19 package org.sleuthkit.autopsy.modules.stix;
27 import java.util.List;
28 import java.util.ArrayList;
29 import org.mitre.cybox.common_2.ConditionApplicationEnum;
30 import org.mitre.cybox.common_2.ConditionTypeEnum;
32 import org.mitre.cybox.objects.Address;
38 class EvalAddressObj
extends EvaluatableObject {
40 private final Address obj;
/**
 * Creates an evaluator for a single CybOX Address object.
 *
 * @param a_obj     the Address object to evaluate (presumably kept in {@code obj};
 *                  the constructor body is not shown on this page)
 * @param a_id      the observable id echoed into every ObservableResult
 * @param a_spacing indentation prefix passed through to each ObservableResult
 */
42 public EvalAddressObj(Address a_obj, String a_id, String a_spacing) {
/**
 * Evaluates this Address observable against the currently open case.
 *
 * Each part of the address value (split on the "##comma##" marker) is looked
 * up against keyword-hit artifacts (TSK_KEYWORD_HIT with a TSK_KEYWORD
 * attribute). The verdict is:
 *  - INDETERMINATE when the object has no address value, when the apply
 *    condition is NONE, or when the case-database lookup throws;
 *  - FALSE when no case is open, when the apply condition is ALL and some
 *    part had no hit, or when nothing matched at all;
 *  - TRUE, with one StixArtifactData per matching artifact, otherwise.
 *
 * NOTE(review): the address value comes straight from the parsed STIX
 * document, i.e. untrusted input. It is used verbatim as the keyword lookup
 * value and echoed into result messages; see the inline notes below.
 * The method is synchronized on this evaluator instance.
 */
49 public synchronized ObservableResult evaluate() {
// No Address_Value element at all: nothing to search for.
53 if (obj.getAddressValue() == null) {
54 return new ObservableResult(
id,
"AddressObject: No address value field found",
55 spacing, ObservableResult.ObservableState.INDETERMINATE, null);
// Without an open case the question cannot be answered; reported as FALSE.
60 case1 = Case.getCurrentCaseThrows();
61 }
catch (NoCurrentCaseException ex) {
62 return new ObservableResult(
id,
"Exception while getting open case.",
63 spacing, ObservableResult.ObservableState.FALSE, null);
// NOTE(review): getValue() is dereferenced without a null check. A STIX
// document whose Address_Value element carries no value would raise a
// NullPointerException here instead of yielding an INDETERMINATE result —
// confirm whether the CybOX binding guarantees a non-null value.
66 String origAddressStr = obj.getAddressValue().getValue().toString();
// Apply condition NONE is rejected as unsupported.
70 if (((obj.getAddressValue().getApplyCondition() != null)
71 && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.NONE))) {
72 return new ObservableResult(
id,
"AddressObject: Can not process apply condition " + obj.getAddressValue().getApplyCondition().toString()
73 +
" on Address object", spacing, ObservableResult.ObservableState.INDETERMINATE, null);
// Record the Address fields this evaluator ignores, so the user knows the
// verdict did not consider them.
77 setUnsupportedFieldWarnings();
79 SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
// Tracks whether every part produced at least one hit; only consulted for
// apply condition ALL.
84 boolean everyPartMatched =
true;
85 List<BlackboardArtifact> combinedArts =
new ArrayList<BlackboardArtifact>();
// Human-readable rendering of the query, used only in result messages.
86 String searchString =
"";
// "##comma##" is presumably a placeholder the STIX importer substitutes for
// literal commas in multi-valued fields — TODO confirm against the parser.
87 String[] parts = origAddressStr.split(
"##comma##");
89 for (String addressStr : parts) {
// Join parts with AND under apply condition ALL, otherwise with OR.
92 if (!searchString.isEmpty()) {
94 if ((obj.getAddressValue().getApplyCondition() != null)
95 && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.ALL)) {
96 searchString +=
" AND ";
98 searchString +=
" OR ";
101 searchString += addressStr;
// Condition EQUALS (or unspecified): direct lookup of keyword hits whose
// TSK_KEYWORD attribute equals this part.
