idea.lite module

class idea.lite.AttachDict(init_data=None)[source]

Bases: abc.TypedDict

allow_unknown = True
typedef = {'Content': {'type': <class 'str'>, 'description': 'Attachment content.'}, 'ContentCharset': {'type': <function Charset at 0x7f7f14cdfd90>, 'description': 'Name of the content character set according to [[http://www.iana.org/assignments/character-sets/character-sets.xhtml|IANA list]]. If key is not defined, unspecified binary encoding is assumed.'}, 'ContentEncoding': {'type': <function Encoding at 0x7f7f14cdfe18>, 'description': 'Encoding of the content, if feasible. Nonexistent key means native JSON encoding.'}, 'ContentID': {'type': <class 'abc.String'>, 'description': 'If content of attachment is transferred separately (in underlying container), this key contains list of external IDs of the content, so it can be paired back to message.'}, 'ContentType': {'type': <function MediaType at 0x7f7f14cdfd08>, 'description': 'Internet Media Type of the attachment, according to [[http://tools.ietf.org/html/rfc2046|RFC 2046]] and related. Along with [[http://www.iana.org/assignments/media-types/media-types.xhtml|types standardized by IANA]] also non standard but widely used media types can be used (for examples see [[http://www.freeformatter.com/mime-types-list.html|MIME types list at freeformatter.com]]).'}, 'ExternalURI': {'type': <class 'abc.URI'>, 'description': 'If content of attachment is available and/or recognizable from external source, this is list of defining URIs (usually URLs). 
May also be URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:mhr:55eaf7effadc07f866d1eaed9c64e7ee49fe081a", "magnet:?xt=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C".'}, 'FileName': {'type': <class 'abc.String'>, 'description': 'List of filenames of the attached file.'}, 'Handle': {'type': <function Handle at 0x7f7f14cdfea0>, 'description': 'Message unique identifier for reference through Attach elements.'}, 'Hash': {'type': <class 'abc.Hash'>, 'description': 'List of checksums of the content (for example "sha1:794467071687f7c59d033f4de5ece6b46415b633" or "md5:dc89f0b4ff9bd3b061dd66bb66c991b1").'}, 'Note': {'type': <class 'str'>, 'description': 'Free text human readable additional note.'}, 'Ref': {'type': <class 'abc.URI'>, 'description': 'List of references to known sources, related to attack and/or vulnerability, specific to this attachment. May be URL of the additional info, or URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:clamav:Win.Trojan.Banker-14334".'}, 'Size': {'type': <class 'int'>, 'description': 'Length of the content.'}, 'Type': {'type': <class 'abc.AttachmentTag'>, 'description': 'List of attachment type tags.'}}
idea.lite.AttachmentTag(s)
idea.lite.Charset(s)[source]
idea.lite.ConfidenceFloat(s)[source]
idea.lite.Duration(t)[source]
idea.lite.Encoding(s)[source]
idea.lite.EventTag(s)[source]
idea.lite.Handle(s)[source]
idea.lite.Hash(s)[source]
idea.lite.ID(s)[source]
class idea.lite.Idea(init_data=None)[source]

