def validate(**object_data):
title_validation = None
short_description_validation = None
description_validation = None
tlp_validation = None
if not object_data.get('title'):
title_validation = FieldValidationInfo(ValidationStatus.ERROR,
'Title missing')
if not object_data.get('short_description'):
short_description_validation = FieldValidationInfo(
ValidationStatus.INFO, 'No short description')
if not object_data.get('description'):
description_validation = FieldValidationInfo(
ValidationStatus.ERROR, 'Description is missing')
if not object_data.get('tlp'):
tlp_validation = FieldValidationInfo(ValidationStatus.ERROR,
'No TLP')
return {
'title': title_validation,
'short_description': short_description_validation,
'description': description_validation,
'tlp': tlp_validation
}
def validate(cls, **observable_data):
domain_type = observable_data.get('type')
value = observable_data.get('value')
value_validation = None
type_validation = None
domain_matcher = None
if domain_type == cls.FQDN_TYPE:
domain_matcher = cls.FQDN_MATCHER
elif domain_type == cls.TLD_TYPE:
domain_matcher = cls.TLD_MATCHER
if not value:
value_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Domain value is missing')
if domain_matcher:
if value and not domain_matcher.match(value):
value_validation = FieldValidationInfo(ValidationStatus.WARN,
'Domain value is invalid %s' % domain_type)
else:
type_validation = FieldValidationInfo(
ValidationStatus.ERROR, 'Domain type is missing' if domain_type else 'Unrecognizable domain type')
return cls(observable_data, type=type_validation, value=value_validation)
def __validate_email(address):
if not address:
return FieldValidationInfo(ValidationStatus.ERROR, 'Email address is missing')
_, email_address = parseaddr(address)
if AddressValidationInfo.EMAIL_MATCHER.match(email_address) is None:
return FieldValidationInfo(ValidationStatus.WARN, 'The email address may be invalid')
return None
def validate(cls, **observable_data):
subject_validation = None
from_validation = None
date_validation = None
if not (observable_data.get('subject') or observable_data.get('from')
or observable_data.get('date')):
subject_validation = from_validation = date_validation = \
FieldValidationInfo(ValidationStatus.ERROR,
'Email requires at least one of Subject, From or Date fields')
else:
if not cls.__validate_address(observable_data.get('from')):
from_validation = FieldValidationInfo(
ValidationStatus.WARN, 'Email From address may be invalid')
if not cls.__validate_date(observable_data.get('date')):
date_validation = FieldValidationInfo(
ValidationStatus.WARN, 'Email Date may be invalid')
to_validation = cls.__validate_address_list(observable_data.get('to'),
'To')
cc_validation = cls.__validate_address_list(observable_data.get('cc'),
'Cc')
bcc_validation = cls.__validate_address_list(
observable_data.get('bcc'), 'Bcc')
return cls(observable_data,
subject=subject_validation,
from_address=from_validation,
date=date_validation,
to=to_validation,
cc=cc_validation,
bcc=bcc_validation)
def __validate_mac(address):
if not address:
return FieldValidationInfo(ValidationStatus.ERROR,
'MAC address is missing')
if AddressValidationInfo.MAC_MATCHER.match(address) is None:
return FieldValidationInfo(ValidationStatus.WARN,
'MAC address may be invalid')
return None
def __validate_ipv6(address):
if not address:
return FieldValidationInfo(ValidationStatus.ERROR,
'IPv6 address value is missing')
if not AddressValidationInfo.is_ipv6(address):
return FieldValidationInfo(ValidationStatus.WARN,
'IPv6 address appears invalid')
return None
def __validate_type(observable_type):
actual_type = getattr(observable_type, 'field_value', observable_type)
field_path_name = getattr(observable_type, 'field_path_name', None)
if not actual_type:
return FieldValidationInfo(ValidationStatus.ERROR, 'Missing observable type', field_path_name)
elif actual_type == ObservableValidationInfo.TYPE:
return FieldValidationInfo(ValidationStatus.WARN, 'Unrecognizable observable type', field_path_name)
else:
return None
def validate(cls, **observable_data):
user_agent = observable_data.get('user_agent')
user_agent_validation = None
if not user_agent:
user_agent_validation = FieldValidationInfo(
ValidationStatus.ERROR, 'User Agent value is missing')
elif not cls.USER_AGENT_MATCHER.match(user_agent):
user_agent_validation = FieldValidationInfo(
ValidationStatus.WARN, 'User Agent value may be invalid')
return cls(observable_data, user_agent=user_agent_validation)
def __validate_uri_type(cls, uri_type):
if not uri_type:
return FieldValidationInfo(ValidationStatus.ERROR,
'URI type is missing')
