MISP
/
cti-python-stix2
mirror of https://github.com/MISP/cti-python-stix2
2
0
Fork 0
Code Issues Releases Wiki Activity

Format objects in observed_data

stix2.1
Emmanuelle Vargas-Gonzalez 2018-07-03 10:32:04 -04:00
parent 04680d8a3d
commit bfa86bf87e
1 changed files with 295 additions and 265 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
stix2/test/v21/test_observed_data.py
View File

@ -580,7 +580,8 @@ def test_observed_data_with_process_example():
# creating cyber observables directly # creating cyber observables directly
def test_artifact_example(): def test_artifact_example():
art = stix2.v21.Artifact(mime_type="image/jpeg", art = stix2.v21.Artifact(
mime_type="image/jpeg",
url="https://upload.wikimedia.org/wikipedia/commons/b/b4/JPEG_example_JPG_RIP_100.jpg", url="https://upload.wikimedia.org/wikipedia/commons/b/b4/JPEG_example_JPG_RIP_100.jpg",
hashes={ hashes={
"MD5": "6826f9a05da08134006557758bb3afbb" "MD5": "6826f9a05da08134006557758bb3afbb"
@ -592,7 +593,8 @@ def test_artifact_example():
def test_artifact_mutual_exclusion_error(): def test_artifact_mutual_exclusion_error():
with pytest.raises(stix2.exceptions.MutuallyExclusivePropertiesError) as excinfo: with pytest.raises(stix2.exceptions.MutuallyExclusivePropertiesError) as excinfo:
stix2.v21.Artifact(mime_type="image/jpeg", stix2.v21.Artifact(
mime_type="image/jpeg",
url="https://upload.wikimedia.org/wikipedia/commons/b/b4/JPEG_example_JPG_RIP_100.jpg", url="https://upload.wikimedia.org/wikipedia/commons/b/b4/JPEG_example_JPG_RIP_100.jpg",
hashes={ hashes={
"MD5": "6826f9a05da08134006557758bb3afbb" "MD5": "6826f9a05da08134006557758bb3afbb"
@ -605,7 +607,8 @@ def test_artifact_mutual_exclusion_error():
def test_directory_example(): def test_directory_example():
dir = stix2.v21.Directory(_valid_refs={"1": "file"}, dir = stix2.v21.Directory(
_valid_refs={"1": "file"},
path='/usr/lib', path='/usr/lib',
created="2015-12-21T19:00:00Z", created="2015-12-21T19:00:00Z",
modified="2015-12-24T19:00:00Z", modified="2015-12-24T19:00:00Z",
@ -621,7 +624,8 @@ def test_directory_example():
def test_directory_example_ref_error(): def test_directory_example_ref_error():
with pytest.raises(stix2.exceptions.InvalidObjRefError) as excinfo: with pytest.raises(stix2.exceptions.InvalidObjRefError) as excinfo:
stix2.v21.Directory(_valid_refs=[], stix2.v21.Directory(
_valid_refs=[],
path='/usr/lib', path='/usr/lib',
created="2015-12-21T19:00:00Z", created="2015-12-21T19:00:00Z",
modified="2015-12-24T19:00:00Z", modified="2015-12-24T19:00:00Z",
@ -633,7 +637,8 @@ def test_directory_example_ref_error():
def test_domain_name_example(): def test_domain_name_example():
dn = stix2.v21.DomainName(_valid_refs={"1": 'domain-name'}, dn = stix2.v21.DomainName(
_valid_refs={"1": 'domain-name'},
value="example.com", value="example.com",
resolves_to_refs=["1"]) resolves_to_refs=["1"])
@ -643,7 +648,8 @@ def test_domain_name_example():
def test_domain_name_example_invalid_ref_type(): def test_domain_name_example_invalid_ref_type():
with pytest.raises(stix2.exceptions.InvalidObjRefError) as excinfo: with pytest.raises(stix2.exceptions.InvalidObjRefError) as excinfo:
stix2.v21.DomainName(_valid_refs={"1": "file"}, stix2.v21.DomainName(
_valid_refs={"1": "file"},
value="example.com", value="example.com",
resolves_to_refs=["1"]) resolves_to_refs=["1"])
@ -652,7 +658,8 @@ def test_domain_name_example_invalid_ref_type():
def test_file_example(): def test_file_example():
f = stix2.v21.File(name="qwerty.dll", f = stix2.v21.File(
name="qwerty.dll",
hashes={ hashes={
