class File(odm.Model):
    """File metadata block: the file's name, size, identified type and its MD5/SHA1/SHA256 digests.

    Fields created with ``copyto="__text__"`` are additionally copied into the shared
    ``__text__`` field (presumably the model's free-text search field -- confirm against
    the odm field definitions). ``size`` is declared ``store=False``, so it is indexed
    but not stored as a retrievable value.
    """
    md5 = odm.MD5(copyto="__text__", description="MD5 hash of file")
    name = odm.Keyword(copyto="__text__", description="Name of the file")
    sha1 = odm.SHA1(copyto="__text__", description="SHA1 hash of the file")
    sha256 = odm.SHA256(copyto="__text__", description="SHA256 hash of the file")
    size = odm.Integer(store=False, description="Size of the file in bytes")
    type = odm.Keyword(copyto="__text__", description="Type of file as identified by Assemblyline")
    class Resource(odm.Model):
        """One node of a resource tree, flattened into a single record.

        The field names (major/minor version, numberof_id_entries, numberof_name_entries,
        time_date_stamp, code_page) look like a PE resource-directory entry -- TODO confirm
        against the producer. Every field is Optional: a node is either a directory or a
        data leaf (``is_directory`` / ``is_data``) and only carries the attributes that
        apply to its kind.
        """
        # Since we will end up flattening the Resources and only keeping the data nodes,
        # we keep the list of parent's resource_id and the list of parent's labels (name or resource_type)
        parent_resource_ids = odm.Optional(
            odm.EmptyableKeyword(copyto="__text__"))
        parent_labels = odm.Optional(
            odm.List(odm.EmptyableKeyword(copyto="__text__")))

        characteristics = odm.Optional(odm.Integer())
        num_childs = odm.Optional(odm.Integer())
        depth = odm.Optional(odm.Integer())
        name = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        resource_id = odm.Optional(odm.Integer())
        resource_type = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        is_data = odm.Optional(odm.Boolean())
        is_directory = odm.Optional(odm.Boolean())
        major_version = odm.Optional(odm.Integer())
        minor_version = odm.Optional(odm.Integer())
        numberof_id_entries = odm.Optional(odm.Integer())
        numberof_name_entries = odm.Optional(odm.Integer())
        # Raw timestamp as an integer ...
        time_date_stamp = odm.Optional(odm.Integer())
        # ... and the same value as a Date (presumably the human-readable form of
        # time_date_stamp, as the "hr_" prefix suggests -- verify against the producer).
        hr_time_date_stamp = odm.Optional(odm.Date())

        code_page = odm.Optional(odm.Integer())
        # Digest of the resource payload; only meaningful for data nodes.
        sha256 = odm.Optional(odm.SHA256())
        entropy = odm.Optional(odm.Float())
        offset = odm.Optional(odm.Integer())
        reserved = odm.Optional(odm.Integer())
class FileInfo(odm.Model):
    """Identification record for a file: libmagic output, MIME type, digests, size and type.

    ``magic`` and ``type`` are both required; ``mime`` is the only optional field, so a
    record can exist without a libmagic MIME type but never without the libmagic
    description that the type was derived from.
    """
    magic = odm.Keyword()  # The output from libmagic which was used to determine the tag
    md5 = odm.MD5()        # MD5 of the file
    mime = odm.Optional(odm.Keyword())  # The libmagic mime type
    sha1 = odm.SHA1()      # SHA1 hash of the file
    sha256 = odm.SHA256()  # SHA256 hash of the file
    size = odm.Integer()   # Size of the file
    type = odm.Keyword()   # The file type
class File(odm.Model):  # File block
    """Top-level file block: name, size, identified type and the MD5/SHA1/SHA256 digests.

    ``name`` and ``size`` are ``store=False`` (indexed, not stored); the digests and type
    are copied into ``__text__`` as well (presumably the free-text search field -- confirm
    against the odm field definitions).
    """
    md5 = odm.MD5(copyto="__text__")  # MD5 of the top level file
    name = odm.Keyword(store=False, copyto="__text__")  # Name of the file
    sha1 = odm.SHA1(copyto="__text__")  # SHA1 hash of the file
    sha256 = odm.SHA256(copyto="__text__")  # SHA256 hash of the file
    size = odm.Integer(store=False)  # Size of the file
    type = odm.Keyword(
        copyto="__text__")  # Type of file as identified by Assemblyline
class FileInfo(odm.Model):
    """Identification record for a file: libmagic output, MIME type, digests, size and type.

