class WhoisContact(entities.Entity):
_binding = whois_binding
_binding_class = whois_binding.WhoisContactType
_namespace = "http://cybox.mitre.org/objects#WhoisObject-2"
contact_type = fields.TypedField("contact_type")
contact_id = fields.TypedField("Contact_ID", String)
name = fields.TypedField("Name", String)
address = fields.TypedField("Address", String)
email_address = fields.TypedField("Email_Address", EmailAddress)
phone_number = fields.TypedField("Phone_Number", String)
fax_number = fields.TypedField("Fax_Number", String)
organization = fields.TypedField("Organization", String)
class NetworkInterface(entities.Entity):
_namespace = "http://cybox.mitre.org/objects#SystemObject-2"
_binding = system_binding
_binding_class = system_binding.NetworkInterfaceType
adapter = fields.TypedField("Adapter", String)
description = fields.TypedField("Description", String)
dhcp_lease_expires = fields.TypedField("DHCP_Lease_Expires", DateTime)
dhcp_lease_obtained = fields.TypedField("DHCP_Lease_Obtained", DateTime)
dhcp_server_list = fields.TypedField("DHCP_Server_List", DHCPServerList)
ip_gateway_list = fields.TypedField("IP_Gateway_List", IPGatewayList)
ip_list = fields.TypedField("IP_List", IPInfoList)
mac = fields.TypedField("MAC", String)
class TLPMarkingStructure(MarkingStructure):
_binding = tlp_binding
_binding_class = tlp_binding.TLPMarkingStructureType
_namespace = 'http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1'
_XSI_TYPE = "tlpMarking:TLPMarkingStructureType"
color = fields.TypedField("color")
def __init__(self, color=None):
super(TLPMarkingStructure, self).__init__()
self.color = color
class IPv6Header(entities.Entity):
_binding = network_packet_binding
_binding_class = network_packet_binding.IPv6HeaderType
_namespace = "http://cybox.mitre.org/objects#PacketObject-2"
ip_version = fields.TypedField("IP_Version", String)
traffic_class = fields.TypedField("Traffic_Class", HexBinary)
flow_label = fields.TypedField("Flow_Label", HexBinary)
payload_length = fields.TypedField("Payload_Length", HexBinary)
next_header = fields.TypedField("Next_Header", String)
ttl = fields.TypedField("TTL", HexBinary)
src_ipv6_addr = fields.TypedField("Src_IPv6_Addr", Address)
dest_ipv6_addr = fields.TypedField("Dest_IPv6_Addr", Address)
class Marking(stix.EntityList):
_binding = stix_data_marking_binding
_binding_class = stix_data_marking_binding.MarkingType
_namespace = 'http://data-marking.mitre.org/Marking-1'
marking = fields.TypedField("Marking", MarkingSpecification, multiple=True)
def __init__(self, markings=None):
super(Marking, self).__init__(markings)
def add_marking(self, value):
self.marking.append(value)
class RelatedIndicators(GenericRelationshipList):
_namespace = "http://stix.mitre.org/Campaign-1"
_binding = campaign_binding
_binding_class = campaign_binding.RelatedIndicatorsType
indicator = fields.TypedField(name="Related_Indicator",
type_=RelatedIndicator,
multiple=True,
key_name="indicators",
listfunc=partial(DeprecatedList,
type=RelatedIndicator))
class PEResource(entities.Entity):
_binding = win_executable_file_binding
_binding_class = win_executable_file_binding.PEResourceType
_namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"
type_ = fields.TypedField("Type", String)
name = fields.TypedField("Name", String)
size = fields.TypedField("Size", PositiveInteger)
virtual_address = fields.TypedField("Virtual_Address", HexBinary)
language = fields.TypedField("Language", String)
sub_language = fields.TypedField("Sub_Language", String)
hashes = fields.TypedField("Hashes", HashList)
data = fields.TypedField("Data", String)
class Time(entities.Entity):
_binding = common_binding
_binding_class = common_binding.TimeType
_namespace = 'http://cybox.mitre.org/common-2'
start_time = fields.TypedField("Start_Time", DateTimeWithPrecision)
end_time = fields.TypedField("End_Time", DateTimeWithPrecision)
produced_time = fields.TypedField("Produced_Time", DateTimeWithPrecision)
received_time = fields.TypedField("Received_Time", DateTimeWithPrecision)