"SHA-256": "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a"}, "SHA-256": "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a"},
size=100, size=100,
@ -663,8 +670,7 @@ def test_file_example():
accessed="2016-12-21T20:00:00Z", accessed="2016-12-21T20:00:00Z",
is_encrypted=True, is_encrypted=True,
encryption_algorithm="AES128-CBC", encryption_algorithm="AES128-CBC",
decryption_key="fred" decryption_key="fred")
)
assert f.name == "qwerty.dll" assert f.name == "qwerty.dll"
assert f.size == 100 assert f.size == 100
@ -680,7 +686,8 @@ def test_file_example():
def test_file_example_with_NTFSExt(): def test_file_example_with_NTFSExt():
f = stix2.v21.File(name="abc.txt", f = stix2.v21.File(
name="abc.txt",
extensions={ extensions={
"ntfs-ext": { "ntfs-ext": {
"alternate_data_streams": [ "alternate_data_streams": [
@ -698,10 +705,10 @@ def test_file_example_with_NTFSExt():
def test_file_example_with_empty_NTFSExt(): def test_file_example_with_empty_NTFSExt():
with pytest.raises(stix2.exceptions.AtLeastOnePropertyError) as excinfo: with pytest.raises(stix2.exceptions.AtLeastOnePropertyError) as excinfo:
stix2.v21.File(name="abc.txt", stix2.v21.File(
name="abc.txt",
extensions={ extensions={
"ntfs-ext": { "ntfs-ext": {}
}
}) })
assert excinfo.value.cls == stix2.NTFSExt assert excinfo.value.cls == stix2.NTFSExt
@ -709,7 +716,8 @@ def test_file_example_with_empty_NTFSExt():
def test_file_example_with_PDFExt(): def test_file_example_with_PDFExt():
f = stix2.v21.File(name="qwerty.dll", f = stix2.v21.File(
name="qwerty.dll",
extensions={ extensions={
"pdf-ext": { "pdf-ext": {
"version": "1.7", "version": "1.7",
@ -731,10 +739,11 @@ def test_file_example_with_PDFExt():
def test_file_example_with_PDFExt_Object(): def test_file_example_with_PDFExt_Object():
f = stix2.v21.File(name="qwerty.dll", f = stix2.v21.File(
name="qwerty.dll",
extensions={ extensions={
"pdf-ext": "pdf-ext": stix2.v21.PDFExt(
stix2.v21.PDFExt(version="1.7", version="1.7",
document_info_dict={ document_info_dict={
"Title": "Sample document", "Title": "Sample document",
"Author": "Adobe Systems Incorporated", "Author": "Adobe Systems Incorporated",
@ -752,7 +761,8 @@ def test_file_example_with_PDFExt_Object():
def test_file_example_with_RasterImageExt_Object(): def test_file_example_with_RasterImageExt_Object():
f = stix2.v21.File(name="qwerty.jpeg", f = stix2.v21.File(
name="qwerty.jpeg",
extensions={ extensions={
"raster-image-ext": { "raster-image-ext": {
"bits_per_pixel": 123, "bits_per_pixel": 123,
@ -816,7 +826,8 @@ def test_raster_images_ext_create():
def test_file_example_with_WindowsPEBinaryExt(): def test_file_example_with_WindowsPEBinaryExt():
f = stix2.v21.File(name="qwerty.dll", f = stix2.v21.File(
name="qwerty.dll",
extensions={ extensions={
"windows-pebinary-ext": { "windows-pebinary-ext": {
"pe_type": "exe", "pe_type": "exe",
@ -885,7 +896,8 @@ def test_file_example_with_WindowsPEBinaryExt():
def test_file_example_encryption_error(): def test_file_example_encryption_error():
with pytest.raises(stix2.exceptions.DependentPropertiesError) as excinfo: with pytest.raises(stix2.exceptions.DependentPropertiesError) as excinfo:
stix2.v21.File(name="qwerty.dll", stix2.v21.File(
name="qwerty.dll",
is_encrypted=False, is_encrypted=False,
encryption_algorithm="AES128-CBC") encryption_algorithm="AES128-CBC")
@ -899,7 +911,8 @@ def test_file_example_encryption_error():
def test_ip4_address_example(): def test_ip4_address_example():
ip4 = stix2.v21.IPv4Address(_valid_refs={"4": "mac-addr", "5": "mac-addr"}, ip4 = stix2.v21.IPv4Address(
