n6sdk.data_spec
Note
For basic information on how to use the classes defined in this module, please consult the Data specification class chapter of the tutorial.
- class n6sdk.data_spec.BaseDataSpec(**kwargs)
Bases: object
The base class for data specification classes.
Typically, it should not be subclassed directly – use DataSpec instead.
- clean_param_dict(params, ignored_keys=(), forbidden_keys=(), extra_required_keys=(), discarded_keys=())
- clean_param_keys(params, ignored_keys=(), forbidden_keys=(), extra_required_keys=(), discarded_keys=())
- clean_result_dict(result, ignored_keys=(), forbidden_keys=(), extra_required_keys=(), discarded_keys=())
- clean_result_keys(result, ignored_keys=(), forbidden_keys=(), extra_required_keys=(), discarded_keys=())
- class n6sdk.data_spec.DataSpec(**kwargs)
Bases: n6sdk.data_spec.BaseDataSpec
The basic, ready-to-use, data specification class.
You can use it directly or inherit from it.
- active = Field(extra_params={'max': DateTimeField(in_params='optional', single_param=True), 'until': DateTimeField(in_params='optional', single_param=True), 'min': DateTimeField(in_params='optional', single_param=True)}, in_params=None, in_result=None)
- address = ExtendedAddressField(in_params=None, in_result='optional')
- adip = AnonymizedIPv4Field(in_params=None, in_result='optional')
- asn = ASNField(in_params='optional', in_result=None)
- category = UnicodeEnumField(enum_values=('amplifier', 'bots', 'backdoor', 'cnc', 'dns-query', 'dos-attacker', 'dos-victim', 'flow', 'flow-anomaly', 'fraud', 'leak', 'malurl', 'phish', 'proxy', 'sandbox-url', 'scanning', 'server-exploit', 'spam', 'spam-url', 'tor', 'vulnerable', 'webinject', 'other'), in_params='optional', in_result='required')
- cc = CCField(in_params='optional', in_result=None)
- confidence = UnicodeEnumField(enum_values=('low', 'medium', 'high'), in_params='optional', in_result='required')
- count = IntegerField(in_params=None, in_result='optional', max_value=32767, min_value=0)
- dip = IPv4Field(in_params='optional', in_result='optional')
- dport = PortField(in_params='optional', in_result='optional')
- email = EmailSimplifiedField(in_params='optional', in_result='optional')
- expires = DateTimeField(in_params=None, in_result='optional')
- fqdn = DomainNameField(extra_params={'sub': DomainNameSubstringField(in_params='optional')}, in_params='optional', in_result='optional')
- iban = IBANSimplifiedField(in_params='optional', in_result='optional')
- id = UnicodeLimitedField(in_params='optional', in_result='required', max_length=64)
- injects = ListOfDictsField(in_params=None, in_result='optional')
- ip = IPv4Field(extra_params={'net': IPv4NetField(in_params='optional')}, in_params='optional', in_result=None)
- ipv6 = IPv6Field(extra_params={'net': IPv6NetField(in_params='optional')}, in_params='optional', in_result=None)
- md5 = MD5Field(in_params='optional', in_result='optional')
- modified = DateTimeField(extra_params={'max': DateTimeField(in_params='optional', single_param=True), 'until': DateTimeField(in_params='optional', single_param=True), 'min': DateTimeField(in_params='optional', single_param=True)}, in_params=None, in_result='optional')
- name = UnicodeLimitedField(in_params='optional', in_result='optional', max_length=255)
- origin = UnicodeEnumField(enum_values=('c2', 'dropzone', 'proxy', 'p2p-crawler', 'p2p-drone', 'sinkhole', 'sandbox', 'honeypot', 'darknet', 'av', 'ids', 'waf'), in_params='optional', in_result='optional')
- phone = UnicodeLimitedField(in_params='optional', in_result='optional', max_length=20)
- proto = UnicodeEnumField(enum_values=('tcp', 'udp', 'icmp'), in_params='optional', in_result='optional')
- registrar = UnicodeLimitedField(in_params='optional', in_result='optional', max_length=100)
- replaces = UnicodeLimitedField(in_params='optional', in_result='optional', max_length=64)
- restriction = UnicodeEnumField(enum_values=('public', 'need-to-know', 'internal'), in_params='optional', in_result='required')
- sha1 = SHA1Field(in_params='optional', in_result='optional')
- source = SourceField(in_params='optional', in_result='required')
- sport = PortField(in_params='optional', in_result='optional')
- status = UnicodeEnumField(enum_values=('active', 'delisted', 'expired', 'replaced'), in_params='optional', in_result='optional')
- target = UnicodeLimitedField(in_params='optional', in_result='optional', max_length=100)
- time = DateTimeField(extra_params={'max': DateTimeField(in_params='optional', single_param=True), 'until': DateTimeField(in_params='optional', single_param=True), 'min': DateTimeField(in_params='optional', single_param=True)}, in_params=None, in_result='required')
- until = DateTimeField(in_params=None, in_result='optional')
- url = URLField(extra_params={'sub': URLSubstringField(in_params='optional')}, in_params='optional', in_result='optional')
- url_pattern = UnicodeLimitedField(in_params='optional', in_result='optional', max_length=255)
- username = UnicodeLimitedField(in_params='optional', in_result='optional', max_length=64)
- x509fp_sha1 = SHA1Field(in_params='optional', in_result='optional')
- class n6sdk.data_spec.Ext
Bases: dict
A dict-like class for extending field properties in DataSpec subclasses.
- n6sdk.data_spec.CATEGORY_ENUMS = ('amplifier', 'bots', 'backdoor', 'cnc', 'dns-query', 'dos-attacker', 'dos-victim', 'flow', 'flow-anomaly', 'fraud', 'leak', 'malurl', 'phish', 'proxy', 'sandbox-url', 'scanning', 'server-exploit', 'spam', 'spam-url', 'tor', 'vulnerable', 'webinject', 'other')
A tuple of network incident category labels – used in the DataSpec.category field specification.
- n6sdk.data_spec.CONFIDENCE_ENUMS = ('low', 'medium', 'high')
A tuple of network incident data confidence qualifiers – used in the DataSpec.confidence field specification.
- n6sdk.data_spec.ORIGIN_ENUMS = ('c2', 'dropzone', 'proxy', 'p2p-crawler', 'p2p-drone', 'sinkhole', 'sandbox', 'honeypot', 'darknet', 'av', 'ids', 'waf')
A tuple of network incident origin labels – used in the DataSpec.origin field specification.
- n6sdk.data_spec.PROTO_ENUMS = ('tcp', 'udp', 'icmp')
A tuple of network incident layer-#4-protocol labels – used in the DataSpec.proto field specification.
- n6sdk.data_spec.RESTRICTION_ENUMS = ('public', 'need-to-know', 'internal')
A tuple of network incident data distribution restriction qualifiers – used in the DataSpec.restriction field specification.
- n6sdk.data_spec.STATUS_ENUMS = ('active', 'delisted', 'expired', 'replaced')
A tuple of black list item status qualifiers – used in the DataSpec.status field specification.