Ejemplo n.º 1
0
class Times(odm.Model):
    completed = odm.Optional(
        odm.Date(store=False),
        description="Date at which the submission finished scanning")
    submitted = odm.Date(
        default="NOW",
        description="Date at which the submission started scanning")
Ejemplo n.º 2
0
class Submission(odm.Model):
    archive_ts = odm.Date(store=False)  # Archiving timestamp
    classification = odm.Classification()  # Classification of the submission
    error_count = odm.Integer()  # Total number of errors in the submission
    errors = odm.List(odm.Keyword(), store=False)  # List of error keys
    expiry_ts = odm.Optional(odm.Date(store=False))  # Expiry timestamp
    file_count = odm.Integer()  # Total number of files in the submission
    files: List[File] = odm.List(
        odm.Compound(File))  # List of files that were originally submitted
    max_score = odm.Integer()  # Maximum score of all the files in the scan
    metadata = odm.FlattenedObject(
        store=False)  # Metadata associated to the submission
    params: SubmissionParams = odm.Compound(
        SubmissionParams)  # Submission detail blocs
    results: List[str] = odm.List(odm.Keyword(),
                                  store=False)  # List of result keys
    sid = odm.UUID(copyto="__text__")  # Submission ID
    state = odm.Enum(values=SUBMISSION_STATES)  # Status of the submission
    times = odm.Compound(Times, default={})  # Timing bloc
    verdict = odm.Compound(Verdict, default={})  # Verdict timing

    def is_submit(self):
        return self.state == 'submitted'

    def is_complete(self):
        return self.state == 'completed'

    def is_initial(self):
        return self.is_submit() and not self.params.psid
Ejemplo n.º 3
0
class Alert(odm.Model):
    alert_id = odm.Keyword(copyto="__text__")  # ID of the alert
    al = odm.Compound(ALResults)  # Assemblyline result block
    archive_ts = odm.Date(store=False)  # Archiving timestamp
    attack = odm.Compound(Attack)  # Attack result block
    classification = odm.Classification()  # Classification of the alert
    expiry_ts = odm.Optional(odm.Date(store=False))  # Expiry timestamp
    extended_scan = odm.Enum(values=EXTENDED_SCAN_VALUES,
                             store=False)  # Status of the extended scan
    file = odm.Compound(File)  # File block
    filtered = odm.Boolean(default=False)  # Are the alert result filtered
    heuristic = odm.Compound(Heuristic)  # Heuristic result block
    label = odm.List(odm.Keyword(), copyto="__text__",
                     default=[])  # List of labels applied to the alert
    metadata = odm.FlattenedObject(
        default={}, store=False)  # Metadata submitted with the file
    owner = odm.Optional(odm.Keyword())  # Owner of the alert
    priority = odm.Optional(
        odm.Enum(values=PRIORITIES))  # Priority applied to the alert
    reporting_ts = odm.Date()  # Time at which the alert was created
    sid = odm.UUID(store=False)  # ID of the submission related to this alert
    status = odm.Optional(
        odm.Enum(values=STATUSES))  # Status applied to the alert
    ts = odm.Date()  # Timestamp at which the file was submitted
    type = odm.Keyword()  # Type of alert
    verdict = odm.Compound(Verdict, default={})  # Verdict timing
Ejemplo n.º 4
0
class Certificate(odm.Model):
    @odm.model(index=True, store=False)
    class RSA_Info(odm.Model):
        d_param = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        e_param = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        n_param = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        p_param = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        q_param = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))

