Beispiel #1
0
class WhoisContact(entities.Entity):
    _binding = whois_binding
    _binding_class = whois_binding.WhoisContactType
    _namespace = "http://cybox.mitre.org/objects#WhoisObject-2"

    contact_type = fields.TypedField("contact_type")
    contact_id = fields.TypedField("Contact_ID", String)
    name = fields.TypedField("Name", String)
    address = fields.TypedField("Address", String)
    email_address = fields.TypedField("Email_Address", EmailAddress)
    phone_number = fields.TypedField("Phone_Number", String)
    fax_number = fields.TypedField("Fax_Number", String)
    organization = fields.TypedField("Organization", String)
Beispiel #2
0
class NetworkInterface(entities.Entity):
    _namespace = "http://cybox.mitre.org/objects#SystemObject-2"
    _binding = system_binding
    _binding_class = system_binding.NetworkInterfaceType

    adapter = fields.TypedField("Adapter", String)
    description = fields.TypedField("Description", String)
    dhcp_lease_expires = fields.TypedField("DHCP_Lease_Expires", DateTime)
    dhcp_lease_obtained = fields.TypedField("DHCP_Lease_Obtained", DateTime)
    dhcp_server_list = fields.TypedField("DHCP_Server_List", DHCPServerList)
    ip_gateway_list = fields.TypedField("IP_Gateway_List", IPGatewayList)
    ip_list = fields.TypedField("IP_List", IPInfoList)
    mac = fields.TypedField("MAC", String)
Beispiel #3
0
class TLPMarkingStructure(MarkingStructure):
    _binding = tlp_binding
    _binding_class = tlp_binding.TLPMarkingStructureType
    _namespace = 'http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1'
    _XSI_TYPE = "tlpMarking:TLPMarkingStructureType"

    color = fields.TypedField("color")

    def __init__(self, color=None):
        super(TLPMarkingStructure, self).__init__()
        self.color = color
class IPv6Header(entities.Entity):
    _binding = network_packet_binding
    _binding_class = network_packet_binding.IPv6HeaderType
    _namespace = "http://cybox.mitre.org/objects#PacketObject-2"

    ip_version = fields.TypedField("IP_Version", String)
    traffic_class = fields.TypedField("Traffic_Class", HexBinary)
    flow_label = fields.TypedField("Flow_Label", HexBinary)
    payload_length = fields.TypedField("Payload_Length", HexBinary)
    next_header = fields.TypedField("Next_Header", String)
    ttl = fields.TypedField("TTL", HexBinary)
    src_ipv6_addr = fields.TypedField("Src_IPv6_Addr", Address)
    dest_ipv6_addr = fields.TypedField("Dest_IPv6_Addr", Address)
Beispiel #5
0
class Marking(stix.EntityList):
    _binding = stix_data_marking_binding
    _binding_class = stix_data_marking_binding.MarkingType
    _namespace = 'http://data-marking.mitre.org/Marking-1'
    marking = fields.TypedField("Marking", MarkingSpecification, multiple=True)

    def __init__(self, markings=None):
        super(Marking, self).__init__(markings)

    def add_marking(self, value):
        self.marking.append(value)
Beispiel #6
0
class RelatedIndicators(GenericRelationshipList):
    _namespace = "http://stix.mitre.org/Campaign-1"
    _binding = campaign_binding
    _binding_class = campaign_binding.RelatedIndicatorsType

    indicator = fields.TypedField(name="Related_Indicator",
                                  type_=RelatedIndicator,
                                  multiple=True,
                                  key_name="indicators",
                                  listfunc=partial(DeprecatedList,
                                                   type=RelatedIndicator))
class PEResource(entities.Entity):
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEResourceType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    type_ = fields.TypedField("Type", String)
    name = fields.TypedField("Name", String)
    size = fields.TypedField("Size", PositiveInteger)
    virtual_address = fields.TypedField("Virtual_Address", HexBinary)
    language = fields.TypedField("Language", String)
    sub_language = fields.TypedField("Sub_Language", String)
    hashes = fields.TypedField("Hashes", HashList)
    data = fields.TypedField("Data", String)
Beispiel #8
0
class Time(entities.Entity):
    _binding = common_binding
    _binding_class = common_binding.TimeType
    _namespace = 'http://cybox.mitre.org/common-2'

    start_time = fields.TypedField("Start_Time", DateTimeWithPrecision)
    end_time = fields.TypedField("End_Time", DateTimeWithPrecision)
    produced_time = fields.TypedField("Produced_Time", DateTimeWithPrecision)
    received_time = fields.TypedField("Received_Time", DateTimeWithPrecision)

