class File(odm.Model):
    """Summary of a file as referenced from a parent record.

    The hash, name and type fields are also copied into the ``__text__``
    field (``copyto="__text__"``), so they can be found through a free-text
    search as well as through their own field.
    """
    md5 = odm.MD5(copyto="__text__", description="MD5 hash of file")
    name = odm.Keyword(copyto="__text__", description="Name of the file")
    sha1 = odm.SHA1(copyto="__text__", description="SHA1 hash of the file")
    sha256 = odm.SHA256(copyto="__text__", description="SHA256 hash of the file")
    # store=False: the size is not stored with the document (it still carries an index entry).
    size = odm.Integer(store=False, description="Size of the file in bytes")
    type = odm.Keyword(copyto="__text__", description="Type of file as identified by Assemblyline")
class Resource(odm.Model):
    """One node of a resource tree, flattened for storage.

    Every field is optional. The field names mirror a resource-directory
    entry (ids, name entries, code page, version, time stamp) — presumably
    a PE resource directory; confirm against the producing service.
    """

    # Since we will end up flattening the Resources and only keeping the data nodes,
    # we keep the list of parent's resource_id and the list of parent's labels (name or resource_type).
    # NOTE(review): parent_resource_ids is declared as a single EmptyableKeyword
    # while parent_labels is a List — presumably the ids are joined into one
    # string before storage; verify against the caller.
    parent_resource_ids = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    parent_labels = odm.Optional(odm.List(odm.EmptyableKeyword(copyto="__text__")))

    characteristics = odm.Optional(odm.Integer())
    num_childs = odm.Optional(odm.Integer())
    depth = odm.Optional(odm.Integer())
    name = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    resource_id = odm.Optional(odm.Integer())
    resource_type = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    is_data = odm.Optional(odm.Boolean())
    is_directory = odm.Optional(odm.Boolean())
    major_version = odm.Optional(odm.Integer())
    minor_version = odm.Optional(odm.Integer())
    numberof_id_entries = odm.Optional(odm.Integer())
    numberof_name_entries = odm.Optional(odm.Integer())
    # Raw time stamp as an integer, plus a human-readable Date form of it.
    time_date_stamp = odm.Optional(odm.Integer())
    hr_time_date_stamp = odm.Optional(odm.Date())
    code_page = odm.Optional(odm.Integer())
    # Hash and entropy of the data node's content (only meaningful for data nodes).
    sha256 = odm.Optional(odm.SHA256())
    entropy = odm.Optional(odm.Float())
    offset = odm.Optional(odm.Integer())
    reserved = odm.Optional(odm.Integer())
class FileInfo(odm.Model): magic = odm.Keyword() # The output from libmagic which was used to determine the tag md5 = odm.MD5() # MD5 of the file mime = odm.Optional(odm.Keyword()) # The libmagic mime type sha1 = odm.SHA1() # SHA1 hash of the file sha256 = odm.SHA256() # SHA256 hash of the file size = odm.Integer() # Size of the file type = odm.Keyword() # The file type
class File(odm.Model):
    """File block: hashes, name, size and type of the top-level file.

    Hashes, name and type are copied into ``__text__`` for free-text search.
    """
    md5 = odm.MD5(copyto="__text__")  # MD5 of the top level file
    name = odm.Keyword(store=False, copyto="__text__")  # Name of the file (not stored on the document)
    sha1 = odm.SHA1(copyto="__text__")  # SHA1 hash of the file
    sha256 = odm.SHA256(copyto="__text__")  # SHA256 hash of the file
    size = odm.Integer(store=False)  # Size of the file (not stored on the document)
    type = odm.Keyword(copyto="__text__")  # Type of file as identified by Assemblyline
class FileInfo(odm.Model):
    """Identification data for a file: hashes, size and libmagic output.

    Same shape as the comment-documented ``FileInfo`` variant, with the
    field descriptions carried in the ODM ``description`` argument instead.
    """
    magic = odm.Keyword(description="The output from libmagic which was used to determine the tag")
    md5 = odm.MD5(description="MD5 of the file")
    mime = odm.Optional(odm.Keyword(), description="The libmagic mime type")
    sha1 = odm.SHA1(description="SHA1 hash of the file")
    sha256 = odm.SHA256(description="SHA256 hash of the file")
    size = odm.Integer(description="Size of the file in bytes")
    type = odm.Keyword(description="Type of file as identified by Assemblyline")
class Result(odm.Model):
    """Outcome of one service run against one file.

