Format objects in observed_data

stix2.1
Emmanuelle Vargas-Gonzalez 2018-07-03 10:32:04 -04:00
parent 04680d8a3d
commit bfa86bf87e
1 changed files with 295 additions and 265 deletions


@ -580,11 +580,12 @@ def test_observed_data_with_process_example():
# creating cyber observables directly # creating cyber observables directly
def test_artifact_example(): def test_artifact_example():
art = stix2.v21.Artifact(mime_type="image/jpeg", art = stix2.v21.Artifact(
url="https://upload.wikimedia.org/wikipedia/commons/b/b4/JPEG_example_JPG_RIP_100.jpg", mime_type="image/jpeg",
hashes={ url="https://upload.wikimedia.org/wikipedia/commons/b/b4/JPEG_example_JPG_RIP_100.jpg",
"MD5": "6826f9a05da08134006557758bb3afbb" hashes={
}) "MD5": "6826f9a05da08134006557758bb3afbb"
})
assert art.mime_type == "image/jpeg" assert art.mime_type == "image/jpeg"
assert art.url == "https://upload.wikimedia.org/wikipedia/commons/b/b4/JPEG_example_JPG_RIP_100.jpg" assert art.url == "https://upload.wikimedia.org/wikipedia/commons/b/b4/JPEG_example_JPG_RIP_100.jpg"
assert art.hashes["MD5"] == "6826f9a05da08134006557758bb3afbb" assert art.hashes["MD5"] == "6826f9a05da08134006557758bb3afbb"
@ -592,12 +593,13 @@ def test_artifact_example():
def test_artifact_mutual_exclusion_error(): def test_artifact_mutual_exclusion_error():
with pytest.raises(stix2.exceptions.MutuallyExclusivePropertiesError) as excinfo: with pytest.raises(stix2.exceptions.MutuallyExclusivePropertiesError) as excinfo:
stix2.v21.Artifact(mime_type="image/jpeg", stix2.v21.Artifact(
url="https://upload.wikimedia.org/wikipedia/commons/b/b4/JPEG_example_JPG_RIP_100.jpg", mime_type="image/jpeg",
hashes={ url="https://upload.wikimedia.org/wikipedia/commons/b/b4/JPEG_example_JPG_RIP_100.jpg",
"MD5": "6826f9a05da08134006557758bb3afbb" hashes={
}, "MD5": "6826f9a05da08134006557758bb3afbb"
payload_bin="VBORw0KGgoAAAANSUhEUgAAADI==") },
payload_bin="VBORw0KGgoAAAANSUhEUgAAADI==")
assert excinfo.value.cls == stix2.v21.Artifact assert excinfo.value.cls == stix2.v21.Artifact
assert excinfo.value.properties == ["payload_bin", "url"] assert excinfo.value.properties == ["payload_bin", "url"]
@ -605,12 +607,13 @@ def test_artifact_mutual_exclusion_error():
def test_directory_example(): def test_directory_example():
dir = stix2.v21.Directory(_valid_refs={"1": "file"}, dir = stix2.v21.Directory(
path='/usr/lib', _valid_refs={"1": "file"},
created="2015-12-21T19:00:00Z", path='/usr/lib',
modified="2015-12-24T19:00:00Z", created="2015-12-21T19:00:00Z",
accessed="2015-12-21T20:00:00Z", modified="2015-12-24T19:00:00Z",
contains_refs=["1"]) accessed="2015-12-21T20:00:00Z",
contains_refs=["1"])
assert dir.path == '/usr/lib' assert dir.path == '/usr/lib'
assert dir.created == dt.datetime(2015, 12, 21, 19, 0, 0, tzinfo=pytz.utc) assert dir.created == dt.datetime(2015, 12, 21, 19, 0, 0, tzinfo=pytz.utc)
@ -621,21 +624,23 @@ def test_directory_example():
def test_directory_example_ref_error(): def test_directory_example_ref_error():
with pytest.raises(stix2.exceptions.InvalidObjRefError) as excinfo: with pytest.raises(stix2.exceptions.InvalidObjRefError) as excinfo:
stix2.v21.Directory(_valid_refs=[], stix2.v21.Directory(
path='/usr/lib', _valid_refs=[],