def __init__(self,
start_time=None,
end_time=None,
produced_time=None,
received_time=None):
super(Time, self).__init__()
self.start_time = start_time
self.end_time = end_time
self.produced_time = produced_time
self.received_time = received_time
class NetworkConnection(ObjectProperties):
_binding = network_connection_binding
_binding_class = network_connection_binding.NetworkConnectionObjectType
_namespace = "http://cybox.mitre.org/objects#NetworkConnectionObject-2"
_XSI_NS = "NetworkConnectionObj"
_XSI_TYPE = "NetworkConnectionObjectType"
tls_used = fields.TypedField('tls_used')
creation_time = fields.TypedField('Creation_Time', DateTime)
layer3_protocol = fields.TypedField('Layer3_Protocol', String)
layer4_protocol = fields.TypedField('Layer4_Protocol', String)
layer7_protocol = fields.TypedField('Layer7_Protocol', String)
source_socket_address = fields.TypedField('Source_Socket_Address',
SocketAddress)
source_tcp_state = fields.TypedField('Source_TCP_State')
destination_socket_address = fields.TypedField(
'Destination_Socket_Address', SocketAddress)
destination_tcp_state = fields.TypedField('Destination_TCP_State')
layer7_connections = fields.TypedField('Layer7_Connections',
Layer7Connections)
class PEFileHeader(entities.Entity):
_binding = win_executable_file_binding
_binding_class = win_executable_file_binding.PEFileHeaderType
_namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"
machine = fields.TypedField("Machine", HexBinary)
number_of_sections = fields.TypedField("Number_Of_Sections", NonNegativeInteger)
time_date_stamp = fields.TypedField("Time_Date_Stamp", HexBinary)
pointer_to_symbol_table = fields.TypedField("Pointer_To_Symbol_Table", HexBinary)
number_of_symbols = fields.TypedField("Number_Of_Symbols", NonNegativeInteger)
size_of_optional_header = fields.TypedField("Size_Of_Optional_Header", HexBinary)
characteristics = fields.TypedField("Characteristics", HexBinary)
hashes = fields.TypedField("Hashes", HashList)
class DataSegment(entities.Entity):
_binding = common_binding
_binding_class = common_binding.DataSegmentType
_namespace = 'http://cybox.mitre.org/common-2'
id_ = fields.TypedField("id")
data_format = fields.TypedField("Data_Format")
data_size = fields.TypedField("Data_Size", DataSize)
byte_order = fields.TypedField("Byte_Order", String)
data_segment = fields.TypedField("Data_Segment", String)
offset = fields.TypedField("Offset", Integer)
search_distance = fields.TypedField("Search_Distance", Integer)
search_within = fields.TypedField("Search_Within", Integer)
class RawArtifact(String):
_binding = artifact_binding
_binding_class = _binding.RawArtifactType
_namespace = 'http://cybox.mitre.org/objects#ArtifactObject-2'
BIG_ENDIAN = "Big-endian"
LITTLE_ENDIAN = "Little-endian"
MIDDLE_ENDIAN = "Middle-endian"
ENDIANNESS = (BIG_ENDIAN, LITTLE_ENDIAN, MIDDLE_ENDIAN)
byte_order = fields.TypedField("byte_order", preset_hook=validate_byte_order_endianness)
class TermsOfUseMarkingStructure(MarkingStructure):
_binding = tou_marking_binding
_binding_class = tou_marking_binding.TermsOfUseMarkingStructureType
_namespace = 'http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1'
_XSI_TYPE = "TOUMarking:TermsOfUseMarkingStructureType"
terms_of_use = fields.TypedField("Terms_Of_Use")
def __init__(self, terms_of_use=None):
super(TermsOfUseMarkingStructure, self).__init__()
self.terms_of_use = terms_of_use
class CandidateIndicatorCollection(BaseCollection):
_binding = bundle_binding
_binding_class = bundle_binding.CandidateIndicatorCollectionType
_namespace = _namespace
id_ = fields.TypedField("id")
candidate_indicator_list = fields.TypedField("Candidate_Indicator_List",
CandidateIndicatorList)
def __init__(self, name=None, id=None):
super(CandidateIndicatorCollection, self).__init__(name)
if id:
self.id_ = id
else:
self.id_ = idgen.create_id(prefix="candidate_indicator_collection")
self.candidate_indicator_list = CandidateIndicatorList()
def add_candidate_indicator(self, candidate_indicator):
"""Add an input Candidate Indicator to the Collection."""
