def test_domain_name_example(): dn = stix2.DomainName(_valid_refs={"1": 'domain-name'}, value="example.com", resolves_to_refs=["1"]) assert dn.value == "example.com" assert dn.resolves_to_refs == ["1"]
def test_domain_name_example_invalid_ref_type(): with pytest.raises(stix2.exceptions.InvalidObjRefError) as excinfo: stix2.DomainName(_valid_refs={"1": "file"}, value="example.com", resolves_to_refs=["1"]) assert excinfo.value.cls == stix2.DomainName assert excinfo.value.prop_name == "resolves_to_refs"
def obs_view(request, id): o = ObservableObject.objects.get(id=id) dict = {id: {}} if o.type.model_name: m = apps.get_model(o._meta.app_label, o.type.model_name) o = m.objects.get(id=o.id) s = None refs = [] if o.type.name == "domain-name": for r in o.resolves_to_refs.all(): m = apps.get_model(r._meta.app_label, r.type.model_name) ref = m.objects.get(id=r.id) if ref.type.name == "ipv4-addr": i = stix2.IPv4Address(value=ref.value) dict[ref.id] = json.loads(str(i)) refs.append(str(ref.id)) s = stix2.DomainName(value=o.value, #resolves_to_refs=refs, ) #dict[id] = json.loads(str(s)) #dict[id]["resolves_to_refs"] = refs elif o.type.name == "file": s = stix2.File(name=o.name, ) #dict[id] = json.loads(str(s)) elif o.type.name == "ipv4-addr": s = stix2.IPv4Address(value=o.value, ) elif o.type.name == "url": s = stix2.URL(value=o.value, ) if s: dict[id] = json.loads(str(s)) if refs: dict[id]["resolves_to_refs"] = refs form = getobsform(o.type.name, instance=o) if request.POST: if "update" in request.POST: form = getobsform(o.type.name, instance=o, request=request) if form.is_valid(): if o.type.name in ["file"]: o.name = form.cleaned_data["value"] o.save() else: s = form.save() if o.type.name in ["domain-name"]: new = form.cleaned_data["new_refs"] for line in new.split("\n"): if line: r = create_obs_from_line(line) o.resolve_to_refs.add(r) o.save() objects = [] rels = [] sights = [] observables = [] value = None if hasattr(o, "value"): value = o.value elif hasattr(o, "name"): value = o.name ods = ObservedData.objects.filter(observable_objects=o) for od in ods: for s in Sighting.objects.filter(observed_data_refs=od): for ro in get_related_obj(s): if ro.object_type.name == "sighting": if not ro in sights: sights.append(ro) elif ro.object_type.name == "relationship": if not ro in rels: rels.append(ro) else: if not ro in objects: objects.append(ro) ind = Indicator.objects.filter(pattern__pattern__icontains=value) for i in ind: if not i in objects: objects.append(i) rs = Relationship.objects.filter( source_ref=i.object_id, relationship_type=RelationshipType.objects.get( name="indicates")) for r in rs: if not r in rels: rels.append(r) for tgt in rel.values_list("target_ref", flat=True): t = get_obj_from_id(tgt) if not t in objects: objects.append(t) c = { "obj": o, "type": o.type.name, "form": form, "stix": json.dumps(dict, indent=2), "objects": objects, "rels": rels, "sights": sights, } return render(request, 'base_view.html', c)
def stix_bundle(objs, mask=True): objects = () for obj in objs: oid = obj.object_id.object_id dscr = "" if not mask and hasattr(obj, "description"): dscr = obj.description if obj.object_type.name == 'attack-pattern': a = stix2.AttackPattern( id=oid, name=obj.name, description=dscr, created=obj.created, modified=obj.modified, kill_chain_phases=stix2killchain(obj), ) objects += (a, ) elif obj.object_type.name == 'campaign': c = stix2.Campaign( id=oid, name=obj.name, description=dscr, aliases=[str(a.name) for a in obj.aliases.all()], created=obj.created, modified=obj.modified, first_seen=obj.first_seen, last_seen=obj.last_seen, ) objects += (c, ) elif obj.object_type.name == 'course-of-action': c = stix2.CourseOfAction( id=oid, name=obj.name, description=dscr, created=obj.created, modified=obj.modified, ) objects += (c, ) elif obj.object_type.name == 'identity': name = obj.name if mask: name = oid label = obj.labels.all() if