idea.valid module

class idea.valid.AttachDict(init_data=None)[source]

Bases: abc.TypedDict

allow_unknown = True
typedef = {'ExternalURI': {'description': 'If content of attachment is available and/or recognizable from external source, this is list of defining URIs (usually URLs). May also be URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:mhr:55eaf7effadc07f866d1eaed9c64e7ee49fe081a", "magnet:?xt=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C".', 'type': <class 'abc.URI'>}, 'ContentID': {'description': 'If content of attachment is transferred separately (in underlaying container), this key contains list of external IDs of the content, so it can be paired back to message.', 'type': <class 'abc.String'>}, 'Content': {'description': 'Attachment content.', 'type': <class 'str'>}, 'Size': {'description': 'Length of the content.', 'type': <class 'int'>}, 'Ref': {'description': 'List of references to known sources, related to attack and/or vulnerability, specific to this attachment. May be URL of the additional info, or URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:clamav:Win.Trojan.Banker-14334".', 'type': <class 'abc.URI'>}, 'ContentEncoding': {'description': 'Encoding of the content, if feasible. Nonexistent key means native JSON encoding.', 'type': <function Encoding>}, 'ContentType': {'description': 'Internet Media Type of the attachment, according to [[http://tools.ietf.org/html/rfc2046|RFC 2046]] and related. 
Along with [[http://www.iana.org/assignments/media-types/media-types.xhtml|types standardized by IANA]] also non-standard but widely used media types can be used (for examples see [[http://www.freeformatter.com/mime-types-list.html|MIME types list at freeformatter.com]]).', 'type': <function MediaType>}, 'Hash': {'description': 'List of checksums of the content (for example "sha1:794467071687f7c59d033f4de5ece6b46415b633" or "md5:dc89f0b4ff9bd3b061dd66bb66c991b1").', 'type': <class 'abc.Hash'>}, 'FileName': {'description': 'List of filenames of the attached file.', 'type': <class 'abc.String'>}, 'Note': {'description': 'Free text human readable additional note.', 'type': <class 'str'>}, 'Handle': {'description': 'Message unique identifier for reference through Attach elements.', 'type': <function Handle>}, 'Type': {'description': 'List of attachment type tags.', 'type': <class 'abc.AttachmentTag'>}, 'ContentCharset': {'description': 'Name of the content character set according to [[http://www.iana.org/assignments/character-sets/character-sets.xhtml|IANA list]]. If key is not defined, unspecified binary encoding is assumed.', 'type': <function Charset>}}
idea.valid.AttachmentTag(s)
idea.valid.Charset(s)[source]
idea.valid.ConfidenceFloat(s)[source]
idea.valid.Duration(t)[source]
idea.valid.Encoding(s)[source]
idea.valid.EventTag(s)[source]
idea.valid.Handle(s)[source]
idea.valid.Hash(s)[source]
idea.valid.ID(s)[source]
class idea.valid.Idea(init_data=None)[source]

