class Action(entities.Entity):
_binding = core_binding
_binding_class = core_binding.ActionType
_namespace = 'http://cybox.mitre.org/cybox-2'
id_ = fields.TypedField("id")
idref = fields.TypedField("idref")
ordinal_position = fields.TypedField("ordinal_position")
action_status = fields.TypedField("action_status")
context = fields.TypedField("context")
timestamp = fields.TypedField("timestamp")
type_ = vocabs.VocabField("Type", ActionType)
name = vocabs.VocabField("Name", ActionName)
description = fields.TypedField("Description", StructuredText)
action_aliases = fields.TypedField("Action_Aliases", ActionAliases)
action_arguments = fields.TypedField("Action_Arguments", ActionArguments)
discovery_method = fields.TypedField("Discovery_Method", MeasureSource)
associated_objects = fields.TypedField("Associated_Objects",
AssociatedObjects)
relationships = fields.TypedField("Relationships", ActionRelationships)
frequency = fields.TypedField("Frequency", Frequency)
def to_dict(self):
d = super(Action, self).to_dict()
# Don't add an empty timestamp if there isn't already one.
if 'timestamp' in d:
d['timestamp'] = serialize_datetime(d['timestamp'])
return d
@classmethod
def from_dict(cls, action_dict):
action = super(Action, cls).from_dict(action_dict)
action.timestamp = parse_datetime(action.timestamp)
return action
class Authentication(cybox.Entity):
_binding = account_binding
_binding_class = account_binding.AuthenticationType
_namespace = 'http://cybox.mitre.org/objects#AccountObject-2'
_XSI_NS = "AccountObj"
_XSI_TYPE = "AccountObjectType"
authentication_type = vocabs.VocabField("Authentication_Type")
authentication_data = cybox.TypedField("Authentication_Data", String)
authentication_token_protection_mechanism = vocabs.VocabField("Authentication_Token_Protection_Mechanism")
structured_authentication_mechanism = cybox.TypedField("Structured_Authentication_Mechanism", StructuredAuthenticationMechanism)
class ActionArgument(entities.Entity):
_binding = core_binding
_binding_class = core_binding.ActionArgumentType
_namespace = 'http://cybox.mitre.org/cybox-2'
argument_name = vocabs.VocabField("Argument_Name", ArgumentName)
argument_value = fields.TypedField("Argument_Value")
class MeasureSource(cybox.Entity):
_binding = common_binding
_binding_class = common_binding.MeasureSourceType
_namespace = 'http://cybox.mitre.org/common-2'
class_ = cybox.TypedField("classxx", key_name="class")
source_type = cybox.TypedField("source_type")
name = cybox.TypedField("name")
sighting_count = cybox.TypedField("sighting_count")
information_source_type = vocabs.VocabField("Information_Source_Type",
InformationSourceType)
tool_type = vocabs.VocabField("Tool_Type", ToolType)
description = cybox.TypedField("Description", StructuredText)
contributors = cybox.TypedField("Contributors", Personnel)
time = cybox.TypedField("Time", Time)
tools = cybox.TypedField("Tools", ToolInformationList)
platform = cybox.TypedField("Platform", PlatformSpecification)
system = cybox.TypedField("System", ObjectProperties)
instance = cybox.TypedField("Instance", ObjectProperties)
class MalwareConfigurationParameter(maec.Entity):
_binding = package_binding
_binding_class = package_binding.MalwareConfigurationParameterType
_namespace = _namespace
name = vocabs.VocabField("Name", MalwareConfigParameterVocab)
value = fields.TypedField("Value")
def __init__(self):
super(MalwareConfigurationParameter, self).__init__()
class MalwareSubjectRelationship(maec.Entity):
_binding = package_binding
_binding_class = package_binding.MalwareSubjectRelationshipType
_namespace = _namespace
malware_subject_reference = fields.TypedField("Malware_Subject_Reference",
MalwareSubjectReference,
multiple=True)
type_ = vocabs.VocabField("Type", MalwareSubjectRelationshipVocab)
def __init__(self):
super(MalwareSubjectRelationship, self).__init__()
class GroupingRelationship(maec.Entity):
_binding = package_binding
_binding_class = package_binding.GroupingRelationshipType
_namespace = _namespace
type_ = vocabs.VocabField("Type", GroupingRelationshipVocab)
malware_family_name = fields.TypedField("Malware_Family_Name")
malware_toolkit_name = fields.TypedField("Malware_Toolkit_Name")