    version = odm.Optional(odm.Integer())
    subject = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    issuer = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    serial_number = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    key_size = odm.Optional(odm.Integer())
    key_type = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    key_usage = odm.Optional(odm.List(odm.EmptyableKeyword(copyto="__text__")))
    certificate_policies = odm.Optional(
        odm.List(odm.EmptyableKeyword(copyto="__text__")))
    ext_key_usage = odm.Optional(
        odm.List(odm.EmptyableKeyword(copyto="__text__")))
    valid_from = odm.Optional(odm.Date())
    valid_to = odm.Optional(odm.Date())
    signature = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    signature_algorithm = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    is_trusted = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    raw_hex = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    rsa_info = odm.Optional(odm.Compound(RSA_Info))
Ejemplo n.º 5
0
class Statistics(odm.Model):
    count = odm.Integer(default=0)
    min = odm.Integer(default=0)
    max = odm.Integer(default=0)
    avg = odm.Integer(default=0)
    sum = odm.Integer(default=0)
    first_hit = odm.Optional(odm.Date())
    last_hit = odm.Optional(odm.Date())
class Statistics(odm.Model):
    count = odm.Integer(default=0, description="Count of statistical hits")
    min = odm.Integer(default=0, description="Minimum value of all stastical hits")
    max = odm.Integer(default=0, description="Maximum value of all stastical hits")
    avg = odm.Integer(default=0, description="Anerage of all stastical hits")
    sum = odm.Integer(default=0, description="Sum of all stastical hits")
    first_hit = odm.Optional(odm.Date(), description="Date of first hit of statistic")
    last_hit = odm.Optional(odm.Date(), description="Date of last hit of statistic")
Ejemplo n.º 7
0
class Signature(odm.Model):
    classification = odm.Classification(store=True,
                                        default=Classification.UNRESTRICTED)
    data = odm.Text(index=False, store=False)
    last_modified = odm.Date(default="NOW")
    name = odm.Keyword(copyto="__text__")
    order = odm.Integer(default=1, store=False)
    revision = odm.Keyword(default="1")
    signature_id = odm.Optional(odm.Keyword())
    source = odm.Keyword()
    state_change_date = odm.Optional(odm.Date(store=False))
    state_change_user = odm.Optional(odm.Keyword(store=False))
    status = odm.Enum(values=RULE_STATUSES, copyto="__text__")
    type = odm.Keyword(copyto="__text__")
Ejemplo n.º 8
0
class Result(odm.Model):
    archive_ts = odm.Date(store=False)  # Archiving timestamp
    classification = odm.Classification(
    )  # Aggregate classification for the result
    created = odm.Date(
        default="NOW")  # Date at which the result object got created
    expiry_ts = odm.Optional(odm.Date(store=False))  # Expiry time stamp
    response: ResponseBody = odm.Compound(
        ResponseBody)  # The body of the response from the service
    result: ResultBody = odm.Compound(ResultBody,
                                      default={})  # The result body
    sha256 = odm.SHA256(
        store=False)  # SHA256 of the file the result object relates to
    drop_file = odm.Boolean(
        default=False)  # Do not pass to other stages after this run

    def build_key(self, service_tool_version=None, task=None):
        return self.help_build_key(self.sha256,
                                   self.response.service_name,
                                   self.response.service_version,
                                   self.is_empty(),
                                   service_tool_version=service_tool_version,
                                   task=task)

    @staticmethod
    def help_build_key(sha256,
                       service_name,
                       service_version,
                       is_empty,
                       service_tool_version=None,
                       task=None):
        key_list = [
            sha256,
            service_name.replace('.', '_'),
            f"v{service_version.replace('.', '_')}",
            f"c{generate_conf_key(service_tool_version=service_tool_version, task=task)}",
        ]

        if is_empty:
            key_list.append("e")

        return '.'.join(key_list)