    def __init__(self,
                 start_time=None,
                 end_time=None,
                 produced_time=None,
                 received_time=None):
        super(Time, self).__init__()
        self.start_time = start_time
        self.end_time = end_time
        self.produced_time = produced_time
        self.received_time = received_time
class NetworkConnection(ObjectProperties):
    _binding = network_connection_binding
    _binding_class = network_connection_binding.NetworkConnectionObjectType
    _namespace = "http://cybox.mitre.org/objects#NetworkConnectionObject-2"
    _XSI_NS = "NetworkConnectionObj"
    _XSI_TYPE = "NetworkConnectionObjectType"

    tls_used = fields.TypedField('tls_used')
    creation_time = fields.TypedField('Creation_Time', DateTime)
    layer3_protocol = fields.TypedField('Layer3_Protocol', String)
    layer4_protocol = fields.TypedField('Layer4_Protocol', String)
    layer7_protocol = fields.TypedField('Layer7_Protocol', String)
    source_socket_address = fields.TypedField('Source_Socket_Address',
                                              SocketAddress)
    source_tcp_state = fields.TypedField('Source_TCP_State')
    destination_socket_address = fields.TypedField(
        'Destination_Socket_Address', SocketAddress)
    destination_tcp_state = fields.TypedField('Destination_TCP_State')
    layer7_connections = fields.TypedField('Layer7_Connections',
                                           Layer7Connections)
Beispiel #10
0
class PEFileHeader(entities.Entity):
    _binding = win_executable_file_binding
    _binding_class = win_executable_file_binding.PEFileHeaderType
    _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2"

    machine = fields.TypedField("Machine", HexBinary)
    number_of_sections = fields.TypedField("Number_Of_Sections", NonNegativeInteger)
    time_date_stamp = fields.TypedField("Time_Date_Stamp", HexBinary)
    pointer_to_symbol_table = fields.TypedField("Pointer_To_Symbol_Table", HexBinary)
    number_of_symbols = fields.TypedField("Number_Of_Symbols", NonNegativeInteger)
    size_of_optional_header = fields.TypedField("Size_Of_Optional_Header", HexBinary)
    characteristics = fields.TypedField("Characteristics", HexBinary)
    hashes = fields.TypedField("Hashes", HashList)
Beispiel #11
0
class DataSegment(entities.Entity):
    _binding = common_binding
    _binding_class = common_binding.DataSegmentType
    _namespace = 'http://cybox.mitre.org/common-2'

    id_ = fields.TypedField("id")
    data_format = fields.TypedField("Data_Format")
    data_size = fields.TypedField("Data_Size", DataSize)
    byte_order = fields.TypedField("Byte_Order", String)
    data_segment = fields.TypedField("Data_Segment", String)
    offset = fields.TypedField("Offset", Integer)
    search_distance = fields.TypedField("Search_Distance", Integer)
    search_within = fields.TypedField("Search_Within", Integer)
Beispiel #12
0
class RawArtifact(String):
    _binding = artifact_binding
    _binding_class = _binding.RawArtifactType
    _namespace = 'http://cybox.mitre.org/objects#ArtifactObject-2'

    BIG_ENDIAN = "Big-endian"
    LITTLE_ENDIAN = "Little-endian"
    MIDDLE_ENDIAN = "Middle-endian"
    ENDIANNESS = (BIG_ENDIAN, LITTLE_ENDIAN, MIDDLE_ENDIAN)

    byte_order = fields.TypedField("byte_order", preset_hook=validate_byte_order_endianness)
Beispiel #13
0
class TermsOfUseMarkingStructure(MarkingStructure):
    _binding = tou_marking_binding
    _binding_class = tou_marking_binding.TermsOfUseMarkingStructureType
    _namespace = 'http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1'
    _XSI_TYPE = "TOUMarking:TermsOfUseMarkingStructureType"

    terms_of_use = fields.TypedField("Terms_Of_Use")

    def __init__(self, terms_of_use=None):
        super(TermsOfUseMarkingStructure, self).__init__()
        self.terms_of_use = terms_of_use
Beispiel #14
0
class CandidateIndicatorCollection(BaseCollection):
    _binding = bundle_binding
    _binding_class = bundle_binding.CandidateIndicatorCollectionType
    _namespace = _namespace

