n6sdk.data_spec

Note

For basic information on how to use the classes defined in this module, please consult the "Data specification class" chapter of the tutorial.

class n6sdk.data_spec.BaseDataSpec(**kwargs)

Bases: object

The base class for data specification classes.

Typically, it should not be subclassed directly – use DataSpec instead.

clean_param_dict(params, ignored_keys=(), forbidden_keys=(), extra_required_keys=(), discarded_keys=())
clean_param_keys(params, ignored_keys=(), forbidden_keys=(), extra_required_keys=(), discarded_keys=())
clean_result_dict(result, ignored_keys=(), forbidden_keys=(), extra_required_keys=(), discarded_keys=())
clean_result_keys(result, ignored_keys=(), forbidden_keys=(), extra_required_keys=(), discarded_keys=())
get_adjusted_field(key, field, ext=None)
param_field_specs(which='all', multi=True, single=True)
result_field_specs(which='all')
all_keys

Instance property: a frozenset of all keys.

(Includes all legal parameter names and result keys.)

all_param_keys

Instance property: a frozenset of all legal parameter names.

all_result_keys

Instance property: a frozenset of all legal result keys.

class n6sdk.data_spec.DataSpec(**kwargs)

Bases: n6sdk.data_spec.BaseDataSpec

The basic, ready-to-use, data specification class.

You can use it directly or inherit from it.

active = Field(extra_params={'max': DateTimeField(in_params='optional', single_param=True), 'min': DateTimeField(in_params='optional', single_param=True)}, in_params=None, in_result=None)
address = AddressField(in_params=None, in_result='optional')
adip = AnonymizedIPv4Field(in_params=None, in_result='optional')
asn = ASNField(in_params='optional', in_result=None)
category = UnicodeEnumField(enum_values=('bots', 'cnc', 'dos-attacker', 'dos-victim', 'malurl', 'phish', 'proxy', 'resolver', 'sandbox-url', 'scanning', 'server-exploit', 'spam', 'spam-url', 'tor', 'other'), in_params='optional', in_result='required')
cc = CCField(in_params='optional', in_result=None)
confidence = UnicodeEnumField(enum_values=('low', 'medium', 'high'), in_params='optional', in_result='required')
count = IntegerField(in_params=None, in_result='optional', max_value=32767, min_value=0)
dip = IPv4Field(in_params='optional', in_result='optional')
dport = PortField(in_params='optional', in_result='optional')
expires = DateTimeField(in_params=None, in_result='optional')
fqdn = DomainNameField(extra_params={'sub': DomainNameSubstringField(in_params='optional')}, in_params='optional', in_result='optional')
id = UnicodeLimitedField(in_params='optional', in_result='required', max_length=64)
ip = IPv4Field(extra_params={'net': IPv4NetField(in_params='optional')}, in_params='optional', in_result=None)
md5 = MD5Field(in_params='optional', in_result='optional')
name = UnicodeLimitedField(in_params='optional', in_result='optional', max_length=255)
origin = UnicodeEnumField(enum_values=('c2', 'dropzone', 'proxy', 'p2p-crawler', 'p2p-drone', 'sinkhole', 'sandbox', 'honeypot', 'darknet', 'av', 'ids', 'waf'), in_params='optional', in_result='optional')
proto = UnicodeEnumField(enum_values=('tcp', 'udp', 'icmp'), in_params='optional', in_result='optional')
replaces = UnicodeLimitedField(in_params='optional', in_result='optional', max_length=64)
restriction = UnicodeEnumField(enum_values=('public', 'need-to-know', 'internal'), in_params='optional', in_result='required')
sha1 = SHA1Field(in_params='optional', in_result='optional')
source = SourceField(in_params='optional', in_result='required')
sport = PortField(in_params='optional', in_result='optional')
status = UnicodeEnumField(enum_values=('active', 'delisted', 'expired', 'replaced'), in_params='optional', in_result='optional')
target = UnicodeLimitedField(in_params='optional', in_result='optional', max_length=100)
time = DateTimeField(extra_params={'max': DateTimeField(in_params='optional', single_param=True), 'min': DateTimeField(in_params='optional', single_param=True)}, in_params=None, in_result='required')
until = DateTimeField(in_params=None, in_result='optional')
url = URLField(extra_params={'sub': URLSubstringField(in_params='optional')}, in_params='optional', in_result='optional')

class n6sdk.data_spec.Ext

Bases: dict

A dict-like class for extending field properties in DataSpec subclasses.

copy()
make_extended_field(field)
nondestructive_update(other)

n6sdk.data_spec.CATEGORY_ENUMS = ('bots', 'cnc', 'dos-attacker', 'dos-victim', 'malurl', 'phish', 'proxy', 'resolver', 'sandbox-url', 'scanning', 'server-exploit', 'spam', 'spam-url', 'tor', 'other')

A tuple of network incident category labels – used in the DataSpec.category field specification.

n6sdk.data_spec.CONFIDENCE_ENUMS = ('low', 'medium', 'high')

A tuple of network incident data confidence qualifiers – used in the DataSpec.confidence field specification.

n6sdk.data_spec.ORIGIN_ENUMS = ('c2', 'dropzone', 'proxy', 'p2p-crawler', 'p2p-drone', 'sinkhole', 'sandbox', 'honeypot', 'darknet', 'av', 'ids', 'waf')

A tuple of network incident origin labels – used in the DataSpec.origin field specification.

n6sdk.data_spec.PROTO_ENUMS = ('tcp', 'udp', 'icmp')

A tuple of network incident layer-4 protocol labels – used in the DataSpec.proto field specification.

n6sdk.data_spec.RESTRICTION_ENUMS = ('public', 'need-to-know', 'internal')

A tuple of network incident data distribution restriction qualifiers – used in the DataSpec.restriction field specification.

n6sdk.data_spec.STATUS_ENUMS = ('active', 'delisted', 'expired', 'replaced')

A tuple of blacklist item status qualifiers – used in the DataSpec.status field specification.