    ``build_key`` derives the dotted datastore key for the result. Because
    the key is joined with ``.``, every component that may itself contain a
    dot (service name, service version) is normalised to ``_`` first so the
    key stays unambiguous when split.
    """

    # Archiving timestamp
    archive_ts = odm.Date(store=False)
    # Aggregate classification for the result
    classification = odm.Classification()
    # Date at which the result object got created
    created = odm.Date(default="NOW")
    # Expiry time stamp
    expiry_ts = odm.Optional(odm.Date(store=False))
    # The body of the response from the service
    response: ResponseBody = odm.Compound(ResponseBody)
    # The result body
    result: ResultBody = odm.Compound(ResultBody, default={})
    # SHA256 of the file the result object relates to
    sha256 = odm.SHA256(store=False)
    # Do not pass to other stages after this run
    drop_file = odm.Boolean(default=False)

    def build_key(self, service_tool_version=None, task=None):
        """Return this result's datastore key (see ``help_build_key``)."""
        return self.help_build_key(
            self.sha256,
            self.response.service_name,
            self.response.service_version,
            self.is_empty(),
            service_tool_version=service_tool_version,
            task=task,
        )

    @staticmethod
    def help_build_key(sha256, service_name, service_version, is_empty,
                       service_tool_version=None, task=None):
        """Assemble ``<sha256>.<service>.v<version>.c<conf>[.e]``.

        Args:
            sha256: hash of the analysed file.
            service_name: service name; dots are replaced by underscores.
            service_version: service version; dots replaced, prefixed with ``v``.
            is_empty: when true an ``e`` marker is appended to the key.
            service_tool_version: forwarded to ``generate_conf_key``.
            task: forwarded to ``generate_conf_key``.

        Returns:
            The dot-joined key string.
        """
        name_part = service_name.replace('.', '_')
        version_part = f"v{service_version.replace('.', '_')}"
        conf_part = f"c{generate_conf_key(service_tool_version=service_tool_version, task=task)}"
        tail = ["e"] if is_empty else []
        return '.'.join([sha256, name_part, version_part, conf_part] + tail)

    def is_empty(self):
        """True when the run produced no extracted or supplementary files,
        no result sections and a score of zero."""
        return (
            len(self.response.extracted) == 0
            and len(self.response.supplementary) == 0
            and len(self.result.sections) == 0
            and self.result.score == 0
        )
class File(odm.Model):
    """Stored record of a file known to the system.

    Hashes and type are copied into ``__text__`` for free-text search.
    The ``ascii`` and ``hex`` previews are declared ``index=False,
    store=False`` — neither indexed nor stored on the document.
    """
    archive_ts = odm.Date(store=False, description="Archiving timestamp")
    ascii = odm.Keyword(index=False, store=False, description="Dotted ASCII representation of the first 64 bytes of the file")
    classification = odm.Classification(description="Classification of the file")
    entropy = odm.Float(description="Entropy of the file")
    expiry_ts = odm.Optional(odm.Date(store=False), description="Expiry timestamp")
    is_section_image = odm.Boolean(default=False, description="Is this an image from an Image Result Section?")
    hex = odm.Keyword(index=False, store=False, description="Hex dump of the first 64 bytes of the file")
    md5 = odm.MD5(copyto="__text__", description="MD5 of the file")
    magic = odm.Keyword(store=False, description="Output from libmagic related to the file")
    mime = odm.Optional(odm.Keyword(store=False), description="MIME type of the file as identified by libmagic")
    # Nested Seen compound; defaults to an empty mapping when absent.
    seen = odm.Compound(Seen, default={}, description="Details about when the file was seen")
    sha1 = odm.SHA1(copyto="__text__", description="SHA1 hash of the file")
    sha256 = odm.SHA256(copyto="__text__", description="SHA256 hash of the file")
    size = odm.Integer(description="Size of the file in bytes")
    ssdeep = odm.SSDeepHash(store=False, description="SSDEEP hash of the file")
    type = odm.Keyword(copyto="__text__", description="Type of file as identified by Assemblyline")
class Error(odm.Model):
    """Error raised by a service while processing a file.

