class Action(entities.Entity): _binding = core_binding _binding_class = core_binding.ActionType _namespace = 'http://cybox.mitre.org/cybox-2' id_ = fields.TypedField("id") idref = fields.TypedField("idref") ordinal_position = fields.TypedField("ordinal_position") action_status = fields.TypedField("action_status") context = fields.TypedField("context") timestamp = fields.TypedField("timestamp") type_ = vocabs.VocabField("Type", ActionType) name = vocabs.VocabField("Name", ActionName) description = fields.TypedField("Description", StructuredText) action_aliases = fields.TypedField("Action_Aliases", ActionAliases) action_arguments = fields.TypedField("Action_Arguments", ActionArguments) discovery_method = fields.TypedField("Discovery_Method", MeasureSource) associated_objects = fields.TypedField("Associated_Objects", AssociatedObjects) relationships = fields.TypedField("Relationships", ActionRelationships) frequency = fields.TypedField("Frequency", Frequency) def to_dict(self): d = super(Action, self).to_dict() # Don't add an empty timestamp if there isn't already one. if 'timestamp' in d: d['timestamp'] = serialize_datetime(d['timestamp']) return d @classmethod def from_dict(cls, action_dict): action = super(Action, cls).from_dict(action_dict) action.timestamp = parse_datetime(action.timestamp) return action
class Authentication(cybox.Entity): _binding = account_binding _binding_class = account_binding.AuthenticationType _namespace = 'http://cybox.mitre.org/objects#AccountObject-2' _XSI_NS = "AccountObj" _XSI_TYPE = "AccountObjectType" authentication_type = vocabs.VocabField("Authentication_Type") authentication_data = cybox.TypedField("Authentication_Data", String) authentication_token_protection_mechanism = vocabs.VocabField("Authentication_Token_Protection_Mechanism") structured_authentication_mechanism = cybox.TypedField("Structured_Authentication_Mechanism", StructuredAuthenticationMechanism)
class ActionArgument(entities.Entity): _binding = core_binding _binding_class = core_binding.ActionArgumentType _namespace = 'http://cybox.mitre.org/cybox-2' argument_name = vocabs.VocabField("Argument_Name", ArgumentName) argument_value = fields.TypedField("Argument_Value")
class MeasureSource(cybox.Entity): _binding = common_binding _binding_class = common_binding.MeasureSourceType _namespace = 'http://cybox.mitre.org/common-2' class_ = cybox.TypedField("classxx", key_name="class") source_type = cybox.TypedField("source_type") name = cybox.TypedField("name") sighting_count = cybox.TypedField("sighting_count") information_source_type = vocabs.VocabField("Information_Source_Type", InformationSourceType) tool_type = vocabs.VocabField("Tool_Type", ToolType) description = cybox.TypedField("Description", StructuredText) contributors = cybox.TypedField("Contributors", Personnel) time = cybox.TypedField("Time", Time) tools = cybox.TypedField("Tools", ToolInformationList) platform = cybox.TypedField("Platform", PlatformSpecification) system = cybox.TypedField("System", ObjectProperties) instance = cybox.TypedField("Instance", ObjectProperties)
class MalwareConfigurationParameter(maec.Entity): _binding = package_binding _binding_class = package_binding.MalwareConfigurationParameterType _namespace = _namespace name = vocabs.VocabField("Name", MalwareConfigParameterVocab) value = fields.TypedField("Value") def __init__(self): super(MalwareConfigurationParameter, self).__init__()
class MalwareSubjectRelationship(maec.Entity): _binding = package_binding _binding_class = package_binding.MalwareSubjectRelationshipType _namespace = _namespace malware_subject_reference = fields.TypedField("Malware_Subject_Reference", MalwareSubjectReference, multiple=True) type_ = vocabs.VocabField("Type", MalwareSubjectRelationshipVocab) def __init__(self): super(MalwareSubjectRelationship, self).__init__()
class GroupingRelationship(maec.Entity): _binding = package_binding _binding_class = package_binding.GroupingRelationshipType _namespace = _namespace type_ = vocabs.VocabField("Type", GroupingRelationshipVocab) malware_family_name = fields.TypedField("Malware_Family_Name") malware_toolkit_name = fields.TypedField("Malware_Toolkit_Name") clustering_metadata = fields.TypedField("Clustering_Metadata", ClusteringMetadata) def __init__(self): super(GroupingRelationship, self).__init__()