Bases: idea.base.IdeaBase

static json_default(o)[source]
typedef = {'AggrID': {'type': <class 'abc.ID'>, 'description': 'List of identifiers of messages, which are aggregated into more concise form by this message. Should be sent mostly by intermediary nodes, which detect duplicates, or aggregate events, spanning multiple detection windows, into one longer.'}, 'AltNames': {'type': <class 'abc.String'>, 'description': 'List of alternative identifiers; strings which help to pair the event to internal system information (for example tickets in request tracker systems).'}, 'Attach': {'type': <class 'abc.AttachList'>, 'description': 'Array of additional attachments information and data.'}, 'ByteCount': {'type': <class 'int'>, 'description': 'Number of bytes transferred.'}, 'Category': {'type': <class 'abc.EventTag'>, 'required': True, 'description': 'List of event categories.'}, 'CeaseTime': {'type': <function Timestamp at 0x7f7f14ce1048>, 'description': 'Deduced end of the event/attack.'}, 'Confidence': {'type': <class 'float'>, 'description': 'Confidence of detector in its own reliability of this particular detection. (0 - surely false, 1 - no doubts). If key is not presented, detector does not know (or has no capability to estimate the confidence).'}, 'ConnCount': {'type': <class 'int'>, 'description': 'Number of individual connections attempted or taken place.'}, 'CorrelID': {'type': <class 'abc.ID'>, 'description': 'List of identifiers of messages, which are information sources for creation of this message in case the message has been created based on correlation/analysis/deduction of other messages.'}, 'CreateTime': {'type': <function Timestamp at 0x7f7f14ce1048>, 'description': 'Timestamp of the creation of the IDEA message. 
May point out delay between detection and processing of data.'}, 'Description': {'type': <class 'str'>, 'description': 'Short free text human readable description.'}, 'DetectTime': {'type': <function Timestamp at 0x7f7f14ce1048>, 'required': True, 'description': 'Timestamp of the moment of detection of event (not necessarily time of the event taking place). This timestamp is mandatory, because every detector is able to know when it detected the information - for example when line about event appeared in the logfile, or when its information source says the event was detected, or at least when it accepted the information from the source.'}, 'EventTime': {'type': <function Timestamp at 0x7f7f14ce1048>, 'description': 'Deduced start of the event/attack, or just time of the event if it is solitary.'}, 'FlowCount': {'type': <class 'int'>, 'description': 'Number of individual simplex (one direction) flows.'}, 'Format': {'type': <function Version at 0x7f7f14d73510>, 'default': 'IDEA0', 'required': True, 'description': 'Identifier of the IDEA container.'}, 'ID': {'type': <function ID at 0x7f7f14cdff28>, 'default': <function <lambda> at 0x7f7f14ce17b8>, 'required': True, 'description': 'Unique message identifier.'}, 'Node': {'type': <class 'abc.NodeList'>, 'description': 'List of detector or possible intermediary (event aggregator, correlator, etc.) descriptions, last visited first (as in e-mail Received headers).'}, 'Note': {'type': <class 'str'>, 'description': 'Free text human readable additional note, possibly longer description of incident if not obvious.'}, 'PacketCount': {'type': <class 'int'>, 'description': 'Number of individual packets transferred.'}, 'PredID': {'type': <class 'abc.ID'>, 'description': 'List of identifiers of messages, which are obsoleted and information in them is replaced by this message. 
Should be sent only by detection nodes to incorporate further data about ongoing event.'}, 'Ref': {'type': <class 'abc.URI'>, 'description': 'List of references to known sources, related to attack and/or vulnerability. May be URL of the additional info, or URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:cve:CVE-2013-5634".'}, 'RelID': {'type': <class 'abc.ID'>, 'description': 'List of otherwise related messages identifiers.'}, 'Source': {'type': <class 'abc.SourceList'>, 'description': 'List of dictionaries of information concerning particular source of the problem.'}, 'Target': {'type': <class 'abc.TargetList'>, 'description': 'List of dictionaries of information concerning particular target of the problem.'}, 'WinEndTime': {'type': <function Timestamp at 0x7f7f14ce1048>, 'description': 'End of aggregation window in which event has been observed.'}, 'WinStartTime': {'type': <function Timestamp at 0x7f7f14ce1048>, 'description': 'Beginning of aggregation window in which event has been observed.'}}
idea.lite.MAC(s)[source]
idea.lite.MediaType(s)[source]
idea.lite.NSID(s)[source]
idea.lite.Net4(ip)[source]
idea.lite.Net6(ip)[source]
idea.lite.Netname(s)[source]
class idea.lite.NodeDict(init_data=None)[source]