self.candidate_indicator_list.append(candidate_indicator)
class PropertyAffected(stix.Entity):
_namespace = "http://stix.mitre.org/Incident-1"
_binding = incident_binding
_binding_class = incident_binding.PropertyAffectedType
property_ = vocabs.VocabField("Property", vocabs.LossProperty, key_name="property")
descriptions_of_effect = fields.TypedField("Description_Of_Effect", StructuredTextList)
type_of_availability_loss = vocabs.VocabField("Type_Of_Availability_Loss", vocabs.AvailabilityLossType)
duration_of_availability_loss = vocabs.VocabField("Duration_Of_Availability_Loss", vocabs.LossDuration)
non_public_data_compromised = fields.TypedField("Non_Public_Data_Compromised", NonPublicDataCompromised)
def __init__(self):
super(PropertyAffected, self).__init__()
self.descriptions_of_effect = StructuredTextList()
@property
def description_of_effect(self):
"""A :class:`.StructuredTextList` object, containing descriptions about
the purpose or intent of this object.
Iterating over this object will yield its contents sorted by their
``ordinality`` value.
Default Value: Empty :class:`.StructuredTextList` object.
Note:
IF this is set to a value that is not an instance of
:class:`.StructuredText`, an effort will ne made to convert it.
If this is set to an iterable, any values contained that are not
an instance of :class:`.StructuredText` will be be converted.
Returns:
An instance of
:class:`.StructuredTextList`
"""
return next(iter(self.descriptions_of_effect), None)
@description_of_effect.setter
def description_of_effect(self, value):
self.descriptions_of_effect = value
class PublicRelease(stix.Entity):
_binding = cyber_profile
_binding_class = _binding.PublicReleaseType
_namespace = 'urn:edm:edh:cyber:v3'
released_by = fields.TypedField("releasedBy",
key_name="released_by",
preset_hook=validate_token)
released_on = fields.DateField("releasedOn", key_name="released_on")
def __init__(self):
super(PublicRelease, self).__init__()
class PotentialCOAs(GenericRelationshipList):
"""
A list of ``Potential_COA`` objects, defaults to empty array
"""
_namespace = "http://stix.mitre.org/ExploitTarget-1"
_binding = exploit_target_binding
_binding_class = exploit_target_binding.PotentialCOAsType
potential_coa = fields.TypedField("Potential_COA", RelatedCOA, multiple=True, key_name="coas")
def __init__(self, coas=None, scope=None):
super(PotentialCOAs, self).__init__(scope, coas)
class Compression(Packaging):
"""A Compression packaging layer
Currently only zlib and bz2 are supported.
Also, compression_mechanism_ref is not currently supported.
