os-threat / Stix-ORM

GNU Affero General Public License v3.0

Fix Edge Case of Hashes in List of Sub Objects #45

Open brettforbes opened 11 months ago

brettforbes commented 11 months ago

When there is a list of sub-objects that each have hashes, the ORM doesn't handle the numbering properly between the lists, and so they fail.

Use this code to generate an example, assuming you have the right imports:

# Reproduction case: a single File whose NTFS extension holds a list of two
# alternate data streams, each carrying its own `hashes` dictionary.
# Assumes File, NTFSExt and AlternateDataStream are already imported
# (presumably from the stix2 library -- confirm against the project).
hash_dict1 = dict([
    ("MD5", "a92e5b2bae0b4b3a3d81c85610b95cd4"),
    ("SHA-1", "5374e08903744ceeaedd8f5e1bfc06b2c4688e76"),
])
hash_dict2 = dict([
    ("SHA-256", "35a01331e9ad96f751278b891b6ea09699806faedfa237d40513d92ad1b7100f"),
])

# First stream has two hash entries, second stream has one; both sit in the
# same list, which is the shape that triggers the numbering problem.
alt_data_stream1 = AlternateDataStream(
    name="first.stream",
    size=25536,
    hashes=hash_dict1,
)
alt_data_stream2 = AlternateDataStream(
    name="second.stream",
    size=25536,
    hashes=hash_dict2,
)

stream_list = [alt_data_stream1, alt_data_stream2]
ntfs_ext = NTFSExt(sid="1234567", alternate_data_streams=stream_list)

file_extensions = {"ntfs-ext": ntfs_ext}
file_K = File(name="foo_K.dll", size=25546, extensions=file_extensions)

# Emit the pretty-printed STIX JSON for the assembled object.
serialized = file_K.serialize(pretty=True)
print(serialized)

The generated STIX object will look like this:

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--f444836c-d52f-5951-80c6-047037c5e35a",
    "size": 25546,
    "name": "foo_K.dll",
    "extensions": {
        "ntfs-ext": {
            "sid": "1234567",
            "alternate_data_streams": [
                {
                    "name": "first.stream",
                    "hashes": {
                        "MD5": "a92e5b2bae0b4b3a3d81c85610b95cd4",
                        "SHA-1": "5374e08903744ceeaedd8f5e1bfc06b2c4688e76"
                    },
                    "size": 25536
                },
                {
                    "name": "second.stream",
                    "hashes": {
                        "SHA-256": "35a01331e9ad96f751278b891b6ea09699806faedfa237d40513d92ad1b7100f"
                    },
                    "size": 25536
                }
            ]
        }
    }
}

But when you try to import this, the numbering on the variables goes wrong, for example:


# TypeQL insert generated by the ORM for the file object above, kept exactly as
# emitted because it is the evidence for the bug.
# NOTE(review): the hash variables ($hash0, $hash_rel) appear once per
# alternate data stream within this single query; see the comments at the
# second occurrence near the end.
insert $file isa file,
 has stix-type $stix-type,
 has spec-version $spec-version,
 has stix-id $stix-id,
 has size $size,
 has name $name;

 $stix-type "file";
 $spec-version "2.1";
 $stix-id "file--f444836c-d52f-5951-80c6-047037c5e35a";
 $size 25546;
 $name "foo_K.dll";

 $ntfs-ext isa ntfs-ext,
 has sid $sid;

 $sid "1234567";

 $ntfs-extension0 (file:$file, ntfs:$ntfs-ext) isa ntfs-extension;

# The two list entries get distinct, correctly numbered variables
# ($alternate-data-stream0 and $alternate-data-stream1).
$alternate-data-stream0 isa alternate-data-stream,
 has name "first.stream",
 has size 25536;
$alternate-data-stream1 isa alternate-data-stream,
 has name "second.stream",
 has size 25536;

 $alt-data-streams (ntfs-ext:$ntfs-ext, alt-data-stream:$alternate-data-stream0, alt-data-stream:$alternate-data-stream1) isa alt-data-streams;
# Hashes of the first stream: $hash0 (md-5) and $hash1 (sha-1), linked to
# $alternate-data-stream0 through $hash_rel.
 $hash0 isa md-5, has hash-value "a92e5b2bae0b4b3a3d81c85610b95cd4";
 $hash1 isa sha-1, has hash-value "5374e08903744ceeaedd8f5e1bfc06b2c4688e76";

 $hash_rel (hash-owner:$alternate-data-stream0, hash-actual:$hash0, hash-actual:$hash1) isa hashes;
# Hashes of the second stream: the numbering starts again at $hash0, so the
# same variable is now also declared as sha-256 with a different hash-value.
# NOTE(review): presumably the hash counter is reset for each sub-object rather
# than shared across the whole query -- confirm in the ORM's hash handling.
 $hash0 isa sha-256, has hash-value "35a01331e9ad96f751278b891b6ea09699806faedfa237d40513d92ad1b7100f";

# $hash_rel is reused as well, now with $alternate-data-stream1 as hash-owner.
# With both names colliding, the query no longer states which hash values
# belong to which stream; each stream's hashes need variable names that are
# unique within the query.
 $hash_rel (hash-owner:$alternate-data-stream1, hash-actual:$hash0) isa hashes;```