created="2015-12-21T19:00:00Z", path='/usr/lib',
modified="2015-12-24T19:00:00Z", created="2015-12-21T19:00:00Z",
accessed="2015-12-21T20:00:00Z", modified="2015-12-24T19:00:00Z",
contains_refs=["1"]) accessed="2015-12-21T20:00:00Z",
contains_refs=["1"])
assert excinfo.value.cls == stix2.v21.Directory assert excinfo.value.cls == stix2.v21.Directory
assert excinfo.value.prop_name == "contains_refs" assert excinfo.value.prop_name == "contains_refs"
def test_domain_name_example(): def test_domain_name_example():
dn = stix2.v21.DomainName(_valid_refs={"1": 'domain-name'}, dn = stix2.v21.DomainName(
value="example.com", _valid_refs={"1": 'domain-name'},
resolves_to_refs=["1"]) value="example.com",
resolves_to_refs=["1"])
assert dn.value == "example.com" assert dn.value == "example.com"
assert dn.resolves_to_refs == ["1"] assert dn.resolves_to_refs == ["1"]
@ -643,28 +648,29 @@ def test_domain_name_example():
def test_domain_name_example_invalid_ref_type(): def test_domain_name_example_invalid_ref_type():
with pytest.raises(stix2.exceptions.InvalidObjRefError) as excinfo: with pytest.raises(stix2.exceptions.InvalidObjRefError) as excinfo:
stix2.v21.DomainName(_valid_refs={"1": "file"}, stix2.v21.DomainName(
value="example.com", _valid_refs={"1": "file"},
resolves_to_refs=["1"]) value="example.com",
resolves_to_refs=["1"])
assert excinfo.value.cls == stix2.v21.DomainName assert excinfo.value.cls == stix2.v21.DomainName
assert excinfo.value.prop_name == "resolves_to_refs" assert excinfo.value.prop_name == "resolves_to_refs"
def test_file_example(): def test_file_example():
f = stix2.v21.File(name="qwerty.dll", f = stix2.v21.File(
hashes={ name="qwerty.dll",
"SHA-256": "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a"}, hashes={
size=100, "SHA-256": "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a"},
magic_number_hex="1C", size=100,
mime_type="application/msword", magic_number_hex="1C",
created="2016-12-21T19:00:00Z", mime_type="application/msword",
modified="2016-12-24T19:00:00Z", created="2016-12-21T19:00:00Z",
accessed="2016-12-21T20:00:00Z", modified="2016-12-24T19:00:00Z",
is_encrypted=True, accessed="2016-12-21T20:00:00Z",
encryption_algorithm="AES128-CBC", is_encrypted=True,
decryption_key="fred" encryption_algorithm="AES128-CBC",
) decryption_key="fred")
assert f.name == "qwerty.dll" assert f.name == "qwerty.dll"
assert f.size == 100 assert f.size == 100
@ -680,17 +686,18 @@ def test_file_example():
def test_file_example_with_NTFSExt(): def test_file_example_with_NTFSExt():
f = stix2.v21.File(name="abc.txt", f = stix2.v21.File(
extensions={ name="abc.txt",
"ntfs-ext": { extensions={
"alternate_data_streams": [ "ntfs-ext": {
{ "alternate_data_streams": [
"name": "second.stream", {
"size": 25536 "name": "second.stream",
} "size": 25536
] }
} ]
}) }
})
assert f.name == "abc.txt" assert f.name == "abc.txt"
assert f.extensions["ntfs-ext"].alternate_data_streams[0].size == 25536 assert f.extensions["ntfs-ext"].alternate_data_streams[0].size == 25536
@ -698,32 +705,33 @@ def test_file_example_with_NTFSExt():
def test_file_example_with_empty_NTFSExt(): def test_file_example_with_empty_NTFSExt():
