synapse 2.154.1__py311-none-any.whl → 2.156.0__py311-none-any.whl

synapse/models/inet.py

@@ -1,4 +1,5 @@
 import socket
+import asyncio
 import hashlib
 import logging
 import ipaddress
@@ -7,6 +8,7 @@ import urllib.parse
 
 import idna
 import regex
+import collections
 import unicodedata
 
 import synapse.exc as s_exc
@@ -479,10 +481,20 @@ class IPv4(s_types.Type):
         return minv, maxv
 
     def getCidrRange(self, text):
-        addr, mask = text.split('/', 1)
+        addr, mask_str = text.split('/', 1)
         norm, info = self.norm(addr)
 
-        mask = cidrmasks[int(mask)]
+        try:
+            mask_int = int(mask_str)
+        except ValueError:
+            raise s_exc.BadTypeValu(valu=text, name=self.name,
+                                    mesg=f'Invalid CIDR Mask "{text}"')
+
+        if mask_int > 32 or mask_int < 0:
+            raise s_exc.BadTypeValu(valu=text, name=self.name,
+                                    mesg=f'Invalid CIDR Mask "{text}"')
+
+        mask = cidrmasks[mask_int]
 
         minv = norm & mask[0]
         return minv, minv + mask[1]
@@ -1008,39 +1020,50 @@ class InetModule(s_module.CoreModule):
         fqdn = node.ndef[1]
         domain = node.get('domain')
 
-        if domain is None:
-            await node.set('iszone', False)
-            await node.set('issuffix', True)
-            return
+        async with node.snap.getEditor() as editor:
+            protonode = editor.loadNode(node)
+            if domain is None:
+                await protonode.set('iszone', False)
+                await protonode.set('issuffix', True)
+                return
 
-        if node.get('issuffix') is None:
-            await node.set('issuffix', False)
+            if protonode.get('issuffix') is None:
+                await protonode.set('issuffix', False)
 
-        # almost certainly in the cache anyway....
-        parent = await node.snap.addNode('inet:fqdn', domain)
+            parent = await node.snap.getNodeByNdef(('inet:fqdn', domain))
+            if parent is None:
+                parent = await editor.addNode('inet:fqdn', domain)
 
-        if parent.get('issuffix'):
-            await node.set('iszone', True)
-            await node.set('zone', fqdn)
-            return
+            if parent.get('issuffix'):
+                await protonode.set('iszone', True)
+                await protonode.set('zone', fqdn)
+                return
 
-        await node.set('iszone', False)
+            await protonode.set('iszone', False)
 
-        if parent.get('iszone'):
-            await node.set('zone', domain)
-            return
+            if parent.get('iszone'):
+                await protonode.set('zone', domain)
+                return
 
-        zone = parent.get('zone')
-        if zone is not None:
-            await node.set('zone', zone)
+            zone = parent.get('zone')
+            if zone is not None:
+                await protonode.set('zone', zone)
 
     async def _onSetFqdnIsSuffix(self, node, oldv):
 
         fqdn = node.ndef[1]
 
         issuffix = node.get('issuffix')
-        async for child in node.snap.nodesByPropValu('inet:fqdn:domain', '=', fqdn):
-            await child.set('iszone', issuffix)
+
+        async with node.snap.getEditor() as editor:
+            async for child in node.snap.nodesByPropValu('inet:fqdn:domain', '=', fqdn):
+                await asyncio.sleep(0)
+
+                if child.get('iszone') == issuffix:
+                    continue
+
+                protonode = editor.loadNode(child)
+                await protonode.set('iszone', issuffix)
 
     async def _onSetFqdnIsZone(self, node, oldv):
 
@@ -1069,17 +1092,24 @@ class InetModule(s_module.CoreModule):
 
     async def _onSetFqdnZone(self, node, oldv):
 
-        fqdn = node.ndef[1]
+        todo = collections.deque([node.ndef[1]])
         zone = node.get('zone')
 
-        async for child in node.snap.nodesByPropValu('inet:fqdn:domain', '=', fqdn):
+        async with node.snap.getEditor() as editor:
+            while todo:
+                fqdn = todo.pop()
+                async for child in node.snap.nodesByPropValu('inet:fqdn:domain', '=', fqdn):
+                    await asyncio.sleep(0)
+
+                    # if they are their own zone level, skip
+                    if child.get('iszone') or child.get('zone') == zone:
+                        continue
 