"""
_namespace = 'http://cybox.mitre.org/objects#ArtifactObject-2'
_binding = artifact_binding
_binding_class = _binding.CompressionType
compression_mechanism = fields.TypedField("compression_mechanism")
compression_mechanism_ref = fields.TypedField("compression_mechanism_ref")
def __init__(self, compression_mechanism=None):
super(Compression, self).__init__()
self.compression_mechanism = compression_mechanism
def to_dict(self):
dict_ = super(Compression, self).to_dict()
dict_['packaging_type'] = 'compression'
return dict_
class AccessPrivilege(stix.Entity):
_binding = cyber_profile
_binding_class = _binding.AccessPrivilegeType
_namespace = 'urn:edm:edh:cyber:v3'
_ALLOWED_VALUES = ('permit', 'deny')
privilege_action = fields.TypedField("privilegeAction", key_name="privilege_action", preset_hook=validate_token)
privilege_scope = fields.TypedField("privilegeScope", type_="stix_edh.common.NMTokens", multiple=True, key_name="privilege_scope")
rule_effect = fields.TypedField("ruleEffect", key_name="rule_effect", preset_hook=validate_enum_token)
def __init__(self):
super(AccessPrivilege, self).__init__()
def add_privilege_scope(self, value):
from stix_edh import common
if not value:
return
nmtokens = common.NMTokens(value)
self.privilege_scope.append(nmtokens)
class RelatedExploitTargets(GenericRelationshipList):
"""
A list of ``RelatedExploitTargets`` objects, defaults to empty array
"""
_namespace = "http://stix.mitre.org/ExploitTarget-1"
_binding = exploit_target_binding
_binding_class = exploit_target_binding.RelatedExploitTargetsType
related_exploit_target = fields.TypedField("Related_Exploit_Target", RelatedExploitTarget, multiple=True, key_name="related_exploit_targets")
def __init__(self, related_exploit_targets=None, scope=None):
super(RelatedExploitTargets, self).__init__(scope, related_exploit_targets)
class MarkingSpecification(stix.Entity):
_binding = stix_data_marking_binding
_binding_class = stix_data_marking_binding.MarkingSpecificationType
_namespace = 'http://data-marking.mitre.org/Marking-1'
id_ = fields.IdField("id")
idref = fields.IdrefField("idref")
version = fields.TypedField("version")
controlled_structure = fields.TypedField("Controlled_Structure")
marking_structures = fields.TypedField("Marking_Structure", MarkingStructure, factory=MarkingStructureFactory, multiple=True, key_name="marking_structures")
information_source = fields.TypedField("Information_Source", InformationSource)
def __init__(self, controlled_structure=None, marking_structures=None):
super(MarkingSpecification, self).__init__()
self.id_ = None
self.idref = None
self.version = None
self.controlled_structure = controlled_structure
self.marking_structures = marking_structures
self.information_source = None
class MalwareSubjectRelationship(maec.Entity):
_binding = package_binding
_binding_class = package_binding.MalwareSubjectRelationshipType
_namespace = _namespace
malware_subject_reference = fields.TypedField("Malware_Subject_Reference",
MalwareSubjectReference,
multiple=True)
type_ = vocabs.VocabField("Type", MalwareSubjectRelationshipVocab)
def __init__(self):
super(MalwareSubjectRelationship, self).__init__()
class SnortTestMechanism(test_mechanism._BaseTestMechanism):
_namespace = "http://stix.mitre.org/extensions/TestMechanism#Snort-1"
_binding = snort_tm_binding
_binding_class = _binding.SnortTestMechanismType
_XSI_TYPE = "snortTM:SnortTestMechanismType"
product_name = fields.TypedField("Product_Name", EncodedCDATA)
version = fields.TypedField("Version", EncodedCDATA)
rules = fields.TypedField("Rule",
EncodedCDATA,
multiple=True,
key_name="rules")
event_filters = fields.TypedField("Event_Filter",
EncodedCDATA,
multiple=True,
key_name="event_filters")
rate_filters = fields.TypedField("Rate_Filter",
EncodedCDATA,
multiple=True,
key_name="rate_filters")
event_suppressions = fields.TypedField("Event_Suppression",
EncodedCDATA,
multiple=True,
key_name="event_suppressions")
def __init__(self, id_=None, idref=None):
super(SnortTestMechanism, self).__init__(id_=id_, idref=idref)
class ToolInformation(entities.Entity):
_binding = common_binding
_binding_class = common_binding.ToolInformationType
_namespace = 'http://cybox.mitre.org/common-2'
id_ = fields.IdField("id")
idref = fields.IdrefField("idref")
name = fields.TypedField("Name")
type_ = VocabField("Type", ToolType, multiple=True)
description = fields.TypedField("Description", StructuredText)
vendor = fields.TypedField("Vendor")
version = fields.TypedField("Version")
service_pack = fields.TypedField("Service_Pack")
tool_hashes = fields.TypedField("Tool_Hashes", HashList)
def __init__(self, tool_name=None, tool_vendor=None):
super(ToolInformation, self).__init__()