clustering_metadata = fields.TypedField("Clustering_Metadata", ClusteringMetadata)
def __init__(self):
super(GroupingRelationship, self).__init__()
class Action(cybox.Entity):
_binding = core_binding
_binding_class = core_binding.ActionType
_namespace = 'http://cybox.mitre.org/cybox-2'
id_ = cybox.TypedField("id")
idref = cybox.TypedField("idref")
ordinal_position = cybox.TypedField("ordinal_position")
action_status = cybox.TypedField("action_status")
context = cybox.TypedField("context")
timestamp = cybox.TypedField("timestamp")
type_ = vocabs.VocabField("Type", ActionType)
name = vocabs.VocabField("Name", ActionName)
description = cybox.TypedField("Description", StructuredText)
action_aliases = cybox.TypedField("Action_Aliases", ActionAliases)
action_arguments = cybox.TypedField("Action_Arguments", ActionArguments)
discovery_method = cybox.TypedField("Discovery_Method", MeasureSource)
associated_objects = cybox.TypedField("Associated_Objects",
AssociatedObjects)
relationships = cybox.TypedField("Relationships", ActionRelationships)
frequency = cybox.TypedField("Frequency", Frequency)
class Event(entities.Entity):
_binding = core_binding
_binding_class = core_binding.EventType
_namespace = 'http://cybox.mitre.org/cybox-2'
id_ = fields.TypedField("id")
idref = fields.TypedField("idref")
type_ = vocabs.VocabField("Type", EventType)
description = fields.TypedField("Description", StructuredText)
observation_method = fields.TypedField("Observation_Method", MeasureSource)
actions = fields.TypedField("Actions", Actions)
frequency = fields.TypedField("Frequency", Frequency)
event = fields.TypedField("Event", multiple=True)
class LinuxPackage(ObjectProperties):
_binding = linux_package_binding
_binding_class = linux_package_binding.LinuxPackageObjectType
_namespace = "http://cybox.mitre.org/objects#LinuxPackageObject-2"
_XSI_NS = "LinuxPackageObj"
_XSI_TYPE = "LinuxPackageObjectType"
architecture = vocabs.VocabField("Architecture", LinuxPackageArchitecture)
category = fields.TypedField("Category", String)
description = fields.TypedField("Description", String)
epoch = fields.TypedField("Epoch", String)
evr = fields.TypedField("EVR", String)
name = fields.TypedField("Name", String)
release = fields.TypedField("Release", String)
vendor = fields.TypedField("Vendor", String)
version = fields.TypedField("Version", String)
class ExtractedString(entities.Entity):
_binding = common_binding
_binding_class = common_binding.ExtractedStringType
_namespace = 'http://cybox.mitre.org/common-2'
encoding = vocabs.VocabField("Encoding", CharacterEncoding)
string_value = fields.TypedField("String_Value", String)
byte_string_value = fields.TypedField("Byte_String_Value", HexBinary)
hashes = fields.TypedField("Hashes", HashList)
address = fields.TypedField("Address", HexBinary)
length = fields.TypedField("Length", PositiveInteger)
language = fields.TypedField("Language", String)
english_translation = fields.TypedField("English_Translation", String)
def __init__(self, string_value=None):
super(ExtractedString, self).__init__()
self.string_value = string_value
class Hash(entities.Entity):
_binding = common_binding
_binding_class = common_binding.HashType
_namespace = 'http://cybox.mitre.org/common-2'
type_ = vocabs.VocabField("Type", HashName)
simple_hash_value = fields.TypedField("Simple_Hash_Value",
HexBinary,
postset_hook=_set_hash_type)
fuzzy_hash_value = fields.TypedField("Fuzzy_Hash_Value", String)
TYPE_MD5 = u("MD5")
TYPE_MD6 = u("MD6")
TYPE_SHA1 = u("SHA1")
TYPE_SHA224 = u("SHA224")
TYPE_SHA256 = u("SHA256")
TYPE_SHA384 = u("SHA384")
TYPE_SHA512 = u("SHA512")
TYPE_SSDEEP = u("SSDEEP")
TYPE_OTHER = VocabString(u("Other"))
def __init__(self, hash_value=None, type_=None, exact=False):
"""Create a new Hash Object
If exact=True, add 'condition="Equals"' to the hash value and type.
"""
super(Hash, self).__init__()
# Set type_ first so that auto-typing will work.
self.type_ = type_
self.simple_hash_value = hash_value
if exact:
if self.simple_hash_value:
self.simple_hash_value.condition = "Equals"
if self.type_:
self.type_.condition = "Equals"
def __str__(self):
return str(self.simple_hash_value)
class MultipleHash(cybox.Entity):
"""Fake entity class to test multiple on VocabField."""