    Same shape as the comment-annotated ``FileInfo`` variant, with the field purposes
    carried in ``description=`` so they are available to schema consumers. Only ``mime``
    is optional.
    """
    magic = odm.Keyword(
        description=
        "The output from libmagic which was used to determine the tag")
    md5 = odm.MD5(description="MD5 of the file")
    mime = odm.Optional(odm.Keyword(), description="The libmagic mime type")
    sha1 = odm.SHA1(description="SHA1 hash of the file")
    sha256 = odm.SHA256(description="SHA256 hash of the file")
    size = odm.Integer(description="Size of the file in bytes")
    type = odm.Keyword(
        description="Type of file as identified by Assemblyline")
class Result(odm.Model):
    """A service result for one file: the service response plus the result body.

    The storage key is derived from the file's SHA256, the service name/version, the
    configuration key and whether the result is empty (see ``build_key``).
    """
    archive_ts = odm.Date(store=False)  # Archiving timestamp
    classification = odm.Classification()  # Aggregate classification for the result
    created = odm.Date(default="NOW")  # Date at which the result object got created
    expiry_ts = odm.Optional(odm.Date(store=False))  # Expiry time stamp
    response: ResponseBody = odm.Compound(ResponseBody)  # The body of the response from the service
    result: ResultBody = odm.Compound(ResultBody, default={})  # The result body
    sha256 = odm.SHA256(store=False)  # SHA256 of the file the result object relates to
    drop_file = odm.Boolean(default=False)  # Do not pass to other stages after this run

    def build_key(self, service_tool_version=None, task=None):
        """Return this result's storage key (see ``help_build_key``).

        Args:
            service_tool_version: forwarded to ``generate_conf_key``.
            task: forwarded to ``generate_conf_key``.
        """
        response = self.response
        return self.help_build_key(
            self.sha256,
            response.service_name,
            response.service_version,
            self.is_empty(),
            service_tool_version=service_tool_version,
            task=task,
        )

    @staticmethod
    def help_build_key(sha256,
                       service_name,
                       service_version,
                       is_empty,
                       service_tool_version=None,
                       task=None):
        """Build a result key of the form ``<sha256>.<service>.v<version>.c<conf>[.e]``.

        Dots in ``service_name`` and ``service_version`` are replaced by underscores,
        presumably so they cannot collide with the ``.`` used to join the key parts.
        The trailing ``e`` segment is appended only when ``is_empty`` is true.

        Args:
            sha256: digest of the file the result relates to.
            service_name: name of the service that produced the result.
            service_version: version string of that service.
            is_empty: whether the result carries no files, sections or score.
            service_tool_version: forwarded to ``generate_conf_key``.
            task: forwarded to ``generate_conf_key``.

        Returns:
            The dot-joined key string.
        """
        version_segment = f"v{service_version.replace('.', '_')}"
        conf_segment = f"c{generate_conf_key(service_tool_version=service_tool_version, task=task)}"
        segments = [sha256, service_name.replace('.', '_'), version_segment, conf_segment]
        if is_empty:
            segments.append("e")
        return '.'.join(segments)

    def is_empty(self):
        """Return True when the result has no extracted or supplementary files,
        no result sections and a score of 0."""
        return (len(self.response.extracted) == 0
                and len(self.response.supplementary) == 0
                and len(self.result.sections) == 0
                and self.result.score == 0)
class File(odm.Model):
    """Full file record: digests, libmagic output, entropy, first-64-byte previews and sighting details.

