active_stix 0.1.21
- checksums.yaml +7 -0
- data/MIT-LICENSE +20 -0
- data/README.md +28 -0
- data/Rakefile +32 -0
- data/app/assets/config/active_stix_manifest.js +2 -0
- data/app/assets/javascripts/active_stix/application.js +15 -0
- data/app/assets/javascripts/active_stix/artifacts.js +2 -0
- data/app/assets/javascripts/active_stix/attack_patterns.js +2 -0
- data/app/assets/javascripts/active_stix/bcc_refs.js +2 -0
- data/app/assets/javascripts/active_stix/bundled_objects.js +2 -0
- data/app/assets/javascripts/active_stix/bundles.js +2 -0
- data/app/assets/javascripts/active_stix/campaigns.js +2 -0
- data/app/assets/javascripts/active_stix/course_of_actions.js +2 -0
- data/app/assets/javascripts/active_stix/cyber_observables.js +2 -0
- data/app/assets/javascripts/active_stix/email_messages.js +2 -0
- data/app/assets/javascripts/active_stix/external_references.js +2 -0
- data/app/assets/javascripts/active_stix/files.js +2 -0
- data/app/assets/javascripts/active_stix/identities.js +2 -0
- data/app/assets/javascripts/active_stix/indicator_labels.js +2 -0
- data/app/assets/javascripts/active_stix/indicators.js +2 -0
- data/app/assets/javascripts/active_stix/intrusion_sets.js +2 -0
- data/app/assets/javascripts/active_stix/kill_chain_phases.js +2 -0
- data/app/assets/javascripts/active_stix/kill_chains.js +2 -0
- data/app/assets/javascripts/active_stix/malwares.js +2 -0
- data/app/assets/javascripts/active_stix/marking_definitions.js +2 -0
- data/app/assets/javascripts/active_stix/observed_data.js +2 -0
- data/app/assets/javascripts/active_stix/open_vocabularies.js +2 -0
- data/app/assets/javascripts/active_stix/phases.js +2 -0
- data/app/assets/javascripts/active_stix/recipients.js +2 -0
- data/app/assets/javascripts/active_stix/relationships.js +2 -0
- data/app/assets/javascripts/active_stix/reports.js +2 -0
- data/app/assets/javascripts/active_stix/threat_actors.js +2 -0
- data/app/assets/javascripts/active_stix/tools.js +2 -0
- data/app/assets/javascripts/active_stix/urls.js +2 -0
- data/app/assets/javascripts/active_stix/users.js +2 -0
- data/app/assets/stylesheets/active_stix/application.css +15 -0
- data/app/assets/stylesheets/active_stix/artifacts.css +4 -0
- data/app/assets/stylesheets/active_stix/attack_patterns.css +4 -0
- data/app/assets/stylesheets/active_stix/bcc_refs.css +4 -0
- data/app/assets/stylesheets/active_stix/bundled_objects.css +4 -0
- data/app/assets/stylesheets/active_stix/bundles.css +4 -0
- data/app/assets/stylesheets/active_stix/campaigns.css +4 -0
- data/app/assets/stylesheets/active_stix/course_of_actions.css +4 -0
- data/app/assets/stylesheets/active_stix/cyber_observables.css +4 -0
- data/app/assets/stylesheets/active_stix/email_messages.css +4 -0
- data/app/assets/stylesheets/active_stix/external_references.css +4 -0
- data/app/assets/stylesheets/active_stix/files.css +4 -0
- data/app/assets/stylesheets/active_stix/identities.css +4 -0
- data/app/assets/stylesheets/active_stix/indicator_labels.css +4 -0
- data/app/assets/stylesheets/active_stix/indicators.css +4 -0
- data/app/assets/stylesheets/active_stix/intrusion_sets.css +4 -0
- data/app/assets/stylesheets/active_stix/kill_chain_phases.css +4 -0
- data/app/assets/stylesheets/active_stix/kill_chains.css +4 -0
- data/app/assets/stylesheets/active_stix/malwares.css +4 -0
- data/app/assets/stylesheets/active_stix/marking_definitions.css +4 -0
- data/app/assets/stylesheets/active_stix/observed_data.css +4 -0
- data/app/assets/stylesheets/active_stix/open_vocabularies.css +4 -0
- data/app/assets/stylesheets/active_stix/phases.css +4 -0
- data/app/assets/stylesheets/active_stix/recipients.css +4 -0
- data/app/assets/stylesheets/active_stix/relationships.css +4 -0
- data/app/assets/stylesheets/active_stix/reports.css +4 -0
- data/app/assets/stylesheets/active_stix/threat_actors.css +4 -0
- data/app/assets/stylesheets/active_stix/tools.css +4 -0
- data/app/assets/stylesheets/active_stix/urls.css +4 -0
- data/app/assets/stylesheets/active_stix/users.css +4 -0
- data/app/assets/stylesheets/scaffold.css +80 -0
- data/app/controllers/active_stix/application_controller.rb +5 -0
- data/app/controllers/active_stix/artifacts_controller.rb +62 -0
- data/app/controllers/active_stix/attack_patterns_controller.rb +27 -0
- data/app/controllers/active_stix/bcc_refs_controller.rb +62 -0
- data/app/controllers/active_stix/bundled_objects_controller.rb +62 -0
- data/app/controllers/active_stix/bundles_controller.rb +11 -0
- data/app/controllers/active_stix/campaigns_controller.rb +74 -0
- data/app/controllers/active_stix/course_of_actions_controller.rb +62 -0
- data/app/controllers/active_stix/cyber_observables_controller.rb +62 -0
- data/app/controllers/active_stix/email_addresses_controller.rb +74 -0
- data/app/controllers/active_stix/email_messages_controller.rb +26 -0
- data/app/controllers/active_stix/external_references_controller.rb +62 -0
- data/app/controllers/active_stix/files_controller.rb +74 -0
- data/app/controllers/active_stix/identities_controller.rb +128 -0
- data/app/controllers/active_stix/indicator_labels_controller.rb +62 -0
- data/app/controllers/active_stix/indicators_controller.rb +62 -0
- data/app/controllers/active_stix/intrusion_sets_controller.rb +62 -0
- data/app/controllers/active_stix/kill_chain_phases_controller.rb +62 -0
- data/app/controllers/active_stix/kill_chains_controller.rb +62 -0
- data/app/controllers/active_stix/malwares_controller.rb +62 -0
- data/app/controllers/active_stix/marking_definitions_controller.rb +62 -0
- data/app/controllers/active_stix/observed_data_controller.rb +62 -0
- data/app/controllers/active_stix/open_vocabularies_controller.rb +62 -0
- data/app/controllers/active_stix/phases_controller.rb +62 -0
- data/app/controllers/active_stix/recipients_controller.rb +62 -0
- data/app/controllers/active_stix/relationships_controller.rb +62 -0
- data/app/controllers/active_stix/reports_controller.rb +62 -0
- data/app/controllers/active_stix/threat_actors_controller.rb +75 -0
- data/app/controllers/active_stix/tools_controller.rb +62 -0
- data/app/controllers/active_stix/urls_controller.rb +62 -0
- data/app/controllers/active_stix/user_accounts_controller.rb +74 -0
- data/app/controllers/active_stix/users_controller.rb +62 -0
- data/app/helpers/active_stix/application_helper.rb +4 -0
- data/app/helpers/active_stix/artifacts_helper.rb +4 -0
- data/app/helpers/active_stix/attack_patterns_helper.rb +4 -0
- data/app/helpers/active_stix/bcc_refs_helper.rb +4 -0
- data/app/helpers/active_stix/bundled_objects_helper.rb +4 -0
- data/app/helpers/active_stix/bundles_helper.rb +4 -0
- data/app/helpers/active_stix/campaigns_helper.rb +4 -0
- data/app/helpers/active_stix/course_of_actions_helper.rb +4 -0
- data/app/helpers/active_stix/cyber_observables_helper.rb +4 -0
- data/app/helpers/active_stix/email_messages_helper.rb +4 -0
- data/app/helpers/active_stix/external_references_helper.rb +4 -0
- data/app/helpers/active_stix/files_helper.rb +4 -0
- data/app/helpers/active_stix/identities_helper.rb +4 -0
- data/app/helpers/active_stix/indicator_labels_helper.rb +4 -0
- data/app/helpers/active_stix/indicators_helper.rb +4 -0
- data/app/helpers/active_stix/intrusion_sets_helper.rb +4 -0
- data/app/helpers/active_stix/kill_chain_phases_helper.rb +4 -0
- data/app/helpers/active_stix/kill_chains_helper.rb +4 -0
- data/app/helpers/active_stix/malwares_helper.rb +4 -0
- data/app/helpers/active_stix/marking_definitions_helper.rb +4 -0
- data/app/helpers/active_stix/observed_data_helper.rb +4 -0
- data/app/helpers/active_stix/open_vocabularies_helper.rb +4 -0
- data/app/helpers/active_stix/phases_helper.rb +4 -0
- data/app/helpers/active_stix/recipients_helper.rb +4 -0
- data/app/helpers/active_stix/relationships_helper.rb +4 -0
- data/app/helpers/active_stix/reports_helper.rb +4 -0
- data/app/helpers/active_stix/threat_actors_helper.rb +4 -0
- data/app/helpers/active_stix/tools_helper.rb +4 -0
- data/app/helpers/active_stix/urls_helper.rb +4 -0
- data/app/helpers/active_stix/users_helper.rb +4 -0
- data/app/jobs/active_stix/application_job.rb +4 -0
- data/app/mailers/active_stix/application_mailer.rb +6 -0
- data/app/models/active_stix/application_record.rb +5 -0
- data/app/models/active_stix/artifact.rb +23 -0
- data/app/models/active_stix/attack_pattern.rb +150 -0
- data/app/models/active_stix/bcc_ref.rb +6 -0
- data/app/models/active_stix/bundle.rb +108 -0
- data/app/models/active_stix/bundled_object.rb +4 -0
- data/app/models/active_stix/campaign.rb +65 -0
- data/app/models/active_stix/cc_ref.rb +6 -0
- data/app/models/active_stix/course_of_action.rb +54 -0
- data/app/models/active_stix/cyber_observable.rb +4 -0
- data/app/models/active_stix/email_address.rb +27 -0
- data/app/models/active_stix/email_message.rb +339 -0
- data/app/models/active_stix/external_reference.rb +48 -0
- data/app/models/active_stix/file.rb +2 -0
- data/app/models/active_stix/identity.rb +141 -0
- data/app/models/active_stix/indicator.rb +58 -0
- data/app/models/active_stix/indicator_label.rb +4 -0
- data/app/models/active_stix/intrusion_set.rb +69 -0
- data/app/models/active_stix/kill_chain.rb +7 -0
- data/app/models/active_stix/kill_chain_phase.rb +6 -0
- data/app/models/active_stix/label.rb +17 -0
- data/app/models/active_stix/label_malware.rb +4 -0
- data/app/models/active_stix/label_report.rb +4 -0
- data/app/models/active_stix/label_tool.rb +4 -0
- data/app/models/active_stix/malware.rb +98 -0
- data/app/models/active_stix/marking_definition.rb +21 -0
- data/app/models/active_stix/markup.rb +6 -0
- data/app/models/active_stix/object_marking.rb +11 -0
- data/app/models/active_stix/observed_datum.rb +67 -0
- data/app/models/active_stix/open_vocabulary.rb +8 -0
- data/app/models/active_stix/phase.rb +41 -0
- data/app/models/active_stix/recipient.rb +4 -0
- data/app/models/active_stix/reference_item.rb +4 -0
- data/app/models/active_stix/relationship.rb +95 -0
- data/app/models/active_stix/report.rb +93 -0
- data/app/models/active_stix/report_object.rb +9 -0
- data/app/models/active_stix/threat_actor.rb +139 -0
- data/app/models/active_stix/to_ref.rb +6 -0
- data/app/models/active_stix/tool.rb +112 -0
- data/app/models/active_stix/url.rb +15 -0
- data/app/models/active_stix/user.rb +4 -0
- data/app/models/active_stix/user_account.rb +3 -0
- data/app/views/active_stix/artifacts/_form.html.erb +57 -0
- data/app/views/active_stix/artifacts/edit.html.erb +6 -0
- data/app/views/active_stix/artifacts/index.html.erb +41 -0
- data/app/views/active_stix/artifacts/new.html.erb +5 -0
- data/app/views/active_stix/artifacts/show.html.erb +44 -0
- data/app/views/active_stix/attack_patterns/_form.html.erb +37 -0
- data/app/views/active_stix/attack_patterns/edit.html.erb +2 -0
- data/app/views/active_stix/attack_patterns/index.html.erb +2 -0
- data/app/views/active_stix/attack_patterns/new.html.erb +2 -0
- data/app/views/active_stix/attack_patterns/show.html.erb +140 -0
- data/app/views/active_stix/bcc_refs/_form.html.erb +27 -0
- data/app/views/active_stix/bcc_refs/edit.html.erb +6 -0
- data/app/views/active_stix/bcc_refs/index.html.erb +29 -0
- data/app/views/active_stix/bcc_refs/new.html.erb +5 -0
- data/app/views/active_stix/bcc_refs/show.html.erb +14 -0
- data/app/views/active_stix/bundles/index.html.erb +1 -0
- data/app/views/active_stix/bundles/show.html.erb +7 -0
- data/app/views/active_stix/campaigns/_form.html.erb +42 -0
- data/app/views/active_stix/campaigns/_stix_campaign.json.jbuilder +2 -0
- data/app/views/active_stix/campaigns/edit.html.erb +6 -0
- data/app/views/active_stix/campaigns/index.html.erb +35 -0
- data/app/views/active_stix/campaigns/index.json.jbuilder +1 -0
- data/app/views/active_stix/campaigns/new.html.erb +5 -0
- data/app/views/active_stix/campaigns/show.html.erb +29 -0
- data/app/views/active_stix/campaigns/show.json.jbuilder +1 -0
- data/app/views/active_stix/email_messages/_form.html.erb +62 -0
- data/app/views/active_stix/email_messages/_stix_email_message.json.jbuilder +2 -0
- data/app/views/active_stix/email_messages/edit.html.erb +6 -0
- data/app/views/active_stix/email_messages/index.html.erb +43 -0
- data/app/views/active_stix/email_messages/index.json.jbuilder +1 -0
- data/app/views/active_stix/email_messages/new.html.erb +5 -0
- data/app/views/active_stix/email_messages/show.html.erb +165 -0
- data/app/views/active_stix/email_messages/show.json.jbuilder +1 -0
- data/app/views/active_stix/files/_form.html.erb +92 -0
- data/app/views/active_stix/files/_stix_file.json.jbuilder +2 -0
- data/app/views/active_stix/files/edit.html.erb +6 -0
- data/app/views/active_stix/files/index.html.erb +55 -0
- data/app/views/active_stix/files/index.json.jbuilder +1 -0
- data/app/views/active_stix/files/new.html.erb +5 -0
- data/app/views/active_stix/files/show.html.erb +79 -0
- data/app/views/active_stix/files/show.json.jbuilder +1 -0
- data/app/views/active_stix/identities/_form.html.erb +27 -0
- data/app/views/active_stix/identities/_individual.html.erb +100 -0
- data/app/views/active_stix/identities/_organization.html.erb +72 -0
- data/app/views/active_stix/identities/_received_email_messages.html.erb +27 -0
- data/app/views/active_stix/identities/_sent_email_messages.html.erb +27 -0
- data/app/views/active_stix/identities/_threat_icons.html.erb +3 -0
- data/app/views/active_stix/identities/edit.html.erb +2 -0
- data/app/views/active_stix/identities/index.html.erb +37 -0
- data/app/views/active_stix/identities/new.html.erb +5 -0
- data/app/views/active_stix/identities/show.html.erb +15 -0
- data/app/views/active_stix/layouts/active_stix/application.html.erb +16 -0
- data/app/views/active_stix/recipients/_form.html.erb +27 -0
- data/app/views/active_stix/recipients/edit.html.erb +6 -0
- data/app/views/active_stix/recipients/index.html.erb +29 -0
- data/app/views/active_stix/recipients/new.html.erb +5 -0
- data/app/views/active_stix/recipients/show.html.erb +14 -0
- data/app/views/active_stix/threat_actors/_form.html.erb +32 -0
- data/app/views/active_stix/threat_actors/_stix_threat_actor.json.jbuilder +2 -0
- data/app/views/active_stix/threat_actors/edit.html.erb +6 -0
- data/app/views/active_stix/threat_actors/flags.html.erb +184 -0
- data/app/views/active_stix/threat_actors/index.html.erb +26 -0
- data/app/views/active_stix/threat_actors/index.json.jbuilder +1 -0
- data/app/views/active_stix/threat_actors/new.html.erb +5 -0
- data/app/views/active_stix/threat_actors/show.html.erb +4 -0
- data/app/views/active_stix/threat_actors/show.json.jbuilder +1 -0
- data/app/views/layouts/active_stix/application.html.erb +16 -0
- data/config/routes.rb +39 -0
- data/db/migrate/20191204200025_create_active_stix_bundled_objects.rb +11 -0
- data/db/migrate/20191204213707_create_active_stix_bundles.rb +10 -0
- data/db/migrate/20191204213802_create_active_stix_campaigns.rb +15 -0
- data/db/migrate/20191204213926_create_active_stix_course_of_actions.rb +12 -0
- data/db/migrate/20191204214020_create_active_stix_cyber_observables.rb +11 -0
- data/db/migrate/20191204214955_create_active_stix_email_messages.rb +20 -0
- data/db/migrate/20191204215029_create_active_stix_external_references.rb +12 -0
- data/db/migrate/20191204215302_create_active_stix_files.rb +23 -0
- data/db/migrate/20191204215419_create_active_stix_identities.rb +13 -0
- data/db/migrate/20191204215542_create_active_stix_indicator_labels.rb +10 -0
- data/db/migrate/20191204215637_create_active_stix_indicators.rb +16 -0
- data/db/migrate/20191204215849_create_active_stix_intrusion_sets.rb +15 -0
- data/db/migrate/20191204215929_create_active_stix_kill_chain_phases.rb +10 -0
- data/db/migrate/20191204215951_create_active_stix_kill_chains.rb +9 -0
- data/db/migrate/20191204220149_create_active_stix_malwares.rb +12 -0
- data/db/migrate/20191204220539_create_active_stix_marking_definitions.rb +12 -0
- data/db/migrate/20191204220853_create_active_stix_observed_data.rb +12 -0
- data/db/migrate/20191204220917_create_active_stix_open_vocabularies.rb +9 -0
- data/db/migrate/20191204220952_create_active_stix_phases.rb +11 -0
- data/db/migrate/20191204221129_create_active_stix_recipients.rb +10 -0
- data/db/migrate/20191204221227_create_active_stix_relationships.rb +16 -0
- data/db/migrate/20191204221323_create_active_stix_report_objects.rb +11 -0
- data/db/migrate/20191204221359_create_active_stix_reports.rb +14 -0
- data/db/migrate/20191204221425_create_active_stix_threat_actors.rb +11 -0
- data/db/migrate/20191204221454_create_active_stix_tools.rb +12 -0
- data/db/migrate/20191204221639_create_active_stix_urls.rb +9 -0
- data/db/migrate/20191204221849_create_active_stix_users.rb +22 -0
- data/db/migrate/20191205182234_create_active_stix_bcc_refs.rb +10 -0
- data/db/migrate/20191205182255_create_active_stix_cc_refs.rb +10 -0
- data/db/migrate/20191205182316_create_active_stix_to_refs.rb +10 -0
- data/db/migrate/20191212203611_add_spec_version_to_bundles.rb +5 -0
- data/db/migrate/20191212215136_create_active_stix_attack_patterns.rb +12 -0
- data/db/migrate/20191212220222_create_active_stix_reference_items.rb +11 -0
- data/db/migrate/20191213135204_create_active_stix_labels.rb +10 -0
- data/db/migrate/20191213140951_create_active_stix_markups.rb +11 -0
- data/db/migrate/20191221210537_fix_observed_data.rb +6 -0
- data/db/migrate/20191221223602_create_active_stix_artifacts.rb +16 -0
- data/db/migrate/20191223075550_change_artifact_ref_to_string.rb +5 -0
- data/db/migrate/20191223154000_add_stix_id_to_email_messages.rb +5 -0
- data/db/migrate/20200114162245_add_labels_to_active_stix_identities.rb +5 -0
- data/db/migrate/20200404223006_add_aliases_to_tools.rb +5 -0
- data/db/migrate/20200404223047_add_aliases_to_attack_patterns.rb +5 -0
- data/db/migrate/20200404223158_add_aliases_to_malwares.rb +5 -0
- data/db/migrate/20200404223210_add_aliases_to_threat_actors.rb +5 -0
- data/lib/active_stix.rb +8 -0
- data/lib/active_stix/engine.rb +13 -0
- data/lib/active_stix/version.rb +3 -0
- data/lib/tasks/active_stix_tasks.rake +4 -0
- metadata +358 -0
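--- a/data/app/models/active_stix/external_reference.rb
+++ b/data/app/models/active_stix/external_reference.rb
@@ -0,0 +1,48 @@
+class ActiveStix::ExternalReference < ApplicationRecord
+has_many :course_of_actions, :class_name => 'ActiveStix::CourseOfAction', through: :reference_items
+has_many :intrusion_sets, :class_name => 'ActiveStix::IntrusionSet', through: :reference_item_is
+has_many :malwares, :class_name => 'ActiveStix::Malware', through: :reference_items
+has_many :tools, :class_name => 'ActiveStix::Tool', through: :reference_items
+# has_many :marking_definitions, :class_name => 'ActiveStix::MarkingDefinition', through: :reference_items todo
+has_many :reference_items, :class_name => 'ActiveStix::ReferenceItem', foreign_key: 'external_reference_id'
+
+def self.ingest_json(obj, parent_obj_id)
+if obj.has_key?('url')
+external_reference = find_or_create_by(url:obj['url'])
+elsif obj.has_key?('source_name') and obj.has_key?('description')
+external_reference = find_or_create_by(source_name:obj['source_name'], description:obj['description'])
+elsif obj.has_key?('source_name') and obj.has_key?('external_id')
+external_reference = find_or_create_by(source_name:obj['source_name'], external_id:obj['external_id'])
+end
+
+if obj.has_key?('source_name')
+external_reference.source_name = obj['source_name']
+end
+if obj.has_key?('description')
+external_reference.description = obj['description']
+end
+if obj.has_key?('external_id')
+external_reference.external_id = obj['external_id']
+end
+external_reference.save
+external_reference
+end
+
+def convert_to_json
+{
+:source_name => source_name,
+:url => url,
+:external_id => external_id,
+:description => description
+}
+end
+
+
+def as_stix
+as_json(only: [:source_name, :url, :external_id, :description])
+end
+
+end
+
+
+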
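Review bot: `ingest_json` leaves `external_reference` nil when the object carries a `source_name` alone (STIX allows that, e.g. a reference with only `source_name` and `hashes`), so line 19's `external_reference.source_name =` raises NoMethodError and aborts the whole ingest; an `else external_reference = find_or_create_by(source_name: obj['source_name'])` branch before the `end` on line 16 closes the gap. Line 3's `through: :reference_item_is` names an association that does not exist, so `intrusion_sets` will raise the first time it is read; it should be `:reference_items` like its neighbours. Keying on `url` alone (line 11) also means two objects citing the same URL overwrite each other's `source_name`/`description` on lines 19–25, silently merging provenance from different sources; either include `source_name` in the lookup or add a comment saying the last writer wins. `parent_obj_id` is accepted but never used, and `save` on line 27 can return false on a validation failure without the caller noticing; `save!` or returning nil would make ingest failures visible.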
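--- a/data/app/models/active_stix/identity.rb
+++ b/data/app/models/active_stix/identity.rb
@@ -0,0 +1,141 @@
+class ActiveStix::Identity < ApplicationRecord
+has_many :user_accounts, :class_name => 'ActiveStix::UserAccount', foreign_key: 'identity_id'
+has_many :email_addresses, :class_name => 'ActiveStix::EmailAddress', foreign_key: 'identity_id'
+has_many :email_messages, :class_name => 'ActiveStix::EmailMessage', through: :email_addresses
+# has_many :reference_object_marking_identities, class_name: 'ActiveStix::ReferenceObjectMarkingIdentity', foreign_key: 'stix_identity_id' todo
+# has_many :marking_definitions, class_name: 'ActiveStix::MarkingDefinition', through: :reference_object_marking_identities todo
+has_many :source_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'source_ref' #relationships where this class is the source
+has_many :target_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'target_ref' #relationships where this class is the target
+
+
+before_create do
+self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+end
+
+def type
+'identity'
+end
+
+def to_refs
+ActiveStix::ToRef.where("stix_email_address_id in (#{email_addresses.collect(&:id).join(", ")})")
+end
+
+def self.find_from_contact_information(info, contactable=ActiveStix::Identity.all)
+info.keys.each do |key|
+contactable = contactable.where("contact_information -> '#{key}' ? :values", values: info[key])
+end
+contactable
+end
+
+def corpus(mailbox)
+
+dirname = "#{mailbox}_corpus_" + name.to_s + "_#{Time.now.to_i}"
+zip_file_name = Dir.pwd + "/tmp/" + dirname + ".zip"
+messages = case mailbox
+when 'sent'
+email_messages.includes(:eml)
+when 'received'
+to_refs.collect {|tr| tr.email_message}
+else
+[]
+end
+
+Zip::File.open(zip_file_name, ::Zip::File::CREATE) do |zipfile|
+zipfile.mkdir(dirname)
+messages.each_with_index do |em, i|
+zipfile.get_output_stream("#{dirname}/#{i}.eml") {|f| f.puts em.eml.raw_source if em.eml}
+end
+end
+zip_file_name
+end
+
+def self.ingest_json(obj)
+identity = find_or_create_by(stix_id: obj['id'], name: obj['name'], identity_class: obj['identity_class'])
+if obj.has_key?('object_marking_refs')
+# obj['object_marking_refs'].each do |mr|
+# marking_definition = ActiveStix::MarkingDefinition.create_by_id(mr)
+# identity.marking_definitions << marking_definition unless ActiveStix::ReferenceObjectMarkingIdentity.find_by(stix_marking_definition_id: marking_definition.id, stix_identity_id: identity.id)
+# end todo
+end
+identity.save
+identity
+end
+
+def as_stix
+as_json(only: [:first_observed, :number_observed, :last_observed]).tap do |hash|
+hash["id"] = stix_id
+hash["name"] = email_addresses.any? ? email_addresses.first.value : stix_id
+hash["type"] = type
+hash["created"] = created_at.rfc3339(3)
+hash["modified"] = updated_at.rfc3339(3)
+hash["identity_class"] = identity_class
+hash["spec_version"] = "2.0"
+end
+end
+
+def threat_class
+organizational_threat_class or individual_threat_class
+end
+
+def organizational_threat_class
+return nil unless identity_class == "organization"
+return "threat" if threat_group?
+return "verified" if legitimate_organization
+return "unverified"
+end
+
+def attack_patterns
+return [] unless identity_class == "organization"
+target_relationships
+.where(source_type: "ActiveStix::AttackPattern", relationship_type: "targets").collect do |rel|
+rel.source
+end
+end
+
+def threat_groups
+return [] unless identity_class == "organization"
+target_relationships
+.where(source_type: "ActiveStix::ThreatActor", relationship_type: "attributed-to").collect do |rel|
+rel.source
+end.compact
+end
+
+def threat_group?
+return false unless identity_class == "organization"
+threat_groups.any?
+end
+
+def verified?
+return false unless identity_class == "organization"
+known_person or legitimate_organization
+end
+
+def individual_threat_class
+return nil unless identity_class == "individual"
+return "threat" unless employers.find {|employer| employer.threat_group?}.nil?
+return "verified" if known_person or employers.find {|employer| employer.verified?}
+return "unverified"
+end
+
+
+def self.employ(individual, organization)
+if individual.employers.include?(organization)
+individual.target_relationships.where(source_ref: organization.stix_id, relationship_type: "employs")
+else
+ActiveStix::Relationship.relate(organization, individual, "employs")
+end
+end
+
+def employers
+target_relationships.where(relationship_type: "employs").all.collect {|rel| rel.source}
+end
+
+def employees
+source_relationships.where(relationship_type: "employs").all.collect {|rel| rel.target}
+end
+
+def self.organizations
+where(identity_class: 'organization').all
+end
+
+end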
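Review bot: `find_from_contact_information` (line 25) interpolates each key of `info` straight into the SQL string `contact_information -> '#{key}' ? :values`, so any caller that passes request parameters through here has a SQL injection path; bind the key as well, `contactable.where("contact_information -> :key ? :values", key: key, values: info[key])`, which works because named binds leave the JSON `?` operator untouched. `corpus` (lines 32–33) builds a filesystem path under `tmp/` from `name`, which comes from ingested STIX data, so a name containing `/` or `..` escapes the directory and also becomes the entry prefix inside the zip; reduce it to a safe token first, `safe_name = name.to_s.gsub(/[^\w.-]/, '_')`, and use `Rails.root.join('tmp', ...)` rather than `Dir.pwd`, which depends on where the process was started. `to_refs` (line 20) produces `in ()` when the identity has no email addresses, which is a SQL syntax error; `ActiveStix::ToRef.where(stix_email_address_id: email_addresses.select(:id))` handles the empty case and avoids string building. `organizational_threat_class`, `verified?` and `individual_threat_class` read `legitimate_organization` and `known_person`, which are not defined in this file — presumably columns, worth confirming against the identities migration and noting in a comment since they drive the "threat"/"verified" classification.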
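--- a/data/app/models/active_stix/indicator.rb
+++ b/data/app/models/active_stix/indicator.rb
@@ -0,0 +1,58 @@
+class ActiveStix::Indicator < ApplicationRecord
+has_many :active_stix_indicator_labels, :class_name => 'ActiveStix::IndicatorLabel', foreign_key: 'stix_indicator_id'
+has_many :markups, as: :labelable
+has_many :labels, through: :markups
+
+before_create do
+self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+end
+
+
+def self.ingest_json(obj)
+indicator = find_or_create_by(stix_id:obj['id'], name:obj['name'], description:obj['description'], pattern:obj['pattern'], valid_from:obj['valid_from'])
+
+if obj.has_key?('labels')
+obj['labels'].each do | lab |
+label = ActiveStix::Label.ingest_label('indicator-labels', lab)
+indicator.labels << label unless ActiveStix::Markup.find_by(labelable: indicator, label: label)
+end
+end
+
+indicator.save
+indicator
+end
+
+
+def attack_pattern_relationships
+relationships = []
+ActiveStix::Relationship.where(source: self, relationship_type: "uses", target_type: "ActiveStix::AttackPattern").or(
+ActiveStix::Relationship.where(source: self, relationship_type: "indicates", target_type: "ActiveStix::AttackPattern")
+).each do |rel|
+relationships << rel
+end
+relationships
+end
+
+def attack_patterns
+attack_pattern_relationships.collect {|rel| rel.target}
+end
+
+
+
+def type
+'indicator'
+end
+
+def as_stix(classification = nil, chess = nil)
+as_json(only: [:name, :description, :pattern]).tap do |hash|
+hash["id"] = stix_id
+hash["type"] = type
+hash["description"] = description
+hash["created"] = created_at.rfc3339(3)
+hash["labels"] = ["malicious-activity"]
+hash["valid_from"] = (valid_from || updated_at).rfc3339(3)
+hash["modified"] = updated_at.rfc3339(3)
+end
+end
+
+end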
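Review bot: `ingest_json` (line 12) matches on `stix_id` together with `name`, `description`, `pattern` and `valid_from`, so re-ingesting an indicator whose pattern or description changed creates a second row with the same `stix_id` instead of updating the first, and the stale pattern stays live; the intrusion-set ingest in this release keys on `stix_id` only, and this one should too: `indicator = find_or_initialize_by(stix_id: obj['id'])` followed by `indicator.assign_attributes(name: obj['name'], description: obj['description'], pattern: obj['pattern'], valid_from: obj['valid_from'])`. `as_stix` (line 52) hard-codes `labels` to `["malicious-activity"]` even though the labels ingested on lines 14–19 are stored, so an exported indicator asserts a label the source never did; `hash["labels"] = labels.map(&:name)` would round-trip what was ingested (assuming `name` is the label column, as the label ingest suggests). Line 53 substitutes `updated_at` when `valid_from` is missing, which fabricates a validity start for consumers; if that is intentional a comment such as `# STIX requires valid_from; fall back to last update when the source omitted it` should say so. The `classification` and `chess` parameters of `as_stix` are unused.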
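--- a/data/app/models/active_stix/intrusion_set.rb
+++ b/data/app/models/active_stix/intrusion_set.rb
@@ -0,0 +1,69 @@
+class ActiveStix::IntrusionSet < ApplicationRecord
+has_many :reference_items, as: 'referrer'
+has_many :external_references, class_name: 'ActiveStix::ExternalReference', through: :reference_items
+# has_many :reference_object_marking_intrusion_set, class_name: 'ActiveStix::ReferenceObjectMarkingIntrusionSet', foreign_key: 'stix_intrusion_set_id' todo
+# has_many :marking_definitions, class_name: 'ActiveStix::MarkingDefinition', through: :reference_object_marking_intrusion_set todo
+has_many :reference_object_intrusion_alias, class_name: 'ActiveStix::ReferenceObjectIntrusionAlias', foreign_key: 'stix_intrusion_set_id'
+has_many :intrusion_set_aliases, class_name: 'ActiveStix::IntrusionSetAlias', through: :reference_object_intrusion_alias
+has_many :source_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'source_ref' #relationships where this class is the source
+has_many :target_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'target_ref' #relationships where this class is the target
+
+
+before_create do
+self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+end
+
+def type
+'intrusion-set'
+end
+
+
+def self.ingest_json(obj)
+intrusion_set = find_or_create_by(stix_id: obj['id'], name: obj['name'])
+
+if obj.has_key?('description')
+intrusion_set.description = obj['description']
+end
+
+if obj.has_key?('external_references')
+obj['external_references'].each do |er|
+external_reference = ActiveStix::ExternalReference.ingest_json(er, obj['id'])
+intrusion_set.external_references << external_reference unless ActiveStix::ReferenceItem.find_by(external_reference: external_reference, referrer: intrusion_set)
+end
+end
+
+if obj.has_key?('object_marking_refs')
+# obj['object_marking_refs'].each do |mr|
+# marking_definition = ActiveStix::MarkingDefinition.create_by_id(mr)
+# intrusion_set.marking_definitions << marking_definition unless ActiveStix::ReferenceObjectMarkingIntrusionSet.find_by(stix_marking_definition_id: marking_definition.id, stix_intrusion_set_id: intrusion_set.id)
+# end todo
+end
+
+if obj.has_key?('aliases')
+intrusion_set.aliases = obj['aliases']
+end
+intrusion_set.save
+intrusion_set
+end
+
+def as_stix(classification = nil, chess = nil)
+as_json(only: [:name]).tap do |hash|
+hash["type"] = type
+hash["description"] = description if description
+hash["created"] = created_at.utc.iso8601(3)
+hash["modified"] = updated_at.utc.iso8601(3)
+hash["id"] = stix_id
+hash["spec_version"] = "2.0"
+end
+end
+
+def convert_to_json
+{
+:type => "intrusion-set",
+:name => name,
+:id => stix_id,
+:created => created_at.to_s,
+:modified => updated_at.to_s
+}
+end
+end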
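Review bot: `ingest_json` (line 22) keys on `stix_id` and `name` together, so an intrusion set re-ingested under a new name gets a second row with the same `stix_id`, and the `Relationship` associations on lines 8–9, which join on `stix_id`, then return rows for both; `intrusion_set = find_or_initialize_by(stix_id: obj['id'])` with `intrusion_set.name = obj['name']` keeps one row per STIX id and still picks up renames. Lines 6–7 declare `ActiveStix::ReferenceObjectIntrusionAlias` and `ActiveStix::IntrusionSetAlias`, neither of which appears among the models shipped in this release, while line 43 writes aliases to a plain `aliases` attribute; if the column is what is actually used, the two `has_many` lines will raise on first access and should be removed or marked `todo` like the marking-definition lines above them. `convert_to_json` emits `created_at.to_s`, which is not the UTC ISO 8601 form `as_stix` uses on lines 53–54, so the two serializers disagree on timestamp format; a comment on which one consumers should rely on, or unifying them, would avoid surprises. `save` on line 45 can return false without the caller noticing.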
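--- a/data/app/models/active_stix/kill_chain_phase.rb
+++ b/data/app/models/active_stix/kill_chain_phase.rb
@@ -0,0 +1,6 @@
+class ActiveStix::KillChainPhase < ApplicationRecord
+belongs_to :attack_pattern, :class_name => 'ActiveStix::AttackPattern', foreign_key: 'attack_pattern_ref', primary_key: 'stix_id'
+belongs_to :phase, :class_name => 'ActiveStix::Phase', foreign_key: 'phase_id', primary_key: 'id'
+
+
+end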
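--- a/data/app/models/active_stix/label.rb
+++ b/data/app/models/active_stix/label.rb
@@ -0,0 +1,17 @@
+class ActiveStix::Label < ApplicationRecord
+belongs_to :open_vocabulary
+
+has_many :markups
+has_many :labelables, through: :markups
+
+def self.ingest_label(open_vocabulary, label)
+
+open_voc = ActiveStix::OpenVocabulary.find_or_create_by(name: open_vocabulary)
+lab = find_or_create_by(open_vocabulary_id: open_voc.id, name: label)
+lab
+end
+
+def convert_to_json
+value
+end
+end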
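Review bot: `convert_to_json` (line 15) returns `value`, but the only attribute this file ever writes is `name` (line 10), so unless the labels table also has a `value` column this raises NoMethodError the first time a label is serialized; `name` looks like the intended attribute — worth confirming against the create_active_stix_labels migration before release. `has_many :labelables, through: :markups` (line 5) goes through what the `as: :labelable` declarations elsewhere in this release imply is a polymorphic `belongs_to`, and Rails refuses that with HasManyThroughAssociationPolymorphicSourceError on access unless a `source_type` is given; either declare one association per concrete type, e.g. `has_many :malwares, through: :markups, source: :labelable, source_type: 'ActiveStix::Malware'`, or drop the line. `ingest_label` creates an `OpenVocabulary` row for whatever string the caller passes, so a typo in a call site silently mints a new vocabulary; a comment such as `# callers own the vocabulary name; unknown names create a new vocabulary` would make that contract explicit.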
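--- a/data/app/models/active_stix/malware.rb
+++ b/data/app/models/active_stix/malware.rb
@@ -0,0 +1,98 @@
+class ActiveStix::Malware < ApplicationRecord
+has_many :reference_items, as: 'referrer'
+has_many :external_references, class_name: 'ActiveStix::ExternalReference', through: :reference_items
+
+has_many :reference_object_marking_malware, class_name: 'ActiveStix::ReferenceObjectMarkingMalware', foreign_key: 'stix_malware_id'
+has_many :marking_definitions, class_name: 'ActiveStix::MarkingDefinition', through: :reference_object_marking_malware
+
+has_many :markups, as: :labelable
+has_many :labels, through: :markups
+
+def self.expected_keys
+[
+'description',
+'external_references',
+'object_marking_refs'
+]
+end
+
+def type
+'malware'
+end
+
+def self.ingest_json(obj)
+malware = find_or_create_by(stix_id: obj['id'], name: obj['name'], created_by_ref: obj['created_by_ref'])
+
+expected_keys.each do |expected_key|
+if obj.has_key?(expected_key)
+send(expected_key, *[malware, obj])
+end
+end
+
+malware.save
+malware
+end
+
+def self.description(malware, obj)
+malware.description = obj['description']
+end
+
+def self.external_references(malware, obj)
+obj['external_references'].each do |er|
+external_reference = ActiveStix::ExternalReference.ingest_json(er, obj['id'])
+malware.external_references << external_reference unless ActiveStix::ReferenceItem.find_by(external_reference: external_reference, referrer: malware)
+end
+end
+
+def self.object_marking_refs(malware, obj)
+obj['object_marking_refs'].each do |mr|
+# todo
+# marking_definition = ActiveStix::MarkingDefinition.create_by_id(mr)
+# malware.marking_definitions << marking_definition unless ActiveStix::ReferenceObjectMarkingMalware.find_by(stix_marking_definition_id:marking_definition.id, stix_malware_id:malware.id)
+end
+end
+
+def as_stix(classification = nil, chess = nil)
+as_json
+end
+
+def convert_to_json
+external_refs_arr = []
+external_references.each do |x|
+external_refs_arr << x.convert_to_json
+end
+
+marking_def_arr = []
+marking_definitions.each do |x|
+marking_def_arr << x.convert_to_json
+end
+
+platform_arr = []
+platforms.each do |x|
+platform_arr << x.convert_to_json
+end
+
+labels_arr = []
+labels.each do |x|
+labels_arr << x.open_vocabulary.convert_to_json
+end
+
+alias_arr = []
+attack_aliases.each do |x|
+alias_arr << x.convert_to_json
+end
+
+{
+:external_references => external_refs_arr,
+:object_marking_refs => marking_def_arr,
+:modified => updated_at.to_s,
+:created_by_ref => created_by_ref,
+:id => stix_id,
+:name => name,
+:created => created_at.to_s,
+:labels => labels_arr,
+:type => "malware",
+:description => description
+}
+end
+end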
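Review bot: `convert_to_json` (lines 71 and 81) calls `platforms` and `attack_aliases`, neither of which is declared on this model, so serializing any malware raises NoMethodError; both loops only fill `platform_arr` and `alias_arr`, which never reach the returned hash, so lines 70–73 and 80–83 can simply be deleted. `as_stix` (line 56) returns a bare `as_json`, which dumps every column including the internal integer `id` and Rails timestamps and omits the `type`/`id`/`created`/`modified` mapping the other models build, so anything exporting this object emits non-STIX JSON and leaks database internals; it should construct the hash the way the indicator model does, `as_json(only: [:name, :description]).tap { |h| h["id"] = stix_id; h["type"] = type; h["created"] = created_at.utc.iso8601(3); h["modified"] = updated_at.utc.iso8601(3) }`. The `send(expected_key, *[malware, obj])` dispatch on line 28 is safe only because `expected_keys` is a fixed allowlist of class-method names; a comment there, `# expected_keys is a fixed allowlist, never derived from obj`, will stop a later change from sourcing it from the input. Line 77 serializes each label as its vocabulary rather than the label's own name, which drops the actual label value from the output; `x.name` is presumably what was meant.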