diff --git a/stix2/test/test_interoperability.py b/stix2/test/test_interoperability.py
new file mode 100644
index 0000000..ed716b2
--- /dev/null
+++ b/stix2/test/test_interoperability.py
@@ -0,0 +1,188 @@
+import datetime
+import pytz
+import stix2
+
+FAKE_TIME = datetime.datetime(2017, 1, 1, 12, 34, 56, tzinfo=pytz.utc)
+
+ATTACK_PATTERN_ID = "attack-pattern--168b3330-fc69-11e8-b98e-0800279d6dc6"
+BUNDLE_ID = "bundle--2acecf31-5262-3981-8eff-db8a1de5945b"
+CAMPAIGN_ID = "campaign--f22d70fa-871d-5155-9812-89b3a48f6e50"
+COURSE_OF_ACTION_ID = "course-of-action--f9ae0d21-f4c9-360e-8743-b064b2ad2a2e"
+IDENTITY_ID = "identity--035a5348-2485-3bca-99ce-62da0f14c37a"
+INDICATOR_ID = "indicator--412aba5b-75b4-5827-99f1-c62d91504e97"
+INTRUSION_SET_ID = "intrusion-set--2d1db502-fc6c-11e8-8b3f-00216af611cf"
+MALWARE_ID = "malware--64ee70a4-8cc1-5d25-8bf2-dea6c79a09c8"
+MARKING_DEFINITION_ID = "marking-definition--f8427579-bd0f-3550-8eef-c3f2cb33cd0f"
+OBSERVED_DATA_ID = "observed-data--9a74c83e-2c09-3513-874b-91d679be82b8"
+RELATIONSHIP_ID = "relationship--ee36ba22-c954-5d25-89c8-5a435eaebeb3"
+REPORT_ID = "report--dbfe2a52-fc6c-11e8-8b3f-00216af611cf"
+SIGHTING_ID = "sighting--9ae1145d-b1b2-57b6-83f1-36a173a24112"
+THREAT_ACTOR_ID = "threat-actor--e5313ad6-6b11-3c07-8ace-7dc52824e063"
+TOOL_ID = "tool--bf0895d6-7626-361f-89dd-d404aa340bc2"
+VULNERABILITY_ID = "vulnerability--20296e55-98b9-5988-851a-51eddd5022c8"
+
+OBJECT_REFS = [ATTACK_PATTERN_ID, CAMPAIGN_ID, COURSE_OF_ACTION_ID, INDICATOR_ID, INTRUSION_SET_ID,
+ MALWARE_ID, MARKING_DEFINITION_ID, OBSERVED_DATA_ID, RELATIONSHIP_ID, SIGHTING_ID,
+ THREAT_ACTOR_ID, TOOL_ID, VULNERABILITY_ID]
+
+ATTACK_PATTERN_KWARGS = dict(
+ type='attack-pattern',
+ id=ATTACK_PATTERN_ID,
+ name="Phishing",
+ created_by_ref=IDENTITY_ID
+)
+
+BUNDLE_KWARGS = dict(
+ type='bundle',
+ id=BUNDLE_ID,
+ spec_version='2.0'
+)
+
+CAMPAIGN_KWARGS = dict(
+ type='campaign',
+ id=CAMPAIGN_ID,
+ created_by_ref=IDENTITY_ID,
+ created="2016-04-06T20:03:00.000Z",
+ modified="2016-04-06T20:03:00.000Z",
+ name="Green Group Attacks Against Finance",
+ description="Campaign by Green Group against a series of targets in the financial services sector.",
+)
+
+COURSE_OF_ACTION_KWARGS = dict(
+ type='course-of-action',
+ id=COURSE_OF_ACTION_ID,
+ name="Block",
+ created_by_ref=IDENTITY_ID
+)
+
+IDENTITY_KWARGS = dict(
+ type='identity',
+ id=IDENTITY_ID,
+ name="John Smith",
+ identity_class="individual",
+)
+
+INDICATOR_KWARGS = dict(
+ type='indicator',
+ id=INDICATOR_ID,
+ labels=['malicious-activity'],
+ pattern="[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
+ created_by_ref=IDENTITY_ID
+)
+
+INTRUSION_SET_KWARGS = dict(
+ type='intrusion-set',
+ id=INTRUSION_SET_ID,
+ name="Bobcat Breakin",
+ created_by_ref=IDENTITY_ID
+)
+
+MALWARE_KWARGS = dict(
+ type='malware',
+ id=MALWARE_ID,
+ created="2016-04-06T20:03:00.000Z",
+ modified="2016-04-06T20:03:00.000Z",
+ labels=['ransomware'],
+ name="Cryptolocker",
+ description="A ransomware related to ...",
+ created_by_ref=IDENTITY_ID
+)
+
+MARKING_DEFINITION_KWARGS = dict(
+ type='marking-definition',
+ id=MARKING_DEFINITION_ID,
+ definition_type='statement',
+ definition={'statement': "Copyright 2016, Example Corp"},
+ created_by_ref=IDENTITY_ID
+)
+
+OBSERVED_DATA_KWARGS = dict(
+ type='observed-data',
+ id=OBSERVED_DATA_ID,
+ first_observed=FAKE_TIME,
+ last_observed=FAKE_TIME,
+ number_observed=1,
+ objects={
+ "0": {
+ "type": "windows-registry-key",
+ "key": "HKEY_LOCAL_MACHINE\\System\\Foo\\Bar",
+ }
+ },
+ created_by_ref=IDENTITY_ID
+)
+
+REPORT_KWARGS = dict(
+ type='report',
+ id=REPORT_ID,
+ labels=["campaign"],
+ name="Bad Cybercrime",
+ published=FAKE_TIME,
+ object_refs=OBJECT_REFS,
+ created_by_ref=IDENTITY_ID
+)
+
+RELATIONSHIP_KWARGS = dict(
+ type='relationship',
+ id=RELATIONSHIP_ID,
+ relationship_type="indicates",
+ source_ref=INDICATOR_ID,
+ target_ref=MALWARE_ID,
+ created_by_ref=IDENTITY_ID
+)
+
+SIGHTING_KWARGS = dict(
+ type='sighting',
+ id=SIGHTING_ID,
+ sighting_of_ref=INDICATOR_ID,
+ created_by_ref=IDENTITY_ID,
+ observed_data_refs=[OBSERVED_DATA_ID],
+ where_sighted_refs=[IDENTITY_ID]
+)
+
+THREAT_ACTOR_KWARGS = dict(
+ type='threat-actor',
+ id=THREAT_ACTOR_ID,
+ labels=["crime-syndicate"],
+ name="Evil Org",
+ created_by_ref=IDENTITY_ID
+)
+
+TOOL_KWARGS = dict(
+ type='tool',
+ id=TOOL_ID,
+ labels=["remote-access"],
+ name="VNC",
+ created_by_ref=IDENTITY_ID,
+ interoperability=True
+)
+
+VULNERABILITY_KWARGS = dict(
+ type='vulnerability',
+ id=VULNERABILITY_ID,
+ name="Heartbleed",
+ created_by_ref=IDENTITY_ID
+)
+
+
+if __name__ == '__main__':
+ attack_pattern = stix2.AttackPattern(**ATTACK_PATTERN_KWARGS, interoperability=True)
+ campaign = stix2.Campaign(**CAMPAIGN_KWARGS, interoperability=True)
+ course_of_action = stix2.CourseOfAction(**COURSE_OF_ACTION_KWARGS, interoperability=True)
+ identity = stix2.Identity(**IDENTITY_KWARGS, interoperability=True)
+ indicator = stix2.Indicator(**INDICATOR_KWARGS, interoperability=True)
+ intrusion_set = stix2.IntrusionSet(**INTRUSION_SET_KWARGS, interoperability=True)
+ malware = stix2.Malware(**MALWARE_KWARGS, interoperability=True)
+ marking_definition = stix2.MarkingDefinition(**MARKING_DEFINITION_KWARGS, interoperability=True)
+ observed_data = stix2.ObservedData(**OBSERVED_DATA_KWARGS, interoperability=True)
+ relationship = stix2.Relationship(**RELATIONSHIP_KWARGS, interoperability=True)
+ sighting = stix2.Sighting(**SIGHTING_KWARGS, interoperability=True)
+ threat_actor = stix2.ThreatActor(**THREAT_ACTOR_KWARGS, interoperability=True)
+ tool = stix2.Tool(**TOOL_KWARGS)#, interoperability=True),
+ vulnerability = stix2.Vulnerability(**VULNERABILITY_KWARGS, interoperability=True)
+ report = stix2.Report(**REPORT_KWARGS, interoperability=True)
+ bundle = stix2.Bundle(**BUNDLE_KWARGS, interoperability=True,
+ objects=[attack_pattern, campaign, course_of_action, identity, indicator,
+ intrusion_set, malware, marking_definition, observed_data, tool,
+ relationship, sighting, threat_actor, vulnerability, report])
+ stix2.parse(dict(bundle), interoperability=True)
+ print("All interoperability tests passed !")
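Review bot: The new module lives under stix2/test/ but defines no test function — all of the construction and the final `stix2.parse(...)` call sit under `if __name__ == '__main__':`, so pytest collects nothing and the `interoperability=True` path is never exercised by the suite, while the trailing `print("All interoperability tests passed !")` reports success without asserting anything. Wrap the body in `def test_interoperability():`, keep the parsed result, and assert on it instead of printing; the bundle is built with 15 objects, so `assert len(parsed.objects) == 15` is the natural check (this assumes parse returns the Bundle with an `objects` attribute — verify against the parser). The Tool line `tool = stix2.Tool(**TOOL_KWARGS)#, interoperability=True),` carries a leftover commented-out fragment and is the only constructor without the explicit flag, which appears to be because TOOL_KWARGS already contains `interoperability=True` and passing it again would be a duplicate keyword; drop that entry from TOOL_KWARGS so the dict matches its siblings and the Tool call can take `interoperability=True` like the others.
```python
def test_interoperability():
    # … unchanged: attack_pattern … threat_actor constructors …
    tool = stix2.Tool(**TOOL_KWARGS, interoperability=True)
    # … unchanged: vulnerability, report, bundle …
    parsed = stix2.parse(dict(bundle), interoperability=True)
    assert len(parsed.objects) == 15
```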