def test01_mitigate_domain(self):
cmd_api = {
"action": "mitigate",
"target": {
"domain_name": "cdn.badco.org"
}
}
cmd_flat = {
"action": "mitigate",
"target.domain_name": "cdn.badco.org"
}
cmd_noname = {"1": 32, "2": {"7": "cdn.badco.org"}}
cmd_concise = ["mitigate", {"domain_name": "cdn.badco.org"}]
cmd_min = [32, {"7": "cdn.badco.org"}]
# Minified (list/tag)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_min)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_min), cmd_api)
self.tc.set_mode(False, True) # Concise (list/name)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_concise)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_concise), cmd_api)
self.tc.set_mode(True, False) # unused (dict/tag)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_noname)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_noname), cmd_api)
self.tc.set_mode(True, True) # API / Verbose (dict/name)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_api)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_api), cmd_api)
self.assertEqual(flatten(cmd_api), cmd_flat)
self.assertEqual(fluff(cmd_flat), cmd_api)
self._write_examples("t01_mitigate_domain",
[cmd_api, cmd_flat, cmd_concise, cmd_min])
def check(self, item, cmd_api, cmd_min, cmd_flat):
self.tc.set_mode(False, False) # Minified (list/tag)
self.assertEqual(self.tc.encode(item, cmd_api), cmd_min)
self.assertEqual(self.tc.decode(item, cmd_min), cmd_api)
self.tc.set_mode(True, True) # API / Verbose (dict/name)
self.assertEqual(self.tc.encode(item, cmd_api), cmd_api)
self.assertEqual(self.tc.decode(item, cmd_api), cmd_api)
self.assertEqual(flatten(cmd_api), cmd_flat)
self.assertEqual(fluff(cmd_flat), cmd_api)
def test05_scan_domain(self):
cmd_api = { # API / Verbose (dict/name)
"action": "scan",
"target": {
"domain_name": "www.example.com"
}
}
cmd_flat = {"action": "scan", "target.domain_name": "www.example.com"}
cmd_noname = { # unused (dict/tag)
"1": 1,
"2": {
"7": "www.example.com"
}
}
cmd_concise = [ # Concise (list/name)
"scan", {
"domain_name": "www.example.com"
}
]
cmd_min = [1, {"7": "www.example.com"}]
# Minified (list/tag)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_min)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_min), cmd_api)
self.tc.set_mode(False, True) # Concise (list/name)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_concise)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_concise), cmd_api)
self.tc.set_mode(True, False) # unused (dict/tag)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_noname)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_noname), cmd_api)
self.tc.set_mode(True, True) # API / Verbose (dict/name)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_api)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_api), cmd_api)
self.assertEqual(flatten(cmd_api), cmd_flat)
self.assertEqual(dlist(fluff(cmd_flat)),
cmd_api) # Convert numeric dict to list
self._write_examples("t05_scan_domain",
[cmd_api, cmd_flat, cmd_concise, cmd_min])
# OpenC2 producer application:
command1 = { # Python literals use either single or double quotes - no difference in API object
"action": "mitigate",
'target': {
"domain_name": 'cdn.badco.org'
}
}
schema = jadn_load(os.path.join(
"schema", "openc2.jadn")) # Load and validate the OpenC2 schema
codec = Codec(schema, verbose_rec=True, verbose_str=True
) # Create an OpenC2 encoder/decoder (JSON-Verbose encoding)
message1 = codec.encode("OpenC2Command",
command1) # Validate and encode the command
print("Command to be sent (API) =", command1)
print("Sent Message (JSON-v string) =",
json.dumps(message1)) # Single quotes are invalid in JSON
# OpenC2 consumer application:
message2 = '[32,{"7":"cdn.badco.org"}]' # Received OpenC2 command in JSON-minified format
codec.set_mode(verbose_rec=False,
verbose_str=False) # Tell codec to use JSON-minified encoding
command2 = codec.decode(
"OpenC2Command", json.loads(message2)) # Validate and decode the command
print("Received Message (JSON-m string) =", message2)
print("Decoded Command (API) =", command2)
print("Decoded Command (API flat) =", flatten(command2))
def test06_update_software(self):
cmd_api = { # API / Verbose (dict/name)
"action": "update",
"target": {
"software": {
"name": "VirusBeGone",
"vendor": "McAfmantec"
}
},
"actuator": {
"process_remediation_service": {
"actuator_id": "dns://host03274.example.org"
}
},
"modifiers": {
"command_id":
"474074afb389",
"command_src":
"dns://orch.example.org",
"response":
"ack",
"source":
"https://updates.example.org/win7_x64/patch_201704_0137.cab"
}
}
cmd_flat = {
"action":
"update",
"target.software.vendor":
"McAfmantec",
"target.software.name":
"VirusBeGone",
"actuator.process_remediation_service.actuator_id":
"dns://host03274.example.org",
"modifiers.command_id":
"474074afb389",
"modifiers.command_src":
"dns://orch.example.org",
"modifiers.response":
"ack",
"modifiers.source":
"https://updates.example.org/win7_x64/patch_201704_0137.cab"
}
self.tc.set_mode(True, True) # API / Verbose (dict/name)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_api)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_api), cmd_api)
