class WhoisContact(entities.Entity): _binding = whois_binding _binding_class = whois_binding.WhoisContactType _namespace = "http://cybox.mitre.org/objects#WhoisObject-2" contact_type = fields.TypedField("contact_type") contact_id = fields.TypedField("Contact_ID", String) name = fields.TypedField("Name", String) address = fields.TypedField("Address", String) email_address = fields.TypedField("Email_Address", EmailAddress) phone_number = fields.TypedField("Phone_Number", String) fax_number = fields.TypedField("Fax_Number", String) organization = fields.TypedField("Organization", String)
class NetworkInterface(entities.Entity): _namespace = "http://cybox.mitre.org/objects#SystemObject-2" _binding = system_binding _binding_class = system_binding.NetworkInterfaceType adapter = fields.TypedField("Adapter", String) description = fields.TypedField("Description", String) dhcp_lease_expires = fields.TypedField("DHCP_Lease_Expires", DateTime) dhcp_lease_obtained = fields.TypedField("DHCP_Lease_Obtained", DateTime) dhcp_server_list = fields.TypedField("DHCP_Server_List", DHCPServerList) ip_gateway_list = fields.TypedField("IP_Gateway_List", IPGatewayList) ip_list = fields.TypedField("IP_List", IPInfoList) mac = fields.TypedField("MAC", String)
class TLPMarkingStructure(MarkingStructure): _binding = tlp_binding _binding_class = tlp_binding.TLPMarkingStructureType _namespace = 'http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1' _XSI_TYPE = "tlpMarking:TLPMarkingStructureType" color = fields.TypedField("color") def __init__(self, color=None): super(TLPMarkingStructure, self).__init__() self.color = color
class IPv6Header(entities.Entity): _binding = network_packet_binding _binding_class = network_packet_binding.IPv6HeaderType _namespace = "http://cybox.mitre.org/objects#PacketObject-2" ip_version = fields.TypedField("IP_Version", String) traffic_class = fields.TypedField("Traffic_Class", HexBinary) flow_label = fields.TypedField("Flow_Label", HexBinary) payload_length = fields.TypedField("Payload_Length", HexBinary) next_header = fields.TypedField("Next_Header", String) ttl = fields.TypedField("TTL", HexBinary) src_ipv6_addr = fields.TypedField("Src_IPv6_Addr", Address) dest_ipv6_addr = fields.TypedField("Dest_IPv6_Addr", Address)
class Marking(stix.EntityList): _binding = stix_data_marking_binding _binding_class = stix_data_marking_binding.MarkingType _namespace = 'http://data-marking.mitre.org/Marking-1' marking = fields.TypedField("Marking", MarkingSpecification, multiple=True) def __init__(self, markings=None): super(Marking, self).__init__(markings) def add_marking(self, value): self.marking.append(value)
class RelatedIndicators(GenericRelationshipList): _namespace = "http://stix.mitre.org/Campaign-1" _binding = campaign_binding _binding_class = campaign_binding.RelatedIndicatorsType indicator = fields.TypedField(name="Related_Indicator", type_=RelatedIndicator, multiple=True, key_name="indicators", listfunc=partial(DeprecatedList, type=RelatedIndicator))
class PEResource(entities.Entity): _binding = win_executable_file_binding _binding_class = win_executable_file_binding.PEResourceType _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2" type_ = fields.TypedField("Type", String) name = fields.TypedField("Name", String) size = fields.TypedField("Size", PositiveInteger) virtual_address = fields.TypedField("Virtual_Address", HexBinary) language = fields.TypedField("Language", String) sub_language = fields.TypedField("Sub_Language", String) hashes = fields.TypedField("Hashes", HashList) data = fields.TypedField("Data", String)
