RubyGems - active_stix - Versions diffs - 0.1.21 - Mend

active_stix 0.1.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (289) hide show

data/app/helpers/active_stix/application_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module ApplicationHelper
+  end
+end

data/app/helpers/active_stix/artifacts_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module ArtifactsHelper
+  end
+end

data/app/helpers/active_stix/attack_patterns_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module AttackPatternsHelper
+  end
+end

data/app/helpers/active_stix/bcc_refs_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module BccRefsHelper
+  end
+end

data/app/helpers/active_stix/bundled_objects_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module BundledObjectsHelper
+  end
+end

data/app/helpers/active_stix/bundles_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module BundlesHelper
+  end
+end

data/app/helpers/active_stix/campaigns_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module CampaignsHelper
+  end
+end

data/app/helpers/active_stix/course_of_actions_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module CourseOfActionsHelper
+  end
+end

data/app/helpers/active_stix/cyber_observables_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module CyberObservablesHelper
+  end
+end

data/app/helpers/active_stix/email_messages_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module EmailMessagesHelper
+  end
+end

data/app/helpers/active_stix/external_references_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module ExternalReferencesHelper
+  end
+end

data/app/helpers/active_stix/files_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module FilesHelper
+  end
+end

data/app/helpers/active_stix/identities_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module IdentitiesHelper
+  end
+end

data/app/helpers/active_stix/indicator_labels_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module IndicatorLabelsHelper
+  end
+end

data/app/helpers/active_stix/indicators_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module IndicatorsHelper
+  end
+end

data/app/helpers/active_stix/intrusion_sets_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module IntrusionSetsHelper
+  end
+end

data/app/helpers/active_stix/kill_chain_phases_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module KillChainPhasesHelper
+  end
+end

data/app/helpers/active_stix/kill_chains_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module KillChainsHelper
+  end
+end

data/app/helpers/active_stix/malwares_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module MalwaresHelper
+  end
+end

data/app/helpers/active_stix/marking_definitions_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module MarkingDefinitionsHelper
+  end
+end

data/app/helpers/active_stix/observed_data_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module ObservedDataHelper
+  end
+end

data/app/helpers/active_stix/open_vocabularies_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module OpenVocabulariesHelper
+  end
+end

data/app/helpers/active_stix/phases_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module PhasesHelper
+  end
+end

data/app/helpers/active_stix/recipients_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module RecipientsHelper
+  end
+end

data/app/helpers/active_stix/relationships_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module RelationshipsHelper
+  end
+end

data/app/helpers/active_stix/reports_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module ReportsHelper
+  end
+end

data/app/helpers/active_stix/threat_actors_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module ThreatActorsHelper
+  end
+end

data/app/helpers/active_stix/tools_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module ToolsHelper
+  end
+end

data/app/helpers/active_stix/urls_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module UrlsHelper
+  end
+end

data/app/helpers/active_stix/users_helper.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  module UsersHelper
+  end
+end

data/app/jobs/active_stix/application_job.rb ADDED

@@ -0,0 +1,4 @@
+module ActiveStix
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/active_stix/application_mailer.rb ADDED

@@ -0,0 +1,6 @@
+module ActiveStix
+  class ApplicationMailer < ActionMailer::Base
+    default from: 'from@example.com'
+    layout 'mailer'
+  end
+end

data/app/models/active_stix/application_record.rb ADDED

@@ -0,0 +1,5 @@
+module ActiveStix
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/models/active_stix/artifact.rb ADDED

@@ -0,0 +1,23 @@
+module ActiveStix
+  class Artifact < ApplicationRecord
+    before_create do
+      self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+    end
+    def type
+      return "artifact"
+    end
+    def self.create_from_eml(eml)
+      mail = Mail.new(eml)
+      artifact = Artifact.new
+      artifact.mime_type = mail.mime_type
+      artifact.payload_bin = eml
+      artifact.save
+      artifact
+    end
+  end
+end