103 if ((obj.getAddressValue().getCondition() == null)
104 || (obj.getAddressValue().getCondition() == ConditionTypeEnum.EQUALS)) {
// NOTE(review): the part is handed to the case-database query as-is;
// confirm that SleuthkitCase binds it as a parameter rather than
// concatenating it into SQL, since it originates from the STIX file.
105 List<BlackboardArtifact> arts = sleuthkitCase.getBlackboardArtifacts(
106 BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT,
107 BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD,
110 if (arts.isEmpty()) {
111 everyPartMatched =
false;
113 combinedArts.addAll(arts);
// Any other condition: fetch every keyword-hit artifact in the case and
// compare in Java. Linear in the number of keyword hits, once per part.
119 List<BlackboardArtifact> finalHits =
new ArrayList<BlackboardArtifact>();
122 List<BlackboardArtifact> artList
123 = sleuthkitCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);
125 for (BlackboardArtifact art : artList) {
127 for (BlackboardAttribute attr : art.getAttributes()) {
128 if (attr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()) {
129 if (compareStringObject(addressStr, obj.getAddressValue().getCondition(),
130 obj.getAddressValue().getApplyCondition(), attr.getValueString())) {
137 if (finalHits.isEmpty()) {
138 everyPartMatched =
false;
140 combinedArts.addAll(finalHits);
// Under ALL, a single part without hits makes the whole observable FALSE.
146 if ((obj.getAddressValue().getApplyCondition() != null)
147 && (obj.getAddressValue().getApplyCondition() == ConditionApplicationEnum.ALL)
148 && (!everyPartMatched)) {
149 return new ObservableResult(
id,
"AddressObject: No matches for " + searchString,
150 spacing, ObservableResult.ObservableState.FALSE, null);
// Otherwise any hit is a match; report each matching artifact's object id.
153 if (!combinedArts.isEmpty()) {
154 List<StixArtifactData> artData =
new ArrayList<StixArtifactData>();
155 for (BlackboardArtifact a : combinedArts) {
156 artData.add(
new StixArtifactData(a.getObjectID(), id,
"AddressObject"));
158 return new ObservableResult(
id,
"AddressObject: Found a match for " + searchString,
159 spacing, ObservableResult.ObservableState.TRUE, artData);
162 return new ObservableResult(
id,
"AddressObject: Found no matches for " + searchString,
163 spacing, ObservableResult.ObservableState.FALSE, null);
165 }
// Case-database failures are reported as INDETERMINATE rather than propagated.
catch (TskCoreException ex) {
166 return new ObservableResult(
id,
"AddressObject: Exception during evaluation: " + ex.getLocalizedMessage(),
167 spacing, ObservableResult.ObservableState.INDETERMINATE, null);
/**
 * Adds a warning naming the Address fields this evaluator does not consult.
 *
 * Only Address_Value is evaluated; VLAN_Name and VLAN_Num are ignored, so a
 * present VLAN field is reported to the user rather than silently dropped.
 */
174 private void setUnsupportedFieldWarnings() {
175 List<String> fieldNames =
new ArrayList<String>();
177 if (obj.getVLANName() != null) {
178 fieldNames.add(
"VLAN_Name");
// FIXME: copy/paste error — this re-tests getVLANName(), so "VLAN_Num" is
// reported whenever a VLAN_Name is present and never when only a VLAN_Num is.
// The condition should test the VLAN_Num accessor of the CybOX Address
// binding (presumably `obj.getVLANNum() != null`).
180 if (obj.getVLANName() != null) {
181 fieldNames.add(
"VLAN_Num");
// Join the collected field names into a single warning string.
184 String warningStr =
"";
185 for (String name : fieldNames) {
186 if (!warningStr.isEmpty()) {
// NOTE(review): addWarning() appears to be called unconditionally (no guard
// is visible on this page), so an empty "Unsupported field(s): " warning
// would be emitted even when no unsupported field is present — consider
// returning early when fieldNames is empty.
192 addWarning(
"Unsupported field(s): " + warningStr);