class Time(entities.Entity): _binding = common_binding _binding_class = common_binding.TimeType _namespace = 'http://cybox.mitre.org/common-2' start_time = fields.TypedField("Start_Time", DateTimeWithPrecision) end_time = fields.TypedField("End_Time", DateTimeWithPrecision) produced_time = fields.TypedField("Produced_Time", DateTimeWithPrecision) received_time = fields.TypedField("Received_Time", DateTimeWithPrecision) def __init__(self, start_time=None, end_time=None, produced_time=None, received_time=None): super(Time, self).__init__() self.start_time = start_time self.end_time = end_time self.produced_time = produced_time self.received_time = received_time
class NetworkConnection(ObjectProperties): _binding = network_connection_binding _binding_class = network_connection_binding.NetworkConnectionObjectType _namespace = "http://cybox.mitre.org/objects#NetworkConnectionObject-2" _XSI_NS = "NetworkConnectionObj" _XSI_TYPE = "NetworkConnectionObjectType" tls_used = fields.TypedField('tls_used') creation_time = fields.TypedField('Creation_Time', DateTime) layer3_protocol = fields.TypedField('Layer3_Protocol', String) layer4_protocol = fields.TypedField('Layer4_Protocol', String) layer7_protocol = fields.TypedField('Layer7_Protocol', String) source_socket_address = fields.TypedField('Source_Socket_Address', SocketAddress) source_tcp_state = fields.TypedField('Source_TCP_State') destination_socket_address = fields.TypedField( 'Destination_Socket_Address', SocketAddress) destination_tcp_state = fields.TypedField('Destination_TCP_State') layer7_connections = fields.TypedField('Layer7_Connections', Layer7Connections)
class PEFileHeader(entities.Entity): _binding = win_executable_file_binding _binding_class = win_executable_file_binding.PEFileHeaderType _namespace = "http://cybox.mitre.org/objects#WinExecutableFileObject-2" machine = fields.TypedField("Machine", HexBinary) number_of_sections = fields.TypedField("Number_Of_Sections", NonNegativeInteger) time_date_stamp = fields.TypedField("Time_Date_Stamp", HexBinary) pointer_to_symbol_table = fields.TypedField("Pointer_To_Symbol_Table", HexBinary) number_of_symbols = fields.TypedField("Number_Of_Symbols", NonNegativeInteger) size_of_optional_header = fields.TypedField("Size_Of_Optional_Header", HexBinary) characteristics = fields.TypedField("Characteristics", HexBinary) hashes = fields.TypedField("Hashes", HashList)
class DataSegment(entities.Entity): _binding = common_binding _binding_class = common_binding.DataSegmentType _namespace = 'http://cybox.mitre.org/common-2' id_ = fields.TypedField("id") data_format = fields.TypedField("Data_Format") data_size = fields.TypedField("Data_Size", DataSize) byte_order = fields.TypedField("Byte_Order", String) data_segment = fields.TypedField("Data_Segment", String) offset = fields.TypedField("Offset", Integer) search_distance = fields.TypedField("Search_Distance", Integer) search_within = fields.TypedField("Search_Within", Integer)
class RawArtifact(String): _binding = artifact_binding _binding_class = _binding.RawArtifactType _namespace = 'http://cybox.mitre.org/objects#ArtifactObject-2' BIG_ENDIAN = "Big-endian" LITTLE_ENDIAN = "Little-endian" MIDDLE_ENDIAN = "Middle-endian" ENDIANNESS = (BIG_ENDIAN, LITTLE_ENDIAN, MIDDLE_ENDIAN) byte_order = fields.TypedField("byte_order", preset_hook=validate_byte_order_endianness)
class TermsOfUseMarkingStructure(MarkingStructure): _binding = tou_marking_binding _binding_class = tou_marking_binding.TermsOfUseMarkingStructureType _namespace = 'http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1' _XSI_TYPE = "TOUMarking:TermsOfUseMarkingStructureType" terms_of_use = fields.TypedField("Terms_Of_Use") def __init__(self, terms_of_use=None): super(TermsOfUseMarkingStructure, self).__init__() self.terms_of_use = terms_of_use