-            # if they are their own zone level, skip
-            if child.get('iszone'):
-                continue
+                    # the have the same zone we do
+                    protonode = editor.loadNode(child)
+                    await protonode.set('zone', zone)
 
-            # the have the same zone we do
-            await child.set('zone', zone)
+                    todo.append(child.ndef[1])
 
     def getModelDefs(self):
         return (

synapse/models/infotech.py

@@ -222,6 +222,13 @@ tlplevels = (
     (50, 'red'),
 )
 
+suslevels = (
+    (10, 'benign'),
+    (20, 'unknown'),
+    (30, 'suspicious'),
+    (40, 'malicious'),
+)
+
 # The published Attack Flow json schema at the below URL is horribly
 # broken. It depends on some custom python scripting to validate each
 # object individually against the schema for each object's type instead
@@ -401,6 +408,10 @@ class ItModule(s_module.CoreModule):
                     'doc': 'A Mitre ATT&CK Software ID.',
                     'ex': 'S0154',
                 }),
+                ('it:mitre:attack:campaign', ('str', {'regex': r'^C[0-9]{4}$'}), {
+                    'doc': 'A Mitre ATT&CK Campaign ID.',
+                    'ex': 'C0028',
+                }),
                 ('it:mitre:attack:flow', ('guid', {}), {
                     'doc': 'A Mitre ATT&CK Flow diagram.',
                 }),
@@ -483,7 +494,8 @@ class ItModule(s_module.CoreModule):
                 ('it:adid', ('str', {'lower': True, 'strip': True}), {
                     'doc': 'An advertising identification string.'}),
 
-                ('it:os:windows:sid', ('str', {'regex': r'^S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3}$'}), {
+                # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/c92a27b1-c772-4fa7-a432-15df5f1b66a1
+                ('it:os:windows:sid', ('str', {'regex': r'^S-1-(?:\d{1,10}|0x[0-9a-fA-F]{12})(?:-(?:\d+|0x[0-9a-fA-F]{2,}))*$'}), {
                     'doc': 'A Microsoft Windows Security Identifier.',
                     'ex': 'S-1-5-21-1220945662-1202665555-839525555-5555',
                 }),
@@ -542,18 +554,25 @@ class ItModule(s_module.CoreModule):
                 ('it:hostsoft', ('comp', {'fields': (('host', 'it:host'), ('softver', 'it:prod:softver'))}), {
                    'doc': 'A version of a software product which is present on a given host.',
                 }),
+
                 ('it:av:sig', ('comp', {'fields': (('soft', 'it:prod:soft'), ('name', 'it:av:signame'))}), {
-                   'doc': 'A signature name within the namespace of an antivirus engine name.'
+                    'deprecated': True,
+                    'doc': 'Deprecated. Please use it:av:scan:result.'
                 }),
                 ('it:av:signame', ('str', {'lower': True}), {
-                    'doc': 'An antivirus signature name.',
-                }),
+                    'doc': 'An antivirus signature name.'}),
+
+                ('it:av:scan:result', ('guid', {}), {
+                    'doc': 'The result of running an antivirus scanner.'}),
+
                 ('it:av:filehit', ('comp', {'fields': (('file', 'file:bytes'), ('sig', 'it:av:sig'))}), {
-                    'doc': 'A file that triggered an alert on a specific antivirus signature.',
-                }),
+                    'deprecated': True,
+                    'doc': 'Deprecated. Please use it:av:scan:result.'}),
+
                 ('it:av:prochit', ('guid', {}), {
-                    'doc': 'An instance of a process triggering an alert on a specific antivirus signature.'
-                }),
+                    'deprecated': True,
+                    'doc': 'Deprecated. Please use it:av:scan:result.'}),
+
                 ('it:auth:passwdhash', ('guid', {}), {
                     'doc': 'An instance of a password hash.',
                 }),
@@ -1241,6 +1260,50 @@ class ItModule(s_module.CoreModule):
                         'doc': 'An array of ATT&CK technique IDs addressed by the mitigation.',
                     }),
                 )),
+                ('it:mitre:attack:campaign', {}, (
+                    ('name', ('ou:campname', {}), {
+                        'doc': 'The primary name for the ATT&CK campaign.',
+                    }),
+                    ('names', ('array', {'type': 'ou:campname', 'uniq': True, 'sorted': True}), {
+                        'doc': 'An array of alternate names for the ATT&CK campaign.',
+                    }),
+                    ('desc', ('str', {'strip': True}), {
+                        'doc': 'A description of the ATT&CK campaign.',
+                        'disp': {'hint': 'text'},
+                    }),
+                    ('url', ('inet:url', {}), {
+                        'doc': 'The URL that documents the ATT&CK campaign.',
+                    }),
+                    ('groups', ('array', {'type': 'it:mitre:attack:group',
+                                             'uniq': True, 'sorted': True, 'split': ','}), {
+                        'doc': 'An array of ATT&CK group IDs attributed to the campaign.',
+                    }),
+                    ('software', ('array', {'type': 'it:mitre:attack:software',
+                                             'uniq': True, 'sorted': True, 'split': ','}), {
+                        'doc': 'An array of ATT&CK software IDs used in the campaign.',
+                    }),
+                    ('techniques', ('array', {'type': 'it:mitre:attack:technique',
+                                             'uniq': True, 'sorted': True, 'split': ','}), {
+                        'doc': 'An array of ATT&CK technique IDs used in the campaign.',
+                    }),
+                    ('matrices', ('array', {'type': 'it:mitre:attack:matrix',
+                                            'uniq': True, 'sorted': True, 'split': ','}), {
+                        'doc': 'The ATT&CK matrices which define the campaign.',
+                    }),
+                    ('references', ('array', {'type': 'inet:url', 'uniq': True}), {
+                        'doc': 'An array of URLs that document the ATT&CK campaign.',
+                    }),
+                    ('period', ('ival', {}), {
+                        'doc': 'The time interval when the campaign was active.'}),
+                    ('created', ('time', {}), {
+                        'doc': 'The time that the campaign was created by Mitre.'}),
+                    ('updated', ('time', {}), {
+                        'doc': 'The time that the campaign was last updated by Mitre.'}),
+                    ('tag', ('syn:tag', {}), {
+                        'doc': 'The synapse tag used to annotate nodes included in this ATT&CK campaign.',
+                        'ex': 'cno.mitre.c0028',
+                    }),
+                )),
                 ('it:mitre:attack:flow', {}, (
                     ('name', ('str', {}), {
                         'doc': 'The name of the attack-flow diagram.'}),
@@ -1743,6 +1806,63 @@ class ItModule(s_module.CoreModule):
                 )),
                 ('it:av:signame', {}, ()),
 