_valid_refs={"4": "mac-addr", "5": "mac-addr"},
value="198.51.100.3", value="198.51.100.3",
resolves_to_refs=["4", "5"]) resolves_to_refs=["4", "5"])
@ -926,7 +939,8 @@ def test_mac_address_example():
def test_network_traffic_example(): def test_network_traffic_example():
nt = stix2.v21.NetworkTraffic(_valid_refs={"0": "ipv4-addr", "1": "ipv4-addr"}, nt = stix2.v21.NetworkTraffic(
_valid_refs={"0": "ipv4-addr", "1": "ipv4-addr"},
protocols="tcp", protocols="tcp",
src_ref="0", src_ref="0",
dst_ref="1") dst_ref="1")
@ -936,7 +950,8 @@ def test_network_traffic_example():
def test_network_traffic_http_request_example(): def test_network_traffic_http_request_example():
h = stix2.v21.HTTPRequestExt(request_method="get", h = stix2.v21.HTTPRequestExt(
request_method="get",
request_value="/download.html", request_value="/download.html",
request_version="http/1.1", request_version="http/1.1",
request_header={ request_header={
@ -944,7 +959,8 @@ def test_network_traffic_http_request_example():
"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113", "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113",
"Host": "www.example.com" "Host": "www.example.com"
}) })
nt = stix2.v21.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, nt = stix2.v21.NetworkTraffic(
_valid_refs={"0": "ipv4-addr"},
protocols="tcp", protocols="tcp",
src_ref="0", src_ref="0",
extensions={'http-request-ext': h}) extensions={'http-request-ext': h})
@ -957,9 +973,9 @@ def test_network_traffic_http_request_example():
def test_network_traffic_icmp_example(): def test_network_traffic_icmp_example():
h = stix2.v21.ICMPExt(icmp_type_hex="08", h = stix2.v21.ICMPExt(icmp_type_hex="08", icmp_code_hex="00")
icmp_code_hex="00") nt = stix2.v21.NetworkTraffic(
nt = stix2.v21.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, _valid_refs={"0": "ipv4-addr"},
protocols="tcp", protocols="tcp",
src_ref="0", src_ref="0",
extensions={'icmp-ext': h}) extensions={'icmp-ext': h})
@ -968,11 +984,13 @@ def test_network_traffic_icmp_example():
def test_network_traffic_socket_example(): def test_network_traffic_socket_example():
h = stix2.v21.SocketExt(is_listening=True, h = stix2.v21.SocketExt(
is_listening=True,
address_family="AF_INET", address_family="AF_INET",
protocol_family="PF_INET", protocol_family="PF_INET",
socket_type="SOCK_STREAM") socket_type="SOCK_STREAM")
nt = stix2.v21.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, nt = stix2.v21.NetworkTraffic(
_valid_refs={"0": "ipv4-addr"},
protocols="tcp", protocols="tcp",
src_ref="0", src_ref="0",
extensions={'socket-ext': h}) extensions={'socket-ext': h})
@ -984,7 +1002,8 @@ def test_network_traffic_socket_example():
def test_network_traffic_tcp_example(): def test_network_traffic_tcp_example():
h = stix2.v21.TCPExt(src_flags_hex="00000002") h = stix2.v21.TCPExt(src_flags_hex="00000002")
nt = stix2.v21.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, nt = stix2.v21.NetworkTraffic(
_valid_refs={"0": "ipv4-addr"},
protocols="tcp", protocols="tcp",
src_ref="0", src_ref="0",
extensions={'tcp-ext': h}) extensions={'tcp-ext': h})
@ -998,7 +1017,8 @@ def test_mutex_example():
def test_process_example(): def test_process_example():
p = stix2.v21.Process(_valid_refs={"0": "file"}, p = stix2.v21.Process(
_valid_refs={"0": "file"},
pid=1221, pid=1221,
name="gedit-bin", name="gedit-bin",
created="2016-01-20T14:11:25.55Z", created="2016-01-20T14:11:25.55Z",
@ -1035,7 +1055,8 @@ def test_process_example_empty_with_extensions():
def test_process_example_windows_process_ext(): def test_process_example_windows_process_ext():