    id_ = fields.TypedField("id")
    candidate_indicator_list = fields.TypedField("Candidate_Indicator_List",
                                                 CandidateIndicatorList)

    def __init__(self, name=None, id=None):
        super(CandidateIndicatorCollection, self).__init__(name)
        if id:
            self.id_ = id
        else:
            self.id_ = idgen.create_id(prefix="candidate_indicator_collection")
        self.candidate_indicator_list = CandidateIndicatorList()

    def add_candidate_indicator(self, candidate_indicator):
        """Add an input Candidate Indicator to the Collection."""
        self.candidate_indicator_list.append(candidate_indicator)
Beispiel #15
0
class PropertyAffected(stix.Entity):
    _namespace = "http://stix.mitre.org/Incident-1"
    _binding = incident_binding
    _binding_class = incident_binding.PropertyAffectedType
    
    property_ = vocabs.VocabField("Property", vocabs.LossProperty, key_name="property")
    descriptions_of_effect = fields.TypedField("Description_Of_Effect", StructuredTextList)
    type_of_availability_loss = vocabs.VocabField("Type_Of_Availability_Loss", vocabs.AvailabilityLossType)
    duration_of_availability_loss = vocabs.VocabField("Duration_Of_Availability_Loss", vocabs.LossDuration)
    non_public_data_compromised = fields.TypedField("Non_Public_Data_Compromised", NonPublicDataCompromised)
    
    def __init__(self):
        super(PropertyAffected, self).__init__()
        self.descriptions_of_effect = StructuredTextList()

    @property
    def description_of_effect(self):
        """A :class:`.StructuredTextList` object, containing descriptions about
        the purpose or intent of this object.

        Iterating over this object will yield its contents sorted by their
        ``ordinality`` value.

        Default Value: Empty :class:`.StructuredTextList` object.

        Note:
            IF this is set to a value that is not an instance of
            :class:`.StructuredText`, an effort will ne made to convert it.
            If this is set to an iterable, any values contained that are not
            an instance of :class:`.StructuredText` will be be converted.

        Returns:
            An instance of
            :class:`.StructuredTextList`

        """
        return next(iter(self.descriptions_of_effect), None)

    @description_of_effect.setter
    def description_of_effect(self, value):
        self.descriptions_of_effect = value
Beispiel #16
0
class PublicRelease(stix.Entity):
    _binding = cyber_profile
    _binding_class = _binding.PublicReleaseType
    _namespace = 'urn:edm:edh:cyber:v3'

    released_by = fields.TypedField("releasedBy",
                                    key_name="released_by",
                                    preset_hook=validate_token)
    released_on = fields.DateField("releasedOn", key_name="released_on")

    def __init__(self):
        super(PublicRelease, self).__init__()
Beispiel #17
0
class PotentialCOAs(GenericRelationshipList):
    """
    A list of ``Potential_COA`` objects, defaults to empty array
    """
    _namespace = "http://stix.mitre.org/ExploitTarget-1"
    _binding = exploit_target_binding
    _binding_class = exploit_target_binding.PotentialCOAsType

    potential_coa = fields.TypedField("Potential_COA", RelatedCOA, multiple=True, key_name="coas")

    def __init__(self, coas=None, scope=None):
        super(PotentialCOAs, self).__init__(scope, coas)
Beispiel #18
0
class Compression(Packaging):
    """A Compression packaging layer

    Currently only zlib and bz2 are supported.
    Also, compression_mechanism_ref is not currently supported.
    """
    _namespace = 'http://cybox.mitre.org/objects#ArtifactObject-2'
    _binding = artifact_binding
    _binding_class = _binding.CompressionType

    compression_mechanism = fields.TypedField("compression_mechanism")
    compression_mechanism_ref = fields.TypedField("compression_mechanism_ref")

    def __init__(self, compression_mechanism=None):
        super(Compression, self).__init__()
        self.compression_mechanism = compression_mechanism

    def to_dict(self):
        dict_ = super(Compression, self).to_dict()
        dict_['packaging_type'] = 'compression'
        return dict_
Beispiel #19
0
class AccessPrivilege(stix.Entity):
    _binding = cyber_profile
    _binding_class = _binding.AccessPrivilegeType
    _namespace = 'urn:edm:edh:cyber:v3'
    _ALLOWED_VALUES = ('permit', 'deny')

    privilege_action = fields.TypedField("privilegeAction", key_name="privilege_action", preset_hook=validate_token)
    privilege_scope = fields.TypedField("privilegeScope", type_="stix_edh.common.NMTokens", multiple=True, key_name="privilege_scope")
    rule_effect = fields.TypedField("ruleEffect", key_name="rule_effect", preset_hook=validate_enum_token)