+                ('it:av:scan:result', {}, (
+
+                    ('time', ('time', {}), {
+                        'doc': 'The time the scan was run.'}),
+
+                    ('verdict', ('int', {'enums': suslevels}), {
+                        'doc': 'The scanner provided verdict for the scan.'}),
+
+                    ('scanner', ('it:prod:softver', {}), {
+                        'doc': 'The scanner software used to produce the result.'}),
+
+                    ('scanner:name', ('it:prod:softname', {}), {
+                        'doc': 'The name of the scanner software.'}),
+
+                    ('signame', ('it:av:signame', {}), {
+                        'doc': 'The name of the signature returned by the scanner.'}),
+
+                    ('target:file', ('file:bytes', {}), {
+                        'doc': 'The file that was scanned to produce the result.'}),
+
+                    ('target:proc', ('it:exec:proc', {}), {
+                        'doc': 'The process that was scanned to produce the result.'}),
+
+                    ('target:host', ('it:host', {}), {
+                        'doc': 'The host that was scanned to produce the result.'}),
+
+                    ('target:fqdn', ('inet:fqdn', {}), {
+                        'doc': 'The FQDN that was scanned to produce the result.'}),
+
+                    ('target:url', ('inet:url', {}), {
+                        'doc': 'The URL that was scanned to produce the result.'}),
+
+                    ('target:ipv4', ('inet:ipv4', {}), {
+                        'doc': 'The IPv4 address that was scanned to produce the result.'}),
+
+                    ('target:ipv6', ('inet:ipv6', {}), {
+                        'doc': 'The IPv6 address that was scanned to produce the result.'}),
+
+                    ('multi:scan', ('it:av:scan:result', {}), {
+                        'doc': 'Set if this result was part of running multiple scanners.'}),
+
+                    ('multi:count', ('int', {'min': 0}), {
+                        'doc': 'The total number of scanners which were run by a multi-scanner'}),
+
+                    ('multi:count:benign', ('int', {'min': 0}), {
+                        'doc': 'The number of scanners which returned a benign verdict.'}),
+
+                    ('multi:count:unknown', ('int', {'min': 0}), {
+                        'doc': 'The number of scanners which returned a unknown/unsupported verdict.'}),
+
+                    ('multi:count:suspicious', ('int', {'min': 0}), {
+                        'doc': 'The number of scanners which returned a suspicious verdict.'}),
+
+                    ('multi:count:malicious', ('int', {'min': 0}), {
+                        'doc': 'The number of scanners which returned a malicious verdict.'}),
+                )),
+
                 ('it:av:filehit', {}, (
                     ('file', ('file:bytes', {}), {
                         'ro': True,
@@ -1863,6 +1983,8 @@ class ItModule(s_module.CoreModule):
                         'doc': 'The URL of the API endpoint the query was sent to.'}),
                     ('language', ('str', {'lower': True, 'onespace': True}), {
                         'doc': 'The name of the language that the query is expressed in.'}),
+                    ('offset', ('int', {}), {
+                        'doc': 'The offset of the last record consumed from the query.'}),
                 )),
                 ('it:exec:thread', {}, (
                     ('proc', ('it:exec:proc', {}), {

