class Authentication(entities.Entity):
_binding = account_binding
_binding_class = account_binding.AuthenticationType
_namespace = 'http://cybox.mitre.org/objects#AccountObject-2'
_XSI_NS = "AccountObj"
_XSI_TYPE = "AccountObjectType"
authentication_type = VocabField("Authentication_Type")
authentication_data = fields.TypedField("Authentication_Data", String)
authentication_token_protection_mechanism = VocabField(
"Authentication_Token_Protection_Mechanism")
structured_authentication_mechanism = fields.TypedField(
"Structured_Authentication_Mechanism",
StructuredAuthenticationMechanism)
class ToolInformation(entities.Entity):
_binding = common_binding
_binding_class = common_binding.ToolInformationType
_namespace = 'http://cybox.mitre.org/common-2'
id_ = fields.IdField("id")
idref = fields.IdrefField("idref")
name = fields.TypedField("Name")
type_ = VocabField("Type", ToolType, multiple=True)
description = fields.TypedField("Description", StructuredText)
vendor = fields.TypedField("Vendor")
version = fields.TypedField("Version")
service_pack = fields.TypedField("Service_Pack")
tool_hashes = fields.TypedField("Tool_Hashes", HashList)
def __init__(self, tool_name=None, tool_vendor=None):
super(ToolInformation, self).__init__()
# TODO: Implement items commented out below.
self.name = tool_name
self.description = None
#self.references = None
self.vendor = tool_vendor
self.version = None
self.service_pack = None
#self.tool_specific_data = None
self.tool_hashes = None
class ActionArgument(entities.Entity):
_binding = core_binding
_binding_class = core_binding.ActionArgumentType
_namespace = 'http://cybox.mitre.org/cybox-2'
argument_name = VocabField("Argument_Name", ArgumentName)
argument_value = fields.TypedField("Argument_Value")
class ToolInformation(entities.Entity):
_binding = common_binding
_binding_class = common_binding.ToolInformationType
_namespace = 'http://cybox.mitre.org/common-2'
id_ = fields.IdField("id")
idref = fields.IdrefField("idref")
name = fields.TypedField("Name")
type_ = VocabField("Type", ToolType, multiple=True)
description = fields.TypedField("Description", StructuredText)
references = fields.TypedField("References", ToolReferences)
vendor = fields.TypedField("Vendor")
version = fields.TypedField("Version")
service_pack = fields.TypedField("Service_Pack")
tool_specific_data = fields.TypedField("Tool_Specific_Data",
ToolSpecificData,
factory=ToolSpecificDataFactory)
tool_hashes = fields.TypedField("Tool_Hashes", HashList)
tool_configuration = fields.TypedField("Tool_Configuration",
ToolConfiguration)
execution_environment = fields.TypedField("Execution_Environment",
ExecutionEnvironment)
errors = fields.TypedField("Errors", Errors)
metadata = fields.TypedField("Metadata", Metadata, multiple=True)
compensation_model = fields.TypedField("Compensation_Model",
CompensationModel)
def __init__(self, tool_name=None, tool_vendor=None):
super(ToolInformation, self).__init__()
self.name = tool_name
self.vendor = tool_vendor
class ActionRelationship(entities.Entity):
_binding = core_binding
_binding_class = _binding.ActionRelationshipType
_namespace = 'http://cybox.mitre.org/cybox-2'
type = VocabField("Type", ActionType)
action_references = fields.TypedField("Action_Reference", ActionReference, multiple=True)
class Action(entities.Entity):
_binding = core_binding
_binding_class = core_binding.ActionType
_namespace = 'http://cybox.mitre.org/cybox-2'
id_ = fields.TypedField("id")
idref = fields.TypedField("idref")
ordinal_position = fields.TypedField("ordinal_position")
action_status = fields.TypedField("action_status")
context = fields.TypedField("context")
timestamp = fields.DateTimeField("timestamp")
type_ = VocabField("Type", ActionType)
name = VocabField("Name", ActionName)
description = fields.TypedField("Description", StructuredText)
action_aliases = fields.TypedField("Action_Aliases", ActionAliases)
action_arguments = fields.TypedField("Action_Arguments", ActionArguments)
discovery_method = fields.TypedField("Discovery_Method", MeasureSource)
associated_objects = fields.TypedField("Associated_Objects", AssociatedObjects)
relationships = fields.TypedField("Relationships", ActionRelationships)
frequency = fields.TypedField("Frequency", Frequency)
class AssociatedObject(Object):
"""The CybOX Associated Object element.