    def __init__(self):
        super(AccessPrivilege, self).__init__()

    def add_privilege_scope(self, value):
        from stix_edh import common

        if not value:
            return

        nmtokens = common.NMTokens(value)
        self.privilege_scope.append(nmtokens)
Beispiel #20
0
class RelatedExploitTargets(GenericRelationshipList):
    """
    A list of ``RelatedExploitTargets`` objects, defaults to empty array
    """
    _namespace = "http://stix.mitre.org/ExploitTarget-1"
    _binding = exploit_target_binding
    _binding_class = exploit_target_binding.RelatedExploitTargetsType

    related_exploit_target = fields.TypedField("Related_Exploit_Target", RelatedExploitTarget, multiple=True, key_name="related_exploit_targets")

    def __init__(self, related_exploit_targets=None, scope=None):
        super(RelatedExploitTargets, self).__init__(scope, related_exploit_targets)
Beispiel #21
0
class MarkingSpecification(stix.Entity):
    _binding = stix_data_marking_binding
    _binding_class = stix_data_marking_binding.MarkingSpecificationType
    _namespace = 'http://data-marking.mitre.org/Marking-1'

    id_ = fields.IdField("id")
    idref = fields.IdrefField("idref")
    version = fields.TypedField("version")
    controlled_structure = fields.TypedField("Controlled_Structure")
    marking_structures = fields.TypedField("Marking_Structure", MarkingStructure, factory=MarkingStructureFactory, multiple=True, key_name="marking_structures")
    information_source = fields.TypedField("Information_Source", InformationSource)

    def __init__(self, controlled_structure=None, marking_structures=None):
        super(MarkingSpecification, self).__init__()

        self.id_ = None
        self.idref = None
        self.version = None
        self.controlled_structure = controlled_structure
        self.marking_structures = marking_structures
        self.information_source = None
Beispiel #22
0
class MalwareSubjectRelationship(maec.Entity):
    _binding = package_binding
    _binding_class = package_binding.MalwareSubjectRelationshipType
    _namespace = _namespace

    malware_subject_reference = fields.TypedField("Malware_Subject_Reference",
                                                  MalwareSubjectReference,
                                                  multiple=True)
    type_ = vocabs.VocabField("Type", MalwareSubjectRelationshipVocab)

    def __init__(self):
        super(MalwareSubjectRelationship, self).__init__()
Beispiel #23
0
class SnortTestMechanism(test_mechanism._BaseTestMechanism):
    _namespace = "http://stix.mitre.org/extensions/TestMechanism#Snort-1"
    _binding = snort_tm_binding
    _binding_class = _binding.SnortTestMechanismType
    _XSI_TYPE = "snortTM:SnortTestMechanismType"

    product_name = fields.TypedField("Product_Name", EncodedCDATA)
    version = fields.TypedField("Version", EncodedCDATA)
    rules = fields.TypedField("Rule",
                              EncodedCDATA,
                              multiple=True,
                              key_name="rules")
    event_filters = fields.TypedField("Event_Filter",
                                      EncodedCDATA,
                                      multiple=True,
                                      key_name="event_filters")
    rate_filters = fields.TypedField("Rate_Filter",
                                     EncodedCDATA,
                                     multiple=True,
                                     key_name="rate_filters")
    event_suppressions = fields.TypedField("Event_Suppression",
                                           EncodedCDATA,
                                           multiple=True,
                                           key_name="event_suppressions")

    def __init__(self, id_=None, idref=None):
        super(SnortTestMechanism, self).__init__(id_=id_, idref=idref)
Beispiel #24
0
class ToolInformation(entities.Entity):
    _binding = common_binding
    _binding_class = common_binding.ToolInformationType
    _namespace = 'http://cybox.mitre.org/common-2'

    id_ = fields.IdField("id")
    idref = fields.IdrefField("idref")
    name = fields.TypedField("Name")
    type_ = VocabField("Type", ToolType, multiple=True)
    description = fields.TypedField("Description", StructuredText)
    vendor = fields.TypedField("Vendor")
    version = fields.TypedField("Version")
    service_pack = fields.TypedField("Service_Pack")
    tool_hashes = fields.TypedField("Tool_Hashes", HashList)

    def __init__(self, tool_name=None, tool_vendor=None):
        super(ToolInformation, self).__init__()
        # TODO: Implement items commented out below.
        self.name = tool_name
        self.description = None
        #self.references = None
        self.vendor = tool_vendor
        self.version = None
        self.service_pack = None
        #self.tool_specific_data = None
        self.tool_hashes = None
class Activity(stix.Entity):
    _binding = common_binding
    _binding_class = common_binding.ActivityType
    _namespace = 'http://stix.mitre.org/common-1'

    date_time = fields.TypedField("Date_Time", DateTimeWithPrecision)
    descriptions = fields.TypedField("Description", StructuredTextList)

    def __init__(self):
        super(Activity, self).__init__()
        self.descriptions = StructuredTextList()

