" }\n",
" ]\n",
"}\n",
"['es', 'marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da']\n",
"['marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da']\n",
"['es']\n"
]
}
],
"source": [
"from stix2 import v21\n",
"\n",
"v21_indicator = v21.Indicator(\n",
" description=\"Una descripcion sobre este indicador\",\n",
" pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
" object_marking_refs=['marking-definition--f88d31f6-486f-44da-b317-01333bde0b82'],\n",
" indicator_types=['malware'],\n",
" granular_markings=[\n",
" {\n",
" 'selectors': ['description'],\n",
" 'lang': 'es'\n",
" },\n",
" {\n",
" 'selectors': ['description'],\n",
" 'marking_ref': 'marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da'\n",
" }\n",
" ]\n",
")\n",
"print(v21_indicator)\n",
"\n",
"# Gets both lang and marking_ref markings for 'description'\n",
"print(v21_indicator.get_markings('description'))\n",
"\n",
"# Exclude lang markings from results\n",
"print(v21_indicator.get_markings('description', lang=False))\n",
"\n",
"# Exclude marking-definition markings from results\n",
"print(v21_indicator.get_markings('description', marking_ref=False))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"In this same manner, calls to `clear_markings` and `set_markings` also have the ability to operate in for one or both types of markings."
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{\n",
" \"type\": \"indicator\",\n",
" \"spec_version\": \"2.1\",\n",
" \"id\": \"indicator--a612665a-2df4-4fd2-851c-7fbb8c92339a\",\n",
" \"created\": \"2019-05-03T19:13:59.010Z\",\n",
" \"modified\": \"2019-05-03T19:15:41.173Z\",\n",
" \"description\": \"Una descripcion sobre este indicador\",\n",
" \"indicator_types\": [\n",
" \"malware\"\n",
" ],\n",
" \"pattern\": \"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
" \"valid_from\": \"2019-05-03T19:13:59.010624Z\",\n",
" \"object_marking_refs\": [\n",
" \"marking-definition--f88d31f6-486f-44da-b317-01333bde0b82\"\n",
" ]\n",
"}\n"
]
}
],
"source": [
"print(v21_indicator.clear_markings(\"description\")) # By default, both types of markings will be removed"
]
},
{
"cell_type": "code",
"execution_count": 13,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{\n",
" \"type\": \"indicator\",\n",
" \"spec_version\": \"2.1\",\n",
" \"id\": \"indicator--982aeb4d-4dd3-4b04-aa50-a1d00c31986c\",\n",
" \"created\": \"2019-05-03T19:19:26.542Z\",\n",
" \"modified\": \"2019-05-03T19:20:51.818Z\",\n",
" \"description\": \"Una descripcion sobre este indicador\",\n",
" \"indicator_types\": [\n",
" \"malware\"\n",
" ],\n",
" \"pattern\": \"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
" \"valid_from\": \"2019-05-03T19:19:26.542267Z\",\n",
" \"object_marking_refs\": [\n",
" \"marking-definition--f88d31f6-486f-44da-b317-01333bde0b82\"\n",
" ],\n",
" \"granular_markings\": [\n",
" {\n",
" \"lang\": \"es\",\n",
" \"selectors\": [\n",
" \"description\"\n",
" ]\n",
" }\n",
" ]\n",
"}\n"
]
}
],
"source": [
"# If lang is False, no lang markings will be removed\n",
"print(v21_indicator.clear_markings(\"description\", lang=False))"
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{\n",
" \"type\": \"indicator\",\n",
" \"spec_version\": \"2.1\",\n",
" \"id\": \"indicator--de0316d6-38e1-43c2-af4f-649305251864\",\n",
" \"created\": \"2019-05-03T19:40:21.459Z\",\n",
" \"modified\": \"2019-05-03T19:40:26.431Z\",\n",
" \"description\": \"Una descripcion sobre este indicador\",\n",
" \"indicator_types\": [\n",
" \"malware\"\n",
" ],\n",
" \"pattern\": \"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
" \"valid_from\": \"2019-05-03T19:40:21.459582Z\",\n",
" \"object_marking_refs\": [\n",
" \"marking-definition--f88d31f6-486f-44da-b317-01333bde0b82\"\n",
" ],\n",
" \"granular_markings\": [\n",
" {\n",
" \"marking_ref\": \"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\",\n",
" \"selectors\": [\n",
" \"description\"\n",
" ]\n",
" }\n",
" ]\n",
"}\n"
]
}
],
"source": [
"# If marking_ref is False, no marking-definition markings will be removed\n",
"print(v21_indicator.clear_markings(\"description\", marking_ref=False))"
]
}
],
"metadata": {

2
setup.cfg
View File

@ -1,5 +1,5 @@
[bumpversion]
current_version = 1.1.0
current_version = 1.1.2
commit = True
tag = True

12
stix2/__init__.py
View File

@ -12,16 +12,8 @@
patterns
properties
utils
v20.bundle
v20.common
v20.observables
v20.sdo
v20.sro
v21.bundle
v21.common
v21.observables
v21.sdo
v21.sro
v20
v21
workbench
"""

9
stix2/base.py
View File

@ -143,12 +143,12 @@ class _STIXBase(collections.Mapping):
if custom_props:
self.__allow_custom = True
# Remove any keyword arguments whose value is None
# Remove any keyword arguments whose value is None or [] (i.e. empty list)
setting_kwargs = {}
props = kwargs.copy()
props.update(custom_props)
for prop_name, prop_value in props.items():
if prop_value is not None:
if prop_value is not None and prop_value != []:
setting_kwargs[prop_name] = prop_value
# Detect any missing required properties
@ -308,7 +308,10 @@ class _Observable(_STIXBase):
allowed_types = prop.valid_types
try:
ref_type = self._STIXBase__valid_refs[ref]
try:
ref_type = self._STIXBase__valid_refs[ref].type
except AttributeError:
ref_type = self._STIXBase__valid_refs[ref]
except TypeError:
raise ValueError("'%s' must be created with _valid_refs as a dict, not a list." % self.__class__.__name__)

2
stix2/datastore/__init__.py
View File

@ -420,7 +420,7 @@ class CompositeDataSource(DataSource):
"""Controller for all the attached DataSources.
A user can have a single CompositeDataSource as an interface
the a set of DataSources. When an API call is made to the
to a set of DataSources. When an API call is made to the
CompositeDataSource, it is delegated to each of the (real)
DataSources that are attached to it.

11
stix2/datastore/filesystem.py
View File

@ -1,21 +1,19 @@
"""Python STIX2 FileSystem Source/Sink"""
# Temporary while we address TODO statement
from __future__ import print_function
import errno
import io
import json
import os
import re
import stat
import sys
import six
from stix2 import v20, v21
from stix2.base import _STIXBase
from stix2.core import parse
from stix2.datastore import DataSink, DataSource, DataStoreMixin
from stix2.datastore import (
DataSink, DataSource, DataSourceError, DataStoreMixin,
)
from stix2.datastore.filters import Filter, FilterSet, apply_common_filters
from stix2.utils import format_datetime, get_type_from_id, is_marking
@ -544,9 +542,8 @@ class FileSystemSink(DataSink):
else:
stix_obj = v20.Bundle(stix_obj, allow_custom=self.allow_custom)
# TODO: Better handling of the overwriting case.
if os.path.isfile(file_path):
print("Attempted to overwrite file!", file_path, file=sys.stderr)
raise DataSourceError("Attempted to overwrite file (!) at: {}".format(file_path))
else:
with io.open(file_path, 'w', encoding=encoding) as f:
stix_obj = stix_obj.serialize(pretty=True, encoding=encoding, ensure_ascii=False)

13
stix2/exceptions.py
View File

@ -203,3 +203,16 @@ class MarkingNotFoundError(STIXError, AssertionError):
def __str__(self):
msg = "Marking {0} was not found in {1}!"
return msg.format(self.key, self.cls.__class__.__name__)
class TLPMarkingDefinitionError(STIXError, AssertionError):
"""Marking violation. The marking-definition for TLP MUST follow the mandated instances from the spec."""
def __init__(self, user_obj, spec_obj):
super(TLPMarkingDefinitionError, self).__init__()
self.user_obj = user_obj
self.spec_obj = spec_obj
def __str__(self):
msg = "Marking {0} does not match spec marking {1}!"
return msg.format(self.user_obj, self.spec_obj)

42
stix2/markings/__init__.py
View File

@ -22,7 +22,7 @@ Note:
from stix2.markings import granular_markings, object_markings
def get_markings(obj, selectors=None, inherited=False, descendants=False):
def get_markings(obj, selectors=None, inherited=False, descendants=False, marking_ref=True, lang=True):
"""
Get all markings associated to the field(s) specified by selectors.
@ -30,10 +30,13 @@ def get_markings(obj, selectors=None, inherited=False, descendants=False):
obj: An SDO or SRO object.
selectors: string or list of selectors strings relative to the SDO or
SRO in which the properties appear.
inherited: If True, include object level markings and granular markings
inherited relative to the properties.
descendants: If True, include granular markings applied to any children
relative to the properties.
inherited (bool): If True, include object level markings and granular
markings inherited relative to the properties.
descendants (bool): If True, include granular markings applied to any
children relative to the properties.
marking_ref (bool): If False, excludes markings that use
``marking_ref`` property.
lang (bool): If False, excludes markings that use ``lang`` property.
Returns:
list: Marking identifiers that matched the selectors expression.
@ -51,6 +54,8 @@ def get_markings(obj, selectors=None, inherited=False, descendants=False):
selectors,
inherited,
descendants,
marking_ref,
lang,
)
if inherited:
@ -59,7 +64,7 @@ def get_markings(obj, selectors=None, inherited=False, descendants=False):
return list(set(results))
def set_markings(obj, marking, selectors=None):
def set_markings(obj, marking, selectors=None, marking_ref=True, lang=True):
"""
Remove all markings associated with selectors and appends a new granular
marking. Refer to `clear_markings` and `add_markings` for details.
@ -70,6 +75,10 @@ def set_markings(obj, marking, selectors=None):
properties selected by `selectors`.
selectors: string or list of selectors strings relative to the SDO or
SRO in which the properties appear.
marking_ref (bool): If False, markings that use the ``marking_ref``
property will not be removed.
lang (bool): If False, markings that use the ``lang`` property
will not be removed.
Returns:
A new version of the given SDO or SRO with specified markings removed
@ -83,7 +92,7 @@ def set_markings(obj, marking, selectors=None):
if selectors is None:
return object_markings.set_markings(obj, marking)
else:
return granular_markings.set_markings(obj, marking, selectors)
return granular_markings.set_markings(obj, marking, selectors, marking_ref, lang)
def remove_markings(obj, marking, selectors=None):
@ -144,7 +153,7 @@ def add_markings(obj, marking, selectors=None):
return granular_markings.add_markings(obj, marking, selectors)
def clear_markings(obj, selectors=None):
def clear_markings(obj, selectors=None, marking_ref=True, lang=True):
"""
Remove all markings associated with the selectors.
@ -152,6 +161,10 @@ def clear_markings(obj, selectors=None):
obj: An SDO or SRO object.
selectors: string or list of selectors strings relative to the SDO or
SRO in which the field(s) appear(s).
marking_ref (bool): If False, markings that use the ``marking_ref``
property will not be removed.
lang (bool): If False, markings that use the ``lang`` property
will not be removed.
Raises:
InvalidSelectorError: If `selectors` fail validation.
@ -169,7 +182,7 @@ def clear_markings(obj, selectors=None):
if selectors is None:
return object_markings.clear_markings(obj)
else:
return granular_markings.clear_markings(obj, selectors)
return granular_markings.clear_markings(obj, selectors, marking_ref, lang)
def is_marked(obj, marking=None, selectors=None, inherited=False, descendants=False):
@ -182,10 +195,11 @@ def is_marked(obj, marking=None, selectors=None, inherited=False, descendants=Fa
properties selected by `selectors`.
selectors: string or list of selectors strings relative to the SDO or
SRO in which the field(s) appear(s).
inherited: If True, include object level markings and granular markings
inherited to determine if the properties is/are marked.
descendants: If True, include granular markings applied to any children
of the given selector to determine if the properties is/are marked.
inherited (bool): If True, include object level markings and granular
markings inherited to determine if the properties is/are marked.
descendants (bool): If True, include granular markings applied to any
children of the given selector to determine if the properties
is/are marked.
Returns:
bool: True if ``selectors`` is found on internal SDO or SRO collection.
@ -228,7 +242,7 @@ def is_marked(obj, marking=None, selectors=None, inherited=False, descendants=Fa
return result
class _MarkingsMixin():
class _MarkingsMixin(object):
pass