_binding = common_binding
_binding_class = common_binding.HashType
_namespace = 'http://cybox.mitre.org/common-2'
type_ = vocabs.VocabField("Type", HashName, multiple=True)
class MalwareSubject(maec.Entity):
_binding = package_binding
_binding_class = package_binding.MalwareSubjectType
_namespace = _namespace
id_ = fields.TypedField("id")
malware_instance_object_attributes = fields.TypedField(
"Malware_Instance_Object_Attributes", Object)
label = vocabs.VocabField("Label", MalwareLabel, multiple=True)
configuration_details = fields.TypedField("Configuration_Details",
MalwareConfigurationDetails)
minor_variants = fields.TypedField("Minor_Variants", MinorVariants)
development_environment = fields.TypedField("Development_Environment",
MalwareDevelopmentEnvironment)
#field_data = fields.TypedField("field_data") # TODO: support metadata:fieldDataEntry
analyses = fields.TypedField("Analyses", Analyses)
findings_bundles = fields.TypedField("Findings_Bundles",
FindingsBundleList)
relationships = fields.TypedField("Relationships",
MalwareSubjectRelationshipList)
compatible_platform = fields.TypedField("Compatible_Platform",
PlatformSpecification,
multiple=True)
def __init__(self, id=None, malware_instance_object_attributes=None):
super(MalwareSubject, self).__init__()
if id:
self.id_ = id
else:
self.id_ = idgen.create_id(prefix="malware_subject")
#Set the Malware Instance Object Attributes (a CybOX object) if they are not none
self.malware_instance_object_attributes = malware_instance_object_attributes
#Public methods
#Set the Malware_Instance_Object_Attributes with a CybOX object
def set_malware_instance_object_attributes(
self, malware_instance_object_attributes):
self.malware_instance_object_attributes = malware_instance_object_attributes
#Add an Analysis to the Analyses
def add_analysis(self, analysis):
if not self.analyses:
self.analyses = Analyses()
self.analyses.append(analysis)
def get_analyses(self):
return self.analyses
#Get all Bundles in the Subject
def get_all_bundles(self):
return self.findings_bundles.bundle
#Add a MAEC Bundle to the Findings Bundles
def add_findings_bundle(self, bundle):
if not self.findings_bundles:
self.findings_bundles = FindingsBundleList()
self.findings_bundles.add_bundle(bundle)
def deduplicate_bundles(self):
"""DeDuplicate all Findings Bundles in the Malware Subject. For now, only handles Objects"""
all_bundles = self.get_all_bundles()
for bundle in all_bundles:
bundle.deduplicate()
def dereference_bundles(self):
"""Dereference all Findings Bundles in the Malware Subject. For now, only handles Objects"""
all_bundles = self.get_all_bundles()
for bundle in all_bundles:
bundle.dereference_objects(
[self.malware_instance_object_attributes])
def normalize_bundles(self):
"""Normalize all Findings Bundles in the Malware Subject. For now, only handles Objects"""
all_bundles = self.get_all_bundles()
for bundle in all_bundles:
bundle.normalize_objects()
class Hash(cybox.Entity):
_binding = common_binding
_binding_class = common_binding.HashType
_namespace = 'http://cybox.mitre.org/common-2'
def _auto_type(self):
"""Attempt to determine the hash type if `type_` is None"""
if self.simple_hash_value and not self.type_:
val = self.simple_hash_value.value
if not val:
# If not provided or an empty string, don't assign the type
self.type_ = None
elif len(val) == 32:
self.type_ = Hash.TYPE_MD5
elif len(val) == 40:
self.type_ = Hash.TYPE_SHA1
elif len(val) == 56:
self.type_ = Hash.TYPE_SHA224
elif len(val) == 64:
self.type_ = Hash.TYPE_SHA256
elif len(val) == 96:
self.type_ = Hash.TYPE_SHA384
elif len(val) == 128:
self.type_ = Hash.TYPE_SHA512
else:
self.type_ = Hash.TYPE_OTHER
type_ = vocabs.VocabField("Type", HashName)
simple_hash_value = cybox.TypedField("Simple_Hash_Value",
HexBinary,
callback_hook=_auto_type)
fuzzy_hash_value = cybox.TypedField("Fuzzy_Hash_Value", String)
TYPE_MD5 = u"MD5"
TYPE_MD6 = u"MD6"
TYPE_SHA1 = u"SHA1"
TYPE_SHA224 = u"SHA224"
TYPE_SHA256 = u"SHA256"
TYPE_SHA384 = u"SHA384"
TYPE_SHA512 = u"SHA512"
TYPE_SSDEEP = u"SSDEEP"
TYPE_OTHER = VocabString(u"Other")
def __init__(self, hash_value=None, type_=None, exact=False):
"""Create a new Hash Object
If exact=True, add 'condition="Equals"' to the hash value and type.
"""
super(Hash, self).__init__()
# Set type_ first so that auto-typing will work.
self.type_ = type_
self.simple_hash_value = hash_value
if exact:
if self.simple_hash_value:
self.simple_hash_value.condition = "Equals"
if self.type_:
self.type_.condition = "Equals"
def __str__(self):
return str(self.simple_hash_value)
