diff --git a/stix2/test/v20/test_indicator.py b/stix2/test/v20/test_indicator.py
index f20c902..1ae33ec 100644
--- a/stix2/test/v20/test_indicator.py
+++ b/stix2/test/v20/test_indicator.py
@@ -197,6 +197,7 @@ def test_invalid_indicator_pattern():
 def test_indicator_stix21_invalid_pattern():
 now = dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
 epoch = dt.datetime(1970, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
+ patrn = "[EXISTS windows-registry-key:values]"
 with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
 stix2.v20.Indicator(
@@ -204,7 +205,7 @@ def test_indicator_stix21_invalid_pattern():
 id=INDICATOR_ID,
 created=now,
 modified=now,
- pattern="[EXISTS windows-registry-key:values]",
+ pattern=patrn,
 valid_from=epoch,
 labels=["malicious-activity"],
 )
diff --git a/stix2/test/v21/test_indicator.py b/stix2/test/v21/test_indicator.py
index 77f9fde..152f253 100644
--- a/stix2/test/v21/test_indicator.py
+++ b/stix2/test/v21/test_indicator.py
@@ -256,6 +256,7 @@ def test_indicator_with_custom_embed_objs_extra_props_error():
 def test_indicator_stix20_invalid_pattern():
 now = dt.datetime(2017, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
 epoch = dt.datetime(1970, 1, 1, 0, 0, 1, tzinfo=pytz.utc)
+ patrn = "[win-registry-key:key = 'hkey_local_machine\\\\foo\\\\bar'] WITHIN 5 SECONDS WITHIN 6 SECONDS"
 with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
 stix2.v21.Indicator(
@@ -263,7 +264,7 @@ def test_indicator_stix20_invalid_pattern():
 id=INDICATOR_ID,
 created=now,
 modified=now,
- pattern="[win-registry-key:key = 'hkey_local_machine\\\\foo\\\\bar'] WITHIN 5 SECONDS WITHIN 6 SECONDS",
+ pattern=patrn,
 pattern_type="stix",
 valid_from=epoch,
 indicator_types=['malicious-activity'],
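Review bot: The local `patrn` added in test_indicator_stix21_invalid_pattern (first hunk, and again in test_indicator_stix20_invalid_pattern in the v21 file) is a clipped spelling the reader has to decode; `pattern = "[EXISTS windows-registry-key:values]"` passed as `pattern=pattern` reads more plainly. In the v20 test the value is used only once in the visible lines, so the extraction gains nothing there unless code outside the hunk reuses it. Both function bodies continue outside their hunks.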
@@ -271,3 +272,21 @@ def test_indicator_stix20_invalid_pattern():
 assert excinfo.value.cls == stix2.v21.Indicator
 assert "FAIL: The same qualifier is used more than once" in str(excinfo.value)
+
+ ind = stix2.v21.Indicator(
+ type="indicator",
+ id=INDICATOR_ID,
+ created=now,
+ modified=now,
+ pattern=patrn,
+ pattern_type="stix",
+ pattern_version="2.0",
+ valid_from=epoch,
+ indicator_types=['malicious-activity'],
+ )
+
+ assert ind.id == INDICATOR_ID
+ assert ind.indicator_types == ['malicious-activity']
+ assert ind.pattern == patrn
+ assert ind.pattern_type == "stix"
+ assert ind.pattern_version == "2.0"
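Review bot: The added positive case shows that declaring `pattern_version="2.0"` makes `stix2.v21.Indicator` accept a pattern it rejected a few lines earlier, but nothing here pins that the 2.0 path still validates the pattern rather than skipping the check. Because `pattern_version` travels with the object, anyone ingesting third-party indicators relies on that behaviour. A negative case using the pattern the v20 test already treats as invalid would cover it, presumably raising the same `InvalidValueError` if the 2.0 grammar is applied in v21 as well; confirm before merging. Separately, the accepting case now sits in a test named `test_indicator_stix20_invalid_pattern`, whose `def` is outside the hunk; a separate test function would keep a failure in one case from hiding the other.

```python
    # … unchanged: positive case with pattern_version="2.0" and its assertions …

    # Declaring pattern_version="2.0" must select the 2.0 grammar, not bypass validation.
    with pytest.raises(stix2.exceptions.InvalidValueError):
        stix2.v21.Indicator(
            type="indicator",
            id=INDICATOR_ID,
            created=now,
            modified=now,
            pattern="[EXISTS windows-registry-key:values]",
            pattern_type="stix",
            pattern_version="2.0",
            valid_from=epoch,
            indicator_types=['malicious-activity'],
        )
```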