84
stix2/markings/granular_markings.py
View File

@ -2,10 +2,10 @@
from stix2 import exceptions
from stix2.markings import utils
from stix2.utils import new_version
from stix2.utils import is_marking, new_version
def get_markings(obj, selectors, inherited=False, descendants=False):
def get_markings(obj, selectors, inherited=False, descendants=False, marking_ref=True, lang=True):
"""
Get all granular markings associated to with the properties.
@ -13,10 +13,13 @@ def get_markings(obj, selectors, inherited=False, descendants=False):
obj: An SDO or SRO object.
selectors: string or list of selector strings relative to the SDO or
SRO in which the properties appear.
inherited: If True, include markings inherited relative to the
inherited (bool): If True, include markings inherited relative to the
properties.
descendants: If True, include granular markings applied to any children
relative to the properties.
descendants (bool): If True, include granular markings applied to any
children relative to the properties.
marking_ref (bool): If False, excludes markings that use
``marking_ref`` property.
lang (bool): If False, excludes markings that use ``lang`` property.
Raises:
InvalidSelectorError: If `selectors` fail validation.
@ -43,13 +46,18 @@ def get_markings(obj, selectors, inherited=False, descendants=False):
(user_selector.startswith(marking_selector) and inherited), # Catch inherited selectors.
(marking_selector.startswith(user_selector) and descendants),
]): # Catch descendants selectors
refs = marking.get('marking_ref', [])
results.update([refs])
ref = marking.get('marking_ref')
lng = marking.get('lang')
if ref and marking_ref:
results.add(ref)
if lng and lang:
results.add(lng)
return list(results)
def set_markings(obj, marking, selectors):
def set_markings(obj, marking, selectors, marking_ref=True, lang=True):
"""
Remove all granular markings associated with selectors and append a new
granular marking. Refer to `clear_markings` and `add_markings` for details.
@ -60,19 +68,25 @@ def set_markings(obj, marking, selectors):
SRO in which the properties appear.
marking: identifier or list of marking identifiers that apply to the
properties selected by `selectors`.
marking_ref (bool): If False, markings that use the ``marking_ref``
property will not be removed.
lang (bool): If False, markings that use the ``lang`` property
will not be removed.
Returns:
A new version of the given SDO or SRO with specified markings removed
and new ones added.
"""
obj = clear_markings(obj, selectors)
obj = clear_markings(obj, selectors, marking_ref, lang)
return add_markings(obj, marking, selectors)
def remove_markings(obj, marking, selectors):
"""
Remove a granular marking from the granular_markings collection.
Remove a granular marking from the granular_markings collection. The method
makes a best-effort attempt to distinguish between a marking-definition
or language granular marking.
Args:
obj: An SDO or SRO object.
@ -103,7 +117,10 @@ def remove_markings(obj, marking, selectors):
to_remove = []
for m in marking:
to_remove.append({'marking_ref': m, 'selectors': selectors})
if is_marking(m):
to_remove.append({'marking_ref': m, 'selectors': selectors})
else:
to_remove.append({'lang': m, 'selectors': selectors})
remove = utils.build_granular_marking(to_remove).get('granular_markings')
@ -124,7 +141,9 @@ def remove_markings(obj, marking, selectors):
def add_markings(obj, marking, selectors):
"""
Append a granular marking to the granular_markings collection.
Append a granular marking to the granular_markings collection. The method
makes a best-effort attempt to distinguish between a marking-definition
or language granular marking.
Args:
obj: An SDO or SRO object.
@ -146,7 +165,10 @@ def add_markings(obj, marking, selectors):
granular_marking = []
for m in marking:
granular_marking.append({'marking_ref': m, 'selectors': sorted(selectors)})
if is_marking(m):
granular_marking.append({'marking_ref': m, 'selectors': sorted(selectors)})
else:
granular_marking.append({'lang': m, 'selectors': sorted(selectors)})
if obj.get('granular_markings'):
granular_marking.extend(obj.get('granular_markings'))
@ -156,7 +178,7 @@ def add_markings(obj, marking, selectors):
return new_version(obj, granular_markings=granular_marking, allow_custom=True)
def clear_markings(obj, selectors):
def clear_markings(obj, selectors, marking_ref=True, lang=True):
"""
Remove all granular markings associated with the selectors.
@ -164,6 +186,10 @@ def clear_markings(obj, selectors):
obj: An SDO or SRO object.
selectors: string or list of selectors strings relative to the SDO or
SRO in which the properties appear.
marking_ref (bool): If False, markings that use the ``marking_ref``
property will not be removed.
lang (bool): If False, markings that use the ``lang`` property
will not be removed.
Raises:
InvalidSelectorError: If `selectors` fail validation.
@ -184,11 +210,12 @@ def clear_markings(obj, selectors):
granular_markings = utils.expand_markings(granular_markings)
sdo = utils.build_granular_marking(
[{'selectors': selectors, 'marking_ref': 'N/A'}],
)
granular_dict = utils.build_granular_marking([
{'selectors': selectors, 'marking_ref': 'N/A'},
{'selectors': selectors, 'lang': 'N/A'},
])
clear = sdo.get('granular_markings', [])
clear = granular_dict.get('granular_markings', [])
if not any(
clear_selector in sdo_selectors.get('selectors', [])
@ -201,10 +228,13 @@ def clear_markings(obj, selectors):
for granular_marking in granular_markings:
for s in selectors:
if s in granular_marking.get('selectors', []):
marking_refs = granular_marking.get('marking_ref')
ref = granular_marking.get('marking_ref')
lng = granular_marking.get('lang')
if marking_refs:
if ref and marking_ref:
granular_marking['marking_ref'] = ''
if lng and lang:
granular_marking['lang'] = ''
granular_markings = utils.compress_markings(granular_markings)
@ -222,11 +252,12 @@ def is_marked(obj, marking=None, selectors=None, inherited=False, descendants=Fa
obj: An SDO or SRO object.
marking: identifier or list of marking identifiers that apply to the
properties selected by `selectors`.
selectors: string or list of selectors strings relative to the SDO or
SRO in which the properties appear.
inherited: If True, return markings inherited from the given selector.
descendants: If True, return granular markings applied to any children
of the given selector.
selectors (bool): string or list of selectors strings relative to the
SDO or SRO in which the properties appear.
inherited (bool): If True, return markings inherited from the given
selector.
descendants (bool): If True, return granular markings applied to any
children of the given selector.
Raises:
InvalidSelectorError: If `selectors` fail validation.
@ -262,9 +293,12 @@ def is_marked(obj, marking=None, selectors=None, inherited=False, descendants=Fa
(marking_selector.startswith(user_selector) and descendants),
]): # Catch descendants selectors
marking_ref = granular_marking.get('marking_ref', '')
lang = granular_marking.get('lang', '')
if marking and any(x == marking_ref for x in marking):
markings.update([marking_ref])
if marking and any(x == lang for x in marking):
markings.update([lang])
marked = True

110
stix2/markings/utils.py
View File

@ -4,7 +4,7 @@ import collections
import six
from stix2 import exceptions
from stix2 import exceptions, utils
def _evaluate_expression(obj, selector):
@ -121,10 +121,15 @@ def compress_markings(granular_markings):
if granular_marking.get('marking_ref'):
map_[granular_marking.get('marking_ref')].update(granular_marking.get('selectors'))
if granular_marking.get('lang'):
map_[granular_marking.get('lang')].update(granular_marking.get('selectors'))
compressed = \
[
{'marking_ref': marking_ref, 'selectors': sorted(selectors)}
for marking_ref, selectors in six.iteritems(map_)
{'marking_ref': item, 'selectors': sorted(selectors)}
if utils.is_marking(item) else
{'lang': item, 'selectors': sorted(selectors)}
for item, selectors in six.iteritems(map_)
]
return compressed
@ -174,13 +179,22 @@ def expand_markings(granular_markings):
for marking in granular_markings:
selectors = marking.get('selectors')
marking_ref = marking.get('marking_ref')
lang = marking.get('lang')
expanded.extend(
[
{'marking_ref': marking_ref, 'selectors': [selector]}
for selector in selectors
],
)
if marking_ref:
expanded.extend(
[
{'marking_ref': marking_ref, 'selectors': [selector]}
for selector in selectors
],
)
if lang:
expanded.extend(
[
{'lang': lang, 'selectors': [selector]}
for selector in selectors
],
)
return expanded
@ -240,3 +254,81 @@ def iterpath(obj, path=None):
path.pop()
path.pop()
def check_tlp_marking(marking_obj, spec_version):
# Specific TLP Marking validation case.
if marking_obj["definition_type"] == "tlp":
color = marking_obj["definition"]["tlp"]
if color == "white":
if spec_version == '2.0':
w = (
'{"created": "2017-01-20T00:00:00.000Z", "definition": {"tlp": "white"}, "definition_type": "tlp",'
' "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "type": "marking-definition"}'
)
else:
w = (
'{"created": "2017-01-20T00:00:00.000Z", "definition": {"tlp": "white"}, "definition_type": "tlp",'
' "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "type": "marking-definition",'
' "spec_version": "2.1"}'
)
if marking_obj["id"] != "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9":
raise exceptions.TLPMarkingDefinitionError(marking_obj["id"], w)
elif utils.format_datetime(marking_obj["created"]) != "2017-01-20T00:00:00.000Z":
raise exceptions.TLPMarkingDefinitionError(utils.format_datetime(marking_obj["created"]), w)
elif color == "green":
if spec_version == '2.0':
g = (
'{"created": "2017-01-20T00:00:00.000Z", "definition": {"tlp": "green"}, "definition_type": "tlp",'
' "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", "type": "marking-definition"}'
)
else:
g = (
'{"created": "2017-01-20T00:00:00.000Z", "definition": {"tlp": "green"}, "definition_type": "tlp",'
' "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", "type": "marking-definition",'
' "spec_version": "2.1"}'
)
if marking_obj["id"] != "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da":
raise exceptions.TLPMarkingDefinitionError(marking_obj["id"], g)
elif utils.format_datetime(marking_obj["created"]) != "2017-01-20T00:00:00.000Z":
raise exceptions.TLPMarkingDefinitionError(utils.format_datetime(marking_obj["created"]), g)
elif color == "amber":
if spec_version == '2.0':
a = (
'{"created": "2017-01-20T00:00:00.000Z", "definition": {"tlp": "amber"}, "definition_type": "tlp",'
' "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", "type": "marking-definition"}'
)
else:
a = (
'{"created": "2017-01-20T00:00:00.000Z", "definition": {"tlp": "amber"}, "definition_type": "tlp",'
' "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", "type": "marking-definition",'
' "spec_version": "2.1"}'
)
if marking_obj["id"] != "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82":
raise exceptions.TLPMarkingDefinitionError(marking_obj["id"], a)
elif utils.format_datetime(marking_obj["created"]) != "2017-01-20T00:00:00.000Z":
raise exceptions.TLPMarkingDefinitionError(utils.format_datetime(marking_obj["created"]), a)
elif color == "red":
if spec_version == '2.0':
r = (
'{"created": "2017-01-20T00:00:00.000Z", "definition": {"tlp": "red"}, "definition_type": "tlp",'
' "id": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed", "type": "marking-definition"}'
)
else:
r = (
'{"created": "2017-01-20T00:00:00.000Z", "definition": {"tlp": "red"}, "definition_type": "tlp",'
' "id": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed", "type": "marking-definition",'
' "spec_version": "2.1"}'
)
if marking_obj["id"] != "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed":
raise exceptions.TLPMarkingDefinitionError(marking_obj["id"], r)
elif utils.format_datetime(marking_obj["created"]) != "2017-01-20T00:00:00.000Z":
raise exceptions.TLPMarkingDefinitionError(utils.format_datetime(marking_obj["created"]), r)
else:
raise exceptions.TLPMarkingDefinitionError(marking_obj["id"], "Does not match any TLP Marking definition")

