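def test_10(self):
    """Poll with a Default Query that should match just the APT1 report.

    Builds a case-sensitive equals query on the Threat Actor identity's
    SubDivisionName ('Unit 61398'), attaches it to the poll parameters, sends
    the poll to /services/test_poll_1/ and requires exactly one content block
    in the Poll Response.

    Raises:
        ValueError: the response does not carry exactly one content block.
    """
    test = tdq.Test(
        capability_id=tdq.CM_CORE,
        relationship=R_EQUALS,
        parameters={P_VALUE: 'Unit 61398', P_MATCH_TYPE: 'case_sensitive_string'},
    )
    criterion = tdq.Criterion(
        target='STIX_Package/Threat_Actors/Threat_Actor/Identity/Specification/PartyName/OrganisationName/SubDivisionName',
        test=test,
    )
    criteria = tdq.Criteria(OP_AND, criterion=[criterion])
    q = tdq.DefaultQuery(CB_STIX_XML_111, criteria)
    # The query only reaches the server when it rides in the poll parameters;
    # it was previously built and then dropped, so the poll went out unfiltered.
    pp = tm11.PollParameters(query=q)
    pr = tm11.PollRequest(
        message_id=generate_message_id(),
        collection_name='default',
        poll_parameters=pp,
    )
    msg = make_request(
        '/services/test_poll_1/',
        pr.to_xml(),
        get_headers(VID_TAXII_SERVICES_11, False),
        MSG_POLL_RESPONSE,
    )
    # Exactly one content block is the expected outcome for this query.
    if len(msg.content_blocks) != 1:
        raise ValueError('Got %s CBs' % len(msg.content_blocks))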
def main():
    """Print a TAXII 1.1 Poll Request that carries a case-insensitive equals query.

    The query compares the target path ``target`` against ``value``; both names
    are read from the enclosing module scope (neither is defined here), and the
    finished request is written to stdout as pretty-printed XML.
    """
    # Innermost piece first: the Test holding the comparison itself.
    equals_test = tdq.Test(
        capability_id=CM_CORE,
        relationship=R_EQUALS,
        parameters={P_VALUE: value, P_MATCH_TYPE: 'case_insensitive_string'},
    )
    # A single Criterion wrapped in one AND Criteria is the whole query.
    only_criterion = tdq.Criterion(target=target, test=equals_test)
    and_criteria = tdq.Criteria(operator=OP_AND, criterion=[only_criterion], criteria=None)
    query = tdq.DefaultQuery(CB_STIX_XML_111, and_criteria)
    # Poll parameters restrict the response to STIX 1.1.1 and attach the query.
    accepted_bindings = [tm11.ContentBinding(CB_STIX_XML_111)]
    poll_params = tm11.PollParameters(content_bindings=accepted_bindings, query=query)
    request = tm11.PollRequest(
        message_id=generate_message_id(),
        collection_name='file_hash_reputation',
        poll_parameters=poll_params,
    )
    print request.to_xml(pretty_print=True)
def create_request_message(self, args):
    """Build the poll request, adding a TAXII Default Query when no subscription is used.

    ``args`` is the parsed command line: capability_module, relationship,
    target, tev, subscription_id, and one attribute per name in tdq.P_NAMES.

    Raises:
        ValueError: unknown capability module or relationship, a required
            query parameter that was not given, or a parameter given that the
            relationship does not take.
    """
    msg = super(QueryClient11Script, self).create_request_message(args)
    # The query lives in the poll parameters, which cannot be combined with a
    # subscription id, so a subscription-based poll is returned untouched.
    if args.subscription_id is not None:
        return msg
    capability_module = tdq.capability_modules.get(args.capability_module)
    if capability_module is None:
        raise ValueError("Unknown Capability Module specified: %s" % args.capability_module)
    relationship = capability_module.relationships.get(args.relationship)
    if relationship is None:
        raise ValueError("Unknown Relationship: %s" % args.relationship)
    params = {}
    for name in tdq.P_NAMES:
        # Parameter object when the relationship takes this parameter, else None.
        expected = relationship.parameters.get(name)
        # Command-line value for this parameter, else None.
        supplied = getattr(args, name)
        if expected:
            if not supplied:
                raise ValueError(
                    'The parameter "%s" is needed and was not specified. Specify using --%s <value>'
                    % (name, name.replace('_', '-')))
            # The parameter object validates the user-supplied value before it
            # is placed into the query.
            expected.verify(supplied)
            params[name] = supplied
        elif supplied:
            raise ValueError('The parameter %s was specified and is not needed' % name)
    query_test = tdq.Test(
        capability_id=capability_module.capability_module_id,
        relationship=relationship.name,
        parameters=params,
    )
    only_criterion = tdq.Criterion(target=args.target, test=query_test)
    and_criteria = tdq.Criteria(operator=tdq.OP_AND, criterion=[only_criterion])
    msg.poll_parameters.query = tdq.DefaultQuery(args.tev, and_criteria)
    return msg
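# Query-type prefix -> target path used by the TAXII Default Query.  Targets
# come only from this fixed table, so the user-supplied value is carried as a
# query parameter and never spliced into the target path itself.
_QUERY_TARGETS = {
    "address": "//Address_Value",
    "addresstype": "//Object/Properties/@category",
    # FIXME: Namespace is messed. Lucky this is the only thing
    # that uses Value at the moment.
    "domainname": "//Object/Properties/Value",
    "port": "//Port_Value",
    "hash": "//Hash/Simple_Hash_Value",
    "id": "/STIX_Package/@id",
    "source": "//Information_Source/Identity/@idref",
}


def create_query(s, query):
    """Build a TAXII Default Query from ``type:value`` strings.

    Args:
        s: unused; kept so existing callers keep working.
        query: iterable of strings of the form ``type:value`` where ``type`` is
            a key of _QUERY_TARGETS.  Each entry becomes one case-sensitive
            equals criterion and all criteria are ANDed together.

    Returns:
        tdq.DefaultQuery for the STIX 1.1 content binding.

    Raises:
        ValueError: an entry does not contain a ``:`` separator.
        TypeError: the prefix is not a known query type.
    """
    criterion = []
    for entry in query:
        # Split on the first ':' only; the value itself may contain colons.
        qtype, sep, value = entry.partition(":")
        if not sep:
            raise ValueError("Query '%s' is not of the form type:value" % entry)
        target = _QUERY_TARGETS.get(qtype)
        if target is None:
            raise TypeError("Don't understand type '" + qtype + "'")
        params = {'value': value, 'match_type': 'case_sensitive_string'}
        test = tdq.DefaultQuery.Criterion.Test(
            capability_id=tdq.CM_CORE, relationship='equals', parameters=params)
        criterion.append(
            tdq.DefaultQuery.Criterion(target=target, test=test, negate=False))
    criteria = tdq.DefaultQuery.Criteria(operator=tdq.OP_AND, criterion=criterion)
    return tdq.DefaultQuery(t.CB_STIX_XML_11, criteria)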
# Ad-hoc driver: list the server's collections and the documents of "bunchy",
# then run one source-id query against that collection through get_matching,
# and finally poll the same collection (without the query) via TaxiiClient.
# NOTE(review): `s`, `tdq`, `t` and `TaxiiClient` are not defined in this span;
# presumably set up earlier in the file -- verify.
print s.get_collections()
print s.get_documents("bunchy")
# Case-sensitive equals query: Information_Source identity reference == "source:bunchy".
target = "//Information_Source/Identity/@idref"
value = "source:bunchy"
params = {'value':value, 'match_type': 'case_sensitive_string'}
test = tdq.DefaultQuery.Criterion.Test(capability_id=tdq.CM_CORE, relationship='equals', parameters=params)
cron = tdq.DefaultQuery.Criterion(target=target, test=test, negate=False)
criterion = [cron]
criteria = tdq.DefaultQuery.Criteria(operator=tdq.OP_AND, criterion=criterion)
qry=tdq.DefaultQuery(t.CB_STIX_XML_11, criteria)
def printme(content, file):
    """Callback for get_matching: prints the second argument (presumably the
    matching document's file name -- verify against get_matching); `content`
    is unused."""
    print "MATCH: ", file
s.get_matching("bunchy", None, None, qry, printme)
# Second path: a plain poll of the collection; the query above is not attached
# here, so every returned package id is printed.
tc = TaxiiClient()
ret = tc.perform_poll(collection="bunchy")
for r in ret:
    print "PACKAGE", r.id_