active_stix 0.1.21

data/app/models/active_stix/external_reference.rb

@@ -0,0 +1,48 @@
+class ActiveStix::ExternalReference < ApplicationRecord
+  has_many :course_of_actions, :class_name => 'ActiveStix::CourseOfAction', through: :reference_items
+  has_many :intrusion_sets, :class_name => 'ActiveStix::IntrusionSet', through: :reference_item_is
+  has_many :malwares, :class_name => 'ActiveStix::Malware', through: :reference_items
+  has_many :tools, :class_name => 'ActiveStix::Tool', through: :reference_items
+  # has_many :marking_definitions, :class_name => 'ActiveStix::MarkingDefinition', through: :reference_items todo
+  has_many :reference_items, :class_name => 'ActiveStix::ReferenceItem', foreign_key: 'external_reference_id'
+
+  def self.ingest_json(obj, parent_obj_id)
+    if obj.has_key?('url')
+      external_reference = find_or_create_by(url:obj['url'])
+    elsif obj.has_key?('source_name') and obj.has_key?('description')
+      external_reference = find_or_create_by(source_name:obj['source_name'], description:obj['description'])
+    elsif obj.has_key?('source_name') and obj.has_key?('external_id')
+      external_reference = find_or_create_by(source_name:obj['source_name'], external_id:obj['external_id'])
+    end
+
+    if obj.has_key?('source_name')
+      external_reference.source_name = obj['source_name']
+    end
+    if obj.has_key?('description')
+      external_reference.description = obj['description']
+    end
+    if obj.has_key?('external_id')
+      external_reference.external_id = obj['external_id']
+    end
+    external_reference.save
+    external_reference
+  end
+
+  def convert_to_json
+    {
+        :source_name => source_name,
+        :url => url,
+        :external_id => external_id,
+        :description => description
+    }
+  end
+
+
+  def as_stix
+    as_json(only: [:source_name, :url, :external_id, :description])
+  end
+
+end
+
+
+