39
stix2/properties.py
View File

@ -13,7 +13,7 @@ from stix2patterns.validator import run_validator
import stix2
from .base import _STIXBase
from .base import _Observable, _STIXBase
from .core import STIX2_OBJ_MAPS, parse, parse_observable
from .exceptions import CustomContentError, DictionaryKeyError
from .utils import _get_dict, get_class_hierarchy_names, parse_into_datetime
@ -208,14 +208,28 @@ class ListProperty(Property):
return result
class CallableValues(list):
"""Wrapper to allow `values()` method on WindowsRegistryKey objects.
Needed because `values` is also a property.
"""
def __init__(self, parent_instance, *args, **kwargs):
self.parent_instance = parent_instance
super(CallableValues, self).__init__(*args, **kwargs)
def __call__(self):
return _Observable.values(self.parent_instance)
class StringProperty(Property):
def __init__(self, **kwargs):
self.string_type = text_type
super(StringProperty, self).__init__(**kwargs)
def clean(self, value):
return self.string_type(value)
if not isinstance(value, string_types):
return text_type(value)
return value
class TypeProperty(Property):
@ -330,8 +344,6 @@ class DictionaryProperty(Property):
dictified = _get_dict(value)
except ValueError:
raise ValueError("The dictionary property must contain a dictionary")
if dictified == {}:
raise ValueError("The dictionary property must contain a non-empty dictionary")
for k in dictified.keys():
if self.spec_version == '2.0':
if len(k) < 3:
@ -466,21 +478,22 @@ class EnumProperty(StringProperty):
super(EnumProperty, self).__init__(**kwargs)
def clean(self, value):
value = super(EnumProperty, self).clean(value)
if value not in self.allowed:
raise ValueError("value '{}' is not valid for this enumeration.".format(value))
return self.string_type(value)
cleaned_value = super(EnumProperty, self).clean(value)
if cleaned_value not in self.allowed:
raise ValueError("value '{}' is not valid for this enumeration.".format(cleaned_value))
return cleaned_value
class PatternProperty(StringProperty):
def clean(self, value):
str_value = super(PatternProperty, self).clean(value)
errors = run_validator(str_value)
cleaned_value = super(PatternProperty, self).clean(value)
errors = run_validator(cleaned_value)
if errors:
raise ValueError(str(errors[0]))
return self.string_type(value)
return cleaned_value
class ObservableProperty(Property):
@ -536,8 +549,6 @@ class ExtensionsProperty(DictionaryProperty):
dictified = copy.deepcopy(dictified)
except ValueError:
raise ValueError("The extensions property must contain a dictionary")
if dictified == {}:
raise ValueError("The extensions property must contain a non-empty dictionary")
v = 'v' + self.spec_version.replace('.', '')

2
stix2/test/v20/constants.py
View File

@ -50,7 +50,7 @@ CAMPAIGN_KWARGS = dict(
CAMPAIGN_MORE_KWARGS = dict(
type='campaign',
id=CAMPAIGN_ID,
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00.000Z",
modified="2016-04-06T20:03:00.000Z",
name="Green Group Attacks Against Finance",

4
stix2/test/v20/stix2_data/attack-pattern/attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22/20170531213019735010.json
View File

@ -2,7 +2,7 @@
"id": "bundle--f68640b4-0cdc-42ae-b176-def1754a1ea0",
"objects": [
{
"created": "2017-05-31T21:30:19.73501Z",
"created": "2017-05-31T21:30:19.735Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries.\n\nPlaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective DLL Injection to reduce potential indicators of malicious activity.\n\nNTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Legitimate Credentials in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[[Citation: Powersploit]] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs",
"external_references": [
@ -29,7 +29,7 @@
"phase_name": "credential-access"
}
],
"modified": "2017-05-31T21:30:19.73501Z",
"modified": "2017-05-31T21:30:19.735Z",
"name": "Credential Dumping",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/attack-pattern/attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b/20170531213026496201.json
View File

@ -2,7 +2,7 @@
"id": "bundle--b07d6fd6-7cc5-492d-a1eb-9ba956b329d5",
"objects": [
{
"created": "2017-05-31T21:30:26.496201Z",
"created": "2017-05-31T21:30:26.496Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the Basic Input/Output System.[[Citation: Wikipedia Rootkit]]\n\nAdversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.\n\nDetection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR.[[Citation: Wikipedia Rootkit]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: BIOS, MBR, System calls",
"external_references": [
@ -24,7 +24,7 @@
"phase_name": "defense-evasion"
}
],
"modified": "2017-05-31T21:30:26.496201Z",
"modified": "2017-05-31T21:30:26.496Z",
"name": "Rootkit",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/attack-pattern/attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9/20170531213029458940.json
View File

@ -2,7 +2,7 @@
"id": "bundle--1a854c96-639e-4771-befb-e7b960a65974",
"objects": [
{
"created": "2017-05-31T21:30:29.45894Z",
"created": "2017-05-31T21:30:29.458Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Data, such as sensitive documents, may be exfiltrated through the use of automated processing or Scripting after being gathered during Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.\n\nDetection: Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process use of network",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "exfiltration"
}
],
"modified": "2017-05-31T21:30:29.45894Z",
"modified": "2017-05-31T21:30:29.458Z",
"name": "Automated Exfiltration",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/attack-pattern/attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475/20170531213045139269.json
View File

@ -2,7 +2,7 @@
"id": "bundle--33e3e33a-38b8-4a37-9455-5b8c82d3b10a",
"objects": [
{
"created": "2017-05-31T21:30:45.139269Z",
"created": "2017-05-31T21:30:45.139Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Adversaries may attempt to get a listing of network connections to or from the compromised system.\nUtilities and commands that acquire this information include netstat, \"net use,\" and \"net session\" with Net.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Process command-line parameters, Process monitoring",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "discovery"
}
],
"modified": "2017-05-31T21:30:45.139269Z",
"modified": "2017-05-31T21:30:45.139Z",
"name": "Local Network Connections Discovery",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/attack-pattern/attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c/20170531213041022897.json
View File

@ -2,7 +2,7 @@
"id": "bundle--a87938c5-cc1e-4e06-a8a3-b10243ae397d",
"objects": [
{
"created": "2017-05-31T21:30:41.022897Z",
"created": "2017-05-31T21:30:41.022Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to cmd may be used to gather information.\n\nDetection: Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "collection"
}
],
"modified": "2017-05-31T21:30:41.022897Z",
"modified": "2017-05-31T21:30:41.022Z",
"name": "Data from Network Shared Drive",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/attack-pattern/attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a/20170531213032662702.json
View File

@ -2,7 +2,7 @@
"id": "bundle--5ddaeff9-eca7-4094-9e65-4f53da21a444",
"objects": [
{
"created": "2017-05-31T21:30:32.662702Z",
"created": "2017-05-31T21:30:32.662Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system.\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "defense-evasion"
}
],
"modified": "2017-05-31T21:30:32.662702Z",
"modified": "2017-05-31T21:30:32.662Z",
"name": "Obfuscated Files or Information",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/course-of-action/course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f/20170531213026495974.json
View File

@ -2,11 +2,11 @@
"id": "bundle--a42d26fe-c938-4074-a1b3-50d852e6f0bd",
"objects": [
{
"created": "2017-05-31T21:30:26.495974Z",
"created": "2017-05-31T21:30:26.495Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"id": "course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f",
"modified": "2017-05-31T21:30:26.495974Z",
"modified": "2017-05-31T21:30:26.495Z",
"name": "Rootkit Mitigation",
"type": "course-of-action"
}

4
stix2/test/v20/stix2_data/course-of-action/course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd/20170531213041022744.json
View File

@ -1,9 +1,9 @@
{
"created": "2017-05-31T21:30:41.022744Z",
"created": "2017-05-31T21:30:41.022Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"id": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd",
"modified": "2017-05-31T21:30:41.022744Z",
"modified": "2017-05-31T21:30:41.022Z",
"name": "Data from Network Shared Drive Mitigation",
"type": "course-of-action"
}

4
stix2/test/v20/stix2_data/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5/20170601000000000000.json
View File

@ -2,10 +2,10 @@
"id": "bundle--81884287-2548-47fc-a997-39489ddd5462",
"objects": [
{
"created": "2017-06-01T00:00:00Z",
"created": "2017-06-01T00:00:00.000Z",
"id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"identity_class": "organization",
"modified": "2017-06-01T00:00:00Z",
"modified": "2017-06-01T00:00:00.000Z",
"name": "The MITRE Corporation",
"type": "identity"
}

4
stix2/test/v20/stix2_data/intrusion-set/intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064/20170531213149412497.json
View File

@ -10,7 +10,7 @@
"PinkPanther",
"Black Vine"
],
"created": "2017-05-31T21:31:49.412497Z",
"created": "2017-05-31T21:31:49.412Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.Deep Panda.Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[[Citation: Symantec Black Vine]]",
"external_references": [
@ -41,7 +41,7 @@
}
],
"id": "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064",
"modified": "2017-05-31T21:31:49.412497Z",
"modified": "2017-05-31T21:31:49.412Z",
"name": "Deep Panda",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/intrusion-set/intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a/20170531213153197755.json
View File

@ -5,7 +5,7 @@
"aliases": [
"DragonOK"
],
"created": "2017-05-31T21:31:53.197755Z",
"created": "2017-05-31T21:31:53.197Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [[Citation: Operation Quantum Entanglement]][[Citation: Symbiotic APT Groups]] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [[Citation: New DragonOK]]",
"external_references": [
@ -31,7 +31,7 @@
}
],
"id": "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"modified": "2017-05-31T21:31:53.197755Z",
"modified": "2017-05-31T21:31:53.197Z",
"name": "DragonOK",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20170531213258226477.json
View File

@ -2,7 +2,7 @@
"id": "bundle--f64de948-7067-4534-8018-85f03d470625",
"objects": [
{
"created": "2017-05-31T21:32:58.226477Z",
"created": "2017-05-31T21:32:58.226Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.[[Citation: Palo Alto Rover]]",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"malware"
],
"modified": "2017-05-31T21:32:58.226477Z",
"modified": "2017-05-31T21:32:58.226Z",
"name": "Rover",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/malware/malware--92ec0cbd-2c30-44a2-b270-73f4ec949841/20170531213326565056.json
View File

@ -2,7 +2,7 @@
"id": "bundle--c633942b-545c-4c87-91b7-9fe5740365e0",
"objects": [
{
"created": "2017-05-31T21:33:26.565056Z",
"created": "2017-05-31T21:33:26.565Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).[[Citation: ESET RTM Feb 2017]]",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"malware"
],
"modified": "2017-05-31T21:33:26.565056Z",
"modified": "2017-05-31T21:33:26.565Z",
"name": "RTM",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/malware/malware--96b08451-b27a-4ff6-893f-790e26393a8e/20170531213248482655.json
View File

@ -2,7 +2,7 @@
"id": "bundle--09ce4338-8741-4fcf-9738-d216c8e40974",
"objects": [
{
"created": "2017-05-31T21:32:48.482655Z",
"created": "2017-05-31T21:32:48.482Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.[[Citation: Dell Sakula]]\n\nAliases: Sakula, Sakurel, VIPER",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"malware"
],
"modified": "2017-05-31T21:32:48.482655Z",
"modified": "2017-05-31T21:32:48.482Z",
"name": "Sakula",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/malware/malware--b42378e0-f147-496f-992a-26a49705395b/20170531213215263882.json
View File

