Closed Lastrellik closed 4 years ago
Hi @Lastrellik, I think the problem you have here is that you are not building the NTFS-Extension correctly. This extension defines two properties: sid and alternate_data_streams. The data_streams define a specific object to be used alternate-data-stream-type
. Taking your example:
from stix2 import File, AlternateDataStream, NTFSExt
def build_file_intel():
stream = AlternateDataStream(name="exe")
file_extensions = {
'ntfs-ext': NTFSExt(alternate_data_streams=stream)
}
file = File(name="foo", extensions=file_extensions)
print(file)
build_file_intel()
Procudes:
{
"type": "file",
"name": "foo",
"extensions": {
"ntfs-ext": {
"alternate_data_streams": [
{
"name": "exe"
}
]
}
}
}
Closing since its not an actual bug in the library. Feel free to reopen if you think the issue has not addressed.
When adding extensions to a File object, we get an error
InvalidValueError: Invalid value for File 'extensions': Cannot determine extension type
To reproduce, create and run this script:
According to http://docs.oasis-open.org/cti/stix/v2.0/cs01/part4-cyber-observable-objects/stix-v2.0-cs01-part4-cyber-observable-objects.html#_Toc496716232 in regards to File extensions:
The
file_extensions
dictionary in the script seems to follow these requirements, but we still get that error.