class Action(cybox.Entity): _binding = core_binding _binding_class = core_binding.ActionType _namespace = 'http://cybox.mitre.org/cybox-2' id_ = cybox.TypedField("id") idref = cybox.TypedField("idref") ordinal_position = cybox.TypedField("ordinal_position") action_status = cybox.TypedField("action_status") context = cybox.TypedField("context") timestamp = cybox.TypedField("timestamp") type_ = vocabs.VocabField("Type", ActionType) name = vocabs.VocabField("Name", ActionName) description = cybox.TypedField("Description", StructuredText) action_aliases = cybox.TypedField("Action_Aliases", ActionAliases) action_arguments = cybox.TypedField("Action_Arguments", ActionArguments) discovery_method = cybox.TypedField("Discovery_Method", MeasureSource) associated_objects = cybox.TypedField("Associated_Objects", AssociatedObjects) relationships = cybox.TypedField("Relationships", ActionRelationships) frequency = cybox.TypedField("Frequency", Frequency)
class Event(entities.Entity): _binding = core_binding _binding_class = core_binding.EventType _namespace = 'http://cybox.mitre.org/cybox-2' id_ = fields.TypedField("id") idref = fields.TypedField("idref") type_ = vocabs.VocabField("Type", EventType) description = fields.TypedField("Description", StructuredText) observation_method = fields.TypedField("Observation_Method", MeasureSource) actions = fields.TypedField("Actions", Actions) frequency = fields.TypedField("Frequency", Frequency) event = fields.TypedField("Event", multiple=True)
class LinuxPackage(ObjectProperties): _binding = linux_package_binding _binding_class = linux_package_binding.LinuxPackageObjectType _namespace = "http://cybox.mitre.org/objects#LinuxPackageObject-2" _XSI_NS = "LinuxPackageObj" _XSI_TYPE = "LinuxPackageObjectType" architecture = vocabs.VocabField("Architecture", LinuxPackageArchitecture) category = fields.TypedField("Category", String) description = fields.TypedField("Description", String) epoch = fields.TypedField("Epoch", String) evr = fields.TypedField("EVR", String) name = fields.TypedField("Name", String) release = fields.TypedField("Release", String) vendor = fields.TypedField("Vendor", String) version = fields.TypedField("Version", String)
class ExtractedString(entities.Entity): _binding = common_binding _binding_class = common_binding.ExtractedStringType _namespace = 'http://cybox.mitre.org/common-2' encoding = vocabs.VocabField("Encoding", CharacterEncoding) string_value = fields.TypedField("String_Value", String) byte_string_value = fields.TypedField("Byte_String_Value", HexBinary) hashes = fields.TypedField("Hashes", HashList) address = fields.TypedField("Address", HexBinary) length = fields.TypedField("Length", PositiveInteger) language = fields.TypedField("Language", String) english_translation = fields.TypedField("English_Translation", String) def __init__(self, string_value=None): super(ExtractedString, self).__init__() self.string_value = string_value
class Hash(entities.Entity): _binding = common_binding _binding_class = common_binding.HashType _namespace = 'http://cybox.mitre.org/common-2' type_ = vocabs.VocabField("Type", HashName) simple_hash_value = fields.TypedField("Simple_Hash_Value", HexBinary, postset_hook=_set_hash_type) fuzzy_hash_value = fields.TypedField("Fuzzy_Hash_Value", String) TYPE_MD5 = u("MD5") TYPE_MD6 = u("MD6") TYPE_SHA1 = u("SHA1") TYPE_SHA224 = u("SHA224") TYPE_SHA256 = u("SHA256") TYPE_SHA384 = u("SHA384") TYPE_SHA512 = u("SHA512") TYPE_SSDEEP = u("SSDEEP") TYPE_OTHER = VocabString(u("Other")) def __init__(self, hash_value=None, type_=None, exact=False): """Create a new Hash Object If exact=True, add 'condition="Equals"' to the hash value and type. """ super(Hash, self).__init__() # Set type_ first so that auto-typing will work. self.type_ = type_ self.simple_hash_value = hash_value if exact: if self.simple_hash_value: self.simple_hash_value.condition = "Equals" if self.type_: self.type_.condition = "Equals" def __str__(self): return str(self.simple_hash_value)
class MultipleHash(cybox.Entity): """Fake entity class to test multiple on VocabField.""" _binding = common_binding _binding_class = common_binding.HashType _namespace = 'http://cybox.mitre.org/common-2' type_ = vocabs.VocabField("Type", HashName, multiple=True)