@ -2,7 +2,7 @@
"id": "bundle--611947ce-ae3b-4fdb-b297-aed8eab22e4f",
"objects": [
{
"created": "2017-05-31T21:32:15.263882Z",
"created": "2017-05-31T21:32:15.263Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.[[Citation: FireEye Poison Ivy]]\n\nAliases: PoisonIvy, Poison Ivy",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"malware"
],
"modified": "2017-05-31T21:32:15.263882Z",
"modified": "2017-05-31T21:32:15.263Z",
"name": "PoisonIvy",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/relationship/relationship--0d4a7788-7f3b-4df8-a498-31a38003c883/20170531213327182784.json
View File

@ -2,10 +2,10 @@
"id": "bundle--7e715462-dd9d-40b9-968a-10ef0ecf126d",
"objects": [
{
"created": "2017-05-31T21:33:27.182784Z",
"created": "2017-05-31T21:33:27.182Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--0d4a7788-7f3b-4df8-a498-31a38003c883",
"modified": "2017-05-31T21:33:27.182784Z",
"modified": "2017-05-31T21:33:27.182Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v20/stix2_data/relationship/relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227/20170531213327082801.json
View File

@ -2,10 +2,10 @@
"id": "bundle--a53eef35-abfc-4bcd-b84e-a048f7b4a9bf",
"objects": [
{
"created": "2017-05-31T21:33:27.082801Z",
"created": "2017-05-31T21:33:27.082Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227",
"modified": "2017-05-31T21:33:27.082801Z",
"modified": "2017-05-31T21:33:27.082Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v20/stix2_data/relationship/relationship--1e91cd45-a725-4965-abe3-700694374432/20170531213327018782.json
View File

@ -2,10 +2,10 @@
"id": "bundle--0b9f6412-314f-44e3-8779-9738c9578ef5",
"objects": [
{
"created": "2017-05-31T21:33:27.018782Z",
"created": "2017-05-31T21:33:27.018Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--1e91cd45-a725-4965-abe3-700694374432",
"modified": "2017-05-31T21:33:27.018782Z",
"modified": "2017-05-31T21:33:27.018Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v20/stix2_data/relationship/relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e/20170531213327100701.json
View File

@ -2,10 +2,10 @@
"id": "bundle--6d5b04a8-efb2-4179-990e-74f1dcc76e0c",
"objects": [
{
"created": "2017-05-31T21:33:27.100701Z",
"created": "2017-05-31T21:33:27.100Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e",
"modified": "2017-05-31T21:33:27.100701Z",
"modified": "2017-05-31T21:33:27.100Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v20/stix2_data/relationship/relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1/20170531213327143973.json
View File

@ -2,10 +2,10 @@
"id": "bundle--a7efc025-040d-49c7-bf97-e5a1120ecacc",
"objects": [
{
"created": "2017-05-31T21:33:27.143973Z",
"created": "2017-05-31T21:33:27.143Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1",
"modified": "2017-05-31T21:33:27.143973Z",
"modified": "2017-05-31T21:33:27.143Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v20/stix2_data/relationship/relationship--592d0c31-e61f-495e-a60e-70d7be59a719/20170531213327021562.json
View File

@ -2,10 +2,10 @@
"id": "bundle--9f013d47-7704-41c2-9749-23d0d94af94d",
"objects": [
{
"created": "2017-05-31T21:33:27.021562Z",
"created": "2017-05-31T21:33:27.021Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--592d0c31-e61f-495e-a60e-70d7be59a719",
"modified": "2017-05-31T21:33:27.021562Z",
"modified": "2017-05-31T21:33:27.021Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v20/stix2_data/relationship/relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1/20170531213327044387.json
View File

@ -2,10 +2,10 @@
"id": "bundle--15167b24-4cee-4c96-a140-32a6c37df4b4",
"objects": [
{
"created": "2017-05-31T21:33:27.044387Z",
"created": "2017-05-31T21:33:27.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1",
"modified": "2017-05-31T21:33:27.044387Z",
"modified": "2017-05-31T21:33:27.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v20/stix2_data/relationship/relationship--8797579b-e3be-4209-a71b-255a4d08243d/20170531213327051532.json
View File

@ -2,10 +2,10 @@
"id": "bundle--ff845dca-7036-416f-aae0-95030994c49f",
"objects": [
{
"created": "2017-05-31T21:33:27.051532Z",
"created": "2017-05-31T21:33:27.051Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--8797579b-e3be-4209-a71b-255a4d08243d",
"modified": "2017-05-31T21:33:27.051532Z",
"modified": "2017-05-31T21:33:27.051Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v20/stix2_data/tool/tool--03342581-f790-4f03-ba41-e82e67392e23/20170531213231601148.json
View File

@ -2,7 +2,7 @@
"id": "bundle--d8826afc-1561-4362-a4e3-05a4c2c3ac3c",
"objects": [
{
"created": "2017-05-31T21:32:31.601148Z",
"created": "2017-05-31T21:32:31.601Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"external_references": [
@ -26,7 +26,7 @@
"labels": [
"tool"
],
"modified": "2017-05-31T21:32:31.601148Z",
"modified": "2017-05-31T21:32:31.601Z",
"name": "Net",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v20/stix2_data/tool/tool--242f3da3-4425-4d11-8f5c-b842886da966/20170531213212684914.json
View File

@ -2,7 +2,7 @@
"id": "bundle--7dbde18f-6f14-4bf0-8389-505c89d6d5a6",
"objects": [
{
"created": "2017-05-31T21:32:12.684914Z",
"created": "2017-05-31T21:32:12.684Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"tool"
],
"modified": "2017-05-31T21:32:12.684914Z",
"modified": "2017-05-31T21:32:12.684Z",
"name": "Windows Credential Editor",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

38
stix2/test/v20/test_attack_pattern.py
View File

@ -25,7 +25,7 @@ EXPECTED = """{
def test_attack_pattern_example():
ap = stix2.v20.AttackPattern(
id="attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27.000Z",
modified="2016-05-12T08:17:27.000Z",
name="Spear Phishing",
@ -44,7 +44,7 @@ def test_attack_pattern_example():
EXPECTED,
{
"type": "attack-pattern",
"id": "attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"id": ATTACK_PATTERN_ID,
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"description": "...",
@ -74,11 +74,43 @@ def test_parse_attack_pattern(data):
def test_attack_pattern_invalid_labels():
with pytest.raises(stix2.exceptions.InvalidValueError):
stix2.v20.AttackPattern(
id="attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27Z",
modified="2016-05-12T08:17:27Z",
name="Spear Phishing",
labels=1,
)
def test_overly_precise_timestamps():
ap = stix2.v20.AttackPattern(
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27.0000342Z",
modified="2016-05-12T08:17:27.000287Z",
name="Spear Phishing",
external_references=[{
"source_name": "capec",
"external_id": "CAPEC-163",
}],
description="...",
)
assert str(ap) == EXPECTED
def test_less_precise_timestamps():
ap = stix2.v20.AttackPattern(
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27.00Z",
modified="2016-05-12T08:17:27.0Z",
name="Spear Phishing",
external_references=[{
"source_name": "capec",
"external_id": "CAPEC-163",
}],
description="...",
)
assert str(ap) == EXPECTED
# TODO: Add other examples

101
stix2/test/v20/test_bundle.py
View File

@ -4,6 +4,8 @@ import pytest
import stix2
from .constants import IDENTITY_ID
EXPECTED_BUNDLE = """{
"type": "bundle",
"id": "bundle--00000000-0000-4000-8000-000000000007",
@ -185,7 +187,7 @@ def test_parse_unknown_type():
"id": "other--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created": "2016-04-06T20:03:00Z",
"modified": "2016-04-06T20:03:00Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "Campaign by Green Group against a series of targets in the financial services sector.",
"name": "Green Group Attacks Against Finance",
}
@ -234,3 +236,100 @@ def test_bundle_with_different_spec_objects():
stix2.v20.Bundle(objects=data)
assert "Spec version 2.0 bundles don't yet support containing objects of a different spec version." in str(excinfo.value)
def test_bundle_obj_id_found():
bundle = stix2.parse(EXPECTED_BUNDLE)
mal_list = bundle.get_obj("malware--00000000-0000-4000-8000-000000000003")
assert bundle.objects[1] == mal_list[0]
assert len(mal_list) == 1
@pytest.mark.parametrize(
"bundle_data", [{
"type": "bundle",
"id": "bundle--00000000-0000-4000-8000-000000000007",
"spec_version": "2.0",
"objects": [
{
"type": "indicator",
"id": "indicator--00000000-0000-4000-8000-000000000001",
"created": "2017-01-01T12:34:56.000Z",
"modified": "2017-01-01T12:34:56.000Z",
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
"valid_from": "2017-01-01T12:34:56Z",
"labels": [
"malicious-activity",
],
},
{
"type": "malware",
"id": "malware--00000000-0000-4000-8000-000000000003",
"created": "2017-01-01T12:34:56.000Z",
"modified": "2017-01-01T12:34:56.000Z",
"name": "Cryptolocker1",
"labels": [
"ransomware",
],
},
{
"type": "malware",
"id": "malware--00000000-0000-4000-8000-000000000003",
"created": "2017-01-01T12:34:56.000Z",
"modified": "2017-12-21T12:34:56.000Z",
"name": "CryptolockerOne",
"labels": [
"ransomware",
],
},
{
"type": "relationship",
"id": "relationship--00000000-0000-4000-8000-000000000005",
"created": "2017-01-01T12:34:56.000Z",
"modified": "2017-01-01T12:34:56.000Z",
"relationship_type": "indicates",
"source_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"target_ref": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
},
],
}],
)
def test_bundle_objs_ids_found(bundle_data):
bundle = stix2.parse(bundle_data)
mal_list = bundle.get_obj("malware--00000000-0000-4000-8000-000000000003")
assert bundle.objects[1] == mal_list[0]
assert bundle.objects[2] == mal_list[1]
assert len(mal_list) == 2
def test_bundle_getitem_overload_property_found():
bundle = stix2.parse(EXPECTED_BUNDLE)
assert bundle.type == "bundle"
assert bundle['type'] == "bundle"
def test_bundle_getitem_overload_obj_id_found():
bundle = stix2.parse(EXPECTED_BUNDLE)
mal_list = bundle["malware--00000000-0000-4000-8000-000000000003"]
assert bundle.objects[1] == mal_list[0]
assert len(mal_list) == 1
def test_bundle_obj_id_not_found():
bundle = stix2.parse(EXPECTED_BUNDLE)
with pytest.raises(KeyError) as excinfo:
bundle.get_obj('non existent')
assert "does not match the id property of any of the bundle" in str(excinfo.value)
def test_bundle_getitem_overload_obj_id_not_found():
bundle = stix2.parse(EXPECTED_BUNDLE)
with pytest.raises(KeyError) as excinfo:
bundle['non existent']
assert "neither a property on the bundle nor does it match the id property" in str(excinfo.value)

19
stix2/test/v20/test_campaign.py
View File

@ -5,12 +5,12 @@ import pytz
import stix2
from .constants import CAMPAIGN_ID
from .constants import CAMPAIGN_ID, CAMPAIGN_MORE_KWARGS, IDENTITY_ID
EXPECTED = """{
"type": "campaign",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"name": "Green Group Attacks Against Finance",
@ -19,14 +19,7 @@ EXPECTED = """{
def test_campaign_example():
campaign = stix2.v20.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
name="Green Group Attacks Against Finance",
description="Campaign by Green Group against a series of targets in the financial services sector.",
)
campaign = stix2.v20.Campaign(**CAMPAIGN_MORE_KWARGS)
assert str(campaign) == EXPECTED
@ -36,10 +29,10 @@ def test_campaign_example():
EXPECTED,
{
"type": "campaign",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"id": CAMPAIGN_ID,
"created": "2016-04-06T20:03:00Z",
"modified": "2016-04-06T20:03:00Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "Campaign by Green Group against a series of targets in the financial services sector.",
"name": "Green Group Attacks Against Finance",
},
@ -52,7 +45,7 @@ def test_parse_campaign(data):
assert cmpn.id == CAMPAIGN_ID
assert cmpn.created == dt.datetime(2016, 4, 6, 20, 3, 0, tzinfo=pytz.utc)
assert cmpn.modified == dt.datetime(2016, 4, 6, 20, 3, 0, tzinfo=pytz.utc)
assert cmpn.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert cmpn.created_by_ref == IDENTITY_ID
assert cmpn.description == "Campaign by Green Group against a series of targets in the financial services sector."
assert cmpn.name == "Green Group Attacks Against Finance"