    Fields marked ``store=False`` (``archive_ts``, ``ascii``, ``hex``, ``magic``, ``mime``,
    ``ssdeep``, ``expiry_ts``) are not stored as retrievable values; ``ascii`` and ``hex``
    are also ``index=False``, so the raw byte previews are neither searchable nor stored.
    """

    archive_ts = odm.Date(store=False, description="Archiving timestamp")
    ascii = odm.Keyword(index=False, store=False,
                        description="Dotted ASCII representation of the first 64 bytes of the file")
    classification = odm.Classification(description="Classification of the file")
    entropy = odm.Float(description="Entropy of the file")
    expiry_ts = odm.Optional(odm.Date(store=False), description="Expiry timestamp")
    is_section_image = odm.Boolean(default=False, description="Is this an image from an Image Result Section?")
    hex = odm.Keyword(index=False, store=False, description="Hex dump of the first 64 bytes of the file")
    md5 = odm.MD5(copyto="__text__", description="MD5 of the file")
    magic = odm.Keyword(store=False, description="Output from libmagic related to the file")
    mime = odm.Optional(odm.Keyword(store=False), description="MIME type of the file as identified by libmagic")
    seen = odm.Compound(Seen, default={}, description="Details about when the file was seen")
    sha1 = odm.SHA1(copyto="__text__", description="SHA1 hash of the file")
    sha256 = odm.SHA256(copyto="__text__", description="SHA256 hash of the file")
    size = odm.Integer(description="Size of the file in bytes")
    ssdeep = odm.SSDeepHash(store=False, description="SSDEEP hash of the file")
    type = odm.Keyword(copyto="__text__", description="Type of file as identified by Assemblyline")
class Error(odm.Model):
    """Error raised by a service while processing a file.

    The storage key combines the file's SHA256, the service name/version, the
    configuration key and the numeric error type (see ``build_key``).
    """
    archive_ts = odm.Date(store=False)  # Archiving timestamp
    created = odm.Date(default="NOW")  # Date at which the error was created
    expiry_ts = odm.Optional(odm.Date(store=False))  # Expiry time stamp
    response: Response = odm.Compound(Response)  # Response from the service
    sha256 = odm.SHA256(copyto="__text__")  # Hash of the file the error is related to
    type = odm.Enum(values=list(ERROR_TYPES.keys()), default="EXCEPTION")  # Type of error

    def build_key(self, service_tool_version=None, task=None):
        """Return this error's storage key: ``<sha256>.<service>.v<version>.c<conf>.e<code>``.

        Dots in the service name and version are replaced with underscores, presumably so
        they cannot collide with the ``.`` separator. ``<code>`` is the ``ERROR_TYPES``
        value for ``self.type``, falling back to 0 when the type is not in the table.

        Args:
            service_tool_version: forwarded to ``generate_conf_key``.
            task: forwarded to ``generate_conf_key``.
        """
        service_name = self.response.service_name.replace('.', '_')
        service_version = self.response.service_version.replace('.', '_')
        conf_key = generate_conf_key(service_tool_version=service_tool_version, task=task)
        error_code = ERROR_TYPES.get(self.type, 0)
        return '.'.join([
            self.sha256,
            service_name,
            f"v{service_version}",
            f"c{conf_key}",
            f"e{error_code}",
        ])
class File(odm.Model):
    """Full file record: digests, libmagic output, entropy, first-64-byte previews and sighting details.

    ``ascii`` and ``hex`` are ``index=False, store=False``, so the raw byte previews are
    neither searchable nor stored; ``magic``, ``mime``, ``ssdeep`` and the timestamps are
    indexed but not stored. The digests and ``type`` are copied into ``__text__``.
    """
    archive_ts = odm.Date(store=False)  # Archiving timestamp
    ascii = odm.Keyword(
        index=False, store=False
    )  # Dotted ascii representation of the first 64 bytes of the file
    classification = odm.Classification()  # Classification of the file
    entropy = odm.Float()  # Entropy of the file
    expiry_ts = odm.Optional(odm.Date(store=False))  # Expiry timestamp
    hex = odm.Keyword(
        index=False, store=False)  # Hex dump of the first 64 bytes of the file
    md5 = odm.MD5(copyto="__text__")  # MD5 of the top level file
    magic = odm.Keyword(
        store=False)  # Output from libmagic related to that file
    mime = odm.Optional(odm.Keyword(
        store=False))  # Mime type of the file as identified by libmagic
    seen = odm.Compound(Seen,
                        default={})  # Attributes about when the file was seen
    sha1 = odm.SHA1(copyto="__text__")  # SHA1 hash of the file
    sha256 = odm.SHA256(copyto="__text__")  # SHA256 hash of the file
    size = odm.Integer()  # Size of the file
    ssdeep = odm.SSDeepHash(store=False)  # SSDEEP hash of the file
    type = odm.Keyword(
        copyto="__text__")  # Type of file as identified by Assemblyline
class Error(odm.Model):
    """Error raised by a service while processing a file.