    def is_empty(self):
        if len(self.response.extracted) == 0 and \
                len(self.response.supplementary) == 0 and \
                len(self.result.sections) == 0 and \
                self.result.score == 0:
            return True
        return False
class Current(odm.Model):
    """The current assignment for a service worker"""
    status: str = odm.Enum(values=STATUSES,
                           default='INITIALIZING')  # Status of the client
    task: Opt[Task] = odm.Optional(odm.Compound(Task))
    task_timeout: Opt[datetime] = odm.Optional(
        odm.Date())  # Time the task was assigned to the client
Ejemplo n.º 10
0
class ALResults(odm.Model):  # Assemblyline result block
    attrib = odm.List(odm.Keyword(), default=[],
                      copyto="__text__")  # List of attribution
    av = odm.List(odm.Keyword(), default=[], store=True,
                  copyto="__text__")  # List of AV hits
    behavior = odm.List(odm.Keyword(), default=[],
                        copyto="__text__")  # List of behaviors for the alert
    domain = odm.List(odm.Domain(), default=[],
                      copyto="__text__")  # List of all domains
    domain_dynamic = odm.List(
        odm.Domain(),
        default=[])  # List of domains found during dynamic analysis
    domain_static = odm.List(
        odm.Domain(),
        default=[])  # List of domains foudn during static analysis
    ip = odm.List(odm.IP(), default=[], copyto="__text__")  # List of all IPs
    ip_dynamic = odm.List(
        odm.IP(), default=[])  # List of IPs found during dynamic analysis
    ip_static = odm.List(
        odm.IP(), default=[])  # List of IPs found during static analysis
    request_end_time = odm.Date(
        index=False)  # End time of the Assemblyline submission
    score = odm.Integer(store=True)  # Maximum score found in the submission
    yara = odm.List(odm.Keyword(), default=[],
                    copyto="__text__")  # List of yara hits
class SubmissionSummary(odm.Model):
    classification = odm.Classification(default=Classification.UNRESTRICTED)  # Classification of the cache
    filtered = odm.Boolean(default=False)                                     # Has this cache entry been filtered
    expiry_ts = odm.Date(index=True)                                          # Expiry date
    tags = odm.Text()                                                         # Tags cache
    attack_matrix = odm.Text()                                                # Att&ck Matrix cache
    heuristics = odm.Text()                                                   # Heuristics cache
Ejemplo n.º 12
0
    class Debug(odm.Model):
        @odm.model(index=True, store=False)
        class CodeView(odm.Model):
            age = odm.Optional(odm.Integer())
            cv_signature = odm.Optional(
                odm.EmptyableKeyword(copyto="__text__"))
            filename = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
            guid = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))

        @odm.model(index=True, store=False)
        class POGO(odm.Model):
            @odm.model(index=True, store=False)
            class Entry(odm.Model):
                name = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
                size = odm.Optional(odm.Integer())
                start_rva = odm.Optional(odm.Integer())

            entries = odm.Optional(odm.List(odm.Compound(Entry)))
            signature = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))

        addressof_rawdata = odm.Optional(odm.Integer())
        characteristics = odm.Optional(odm.Integer())
        major_version = odm.Optional(odm.Integer())
        minor_version = odm.Optional(odm.Integer())
        pointerto_rawdata = odm.Optional(odm.Integer())
        sizeof_data = odm.Optional(odm.Integer())
        timestamp = odm.Optional(odm.Integer())
        hr_timestamp = odm.Optional(odm.Date())
        type = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        code_view = odm.Optional(odm.Compound(CodeView))
        pogo = odm.Optional(odm.Compound(POGO))
Ejemplo n.º 13
0
class IngestTask(odm.Model):
    # Submission Parameters
    submission: Submission = odm.Compound(Submission)

    # Shortcut for properties of the submission
    @property
    def file_size(self) -> int:
        return sum(file.size for file in self.submission.files)

    @property
    def params(self) -> SubmissionParams:
        return self.submission.params

    @property
    def sha256(self) -> str:
        return self.submission.files[0].sha256

    # Information about the ingestion itself, parameters irrelevant
    scan_key = odm.Optional(odm.Keyword())  # the filescore key
    retries = odm.Integer(default=0)