Bases: idea.base.IdeaBase

typedef = {'CeaseTime': {'description': 'Deduced end of the event/attack.', 'type': <function Timestamp>}, 'Source': {'description': 'List of dictionaries of information concerning particular source of the problem.', 'type': <class 'abc.SourceList'>}, 'PacketCount': {'description': 'Number of individual packets transferred.', 'type': <class 'int'>}, 'Note': {'description': 'Free text human readable additional note, possibly longer description of incident if not obvious.', 'type': <class 'str'>}, 'Confidence': {'description': 'Confidence of detector in its own reliability of this particular detection. (0 - surely false, 1 - no doubts). If key is not present, detector does not know (or has no capability to estimate the confidence).', 'type': <class 'float'>}, 'Target': {'description': 'List of dictionaries of information concerning particular target of the problem.', 'type': <class 'abc.TargetList'>}, 'ByteCount': {'description': 'Number of bytes transferred.', 'type': <class 'int'>}, 'CreateTime': {'description': 'Timestamp of the creation of the IDEA message. May point out delay between detection and processing of data.', 'type': <function Timestamp>}, 'WinStartTime': {'description': 'Beginning of aggregation window in which event has been observed.', 'type': <function Timestamp>}, 'Description': {'description': 'Short free text human readable description.', 'type': <class 'str'>}, 'Category': {'required': True, 'description': 'List of event categories.', 'type': <class 'abc.EventTag'>}, 'Node': {'description': 'List of detector or possible intermediary (event aggregator, correlator, etc.) descriptions, last visited first (as in e-mail Received headers).', 'type': <class 'abc.NodeList'>}, 'AggrID': {'description': 'List of identifiers of messages, which are aggregated into more concise form by this message. 
Should be sent mostly by intermediary nodes, which detect duplicates, or aggregate events, spanning multiple detection windows, into one longer.', 'type': <class 'abc.ID'>}, 'AltNames': {'description': 'List of alternative identifiers; strings which help to pair the event to internal system information (for example tickets in request tracker systems).', 'type': <class 'abc.String'>}, 'CorrelID': {'description': 'List of identifiers of messages, which are information sources for creation of this message in case the message has been created based on correlation/analysis/deduction of other messages.', 'type': <class 'abc.ID'>}, 'Attach': {'description': 'Array of additional attachments information and data.', 'type': <class 'abc.AttachList'>}, 'PredID': {'description': 'List of identifiers of messages, which are obsoleted and information in them is replaced by this message. Should be sent only by detection nodes to incorporate further data about ongoing event.', 'type': <class 'abc.ID'>}, 'FlowCount': {'description': 'Number of individual simplex (one direction) flows.', 'type': <class 'int'>}, 'Ref': {'description': 'List of references to known sources, related to attack and/or vulnerability. May be URL of the additional info, or URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:cve:CVE-2013-5634".', 'type': <class 'abc.URI'>}, 'Format': {'required': True, 'description': 'Identifier of the IDEA container.', 'type': <function Version>}, 'RelID': {'description': 'List of otherwise related messages identifiers.', 'type': <class 'abc.ID'>}, 'DetectTime': {'required': True, 'description': 'Timestamp of the moment of detection of event (not necessarily time of the event taking place). 
This timestamp is mandatory, because every detector is able to know when it detected the information - for example when line about event appeared in the logfile, or when its information source says the event was detected, or at least when it accepted the information from the source.', 'type': <function Timestamp>}, 'EventTime': {'description': 'Deduced start of the event/attack, or just time of the event if it is solitary.', 'type': <function Timestamp>}, 'ConnCount': {'description': 'Number of individual connections attempted or taken place.', 'type': <class 'int'>}, 'ID': {'required': True, 'description': 'Unique message identifier.', 'type': <function ID>}, 'WinEndTime': {'description': 'End of aggregation window in which event has been observed.', 'type': <function Timestamp>}}
idea.valid.MAC(s)[source]
idea.valid.MediaType(s)[source]
idea.valid.NSID(s)[source]
idea.valid.Net4(s)[source]
idea.valid.Net6(s)[source]
idea.valid.Netname(s)[source]
class idea.valid.NodeDict(init_data=None)[source]

Bases: abc.TypedDict

allow_unknown = True
typedef = {'Name': {'description': 'Name of the detector, which must be reasonably unique, however still bear some meaningful sense. Usually denotes hierarchy of organisational units which detector belongs to and its own name.', 'type': <function NSID>}, 'Type': {'description': 'List of tags, describing various facets of the detector.', 'type': <class 'abc.NodeTag'>}, 'Note': {'description': 'Free text human readable additional description.', 'type': <class 'str'>}, 'AggrWin': {'description': 'The size of the aggregation window, if applicable.', 'type': <function Duration>}, 'SW': {'description': 'List of the names of the detection software (optionally including version). For example "labrea-2.5-stable-1" or "HP TippingPoint 7500NX".', 'type': <class 'abc.String'>}}
idea.valid.NodeTag(s)
idea.valid.Port(s)[source]
idea.valid.ProtocolName(s)[source]
class idea.valid.SourceTargetDict(init_data=None)[source]