6
stix2/test/v20/test_core.py
View File

@ -3,6 +3,8 @@ import pytest
import stix2
from stix2 import core, exceptions
from .constants import IDENTITY_ID
BUNDLE = {
"type": "bundle",
"spec_version": "2.0",
@ -96,7 +98,7 @@ def test_register_marking_with_no_version():
def test_register_observable_with_version():
observed_data = stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -134,7 +136,7 @@ def test_register_observable_with_version():
def test_register_observable_extension_with_version():
observed_data = stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",

14
stix2/test/v20/test_course_of_action.py
View File

@ -5,12 +5,12 @@ import pytz
import stix2
from .constants import COURSE_OF_ACTION_ID
from .constants import COURSE_OF_ACTION_ID, IDENTITY_ID
EXPECTED = """{
"type": "course-of-action",
"id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter",
@ -20,8 +20,8 @@ EXPECTED = """{
def test_course_of_action_example():
coa = stix2.v20.CourseOfAction(
id="course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=COURSE_OF_ACTION_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter",
@ -36,9 +36,9 @@ def test_course_of_action_example():
EXPECTED,
{
"created": "2016-04-06T20:03:48.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "This is how to add a filter rule to block inbound access to TCP port 80 to the existing UDP 1434 filter ...",
"id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"id": COURSE_OF_ACTION_ID,
"modified": "2016-04-06T20:03:48.000Z",
"name": "Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter",
"type": "course-of-action",
@ -52,7 +52,7 @@ def test_parse_course_of_action(data):
assert coa.id == COURSE_OF_ACTION_ID
assert coa.created == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert coa.modified == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert coa.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert coa.created_by_ref == IDENTITY_ID
assert coa.description == "This is how to add a filter rule to block inbound access to TCP port 80 to the existing UDP 1434 filter ..."
assert coa.name == "Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter"

16
stix2/test/v20/test_custom.py
View File

@ -2,7 +2,7 @@ import pytest
import stix2
from .constants import FAKE_TIME, MARKING_DEFINITION_ID
from .constants import FAKE_TIME, IDENTITY_ID, MARKING_DEFINITION_ID
IDENTITY_CUSTOM_PROP = stix2.v20.Identity(
name="John Smith",
@ -15,7 +15,7 @@ IDENTITY_CUSTOM_PROP = stix2.v20.Identity(
def test_identity_custom_property():
with pytest.raises(ValueError) as excinfo:
stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -26,7 +26,7 @@ def test_identity_custom_property():
with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -39,7 +39,7 @@ def test_identity_custom_property():
assert "Unexpected properties for Identity" in str(excinfo.value)
identity = stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -54,7 +54,7 @@ def test_identity_custom_property():
def test_identity_custom_property_invalid():
with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -68,7 +68,7 @@ def test_identity_custom_property_invalid():
def test_identity_custom_property_allowed():
identity = stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -127,7 +127,7 @@ def test_custom_properties_object_in_bundled_object():
def test_custom_property_dict_in_bundled_object():
custom_identity = {
'type': 'identity',
'id': 'identity--311b2d2d-f010-4473-83ec-1edf84858f4c',
'id': IDENTITY_ID,
'created': '2015-12-21T19:59:11Z',
'name': 'John Smith',
'identity_class': 'individual',
@ -144,7 +144,7 @@ def test_custom_property_dict_in_bundled_object():
def test_custom_properties_dict_in_bundled_object():
custom_identity = {
'type': 'identity',
'id': 'identity--311b2d2d-f010-4473-83ec-1edf84858f4c',
'id': IDENTITY_ID,
'created': '2015-12-21T19:59:11Z',
'name': 'John Smith',
'identity_class': 'individual',

32
stix2/test/v20/test_datastore_filesystem.py
View File

@ -9,6 +9,7 @@ import pytest
import pytz
import stix2
from stix2.datastore import DataSourceError
from stix2.datastore.filesystem import (
AuthSet, _find_search_optimizations, _get_matching_dir_entries,
_timestamp2filename,
@ -420,8 +421,37 @@ def test_filesystem_sink_add_objects_list(fs_sink, fs_source):
os.remove(camp7filepath)
def test_filesystem_attempt_stix_file_overwrite(fs_store):
# add python stix object
camp8 = stix2.v20.Campaign(
name="George Washington",
objective="Create an awesome country",
aliases=["Georgey"],
)
fs_store.add(camp8)
camp8_r = fs_store.get(camp8.id)
assert camp8_r.id == camp8_r.id
assert camp8_r.name == camp8.name
filepath = os.path.join(
FS_PATH, "campaign", camp8_r.id,
_timestamp2filename(camp8_r.modified) + ".json",
)
# Now attempt to overwrite the existing file
with pytest.raises(DataSourceError) as excinfo:
fs_store.add(camp8)
assert "Attempted to overwrite file" in str(excinfo)
os.remove(filepath)
def test_filesystem_sink_marking(fs_sink):
marking = stix2.v20.MarkingDefinition(
id="marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
created="2017-01-20T00:00:00.000Z",
definition_type="tlp",
definition=stix2.v20.TLPMarking(tlp="green"),
)
@ -555,6 +585,8 @@ def test_filesystem_store_add_invalid_object(fs_store):
def test_filesystem_store_add_marking(fs_store):
marking = stix2.v20.MarkingDefinition(
id="marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
created="2017-01-20T00:00:00.000Z",
definition_type="tlp",
definition=stix2.v20.TLPMarking(tlp="green"),
)

4
stix2/test/v20/test_datastore_memory.py
View File

@ -275,13 +275,13 @@ def test_memory_store_object_creator_of_present(mem_store):
camp = Campaign(
name="Scipio Africanus",
objective="Defeat the Carthaginians",
created_by_ref="identity--e4196283-7420-4277-a7a3-d57f61ef1389",
created_by_ref=IDENTITY_ID,
x_empire="Roman",
allow_custom=True,
)
iden = Identity(
id="identity--e4196283-7420-4277-a7a3-d57f61ef1389",
id=IDENTITY_ID,
name="Foo Corp.",
identity_class="corporation",
)

4
stix2/test/v20/test_identity.py
View File

@ -19,7 +19,7 @@ EXPECTED = """{
def test_identity_example():
identity = stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="John Smith",
@ -34,7 +34,7 @@ def test_identity_example():
EXPECTED,
{
"created": "2015-12-21T19:59:11.000Z",
"id": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"id": IDENTITY_ID,
"identity_class": "individual",
"modified": "2015-12-21T19:59:11.000Z",
"name": "John Smith",

2
stix2/test/v20/test_indicator.py
View File

@ -151,7 +151,7 @@ def test_created_modified_time_are_identical_by_default():
EXPECTED_INDICATOR,
{
"type": "indicator",
"id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"id": INDICATOR_ID,
"created": "2017-01-01T00:00:01Z",
"modified": "2017-01-01T00:00:01Z",
"labels": [

12
stix2/test/v20/test_intrusion_set.py
View File

@ -5,12 +5,12 @@ import pytz
import stix2
from .constants import INTRUSION_SET_ID
from .constants import IDENTITY_ID, INTRUSION_SET_ID
EXPECTED = """{
"type": "intrusion-set",
"id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "Bobcat Breakin",
@ -28,8 +28,8 @@ EXPECTED = """{
def test_intrusion_set_example():
intrusion_set = stix2.v20.IntrusionSet(
id="intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=INTRUSION_SET_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="Bobcat Breakin",
@ -49,14 +49,14 @@ def test_intrusion_set_example():
"Zookeeper",
],
"created": "2016-04-06T20:03:48.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "Incidents usually feature a shared TTP of a bobcat being released...",
"goals": [
"acquisition-theft",
"harassment",
"damage",
],
"id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
"id": INTRUSION_SET_ID,
"modified": "2016-04-06T20:03:48.000Z",
"name": "Bobcat Breakin",
"type": "intrusion-set",

18
stix2/test/v20/test_malware.py
View File

@ -35,6 +35,22 @@ def test_malware_with_all_required_properties():
assert str(mal) == EXPECTED_MALWARE
def test_malware_with_empty_optional_field():
now = dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
mal = stix2.v20.Malware(
type="malware",
id=MALWARE_ID,
created=now,
modified=now,
labels=["ransomware"],
name="Cryptolocker",
external_references=[],
)
assert str(mal) == EXPECTED_MALWARE
def test_malware_autogenerated_properties(malware):
assert malware.type == 'malware'
assert malware.id == 'malware--00000000-0000-4000-8000-000000000001'
@ -108,7 +124,7 @@ def test_invalid_kwarg_to_malware():
EXPECTED_MALWARE,
{
"type": "malware",
"id": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
"id": MALWARE_ID,
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"labels": ["ransomware"],

133
stix2/test/v20/test_marking_definition.py Normal file
View File

@ -0,0 +1,133 @@
import pytest
from stix2 import exceptions
from stix2.v20 import (
TLP_AMBER, TLP_GREEN, TLP_RED, TLP_WHITE, MarkingDefinition, TLPMarking,
)
def test_bad_id_marking_tlp_white():
with pytest.raises(exceptions.TLPMarkingDefinitionError):
MarkingDefinition(
id='marking-definition--4c9faac1-3558-43d2-919e-95c88d3bc332',
definition_type='tlp',
definition=TLPMarking(tlp='white'),
)
def test_bad_id_marking_tlp_green():
with pytest.raises(exceptions.TLPMarkingDefinitionError):
MarkingDefinition(
id='marking-definition--93023361-d3cf-4666-bca2-8c017948dc3d',
definition_type='tlp',
definition=TLPMarking(tlp='green'),
)
def test_bad_id_marking_tlp_amber():
with pytest.raises(exceptions.TLPMarkingDefinitionError):
MarkingDefinition(
id='marking-definition--05e32101-a940-42ba-8fe9-39283b999ce4',
definition_type='tlp',
definition=TLPMarking(tlp='amber'),
)
def test_bad_id_marking_tlp_red():
with pytest.raises(exceptions.TLPMarkingDefinitionError):
MarkingDefinition(
id='marking-definition--9eceb00c-c158-43f4-87f8-1e3648de17e2',
definition_type='tlp',
definition=TLPMarking(tlp='red'),
)
def test_bad_created_marking_tlp_white():
with pytest.raises(exceptions.TLPMarkingDefinitionError):
MarkingDefinition(
id='marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9',
definition_type='tlp',
definition=TLPMarking(tlp='white'),
)
def test_bad_created_marking_tlp_green():
with pytest.raises(exceptions.TLPMarkingDefinitionError):
MarkingDefinition(
id='marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da',
definition_type='tlp',
definition=TLPMarking(tlp='green'),
)
def test_bad_created_marking_tlp_amber():
with pytest.raises(exceptions.TLPMarkingDefinitionError):
MarkingDefinition(
id='marking-definition--f88d31f6-486f-44da-b317-01333bde0b82',
definition_type='tlp',
definition=TLPMarking(tlp='amber'),
)
def test_bad_created_marking_tlp_red():
with pytest.raises(exceptions.TLPMarkingDefinitionError) as excinfo:
MarkingDefinition(
id='marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed',
definition_type='tlp',
definition=TLPMarking(tlp='red'),
)
assert "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed" in str(excinfo.value)
def test_successful_tlp_white():
white = MarkingDefinition(
id='marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9',
created='2017-01-20T00:00:00.000Z',
definition_type='tlp',
definition=TLPMarking(tlp='white'),
)
assert white.serialize(sort_keys=True) == TLP_WHITE.serialize(sort_keys=True)
def test_successful_tlp_green():
green = MarkingDefinition(
id='marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da',
created='2017-01-20T00:00:00.000Z',
definition_type='tlp',
definition=TLPMarking(tlp='green'),
)
assert green.serialize(sort_keys=True) == TLP_GREEN.serialize(sort_keys=True)
def test_successful_tlp_amber():
amber = MarkingDefinition(
id='marking-definition--f88d31f6-486f-44da-b317-01333bde0b82',
created='2017-01-20T00:00:00.000Z',
definition_type='tlp',
definition=TLPMarking(tlp='amber'),
)
assert amber.serialize(sort_keys=True) == TLP_AMBER.serialize(sort_keys=True)
def test_successful_tlp_red():
red = MarkingDefinition(
id='marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed',
created='2017-01-20T00:00:00.000Z',
definition_type='tlp',
definition=TLPMarking(tlp='red'),
)
assert red.serialize(sort_keys=True) == TLP_RED.serialize(sort_keys=True)
def test_unknown_tlp_marking():
with pytest.raises(exceptions.TLPMarkingDefinitionError):
MarkingDefinition(
definition_type='tlp',
definition=TLPMarking(tlp='gray'),
)