with pytest.raises(stix2.exceptions.AtLeastOnePropertyError) as excinfo: with pytest.raises(stix2.exceptions.AtLeastOnePropertyError) as excinfo:
stix2.v21.File(name="abc.txt", stix2.v21.File(
extensions={ name="abc.txt",
"ntfs-ext": { extensions={
} "ntfs-ext": {}
}) })
assert excinfo.value.cls == stix2.NTFSExt assert excinfo.value.cls == stix2.NTFSExt
assert excinfo.value.properties == sorted(list(stix2.NTFSExt._properties.keys())) assert excinfo.value.properties == sorted(list(stix2.NTFSExt._properties.keys()))
def test_file_example_with_PDFExt(): def test_file_example_with_PDFExt():
f = stix2.v21.File(name="qwerty.dll", f = stix2.v21.File(
extensions={ name="qwerty.dll",
"pdf-ext": { extensions={
"version": "1.7", "pdf-ext": {
"document_info_dict": { "version": "1.7",
"Title": "Sample document", "document_info_dict": {
"Author": "Adobe Systems Incorporated", "Title": "Sample document",
"Creator": "Adobe FrameMaker 5.5.3 for Power Macintosh", "Author": "Adobe Systems Incorporated",
"Producer": "Acrobat Distiller 3.01 for Power Macintosh", "Creator": "Adobe FrameMaker 5.5.3 for Power Macintosh",
"CreationDate": "20070412090123-02" "Producer": "Acrobat Distiller 3.01 for Power Macintosh",
}, "CreationDate": "20070412090123-02"
"pdfid0": "DFCE52BD827ECF765649852119D", },
"pdfid1": "57A1E0F9ED2AE523E313C" "pdfid0": "DFCE52BD827ECF765649852119D",
} "pdfid1": "57A1E0F9ED2AE523E313C"
}) }
})
assert f.name == "qwerty.dll" assert f.name == "qwerty.dll"
assert f.extensions["pdf-ext"].version == "1.7" assert f.extensions["pdf-ext"].version == "1.7"
@ -731,20 +739,21 @@ def test_file_example_with_PDFExt():
def test_file_example_with_PDFExt_Object(): def test_file_example_with_PDFExt_Object():
f = stix2.v21.File(name="qwerty.dll", f = stix2.v21.File(
extensions={ name="qwerty.dll",
"pdf-ext": extensions={
stix2.v21.PDFExt(version="1.7", "pdf-ext": stix2.v21.PDFExt(
document_info_dict={ version="1.7",
"Title": "Sample document", document_info_dict={
"Author": "Adobe Systems Incorporated", "Title": "Sample document",
"Creator": "Adobe FrameMaker 5.5.3 for Power Macintosh", "Author": "Adobe Systems Incorporated",
"Producer": "Acrobat Distiller 3.01 for Power Macintosh", "Creator": "Adobe FrameMaker 5.5.3 for Power Macintosh",
"CreationDate": "20070412090123-02" "Producer": "Acrobat Distiller 3.01 for Power Macintosh",
}, "CreationDate": "20070412090123-02"
pdfid0="DFCE52BD827ECF765649852119D", },
pdfid1="57A1E0F9ED2AE523E313C") pdfid0="DFCE52BD827ECF765649852119D",
}) pdfid1="57A1E0F9ED2AE523E313C")
})
assert f.name == "qwerty.dll" assert f.name == "qwerty.dll"
assert f.extensions["pdf-ext"].version == "1.7" assert f.extensions["pdf-ext"].version == "1.7"
@ -752,18 +761,19 @@ def test_file_example_with_PDFExt_Object():
def test_file_example_with_RasterImageExt_Object(): def test_file_example_with_RasterImageExt_Object():
f = stix2.v21.File(name="qwerty.jpeg", f = stix2.v21.File(
extensions={ name="qwerty.jpeg",
"raster-image-ext": { extensions={
"bits_per_pixel": 123, "raster-image-ext": {
"exif_tags": { "bits_per_pixel": 123,
"Make": "Nikon", "exif_tags": {
"Model": "D7000", "Make": "Nikon",
"XResolution": 4928, "Model": "D7000",
"YResolution": 3264 "XResolution": 4928,
} "YResolution": 3264
} }
}) }
})
