Fix Edge Case of Hashes in List of Sub Objects #45

Open
brettforbes opened this issue Dec 5, 2023 · 0 comments

When there is a list of sub-objects that have hashes, the ORM doesn't handle the numbering properly between lists, and so they fail.

Use this code to generate an example, assuming you have the right imports:

```python
# Assumed imports: the STIX 2.1 observable classes from the stix2 library.
from stix2.v21 import AlternateDataStream, File, NTFSExt

# Two alternate data streams, each with its own hashes dictionary.
hash_dict1 = {
    "MD5": "a92e5b2bae0b4b3a3d81c85610b95cd4",
    "SHA-1": "5374e08903744ceeaedd8f5e1bfc06b2c4688e76",
}
hash_dict2 = {
    "SHA-256": "35a01331e9ad96f751278b891b6ea09699806faedfa237d40513d92ad1b7100f",
}
alt_data_stream1 = AlternateDataStream(name="first.stream", size=25536, hashes=hash_dict1)
alt_data_stream2 = AlternateDataStream(name="second.stream", size=25536, hashes=hash_dict2)

# Both streams go into one list of sub-objects on the NTFS extension.
ntfs_ext = NTFSExt(sid="1234567", alternate_data_streams=[alt_data_stream1, alt_data_stream2])
file_K = File(name="foo_K.dll", size=25546, extensions={"ntfs-ext": ntfs_ext})
print(file_K.serialize(pretty=True))
```

The generated STIX object will look like this:

```json
{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--f444836c-d52f-5951-80c6-047037c5e35a",
    "size": 25546,
    "name": "foo_K.dll",
    "extensions": {
        "ntfs-ext": {
            "sid": "1234567",
            "alternate_data_streams": [
                {
                    "name": "first.stream",
                    "hashes": {
                        "MD5": "a92e5b2bae0b4b3a3d81c85610b95cd4",
                        "SHA-1": "5374e08903744ceeaedd8f5e1bfc06b2c4688e76"
                    },
                    "size": 25536
                },
                {
                    "name": "second.stream",
                    "hashes": {
                        "SHA-256": "35a01331e9ad96f751278b891b6ea09699806faedfa237d40513d92ad1b7100f"
                    },
                    "size": 25536
                }
            ]
        }
    }
}
```

But when you try to import this, the numbering on the variables goes wrong, for example:

```
insert $file isa file,
 has stix-type $stix-type,
 has spec-version $spec-version,
 has stix-id $stix-id,
 has size $size,
 has name $name;

 $stix-type "file";
 $spec-version "2.1";
 $stix-id "file--f444836c-d52f-5951-80c6-047037c5e35a";
 $size 25546;
 $name "foo_K.dll";

 $ntfs-ext isa ntfs-ext,
 has sid $sid;

 $sid "1234567";

 $ntfs-extension0 (file:$file, ntfs:$ntfs-ext) isa ntfs-extension;


$alternate-data-stream0 isa alternate-data-stream,
 has name "first.stream",
 has size 25536;
$alternate-data-stream1 isa alternate-data-stream,
 has name "second.stream",
 has size 25536;

 $alt-data-streams (ntfs-ext:$ntfs-ext, alt-data-stream:$alternate-data-stream0, alt-data-stream:$alternate-data-stream1) isa alt-data-streams;
 $hash0 isa md-5, has hash-value "a92e5b2bae0b4b3a3d81c85610b95cd4";
 $hash1 isa sha-1, has hash-value "5374e08903744ceeaedd8f5e1bfc06b2c4688e76";

 $hash_rel (hash-owner:$alternate-data-stream0, hash-actual:$hash0, hash-actual:$hash1) isa hashes;
 $hash0 isa sha-256, has hash-value "35a01331e9ad96f751278b891b6ea09699806faedfa237d40513d92ad1b7100f";

 $hash_rel (hash-owner:$alternate-data-stream1, hash-actual:$hash0) isa hashes;
```

brettforbes self-assigned this Dec 5, 2023
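
An added example, not part of the original issue or the project's code: a check that flags variables declared more than once in a generated insert, run on the hash statements reported above, next to a hypothetical generator whose counters run across the whole sub-object list. The names `redeclared_variables` and `hash_statements` and the `$hash_relN` naming are assumptions.

```python
import re
from collections import Counter
from itertools import count

# STIX hash key -> TypeQL type, limited to the three types shown in the issue.
TYPEQL_HASH_TYPE = {"MD5": "md-5", "SHA-1": "sha-1", "SHA-256": "sha-256"}

# A variable declaration: "$name isa ..." or "$name (roles...) isa ...".
DECL = re.compile(r"^\s*\$([\w-]+)\s*(?:\([^)]*\)\s*)?isa\b", re.M)

def redeclared_variables(typeql):
    """Return the variable names declared with `isa` more than once."""
    counts = Counter(DECL.findall(typeql))
    return sorted(name for name, n in counts.items() if n > 1)

def hash_statements(owners):
    """Build hash statements for [(owner_variable, hashes_dict), ...].

    Both counters live outside the per-owner loop, so numbering continues
    across every sub-object in the list (hypothetical helper).
    """
    hash_ids, rel_ids = count(), count()
    lines = []
    for owner_var, hashes in owners:
        roles = [f"hash-owner:${owner_var}"]
        for stix_key, value in hashes.items():
            var = f"hash{next(hash_ids)}"
            lines.append(f'${var} isa {TYPEQL_HASH_TYPE[stix_key]}, has hash-value "{value}";')
            roles.append(f"hash-actual:${var}")
        lines.append(f"$hash_rel{next(rel_ids)} ({', '.join(roles)}) isa hashes;")
    return "\n".join(lines)

MD5 = "a92e5b2bae0b4b3a3d81c85610b95cd4"
SHA1 = "5374e08903744ceeaedd8f5e1bfc06b2c4688e76"
SHA256 = "35a01331e9ad96f751278b891b6ea09699806faedfa237d40513d92ad1b7100f"

# The hash statements from the failing insert in the issue.
REPORTED = f"""
 $hash0 isa md-5, has hash-value "{MD5}";
 $hash1 isa sha-1, has hash-value "{SHA1}";
 $hash_rel (hash-owner:$alternate-data-stream0, hash-actual:$hash0, hash-actual:$hash1) isa hashes;
 $hash0 isa sha-256, has hash-value "{SHA256}";
 $hash_rel (hash-owner:$alternate-data-stream1, hash-actual:$hash0) isa hashes;
"""
FIXED = hash_statements([("alternate-data-stream0", {"MD5": MD5, "SHA-1": SHA1}),
                         ("alternate-data-stream1", {"SHA-256": SHA256})])

if __name__ == "__main__":
    print("reported:", redeclared_variables(REPORTED))
    print("continuous numbering:", redeclared_variables(FIXED))
```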