label.count() >= 1: name = str(obj.id) if label[0].alias: name += '-' + label[0].alias else: name += '-' + label[0].value i = stix2.Identity( id=oid, name=name, identity_class=obj.identity_class, description=dscr, sectors=[str(s.value) for s in obj.sectors.all()], labels=[str(l.value) for l in obj.labels.all()], created=obj.created, modified=obj.modified, ) objects += (i, ) elif obj.object_type.name == 'indicator': pattern = "[]" if not mask and obj.pattern: pattern = obj.pattern.pattern i = stix2.Indicator( id=oid, name=obj.name, description=dscr, labels=[str(l.value) for l in obj.labels.all()], pattern=pattern, created=obj.created, modified=obj.modified, valid_from=obj.valid_from, valid_until=obj.valid_until, ) objects += (i, ) elif obj.object_type.name == 'intrusion-set': i = stix2.IntrusionSet( id=oid, name=obj.name, description=dscr, aliases=[str(a.name) for a in obj.aliases.all()], created=obj.created, modified=obj.modified, first_seen=obj.first_seen, #last_seen=obj.last_seen, ) objects += (i, ) elif obj.object_type.name == 'malware': m = stix2.Malware( id=oid, name=obj.name, description=dscr, labels=[str(l.value) for l in obj.labels.all()], created=obj.created, modified=obj.modified, kill_chain_phases=stix2killchain(obj), ) objects += (m, ) elif obj.object_type.name == 'observed-data': obs = {} for o in obj.observable_objects.all(): ob = None if o.type.name == "file": f = FileObject.objects.get(id=o.id) ob = stix2.File(name=f.name) elif o.type.name == "ipv4-addr": i = IPv4AddressObject.objects.get(id=o.id) ob = stix2.IPv4Address(value=i.value) elif o.type.name == "url": u = URLObject.objects.get(id=o.id) ob = stix2.URL(value=u.value) elif o.type.name == "domain-name": dn = DomainNameObject.objects.get(id=o.id) ob = stix2.DomainName(value=dn.value) if ob and not mask: obs[str(o.id)] = json.loads(str(ob)) od = stix2.ObservedData( id=oid, created=obj.created, modified=obj.modified, first_observed=obj.first_observed, last_observed=obj.last_observed, number_observed=obj.number_observed, objects=obs, ) objects += (od, ) elif obj.object_type.name == 'report': created_by = None if obj.created_by_ref: created_by = obj.created_by_ref.object_id r = stix2.Report( id=oid, labels=[str(l.value) for l in obj.labels.all()], name=obj.name, description=dscr, published=obj.published, object_refs=[str(r.object_id) for r in obj.object_refs.all()], created_by_ref=created_by, created=obj.created, modified=obj.modified, ) objects += (r, ) elif obj.object_type.name == 'threat-actor': t = stix2.ThreatActor( id=oid, name=obj.name, description=dscr, labels=[str(l.value) for l in obj.labels.all()], aliases=[str(a.name) for a in obj.aliases.all()], created=obj.created, modified=obj.modified, ) objects += (t, ) elif obj.object_type.name == 'tool': t = stix2.Tool( id=oid, name=obj.name, description=dscr, labels=[str(l.value) for l in obj.labels.all()], created=obj.created, modified=obj.modified, kill_chain_phases=stix2killchain(obj), ) objects += (t, ) elif obj.object_type.name == 'vulnerability': v = stix2.Vulnerability( id=oid, name=obj.name, description=dscr, created=obj.created, modified=obj.modified, ) objects += (v, ) elif obj.object_type.name == 'relationship': r = stix2.Relationship( id=oid, relationship_type=obj.relationship_type.name, description=dscr, source_ref=obj.source_ref.object_id, target_ref=obj.target_ref.object_id, created=obj.created, modified=obj.modified, ) objects += (r, ) elif obj.object_type.name == 'sighting': s = stix2.Sighting( id=oid, sighting_of_ref=obj.sighting_of_ref.object_id, where_sighted_refs=[ str(w.object_id.object_id) for w in obj.where_sighted_refs.all() ], observed_data_refs=[ str(od.object_id.object_id) for od in obj.observed_data_refs.all() ], first_seen=obj.first_seen, last_seen=obj.last_seen, created=obj.created, modified=obj.modified, ) objects += (s, ) bundle = stix2.Bundle(*objects) return bundle