    ``build_key`` produces the dotted datastore key; dots inside the service
    name and version are replaced with ``_`` so they cannot be confused with
    the ``.`` separator.
    """

    archive_ts = odm.Date(store=False)  # Archiving timestamp
    created = odm.Date(default="NOW")  # Date at which the error was created
    expiry_ts = odm.Optional(odm.Date(store=False))  # Expiry time stamp
    response: Response = odm.Compound(Response)  # Response from the service
    sha256 = odm.SHA256(copyto="__text__")  # Hash of the file the error is related to
    # Restricted to the keys of ERROR_TYPES; defaults to "EXCEPTION".
    type = odm.Enum(values=list(ERROR_TYPES.keys()), default="EXCEPTION")

    def build_key(self, service_tool_version=None, task=None):
        """Return ``<sha256>.<service>.v<version>.c<conf>.e<code>``.

        ``<code>`` is the ERROR_TYPES value for ``self.type`` (0 when the
        type is not found in the mapping); ``service_tool_version`` and
        ``task`` are forwarded to ``generate_conf_key``.
        """
        parts = (
            self.sha256,
            self.response.service_name.replace('.', '_'),
            f"v{self.response.service_version.replace('.', '_')}",
            f"c{generate_conf_key(service_tool_version=service_tool_version, task=task)}",
            f"e{ERROR_TYPES.get(self.type, 0)}",
        )
        return '.'.join(parts)
class File(odm.Model): archive_ts = odm.Date(store=False) # Archiving timestamp ascii = odm.Keyword( index=False, store=False ) # Dotted ascii representation of the first 64 bytes of the file classification = odm.Classification() # Classification of the file entropy = odm.Float() # Entropy of the file expiry_ts = odm.Optional(odm.Date(store=False)) # Expiry timestamp hex = odm.Keyword( index=False, store=False) # Hex dump of the first 64 bytes of the file md5 = odm.MD5(copyto="__text__") # MD5 of the top level file magic = odm.Keyword( store=False) # Output from libmagic related to that file mime = odm.Optional(odm.Keyword( store=False)) # Mime type of the file as identified by libmagic seen = odm.Compound(Seen, default={}) # Attributes about when the file was seen sha1 = odm.SHA1(copyto="__text__") # SHA1 hash of the file sha256 = odm.SHA256(copyto="__text__") # SHA256 hash of the file size = odm.Integer() # Size of the file ssdeep = odm.SSDeepHash(store=False) # SSDEEP hash of the file type = odm.Keyword( copyto="__text__") # Type of file as identified by Assemblyline
class Error(odm.Model):
    """Error raised by a service while processing a file.

    ``build_key`` produces the dotted datastore key; dots inside the service
    name and version are replaced with ``_`` so they cannot be confused with
    the ``.`` separator.
    """

    archive_ts = odm.Date(store=False, description="Archiving timestamp")
    created = odm.Date(default="NOW", description="Error creation timestamp")
    expiry_ts = odm.Optional(odm.Date(store=False), description="Expiry timestamp")
    response: Response = odm.Compound(Response, description="Response from the service")
    sha256 = odm.SHA256(copyto="__text__", description="SHA256 of file related to service error")
    # Restricted to the keys of ERROR_TYPES; defaults to "EXCEPTION".
    type = odm.Enum(values=list(ERROR_TYPES.keys()), default="EXCEPTION", description="Type of error")

    def build_key(self, service_tool_version=None, task=None):
        """Return ``<sha256>.<service>.v<version>.c<conf>.e<code>``.

        ``<code>`` is the ERROR_TYPES value for ``self.type`` (0 when the
        type is not found in the mapping); ``service_tool_version`` and
        ``task`` are forwarded to ``generate_conf_key``.
        """
        parts = (
            self.sha256,
            self.response.service_name.replace('.', '_'),
            f"v{self.response.service_version.replace('.', '_')}",
            f"c{generate_conf_key(service_tool_version=service_tool_version, task=task)}",
            f"e{ERROR_TYPES.get(self.type, 0)}",
        )
        return '.'.join(parts)
class FileOLEMacro(odm.Model):
    """Tags describing OLE macros found in a file.