class CandidateIndicatorCollection(BaseCollection): _binding = bundle_binding _binding_class = bundle_binding.CandidateIndicatorCollectionType _namespace = _namespace id_ = fields.TypedField("id") candidate_indicator_list = fields.TypedField("Candidate_Indicator_List", CandidateIndicatorList) def __init__(self, name=None, id=None): super(CandidateIndicatorCollection, self).__init__(name) if id: self.id_ = id else: self.id_ = idgen.create_id(prefix="candidate_indicator_collection") self.candidate_indicator_list = CandidateIndicatorList() def add_candidate_indicator(self, candidate_indicator): """Add an input Candidate Indicator to the Collection.""" self.candidate_indicator_list.append(candidate_indicator)
class PropertyAffected(stix.Entity): _namespace = "http://stix.mitre.org/Incident-1" _binding = incident_binding _binding_class = incident_binding.PropertyAffectedType property_ = vocabs.VocabField("Property", vocabs.LossProperty, key_name="property") descriptions_of_effect = fields.TypedField("Description_Of_Effect", StructuredTextList) type_of_availability_loss = vocabs.VocabField("Type_Of_Availability_Loss", vocabs.AvailabilityLossType) duration_of_availability_loss = vocabs.VocabField("Duration_Of_Availability_Loss", vocabs.LossDuration) non_public_data_compromised = fields.TypedField("Non_Public_Data_Compromised", NonPublicDataCompromised) def __init__(self): super(PropertyAffected, self).__init__() self.descriptions_of_effect = StructuredTextList() @property def description_of_effect(self): """A :class:`.StructuredTextList` object, containing descriptions about the purpose or intent of this object. Iterating over this object will yield its contents sorted by their ``ordinality`` value. Default Value: Empty :class:`.StructuredTextList` object. Note: IF this is set to a value that is not an instance of :class:`.StructuredText`, an effort will ne made to convert it. If this is set to an iterable, any values contained that are not an instance of :class:`.StructuredText` will be be converted. Returns: An instance of :class:`.StructuredTextList` """ return next(iter(self.descriptions_of_effect), None) @description_of_effect.setter def description_of_effect(self, value): self.descriptions_of_effect = value
class PublicRelease(stix.Entity): _binding = cyber_profile _binding_class = _binding.PublicReleaseType _namespace = 'urn:edm:edh:cyber:v3' released_by = fields.TypedField("releasedBy", key_name="released_by", preset_hook=validate_token) released_on = fields.DateField("releasedOn", key_name="released_on") def __init__(self): super(PublicRelease, self).__init__()
class PotentialCOAs(GenericRelationshipList): """ A list of ``Potential_COA`` objects, defaults to empty array """ _namespace = "http://stix.mitre.org/ExploitTarget-1" _binding = exploit_target_binding _binding_class = exploit_target_binding.PotentialCOAsType potential_coa = fields.TypedField("Potential_COA", RelatedCOA, multiple=True, key_name="coas") def __init__(self, coas=None, scope=None): super(PotentialCOAs, self).__init__(scope, coas)
class Compression(Packaging): """A Compression packaging layer Currently only zlib and bz2 are supported. Also, compression_mechanism_ref is not currently supported. """ _namespace = 'http://cybox.mitre.org/objects#ArtifactObject-2' _binding = artifact_binding _binding_class = _binding.CompressionType compression_mechanism = fields.TypedField("compression_mechanism") compression_mechanism_ref = fields.TypedField("compression_mechanism_ref") def __init__(self, compression_mechanism=None): super(Compression, self).__init__() self.compression_mechanism = compression_mechanism def to_dict(self): dict_ = super(Compression, self).to_dict() dict_['packaging_type'] = 'compression' return dict_
class AccessPrivilege(stix.Entity): _binding = cyber_profile _binding_class = _binding.AccessPrivilegeType _namespace = 'urn:edm:edh:cyber:v3' _ALLOWED_VALUES = ('permit', 'deny') privilege_action = fields.TypedField("privilegeAction", key_name="privilege_action", preset_hook=validate_token) privilege_scope = fields.TypedField("privilegeScope", type_="stix_edh.common.NMTokens", multiple=True, key_name="privilege_scope") rule_effect = fields.TypedField("ruleEffect", key_name="rule_effect", preset_hook=validate_enum_token) def __init__(self): super(AccessPrivilege, self).__init__() def add_privilege_scope(self, value): from stix_edh import common if not value: return nmtokens = common.NMTokens(value) self.privilege_scope.append(nmtokens)