data/app/models/active_stix/file.rb

@@ -0,0 +1,2 @@
+class ActiveStix::File < ApplicationRecord
+end

data/app/models/active_stix/identity.rb

@@ -0,0 +1,141 @@
+class ActiveStix::Identity < ApplicationRecord
+  has_many :user_accounts, :class_name => 'ActiveStix::UserAccount', foreign_key: 'identity_id'
+  has_many :email_addresses, :class_name => 'ActiveStix::EmailAddress', foreign_key: 'identity_id'
+  has_many :email_messages, :class_name => 'ActiveStix::EmailMessage', through: :email_addresses
+  # has_many :reference_object_marking_identities, class_name: 'ActiveStix::ReferenceObjectMarkingIdentity', foreign_key: 'stix_identity_id' todo
+  # has_many :marking_definitions, class_name: 'ActiveStix::MarkingDefinition', through: :reference_object_marking_identities todo
+  has_many :source_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'source_ref' #relationships where this class is the source
+  has_many :target_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'target_ref' #relationships where this class is the target
+
+
+  before_create do
+    self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+  end
+
+  def type
+    'identity'
+  end
+
+  def to_refs
+    ActiveStix::ToRef.where("stix_email_address_id in (#{email_addresses.collect(&:id).join(", ")})")
+  end
+
+  def self.find_from_contact_information(info, contactable=ActiveStix::Identity.all)
+    info.keys.each do |key|
+      contactable = contactable.where("contact_information -> '#{key}' ? :values", values: info[key])
+    end
+    contactable
+  end
+
+  def corpus(mailbox)
+
+    dirname = "#{mailbox}_corpus_" + name.to_s + "_#{Time.now.to_i}"
+    zip_file_name = Dir.pwd + "/tmp/" + dirname + ".zip"
+    messages = case mailbox
+               when 'sent'
+                 email_messages.includes(:eml)
+               when 'received'
+                 to_refs.collect {|tr| tr.email_message}
+               else
+                 []
+               end
+
+    Zip::File.open(zip_file_name, ::Zip::File::CREATE) do |zipfile|
+      zipfile.mkdir(dirname)
+      messages.each_with_index do |em, i|
+        zipfile.get_output_stream("#{dirname}/#{i}.eml") {|f| f.puts em.eml.raw_source if em.eml}
+      end
+    end
+    zip_file_name
+  end
+
+  def self.ingest_json(obj)
+    identity = find_or_create_by(stix_id: obj['id'], name: obj['name'], identity_class: obj['identity_class'])
+    if obj.has_key?('object_marking_refs')
+      # obj['object_marking_refs'].each do |mr|
+      #   marking_definition = ActiveStix::MarkingDefinition.create_by_id(mr)
+      #   identity.marking_definitions << marking_definition unless ActiveStix::ReferenceObjectMarkingIdentity.find_by(stix_marking_definition_id: marking_definition.id, stix_identity_id: identity.id)
+      # end todo
+    end
+    identity.save
+    identity
+  end
+
+  def as_stix
+    as_json(only: [:first_observed, :number_observed, :last_observed]).tap do |hash|
+      hash["id"] = stix_id
+      hash["name"] = email_addresses.any? ? email_addresses.first.value : stix_id
+      hash["type"] = type
+      hash["created"] = created_at.rfc3339(3)
+      hash["modified"] = updated_at.rfc3339(3)
+      hash["identity_class"] = identity_class
+      hash["spec_version"] = "2.0"
+    end
+  end
+
+  def threat_class
+    organizational_threat_class or individual_threat_class
+  end
+
+  def organizational_threat_class
+    return nil unless identity_class == "organization"
+    return "threat" if threat_group?
+    return "verified" if legitimate_organization
+    return "unverified"
+  end
+
+  def attack_patterns
+    return [] unless identity_class == "organization"
+    target_relationships
+        .where(source_type: "ActiveStix::AttackPattern", relationship_type: "targets").collect do |rel|
+      rel.source
+    end
+  end
+
+  def threat_groups
+    return [] unless identity_class == "organization"
+    target_relationships
+        .where(source_type: "ActiveStix::ThreatActor", relationship_type: "attributed-to").collect do |rel|
+      rel.source
+    end.compact
+  end
+
+  def threat_group?
+    return false unless identity_class == "organization"
+    threat_groups.any?
+  end
+
+  def verified?
+    return false unless identity_class == "organization"
+    known_person or legitimate_organization
+  end
+
+  def individual_threat_class
+    return nil unless identity_class == "individual"
+    return "threat" unless employers.find {|employer| employer.threat_group?}.nil?
+    return "verified" if known_person or employers.find {|employer| employer.verified?}
+    return "unverified"
+  end
+
+
+  def self.employ(individual, organization)
+    if individual.employers.include?(organization)
+      individual.target_relationships.where(source_ref: organization.stix_id, relationship_type: "employs")
+    else
+      ActiveStix::Relationship.relate(organization, individual, "employs")
+    end
+  end
+
+  def employers
+    target_relationships.where(relationship_type: "employs").all.collect {|rel| rel.source}
+  end
+
+  def employees
+    source_relationships.where(relationship_type: "employs").all.collect {|rel| rel.target}
+  end
+
+  def self.organizations
+    where(identity_class: 'organization').all
+  end
+
+end

data/app/models/active_stix/indicator.rb

@@ -0,0 +1,58 @@
+class ActiveStix::Indicator < ApplicationRecord
+  has_many :active_stix_indicator_labels, :class_name => 'ActiveStix::IndicatorLabel', foreign_key: 'stix_indicator_id'
+  has_many :markups, as: :labelable
+  has_many :labels, through: :markups
+
+  before_create do
+    self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+  end
+
+
+  def self.ingest_json(obj)
+    indicator = find_or_create_by(stix_id:obj['id'], name:obj['name'], description:obj['description'], pattern:obj['pattern'], valid_from:obj['valid_from'])
+
+    if obj.has_key?('labels')
+      obj['labels'].each do | lab |
+        label = ActiveStix::Label.ingest_label('indicator-labels', lab)
+        indicator.labels << label unless ActiveStix::Markup.find_by(labelable: indicator, label: label)
+      end
+    end
+
+    indicator.save
+    indicator
+  end
+
+
+  def attack_pattern_relationships
+    relationships = []
+    ActiveStix::Relationship.where(source: self, relationship_type: "uses", target_type: "ActiveStix::AttackPattern").or(
+        ActiveStix::Relationship.where(source: self, relationship_type: "indicates", target_type: "ActiveStix::AttackPattern")
+    ).each do |rel|
+      relationships << rel
+    end
+    relationships
+  end
+
+  def attack_patterns
+    attack_pattern_relationships.collect {|rel| rel.target}
+  end
+
+
+
+  def type
+    'indicator'
+  end
+
+  def as_stix(classification = nil, chess = nil)
+    as_json(only: [:name, :description, :pattern]).tap do |hash|
+      hash["id"] = stix_id
+      hash["type"] = type
+      hash["description"] = description
+      hash["created"] = created_at.rfc3339(3)
+      hash["labels"] = ["malicious-activity"]
+      hash["valid_from"] = (valid_from || updated_at).rfc3339(3)
+      hash["modified"] = updated_at.rfc3339(3)
+    end
+  end
+
+end