    # Fields added after a submission is complete for notification/bookkeeping processes
    failure = odm.Text(
        default='')  # If the ingestion has failed for some reason, what is it?
    score = odm.Optional(
        odm.Integer())  # Score from previous processing of this file
    extended_scan = odm.Enum(EXTENDED_SCAN_VALUES, default="skipped")
    ingest_id = odm.UUID()
    ingest_time = odm.Date(default="NOW")
Ejemplo n.º 14
0
    class Resource(odm.Model):
        # Since we will end up flattening the Resources and only keeping the data nodes,
        # we keep the list of parent's resource_id and the list of parent's labels (name or resource_type)
        parent_resource_ids = odm.Optional(
            odm.EmptyableKeyword(copyto="__text__"))
        parent_labels = odm.Optional(
            odm.List(odm.EmptyableKeyword(copyto="__text__")))

        characteristics = odm.Optional(odm.Integer())
        num_childs = odm.Optional(odm.Integer())
        depth = odm.Optional(odm.Integer())
        name = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        resource_id = odm.Optional(odm.Integer())
        resource_type = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        is_data = odm.Optional(odm.Boolean())
        is_directory = odm.Optional(odm.Boolean())
        major_version = odm.Optional(odm.Integer())
        minor_version = odm.Optional(odm.Integer())
        numberof_id_entries = odm.Optional(odm.Integer())
        numberof_name_entries = odm.Optional(odm.Integer())
        time_date_stamp = odm.Optional(odm.Integer())
        hr_time_date_stamp = odm.Optional(odm.Date())

        code_page = odm.Optional(odm.Integer())
        sha256 = odm.Optional(odm.SHA256())
        entropy = odm.Optional(odm.Float())
        offset = odm.Optional(odm.Integer())
        reserved = odm.Optional(odm.Integer())
Ejemplo n.º 15
0
    class Export(odm.Model):
        @odm.model(index=True, store=False)
        class Entry(odm.Model):
            @odm.model(index=True, store=False)
            class Forward_Information(odm.Model):
                function = odm.Optional(
                    odm.EmptyableKeyword(copyto="__text__"))
                library = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))

            address = odm.Optional(odm.Integer())
            forward_information = odm.Optional(
                odm.Compound(Forward_Information))
            function_rva = odm.Optional(odm.Integer())
            is_extern = odm.Optional(odm.Boolean())
            name = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
            ordinal = odm.Optional(odm.Integer())

        entries = odm.Optional(odm.List(odm.Compound(Entry)))
        export_flags = odm.Optional(odm.Integer())
        major_version = odm.Optional(odm.Integer())
        minor_version = odm.Optional(odm.Integer())
        name = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        ordinal_base = odm.Optional(odm.Integer())
        timestamp = odm.Optional(odm.Integer())
        hr_timestamp = odm.Optional(odm.Date())
Ejemplo n.º 16
0
class Submission(odm.Model):
    sid = odm.UUID()                                                     # Submission ID to use
    time = odm.Date(default="NOW")
    files: List[File] = odm.List(odm.Compound(File), default=[])         # File block
    metadata: Dict[str, str] = odm.FlattenedObject(default={})           # Metadata submitted with the file
    notification: Notification = odm.Compound(Notification, default={})  # Notification queue parameters
    params: SubmissionParams = odm.Compound(SubmissionParams)            # Parameters of the submission
Ejemplo n.º 17
0
class Submission(odm.Model):
    archive_ts = odm.Date(store=False, description="Archiving timestamp")
    classification = odm.Classification(
        description="Classification of the submission")
    error_count = odm.Integer(
        description="Total number of errors in the submission")
    errors: list[str] = odm.List(odm.Keyword(),
                                 store=False,
                                 description="List of error keys")
    expiry_ts = odm.Optional(odm.Date(store=False),
                             description="Expiry timestamp")
    file_count = odm.Integer(
        description="Total number of files in the submission")
    files: list[File] = odm.List(
        odm.Compound(File),
        description="List of files that were originally submitted")
    max_score = odm.Integer(
        description="Maximum score of all the files in the scan")
    metadata = odm.FlattenedObject(
        store=False, description="Metadata associated to the submission")
    params: SubmissionParams = odm.Compound(
        SubmissionParams, description="Submission parameter details")
    results: list[str] = odm.List(odm.Keyword(),
                                  store=False,
                                  description="List of result keys")
    sid = odm.UUID(copyto="__text__", description="Submission ID")
    state = odm.Enum(values=SUBMISSION_STATES,
                     description="Status of the submission")
    times = odm.Compound(Times,
                         default={},
                         description="Submission-specific times")
    verdict = odm.Compound(Verdict,
                           default={},
                           description="Malicious verdict details")

