Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
"""str: type indicator."""
return self.TYPE_INDICATOR
@abc.abstractmethod
def AsDict(self):
"""Represents a source type as a dictionary.
Returns:
dict[str, str]: source type attributes.
"""
class ArtifactGroupSourceType(SourceType):
"""Artifact group source type."""
TYPE_INDICATOR = definitions.TYPE_INDICATOR_ARTIFACT_GROUP
def __init__(self, names=None):
"""Initializes a source type.
Args:
names (Optional[str]): artifact definition names.
Raises:
FormatError: when artifact names is not set.
"""
if not names:
raise errors.FormatError('Missing names value.')
super(ArtifactGroupSourceType, self).__init__()
self.names = names
continue
decoded_artifact = artifacts.Artifact.from_primitive(decoded_artifact)
decoded_artifacts.append((decoded_artifact, snippet))
for decoded_artifact, artifact_text in decoded_artifacts:
artifact_reader = reader.YamlArtifactsReader()
definition = artifact_reader.ReadArtifactDefinitionValues(
decoded_artifact.to_primitive(False))
if is_definition_in_db(current, definition.name):
raise ValueError("Artifact name %s already in database." %
definition.name)
for source in definition.sources:
if (source.type_indicator ==
definitions.TYPE_INDICATOR_ARTIFACT_GROUP):
if not is_definition_in_db(current, source):
raise ValueError(
"Artifact group references %s which "
"is not known yet." % source)
db.artifacts.insert(
name=decoded_artifact.name,
artifact_text=artifact_text,
artifact=decoded_artifact)
return dict()
key_paths = {
key_value['key'] for key_value in source.key_value_pairs}
key_paths_string = ', '.join(key_paths)
logger.warning((
'Windows Registry values are not supported, extracting keys: '
'"{0!s}"').format(key_paths_string))
for key_path in key_paths:
if ArtifactDefinitionsFiltersHelper.CheckKeyCompatibility(key_path):
specifications = self._BuildFindSpecsFromRegistrySourceKey(key_path)
find_specs.extend(specifications)
self.registry_artifact_names.add(definition.name)
elif (source.type_indicator ==
artifact_types.TYPE_INDICATOR_ARTIFACT_GROUP):
for name in source.names:
specifications = self._BuildFindSpecsFromGroupName(
name, environment_variables)
find_specs.extend(specifications)
else:
logger.warning(
'Unsupported artifact definition source type: "{0:s}"'.format(
source.type_indicator))
return find_specs
Raises:
KeyError: if artifact definition is already set for the corresponding
name.
"""
artifact_definition_name = artifact_definition.name.lower()
if artifact_definition_name in self._artifact_definitions:
raise KeyError(
'Artifact definition already set for name: {0:s}.'.format(
artifact_definition.name))
self._artifact_definitions[artifact_definition_name] = artifact_definition
self._defined_artifact_names.add(artifact_definition.name)
for source in artifact_definition.sources:
if source.type_indicator == definitions.TYPE_INDICATOR_ARTIFACT_GROUP:
self._artifact_name_references.update(source.names)
Returns:
dict[str, str]: source type attributes.
"""
source_type_attributes = {'query': self.query}
if self.base_object:
source_type_attributes['base_object'] = self.base_object
return source_type_attributes
class SourceTypeFactory(object):
"""Source type factory."""
_source_type_classes = {
definitions.TYPE_INDICATOR_ARTIFACT_GROUP: ArtifactGroupSourceType,
definitions.TYPE_INDICATOR_COMMAND: CommandSourceType,
definitions.TYPE_INDICATOR_DIRECTORY: DirectorySourceType,
definitions.TYPE_INDICATOR_FILE: FileSourceType,
definitions.TYPE_INDICATOR_PATH: PathSourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY:
WindowsRegistryKeySourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE:
WindowsRegistryValueSourceType,
definitions.TYPE_INDICATOR_WMI_QUERY: WMIQuerySourceType,
}
@classmethod
def CreateSourceType(cls, type_indicator, attributes):
"""Creates a source type.
Args:
data = info.get(name)
if data is not None:
row[name] = field_type(data)
result.add_result(**row)
yield result
# This lookup table maps between source type name and concrete implementations
# that we support. Artifacts which contain sources which are not implemented
# will be ignored.
SOURCE_TYPES = {
TYPE_INDICATOR_REKALL: RekallEFilterArtifacts,
definitions.TYPE_INDICATOR_FILE: FileSourceType,
definitions.TYPE_INDICATOR_ARTIFACT_GROUP: ArtifactGroupSourceType,
definitions.TYPE_INDICATOR_WMI_QUERY: WMISourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY: RegistryKeySourceType,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE: RegistryValueSourceType,
}
class ArtifactDefinition(_FieldDefinitionValidator):
"""The main artifact class."""
def CheckLabels(self, art_definition):
"""Ensure labels are defined."""
labels = art_definition.get("labels", [])
# Keep unknown labels around in case callers want to check for complete
# label coverage. In most cases it is desirable to allow users to extend
# labels but when super strict validation is required we want to make
# sure that users dont typo a label.