assert f.name == "qwerty.jpeg" assert f.name == "qwerty.jpeg"
assert f.extensions["raster-image-ext"].bits_per_pixel == 123 assert f.extensions["raster-image-ext"].bits_per_pixel == 123
assert f.extensions["raster-image-ext"].exif_tags["XResolution"] == 4928 assert f.extensions["raster-image-ext"].exif_tags["XResolution"] == 4928
@ -816,78 +826,80 @@ def test_raster_images_ext_create():
def test_file_example_with_WindowsPEBinaryExt(): def test_file_example_with_WindowsPEBinaryExt():
f = stix2.v21.File(name="qwerty.dll", f = stix2.v21.File(
extensions={ name="qwerty.dll",
"windows-pebinary-ext": { extensions={
"pe_type": "exe", "windows-pebinary-ext": {
"machine_hex": "014c", "pe_type": "exe",
"number_of_sections": 4, "machine_hex": "014c",
"time_date_stamp": "2016-01-22T12:31:12Z", "number_of_sections": 4,
"pointer_to_symbol_table_hex": "74726144", "time_date_stamp": "2016-01-22T12:31:12Z",
"number_of_symbols": 4542568, "pointer_to_symbol_table_hex": "74726144",
"size_of_optional_header": 224, "number_of_symbols": 4542568,
"characteristics_hex": "818f", "size_of_optional_header": 224,
"optional_header": { "characteristics_hex": "818f",
"magic_hex": "010b", "optional_header": {
"major_linker_version": 2, "magic_hex": "010b",
"minor_linker_version": 25, "major_linker_version": 2,
"size_of_code": 512, "minor_linker_version": 25,
"size_of_initialized_data": 283648, "size_of_code": 512,
"size_of_uninitialized_data": 0, "size_of_initialized_data": 283648,
"address_of_entry_point": 4096, "size_of_uninitialized_data": 0,
"base_of_code": 4096, "address_of_entry_point": 4096,
"base_of_data": 8192, "base_of_code": 4096,
"image_base": 14548992, "base_of_data": 8192,
"section_alignment": 4096, "image_base": 14548992,
"file_alignment": 4096, "section_alignment": 4096,
"major_os_version": 1, "file_alignment": 4096,
"minor_os_version": 0, "major_os_version": 1,
"major_image_version": 0, "minor_os_version": 0,
"minor_image_version": 0, "major_image_version": 0,
"major_subsystem_version": 4, "minor_image_version": 0,
"minor_subsystem_version": 0, "major_subsystem_version": 4,
"win32_version_value_hex": "00", "minor_subsystem_version": 0,
"size_of_image": 299008, "win32_version_value_hex": "00",
"size_of_headers": 4096, "size_of_image": 299008,
"checksum_hex": "00", "size_of_headers": 4096,
"subsystem_hex": "03", "checksum_hex": "00",
"dll_characteristics_hex": "00", "subsystem_hex": "03",
"size_of_stack_reserve": 100000, "dll_characteristics_hex": "00",
"size_of_stack_commit": 8192, "size_of_stack_reserve": 100000,
"size_of_heap_reserve": 100000, "size_of_stack_commit": 8192,
"size_of_heap_commit": 4096, "size_of_heap_reserve": 100000,
"loader_flags_hex": "abdbffde", "size_of_heap_commit": 4096,
"number_of_rva_and_sizes": 3758087646 "loader_flags_hex": "abdbffde",
}, "number_of_rva_and_sizes": 3758087646
"sections": [ },
{ "sections": [
"name": "CODE", {
"entropy": 0.061089 "name": "CODE",
}, "entropy": 0.061089
{ },
"name": "DATA", {
"entropy": 7.980693 "name": "DATA",
}, "entropy": 7.980693
{ },
"name": "NicolasB", {
"entropy": 0.607433 "name": "NicolasB",
}, "entropy": 0.607433
{ },
"name": ".idata", {
"entropy": 0.607433 "name": ".idata",
} "entropy": 0.607433
] }
} ]
}) }
})