data/app/models/active_stix/attack_pattern.rb ADDED

@@ -0,0 +1,150 @@
+class ActiveStix::AttackPattern < ApplicationRecord
+  has_many :reference_items, as: 'referrer'
+  has_many :external_references, class_name: 'ActiveStix::ExternalReference', through: :reference_items
+  has_many :kill_chain_phases, class_name: 'ActiveStix::KillChainPhase', foreign_key: 'attack_pattern_ref', primary_key: 'stix_id'
+  has_many :phases, class_name: 'ActiveStix::Phase', through: :kill_chain_phases
+  # has_many :marking_definitions, as: 'markable' todo
+  has_many :source_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'source_ref' #relationships where this class is the source
+  has_many :target_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'target_ref' #relationships where this class is the target
+  before_create do
+    self.stix_id = "#{type}--#{SecureRandom.uuid}" if stix_id.blank?
+  end
+  def type
+    'attack-pattern'
+  end
+  def targets?(identity)
+    ActiveStix::Relationship.where(source: self, target: identity).any?
+  end
+  def self.expected_keys
+    [
+        'external_references',
+        'kill_chain_phases',
+        'object_marking_refs'
+    ]
+  end
+  def self.ingest_json(obj)
+    attack_pattern = find_or_create_by(stix_id: obj['id'], name: obj['name'], description: obj['description'])
+    expected_keys.each do |expected_key|
+      if obj.has_key?(expected_key)
+        send(expected_key, *[attack_pattern, obj])
+      end
+    end
+    attack_pattern.save
+    attack_pattern
+  end
+  def self.external_references(attack_pattern, obj)
+    obj['external_references'].each do |er|
+      external_reference = ActiveStix::ExternalReference.ingest_json(er, obj['id'])
+      attack_pattern.external_references << external_reference unless ActiveStix::ReferenceItem.find_by(external_reference_id: external_reference.id, referrer_id: attack_pattern.id)
+    end
+  end
+  def self.kill_chain_phases(attack_pattern, obj)
+    obj['kill_chain_phases'].each do |kc|
+      phase = ActiveStix::Phase.ingest_json(kc)
+      attack_pattern.phases << phase unless ActiveStix::KillChainPhase.find_by(attack_pattern_ref: attack_pattern.stix_id, phase_id: phase.id)
+    end
+  end
+  def self.object_marking_refs(attack_pattern, obj)
+    # obj['object_marking_refs'].each do |mr|
+    #   marking_definition = ActiveStix::MarkingDefinition.create_by_id(mr)
+    #
+    #   #ensure no duplicate entries
+    #   attack_pattern.marking_definitions << marking_definition unless ActiveStix::ReferenceObjectMarkingAttack.find_by(marking_definition_id: marking_definition.id, attack_pattern_id: attack_pattern.id)
+    #
+    # end todo
+  end
+  def indicator_relationships
+    relationships = []
+    ActiveStix::Relationship.where(target: self, relationship_type: "uses", source_type: "ActiveStix::Indicator").or(
+        ActiveStix::Relationship.where(target: self, relationship_type: "indicates", source_type: "ActiveStix::Indicator")
+    ).each do |rel|
+      relationships << rel
+    end
+    relationships
+  end
+  def indicators
+    indicator_relationships.collect {|rel| rel.source}
+  end
+  def convert_to_json
+    external_refs_arr = []
+    external_references.each do |x|
+      external_refs_arr << x.convert_to_json
+    end
+    phase_arr = []
+    phases.each do |x|
+      phase_arr << x.convert_to_json
+    end
+    # marking_def_arr = []
+    # marking_definitions.each do |x|
+    #   marking_def_arr << x.convert_to_json
+    # end todo
+    data_sources_arr = []
+    data_sources.each do |x|
+      data_sources_arr << x.convert_to_json
+    end
+    platform_arr = []
+    platforms.each do |x|
+      platform_arr << x.convert_to_json
+    end
+    perm_arr = []
+    permissions_requireds.each do |x|
+      perm_arr << x.convert_to_json
+    end
+    {
+        :external_references => external_refs_arr,
+        :object_marking_refs => marking_def_arr,
+        :modified => updated_at.to_s,
+        :kill_chain_phases => phase_arr,
+        :id => stix_id,
+        :name => name,
+        :x_mitre_version => versions.first.convert_to_json,
+        :type => "attack-pattern",
+        :description => description,
+    }
+  end
+  def as_stix
+    as_json(only: []).tap do |hash|
+      hash["id"] = stix_id
+      hash["type"] = type
+      hash["created"] = created_at.rfc3339(3)
+      hash["modified"] = updated_at.rfc3339(3)
+      hash["external_references"] = external_references.collect {|ref| ref.as_stix}
+      hash["name"] = name
+      hash["description"] = description
+      hash["kill_chain_phases"] = phases.collect {|phase| phase.as_stix}
+    end
+  end
+  def targets(identity)
+    ActiveStix::Relationship.relate(self, identity, "targets")
+  end
+end