class RelatedExploitTargets(GenericRelationshipList): """ A list of ``RelatedExploitTargets`` objects, defaults to empty array """ _namespace = "http://stix.mitre.org/ExploitTarget-1" _binding = exploit_target_binding _binding_class = exploit_target_binding.RelatedExploitTargetsType related_exploit_target = fields.TypedField("Related_Exploit_Target", RelatedExploitTarget, multiple=True, key_name="related_exploit_targets") def __init__(self, related_exploit_targets=None, scope=None): super(RelatedExploitTargets, self).__init__(scope, related_exploit_targets)
class MarkingSpecification(stix.Entity): _binding = stix_data_marking_binding _binding_class = stix_data_marking_binding.MarkingSpecificationType _namespace = 'http://data-marking.mitre.org/Marking-1' id_ = fields.IdField("id") idref = fields.IdrefField("idref") version = fields.TypedField("version") controlled_structure = fields.TypedField("Controlled_Structure") marking_structures = fields.TypedField("Marking_Structure", MarkingStructure, factory=MarkingStructureFactory, multiple=True, key_name="marking_structures") information_source = fields.TypedField("Information_Source", InformationSource) def __init__(self, controlled_structure=None, marking_structures=None): super(MarkingSpecification, self).__init__() self.id_ = None self.idref = None self.version = None self.controlled_structure = controlled_structure self.marking_structures = marking_structures self.information_source = None
class MalwareSubjectRelationship(maec.Entity): _binding = package_binding _binding_class = package_binding.MalwareSubjectRelationshipType _namespace = _namespace malware_subject_reference = fields.TypedField("Malware_Subject_Reference", MalwareSubjectReference, multiple=True) type_ = vocabs.VocabField("Type", MalwareSubjectRelationshipVocab) def __init__(self): super(MalwareSubjectRelationship, self).__init__()
class SnortTestMechanism(test_mechanism._BaseTestMechanism): _namespace = "http://stix.mitre.org/extensions/TestMechanism#Snort-1" _binding = snort_tm_binding _binding_class = _binding.SnortTestMechanismType _XSI_TYPE = "snortTM:SnortTestMechanismType" product_name = fields.TypedField("Product_Name", EncodedCDATA) version = fields.TypedField("Version", EncodedCDATA) rules = fields.TypedField("Rule", EncodedCDATA, multiple=True, key_name="rules") event_filters = fields.TypedField("Event_Filter", EncodedCDATA, multiple=True, key_name="event_filters") rate_filters = fields.TypedField("Rate_Filter", EncodedCDATA, multiple=True, key_name="rate_filters") event_suppressions = fields.TypedField("Event_Suppression", EncodedCDATA, multiple=True, key_name="event_suppressions") def __init__(self, id_=None, idref=None): super(SnortTestMechanism, self).__init__(id_=id_, idref=idref)
class ToolInformation(entities.Entity): _binding = common_binding _binding_class = common_binding.ToolInformationType _namespace = 'http://cybox.mitre.org/common-2' id_ = fields.IdField("id") idref = fields.IdrefField("idref") name = fields.TypedField("Name") type_ = VocabField("Type", ToolType, multiple=True) description = fields.TypedField("Description", StructuredText) vendor = fields.TypedField("Vendor") version = fields.TypedField("Version") service_pack = fields.TypedField("Service_Pack") tool_hashes = fields.TypedField("Tool_Hashes", HashList) def __init__(self, tool_name=None, tool_vendor=None): super(ToolInformation, self).__init__() # TODO: Implement items commented out below. self.name = tool_name self.description = None #self.references = None self.vendor = tool_vendor self.version = None self.service_pack = None #self.tool_specific_data = None self.tool_hashes = None