data/app/models/active_stix/indicator_label.rb

@@ -0,0 +1,4 @@
+class ActiveStix::IndicatorLabel < ApplicationRecord
+  belongs_to :label, :class_name => 'ActiveStix::Label', foreign_key: 'stix_label_id'
+  belongs_to :indicator, :class_name => 'ActiveStix::Indicator', foreign_key: 'stix_indicator_id'
+end

data/app/models/active_stix/intrusion_set.rb

@@ -0,0 +1,69 @@
+class ActiveStix::IntrusionSet < ApplicationRecord
+  has_many :reference_items, as: 'referrer'
+  has_many :external_references, class_name: 'ActiveStix::ExternalReference', through: :reference_items
+  # has_many :reference_object_marking_intrusion_set, class_name: 'ActiveStix::ReferenceObjectMarkingIntrusionSet', foreign_key: 'stix_intrusion_set_id' todo
+  # has_many :marking_definitions, class_name: 'ActiveStix::MarkingDefinition', through: :reference_object_marking_intrusion_set todo
+  has_many :reference_object_intrusion_alias, class_name: 'ActiveStix::ReferenceObjectIntrusionAlias', foreign_key: 'stix_intrusion_set_id'
+  has_many :intrusion_set_aliases, class_name: 'ActiveStix::IntrusionSetAlias', through: :reference_object_intrusion_alias
+  has_many :source_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'source_ref' #relationships where this class is the source
+  has_many :target_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'target_ref' #relationships where this class is the target
+
+
+  before_create do
+    self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+  end
+
+  def type
+    'intrusion-set'
+  end
+
+
+  def self.ingest_json(obj)
+    intrusion_set = find_or_create_by(stix_id: obj['id'], name: obj['name'])
+
+    if obj.has_key?('description')
+      intrusion_set.description = obj['description']
+    end
+
+    if obj.has_key?('external_references')
+      obj['external_references'].each do |er|
+        external_reference = ActiveStix::ExternalReference.ingest_json(er, obj['id'])
+        intrusion_set.external_references << external_reference unless ActiveStix::ReferenceItem.find_by(external_reference: external_reference, referrer: intrusion_set)
+      end
+    end
+
+    if obj.has_key?('object_marking_refs')
+      # obj['object_marking_refs'].each do |mr|
+      #   marking_definition = ActiveStix::MarkingDefinition.create_by_id(mr)
+      #   intrusion_set.marking_definitions << marking_definition unless ActiveStix::ReferenceObjectMarkingIntrusionSet.find_by(stix_marking_definition_id: marking_definition.id, stix_intrusion_set_id: intrusion_set.id)
+      # end todo
+    end
+
+    if obj.has_key?('aliases')
+        intrusion_set.aliases = obj['aliases']
+    end
+    intrusion_set.save
+    intrusion_set
+  end
+
+  def as_stix(classification = nil, chess = nil)
+    as_json(only: [:name]).tap do |hash|
+      hash["type"] = type
+      hash["description"] = description if description
+      hash["created"] = created_at.utc.iso8601(3)
+      hash["modified"] = updated_at.utc.iso8601(3)
+      hash["id"] = stix_id
+      hash["spec_version"] = "2.0"
+    end
+  end
+
+  def convert_to_json
+    {
+        :type => "intrusion-set",
+        :name => name,
+        :id => stix_id,
+        :created => created_at.to_s,
+        :modified => updated_at.to_s
+    }
+  end
+end

data/app/models/active_stix/kill_chain.rb

@@ -0,0 +1,7 @@
+class ActiveStix::KillChain < ApplicationRecord
+  has_many :phases
+
+  def convert_to_json
+    name
+  end
+end

data/app/models/active_stix/kill_chain_phase.rb

@@ -0,0 +1,6 @@
+class ActiveStix::KillChainPhase < ApplicationRecord
+  belongs_to :attack_pattern, :class_name => 'ActiveStix::AttackPattern', foreign_key: 'attack_pattern_ref', primary_key: 'stix_id'
+  belongs_to :phase, :class_name => 'ActiveStix::Phase', foreign_key: 'phase_id', primary_key: 'id'
+
+
+end