    # the filescore key, used in deduplication. This is a non-unique key, that is
    # shared by submissions that may be processed as duplicates.
    scan_key = odm.Optional(odm.Keyword(store=False, index=False))

    def is_submit(self):
        return self.state == 'submitted'

    def is_complete(self):
        return self.state == 'completed'

    def is_initial(self):
        return self.is_submit() and not self.params.psid
Ejemplo n.º 18
0
class Process(odm.Model):
    objectid = odm.Compound(ObjectID, description="The object ID of the process object")

    # Parent process details
    pobjectid = odm.Compound(ObjectID, description="The object ID of the parent process object")
    pimage = odm.Optional(odm.Text(), description="The image of the parent process that spawned this process")
    pcommand_line = odm.Optional(odm.Text(), description="The command line that the parent process ran")
    ppid = odm.Optional(odm.Integer(), description="The process ID of the parent process")

    pid = odm.Optional(odm.Integer(), description="The process ID")
    image = odm.Text(default="<unknown_image>", description="The image of the process")
    command_line = odm.Optional(odm.Text(), description="The command line that the process ran")
    start_time = odm.Date(description="The time of creation for the process")
    end_time = odm.Date(description="The time of termination for the process")
    integrity_level = odm.Optional(odm.Text(), description="The integrity level of the process")
    image_hash = odm.Optional(odm.Text(), description="The hash of the file run")
    original_file_name = odm.Optional(odm.Text(), description="The original name of the file")
Ejemplo n.º 19
0
class User(odm.Model):
    agrees_with_tos = odm.Optional(
        odm.Date(index=False, store=False),
        description="Date the user agree with terms of service")
    api_quota = odm.Integer(
        default=10,
        store=False,
        description="Maximum number of concurrent API requests")
    apikeys = odm.Mapping(odm.Compound(ApiKey),
                          default={},
                          index=False,
                          store=False,
                          description="Mapping of API keys")
    apps = odm.Mapping(odm.Compound(Apps),
                       default={},
                       index=False,
                       store=False,
                       description="Applications with access to the account")
    can_impersonate = odm.Boolean(
        default=False,
        index=False,
        store=False,
        description="Allowed to query on behalf of others?")
    classification = odm.Classification(
        is_user_classification=True,
        copyto="__text__",
        default=Classification.UNRESTRICTED,
        description="Maximum classification for the user")
    dn = odm.Optional(odm.Keyword(store=False, copyto="__text__"),
                      description="User's LDAP DN")
    email = odm.Optional(odm.Email(copyto="__text__"),
                         description="User's email address")
    groups = odm.List(odm.Keyword(),
                      copyto="__text__",
                      default=["USERS"],
                      description="List of groups the user submits to")
    is_active = odm.Boolean(default=True, description="Is the user active?")
    name = odm.Keyword(copyto="__text__", description="Full name of the user")
    otp_sk = odm.Optional(
        odm.Keyword(index=False, store=False),
        description="Secret key to generate one time passwords")
    password = odm.Keyword(index=False,
                           store=False,
                           description="BCrypt hash of the user's password")
    submission_quota = odm.Integer(
        default=5,
        store=False,
        description="Maximum number of concurrent submissions")
    type = odm.List(odm.Enum(values=USER_TYPES),
                    default=['user'],
                    description="Type of user")
    security_tokens = odm.Mapping(odm.Keyword(),
                                  index=False,
                                  store=False,
                                  default={},
                                  description="Map of security tokens")
    uname = odm.Keyword(copyto="__text__", description="Username")
Ejemplo n.º 20
0
class ObjectID(odm.Model):
    guid = odm.Text(description="The GUID associated with the object")
    tag = odm.Optional(odm.Text(),
                       description="The normalized tag of the object")
    treeid = odm.Optional(odm.Text(), description="The hash of the tree ID")
    processtree = odm.Optional(
        odm.Keyword(),
        description="Human-readable tree ID (concatenation of tags)")
    time_observed = odm.Optional(
        odm.Date(), description="The time at which the object was observed")
Ejemplo n.º 21
0
class FileScore(odm.Model):
    psid = odm.Optional(
        odm.UUID())  # ID of the parent submission to the associated submission
    expiry_ts = odm.Date(
        index=True)  # Expiry timestamp, used for garbage collection.
    score = odm.Integer()  # Maximum score for the associated submission
    errors = odm.Integer(
    )  # Number of errors that occurred during the previous analysis
    sid = odm.UUID()  # ID of the associated submission
    time = odm.Float()  # Epoch time at which the FileScore entry was created
Ejemplo n.º 22
0
 class Header(odm.Model):
     characteristics_hash = odm.Optional(odm.Integer())
     characteristics_list = odm.Optional(
         odm.List(odm.EmptyableKeyword(copyto="__text__")))
     machine = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
     numberof_sections = odm.Optional(odm.Integer())
     numberof_symbols = odm.Optional(odm.Integer())
     signature = odm.Optional(odm.List(odm.Integer()))
     timestamp = odm.Optional(odm.Integer())
     hr_timestamp = odm.Optional(odm.Date())
Ejemplo n.º 23
0
class File(odm.Model):