class MalwareSubject(maec.Entity): _binding = package_binding _binding_class = package_binding.MalwareSubjectType _namespace = _namespace id_ = fields.TypedField("id") malware_instance_object_attributes = fields.TypedField( "Malware_Instance_Object_Attributes", Object) label = vocabs.VocabField("Label", MalwareLabel, multiple=True) configuration_details = fields.TypedField("Configuration_Details", MalwareConfigurationDetails) minor_variants = fields.TypedField("Minor_Variants", MinorVariants) development_environment = fields.TypedField("Development_Environment", MalwareDevelopmentEnvironment) #field_data = fields.TypedField("field_data") # TODO: support metadata:fieldDataEntry analyses = fields.TypedField("Analyses", Analyses) findings_bundles = fields.TypedField("Findings_Bundles", FindingsBundleList) relationships = fields.TypedField("Relationships", MalwareSubjectRelationshipList) compatible_platform = fields.TypedField("Compatible_Platform", PlatformSpecification, multiple=True) def __init__(self, id=None, malware_instance_object_attributes=None): super(MalwareSubject, self).__init__() if id: self.id_ = id else: self.id_ = idgen.create_id(prefix="malware_subject") #Set the Malware Instance Object Attributes (a CybOX object) if they are not none self.malware_instance_object_attributes = malware_instance_object_attributes #Public methods #Set the Malware_Instance_Object_Attributes with a CybOX object def set_malware_instance_object_attributes( self, malware_instance_object_attributes): self.malware_instance_object_attributes = malware_instance_object_attributes #Add an Analysis to the Analyses def add_analysis(self, analysis): if not self.analyses: self.analyses = Analyses() self.analyses.append(analysis) def get_analyses(self): return self.analyses #Get all Bundles in the Subject def get_all_bundles(self): return self.findings_bundles.bundle #Add a MAEC Bundle to the Findings Bundles def add_findings_bundle(self, bundle): if not self.findings_bundles: self.findings_bundles = FindingsBundleList() self.findings_bundles.add_bundle(bundle) def deduplicate_bundles(self): """DeDuplicate all Findings Bundles in the Malware Subject. For now, only handles Objects""" all_bundles = self.get_all_bundles() for bundle in all_bundles: bundle.deduplicate() def dereference_bundles(self): """Dereference all Findings Bundles in the Malware Subject. For now, only handles Objects""" all_bundles = self.get_all_bundles() for bundle in all_bundles: bundle.dereference_objects( [self.malware_instance_object_attributes]) def normalize_bundles(self): """Normalize all Findings Bundles in the Malware Subject. For now, only handles Objects""" all_bundles = self.get_all_bundles() for bundle in all_bundles: bundle.normalize_objects()
class Hash(cybox.Entity): _binding = common_binding _binding_class = common_binding.HashType _namespace = 'http://cybox.mitre.org/common-2' def _auto_type(self): """Attempt to determine the hash type if `type_` is None""" if self.simple_hash_value and not self.type_: val = self.simple_hash_value.value if not val: # If not provided or an empty string, don't assign the type self.type_ = None elif len(val) == 32: self.type_ = Hash.TYPE_MD5 elif len(val) == 40: self.type_ = Hash.TYPE_SHA1 elif len(val) == 56: self.type_ = Hash.TYPE_SHA224 elif len(val) == 64: self.type_ = Hash.TYPE_SHA256 elif len(val) == 96: self.type_ = Hash.TYPE_SHA384 elif len(val) == 128: self.type_ = Hash.TYPE_SHA512 else: self.type_ = Hash.TYPE_OTHER type_ = vocabs.VocabField("Type", HashName) simple_hash_value = cybox.TypedField("Simple_Hash_Value", HexBinary, callback_hook=_auto_type) fuzzy_hash_value = cybox.TypedField("Fuzzy_Hash_Value", String) TYPE_MD5 = u"MD5" TYPE_MD6 = u"MD6" TYPE_SHA1 = u"SHA1" TYPE_SHA224 = u"SHA224" TYPE_SHA256 = u"SHA256" TYPE_SHA384 = u"SHA384" TYPE_SHA512 = u"SHA512" TYPE_SSDEEP = u"SSDEEP" TYPE_OTHER = VocabString(u"Other") def __init__(self, hash_value=None, type_=None, exact=False): """Create a new Hash Object If exact=True, add 'condition="Equals"' to the hash value and type. """ super(Hash, self).__init__() # Set type_ first so that auto-typing will work. self.type_ = type_ self.simple_hash_value = hash_value if exact: if self.simple_hash_value: self.simple_hash_value.condition = "Equals" if self.type_: self.type_.condition = "Equals" def __str__(self): return str(self.simple_hash_value)