class Activity(stix.Entity): _binding = common_binding _binding_class = common_binding.ActivityType _namespace = 'http://stix.mitre.org/common-1' date_time = fields.TypedField("Date_Time", DateTimeWithPrecision) descriptions = fields.TypedField("Description", StructuredTextList) def __init__(self): super(Activity, self).__init__() self.descriptions = StructuredTextList() @property def description(self): """A single description about the contents or purpose of this object. Default Value: ``None`` Note: If this object has more than one description set, this will return the description with the lowest ordinality value. Returns: An instance of :class:`.StructuredText` """ return next(iter(self.descriptions), None) @description.setter def description(self, value): self.descriptions = StructuredTextList(value) def add_description(self, description): """Adds a description to the ``descriptions`` collection. This is the same as calling "foo.descriptions.add(bar)". """ self.descriptions.add(description)
class UserAccount(Account): _binding = user_account_binding _binding_class = user_account_binding.UserAccountObjectType _namespace = 'http://cybox.mitre.org/objects#UserAccountObject-2' _XSI_NS = "UserAccountObj" _XSI_TYPE = "UserAccountObjectType" password_required = fields.TypedField('password_required') full_name = fields.TypedField('Full_Name', String) home_directory = fields.TypedField('Home_Directory', String) last_login = fields.TypedField('Last_Login', DateTime) script_path = fields.TypedField('Script_Path', String) username = fields.TypedField('Username', String) user_password_age = fields.TypedField('User_Password_Age', Duration) # These should be overriden by subclasses group_list = fields.TypedField('Group_List', GroupList) privilege_list = fields.TypedField('Privilege_List', PrivilegeList)
class NetflowV5FlowHeader(entities.Entity): _binding = network_flow_binding _binding_class = network_flow_binding.NetflowV5FlowHeaderType _namespace = "http://cybox.mitre.org/objects#NetworkFlowObject-2" version = fields.TypedField("Version", HexBinary) count = fields.TypedField("Count", Integer) sys_up_time = fields.TypedField("Sys_Up_Time", Integer) unix_secs = fields.TypedField("Unix_Secs", Integer) unix_nsecs = fields.TypedField("Unix_Nsecs", Integer) flow_sequence = fields.TypedField("Flow_Sequence", Integer) engine_type = fields.TypedField("Engine_Type", String) engine_id = fields.TypedField("Engine_ID", Integer) sampling_interval = fields.TypedField("Sampling_Interval", HexBinary) def __init__(self): super(NetflowV5FlowHeader, self).__init__() self.version = "05"
class History(stix.EntityList): _namespace = "http://stix.mitre.org/Incident-1" _binding = incident_binding _binding_class = incident_binding.HistoryType history_items = fields.TypedField("History_Item", HistoryItem, multiple=True, key_name="history_items") @classmethod def _dict_as_list(cls): return False
class RelatedCampaignRefs(GenericRelationshipList): _namespace = "http://stix.mitre.org/Indicator-2" _binding = indicator_binding _binding_class = _binding.RelatedCampaignReferencesType related_campaign = fields.TypedField(name="Related_Campaign", type_=RelatedCampaignRef, multiple=True, key_name="related_campaigns", listfunc=_RelatedCampaignRefList) def __init__(self, related_campaign_refs=None, scope=None): super(RelatedCampaignRefs, self).__init__(scope, related_campaign_refs)
class KillChains(stix.EntityList): _binding = common_binding _namespace = 'http://stix.mitre.org/common-1' _binding_class = _binding.KillChainsType kill_chain = fields.TypedField("Kill_Chain", KillChain, multiple=True, key_name="kill_chains") @classmethod def _dict_as_list(cls): return False