    archive_ts = odm.Date(store=False, description="Archiving timestamp")
    ascii = odm.Keyword(index=False, store=False,
                        description="Dotted ASCII representation of the first 64 bytes of the file")
    classification = odm.Classification(description="Classification of the file")
    entropy = odm.Float(description="Entropy of the file")
    expiry_ts = odm.Optional(odm.Date(store=False), description="Expiry timestamp")
    is_section_image = odm.Boolean(default=False, description="Is this an image from an Image Result Section?")
    hex = odm.Keyword(index=False, store=False, description="Hex dump of the first 64 bytes of the file")
    md5 = odm.MD5(copyto="__text__", description="MD5 of the file")
    magic = odm.Keyword(store=False, description="Output from libmagic related to the file")
    mime = odm.Optional(odm.Keyword(store=False), description="MIME type of the file as identified by libmagic")
    seen = odm.Compound(Seen, default={}, description="Details about when the file was seen")
    sha1 = odm.SHA1(copyto="__text__", description="SHA1 hash of the file")
    sha256 = odm.SHA256(copyto="__text__", description="SHA256 hash of the file")
    size = odm.Integer(description="Size of the file in bytes")
    ssdeep = odm.SSDeepHash(store=False, description="SSDEEP hash of the file")
    type = odm.Keyword(copyto="__text__", description="Type of file as identified by Assemblyline")
Ejemplo n.º 24
0
class SubmissionTree(odm.Model):
    classification = odm.Classification(
        default=Classification.UNRESTRICTED,
        description="Classification of the cache")
    filtered = odm.Boolean(default=False,
                           description="Has this cache entry been filtered?")
    expiry_ts = odm.Date(description="Expiry timestamp")
    supplementary = odm.Text(index=False,
                             description="Tree of supplementary files")
    tree = odm.Text(index=False, description="File tree cache")
Ejemplo n.º 25
0
class Workflow(odm.Model):
    classification = odm.Classification(
        copyto="__text__",
        default=Classification.UNRESTRICTED)  # Classification of the workflow
    creation_date = odm.Date(default="NOW")  # Creation date of the workflow
    creator = odm.Keyword()  # UID of the creator
    edited_by = odm.Keyword()  # UID of the last edit user
    hit_count = odm.Integer(default=0)  # Number of time workflow hit
    labels = odm.List(odm.Keyword(), copyto="__text__",
                      default=[])  # Labels applied by the workflow
    last_edit = odm.Date(default="NOW")  # Last edit date
    last_seen = odm.Optional(odm.Date())  # Last hit date
    name = odm.Keyword(copyto="__text__")  # Name of the workflow
    priority = odm.Optional(
        odm.Enum(copyto="__text__",
                 values=PRIORITIES))  # Priority applied by the workflow
    query = odm.Keyword()  # Query that the workflow runs
    status = odm.Optional(odm.Enum(
        copyto="__text__", values=STATUSES))  # Status applied by the workflow
    workflow_id = odm.Optional(odm.UUID())  # ID of the workflow
Ejemplo n.º 26
0
    class Load_Configuration(odm.Model):
        @odm.model(index=True, store=False)
        class Code_Integrity(odm.Model):
            catalog = odm.Optional(odm.Integer())
            catalog_offset = odm.Optional(odm.Integer())
            flags = odm.Optional(odm.Integer())
            reserved = odm.Optional(odm.Integer())