42
stix2/test/v20/test_markings.py
View File

@ -6,7 +6,7 @@ import pytz
import stix2
from stix2.v20 import TLP_WHITE
from .constants import MARKING_DEFINITION_ID
from .constants import CAMPAIGN_ID, IDENTITY_ID, MARKING_DEFINITION_ID
EXPECTED_TLP_MARKING_DEFINITION = """{
"type": "marking-definition",
@ -31,7 +31,7 @@ EXPECTED_STATEMENT_MARKING_DEFINITION = """{
EXPECTED_CAMPAIGN_WITH_OBJECT_MARKING = """{
"type": "campaign",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"name": "Green Group Attacks Against Finance",
@ -54,7 +54,7 @@ EXPECTED_GRANULAR_MARKING = """{
EXPECTED_CAMPAIGN_WITH_GRANULAR_MARKINGS = """{
"type": "campaign",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"name": "Green Group Attacks Against Finance",
@ -76,7 +76,7 @@ def test_marking_def_example_with_tlp():
def test_marking_def_example_with_statement_positional_argument():
marking_definition = stix2.v20.MarkingDefinition(
id="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
id=MARKING_DEFINITION_ID,
created="2017-01-20T00:00:00.000Z",
definition_type="statement",
definition=stix2.v20.StatementMarking(statement="Copyright 2016, Example Corp"),
@ -88,7 +88,7 @@ def test_marking_def_example_with_statement_positional_argument():
def test_marking_def_example_with_kwargs_statement():
kwargs = dict(statement="Copyright 2016, Example Corp")
marking_definition = stix2.v20.MarkingDefinition(
id="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
id=MARKING_DEFINITION_ID,
created="2017-01-20T00:00:00.000Z",
definition_type="statement",
definition=stix2.v20.StatementMarking(**kwargs),
@ -100,7 +100,7 @@ def test_marking_def_example_with_kwargs_statement():
def test_marking_def_invalid_type():
with pytest.raises(ValueError):
stix2.v20.MarkingDefinition(
id="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
id=MARKING_DEFINITION_ID,
created="2017-01-20T00:00:00.000Z",
definition_type="my-definition-type",
definition=stix2.v20.StatementMarking("Copyright 2016, Example Corp"),
@ -109,10 +109,11 @@ def test_marking_def_invalid_type():
def test_campaign_with_markings_example():
campaign = stix2.v20.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
type='campaign',
id=CAMPAIGN_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00.000Z",
modified="2016-04-06T20:03:00.000Z",
name="Green Group Attacks Against Finance",
description="Campaign by Green Group against a series of targets in the financial services sector.",
object_marking_refs=TLP_WHITE,
@ -122,7 +123,7 @@ def test_campaign_with_markings_example():
def test_granular_example():
granular_marking = stix2.v20.GranularMarking(
marking_ref="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
marking_ref=MARKING_DEFINITION_ID,
selectors=["abc", "abc.[23]", "abc.def", "abc.[2].efg"],
)
@ -132,7 +133,7 @@ def test_granular_example():
def test_granular_example_with_bad_selector():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v20.GranularMarking(
marking_ref="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
marking_ref=MARKING_DEFINITION_ID,
selectors=["abc[0]"], # missing "."
)
@ -144,15 +145,16 @@ def test_granular_example_with_bad_selector():
def test_campaign_with_granular_markings_example():
campaign = stix2.v20.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
type='campaign',
id=CAMPAIGN_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00.000Z",
modified="2016-04-06T20:03:00.000Z",
name="Green Group Attacks Against Finance",
description="Campaign by Green Group against a series of targets in the financial services sector.",
granular_markings=[
stix2.v20.GranularMarking(
marking_ref="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
marking_ref=MARKING_DEFINITION_ID,
selectors=["description"],
),
],
@ -164,7 +166,7 @@ def test_campaign_with_granular_markings_example():
"data", [
EXPECTED_TLP_MARKING_DEFINITION,
{
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"id": MARKING_DEFINITION_ID,
"type": "marking-definition",
"created": "2017-01-20T00:00:00Z",
"definition": {
@ -258,8 +260,8 @@ def test_marking_wrong_type_construction():
def test_campaign_add_markings():
campaign = stix2.v20.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=CAMPAIGN_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
name="Green Group Attacks Against Finance",

2
stix2/test/v20/test_object_markings.py
View File

@ -107,7 +107,6 @@ def test_add_markings_combination():
"data", [
([""]),
(""),
([]),
([MARKING_IDS[0], 456]),
],
)
@ -576,7 +575,6 @@ def test_set_marking():
@pytest.mark.parametrize(
"data", [
([]),
([""]),
(""),
([MARKING_IDS[4], 687]),

69
stix2/test/v20/test_observed_data.py
View File

@ -6,7 +6,7 @@ import pytz
import stix2
from .constants import OBSERVED_DATA_ID
from .constants import IDENTITY_ID, OBSERVED_DATA_ID
OBJECTS_REGEX = re.compile('\"objects\": {(?:.*?)(?:(?:[^{]*?)|(?:{[^{]*?}))*}', re.DOTALL)
@ -14,7 +14,7 @@ OBJECTS_REGEX = re.compile('\"objects\": {(?:.*?)(?:(?:[^{]*?)|(?:{[^{]*?}))*}',
EXPECTED = """{
"type": "observed-data",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T19:58:16.000Z",
"modified": "2016-04-06T19:58:16.000Z",
"first_observed": "2015-12-21T19:00:00Z",
@ -31,8 +31,8 @@ EXPECTED = """{
def test_observed_data_example():
observed_data = stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -52,7 +52,7 @@ def test_observed_data_example():
EXPECTED_WITH_REF = """{
"type": "observed-data",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T19:58:16.000Z",
"modified": "2016-04-06T19:58:16.000Z",
"first_observed": "2015-12-21T19:00:00Z",
@ -76,8 +76,8 @@ EXPECTED_WITH_REF = """{
def test_observed_data_example_with_refs():
observed_data = stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -102,8 +102,8 @@ def test_observed_data_example_with_refs():
def test_observed_data_example_with_bad_refs():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -130,8 +130,8 @@ def test_observed_data_example_with_bad_refs():
def test_observed_data_example_with_non_dictionary():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -148,8 +148,8 @@ def test_observed_data_example_with_non_dictionary():
def test_observed_data_example_with_empty_dictionary():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -168,9 +168,9 @@ def test_observed_data_example_with_empty_dictionary():
EXPECTED,
{
"type": "observed-data",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"id": OBSERVED_DATA_ID,
"created": "2016-04-06T19:58:16.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"first_observed": "2015-12-21T19:00:00Z",
"last_observed": "2015-12-21T19:00:00Z",
"modified": "2016-04-06T19:58:16.000Z",
@ -193,7 +193,7 @@ def test_parse_observed_data(data):
assert odata.modified == dt.datetime(2016, 4, 6, 19, 58, 16, tzinfo=pytz.utc)
assert odata.first_observed == dt.datetime(2015, 12, 21, 19, 0, 0, tzinfo=pytz.utc)
assert odata.last_observed == dt.datetime(2015, 12, 21, 19, 0, 0, tzinfo=pytz.utc)
assert odata.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert odata.created_by_ref == IDENTITY_ID
assert odata.objects["0"].type == "file"
@ -533,7 +533,7 @@ def test_parse_basic_tcp_traffic_with_error(data):
EXPECTED_PROCESS_OD = """{
"created": "2016-04-06T19:58:16.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"first_observed": "2015-12-21T19:00:00Z",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"last_observed": "2015-12-21T19:00:00Z",
@ -563,8 +563,8 @@ EXPECTED_PROCESS_OD = """{
def test_observed_data_with_process_example():
observed_data = stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -960,6 +960,24 @@ def test_ip4_address_example():
assert ip4.resolves_to_refs == ["4", "5"]
def test_ip4_address_valid_refs():
mac1 = stix2.v20.MACAddress(
value="a1:b2:c3:d4:e5:f6",
)
mac2 = stix2.v20.MACAddress(
value="a7:b8:c9:d0:e1:f2",
)
ip4 = stix2.v20.IPv4Address(
_valid_refs={"1": mac1, "2": mac2},
value="177.60.40.7",
resolves_to_refs=["1", "2"],
)
assert ip4.value == "177.60.40.7"
assert ip4.resolves_to_refs == ["1", "2"]
def test_ip4_address_example_cidr():
ip4 = stix2.v20.IPv4Address(value="198.51.100.0/24")
@ -1141,12 +1159,13 @@ def test_process_example_windows_process_ext_empty():
def test_process_example_extensions_empty():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v20.Process(extensions={})
proc = stix2.v20.Process(
pid=314,
name="foobar.exe",
extensions={},
)
assert excinfo.value.cls == stix2.v20.Process
assert excinfo.value.prop_name == 'extensions'
assert 'non-empty dictionary' in excinfo.value.reason
assert '{}' in str(proc)
def test_process_example_with_WindowsProcessExt_Object():
@ -1290,6 +1309,8 @@ def test_windows_registry_key_example():
assert w.values[0].name == "Foo"
assert w.values[0].data == "qwerty"
assert w.values[0].data_type == "REG_SZ"
# ensure no errors in serialization because of 'values'
assert "Foo" in str(w)
def test_x509_certificate_example():

4
stix2/test/v20/test_pickle.py
View File

@ -2,13 +2,15 @@ import pickle
import stix2
from .constants import IDENTITY_ID
def test_pickling():
"""
Ensure a pickle/unpickle cycle works okay.
"""
identity = stix2.v20.Identity(
id="identity--d66cb89d-5228-4983-958c-fa84ef75c88c",
id=IDENTITY_ID,
name="alice",
description="this is a pickle test",
identity_class="some_class",

1
stix2/test/v20/test_properties.py
View File

@ -369,7 +369,6 @@ def test_dictionary_property_invalid_key(d):
@pytest.mark.parametrize(
"d", [
({}, "The dictionary property must contain a non-empty dictionary"),
# TODO: This error message could be made more helpful. The error is caused
# because `json.loads()` doesn't like the *single* quotes around the key
# name, even though they are valid in a Python dictionary. While technically

12
stix2/test/v20/test_relationship.py
View File

@ -142,12 +142,12 @@ def test_create_relationship_with_positional_args(indicator, malware):
EXPECTED_RELATIONSHIP,
{
"created": "2016-04-06T20:06:37Z",
"id": "relationship--df7c87eb-75d2-4948-af81-9d49d246f301",
"id": RELATIONSHIP_ID,
"modified": "2016-04-06T20:06:37Z",
"relationship_type": "indicates",
"source_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"target_ref": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
"type": "relationship",
"relationship_type": "indicates",
"source_ref": INDICATOR_ID,
"target_ref": MALWARE_ID,
},
],
)
@ -159,5 +159,5 @@ def test_parse_relationship(data):
assert rel.created == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert rel.modified == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert rel.relationship_type == "indicates"
assert rel.source_ref == "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7"
assert rel.target_ref == "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e"
assert rel.source_ref == INDICATOR_ID
assert rel.target_ref == MALWARE_ID