Currently only supports the id, association_type and ObjectProperties properties
"""
_binding = core_binding
_binding_class = _binding.AssociatedObjectType
association_type = VocabField("Association_Type", AssociationType)
def __init__(self, defined_object=None, type_=None, association_type=None):
super(AssociatedObject, self).__init__(defined_object, type_)
self.association_type = association_type
class MeasureSource(entities.Entity):
_binding = common_binding
_binding_class = common_binding.MeasureSourceType
_namespace = 'http://cybox.mitre.org/common-2'
class_ = fields.TypedField("classxx", key_name="class")
source_type = fields.TypedField("source_type")
name = fields.TypedField("name")
sighting_count = fields.TypedField("sighting_count")
information_source_type = VocabField("Information_Source_Type",
InformationSourceType)
tool_type = VocabField("Tool_Type", ToolType)
description = fields.TypedField("Description", StructuredText)
contributors = fields.TypedField("Contributors", Personnel)
time = fields.TypedField("Time", Time)
tools = fields.TypedField("Tools", ToolInformationList)
platform = fields.TypedField("Platform", PlatformSpecification)
system = fields.TypedField("System",
ObjectProperties,
factory=ObjectPropertiesFactory)
instance = fields.TypedField("Instance",
ObjectProperties,
factory=ObjectPropertiesFactory)
class ToolInformation(stix.Entity, cybox.common.ToolInformation):
_namespace = 'http://stix.mitre.org/common-1'
_binding = common_binding
_binding_class = common_binding.ToolInformationType
title = fields.TypedField("Title")
short_descriptions = fields.TypedField("Short_Description",
StructuredTextList)
type_ = VocabField("Type", AttackerToolType, multiple=True)
def __init__(self,
title=None,
short_description=None,
tool_name=None,
tool_vendor=None):
super(ToolInformation, self).__init__(tool_name=tool_name,
tool_vendor=tool_vendor)
self.title = title
self.short_description = StructuredTextList(short_description)
@property
def short_description(self):
"""A single short description about the contents or purpose of this
object.
Default Value: ``None``
Note:
If this object has more than one short description set, this will
return the short description with the lowest ordinality value.
Returns:
An instance of
:class:`.StructuredText`
"""
return next(iter(self.short_descriptions), None)
@short_description.setter
def short_description(self, value):
self.short_descriptions = value
def add_short_description(self, description):
"""Adds a description to the ``short_descriptions`` collection.
This is the same as calling "foo.short_descriptions.add(bar)".
"""
self.short_descriptions.add(description)
class Event(entities.Entity):
_binding = core_binding
_binding_class = core_binding.EventType
_namespace = 'http://cybox.mitre.org/cybox-2'
id_ = fields.TypedField("id")
idref = fields.TypedField("idref")
type_ = VocabField("Type", EventType)
description = fields.TypedField("Description", StructuredText)
observation_method = fields.TypedField("Observation_Method", MeasureSource)
actions = fields.TypedField("Actions", Actions)
frequency = fields.TypedField("Frequency", Frequency)
event = fields.TypedField("Event", multiple=True)
class LinuxPackage(ObjectProperties):
_binding = linux_package_binding
_binding_class = linux_package_binding.LinuxPackageObjectType
_namespace = "http://cybox.mitre.org/objects#LinuxPackageObject-2"
_XSI_NS = "LinuxPackageObj"
_XSI_TYPE = "LinuxPackageObjectType"
architecture = VocabField("Architecture", LinuxPackageArchitecture)
category = fields.TypedField("Category", String)
description = fields.TypedField("Description", String)
epoch = fields.TypedField("Epoch", String)
evr = fields.TypedField("EVR", String)
name = fields.TypedField("Name", String)
release = fields.TypedField("Release", String)
vendor = fields.TypedField("Vendor", String)
version = fields.TypedField("Version", String)
class Hash(entities.Entity):
_binding = common_binding
_binding_class = common_binding.HashType
_namespace = 'http://cybox.mitre.org/common-2'
type_ = VocabField("Type", HashName)
simple_hash_value = fields.TypedField("Simple_Hash_Value",
HexBinary,
postset_hook=_set_hash_type)
fuzzy_hash_value = fields.TypedField("Fuzzy_Hash_Value", String)
TYPE_MD5 = u("MD5")
TYPE_MD6 = u("MD6")
TYPE_SHA1 = u("SHA1")
TYPE_SHA224 = u("SHA224")
TYPE_SHA256 = u("SHA256")
TYPE_SHA384 = u("SHA384")
TYPE_SHA512 = u("SHA512")
TYPE_SSDEEP = u("SSDEEP")
TYPE_OTHER = VocabString(u("Other"))
def __init__(self, hash_value=None, type_=None, exact=False):
"""Create a new Hash Object
If exact=True, add 'condition="Equals"' to the hash value and type.