        characteristics = odm.Optional(odm.Integer())
        critical_section_default_timeout = odm.Optional(odm.Integer())
        csd_version = odm.Optional(odm.Integer())
        decommit_free_block_threshold = odm.Optional(odm.Integer())
        decommit_total_free_threshold = odm.Optional(odm.Integer())
        editlist = odm.Optional(odm.Integer())
        global_flags_clear = odm.Optional(odm.Integer())
        global_flags_set = odm.Optional(odm.Integer())
        lock_prefix_table = odm.Optional(odm.Integer())
        major_version = odm.Optional(odm.Integer())
        maximum_allocation_size = odm.Optional(odm.Integer())
        minor_version = odm.Optional(odm.Integer())
        process_affinity_mask = odm.Optional(odm.Integer())
        process_heap_flags = odm.Optional(odm.Integer())
        reserved1 = odm.Optional(odm.Integer())
        security_cookie = odm.Optional(odm.Integer())
        timedatestamp = odm.Optional(odm.Integer())
        hr_timedatestamp = odm.Optional(odm.Date())
        version = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        virtual_memory_threshold = odm.Optional(odm.Integer())
        se_handler_count = odm.Optional(odm.Integer())
        se_handler_table = odm.Optional(odm.Integer())
        guard_cf_check_function_pointer = odm.Optional(odm.Integer())
        guard_cf_dispatch_function_pointer = odm.Optional(odm.Integer())
        guard_cf_flags_list = odm.Optional(
            odm.List(odm.EmptyableKeyword(copyto="__text__")))
        guard_cf_function_count = odm.Optional(odm.Integer())
        guard_cf_function_table = odm.Optional(odm.Integer())
        guard_flags = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        code_integrity = odm.Optional(odm.Compound(Code_Integrity))
        guard_address_taken_iat_entry_count = odm.Optional(odm.Integer())
        guard_address_taken_iat_entry_table = odm.Optional(odm.Integer())
        guard_long_jump_target_count = odm.Optional(odm.Integer())
        guard_long_jump_target_table = odm.Optional(odm.Integer())
        dynamic_value_reloc_table = odm.Optional(odm.Integer())
        hybrid_metadata_pointer = odm.Optional(odm.Integer())
        dynamic_value_reloctable_offset = odm.Optional(odm.Integer())
        dynamic_value_reloctable_section = odm.Optional(odm.Integer())
        guard_rf_failure_routine = odm.Optional(odm.Integer())
        guard_rf_failure_routine_function_pointer = odm.Optional(odm.Integer())
        reserved2 = odm.Optional(odm.Integer())
        guard_rf_verify_stackpointer_function_pointer = odm.Optional(
            odm.Integer())
        hotpatch_table_offset = odm.Optional(odm.Integer())
        addressof_unicode_string = odm.Optional(odm.Integer())
        reserved3 = odm.Optional(odm.Integer())
Ejemplo n.º 27
0
class TCSignature(odm.Model):
    al_score = odm.Enum(values=SCORES, default="HIGH")
    al_status = odm.Enum(values=STATUSES, default="TESTING")
    callback = odm.Optional(odm.Keyword())
    classification = odm.Classification(default=Classification.UNRESTRICTED)
    comment = odm.Optional(odm.Keyword())
    implant_family = odm.Optional(odm.Keyword())
    last_modified = odm.Date(default="NOW")
    name = odm.Keyword(copyto="__text__")
    threat_actor = odm.Optional(odm.Keyword())
    values = odm.List(odm.Keyword())
Ejemplo n.º 28
0
class Error(odm.Model):
    archive_ts = odm.Date(store=False)  # Archiving timestamp
    created = odm.Date(default="NOW")  # Date at which the error was created
    expiry_ts = odm.Optional(odm.Date(store=False))  # Expiry time stamp
    response: Response = odm.Compound(Response)  # Response from the service
    sha256 = odm.SHA256(
        copyto="__text__")  # Hash of the file the error is related to
    type = odm.Enum(values=list(ERROR_TYPES.keys()),
                    default="EXCEPTION")  # Type of error