# TODO: Implement items commented out below.
self.name = tool_name
self.description = None
#self.references = None
self.vendor = tool_vendor
self.version = None
self.service_pack = None
#self.tool_specific_data = None
self.tool_hashes = None
class Activity(stix.Entity):
_binding = common_binding
_binding_class = common_binding.ActivityType
_namespace = 'http://stix.mitre.org/common-1'
date_time = fields.TypedField("Date_Time", DateTimeWithPrecision)
descriptions = fields.TypedField("Description", StructuredTextList)
def __init__(self):
super(Activity, self).__init__()
self.descriptions = StructuredTextList()
@property
def description(self):
"""A single description about the contents or purpose of this object.
Default Value: ``None``
Note:
If this object has more than one description set, this will return
the description with the lowest ordinality value.
Returns:
An instance of
:class:`.StructuredText`
"""
return next(iter(self.descriptions), None)
@description.setter
def description(self, value):
self.descriptions = StructuredTextList(value)
def add_description(self, description):
"""Adds a description to the ``descriptions`` collection.
This is the same as calling "foo.descriptions.add(bar)".
"""
self.descriptions.add(description)
class UserAccount(Account):
_binding = user_account_binding
_binding_class = user_account_binding.UserAccountObjectType
_namespace = 'http://cybox.mitre.org/objects#UserAccountObject-2'
_XSI_NS = "UserAccountObj"
_XSI_TYPE = "UserAccountObjectType"
password_required = fields.TypedField('password_required')
full_name = fields.TypedField('Full_Name', String)
home_directory = fields.TypedField('Home_Directory', String)
last_login = fields.TypedField('Last_Login', DateTime)
script_path = fields.TypedField('Script_Path', String)
username = fields.TypedField('Username', String)
user_password_age = fields.TypedField('User_Password_Age', Duration)
# These should be overriden by subclasses
group_list = fields.TypedField('Group_List', GroupList)
privilege_list = fields.TypedField('Privilege_List', PrivilegeList)
class NetflowV5FlowHeader(entities.Entity):
_binding = network_flow_binding
_binding_class = network_flow_binding.NetflowV5FlowHeaderType
_namespace = "http://cybox.mitre.org/objects#NetworkFlowObject-2"
version = fields.TypedField("Version", HexBinary)
count = fields.TypedField("Count", Integer)
sys_up_time = fields.TypedField("Sys_Up_Time", Integer)
unix_secs = fields.TypedField("Unix_Secs", Integer)
unix_nsecs = fields.TypedField("Unix_Nsecs", Integer)
flow_sequence = fields.TypedField("Flow_Sequence", Integer)
engine_type = fields.TypedField("Engine_Type", String)
engine_id = fields.TypedField("Engine_ID", Integer)
sampling_interval = fields.TypedField("Sampling_Interval", HexBinary)
def __init__(self):
super(NetflowV5FlowHeader, self).__init__()
self.version = "05"
class History(stix.EntityList):
_namespace = "http://stix.mitre.org/Incident-1"
_binding = incident_binding
_binding_class = incident_binding.HistoryType
history_items = fields.TypedField("History_Item",
HistoryItem,
multiple=True,
key_name="history_items")
@classmethod
def _dict_as_list(cls):
return False
class RelatedCampaignRefs(GenericRelationshipList):
_namespace = "http://stix.mitre.org/Indicator-2"
_binding = indicator_binding
_binding_class = _binding.RelatedCampaignReferencesType
related_campaign = fields.TypedField(name="Related_Campaign",
type_=RelatedCampaignRef,
multiple=True,
key_name="related_campaigns",
listfunc=_RelatedCampaignRefList)
def __init__(self, related_campaign_refs=None, scope=None):
super(RelatedCampaignRefs, self).__init__(scope, related_campaign_refs)
class KillChains(stix.EntityList):
_binding = common_binding
_namespace = 'http://stix.mitre.org/common-1'
_binding_class = _binding.KillChainsType
kill_chain = fields.TypedField("Kill_Chain",
KillChain,
multiple=True,
key_name="kill_chains")
@classmethod
def _dict_as_list(cls):
return False