59
stix2/test/v20/test_report.py
View File

@ -5,21 +5,24 @@ import pytz
import stix2
from .constants import INDICATOR_KWARGS, REPORT_ID
from .constants import (
CAMPAIGN_ID, IDENTITY_ID, INDICATOR_ID, INDICATOR_KWARGS, RELATIONSHIP_ID,
REPORT_ID,
)
EXPECTED = """{
"type": "report",
"id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
"created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2015-12-21T19:59:11.000Z",
"modified": "2015-12-21T19:59:11.000Z",
"name": "The Black Vine Cyberespionage Group",
"description": "A simple report with an indicator and campaign",
"published": "2016-01-20T17:00:00Z",
"object_refs": [
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
"indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"relationship--df7c87eb-75d2-4948-af81-9d49d246f301"
],
"labels": [
"campaign"
@ -29,8 +32,8 @@ EXPECTED = """{
def test_report_example():
report = stix2.v20.Report(
id="report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
created_by_ref="identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
id=REPORT_ID,
created_by_ref=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="The Black Vine Cyberespionage Group",
@ -38,9 +41,9 @@ def test_report_example():
published="2016-01-20T17:00:00Z",
labels=["campaign"],
object_refs=[
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
INDICATOR_ID,
CAMPAIGN_ID,
RELATIONSHIP_ID,
],
)
@ -49,8 +52,8 @@ def test_report_example():
def test_report_example_objects_in_object_refs():
report = stix2.v20.Report(
id="report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
created_by_ref="identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
id=REPORT_ID,
created_by_ref=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="The Black Vine Cyberespionage Group",
@ -58,9 +61,9 @@ def test_report_example_objects_in_object_refs():
published="2016-01-20T17:00:00Z",
labels=["campaign"],
object_refs=[
stix2.v20.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
stix2.v20.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS),
CAMPAIGN_ID,
RELATIONSHIP_ID,
],
)
@ -70,8 +73,8 @@ def test_report_example_objects_in_object_refs():
def test_report_example_objects_in_object_refs_with_bad_id():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v20.Report(
id="report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
created_by_ref="identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
id=REPORT_ID,
created_by_ref=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="The Black Vine Cyberespionage Group",
@ -79,9 +82,9 @@ def test_report_example_objects_in_object_refs_with_bad_id():
published="2016-01-20T17:00:00Z",
labels=["campaign"],
object_refs=[
stix2.v20.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
stix2.v20.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS),
"campaign-83422c77-904c-4dc1-aff5-5c38f3a2c55c", # the "bad" id, missing a "-"
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
RELATIONSHIP_ID,
],
)
@ -94,18 +97,18 @@ def test_report_example_objects_in_object_refs_with_bad_id():
EXPECTED,
{
"created": "2015-12-21T19:59:11.000Z",
"created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
"created_by_ref": IDENTITY_ID,
"description": "A simple report with an indicator and campaign",
"id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
"id": REPORT_ID,
"labels": [
"campaign",
],
"modified": "2015-12-21T19:59:11.000Z",
"name": "The Black Vine Cyberespionage Group",
"object_refs": [
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
INDICATOR_ID,
CAMPAIGN_ID,
RELATIONSHIP_ID,
],
"published": "2016-01-20T17:00:00Z",
"type": "report",
@ -119,11 +122,11 @@ def test_parse_report(data):
assert rept.id == REPORT_ID
assert rept.created == dt.datetime(2015, 12, 21, 19, 59, 11, tzinfo=pytz.utc)
assert rept.modified == dt.datetime(2015, 12, 21, 19, 59, 11, tzinfo=pytz.utc)
assert rept.created_by_ref == "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
assert rept.created_by_ref == IDENTITY_ID
assert rept.object_refs == [
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
INDICATOR_ID,
CAMPAIGN_ID,
RELATIONSHIP_ID,
]
assert rept.description == "A simple report with an indicator and campaign"
assert rept.labels == ["campaign"]

14
stix2/test/v20/test_sighting.py
View File

@ -5,7 +5,7 @@ import pytz
import stix2
from .constants import INDICATOR_ID, SIGHTING_ID, SIGHTING_KWARGS
from .constants import IDENTITY_ID, INDICATOR_ID, SIGHTING_ID, SIGHTING_KWARGS
EXPECTED_SIGHTING = """{
"type": "sighting",
@ -14,7 +14,7 @@ EXPECTED_SIGHTING = """{
"modified": "2016-04-06T20:06:37.000Z",
"sighting_of_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"where_sighted_refs": [
"identity--8cc7afd6-5455-4d2b-a736-e614ee631d99"
"identity--311b2d2d-f010-4473-83ec-1edf84858f4c"
]
}"""
@ -39,7 +39,7 @@ def test_sighting_all_required_properties():
created=now,
modified=now,
sighting_of_ref=INDICATOR_ID,
where_sighted_refs=["identity--8cc7afd6-5455-4d2b-a736-e614ee631d99"],
where_sighted_refs=[IDENTITY_ID],
)
assert str(s) == EXPECTED_SIGHTING
@ -90,12 +90,12 @@ def test_create_sighting_from_objects_rather_than_ids(malware): # noqa: F811
EXPECTED_SIGHTING,
{
"created": "2016-04-06T20:06:37Z",
"id": "sighting--bfbc19db-ec35-4e45-beed-f8bde2a772fb",
"id": SIGHTING_ID,
"modified": "2016-04-06T20:06:37Z",
"sighting_of_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"type": "sighting",
"where_sighted_refs": [
"identity--8cc7afd6-5455-4d2b-a736-e614ee631d99",
IDENTITY_ID,
],
},
],
@ -107,5 +107,5 @@ def test_parse_sighting(data):
assert sighting.id == SIGHTING_ID
assert sighting.created == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert sighting.modified == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert sighting.sighting_of_ref == "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7"
assert sighting.where_sighted_refs == ["identity--8cc7afd6-5455-4d2b-a736-e614ee631d99"]
assert sighting.sighting_of_ref == INDICATOR_ID
assert sighting.where_sighted_refs == [IDENTITY_ID]

20
stix2/test/v20/test_threat_actor.py
View File

@ -5,12 +5,12 @@ import pytz
import stix2
from .constants import THREAT_ACTOR_ID
from .constants import IDENTITY_ID, THREAT_ACTOR_ID
EXPECTED = """{
"type": "threat-actor",
"id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "Evil Org",
@ -23,13 +23,13 @@ EXPECTED = """{
def test_threat_actor_example():
threat_actor = stix2.v20.ThreatActor(
id="threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=THREAT_ACTOR_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="Evil Org",
description="The Evil Org threat actor group",
labels=["crime-syndicate"],
name="Evil Org",
)
assert str(threat_actor) == EXPECTED
@ -40,13 +40,11 @@ def test_threat_actor_example():
EXPECTED,
{
"created": "2016-04-06T20:03:48.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "The Evil Org threat actor group",
"id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"labels": [
"crime-syndicate",
],
"id": THREAT_ACTOR_ID,
"modified": "2016-04-06T20:03:48.000Z",
"labels": ["crime-syndicate"],
"name": "Evil Org",
"type": "threat-actor",
},
@ -59,7 +57,7 @@ def test_parse_threat_actor(data):
assert actor.id == THREAT_ACTOR_ID
assert actor.created == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert actor.modified == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert actor.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert actor.created_by_ref == IDENTITY_ID
assert actor.description == "The Evil Org threat actor group"
assert actor.name == "Evil Org"
assert actor.labels == ["crime-syndicate"]

28
stix2/test/v20/test_tool.py
View File

@ -5,12 +5,12 @@ import pytz
import stix2
from .constants import TOOL_ID
from .constants import IDENTITY_ID, TOOL_ID
EXPECTED = """{
"type": "tool",
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "VNC",
@ -22,7 +22,7 @@ EXPECTED = """{
EXPECTED_WITH_REVOKED = """{
"type": "tool",
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "VNC",
@ -35,12 +35,12 @@ EXPECTED_WITH_REVOKED = """{
def test_tool_example():
tool = stix2.v20.Tool(
id="tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=TOOL_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="VNC",
labels=["remote-access"],
name="VNC",
)
assert str(tool) == EXPECTED
@ -51,12 +51,10 @@ def test_tool_example():
EXPECTED,
{
"created": "2016-04-06T20:03:48Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"labels": [
"remote-access",
],
"created_by_ref": IDENTITY_ID,
"id": TOOL_ID,
"modified": "2016-04-06T20:03:48Z",
"labels": ["remote-access"],
"name": "VNC",
"type": "tool",
},
@ -69,7 +67,7 @@ def test_parse_tool(data):
assert tool.id == TOOL_ID
assert tool.created == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert tool.modified == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert tool.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert tool.created_by_ref == IDENTITY_ID
assert tool.labels == ["remote-access"]
assert tool.name == "VNC"
@ -82,12 +80,12 @@ def test_tool_no_workbench_wrappers():
def test_tool_serialize_with_defaults():
tool = stix2.v20.Tool(
id="tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=TOOL_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="VNC",
labels=["remote-access"],
name="VNC",
)
assert tool.serialize(pretty=True, include_optional_defaults=True) == EXPECTED_WITH_REVOKED

4
stix2/test/v20/test_utils.py
View File

@ -8,6 +8,8 @@ import pytz
import stix2.utils
from .constants import IDENTITY_ID
amsterdam = pytz.timezone('Europe/Amsterdam')
eastern = pytz.timezone('US/Eastern')
@ -123,7 +125,7 @@ def test_deduplicate(stix_objs1):
(
stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",

4
stix2/test/v20/test_vulnerability.py
View File

@ -24,7 +24,7 @@ EXPECTED = """{
def test_vulnerability_example():
vulnerability = stix2.v20.Vulnerability(
id="vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
id=VULNERABILITY_ID,
created="2016-05-12T08:17:27.000Z",
modified="2016-05-12T08:17:27.000Z",
name="CVE-2016-1234",
@ -50,7 +50,7 @@ def test_vulnerability_example():
"source_name": "cve",
},
],
"id": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"id": VULNERABILITY_ID,
"modified": "2016-05-12T08:17:27Z",
"name": "CVE-2016-1234",
"type": "vulnerability",

8
stix2/test/v21/constants.py
View File

@ -31,6 +31,12 @@ MARKING_IDS = [
"marking-definition--68520ae2-fefe-43a9-84ee-2c2a934d2c7d",
"marking-definition--2802dfb1-1019-40a8-8848-68d0ec0e417f",
]
MARKING_LANGS = [
"en",
"es",
"de",
"ja",
]
RELATIONSHIP_IDS = [
'relationship--06520621-5352-4e6a-b976-e8fa3d437ffd',
'relationship--181c9c09-43e6-45dd-9374-3bec192f05ef',
@ -53,7 +59,7 @@ CAMPAIGN_MORE_KWARGS = dict(
type='campaign',
spec_version='2.1',
id=CAMPAIGN_ID,
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00.000Z",
modified="2016-04-06T20:03:00.000Z",
name="Green Group Attacks Against Finance",

4
stix2/test/v21/stix2_data/attack-pattern/attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22/20170531213019735010.json
View File

@ -2,7 +2,7 @@
"id": "bundle--f68640b4-0cdc-42ae-b176-def1754a1ea0",
"objects": [
{
"created": "2017-05-31T21:30:19.73501Z",
"created": "2017-05-31T21:30:19.735Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries.\n\nPlaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective DLL Injection to reduce potential indicators of malicious activity.\n\nNTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Legitimate Credentials in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[[Citation: Powersploit]] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs",
"external_references": [
@ -29,7 +29,7 @@
"phase_name": "credential-access"
}
],
"modified": "2017-05-31T21:30:19.73501Z",
"modified": "2017-05-31T21:30:19.735Z",
"name": "Credential Dumping",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/attack-pattern/attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b/20170531213026496201.json
View File