    def build_key(self, service_tool_version=None, task=None):
        key_list = [
            self.sha256,
            self.response.service_name.replace('.', '_'),
            f"v{self.response.service_version.replace('.', '_')}",
            f"c{generate_conf_key(service_tool_version=service_tool_version, task=task)}",
            f"e{ERROR_TYPES.get(self.type, 0)}"
        ]

        return '.'.join(key_list)
Ejemplo n.º 29
0
    class AnalysisMetadata(odm.Model):
        @odm.model(
            description=
            "The metadata regarding the machine where the analysis took place")
        class MachineMetadata(odm.Model):
            ip = odm.Optional(
                odm.IP(),
                description="The IP of the machine used for analysis")
            hypervisor = odm.Optional(
                odm.Keyword(),
                description="The hypervisor of the machine used for analysis")
            hostname = odm.Optional(
                odm.Keyword(),
                description="The name of the machine used for analysis")
            platform = odm.Optional(
                odm.Platform(),
                description="The platform of the machine used for analysis")
            version = odm.Optional(
                odm.Keyword(),
                description=
                "The version of the operating system of the machine used for analysis"
            )
            architecture = odm.Optional(
                odm.Processor(),
                description="The architecture of the machine used for analysis"
            )

        task_id = odm.Optional(
            odm.Keyword(),
            description="The ID used for identifying the analysis task")
        start_time = odm.Date(description="The start time of the analysis")
        end_time = odm.Date(description="The end time of the analysis")
        routing = odm.Optional(
            odm.Keyword(),
            description=
            "The routing used in the sandbox setup (Spoofed, Internet, Tor, VPN)"
        )
        machine_metadata = odm.Optional(
            odm.Compound(MachineMetadata),
            description="The metadata of the analysis")
Ejemplo n.º 30
0
class Submission(odm.Model):
    sid = odm.UUID(description="Submission ID to use")
    time = odm.Date(default="NOW", description="Message time")
    files: List[File] = odm.List(odm.Compound(File),
                                 default=[],
                                 description="File block")
    metadata: Dict[str, str] = odm.FlattenedObject(
        default={}, description="Metadata submitted with the file")
    notification: Notification = odm.Compound(
        Notification, default={}, description="Notification queue parameters")
    params: SubmissionParams = odm.Compound(
        SubmissionParams, description="Parameters of the submission")
    scan_key: Opt[str] = odm.Optional(odm.Keyword())