assert f.name == "qwerty.dll" assert f.name == "qwerty.dll"
assert f.extensions["windows-pebinary-ext"].sections[2].entropy == 0.607433 assert f.extensions["windows-pebinary-ext"].sections[2].entropy == 0.607433
def test_file_example_encryption_error(): def test_file_example_encryption_error():
with pytest.raises(stix2.exceptions.DependentPropertiesError) as excinfo: with pytest.raises(stix2.exceptions.DependentPropertiesError) as excinfo:
stix2.v21.File(name="qwerty.dll", stix2.v21.File(
is_encrypted=False, name="qwerty.dll",
encryption_algorithm="AES128-CBC") is_encrypted=False,
encryption_algorithm="AES128-CBC")
assert excinfo.value.cls == stix2.v21.File assert excinfo.value.cls == stix2.v21.File
assert excinfo.value.dependencies == [("is_encrypted", "encryption_algorithm")] assert excinfo.value.dependencies == [("is_encrypted", "encryption_algorithm")]
@ -899,9 +911,10 @@ def test_file_example_encryption_error():
def test_ip4_address_example(): def test_ip4_address_example():
ip4 = stix2.v21.IPv4Address(_valid_refs={"4": "mac-addr", "5": "mac-addr"}, ip4 = stix2.v21.IPv4Address(
value="198.51.100.3", _valid_refs={"4": "mac-addr", "5": "mac-addr"},
resolves_to_refs=["4", "5"]) value="198.51.100.3",
resolves_to_refs=["4", "5"])
assert ip4.value == "198.51.100.3" assert ip4.value == "198.51.100.3"
assert ip4.resolves_to_refs == ["4", "5"] assert ip4.resolves_to_refs == ["4", "5"]
@ -926,28 +939,31 @@ def test_mac_address_example():
def test_network_traffic_example(): def test_network_traffic_example():
nt = stix2.v21.NetworkTraffic(_valid_refs={"0": "ipv4-addr", "1": "ipv4-addr"}, nt = stix2.v21.NetworkTraffic(
protocols="tcp", _valid_refs={"0": "ipv4-addr", "1": "ipv4-addr"},
src_ref="0", protocols="tcp",
dst_ref="1") src_ref="0",
dst_ref="1")
assert nt.protocols == ["tcp"] assert nt.protocols == ["tcp"]
assert nt.src_ref == "0" assert nt.src_ref == "0"
assert nt.dst_ref == "1" assert nt.dst_ref == "1"
def test_network_traffic_http_request_example(): def test_network_traffic_http_request_example():
h = stix2.v21.HTTPRequestExt(request_method="get", h = stix2.v21.HTTPRequestExt(
request_value="/download.html", request_method="get",
request_version="http/1.1", request_value="/download.html",
request_header={ request_version="http/1.1",
"Accept-Encoding": "gzip,deflate", request_header={
"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113", "Accept-Encoding": "gzip,deflate",
"Host": "www.example.com" "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113",
}) "Host": "www.example.com"
nt = stix2.v21.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, })
protocols="tcp", nt = stix2.v21.NetworkTraffic(
src_ref="0", _valid_refs={"0": "ipv4-addr"},
extensions={'http-request-ext': h}) protocols="tcp",
src_ref="0",
extensions={'http-request-ext': h})
assert nt.extensions['http-request-ext'].request_method == "get" assert nt.extensions['http-request-ext'].request_method == "get"
assert nt.extensions['http-request-ext'].request_value == "/download.html" assert nt.extensions['http-request-ext'].request_value == "/download.html"
assert nt.extensions['http-request-ext'].request_version == "http/1.1" assert nt.extensions['http-request-ext'].request_version == "http/1.1"