proc = stix2.v21.Process(pid=314, proc = stix2.v21.Process(
pid=314,
name="foobar.exe", name="foobar.exe",
extensions={ extensions={
"windows-process-ext": { "windows-process-ext": {
@ -1053,7 +1074,8 @@ def test_process_example_windows_process_ext():
def test_process_example_windows_process_ext_empty(): def test_process_example_windows_process_ext_empty():
with pytest.raises(stix2.exceptions.AtLeastOnePropertyError) as excinfo: with pytest.raises(stix2.exceptions.AtLeastOnePropertyError) as excinfo:
stix2.v21.Process(pid=1221, stix2.v21.Process(
pid=1221,
name="gedit-bin", name="gedit-bin",
extensions={ extensions={
"windows-process-ext": {} "windows-process-ext": {}
@ -1075,7 +1097,8 @@ def test_process_example_extensions_empty():
def test_process_example_with_WindowsProcessExt_Object(): def test_process_example_with_WindowsProcessExt_Object():
p = stix2.v21.Process(extensions={ p = stix2.v21.Process(extensions={
"windows-process-ext": stix2.v21.WindowsProcessExt(aslr_enabled=True, "windows-process-ext": stix2.v21.WindowsProcessExt(
aslr_enabled=True,
dep_enabled=True, dep_enabled=True,
priority="HIGH_PRIORITY_CLASS", priority="HIGH_PRIORITY_CLASS",
owner_sid="S-1-5-21-186985262-1144665072-74031268-1309") # noqa owner_sid="S-1-5-21-186985262-1144665072-74031268-1309") # noqa
@ -1124,7 +1147,8 @@ def test_process_example_with_WindowsProcessServiceExt():
def test_software_example(): def test_software_example():
s = stix2.v21.Software(name="Word", s = stix2.v21.Software(
name="Word",
cpe="cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*", cpe="cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*",
version="2002", version="2002",
vendor="Microsoft") vendor="Microsoft")
@ -1143,7 +1167,8 @@ def test_url_example():
def test_user_account_example(): def test_user_account_example():
a = stix2.v21.UserAccount(user_id="1001", a = stix2.v21.UserAccount(
user_id="1001",
account_login="jdoe", account_login="jdoe",
account_type="unix", account_type="unix",
display_name="John Doe", display_name="John Doe",
@ -1169,11 +1194,13 @@ def test_user_account_example():
def test_user_account_unix_account_ext_example(): def test_user_account_unix_account_ext_example():
u = stix2.v21.UNIXAccountExt(gid=1001, u = stix2.v21.UNIXAccountExt(
gid=1001,
groups=["wheel"], groups=["wheel"],
home_dir="/home/jdoe", home_dir="/home/jdoe",
shell="/bin/bash") shell="/bin/bash")
a = stix2.v21.UserAccount(user_id="1001", a = stix2.v21.UserAccount(
user_id="1001",
account_login="jdoe", account_login="jdoe",
account_type="unix", account_type="unix",
extensions={'unix-account-ext': u}) extensions={'unix-account-ext': u})
@ -1185,14 +1212,17 @@ def test_user_account_unix_account_ext_example():
def test_windows_registry_key_example(): def test_windows_registry_key_example():
with pytest.raises(ValueError): with pytest.raises(ValueError):
stix2.v21.WindowsRegistryValueType(name="Foo", stix2.v21.WindowsRegistryValueType(
name="Foo",
data="qwerty", data="qwerty",
data_type="string") data_type="string")
v = stix2.v21.WindowsRegistryValueType(name="Foo", v = stix2.v21.WindowsRegistryValueType(
name="Foo",
data="qwerty", data="qwerty",
data_type="REG_SZ") data_type="REG_SZ")
w = stix2.v21.WindowsRegistryKey(key="hkey_local_machine\\system\\bar\\foo", w = stix2.v21.WindowsRegistryKey(
key="hkey_local_machine\\system\\bar\\foo",
values=[v]) values=[v])
assert w.key == "hkey_local_machine\\system\\bar\\foo" assert w.key == "hkey_local_machine\\system\\bar\\foo"
assert w.values[0].name == "Foo" assert w.values[0].name == "Foo"