    @property
    def description(self):
        """A single description about the contents or purpose of this object.

        Default Value: ``None``

        Note:
            If this object has more than one description set, this will return
            the description with the lowest ordinality value.

        Returns:
            An instance of
            :class:`.StructuredText`

        """
        return next(iter(self.descriptions), None)

    @description.setter
    def description(self, value):
        self.descriptions = StructuredTextList(value)

    def add_description(self, description):
        """Adds a description to the ``descriptions`` collection.

        This is the same as calling "foo.descriptions.add(bar)".

        """
        self.descriptions.add(description)
class UserAccount(Account):
    _binding = user_account_binding
    _binding_class = user_account_binding.UserAccountObjectType
    _namespace = 'http://cybox.mitre.org/objects#UserAccountObject-2'
    _XSI_NS = "UserAccountObj"
    _XSI_TYPE = "UserAccountObjectType"

    password_required = fields.TypedField('password_required')
    full_name = fields.TypedField('Full_Name', String)
    home_directory = fields.TypedField('Home_Directory', String)
    last_login = fields.TypedField('Last_Login', DateTime)
    script_path = fields.TypedField('Script_Path', String)
    username = fields.TypedField('Username', String)
    user_password_age = fields.TypedField('User_Password_Age', Duration)

    # These should be overriden by subclasses
    group_list = fields.TypedField('Group_List', GroupList)
    privilege_list = fields.TypedField('Privilege_List', PrivilegeList)
Beispiel #27
0
class NetflowV5FlowHeader(entities.Entity):
    _binding = network_flow_binding
    _binding_class = network_flow_binding.NetflowV5FlowHeaderType
    _namespace = "http://cybox.mitre.org/objects#NetworkFlowObject-2"

    version = fields.TypedField("Version", HexBinary)
    count = fields.TypedField("Count", Integer)
    sys_up_time = fields.TypedField("Sys_Up_Time", Integer)
    unix_secs = fields.TypedField("Unix_Secs", Integer)
    unix_nsecs = fields.TypedField("Unix_Nsecs", Integer)
    flow_sequence = fields.TypedField("Flow_Sequence", Integer)
    engine_type = fields.TypedField("Engine_Type", String)
    engine_id = fields.TypedField("Engine_ID", Integer)
    sampling_interval = fields.TypedField("Sampling_Interval", HexBinary)

    def __init__(self):
        super(NetflowV5FlowHeader, self).__init__()
        self.version = "05"
class History(stix.EntityList):
    _namespace = "http://stix.mitre.org/Incident-1"
    _binding = incident_binding
    _binding_class = incident_binding.HistoryType

    history_items = fields.TypedField("History_Item",
                                      HistoryItem,
                                      multiple=True,
                                      key_name="history_items")

    @classmethod
    def _dict_as_list(cls):
        return False
Beispiel #29
0
class RelatedCampaignRefs(GenericRelationshipList):
    _namespace = "http://stix.mitre.org/Indicator-2"
    _binding = indicator_binding
    _binding_class = _binding.RelatedCampaignReferencesType

    related_campaign = fields.TypedField(name="Related_Campaign",
                                         type_=RelatedCampaignRef,
                                         multiple=True,
                                         key_name="related_campaigns",
                                         listfunc=_RelatedCampaignRefList)

    def __init__(self, related_campaign_refs=None, scope=None):
        super(RelatedCampaignRefs, self).__init__(scope, related_campaign_refs)
Beispiel #30
0
class KillChains(stix.EntityList):
    _binding = common_binding
    _namespace = 'http://stix.mitre.org/common-1'
    _binding_class = _binding.KillChainsType

    kill_chain = fields.TypedField("Kill_Chain",
                                   KillChain,
                                   multiple=True,
                                   key_name="kill_chains")

    @classmethod
    def _dict_as_list(cls):
        return False