@ -2,7 +2,7 @@
"id": "bundle--b07d6fd6-7cc5-492d-a1eb-9ba956b329d5",
"objects": [
{
"created": "2017-05-31T21:30:26.496201Z",
"created": "2017-05-31T21:30:26.496Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the Basic Input/Output System.[[Citation: Wikipedia Rootkit]]\n\nAdversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.\n\nDetection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR.[[Citation: Wikipedia Rootkit]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: BIOS, MBR, System calls",
"external_references": [
@ -24,7 +24,7 @@
"phase_name": "defense-evasion"
}
],
"modified": "2017-05-31T21:30:26.496201Z",
"modified": "2017-05-31T21:30:26.496Z",
"name": "Rootkit",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/attack-pattern/attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9/20170531213029458940.json
View File

@ -2,7 +2,7 @@
"id": "bundle--1a854c96-639e-4771-befb-e7b960a65974",
"objects": [
{
"created": "2017-05-31T21:30:29.45894Z",
"created": "2017-05-31T21:30:29.458Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Data, such as sensitive documents, may be exfiltrated through the use of automated processing or Scripting after being gathered during Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.\n\nDetection: Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process use of network",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "exfiltration"
}
],
"modified": "2017-05-31T21:30:29.45894Z",
"modified": "2017-05-31T21:30:29.458Z",
"name": "Automated Exfiltration",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/attack-pattern/attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475/20170531213045139269.json
View File

@ -2,7 +2,7 @@
"id": "bundle--33e3e33a-38b8-4a37-9455-5b8c82d3b10a",
"objects": [
{
"created": "2017-05-31T21:30:45.139269Z",
"created": "2017-05-31T21:30:45.139Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Adversaries may attempt to get a listing of network connections to or from the compromised system.\nUtilities and commands that acquire this information include netstat, \"net use,\" and \"net session\" with Net.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Process command-line parameters, Process monitoring",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "discovery"
}
],
"modified": "2017-05-31T21:30:45.139269Z",
"modified": "2017-05-31T21:30:45.139Z",
"name": "Local Network Connections Discovery",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/attack-pattern/attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c/20170531213041022897.json
View File

@ -2,7 +2,7 @@
"id": "bundle--a87938c5-cc1e-4e06-a8a3-b10243ae397d",
"objects": [
{
"created": "2017-05-31T21:30:41.022897Z",
"created": "2017-05-31T21:30:41.022Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to cmd may be used to gather information.\n\nDetection: Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "collection"
}
],
"modified": "2017-05-31T21:30:41.022897Z",
"modified": "2017-05-31T21:30:41.022Z",
"name": "Data from Network Shared Drive",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/attack-pattern/attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a/20170531213032662702.json
View File

@ -2,7 +2,7 @@
"id": "bundle--5ddaeff9-eca7-4094-9e65-4f53da21a444",
"objects": [
{
"created": "2017-05-31T21:30:32.662702Z",
"created": "2017-05-31T21:30:32.662Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system.\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "defense-evasion"
}
],
"modified": "2017-05-31T21:30:32.662702Z",
"modified": "2017-05-31T21:30:32.662Z",
"name": "Obfuscated Files or Information",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/course-of-action/course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f/20170531213026495974.json
View File

@ -2,11 +2,11 @@
"id": "bundle--a42d26fe-c938-4074-a1b3-50d852e6f0bd",
"objects": [
{
"created": "2017-05-31T21:30:26.495974Z",
"created": "2017-05-31T21:30:26.495Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"id": "course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f",
"modified": "2017-05-31T21:30:26.495974Z",
"modified": "2017-05-31T21:30:26.495Z",
"name": "Rootkit Mitigation",
"spec_version": "2.1",
"type": "course-of-action"

4
stix2/test/v21/stix2_data/course-of-action/course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd/20170531213041022744.json
View File

@ -1,9 +1,9 @@
{
"created": "2017-05-31T21:30:41.022744Z",
"created": "2017-05-31T21:30:41.022Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"id": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd",
"modified": "2017-05-31T21:30:41.022744Z",
"modified": "2017-05-31T21:30:41.022Z",
"name": "Data from Network Shared Drive Mitigation",
"spec_version": "2.1",
"type": "course-of-action"

4
stix2/test/v21/stix2_data/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5/20170601000000000000.json
View File

@ -2,10 +2,10 @@
"id": "bundle--81884287-2548-47fc-a997-39489ddd5462",
"objects": [
{
"created": "2017-06-01T00:00:00Z",
"created": "2017-06-01T00:00:00.000Z",
"id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"identity_class": "organization",
"modified": "2017-06-01T00:00:00Z",
"modified": "2017-06-01T00:00:00.000Z",
"name": "The MITRE Corporation",
"spec_version": "2.1",
"type": "identity"

4
stix2/test/v21/stix2_data/intrusion-set/intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064/20170531213149412497.json
View File

@ -10,7 +10,7 @@
"PinkPanther",
"Black Vine"
],
"created": "2017-05-31T21:31:49.412497Z",
"created": "2017-05-31T21:31:49.412Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.Deep Panda.Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[[Citation: Symantec Black Vine]]",
"external_references": [
@ -41,7 +41,7 @@
}
],
"id": "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064",
"modified": "2017-05-31T21:31:49.412497Z",
"modified": "2017-05-31T21:31:49.412Z",
"name": "Deep Panda",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/intrusion-set/intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a/20170531213153197755.json
View File

@ -5,7 +5,7 @@
"aliases": [
"DragonOK"
],
"created": "2017-05-31T21:31:53.197755Z",
"created": "2017-05-31T21:31:53.197Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [[Citation: Operation Quantum Entanglement]][[Citation: Symbiotic APT Groups]] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [[Citation: New DragonOK]]",
"external_references": [
@ -31,7 +31,7 @@
}
],
"id": "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"modified": "2017-05-31T21:31:53.197755Z",
"modified": "2017-05-31T21:31:53.197Z",
"name": "DragonOK",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20170531213258226477.json
View File

@ -2,7 +2,7 @@
"id": "bundle--f64de948-7067-4534-8018-85f03d470625",
"objects": [
{
"created": "2017-05-31T21:32:58.226477Z",
"created": "2017-05-31T21:32:58.226Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.[[Citation: Palo Alto Rover]]",
"external_references": [
@ -21,7 +21,7 @@
"malware_types": [
"malware"
],
"modified": "2017-05-31T21:32:58.226477Z",
"modified": "2017-05-31T21:32:58.226Z",
"name": "Rover",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/malware/malware--92ec0cbd-2c30-44a2-b270-73f4ec949841/20170531213326565056.json
View File

@ -2,7 +2,7 @@
"id": "bundle--c633942b-545c-4c87-91b7-9fe5740365e0",
"objects": [
{
"created": "2017-05-31T21:33:26.565056Z",
"created": "2017-05-31T21:33:26.565Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).[[Citation: ESET RTM Feb 2017]]",
"external_references": [
@ -21,7 +21,7 @@
"malware_types": [
"malware"
],
"modified": "2017-05-31T21:33:26.565056Z",
"modified": "2017-05-31T21:33:26.565Z",
"name": "RTM",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/malware/malware--96b08451-b27a-4ff6-893f-790e26393a8e/20170531213248482655.json
View File

@ -2,7 +2,7 @@
"id": "bundle--09ce4338-8741-4fcf-9738-d216c8e40974",
"objects": [
{
"created": "2017-05-31T21:32:48.482655Z",
"created": "2017-05-31T21:32:48.482Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.[[Citation: Dell Sakula]]\n\nAliases: Sakula, Sakurel, VIPER",
"external_references": [
@ -21,7 +21,7 @@
"malware_types": [
"malware"
],
"modified": "2017-05-31T21:32:48.482655Z",
"modified": "2017-05-31T21:32:48.482Z",
"name": "Sakula",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/malware/malware--b42378e0-f147-496f-992a-26a49705395b/20170531213215263882.json
View File

@ -2,7 +2,7 @@
"id": "bundle--611947ce-ae3b-4fdb-b297-aed8eab22e4f",
"objects": [
{
"created": "2017-05-31T21:32:15.263882Z",
"created": "2017-05-31T21:32:15.263Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.[[Citation: FireEye Poison Ivy]]\n\nAliases: PoisonIvy, Poison Ivy",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"malware"
],
"modified": "2017-05-31T21:32:15.263882Z",
"modified": "2017-05-31T21:32:15.263Z",
"name": "PoisonIvy",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"

4
stix2/test/v21/stix2_data/relationship/relationship--0d4a7788-7f3b-4df8-a498-31a38003c883/20170531213327182784.json
View File

@ -2,10 +2,10 @@
"id": "bundle--7e715462-dd9d-40b9-968a-10ef0ecf126d",
"objects": [
{
"created": "2017-05-31T21:33:27.182784Z",
"created": "2017-05-31T21:33:27.182Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--0d4a7788-7f3b-4df8-a498-31a38003c883",
"modified": "2017-05-31T21:33:27.182784Z",
"modified": "2017-05-31T21:33:27.182Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v21/stix2_data/relationship/relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227/20170531213327082801.json
View File

@ -2,10 +2,10 @@
"id": "bundle--a53eef35-abfc-4bcd-b84e-a048f7b4a9bf",
"objects": [
{
"created": "2017-05-31T21:33:27.082801Z",
"created": "2017-05-31T21:33:27.082Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227",
"modified": "2017-05-31T21:33:27.082801Z",
"modified": "2017-05-31T21:33:27.082Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v21/stix2_data/relationship/relationship--1e91cd45-a725-4965-abe3-700694374432/20170531213327018782.json
View File

@ -2,10 +2,10 @@
"id": "bundle--0b9f6412-314f-44e3-8779-9738c9578ef5",
"objects": [
{
"created": "2017-05-31T21:33:27.018782Z",
"created": "2017-05-31T21:33:27.018Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--1e91cd45-a725-4965-abe3-700694374432",
"modified": "2017-05-31T21:33:27.018782Z",
"modified": "2017-05-31T21:33:27.018Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v21/stix2_data/relationship/relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e/20170531213327100701.json
View File

@ -2,10 +2,10 @@
"id": "bundle--6d5b04a8-efb2-4179-990e-74f1dcc76e0c",
"objects": [
{
"created": "2017-05-31T21:33:27.100701Z",
"created": "2017-05-31T21:33:27.100Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e",
"modified": "2017-05-31T21:33:27.100701Z",
"modified": "2017-05-31T21:33:27.100Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v21/stix2_data/relationship/relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1/20170531213327143973.json
View File

@ -2,10 +2,10 @@
"id": "bundle--a7efc025-040d-49c7-bf97-e5a1120ecacc",
"objects": [
{
"created": "2017-05-31T21:33:27.143973Z",
"created": "2017-05-31T21:33:27.143Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1",
"modified": "2017-05-31T21:33:27.143973Z",
"modified": "2017-05-31T21:33:27.143Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v21/stix2_data/relationship/relationship--592d0c31-e61f-495e-a60e-70d7be59a719/20170531213327021562.json
View File

@ -2,10 +2,10 @@
"id": "bundle--9f013d47-7704-41c2-9749-23d0d94af94d",
"objects": [
{
"created": "2017-05-31T21:33:27.021562Z",
"created": "2017-05-31T21:33:27.021Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--592d0c31-e61f-495e-a60e-70d7be59a719",
"modified": "2017-05-31T21:33:27.021562Z",
"modified": "2017-05-31T21:33:27.021Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v21/stix2_data/relationship/relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1/20170531213327044387.json
View File

@ -2,10 +2,10 @@
"id": "bundle--15167b24-4cee-4c96-a140-32a6c37df4b4",
"objects": [
{
"created": "2017-05-31T21:33:27.044387Z",
"created": "2017-05-31T21:33:27.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1",
"modified": "2017-05-31T21:33:27.044387Z",
"modified": "2017-05-31T21:33:27.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

4
stix2/test/v21/stix2_data/relationship/relationship--8797579b-e3be-4209-a71b-255a4d08243d/20170531213327051532.json
View File

@ -2,10 +2,10 @@
"id": "bundle--ff845dca-7036-416f-aae0-95030994c49f",
"objects": [
{
"created": "2017-05-31T21:33:27.051532Z",
"created": "2017-05-31T21:33:27.051Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--8797579b-e3be-4209-a71b-255a4d08243d",
"modified": "2017-05-31T21:33:27.051532Z",
"modified": "2017-05-31T21:33:27.051Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],

Some files were not shown because too many files have changed in this diff Show More