    The storage key combines the file's SHA256, the service name/version, the
    configuration key and the numeric error type (see ``build_key``).
    """
    archive_ts = odm.Date(store=False, description="Archiving timestamp")
    created = odm.Date(default="NOW", description="Error creation timestamp")
    expiry_ts = odm.Optional(odm.Date(store=False), description="Expiry timestamp")
    response: Response = odm.Compound(Response, description="Response from the service")
    sha256 = odm.SHA256(copyto="__text__", description="SHA256 of file related to service error")
    type = odm.Enum(values=list(ERROR_TYPES.keys()), default="EXCEPTION", description="Type of error")

    def build_key(self, service_tool_version=None, task=None):
        """Return this error's storage key: ``<sha256>.<service>.v<version>.c<conf>.e<code>``.

        Dots in the service name and version are replaced with underscores, presumably so
        they cannot collide with the ``.`` separator. ``<code>`` is the ``ERROR_TYPES``
        value for ``self.type``, falling back to 0 when the type is not in the table.

        Args:
            service_tool_version: forwarded to ``generate_conf_key``.
            task: forwarded to ``generate_conf_key``.
        """
        service_name = self.response.service_name.replace('.', '_')
        service_version = self.response.service_version.replace('.', '_')
        conf_key = generate_conf_key(service_tool_version=service_tool_version, task=task)
        error_code = ERROR_TYPES.get(self.type, 0)
        return '.'.join([
            self.sha256,
            service_name,
            f"v{service_version}",
            f"c{conf_key}",
            f"e{error_code}",
        ])
 class FileOLEMacro(odm.Model):
     """OLE macro findings for a file: per-macro SHA256 digests and suspicious strings.

     Both fields are optional lists; the digests are copied into ``__text__`` so a macro
     hash can be matched across files (presumably via the free-text field -- confirm).
     """
     sha256 = odm.Optional(odm.List(odm.SHA256(copyto="__text__")), description="SHA256 of Macro")
     suspicious_string = odm.Optional(odm.List(odm.Keyword(copyto="__text__")),
                                      description="Suspicious Strings")
class ResultOntologyHeader(odm.Model):
    """Header shared by every result-ontology record: file identity, service identity,
    classification and the tags/heuristics the service raised.

    Required fields identify the file (digests, type, size) and the producing service;
    the optional fields carry submission context (sid, submitter, source, parent).
    """
    @odm.model(index=False,
               store=False,
               description="Details about the Heuristics raised by a service")
    class HeuristicDetails(odm.Model):
        """A single raised heuristic and the tags attached to it (not indexed or stored)."""
        name = odm.Text(description="Name of the heuristic raised.")
        tags = odm.Compound(Tagging,
                            description="Tags associated to heuristic")

    # Required metadata
    md5 = odm.MD5(description="MD5 of file")
    sha1 = odm.SHA1(description="SHA1 of file")
    sha256 = odm.SHA256(description="SHA256 of file")
    type = odm.Keyword(
        description="Type of file as identified by Assemblyline")
    size = odm.Integer(description="Size of the file in bytes")
    # Defaults to the least restrictive marking; producers that handle restricted
    # material must set this explicitly rather than rely on the default.
    classification = odm.Keyword(
        default=Classification.UNRESTRICTED,
        description="Classification of the service result")
    service_name = odm.Keyword(description="Service Name")
    service_version = odm.Keyword(description="Service Version")
    service_tool_version = odm.Optional(odm.Keyword(default=''),
                                        description="Service Tool Version")