Bases: abc.TypedDict

allow_unknown = True
typedef = {'IP6': {'description': 'List of IPv6 addresses of this source/target.', 'type': <class 'abc.Net6'>}, 'IP4': {'description': 'List of IPv4 addresses of this source/target.', 'type': <class 'abc.Net4'>}, 'Proto': {'description': 'List of protocols, concerning connections from/to this source/target.', 'type': <class 'abc.ProtocolName'>}, 'Ref': {'description': 'List of references to known sources, related to attack and/or vulnerability, specific to this source/target. May be URL of the additional info, or URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:cve:CVE-2013-2266".', 'type': <class 'abc.URI'>}, 'ASN': {'description': 'List of autonomous system numbers of this source/target.', 'type': <class 'abc.Integer'>}, 'URL': {'description': 'List of Unified Resource Locator of this source/target. Should be formatted according to [[http://tools.ietf.org/html/rfc1738|RFC 1738]], [[http://tools.ietf.org/html/rfc1808|RFC 1808]] and related, however may not conform exactly, because values, extracted from logs, messages, etc. may themselves be malformed.', 'type': <class 'abc.String'>}, 'AttachHand': {'description': 'List of identifiers of attachments related to this source/target - contain "Handle"s of related attachments.', 'type': <class 'abc.Handle'>}, 'Port': {'description': 'List of source or destination ports affected.', 'type': <class 'abc.Port'>}, 'Note': {'description': 'Free text human readable additional note.', 'type': <class 'str'>}, 'Email': {'description': 'List of email address (for example Reply-To address in phishing message). Should be formatted according to [[http://tools.ietf.org/html/rfc5322#section-3.4|RFC 5322, section 3.4]] and related, however may not conform exactly, because values, extracted from logs, messages, DNS, etc. 
may themselves be malformed.', 'type': <class 'abc.String'>}, 'Hostname': {'description': 'List of hostnames of this source/target. Should be FQDN, but may not conform exactly, because values, extracted from logs, messages, DNS, etc. may themselves be malformed. Empty array can be used to explicitly indicate that value has been inquired and not found (missing DNS name).', 'type': <class 'abc.String'>}, 'Spoofed': {'description': 'Establishes whether this source/target is forged.', 'type': <class 'bool'>}, 'Anonymised': {'description': 'Establishes whether this source/target is willingly incomplete.', 'type': <class 'bool'>}, 'MAC': {'description': 'List of MAC addresses of this source/target.', 'type': <class 'abc.MAC'>}, 'Type': {'description': 'List of source/target categories.', 'type': <class 'abc.SourceTargetTag'>}, 'Router': {'description': 'List of router/interface path information. Intentionally organisation specific, router identifiers have usually no clear meaning outside organisational unit.', 'type': <class 'abc.String'>}, 'Imprecise': {'description': 'Establishes whether this source/target is knowingly imprecise.', 'type': <class 'bool'>}, 'Netname': {'description': 'List of RIR database reference network identifier (for example "ripe:CESNET-BB2" or "arin:WETEMAA"). Common network identifiers are: ripe, arin, apnic, lacnic, afrinic. Empty array can be used to explicitly indicate that value has been inquired and not found (IP address from unassigned block).', 'type': <class 'abc.Netname'>}}
idea.valid.SourceTargetTag(s)[source]
idea.valid.Timestamp(t)[source]
idea.valid.URI(s)[source]
idea.valid.Version(s)[source]
idea.valid.ip4_to_int(ip)[source]
idea.valid.ip6_to_int(ip)[source]