if uri_type not in cls.__get_type_map():
return FieldValidationInfo(
ValidationStatus.ERROR,
'Unable to determine URI type (%s)' % uri_type)
return None
def validate(cls, **observable_data):
type_validation = None
raw_artifact_validation = None
if not observable_data.get('type'):
type_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Artifact type is missing')
if not observable_data.get('raw_artifact'):
raw_artifact_validation = FieldValidationInfo(ValidationStatus.ERROR, 'Artifact data is missing')
return cls(observable_data, type=type_validation, raw_artifact=raw_artifact_validation)
def __validate_ipv4(address):
status = None
if not address:
status = FieldValidationInfo(ValidationStatus.ERROR, 'IP address is missing')
elif AddressValidationInfo.is_ipv4(address):
if AddressValidationInfo.__is_warning_ipv4(address):
status = FieldValidationInfo(ValidationStatus.WARN, 'IP address appears to be private')
else:
status = FieldValidationInfo(ValidationStatus.WARN, 'IPv4 address appears invalid')
return status
def __validate_cidr(address):
if not address:
return FieldValidationInfo(ValidationStatus.ERROR, 'CIDR value is missing')
address_parts = address.split('/')
if len(address_parts) == 2:
address_validation = AddressValidationInfo.__validate_ipv4(address_parts[0])
if address_validation is None:
try:
range_bits = int(address_parts[1])
if 0 <= range_bits <= 32:
return None
except ValueError:
pass
return FieldValidationInfo(ValidationStatus.WARN, 'CIDR value appears invalid')
def test_Validate_IfHostname_CallValidateHostnameValue(self, mock_hostname_validator):
mock_hostname_validator.return_value = FieldValidationInfo(ValidationStatus.INFO, 'Testing function call...')
hostname_value = 'blah'
socket_validation = SocketValidationInfo.validate(hostname=hostname_value)
self.assertEqual(socket_validation.hostname, mock_hostname_validator.return_value)
mock_hostname_validator.assert_called_with(False, hostname_value)
def validate_protocol(protocol):
protocol_validation = None
if protocol and any(char.isdigit() for char in protocol):
protocol_validation = FieldValidationInfo(
ValidationStatus.WARN, 'Protocol contains numeric characters')
return protocol_validation
def validate(cls, type_, id_):
field_validation = {}
if not NamespaceValidationInfo.__id_is_current_ns(id_):
field_validation[r'namespace'] = FieldValidationInfo(
ValidationStatus.WARN,
r'%s originates from an external namespace' %
CLIPPY_TYPES.get(type_, r'Object'))
return cls(**field_validation)
def validate(cls, **observable_data):
name = observable_data.get('name')
if name:
name_validation = None
else:
name_validation = FieldValidationInfo(ValidationStatus.ERROR,
'Mutex name is missing')
return cls(observable_data, name=name_validation)
def __validate_address_list(address_list, address_field_name):
if address_list:
for address in address_list:
if not EmailValidationInfo.__validate_address(address):
return FieldValidationInfo(
ValidationStatus.WARN,
'An email address in the %s field may be invalid' %
address_field_name)
return None
def validate(cls, **observable_data):
port = observable_data.get('port_value')
if port:
port_validation = None
else:
port_validation = FieldValidationInfo(ValidationStatus.ERROR,
'Port value is missing')
return cls(observable_data, port_value=port_validation)
def validate(cls, **observable_data):
value = observable_data.get('hostname_value')
if value:
value_validation = cls.validate_hostname_value(
observable_data.get('is_domain_name', False), value)
else:
value_validation = FieldValidationInfo(
ValidationStatus.ERROR, 'Hostname value is missing')
return cls(observable_data, hostname_value=value_validation)
def __validate_value(cls, value, uri_type):
if not value:
return FieldValidationInfo(ValidationStatus.ERROR,
'URI value is missing')
type_handler = cls.__get_type_map().get(uri_type)
if type_handler:
return type_handler(value)
return None
def __validate_hashes(hashes):
msgs = {}
if hashes:
for hash_ in hashes:
hash_type = hash_.get(r'type')
regex, msg = HASHES.get(hash_type)
if not regex.match(hash_.get(r'simple_hash_value')):
msgs[hash_type] = FieldValidationInfo(
ValidationStatus.WARN, msg)
return msgs
def __validate_file_extension(file_extension):
msg = None
if file_extension:
if FILE_EXTENSION.match(str(file_extension)):
pass
else:
msg = FieldValidationInfo(
ValidationStatus.WARN,
r'File Extension should be .{something}')
return msg
def __validate_size_in_bytes(size_in_bytes):
msg = None
if size_in_bytes:
if POSITIVE_INTEGER.match(str(size_in_bytes)):
pass
else:
msg = FieldValidationInfo(
ValidationStatus.ERROR,
r'Size In Bytes should be a positive integer')