@ -957,25 +973,27 @@ def test_network_traffic_http_request_example():
def test_network_traffic_icmp_example(): def test_network_traffic_icmp_example():
h = stix2.v21.ICMPExt(icmp_type_hex="08", h = stix2.v21.ICMPExt(icmp_type_hex="08", icmp_code_hex="00")
icmp_code_hex="00") nt = stix2.v21.NetworkTraffic(
nt = stix2.v21.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, _valid_refs={"0": "ipv4-addr"},
protocols="tcp", protocols="tcp",
src_ref="0", src_ref="0",
extensions={'icmp-ext': h}) extensions={'icmp-ext': h})
assert nt.extensions['icmp-ext'].icmp_type_hex == "08" assert nt.extensions['icmp-ext'].icmp_type_hex == "08"
assert nt.extensions['icmp-ext'].icmp_code_hex == "00" assert nt.extensions['icmp-ext'].icmp_code_hex == "00"
def test_network_traffic_socket_example(): def test_network_traffic_socket_example():
h = stix2.v21.SocketExt(is_listening=True, h = stix2.v21.SocketExt(
address_family="AF_INET", is_listening=True,
protocol_family="PF_INET", address_family="AF_INET",
socket_type="SOCK_STREAM") protocol_family="PF_INET",
nt = stix2.v21.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, socket_type="SOCK_STREAM")
protocols="tcp", nt = stix2.v21.NetworkTraffic(
src_ref="0", _valid_refs={"0": "ipv4-addr"},
extensions={'socket-ext': h}) protocols="tcp",
src_ref="0",
extensions={'socket-ext': h})
assert nt.extensions['socket-ext'].is_listening assert nt.extensions['socket-ext'].is_listening
assert nt.extensions['socket-ext'].address_family == "AF_INET" assert nt.extensions['socket-ext'].address_family == "AF_INET"
assert nt.extensions['socket-ext'].protocol_family == "PF_INET" assert nt.extensions['socket-ext'].protocol_family == "PF_INET"
@ -984,10 +1002,11 @@ def test_network_traffic_socket_example():
def test_network_traffic_tcp_example(): def test_network_traffic_tcp_example():
h = stix2.v21.TCPExt(src_flags_hex="00000002") h = stix2.v21.TCPExt(src_flags_hex="00000002")
nt = stix2.v21.NetworkTraffic(_valid_refs={"0": "ipv4-addr"}, nt = stix2.v21.NetworkTraffic(
protocols="tcp", _valid_refs={"0": "ipv4-addr"},
src_ref="0", protocols="tcp",
extensions={'tcp-ext': h}) src_ref="0",
extensions={'tcp-ext': h})
assert nt.extensions['tcp-ext'].src_flags_hex == "00000002" assert nt.extensions['tcp-ext'].src_flags_hex == "00000002"
@ -998,12 +1017,13 @@ def test_mutex_example():
def test_process_example(): def test_process_example():
p = stix2.v21.Process(_valid_refs={"0": "file"}, p = stix2.v21.Process(
pid=1221, _valid_refs={"0": "file"},
name="gedit-bin", pid=1221,
created="2016-01-20T14:11:25.55Z", name="gedit-bin",
arguments=["--new-window"], created="2016-01-20T14:11:25.55Z",
binary_ref="0") arguments=["--new-window"],
binary_ref="0")
assert p.name == "gedit-bin" assert p.name == "gedit-bin"
assert p.arguments == ["--new-window"] assert p.arguments == ["--new-window"]
@ -1035,16 +1055,17 @@ def test_process_example_empty_with_extensions():
def test_process_example_windows_process_ext(): def test_process_example_windows_process_ext():
proc = stix2.v21.Process(pid=314, proc = stix2.v21.Process(
name="foobar.exe", pid=314,
extensions={ name="foobar.exe",
"windows-process-ext": { extensions={
"aslr_enabled": True, "windows-process-ext": {