Bases: abc.TypedDict

allow_unknown = True
typedef = {'AggrWin': {'type': <function Duration at 0x7f7f14ce10d0>, 'description': 'The size of the aggregation window, if applicable.'}, 'Name': {'type': <function NSID at 0x7f7f14ce12f0>, 'description': 'Name of the detector, which must be reasonably unique, however still bear some meaningful sense. Usually denotes hierarchy of organisational units which detector belongs to and its own name.'}, 'Note': {'type': <class 'str'>, 'description': 'Free text human readable additional description.'}, 'SW': {'type': <class 'abc.String'>, 'description': 'List of the names of the detection software (optionally including version). For example "labrea-2.5-stable-1" or "HP TippingPoint 7500NX".'}, 'Type': {'type': <class 'abc.NodeTag'>, 'description': 'List of tags, describing various facets of the detector.'}}
idea.lite.NodeTag(s)
idea.lite.Port(s)[source]
idea.lite.ProtocolName(s)[source]
class idea.lite.SourceTargetDict(init_data=None)[source]

Bases: abc.TypedDict

allow_unknown = True
typedef = {'ASN': {'type': <class 'abc.Integer'>, 'description': 'List of autonomous system numbers of this source/target.'}, 'Anonymised': {'type': <class 'bool'>, 'description': 'Establishes whether this source/target is willingly incomplete.'}, 'AttachHand': {'type': <class 'abc.Handle'>, 'description': 'List of identifiers of attachments related to this source/target - contain "Handle"s of related attachments.'}, 'Email': {'type': <class 'abc.String'>, 'description': 'List of email addresses (for example Reply-To address in phishing message). Should be formatted according to [[http://tools.ietf.org/html/rfc5322#section-3.4|RFC 5322, section 3.4]] and related, however may not conform exactly, because values, extracted from logs, messages, DNS, etc. may themselves be malformed.'}, 'Hostname': {'type': <class 'abc.String'>, 'description': 'List of hostnames of this source/target. Should be FQDN, but may not conform exactly, because values, extracted from logs, messages, DNS, etc. may themselves be malformed. Empty array can be used to explicitly indicate that value has been inquired and not found (missing DNS name).'}, 'IP4': {'type': <class 'abc.Net4'>, 'description': 'List of IPv4 addresses of this source/target.'}, 'IP6': {'type': <class 'abc.Net6'>, 'description': 'List of IPv6 addresses of this source/target.'}, 'Imprecise': {'type': <class 'bool'>, 'description': 'Establishes whether this source/target is knowingly imprecise.'}, 'MAC': {'type': <class 'abc.MAC'>, 'description': 'List of MAC addresses of this source/target.'}, 'Netname': {'type': <class 'abc.Netname'>, 'description': 'List of RIR database reference network identifier (for example "ripe:CESNET-BB2" or "arin:WETEMAA"). Common network identifiers are: ripe, arin, apnic, lacnic, afrinic. 
Empty array can be used to explicitly indicate that value has been inquired and not found (IP address from unassigned block).'}, 'Note': {'type': <class 'str'>, 'description': 'Free text human readable additional note.'}, 'Port': {'type': <class 'abc.Port'>, 'description': 'List of source or destination ports affected.'}, 'Proto': {'type': <class 'abc.ProtocolName'>, 'description': 'List of protocols, concerning connections from/to this source/target.'}, 'Ref': {'type': <class 'abc.URI'>, 'description': 'List of references to known sources, related to attack and/or vulnerability, specific to this source/target. May be URL of the additional info, or URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:cve:CVE-2013-2266".'}, 'Router': {'type': <class 'abc.String'>, 'description': 'List of router/interface path information. Intentionally organisation specific, router identifiers have usually no clear meaning outside organisational unit.'}, 'Spoofed': {'type': <class 'bool'>, 'description': 'Establishes whether this source/target is forged.'}, 'Type': {'type': <class 'abc.SourceTargetTag'>, 'description': 'List of source/target categories.'}, 'URL': {'type': <class 'abc.String'>, 'description': 'List of Uniform Resource Locators of this source/target. Should be formatted according to [[http://tools.ietf.org/html/rfc1738|RFC 1738]], [[http://tools.ietf.org/html/rfc1808|RFC 1808]] and related, however may not conform exactly, because values, extracted from logs, messages, etc. may themselves be malformed.'}}
idea.lite.SourceTargetTag(s)[source]
idea.lite.Timestamp(t)[source]
idea.lite.URI(s)[source]
idea.lite.Version(s)[source]