data/app/models/active_stix/label.rb

@@ -0,0 +1,17 @@
+class ActiveStix::Label < ApplicationRecord
+  belongs_to :open_vocabulary
+
+  has_many :markups
+  has_many :labelables, through: :markups
+
+  def self.ingest_label(open_vocabulary, label)
+
+    open_voc = ActiveStix::OpenVocabulary.find_or_create_by(name: open_vocabulary)
+    lab = find_or_create_by(open_vocabulary_id: open_voc.id, name: label)
+    lab
+  end
+
+  def convert_to_json
+    value
+  end
+end

data/app/models/active_stix/label_malware.rb

@@ -0,0 +1,4 @@
+class ActiveStix::LabelMalware < ApplicationRecord
+  belongs_to :label, :class_name => 'ActiveStix::Label', foreign_key: 'label_id'
+  belongs_to :malware, :class_name => 'ActiveStix::Malware', foreign_key: 'malware_id'
+end

data/app/models/active_stix/label_report.rb

@@ -0,0 +1,4 @@
+class ActiveStix::LabelReport < ApplicationRecord
+  belongs_to :label, :class_name => 'ActiveStix::Label', foreign_key: 'stix_label_id'
+  belongs_to :report, :class_name => 'ActiveStix::Report', foreign_key: 'stix_report_id'
+end

data/app/models/active_stix/label_tool.rb

@@ -0,0 +1,4 @@
+class ActiveStix::LabelTool < ApplicationRecord
+  belongs_to :label, :class_name => 'ActiveStix::Label', foreign_key: 'label_id'
+  belongs_to :tool, :class_name => 'ActiveStix::Tool', foreign_key: 'tool_id'
+end

data/app/models/active_stix/malware.rb

@@ -0,0 +1,98 @@
+class ActiveStix::Malware < ApplicationRecord
+  has_many :reference_items, as: 'referrer'
+  has_many :external_references, class_name: 'ActiveStix::ExternalReference', through: :reference_items
+
+  has_many :reference_object_marking_malware, class_name: 'ActiveStix::ReferenceObjectMarkingMalware', foreign_key: 'stix_malware_id'
+  has_many :marking_definitions, class_name: 'ActiveStix::MarkingDefinition', through: :reference_object_marking_malware
+
+  has_many :markups, as: :labelable
+  has_many :labels, through: :markups
+
+  def self.expected_keys
+    [
+        'description',
+        'external_references',
+        'object_marking_refs'
+    ]
+  end
+
+  def type
+    'malware'
+  end
+
+  def self.ingest_json(obj)
+    malware = find_or_create_by(stix_id: obj['id'], name: obj['name'], created_by_ref: obj['created_by_ref'])
+
+    expected_keys.each do |expected_key|
+      if obj.has_key?(expected_key)
+        send(expected_key, *[malware, obj])
+      end
+    end
+
+    malware.save
+    malware
+  end
+
+  def self.description(malware, obj)
+    malware.description = obj['description']
+  end
+
+  def self.external_references(malware, obj)
+    obj['external_references'].each do |er|
+      external_reference = ActiveStix::ExternalReference.ingest_json(er, obj['id'])
+      malware.external_references << external_reference unless ActiveStix::ReferenceItem.find_by(external_reference: external_reference, referrer: malware)
+    end
+  end
+
+  def self.object_marking_refs(malware, obj)
+    obj['object_marking_refs'].each do |mr|
+      # todo
+      # marking_definition = ActiveStix::MarkingDefinition.create_by_id(mr)
+      # malware.marking_definitions << marking_definition unless ActiveStix::ReferenceObjectMarkingMalware.find_by(stix_marking_definition_id:marking_definition.id, stix_malware_id:malware.id)
+    end
+  end
+
+  def as_stix(classification = nil, chess = nil)
+    as_json
+  end
+
+  def convert_to_json
+    external_refs_arr = []
+    external_references.each do |x|
+      external_refs_arr << x.convert_to_json
+    end
+
+    marking_def_arr = []
+    marking_definitions.each do |x|
+      marking_def_arr << x.convert_to_json
+    end
+
+    platform_arr = []
+    platforms.each do |x|
+      platform_arr << x.convert_to_json
+    end
+
+    labels_arr = []
+    labels.each do |x|
+      labels_arr << x.open_vocabulary.convert_to_json
+    end
+
+    alias_arr = []
+    attack_aliases.each do |x|
+      alias_arr << x.convert_to_json
+    end
+
+    {
+        :external_references => external_refs_arr,
+        :object_marking_refs => marking_def_arr,
+        :modified => updated_at.to_s,
+        :created_by_ref => created_by_ref,
+        :id => stix_id,
+        :name => name,
+        :created => created_at.to_s,
+        :labels => labels_arr,
+        :type => "malware",
+        :description => description
+    }
+  end
+end