"dep_enabled": True, "aslr_enabled": True,
"priority": "HIGH_PRIORITY_CLASS", "dep_enabled": True,
"owner_sid": "S-1-5-21-186985262-1144665072-74031268-1309" "priority": "HIGH_PRIORITY_CLASS",
} "owner_sid": "S-1-5-21-186985262-1144665072-74031268-1309"
}) }
})
assert proc.extensions["windows-process-ext"].aslr_enabled assert proc.extensions["windows-process-ext"].aslr_enabled
assert proc.extensions["windows-process-ext"].dep_enabled assert proc.extensions["windows-process-ext"].dep_enabled
assert proc.extensions["windows-process-ext"].priority == "HIGH_PRIORITY_CLASS" assert proc.extensions["windows-process-ext"].priority == "HIGH_PRIORITY_CLASS"
@ -1053,11 +1074,12 @@ def test_process_example_windows_process_ext():
def test_process_example_windows_process_ext_empty(): def test_process_example_windows_process_ext_empty():
with pytest.raises(stix2.exceptions.AtLeastOnePropertyError) as excinfo: with pytest.raises(stix2.exceptions.AtLeastOnePropertyError) as excinfo:
stix2.v21.Process(pid=1221, stix2.v21.Process(
name="gedit-bin", pid=1221,
extensions={ name="gedit-bin",
"windows-process-ext": {} extensions={
}) "windows-process-ext": {}
})
assert excinfo.value.cls == stix2.v21.WindowsProcessExt assert excinfo.value.cls == stix2.v21.WindowsProcessExt
properties_of_extension = list(stix2.v21.WindowsProcessExt._properties.keys()) properties_of_extension = list(stix2.v21.WindowsProcessExt._properties.keys())
@ -1075,10 +1097,11 @@ def test_process_example_extensions_empty():
def test_process_example_with_WindowsProcessExt_Object(): def test_process_example_with_WindowsProcessExt_Object():
p = stix2.v21.Process(extensions={ p = stix2.v21.Process(extensions={
"windows-process-ext": stix2.v21.WindowsProcessExt(aslr_enabled=True, "windows-process-ext": stix2.v21.WindowsProcessExt(
dep_enabled=True, aslr_enabled=True,
priority="HIGH_PRIORITY_CLASS", dep_enabled=True,
owner_sid="S-1-5-21-186985262-1144665072-74031268-1309") # noqa priority="HIGH_PRIORITY_CLASS",
owner_sid="S-1-5-21-186985262-1144665072-74031268-1309") # noqa
}) })
assert p.extensions["windows-process-ext"].dep_enabled assert p.extensions["windows-process-ext"].dep_enabled
@ -1087,13 +1110,13 @@ def test_process_example_with_WindowsProcessExt_Object():
def test_process_example_with_WindowsServiceExt(): def test_process_example_with_WindowsServiceExt():
p = stix2.v21.Process(extensions={ p = stix2.v21.Process(extensions={
"windows-service-ext": { "windows-service-ext": {
"service_name": "sirvizio", "service_name": "sirvizio",
"display_name": "Sirvizio", "display_name": "Sirvizio",
"start_type": "SERVICE_AUTO_START", "start_type": "SERVICE_AUTO_START",
"service_type": "SERVICE_WIN32_OWN_PROCESS", "service_type": "SERVICE_WIN32_OWN_PROCESS",
"service_status": "SERVICE_RUNNING" "service_status": "SERVICE_RUNNING"
} }
}) })
assert p.extensions["windows-service-ext"].service_name == "sirvizio" assert p.extensions["windows-service-ext"].service_name == "sirvizio"
@ -1124,10 +1147,11 @@ def test_process_example_with_WindowsProcessServiceExt():
def test_software_example(): def test_software_example():
s = stix2.v21.Software(name="Word", s = stix2.v21.Software(
cpe="cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*", name="Word",