    # Optional metadata
    filenames = odm.Optional(odm.List(odm.Text()),
                             description="Known filenames associated to file")
    date = odm.Optional(odm.Date(), description="Date of analysis")
    parent = odm.Optional(
        odm.SHA256(),
        description="Immediate parent of file relative to submission")
    sid = odm.Optional(odm.Keyword(),
                       description="Submission ID associated to file")
    source_system = odm.Optional(
        odm.Text(),
        description=
        "Which Assemblyline instance does the result originate from?")
    original_source = odm.Optional(
        odm.Text(),
        description="Source as specified by submitter (from metadata)")
    # Same default as `classification` above: UNRESTRICTED unless the submitter said otherwise.
    submitted_classification = odm.Keyword(
        default=Classification.UNRESTRICTED,
        description="Submitted classification")
    submitter = odm.Optional(odm.Keyword(), description="Submitter")
    retention_id = odm.Optional(
        odm.Keyword(),
        description="Reference to knowledge base for long-term data retention."
    )
    # What tags did the service associate to the result
    tags = odm.Optional(odm.Compound(Tagging),
                        description="Tags raised by service")
    # What tags are related to certain heuristics raised
    # {
    #   "SERVICENAME_1": {
    #       "name": "Bad Things happened"
    #       "tags": {
    #           "network": {
    #               "static": {
    #                   "uri": ["bad.domain", ...]
    #                   ...
    #               }
    #               ...
    #           }
    #           ...
    #       }
    #   }
    # }
    heuristics = odm.Optional(odm.Mapping(odm.Compound(HeuristicDetails)),
                              description="Heuristics raised by service.")
 class FileOLEMacro(odm.Model):
     """OLE macro findings for a file: per-macro SHA256 digests and suspicious strings.

     Both fields are optional lists whose values are copied into ``__text__``
     (presumably the free-text search field -- confirm against the odm definitions).
     """
     sha256 = odm.Optional(odm.List(odm.SHA256(copyto="__text__")))
     suspicious_string = odm.Optional(
         odm.List(odm.Keyword(copyto="__text__")))
 class Authentihash(odm.Model):
     """Authentihash digests of a file (presumably the Authenticode hash -- confirm with the producer).

     ``sha512`` and ``sha384`` are plain EmptyableKeyword fields (no format validation
     and copied into ``__text__``), whereas ``sha256``/``sha1``/``md5`` use the typed
     hash fields. All five are optional.
     """
     sha512 = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
     sha384 = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
     sha256 = odm.Optional(odm.SHA256())
     sha1 = odm.Optional(odm.SHA1())
     md5 = odm.Optional(odm.MD5())
class File(odm.Model):
    """Minimal file reference: name, optional size and SHA256 digest.

    ``name`` and ``sha256`` are copied into ``__text__`` (presumably the free-text search
    field -- confirm against the odm definitions).
    """
    name = odm.Keyword(copyto="__text__", description="Name of the file")
    size = odm.Optional(odm.Integer(), description="Size of the file in bytes")
    sha256 = odm.SHA256(copyto="__text__",
                        description="SHA256 hash of the file")
class File(odm.Model):
    """Minimal file reference: name, optional size and SHA256 digest.

    ``name`` and ``sha256`` are copied into ``__text__`` (presumably the free-text search
    field -- confirm against the odm definitions).
    """
    name = odm.Keyword(copyto="__text__")  # Name of the file
    size = odm.Optional(odm.Integer())  # Size of the file
    sha256 = odm.SHA256(copyto="__text__")  # SHA256 hash of the file
class File(odm.Model):
    """File reference with a free-form description and its own classification.

    ``name``, ``sha256`` and ``description`` are copied into ``__text__`` (presumably the
    free-text search field -- confirm against the odm definitions); ``classification``
    has no default here, so it must be supplied by the producer.
    """
    name = odm.Keyword(copyto="__text__")      # Name of the file
    sha256 = odm.SHA256(copyto="__text__")     # SHA256 hash of the file
    description = odm.Text(copyto="__text__")  # Description of the file
    classification = odm.Classification()      # Classification of the file