data/app/models/active_stix/bcc_ref.rb ADDED

@@ -0,0 +1,6 @@
+module ActiveStix
+  class BccRef < ActiveStix::Recipient
+    belongs_to :email_message
+    belongs_to :email_address
+  end
+end

data/app/models/active_stix/bundle.rb ADDED

@@ -0,0 +1,108 @@
+module ActiveStix
+  class Bundle < ApplicationRecord
+    has_many :bundled_objects, primary_key: 'stix_id', foreign_key: 'bundle_ref'
+    @@stix_map = {
+        'bundle' => ActiveStix::Bundle,
+        'attack-pattern' => ActiveStix::AttackPattern,
+        'relationship' => ActiveStix::Relationship,
+        'course-of-action' => ActiveStix::CourseOfAction,
+        'identity' => ActiveStix::Identity,
+        'intrusion-set' => ActiveStix::IntrusionSet,
+        'malware' => ActiveStix::Malware,
+        'tool' => ActiveStix::Tool,
+        'marking-definition' => ActiveStix::MarkingDefinition,
+        'report' => ActiveStix::Report,
+        'campaign' => ActiveStix::Campaign,
+        'indicator' => ActiveStix::Indicator
+    }
+    before_create do
+      self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+    end
+    def type
+      'bundle'
+    end
+    def self.ingest(filename)
+      file_handle = ::File.open(filename, "r")
+      file_data = file_handle.read
+      json_file_data = JSON.parse(file_data)
+      bundle = ingest_json(json_file_data, nil)
+      bundle
+    end
+    def self.ingest_json(obj, parent)
+      #first create all the objects and then create the relationships to simplify associations
+      # first create all objects then reference object_refs in reports
+      list_relationships = []
+      list_reports = []
+      bundle = ActiveStix::Bundle.find_or_create_by(stix_id: obj['id'], spec_version: obj['spec_version'])
+      objects = obj['objects'].collect do |o|
+        #puts "Loc A: #{o['type']}"
+        if o['type'] == 'relationship'
+          list_relationships << o
+        else
+          begin
+            #puts o['type']
+            if o['type'].starts_with?("x-") and !ActiveStix.process_x_attrs?
+            else
+              bundle.add(@@stix_map[o['type']].ingest_json(o))
+            end
+            if o['type'] == 'report'
+              #add all report object_refs after all objects are created
+              list_reports << o
+            end
+          rescue
+            Rails.logger.info "Failed trying to ingest type #{o['type']}"
+            raise
+          end
+        end
+      end
+      list_relationships.each do |rel|
+        bundle.add(ActiveStix::Relationship.ingest_json(rel))
+      end
+      list_reports.each do |rep|
+        ActiveStix::Report.add_obj_refs(rep)
+      end
+      bundle
+    end
+    def add(stix_object)
+      if stix_object.is_a? Enumerable
+        stix_object.each do |so|
+          add(so)
+        end
+      else
+        unless bundled_objects.where(object_ref: stix_object.stix_id).any?
+          bundled_objects.create(stix_object: stix_object)
+        end
+      end
+    end
+    def includes?(stix_object)
+      bundled_objects.where(object_ref: stix_object.stix_id).any?
+    end
+    def as_stix
+      {
+          "type" => type,
+          "id" => stix_id,
+          "spec_version" => "2.0",
+          "objects" => bundled_objects.collect {|bo| bo.stix_object.as_stix}
+      }
+    end
+    def convert_to_json
+      {
+          :type => "bundle",
+          :id => stix_id,
+          :spec_version => spec_version,
+          :objects => bundled_objects.collect {|bo| bo.stix_object.convert_to_json}
+      }.to_json
+    end
+  end
+end