version="2002", cpe="cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*",
vendor="Microsoft") version="2002",
vendor="Microsoft")
assert s.name == "Word" assert s.name == "Word"
assert s.cpe == "cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*" assert s.cpe == "cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*"
@ -1143,17 +1167,18 @@ def test_url_example():
def test_user_account_example(): def test_user_account_example():
a = stix2.v21.UserAccount(user_id="1001", a = stix2.v21.UserAccount(
account_login="jdoe", user_id="1001",
account_type="unix", account_login="jdoe",
display_name="John Doe", account_type="unix",
is_service_account=False, display_name="John Doe",
is_privileged=False, is_service_account=False,
can_escalate_privs=True, is_privileged=False,
account_created="2016-01-20T12:31:12Z", can_escalate_privs=True,
password_last_changed="2016-01-20T14:27:43Z", account_created="2016-01-20T12:31:12Z",
account_first_login="2016-01-20T14:26:07Z", password_last_changed="2016-01-20T14:27:43Z",
account_last_login="2016-07-22T16:08:28Z") account_first_login="2016-01-20T14:26:07Z",
account_last_login="2016-07-22T16:08:28Z")
assert a.user_id == "1001" assert a.user_id == "1001"
assert a.account_login == "jdoe" assert a.account_login == "jdoe"
@ -1169,14 +1194,16 @@ def test_user_account_example():
def test_user_account_unix_account_ext_example(): def test_user_account_unix_account_ext_example():
u = stix2.v21.UNIXAccountExt(gid=1001, u = stix2.v21.UNIXAccountExt(
groups=["wheel"], gid=1001,
home_dir="/home/jdoe", groups=["wheel"],
shell="/bin/bash") home_dir="/home/jdoe",
a = stix2.v21.UserAccount(user_id="1001", shell="/bin/bash")
account_login="jdoe", a = stix2.v21.UserAccount(
account_type="unix", user_id="1001",
extensions={'unix-account-ext': u}) account_login="jdoe",
account_type="unix",
extensions={'unix-account-ext': u})
assert a.extensions['unix-account-ext'].gid == 1001 assert a.extensions['unix-account-ext'].gid == 1001
assert a.extensions['unix-account-ext'].groups == ["wheel"] assert a.extensions['unix-account-ext'].groups == ["wheel"]
assert a.extensions['unix-account-ext'].home_dir == "/home/jdoe" assert a.extensions['unix-account-ext'].home_dir == "/home/jdoe"
@ -1185,15 +1212,18 @@ def test_user_account_unix_account_ext_example():
def test_windows_registry_key_example(): def test_windows_registry_key_example():
with pytest.raises(ValueError): with pytest.raises(ValueError):
stix2.v21.WindowsRegistryValueType(name="Foo", stix2.v21.WindowsRegistryValueType(
data="qwerty", name="Foo",
data_type="string") data="qwerty",
data_type="string")
v = stix2.v21.WindowsRegistryValueType(name="Foo", v = stix2.v21.WindowsRegistryValueType(
data="qwerty", name="Foo",
data_type="REG_SZ") data="qwerty",
w = stix2.v21.WindowsRegistryKey(key="hkey_local_machine\\system\\bar\\foo", data_type="REG_SZ")
values=[v]) w = stix2.v21.WindowsRegistryKey(
key="hkey_local_machine\\system\\bar\\foo",
values=[v])
assert w.key == "hkey_local_machine\\system\\bar\\foo" assert w.key == "hkey_local_machine\\system\\bar\\foo"
assert w.values[0].name == "Foo" assert w.values[0].name == "Foo"
assert w.values[0].data == "qwerty" assert w.values[0].data == "qwerty"