oasis-open / cti-python-stix2

OASIS TC Open Repository: Python APIs for STIX 2
https://stix2.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

InvalidValueError: Invalid value for File 'extensions': Cannot determine extension type #414

Closed Lastrellik closed 4 years ago

Lastrellik commented 4 years ago

When adding extensions to a File object, we get an error InvalidValueError: Invalid value for File 'extensions': Cannot determine extension type

To reproduce, create and run this script:

from stix2 import File

def build_file_intel():
    file_extensions = {
        'ntfs-ext': 'exe'
    }
    file = File(extensions=file_extensions)

build_file_intel()

According to http://docs.oasis-open.org/cti/stix/v2.0/cs01/part4-cyber-observable-objects/stix-v2.0-cs01-part4-cyber-observable-objects.html#_Toc496716232 in regards to File extensions:

The File Object defines the following extensions. In addition to these, producers MAY create their own.

ntfs-ext, raster-image-ext, pdf-ext, archive-ext, windows-pebinary-ext

Dictionary keys MUST identify the extension type by name.

The corresponding dictionary values MUST contain the contents of the extension instance.

The file_extensions dictionary in the script seems to follow these requirements, but we still get that error.

emmanvg commented 4 years ago

Hi @Lastrellik, I think the problem you have here is that you are not building the NTFS-Extension correctly. This extension defines two properties: sid and alternate_data_streams. The data_streams define a specific object to be used, alternate-data-stream-type. Taking your example:

from stix2 import File, AlternateDataStream, NTFSExt

def build_file_intel():
    stream = AlternateDataStream(name="exe")
    file_extensions = {
        'ntfs-ext': NTFSExt(alternate_data_streams=stream)
    }
    file = File(name="foo", extensions=file_extensions)
    print(file)

build_file_intel()

Produces:

{
    "type": "file",
    "name": "foo",
    "extensions": {
        "ntfs-ext": {
            "alternate_data_streams": [
                {
                    "name": "exe"
                }
            ]
        }
    }
}

Reference: http://docs.oasis-open.org/cti/stix/v2.0/cs01/part4-cyber-observable-objects/stix-v2.0-cs01-part4-cyber-observable-objects.html#_Toc496716236


Closing since it's not an actual bug in the library. Feel free to reopen if you think the issue has not been addressed.
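
As an added example (not part of the thread and not code from the stix2 library): a stand-alone shape check for the `ntfs-ext` entry, showing why the bare string from the issue is rejected while the object form from the reply passes. The function names are hypothetical, and the rules (at least one of `sid` / `alternate_data_streams`, each stream needing a `name`) are taken from the STIX 2.0 File object section referenced above, not from stix2's own validators.

```python
# Added example: stand-alone shape check, does not import stix2.
from collections.abc import Mapping

# The two properties the reply names for the NTFS extension.
NTFS_EXT_PROPS = {"sid", "alternate_data_streams"}

def check_ntfs_ext(value):
    """Return a list of problems with an 'ntfs-ext' value (empty list = well-formed)."""
    if not isinstance(value, Mapping):
        return ["ntfs-ext must be an object with properties, got %s" % type(value).__name__]
    problems = []
    unknown = set(value) - NTFS_EXT_PROPS
    if unknown:
        problems.append("unknown properties: %s" % sorted(unknown))
    if not NTFS_EXT_PROPS & set(value):
        problems.append("needs at least one of %s" % sorted(NTFS_EXT_PROPS))
    if "sid" in value and not isinstance(value["sid"], str):
        problems.append("sid must be a string")
    streams = value.get("alternate_data_streams", [])
    if not isinstance(streams, list):
        return problems + ["alternate_data_streams must be a list"]
    for i, stream in enumerate(streams):
        # Each entry is an alternate-data-stream-type object; 'name' is required.
        if not isinstance(stream, Mapping) or not isinstance(stream.get("name"), str):
            problems.append("alternate_data_streams[%d] needs a string 'name'" % i)
    return problems

def check_file_extensions(extensions):
    """Check the 'ntfs-ext' entry of a File 'extensions' dict; other keys are not inspected."""
    if "ntfs-ext" not in extensions:
        return []
    return check_ntfs_ext(extensions["ntfs-ext"])

# Constructed inputs: the dict from the issue, and the serialized form from the reply.
FROM_ISSUE = {"ntfs-ext": "exe"}
FROM_REPLY = {"ntfs-ext": {"alternate_data_streams": [{"name": "exe"}]}}

if __name__ == "__main__":
    for label, ext in (("issue", FROM_ISSUE), ("reply", FROM_REPLY)):
        print(label, check_file_extensions(ext) or "ok")
```

Running the same check over JSON received from another producer, before handing it to the library, turns the generic "Cannot determine extension type" failure into a message that names the malformed property.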