return msg
def test_Validate_IfValueExists_CallValidateHostnameValue(self, mock_validate_hostname_value):
hostname_value = 'dummy value'
mock_validate_result = FieldValidationInfo(ValidationStatus.INFO, 'blah')
mock_validate_hostname_value.return_value = mock_validate_result
for is_domain in [True, False, None]:
if is_domain is None:
hostname_validation = HostnameValidationInfo.validate(hostname_value=hostname_value)
else:
hostname_validation = HostnameValidationInfo.validate(hostname_value=hostname_value,
is_domain_name=is_domain)
mock_validate_hostname_value.assert_called_with(bool(is_domain), hostname_value)
self.assertEqual(hostname_validation.hostname_value, mock_validate_result)
def validate_hostname_value(is_domain, value):
if is_domain:
is_valid = DomainNameValidationInfo.get_domain_type_from_value(
value) is not None
else:
is_valid = HostnameValidationInfo.HOSTNAME_MATCHER.match(
value) is not None
error = 'Invalid %s value' % ('domain' if is_domain else 'hostname')
return None if is_valid else FieldValidationInfo(
ValidationStatus.WARN, error)
def __validate_port(port):
port_validation = None
if port is None:
port_validation = FieldValidationInfo(ValidationStatus.ERROR,
'Port value is missing')
else:
try:
port_value = int(port)
except ValueError:
port_validation = FieldValidationInfo(ValidationStatus.ERROR,
'Invalid port value')
else:
if not (0 <= port_value <= 65535):
port_validation = FieldValidationInfo(
ValidationStatus.ERROR, 'Port value outside valid range')
elif port_value == 0:
port_validation = FieldValidationInfo(ValidationStatus.WARN,
'Port value is zero')
return port_validation
def validate(cls, **observable_data):
hive_validation = None
key_validation = None
hive = observable_data.get('hive')
if hive and not cls.HIVE_MATCHER.match(hive):
hive_validation = FieldValidationInfo(
ValidationStatus.WARN, 'Registry hive may be invalid')
key = observable_data.get('key')
if not key:
key_validation = FieldValidationInfo(ValidationStatus.ERROR,
'Registry key is missing')
elif not cls.KEY_MATCHER.match(key):
key_validation = FieldValidationInfo(
ValidationStatus.WARN, 'Registry key may be invalid')
elif hive and key.startswith(hive):
key_validation = FieldValidationInfo(
ValidationStatus.WARN,
'Registry key prepended with hive value')
return cls(observable_data, hive=hive_validation, key=key_validation)
def validate(cls, **observable_data):
address_value = observable_data['address_value']
category = observable_data.get(
'category', AddressValidationInfo.IPv4_CATEGORY) or AddressValidationInfo.IPv4_CATEGORY
# Default according to Cybox Schema
category_validation = None
address_validation = None
address_validator = cls.__get_category_handler(category)
if address_validator:
address_validation = address_validator(address_value)
else:
category_validation = FieldValidationInfo(ValidationStatus.ERROR,
'Unable to determine the address category (%s)' % category)
return cls(observable_data, address_value=address_validation, category=category_validation)
def validate_socket(socket):
protocol = socket.get('protocol')
ip_address = socket.get('ip_address')
hostname = socket.get('hostname')
protocol_validation = validate_protocol(protocol)
ip_address_validation = None
hostname_validation = None
if bool(ip_address) == bool(hostname):
ip_address_validation = hostname_validation = \
FieldValidationInfo(ValidationStatus.ERROR, 'Only one of IP address or Hostname must be completed')
elif ip_address:
ip_address_validation = validate_ip_address(ip_address)
elif hostname:
hostname_validation = HostnameValidationInfo.validate_hostname_value(
False, hostname)
return dict(protocol=protocol_validation,
ip_address=ip_address_validation,
hostname=hostname_validation)
def __validate_incidents(incidents, stix_header):
incident_validation = {}
for incident in incidents:
id_ = incident['id']
namespace_validation = NamespaceValidationInfo.validate(r'inc', id_)
if namespace_validation.is_local():
other_properties = OtherStructureConverter.package_to_simple(incident, stix_header)
validation_results = CommonValidationInfo.validate(**other_properties)
if validation_results and validation_results.validation_dict:
incident_validation.update({id_: validation_results.validation_dict})
if len(other_properties.get('external_ids', [])):
field_validation = {'external_ids': FieldValidationInfo(
ValidationStatus.WARN,
r'External IDs exist within an Incident in the package')
}
incident_validation.update({id_: ObjectValidationInfo(**field_validation).validation_dict})
else:
incident_validation.update({id_: namespace_validation.validation_dict})
return incident_validation