    Both lists are optional and their items are copied into ``__text__``
    so macro hashes and suspicious strings are free-text searchable.
    """
    sha256 = odm.Optional(odm.List(odm.SHA256(copyto="__text__")), description="SHA256 of Macro")
    suspicious_string = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Suspicious Strings")
class ResultOntologyHeader(odm.Model):
    """Header of a result ontology record: file identity, service identity,
    submission context and the tags/heuristics the service raised.
    """

    @odm.model(index=False, store=False, description="Details about the Heuristics raised by a service")
    class HeuristicDetails(odm.Model):
        """Name and tags of one heuristic raised by the service."""
        name = odm.Text(description="Name of the heuristic raised.")
        tags = odm.Compound(Tagging, description="Tags associated to heuristic")

    # Required metadata
    md5 = odm.MD5(description="MD5 of file")
    sha1 = odm.SHA1(description="SHA1 of file")
    sha256 = odm.SHA256(description="SHA256 of file")
    type = odm.Keyword(description="Type of file as identified by Assemblyline")
    size = odm.Integer(description="Size of the file in bytes")
    # NOTE(review): declared as a plain Keyword rather than odm.Classification
    # (as the File/Result models use); whether any classification validation
    # is expected on this field cannot be told from here — confirm.
    classification = odm.Keyword(default=Classification.UNRESTRICTED, description="Classification of the service result")
    service_name = odm.Keyword(description="Service Name")
    service_version = odm.Keyword(description="Service Version")
    service_tool_version = odm.Optional(odm.Keyword(default=''), description="Service Tool Version")

    # Optional metadata
    filenames = odm.Optional(odm.List(odm.Text()), description="Known filenames associated to file")
    date = odm.Optional(odm.Date(), description="Date of analysis")
    parent = odm.Optional(odm.SHA256(), description="Immediate parent of file relative to submission")
    sid = odm.Optional(odm.Keyword(), description="Submission ID associated to file")
    source_system = odm.Optional(odm.Text(), description="Which Assemblyline instance does the result originate from?")
    original_source = odm.Optional(odm.Text(), description="Source as specified by submitter (from metadata)")
    # Same plain-Keyword declaration as `classification` above.
    submitted_classification = odm.Keyword(default=Classification.UNRESTRICTED, description="Submitted classification")
    submitter = odm.Optional(odm.Keyword(), description="Submitter")
    retention_id = odm.Optional(odm.Keyword(), description="Reference to knowledge base for long-term data retention.")

    # What tags did the service associate to the result
    tags = odm.Optional(odm.Compound(Tagging), description="Tags raised by service")

    # What tags are related to certain heuristics raised. Expected shape
    # (mapping keyed by heuristic id, each value a HeuristicDetails):
    # {
    #   "SERVICENAME_1": {
    #     "name": "Bad Things happened"
    #     "tags": {
    #       "network": {
    #         "static": {
    #           "uri": ["bad.domain", ...]
    #           ...
    #         }
    #         ...
    #       }
    #       ...
    #     }
    #   }
    # }
    heuristics = odm.Optional(odm.Mapping(odm.Compound(HeuristicDetails)), description="Heuristics raised by service.")
class FileOLEMacro(odm.Model):
    """Tags describing OLE macros found in a file.

    Both lists are optional and their items are copied into ``__text__``
    so macro hashes and suspicious strings are free-text searchable.
    """
    sha256 = odm.Optional(odm.List(odm.SHA256(copyto="__text__")))  # SHA256 of each macro
    suspicious_string = odm.Optional(odm.List(odm.Keyword(copyto="__text__")))  # Suspicious strings found in macros
class Authentihash(odm.Model):
    """Authenticode hashes of a file, one optional field per digest algorithm.

    NOTE(review): sha512 and sha384 are stored as EmptyableKeyword (copied
    into ``__text__``) while sha256/sha1/md5 use the typed hash fields;
    whether the typed fields add format checks the keyword fields lack
    cannot be told from here — confirm if validation matters downstream.
    """
    sha512 = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    sha384 = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    sha256 = odm.Optional(odm.SHA256())
    sha1 = odm.Optional(odm.SHA1())
    md5 = odm.Optional(odm.MD5())
class File(odm.Model):
    """Minimal file reference: name, optional size and SHA256.

    Name and hash are copied into ``__text__`` for free-text search.
    """
    name = odm.Keyword(copyto="__text__", description="Name of the file")
    size = odm.Optional(odm.Integer(), description="Size of the file in bytes")
    sha256 = odm.SHA256(copyto="__text__", description="SHA256 hash of the file")
class File(odm.Model): name = odm.Keyword(copyto="__text__") # Name of the file size = odm.Optional(odm.Integer()) # Size of the file sha256 = odm.SHA256(copyto="__text__") # SHA256 hash of the file
class File(odm.Model): name = odm.Keyword(copyto="__text__") # Name of the file sha256 = odm.SHA256(copyto="__text__") # SHA256 hash of the file description = odm.Text(copyto="__text__") # Description of the file classification = odm.Classification() # Classification of the file