Merge pull request #189 from vertexproject/visi-ingest
new infotech model and av / cve update
Showing
8 changed files
with
80 additions
and
70 deletions.
This file was deleted.
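--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -0,0 +1,36 @@
+def getDataModel():
+return {
+'prefix':'it',
+'version':201703301552,
+
+'types': (
+('it:host', {'subof':'guid','doc':'A GUID for a host/system'}),
+('it:sec:cve', {'subof':'str', 'regex':'^CVE-[0-9]{4}-[0-9]{4,6}$','doc':'A CVE entry from Mitre'}),
+
+('it:av:sig', {'subof':'sepr', 'sep':'/', 'fields':'org,ou:alias|sig,str:lwr', 'doc':'An antivirus signature' }),
+('it:av:filehit', {'subof':'sepr', 'sep':'/', 'fields':'file,file:bytes|sig,it:av:sig', 'doc':'An antivirus hit' }),
+),
+
+'forms': (
+
+('it:host', {'ptype':'it:host'},[
+#FIXME we probably eventually need a bunch of stuff here...
+]),
+
+('it:sec:cve', {'ptype':'it:sec:cve'},[
+('desc',{'ptype':'str'}),
+]),
+
+('it:av:sig', {'ptype':'it:av:sig'},[
+('sig',{'ptype':'str:lwr'}),
+('org',{'ptype':'ou:alias'}),
+('desc',{'ptype':'str'}),
+('url',{'ptype':'inet:url'}),
+]),
+
+('it:av:filehit', {'ptype':'it:av:filehit'},[
+('file',{'ptype':'file:bytes'}),
+('sig',{'ptype':'it:av:sig'}),
+])
+),
+}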
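Review bot: The `it:sec:cve` type in the 'types' tuple uses `'regex':'^CVE-[0-9]{4}-[0-9]{4,6}$'`, which caps the sequence number at six digits, but the CVE ID syntax in force since 2014 requires at least four digits with no upper bound, so a valid identifier with a seven-digit sequence would be rejected as a bad value and silently fail to ingest; `'regex':'^CVE-[0-9]{4}-[0-9]{4,}$'` matches the published format. The type is a plain 'str' subtype with an uppercase `CVE-` anchor, so matching is presumably case-sensitive and a lowercase `cve-2013-9999` from a feed is also rejected — if that is intended, a one-line 'doc' saying ids must be uppercase would save callers a round trip. The `it:host` form ships with only a FIXME and no props; a `'doc'` on the form stating that host attributes are deferred to a later model revision would make the empty prop list read as deliberate. The whole of getDataModel is within this section.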
This file was deleted.
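--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,40 @@
+
+from synapse.tests.common import *
+
+class InfoTechTest(SynTest):
+
+def test_model_infotech_host(self):
+with s_cortex.openurl('ram:///') as core:
+core.setConfOpt('enforce',1)
+node = core.formTufoByProp('it:host',guid())
+self.nn(node)
+self.nn(node[1].get('it:host'))
+
+def test_model_infotech_cve(self):
+with s_cortex.openurl('ram:///') as core:
+core.setConfOpt('enforce',1)
+node = core.formTufoByProp('it:sec:cve','CVE-2013-9999', desc='This is a description')
+self.nn(node)
+self.eq( node[1].get('it:sec:cve'), 'CVE-2013-9999')
+self.eq( node[1].get('it:sec:cve:desc'), 'This is a description' )
+self.raises( BadTypeValu, core.formTufoByProp, 'it:sec:cve', 'dERP' )
+
+def test_model_infotech_av(self):
+with s_cortex.openurl('ram:///') as core:
+core.setConfOpt('enforce',1)
+bytesguid = '1234567890ABCDEFFEDCBA0987654321'
+orgname = 'Foo'
+signame = 'Bar.BAZ.faZ'
+valu = (bytesguid, (orgname, signame))
+
+tufo = core.formTufoByFrob('it:av:filehit', valu)
+self.eq(tufo[1].get('it:av:filehit:sig'), 'foo/bar.baz.faz')
+self.eq(tufo[1].get('it:av:filehit:file'), '1234567890abcdeffedcba0987654321')
+
+tufo = core.getTufoByProp('it:av:sig', 'foo/bar.baz.faz')
+self.eq(tufo[1].get('it:av:sig'), 'foo/bar.baz.faz')
+self.eq(tufo[1].get('it:av:sig:org'), 'foo')
+self.eq(tufo[1].get('it:av:sig:sig'), 'bar.baz.faz')
+
+tufo = core.getTufoByProp('ou:alias', 'foo')
+self.eq(tufo, None) # ou:alias will not be automatically formed at this time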
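Review bot: test_model_infotech_host discards the guid it forms with, so `self.nn(node[1].get('it:host'))` only shows the primary property is set, not that the supplied value round-trips; keep it and compare: `iden = guid()`, `node = core.formTufoByProp('it:host', iden)`, `self.eq(node[1].get('it:host'), iden)`. test_model_infotech_cve pins the identifier format only at a four-digit sequence and one malformed string, so a regex that is too tight or too loose at the edges would pass; a positive case with a longer sequence number (a constructed example such as `CVE-2014-1234567`, which the model's current regex rejects) and a negative case for lowercase `cve-2013-9999` would document the intended format. The `from synapse.tests.common import *` line hides where `s_cortex`, `guid` and `BadTypeValu` come from; if the project convention permits, explicit imports would make the test self-describing.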