"""
super(Hash, self).__init__()
# Set type_ first so that auto-typing will work.
self.type_ = type_
if self.type_ == self.TYPE_SSDEEP:
self.fuzzy_hash_value = hash_value
else:
self.simple_hash_value = hash_value
if exact:
if self.simple_hash_value:
self.simple_hash_value.condition = "Equals"
if self.type_:
self.type_.condition = "Equals"
def __str__(self):
if self.type_ == self.TYPE_SSDEEP:
return str(self.fuzzy_hash_value)
else:
return str(self.simple_hash_value)
class MultipleHash(entities.Entity):
"""Fake entity class to test multiple on VocabField."""
_binding = common_binding
_binding_class = common_binding.HashType
_namespace = 'http://cybox.mitre.org/common-2'
type_ = VocabField("Type", HashName, multiple=True)
class Object(entities.Entity):
"""
The CybOX Object construct identifies and specifies the characteristics of
a specific cyber-relevant object (e.g. a file, a registry key or a
process).
Currently only supports the following data members:
- id\_
- idref
- has_changed
- description
- properties
- related_objects
- domain_specific_object_properties
Notes:
By default ``cybox.core.object.Object`` will cache objects when
instantiated. If your are experiencing memory issues in your
environment, we encourage the use of ``cybox.utils.caches.cache_clear()``
in your script to prevent an Out of Memory error. Depending on your
use case, it can be after serialization or if a certain threshold is
met (e.g. %30 of memory consumed by cache mechanism).
"""
_binding = core_binding
_binding_class = _binding.ObjectType
_namespace = 'http://cybox.mitre.org/cybox-2'
id_ = fields.IdField("id", postset_hook=_cache_object)
idref = fields.IdrefField("idref")
has_changed = fields.TypedField("has_changed")
state = VocabField("State")
description = fields.TypedField("Description", StructuredText)
properties = fields.TypedField("Properties",
ObjectProperties,
factory=ObjectPropertiesFactory,
postset_hook=_modify_properties_parent)
domain_specific_object_properties = fields.TypedField(
"Domain_Specific_Object_Properties",
"cybox.core.object.DomainSpecificObjectProperties",
factory=ExternalTypeFactory)
related_objects = fields.TypedField("Related_Objects",
"cybox.core.object.RelatedObjects")
def __init__(self, properties=None, id_=None, idref=None):
super(Object, self).__init__()
if properties:
prefix = str(properties.__class__.__name__)
else:
prefix = "Object"
self.id_ = id_ or idgen.create_id(prefix=prefix)
self.idref = idref
self.properties = properties
self.related_objects = RelatedObjects()
def __str__(self):
if self.id_ is not None:
return self.id_
elif self.idref is not None:
return self.idref
else:
return super(Object, self).__repr__()
def add_related(self, related, relationship, inline=True):
if not isinstance(related, ObjectProperties):
raise ValueError("Must be a ObjectProperties")
r = RelatedObject(related, relationship=relationship, inline=inline)
self.related_objects.append(r)
class RelatedObject(Object):
_binding = core_binding
_binding_class = _binding.RelatedObjectType
relationship = VocabField("Relationship", Relationship)
def __init__(self, *args, **kwargs):
relationship = kwargs.pop('relationship', None)
self._inline = kwargs.pop('inline', True)
super(RelatedObject, self).__init__(*args, **kwargs)
self.relationship = relationship
if not self._inline and self.properties:
self.idref = self.properties.parent.id_
self.properties = None
def __str__(self):
return "Related: " + super(RelatedObject, self).__str__()
#TODO: make this a property somehow
def get_properties(self):
if self.properties:
return self.properties
elif self.idref:
return cybox.utils.cache_get(self.idref).properties
else:
return None
def to_obj(self, ns_info=None):
relobj_obj = super(RelatedObject, self).to_obj(ns_info=ns_info)
if not self._inline:
relobj_obj.idref = self.idref
if self.relationship:
relobj_obj.Relationship = self.relationship.to_obj(ns_info=ns_info)
return relobj_obj
def to_dict(self):
if self._inline:
return super(RelatedObject, self).to_dict()
relobj_dict = {'idref': self.idref}
if self.relationship:
relobj_dict['relationship'] = self.relationship.to_dict()
return relobj_dict
@classmethod
def from_obj(cls, cls_obj):
if not cls_obj:
return None
relobj = super(RelatedObject, cls).from_obj(cls_obj)
if not relobj.idref and relobj.properties:
relobj._inline = True
return relobj
@classmethod
def from_dict(cls, cls_dict):
if not cls_dict:
return None
relobj = super(RelatedObject, cls).from_dict(cls_dict)
if not relobj.idref and relobj.properties:
relobj._inline = True
return relobj