synapse/models/orgs.py

@@ -503,6 +503,9 @@ class OuModule(s_module.CoreModule):
 
                     ('tag', ('syn:tag', {}), {
                         'doc': 'The tag used to annotate nodes that are associated with the campaign.'}),
+
+                    ('mitre:attack:campaign', ('it:mitre:attack:campaign', {}), {
+                        'doc': 'A mapping to a Mitre ATT&CK campaign if applicable.'}),
                 )),
                 ('ou:conflict', {}, (
                     ('name', ('str', {'onespace': True}), {

synapse/models/proj.py

@@ -185,6 +185,9 @@ class ProjectModule(s_module.CoreModule):
                         ('ext:creator', ('ps:contact', {}), {
                             'doc': 'Ticket creator contact information from an external system.'}),
 
+                        ('ext:assignee', ('ps:contact', {}), {
+                            'doc': 'Ticket assignee contact information from an external system.'}),
+
                         ('epic', ('proj:epic', {}), {
                             'doc': 'The epic that includes the ticket.'}),
 

synapse/models/risk.py

@@ -115,6 +115,8 @@ class RiskModule(s_module.CoreModule):
                 ('risk:extortion:type:taxonomy', ('taxonomy', {}), {
                     'interfaces': ('taxonomy',),
                     'doc': 'A taxonomy of extortion event types.'}),
+                ('risk:technique:masquerade', ('guid', {}), {
+                    'doc': 'Represents the assessment that a node is designed to resemble another in order to mislead.'}),
             ),
             'edges': (
                 # some explicit examples...
@@ -337,6 +339,9 @@ class RiskModule(s_module.CoreModule):
                     ('timeline:exploited', ('time', {"ismin": True}), {
                         'doc': 'The earliest known time when the vulnerability was exploited in the wild.'}),
 
+                    ('id', ('str', {'strip': True}), {
+                        'doc': 'An identifier for the vulnerability.'}),
+
                     ('cve', ('it:sec:cve', {}), {
                         'doc': 'The CVE ID of the vulnerability.'}),
 
@@ -591,8 +596,11 @@ class RiskModule(s_module.CoreModule):
                     ('benign', ('bool', {}), {
                         'doc': 'Set to true if the alert has been confirmed benign. Set to false if malicious.'}),
 
-                    ('priority', ('int', {}), {
-                        'doc': 'A numeric value used to rank alerts by priority.'}),
+                    ('priority', ('meta:priority', {}), {
+                        'doc': 'A priority rank for the alert.'}),
+
+                    ('severity', ('meta:severity', {}), {
+                        'doc': 'A severity rank for the alert.'}),
 
                     ('verdict', ('risk:alert:verdict:taxonomy', {}), {
                         'ex': 'benign.false_positive',
@@ -695,8 +703,8 @@ class RiskModule(s_module.CoreModule):
                     ('econ:currency', ('econ:currency', {}), {
                         'doc': 'The currency type for the econ:price fields.'}),
 
-                    ('severity', ('int', {}), {
-                        'doc': 'An integer based relative severity score for the compromise.'}),
+                    ('severity', ('meta:severity', {}), {
+                        'doc': 'A severity rank for the compromise.'}),
 