self.assertEqual(flatten(cmd_api), cmd_flat)
self.assertEqual(dlist(fluff(cmd_flat)),
cmd_api) # Convert numeric dict to list
self._write_examples("t06_update_software",
[cmd_api, cmd_flat, None, None])
# -- Response
rsp_api = {
"status": "Processing",
"statusText": "Updating McAfmantec VirusBeGone ...",
"response_src": "dns://orch.example.org",
"command_ref": "474074afb389"
}
self.tc.set_mode(True, True) # API / Verbose (dict/name)
self.assertEqual(self.tc.encode("OpenC2Response", rsp_api), rsp_api)
self.assertEqual(self.tc.decode("OpenC2Response", rsp_api), rsp_api)
self._write_examples("t06_update_software_rsp",
[rsp_api, None, None, None])
def test04_deny_ip(self):
cmd_api = {
"action": "deny",
"target": {
"ip_connection": {
"layer4_protocol": "TCP",
"src_addr": {
"ipv6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
},
"src_port": {
"number": 10996
},
"dst_addr": {
"ipv4": "1.2.3.5"
},
"dst_port": {
"protocol": "https"
}
}
},
"actuator": {
"network_firewall": {
"asset_id": "30"
}
},
"modifiers": {
"command_id": "pf17_8675309",
"context": "91",
"start_time": "2016-11-25T08:10:31-04:00",
"duration": "PT2M30S"
}
}
cmd_flat = {
"action": "deny",
"target.ip_connection.layer4_protocol": "TCP",
"target.ip_connection.src_addr.ipv6":
"2001:0db8:85a3:0000:0000:8a2e:0370:7334",
"target.ip_connection.src_port.number": 10996,
"target.ip_connection.dst_addr.ipv4": "1.2.3.5",
"target.ip_connection.dst_port.protocol": "https",
"actuator.network_firewall.asset_id": "30",
"modifiers.command_id": "pf17_8675309",
"modifiers.context": "91",
"modifiers.start_time": "2016-11-25T08:10:31-04:00",
"modifiers.duration": "PT2M30S"
}
cmd_noname = {
"1": 6,
"2": {
"15": {
"1": {
"2": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
},
"2": {
"1": 10996
},
"3": {
"1": "1.2.3.5"
},
"4": {
"2": 443
},
"5": 6
}
},
"3": {
"14": {
"2": "30"
}
},
"4": {
"1": "91",
"2": "2016-11-25T08:10:31-04:00",
"4": "PT2M30S",
"6": "pf17_8675309"
}
}
cmd_concise = [
"deny", {
"ip_connection": [{
"ipv6":
"2001:0db8:85a3:0000:0000:8a2e:0370:7334"
}, {
"number": 10996
}, {
"ipv4": "1.2.3.5"
}, {
"protocol": "https"
}, "TCP"]
}, {
"network_firewall": [None, "30"]
}, {
"context": "91",
"start_time": "2016-11-25T08:10:31-04:00",
"duration": "PT2M30S",
"command_id": "pf17_8675309"
}
]
cmd_min = [
6, {
"15": [{
"2": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
}, {
"1": 10996
}, {
"1": "1.2.3.5"
}, {
"2": 443
}, 6]
}, {
"14": [None, "30"]
}, {
"1": "91",
"2": "2016-11-25T08:10:31-04:00",
"4": "PT2M30S",
"6": "pf17_8675309"
}
]
# Minified (list/tag)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_min)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_min), cmd_api)
self.tc.set_mode(False, True) # Concise (list/name)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_concise)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_concise), cmd_api)
self.tc.set_mode(True, False) # unused (dict/tag)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_noname)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_noname), cmd_api)
self.tc.set_mode(True, True) # API / Verbose (dict/name)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_api)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_api), cmd_api)
self.assertEqual(flatten(cmd_api), cmd_flat)
self.assertEqual(fluff(cmd_flat), cmd_api)
self._write_examples("t04_deny_ip",
[cmd_api, cmd_flat, cmd_concise, cmd_min])
def test03_contain_user(self):
cmd_api = {
"action": "contain",
"target": {
"user_account": {
"user_id": "21942",
"account_login": "******",
"is_disabled": True,
"account_last_login": "******"
}
}
}
cmd_flat = {
"action": "contain",
"target.user_account.user_id": "21942",
"target.user_account.account_login": "******",
"target.user_account.is_disabled": True,
"target.user_account.account_last_login":
"******"
}
cmd_noname = {
"1": 7,
"2": {
"19": {
"1": "21942",
"2": "jsmith",
"8": True,
"13": "2017-03-16T07:38:12-04:00"
}
}
}
cmd_concise = [
"contain", {
"user_account": {
"user_id": "21942",
"account_login": "******",
"is_disabled": True,
"account_last_login": "******"
}
}
]
cmd_min = [
7, {
"19": {
"1": "21942",
"2": "jsmith",
"8": True,
"13": "2017-03-16T07:38:12-04:00"
}
}
]
# Minified (list/tag)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_min)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_min), cmd_api)
self.tc.set_mode(False, True) # Concise (list/name)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_concise)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_concise), cmd_api)
self.tc.set_mode(True, False) # unused (dict/tag)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_noname)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_noname), cmd_api)
self.tc.set_mode(True, True) # API / Verbose (dict/name)
self.assertEqual(self.tc.encode("OpenC2Command", cmd_api), cmd_api)
self.assertEqual(self.tc.decode("OpenC2Command", cmd_api), cmd_api)
self.assertEqual(flatten(cmd_api), cmd_flat)
self.assertEqual(fluff(cmd_flat), cmd_api)
self._write_examples("t03_contain_user",
[cmd_api, cmd_flat, cmd_concise, cmd_min])