                     ('goal', ('ou:goal', {}), {
                         'doc': 'The assessed primary goal of the attacker for the compromise.'}),
@@ -748,8 +756,8 @@ class RiskModule(s_module.CoreModule):
                     ('compromise', ('risk:compromise', {}), {
                         'doc': 'A compromise that this attack contributed to.'}),
 
-                    ('severity', ('int', {}), {
-                        'doc': 'An integer based relative severity score for the attack.'}),
+                    ('severity', ('meta:severity', {}), {
+                        'doc': 'A severity rank for the attack.'}),
 
                     ('sophistication', ('meta:sophistication', {}), {
                         'doc': 'The assessed sophistication of the attack.'}),
@@ -939,6 +947,16 @@ class RiskModule(s_module.CoreModule):
                         'doc': 'The currency in which payment was demanded.'}),
 
                 )),
+                ('risk:technique:masquerade', {}, (
+                    ('node', ('ndef', {}), {
+                        'doc': 'The node masquerading as another.'}),
+                    ('period', ('ival', {}), {
+                        'doc': 'The time period when the masquerading was active.'}),
+                    ('target', ('ndef', {}), {
+                        'doc': 'The being masqueraded as.'}),
+                    ('technique', ('ou:technique', {}), {
+                        'doc': 'The specific technique which describes the type of masquerading.'}),
+                )),
             ),
         }
         name = 'risk'

synapse/models/syn.py

@@ -127,9 +127,6 @@ class SynModule(s_module.CoreModule):
                 ('syn:cmd', ('str', {'strip': True}), {
                     'doc': 'A Synapse storm command.'
                 }),
-                ('syn:splice', ('guid', {'strip': True}), {
-                    'doc': 'A splice from a layer.'
-                }),
                 ('syn:nodedata', ('comp', {'fields': (('key', 'str'), ('form', 'syn:form'))}), {
                     'doc': 'A nodedata key and the form it may be present on.',
                 }),
@@ -282,40 +279,5 @@ class SynModule(s_module.CoreModule):
                     ('nodedata', ('array', {'type': 'syn:nodedata'}), {
                         'doc': 'The list of nodedata that may be added by the command.', 'uniq': True, 'sorted': True, 'ro': True}),
                 )),
-                ('syn:splice', {'runt': True}, (
-                    ('type', ('str', {'strip': True}), {
-                        'doc': 'Type of splice.', 'ro': True
-                    }),
-                    ('iden', ('str', {}), {
-                        'doc': 'The iden of the node involved in the splice.', 'ro': True,
-                    }),
-                    ('form', ('syn:form', {'strip': True}), {
-                        'doc': 'The form involved in the splice.', 'ro': True
-                    }),
-                    ('prop', ('syn:prop', {'strip': True}), {
-                        'doc': 'Property modified in the splice.', 'ro': True
-                    }),
-                    ('tag', ('syn:tag', {'strip': True}), {
-                        'doc': 'Tag modified in the splice.', 'ro': True
-                    }),
-                    ('valu', ('data', {}), {
-                        'doc': 'The value being set in the splice.', 'ro': True
-                    }),
-                    ('oldv', ('data', {}), {
-                        'doc': 'The value before the splice.', 'ro': True
-                    }),
-                    ('user', ('guid', {}), {
-                        'doc': 'The user who caused the splice.', 'ro': True,
-                    }),
-                    ('prov', ('guid', {}), {
-                        'doc': 'The provenance stack of the splice.', 'ro': True,
-                    }),
-                    ('time', ('time', {}), {
-                        'doc': 'The time the splice occurred.', 'ro': True,
-                    }),
-                    ('splice', ('data', {}), {
-                        'doc': 'The splice.', 'ro': True
-                    }),
-                )),
             ),
         }),)

synapse/tests/test_cmds_cortex.py

@@ -245,7 +245,7 @@ class CmdCoreTest(s_t_utils.SynTest):
                 cmdr = await s_cmdr.getItemCmdr(core, outp=outp)
                 await cmdr.runCmdLine('log --on --format jsonl')
                 fp = cmdr.locs.get('log:fp')
-                await cmdr.runCmdLine('storm --editformat splices [test:str=hi :tick=2018 +#haha.hehe]')
+                await cmdr.runCmdLine('storm [test:str=hi :tick=2018 +#haha.hehe]')
 
                 await cmdr.runCmdLine('storm --editformat nodeedits [test:str=hi2 :tick=2018 +#haha.hehe]')
                 await cmdr.runCmdLine('storm [test:comp=(42, bar)]')